Deepfakes Grow in Sophistication, Cyberattacks Rise Following Ukraine War
The use of deepfakes to evade security controls and compromise organizations is
on the rise among cybercriminals, with researchers seeing a 13% increase in the
use of deepfakes compared with last year. That's according to VMware's eighth
annual "Global Incident Response Threat Report," which says that email is
usually the top delivery method. The study, which surveyed 125 cybersecurity and
incident response (IR) professionals from around the world, also reveals an
uptick in overall cybersecurity attacks since Russia's invasion of Ukraine;
extortionary ransomware attacks including double extortion techniques, data
auctions, and blackmail; and attacks on APIs. "Attackers view IT as the golden
ticket into an organization's network, but unfortunately, it is just the start
of their campaign," explains Rick McElroy, principal cybersecurity strategist at
VMware. "The SolarWinds attack gave threat actors looking to target vendors a
step-by-step manual of how to successfully pull off an attack." He says that
keeping this in mind, IT and security teams need to work hand in hand to ensure
all access points are secure to prevent an attack like that from harming their
own organization.How CFOs and CISOs Can Build Strong Partnerships
“There is no substitute for regular communication,” he said. “In addition to the
formal, structured channels, I have found it most helpful to just talk to Lena
and her team about key initiatives, any issues concerning them, and overall
trends in security and the business more broadly.” If possible, conversations
between the CISO and chief financial officer should also include the chief
privacy officer, said Raj Patel, partner and cybersecurity practice leader at
consulting firm Plante Moran. “Each has a role in protecting data and assets,”
he said. “The conversation can start simply by scheduling a meeting around it.”
These talks should take place at least quarterly, according to Patel, and should
not be focused solely on the budget. “We don’t fight a war on budgets but do
what we need to defend ourselves,” he said. “When our organizations get attacked
every day, we are in a war. Many finance executives focus on a budget and at
times compare it to prior budgets. When it comes to cybersecurity, the focus
needs to be on risk, and allocating financial resources should be based on
risk.”The cloud ate my database
The first version of PostgreSQL was released in 1986, and MySQL followed less
than a decade later in 1995. Neither displaced the incumbents—at least, not for
traditional workloads. MySQL arguably took the smarter path early on, powering a
host of new applications and becoming the “M” in the famous LAMP stack (Linux,
Apache, MySQL, PhP/Perl/Python) that developers used to build the first wave of
websites. Oracle, SQL Server, and DB2, meanwhile, kept to their course of
running the “serious” workloads powering the enterprise. Developers loved these
open source databases because they offered freedom to build without much
friction from traditional gatekeepers like legal and purchasing. Along the way,
open source made inroads with IT buyers, as Gartner showcases. Then the cloud
happened and pushed database evolution into overdrive. Unlike open source, which
came from smaller communities and companies, the cloud came with
multibillion-dollar engineering budgets, as I wrote in 2016. Rather than
reinvent the open source database wheel, the cloud giants embraced databases
such as MySQL and turned them into cloud services like Amazon RDS.Everything CISOs Need to Know About NIST
When it comes to protecting your data, NIST is the gold standard. That said, the
government does not mandate it for every industry. CISOs should comply with NIST
standards, but business leaders can handle risk management with whichever
approach and standards they believe will best suit their business model.
However, federal agencies must use these standards. As the U.S. government
endorses NIST, it came as little surprise when Washington declared these
standards the official security control guidelines for information systems at
federal agencies in 2017. Similarly, if CISOs work with the federal government
as contractors or subcontractors, they must follow NIST security standards. With
that in mind, any contractor who has a history of NIST noncompliance may be
excluded from future government contracts. The Cybersecurity Framework is one of
the most widely adopted standards from NIST. While optional, this framework is a
trusted resource that many companies adhere to when attempting to reduce risk
and improve their cybersecurity systems and management. What Does The Future Hold For Serverless?
In production-level serverless applications, monitoring your application is
paramount to your success. You need to know if you’ve dropped any events, where
the bottlenecks are, and if items are piling up in dead letter queues. Not to
mention you need the ability to trace a transaction end to end. This is an area
that is finally beginning to take off. As more and more serverless production
workloads are coming online, it is becoming increasingly obvious there’s a gap
in this space. Vendors like DataDog, Lumigo, and Thundra all attempt to solve
this problem - with pretty good success. But it needs to be better. In the
future we need tools like what the vendors listed above offer, but with
optimization and insights built-in like AWS Trusted Advisor. We need app
monitoring to evolve. When we hear application monitoring, we need to assume
more than service graphs and queue counts. Application monitoring will become
more than fancy dashboards and slack messages. It will eventually tell us we
provisioned the wrong infrastructure from the workload it sees.Cybersecurity on the board: How the CISO role is evolving for a new era
More and more businesses agree. Gartner's survey of board directors found that
88% view cybersecurity as not only a technical problem for IT departments to
solve, but a fundamental risk to how their businesses operate. That’s hardly
surprising, given the recent history of hacks against private businesses. ...
