Daily Tech Digest - May 10, 2022

Tackling tech anxiety within the workforce

The average employee spends over two hours each day on work admin, manual paperwork, and unnecessary meetings. As a result, 81% of workers are unable to dedicate more than three hours of their day to creative, strategic tasks — the very work most ill-suited to machines. Fortunately, this is where digital collaboration comes in. When AI is set to automate certain processes, employees are freer to work on what they love, which often also happens to be what they do best. This extra time back then offers more opportunities to learn, create, and innovate on the job. Take Google’s ‘20% time’ rule, for instance. The policy involves Google employees spending a fifth of their week away from their usual, everyday responsibilities. Instead, they use the time to explore, work, and collaborate on exciting ideas that might not pay off immediately, or even at all, but could eventually reveal big business opportunities. It’s a win-win model for almost every business. At worst, colleagues enjoy the time to strengthen team bonds, improve problem-solving skills, and boost their morale. And at best, they uncover incredible ideas that can change the course of the company.

NFTs Emerge as the Next Enterprise Attack Vector

"The most common attacks try to trick cryptocurrency enthusiasts into handing over their wallet’s recovery phrase," he says. Users who fall for the scam often stand to lose access to their funds permanently, he says. "Bogus Airdrops, which are fake promotional giveaways, are also common and ask for recovery phrases or have the victim connect their wallets to malicious Airdrop sites, he adds, noting that many fake Airdrop sites are imitations of real NFT projects. And with so many small unverified projects around, it’s often hard to determine authenticity, he notes. Oded Vanunu, head of product vulnerability at Check Point Software, says what his company has observed by way of NFT-centric attacks is activity focused on exploiting weaknesses in NFT marketplaces and applications. "We need to understand that all NFT or crypto markets are using Web3 protocols," Vanunu says, referring to the emerging idea of a new Internet based on blockchain technology. Attackers are trying to figure out new ways to exploit vulnerabilities in applications connected to decentralized networks such as blockchain, he notes.

The OT security skills gap

Though often the responsibility for OT security is combined with the OT Infrastructure design role, in the OT world this is in my opinion less logical because it is the automation design engineer that has the wider overview of overall business functions in the system. If OT would be like IT, so primarily data manipulation, it makes sense to put the lead with OT infrastructure design. But because OT is not only data manipulation but also initiating various control actions that need to operate within a restricted operating window, it makes sense to give automation design this coordinating role. This is because automation design oversees all three skill elements and has more detailed knowledge of the production process than the OT infrastructure design role. It is very comparable to cyber security in a bank, where the lead role is linked to the overall business process and the infrastructure security is in a more supportive role. Finally, there is the process design role, what are the cyber security responsibilities for this role? First of all the process design role understands all the process deviations that can lead to trouble, and they know what that trouble is, they know how to handle it, and they have set criteria for limiting the risk that this trouble occurs.

Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself

The cybercriminal economy—a connected ecosystem of many players with different techniques, goals, and skillsets—is evolving. The industrialization of attacks has progressed from attackers using off-the-shelf tools, such as Cobalt Strike, to attackers being able to purchase access to networks and the payloads they deploy to them. This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker’s skills. RaaS is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. The RaaS program may also include a leak site to share snippets of data exfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services

U.S. White House releases ambitious agenda to mitigate the risks of quantum computing

The first directive, the executive order, seeks to advance QIS by placing the National Quantum Initiative Advisory Committee, the federal government’s main independent expert advisory body for quantum information science and technology, under the authority of the White House. The National Quantum Initiative, established by a law known as the NQI Act, encompasses activities by executive departments and agencies (agencies) with membership on either the National Science and Technology Council (NSTC) Subcommittee on Quantum Information Science (SCQIS) or the NSTC Subcommittee on Economic and Security Implications of Quantum Science (ESIX).” ... The national security memorandum (NSM) plans to tackle the risks posed to encryption by quantum computing. It establishes a national policy to promote U.S. leadership in quantum computing and initiates collaboration among the federal government, industry, and academia as the nation begins migrating to new quantum-resistant cryptographic standards developed by the National Institute of Standards and Technology (NIST).

