Daily Tech Digest - May 18, 2022

Google Cloud launches services to bolster open-source security, simplify zero-trust rollouts

On the zero-trust front, Google is introducing BeyondCorp Enterprise Essentials, which is designed to help enterprise customers begin to deploy zero-trust environments. The new solution brings context-aware access controls for SaaS applications or any other apps connected via Security Assertion Markup Language (SAML), which is an XML-based protocol that supports real-time authentication and authorization across federated Web services environments. It also includes threat and data protection capabilities, such as data loss prevention, malware and phishing protection, and URL filtering, integrated in the Chrome browser, according to Potti. “It’s a simple and effective way to protect your workforce, particularly an extended workforce or users who leverage a ‘bring your own device’ model,” Potti stated. “Admins can also use Chrome dashboards to get visibility into unsafe user activity across unmanaged devices.” BeyondCorp Enterprise includes an app and client connector that can simplify connections to apps running on other clouds such as Azure or AWS without the need to open firewalls or set up site-to-site VPN connections, Potti stated.

Deployment of Low-Latency Solutions in the Cloud

Cloud-native environments offer a common platform and interfaces to ease definition and deployment of complex application architectures. This infrastructure enables the use of mature off-the-shelf components to solve common problems such as leader election, service discovery, observability, health-checks, self-healing, scaling, and configuration management. Typically the pattern has been to run containers atop virtual machines in these environments; however, now all the main cloud providers offer bare-metal (or near bare-metal) solutions, so even latency-sensitive workloads can be hosted in the cloud. This is the first iteration of a demonstration of how Chronicle products can be used in these architectures and includes solutions to some of the challenges encountered by our clients in cloud and other environments. By leveraging common infrastructure solutions, we can marry the strengths of Chronicle products with the convenience of modern production environments to provide simple low-latency, operationally robust systems.

FBI and NSA say: Stop doing these 10 things that let the hackers in

The joint alert recommends that MFA be enforced for everyone, especially since RDP is commonly used to deploy ransomware. "Do not exclude any user, particularly administrators, from an MFA requirement," CISA notes. Incorrectly applied privileges or permissions and errors in access control lists can prevent the enforcement of access control rules and could give unauthorized users or system processes access to objects. Of course, make sure software is up to date. But also don't use vendor-supplied default configurations or default usernames and passwords. These might be 'user friendly' and help the vendor deliver faster troubleshooting, but they're often publicly available 'secrets'. The NSA strongly urges admins to remove vendor-supplied defaults in its network infrastructure security guidance. ... "These default credentials are not secure – they may be physically labeled on the device or even readily available on the internet. Leaving these credentials unchanged creates opportunities for malicious activity, including gaining unauthorized access to information and installing malicious software."

The rise of servant leadership

Though the style originated in the 1970s, servant leadership has gained momentum today as the Great Resignation reveals the pandemic’s mental toll on workers and employees leave their jobs in droves in search of more meaningful work. The pressure to attract and retain talent has never been greater, and companies are moving away from command-and-control style leadership in favor of more purpose-driven management, says David Dotlich, president and senior client partner at Korn Ferry. “We’re seeing this as a big trend across all industries,” Dotlich says. More than half of Korn Ferry’s clients now view purpose as the center of their leadership, he says. “They’re signing up for help” to answer those questions of who do we serve, how do we help, how do we make a difference, how do we change the world, and they’re receiving individual training and tools. ... Servant leaders know how to build trust, provide the tools and support that employees need to grow, remove obstacles, listen more and talk less, and let employees create their own path for success. It can backfire though if employees aren’t dedicated to the team’s core mission.

Four ways to combat the cybersecurity skills gap

Some businesses attempt to narrow the gap by retraining their IT professionals. While there is a chance that some employees with technical skills may be able and willing to take on cybersecurity positions, they still need to have someone to teach them. Most cybersecurity experts today are self-taught and there is very little that an organization can do to help because the availability of security certifications is also limited. However, the real problem is that organizations often perceive cybersecurity as something that only the dedicated cybersecurity workforce should deal with. This perception is the cause of several problems mentioned above, for example, the high level of stress and burnout for cybersecurity staff. Security teams often work alone and the rest of the organization is not aware, not educated, and worst of all: does not feel responsible for security. ... The cybersecurity industry is still a bit behind the trends and a lot of tools are still created with dedicated security specialists in mind. Such tools are difficult or even impossible to use in complex environments, 