Ensuring the CISO has a seat on the board is one way of ensuring a company has a
firm handle on how to handle these risks to the business. Even so, says Andrew
Rose, resident CISO at security company Proofpoint, they should be careful in
how they communicate their concerns. “The 'sky is falling' narrative can be used
once or twice, but after that, the board will become a bit numb to it all,” Rose
explains. Forcing boards to prioritise cybersecurity should instead be done
through positive affirmation, argues Carson - and, ideally, be framed in how
shoring up the company’s defences will help it perform better in the long term.
“You need to show them how this is going to help the business be successful, how
it will help employees to do their jobs better, provide value to the
shareholders, [and] return an investment,” he says.
Neuro-symbolic AI brings us closer to machines with common sense
Artificial intelligence research has made great achievements in solving specific
applications, but we’re still far from the kind of general-purpose AI systems
that scientists have been dreaming of for decades. Among the solutions being
explored to overcome the barriers of AI is the idea of neuro-symbolic systems
that bring together the best of different branches of computer science. In a
talk at the IBM Neuro-Symbolic AI Workshop, Joshua Tenenbaum, professor of
computational cognitive science at the Massachusetts Institute of Technology,
explained how neuro-symbolic systems can help to address some of the key
problems of current AI systems. Among the many gaps in AI, Tenenbaum is focused
on one in particular: “How do we go beyond the idea of intelligence as
recognizing patterns in data and approximating functions and more toward the
idea of all the things the human mind does when you’re modeling the world,
explaining and understanding the things you’re seeing, imagining things that you
can’t see but could happen, and making them into goals that you can achieve by
planning actions and solving problems?”
IT Security Decision-Makers Struggle to Implement Strategies
While businesses still have many privileged identities left unprotected, such
as application and machine identities, attackers will continue to exploit and
impact business operations in return for a ransom payment, Carson said. "The
good news is that organizations realize the high priority of protecting
privileged identities," he added. "The sad news is that many privileged
identities are still exposed as it is not enough just to secure human
privileged identities." ... The security gap is not only increasing between
the business and attackers, but also between the IT leaders and the business
executives, according to Carson. "While in some industries this is improving,
the issue still exists," he said. "Until we solve the challenge on how
to communicate the importance of cybersecurity to the executive board and
business, IT security decision-makers will continue to struggle to get the
needed resources and budget to close the security gap." From Carson's
perspective, that means there needs to be a change in the attuite at the
C-suite level.GraphQL is a big deal: Why isn’t it the industry standard for database querying?
What if you could leverage the expressive attributes of SQL and the
flexibility of GraphQL at the same time? There are technologies available that
claim to do that, but they are unlikely to become popular because they end up
being awkward and complex. The awkwardness arises from attempting to force SQL
constructs into GraphQL. But they are different query languages with different
purposes. If developers have to learn how to do SQL constructs in GraphQL,
they might as well use SQL and connect to the database directly. However, all
is not lost. We believe GraphQL will become more expressive over time. There
are proposals to make GraphQL more expressive. These may eventually become
standards. But fundamentally, SQL and GraphQL have different world views,
respectively: uniform backends vs. diverse backends, tables vs. hierarchical
data, and universal querying vs. limited querying. Consequently, they serve
different purposes. ESG: Building On Commitments On The E To Boost The S & The G
The first milestone could very well apply to enhancing data on
anti-corruption. Challenges, of course, exist—corruption tends to be more
political within organisations, and there can be hesitation to report on
incidences of it. Measuring progress on reducing corruption is challenging,
and indicators have to be carefully considered. For example, if the number of
reported cases of crime increases in a given period, it could mean different
things: anti-corruption mechanisms are working better and are well enough
designed to identify corruption; people trust in the whistleblowing system and
feel confident to report; or, indeed, corruption levels are going up.
Nevertheless, academic scholarship and investment in anti-corruption are
resulting in new indicators being developed (for example, the recently updated
Index of Public Integrity [IPI] and the Transparency Index [T-Index] developed
by Professor Alina Mungiu-Pippidi of the Hertie School). Collaboration with
researchers and anti-corruption specialists could help design better
data-collection methods.Quote for the day:
"Leadership is a potent combination of strategy and character. But if you must be without one, be without the strategy." -- Norman Schwarzkopf
No comments:
Post a Comment