Industry pushes back against India's data security breach reporting requirements

India's Internet Freedom Foundation has offered an extensive criticism of the regulations, arguing that they were formulated and announced without consultation, lack a data breach reporting mechanism that would benefit end-users, and include data localization requirements that could prevent some cross-border data flows. The foundation also points out that the privacy implications of the rules – especially five-year retention of personal information – is a very significant requirement at a time when India's Draft Data Protection Bill has proven so controversial it has failed to reach a vote in Parliament, and debate about digital privacy in India is ongoing and fierce. Indian outlet Medianama has quoted infosec researcher Anand Venkatanarayanan, who claimed one way to report security incidents to CERT-In involves a non-interactive PDF that has to be printed out and filled in by hand. Venkatanarayanan also pointed out that the rules' requirement to report incidents as trivial as port scanning has not been explained – is it one PDF per IP address scanned, or can one report cover many IP addresses?

When—and how—to prepare for post-quantum cryptography

Consider data shelf life. Some data produced today—such as classified government data, personal health information, or trade secrets—will still be valuable when the first error-corrected quantum computers are expected to become available. For instance, a long-term life insurance contract may already be sensitive to future quantum threats because it could still be active when quantum computers become commercially available. Any long-term data transferred now on public channels will be at risk of interception and future decryption. Because regulations on PQC do not yet exist, the possibility of data transferred today being decrypted in the future does not yet pose a compliance risk. For the moment, far more significant are the future consequences for organizations, for their customers and suppliers, and for those relationships. However, regulatory considerations will also become relevant as the field develops, which could speed up the need for some organizations to act. Just as with data, some critical physical systems developed today ... will still be in use when the first fully error-corrected quantum computer is expected to come online.
If we compare railways with, for example, the banking sector then we see we have some catching up to do but given the fact that we are used to dealing with risks I am confident that this sector is fully able to develop the necessary mechanisms to stay resilient to these new emerging threats. Of course, we can fall victim to some kind of attack someday just like any other organization. It is up to us to be prepared and stay resilient; I am confident we can do that. ... Actually, any technique, tactic, or procedure (TTP) that can be used in other organizations as well. What we will see is, now that our sector is speeding up the digitization process, that the attack surface is broadening and becoming more complex. Trains will become Tesla’s on rails having many connections with other digital services such as the European Rail Traffic Management System (ERTMS) and driving via Automatic Train Automation (ATO). The obvious consequence is that we need to be able to withstand those TTP’s and plan for mitigation in our digital roadmaps. In the most ideal world, we develop our services cybersafe by design and default. There’s work to do there!

How data can improve your website’s accessibility

With an understanding of how data can inform accessibility, it’s time to apply that data towards accessibility improvements. This entails framing your tracked data in the context of Web Content Accessibility Guidelines (WCAG), which provides the latest standards for ensuring web accessibility. ... WCAG 2.1 focuses on five accessibility principles. These are perceivability, operability, understandability, robustness, and conformance. Your KPIs for accessibility should be tied to these features. For example, measure conformance through the number of criteria violations that occur through site testing. This and similar metrics will help you identify areas of improvement. ... Your approach to gathering accessibility data should not be limited to one tool or testing procedure. Instead, diversify your data to ensure quality. Both quantitative and qualitative metrics factor in, including user feedback, numbers of flagged issues, and insights from all kinds of tests and validation procedures. ... The gamut of usability considerations is broader than most testers can accommodate in one go. 

Low Code: Satisfying Meal or Junk Food?

“If low code is treated as strictly an IT tool and excludes the line of business -- just like manual coding -- you seriously run the risk of just creating new technical debt, but with pictures this time,” says Rachel Brennan, vice president of Product Marketing at Bizagi, a low-code process automation provider. However, when no-code and low-code platforms are used as much by citizen developers as by software developers, whether it satisfies the hunger for more development stems from “how” it is used rather than by whom. But first, it's important to note the differences between low-code platforms for developers and those for citizen developers. Low code for the masses usually means visual tools and simple frameworks that mask the complex coded operations that lie beneath. Typically, these tools can only realistically be used for fairly simple applications. “Low-code tools for developers offer tooling, frameworks, and drag-and drop options but ALSO include the option to code when the developer wants to customize the application -- for example, to develop APIs, or to integrate the application with other systems, or to customize front end interfaces,” explains Miguel Valdes Faura

Quote for the day:

"One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man." -- Elbert Hubbard

No comments:

Post a Comment