Only 3% of Open Source Software Bugs Are Actually Attackable, Researchers Say
Determining what is attackable means looking beyond the mere
presence of open source dependencies with known vulnerabilities and examining
how they're actually being used, says Manish Gupta, CEO of ShiftLeft. "There are
many tools out there that can easily find and report on these vulnerabilities.
However, there is a lot of noise in these findings," Gupta says. ... The idea of
analyzing for attackability also involves assessing additional factors like
whether the package that contains the CVE is loaded by the application, whether
it is in use by the application, whether the package is in an
attacker-controlled path, and whether it is reachable via data flows. In
essence, it means taking a simplified threat modeling approach to open source
vulnerabilities, with the goal of drastically cutting down on the fire drills.
CISOs have already become all too familiar with these drills. When a new
high-profile supply chain vulnerability like Log4Shell or Spring4Shell hits the
industry back channels, then blows up into the media headlines, their teams are
called to pull long days and nights figuring out where these flaws impact their
application portfolios, and even longer hours in applying fixes and mitigations
to minimize risk exposures.
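The attackability factors listed above (package loaded, function actually used, reachable from an attacker-controlled path) can be modelled as reachability over a call graph. The following is an added illustration, not ShiftLeft's tool or code; the call graph, package names, entry points and CVE placeholders are all constructed for the example.

```python
from collections import deque

# Constructed sample call graph: caller -> callees (hypothetical names).
CALL_GRAPH = {
    "app.http_handler": ["app.parse_upload", "app.render"],
    "app.parse_upload": ["yaml_lib.load"],
    "app.render": ["template_lib.render"],
    "app.admin_cli": ["archive_lib.extract"],
    "yaml_lib.load": ["yaml_lib.construct"],
    "template_lib.render": [],
    "archive_lib.extract": [],
    "compress_lib.inflate": [],
}

# Scanner findings: package -> (placeholder CVE id, vulnerable function).
FINDINGS = {
    "yaml_lib": ("CVE-PLACEHOLDER-1", "yaml_lib.construct"),
    "archive_lib": ("CVE-PLACEHOLDER-2", "archive_lib.extract"),
    "compress_lib": ("CVE-PLACEHOLDER-3", "compress_lib.inflate"),
    "unused_lib": ("CVE-PLACEHOLDER-4", "unused_lib.run"),
}

# Entry points that handle attacker-controlled input vs. every entry point.
ATTACKER_ENTRY = {"app.http_handler"}
ALL_ENTRY = ATTACKER_ENTRY | {"app.admin_cli"}


def reachable_from(graph, roots):
    """Breadth-first search: every function reachable from the given roots."""
    seen, todo = set(roots), deque(roots)
    while todo:
        node = todo.popleft()
        for callee in graph.get(node, []):
            if callee not in seen:
                seen.add(callee)
                todo.append(callee)
    return seen


def triage(graph, findings, attacker_entry, all_entry):
    """Classify each finding by the factors the article lists."""
    loaded = {func.split(".")[0] for func in graph}      # packages present
    used = reachable_from(graph, all_entry)              # called at all
    exposed = reachable_from(graph, attacker_entry)      # on attacker path
    verdict = {}
    for pkg, (cve, func) in findings.items():
        if pkg not in loaded:
            verdict[cve] = "not loaded"
        elif func not in used:
            verdict[cve] = "loaded, not used"
        elif func not in exposed:
            verdict[cve] = "used, not attacker-reachable"
        else:
            verdict[cve] = "attackable"
    return verdict
```

Only the finding whose vulnerable function sits on a path from the HTTP handler ends up marked attackable; the other three are the "noise" the article describes.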
The Power and Pitfalls of AI for US Intelligence
Depending on the presence or absence of bias and noise within massive data sets,
especially in more pragmatic, real-world applications, predictive analysis has
sometimes been described as “astrology for computer science.” But the same might
be said of analysis performed by humans. A scholar on the subject, Stephen
Marrin, writes that intelligence analysis as a discipline by humans is “merely a
craft masquerading as a profession.” Analysts in the US intelligence community
are trained to use structured analytic techniques, or SATs, to make them aware
of their own cognitive biases, assumptions, and reasoning. SATs—which use
strategies that run the gamut from checklists to matrixes that test assumptions
or predict alternative futures—externalize the thinking or reasoning used to
support intelligence judgments, which is especially important given the fact
that in the secret competition between nation-states not all facts are known or
knowable. But even SATs, when employed by humans, have come under scrutiny by
experts like Chang, specifically for the lack of scientific testing that can
evidence an SAT’s efficacy or logical validity.
Data Modeling and Data Models: Not Just for Database Design
The prevailing application-centric mindset has caused the fundamental problems
that we have today, Bradley said, with multiple disparate copies of the same
concept in system after system after system after system. Unless we replace
that mindset with one that is more data-focused, the situation will continue
to propagate, he said. ... Models have a wide variety of applicable uses and
can present different levels of detail based on the intended user and context.
Similarly, a map is a model that can be used like models are used in a
business. Like data models, there are different levels of maps for different
audiences and different purposes. A map of the counties in an election will
provide a different view than a street map used for finding an address. A
construction team needs a different type of detail on a map they use to
connect a building to city water, and a lesson about different countries on a
globe uses still another level of detail targeted to a different type of user.
Similarly, some models are more focused on communication and others are used
for implementation.
Microverse IDE Unveiled for Web3 Developers, Metaverse Projects
"With Microverse IDE, developers and designers collaboratively build
low-latency, high-performance multiuser Microverse spaces and worlds which can
then be published anywhere," the company said in a June 21 news release. As
part of its Multiverse democratization effort, Croquet has open sourced its
Microverse IDE Metaverse world builder and some related components under the
Apache License Version 2.0 license so developers and adopters can examine, use
and modify the software as needed. ... The California-based Croquet also
announced the availability of its multiplane portal technology, used to
securely connect independent 3D virtual worlds developed by different parties,
effectively creating the Metaverse from independent microservices. These
connections can even span different domains, the company said, thus providing
safe, secure and decentralized interoperability among various worlds
independent of the large technology platforms. "Multiplane portals solve a
fundamental problem in the Metaverse with linking web-based worlds in a secure
and safe way," the company said.
5 Firewall Best Practices Every Business Should Implement
Changes that impact your IT infrastructure happen every single day. You might
install new applications, deploy additional network equipment, grow your user
base, adopt non-traditional work practices, etc. As all this happens, your IT
infrastructure’s attack surface will also evolve. Sure, you can make your
firewall evolve with it. However, making changes to your firewall isn’t
something you should take lightly. A simple mistake can take some services
offline and disrupt critical business processes. Similarly, you could also
expose ports to external access and compromise their security. Before you
apply changes to your firewall, you need to have a change management plan. The
plan should specify the changes you intend to implement and what you hope to
achieve. ... Poorly configured firewalls can be worse than having no firewall,
as a poorly installed firewall will give you a false sense of security. The
same is true with firewalls without proper deployment planning or routine
audits. However, many businesses are prone to these missteps, resulting in
weak network security and a failed investment.
Debate over AI sentience marks a watershed moment
While it is objectively true that large language models such as LaMDA, GPT-3
and others are built on statistical pattern matching, subjectively this
appears like self-awareness. Such self-awareness is thought to be a
characteristic of artificial general intelligence (AGI). Well beyond the
mostly narrow AI systems that exist today, AGI applications are supposed to
replicate human consciousness and cognitive abilities. Even in the face of
remarkable AI advances of the last couple of years there remains a wide
divergence of opinion between those who believe AGI is only possible in the
distant future and others who think this might be just around the corner.
DeepMind researcher Nando de Freitas is in this latter camp. Having worked to
develop the recently released Gato neural network, he believes Gato is
effectively an AGI demonstration, only lacking in the sophistication and scale
that can be achieved through further model refinement and additional computing
power. The deep learning transformer model is described as a “generalist
agent” that performs over 600 distinct tasks with varying modalities,
observations and action specifications.
Data Architecture Challenges
Most traditional businesses preserved data privacy by holding
function-specific data in departmental silos. In that scenario, data used by
one department was not available or accessible by another department. However,
that caused a serious problem in the advanced analytics world, where
360-degree customer data or enterprise marketing data are everyday
necessities. Companies, irrespective of their size, type, or nature of
business, soon realized that to succeed in the digital age, data had to be
accessible and shareable. Then came data science, artificial intelligence
(AI), and a host of related technologies that transformed businesses
overnight. Today, an average business is data-centric, data-driven, and
data-powered. Data is thought of as the new currency in the global economy. In
this globally competitive business world, data in every form is traded and
sold. For example, 360-degree customer data, global sales data, health care
data, and insurance history data are all available with a few keystrokes. A
modern Data Architecture is designed to “eliminate data silos, combining data
from all corners of the company along with external data sources.”
One in every 13 incidents blamed on API insecurity – report
Lebin Cheng, vice president of API security at Imperva, commented: “The
growing security risks associated with APIs correlate with the proliferation
of APIs, combined with the lack of visibility that organizations have into
these ecosystems. At the same time, since every API is unique, every incident
will have a different attack pattern. A traditional approach to security where
one simple patch addresses all vulnerabilities doesn’t work with APIs.” Cheng
added: “The proliferation of APIs, combined with the lack of visibility into
these ecosystems, creates opportunities for massive, and costly, data
leakage.” ... By the same metric, professional services were also highly
exposed to API-related problems (10%-15%) while manufacturing, transportation,
and utilities (all 4-6%) are all in the mid-range. Industries such as
healthcare have less than 1% of security incidents attributable to API-related
security problems. Many organizations are failing to protect their APIs
because doing so requires equal participation from the security and development
teams, which have historically been somewhat at odds.
What Are Deep Learning Embedded Systems And Its Benefits?
Deep learning is a hot topic in machine learning, with many companies looking
to implement it in their products. Here are some benefits that deep learning
embedded systems can offer:
Increased Efficiency and Performance: Deep learning algorithms are incredibly
efficient, meaning they can achieve high-performance levels even when running
on small devices. This means that deep learning embedded systems can be used to
improve the performance of existing devices and platforms or to create new
devices that are powerful and efficient.
Reduced Size and Weight: Deep learning algorithms are often very compact and
can be implemented on small devices without sacrificing too much performance
or capability. This reduces the device's size and weight, making it more
portable and easier to use.
Greater Flexibility: Deep learning algorithms can often exploit complex data
sets to improve performance. This means deep learning embedded systems can be
configured to work with various data sets and applications, giving them
greater flexibility and adaptability.
State-Backed Hackers Using Ransomware as a Decoy for Cyber Espionage Attacks
The activity cluster, attributed to a hacking group dubbed Bronze Starlight by
Secureworks, involves the deployment of post-intrusion ransomware such as
LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0. "The
ransomware could distract incident responders from identifying the threat
actors' true intent and reduce the likelihood of attributing the malicious
activity to a government-sponsored Chinese threat group," the researchers said
in a new report. "In each case, the ransomware targets a small number of
victims over a relatively brief period of time before it ceases operations,
apparently permanently." Bronze Starlight, active since mid-2021, is also
tracked by Microsoft under the emerging threat cluster moniker DEV-0401, with
the tech giant emphasizing its involvement in all stages of the ransomware
attack cycle right from initial access to the payload deployment. ... The key
victims encompass pharmaceutical companies in Brazil and the U.S., a
U.S.-based media organization with offices in China and Hong Kong, electronic
component designers and manufacturers in Lithuania and Japan, a law firm in
the U.S., and an aerospace and defense division of an Indian conglomerate.
Quote for the day:
"Leadership has a harder job to do than just choose sides. It must bring sides together." -- Jesse Jackson