Why You Should Care About Software Architecture

Broadly speaking, achieving “sustainability” is the focus of architectural work in software products. A software product can be considered sustainable if it is capable of meeting its current requirements, including QARs, without jeopardizing its ability to meet future requirements. As we stated in the previous section, quality attribute requirements drive the architecture, and meeting key QARs is essential to create sustainable architectural designs. Unfortunately, software systems “wear out” over time, as functional enhancements are being implemented, and new design decisions are made, which may stretch or even break the original architectural design. ... How do you know when your software system is wearing out, the same way you know when your car tires are wearing out and need to be replaced? Just as a physician may use many different kinds of tools to assess the health of an individual, different tools help a team assess software architecture fitness. Older systems may be difficult to understand because, as we mentioned earlier, their design decisions and assumptions are often not documented, and documentation, when it exists, is likely to be outdated.

Open-source standard aims to unify incompatible cloud identity systems

In a press release, Strata Identity stated that current popular cloud platforms use proprietary identity systems with individual policy languages, all of which are incompatible with each other. What’s more, each application must be hard-coded to work with a specific identity system, it added. Hexa has been designed to use IDQL to enable any number of identity systems to work together as a unified whole, without making changes to them or to applications, Strata Identity said. It works by abstracting identity and access policies from cloud platforms, authorization systems, data resources, and zero trust networks to discover what policies exist, then translates them from their native syntax into the generic, IDQL declarative policy, the vendor continued. It then orchestrates identity and access instructions across cloud systems and throughout apps, data resources, platforms, and networks by translating back into native, imperative policies of target systems via a cloud-based architecture.

Vulnerabilities found in Bluetooth Low Energy gives hackers access to numerous devices

This issue is believed to be something that can’t be easily patched over or just an error in the Bluetooth specification. This exploit could affect millions of people, as BLE-based proximity authentication was not originally designed for use in critical systems such as locking mechanisms in smart locks, according to NCC Group. “What makes this powerful is not only that we can convince a Bluetooth device that we are near it—even from hundreds of miles away—but that we can do it even when the vendor has taken defensive mitigations like encryption and latency bounding to theoretically protect these communications from attackers at a distance,” said Sultan Qasim Khan, Principal Security Consultant and Researcher at NCC Group. “All it takes is 10 seconds—and these exploits can be repeated endlessly.” To start, the cybersecurity company points out that any product relying on a trusted BLE connection is vulnerable to attacks from anywhere in the world at any given time.

Augmented reality will give us superpowers

Over the next ten years, augmented reality will replace the mobile phone as our primary interface for digital content. Early adopters will embrace the lure of new, magical capabilities. Everyone else, skeptics included, will quickly find themselves at a disadvantage without omniscience, x-ray vision, superhuman recall, and dozens of other capabilities that are not even on the drawing board yet. This will drive adoption as quickly as the transition from flip phones to smartphones. After all, not upgrading your hardware will mean missing out on layers of useful information that everyone else can see. An augmented world is coming — one with the potential to be magical, embellished with artistic content and infused with superhuman abilities. At the same time, there are risks we must avoid, as augmented reality will give tech platforms unprecedented ability to track our activities and mediate our experiences. For these reasons, we need to push for a safe and regulated metaverse, especially the augmented metaverse. It will impact all of our lives in the very near future.

What’s new with ML.NET Automated ML (AutoML) and tooling

Training machine learning models is a time-consuming and iterative task. Automated Machine Learning (AutoML) automates that process by making it easier to find the best algorithm for your scenario and dataset. AutoML is the backend that powers the training experiences in Model Builder and the ML.NET CLI. Last year we announced updates to the AutoML implementation in our Model Builder and ML.NET CLI tools based on Neural Network Intelligence (NNI) and Fast and Lightweight AutoML (FLAML) technologies from Microsoft Research. These updates provided a few benefits and improvements over the previous solution which include: Increase in the number of models explored. ... Until recently, you could only take advantage of these AutoML improvements inside of our tools. We’re excited to announce that we’ve integrated the NNI / FLAML implementations of AutoML into the ML.NET framework so you can use them from a code-first experience. To get started today with the AutoML API install the latest pre-release version of the Microsoft.ML and Microsoft.ML.Auto NuGet packages using the ML.NET daily feed.

Quote for the day:

"Most people live with pleasant illusions, but leaders must deal with hard realities." -- Orrin Woodward
