Think about the normal day for a security analyst. If we’re expecting them to handle alerts, events that have come up, and new attacks that are happening right now—that’s a lot of new information to look at and assess. How much time do they have to read dozens of RSS feeds, research blogs, industry and government reports, security vendor reports, news websites, and GitHub repositories? Collecting and making sense of all that data becomes crucial, but there’s no way individuals can do this on their own quickly enough. Being able to automate that process so you can get to the information that you are going to use now or later and filter out the noise is essential. Obviously, automation is a fundamental capability to reduce the burden of manual review and prioritization of alerts. But while a recent report on cybersecurity automation adoption finds that confidence in automation is rising, only 18% of respondents are applying automation to alert triage. Automation can also help mitigate risk from vulnerabilities in legacy systems.
Boards have reported the use of FAIR provides an organized means through which to identify the value of assets, the design of probable loss scenarios, and providing a means to allocate capital to get the most bang for the buck. Some boards have reported FAIR has been useful in demonstrating to objective third parties, like regulators, that they have been prudent in managing digital risk. Reputational loss is widely considered the largest impact from a cyber incident. Unfortunately, reliable statistics are not yet available, but anecdotal evidence supports the popular belief. ... The ability of the board to appropriately ensure the company has the proper level of cyber resilience requires an understanding of an adverse event but also the total cost of controls, ranging from the mundane to worst-case scenarios. Scenario-based exercises combined with CRQ techniques, like FAIR, provide an objective means to assess materiality, and the most appropriate capital allocation. The allocation of too little capital leaves you exposed, while too much wastes capital that can be better applied other places. Determining the cost of a control is almost always the easy part.
Trip or no trip, lock your SIM card. SIM-jacking (or SIM-swapping, unauthorized port-out or “slamming”) is a real and underreported crime where threat actors pretend to be you, contact your wireless provider and “port over” your SIM card to your (their) “new phone.” Imagine someone stealing your entire online life, including your social media accounts. In other words, your phone number is now theirs. All your password resets now run through the threat actor. Considering how many work credentials, social media accounts and apps run through your phone number, the nightmare of this crime quickly becomes evident. If you haven’t already done so, lock down your SIM card with your wireless provider. ... Use two-factor authentication (2FA) everywhere and with everything. When choosing how to receive the authentication code, always opt for token over text as it’s much more secure. At Black Hat 2022, a Swedish research team demonstrated exactly how insecure text authentications are. If a hacker has your login credentials and phone number, text-based authentication simply won’t protect you.
Published under the GMF think-tank’s Digital Innovation and Democracy Initiative, the report said that while algorithmic audits can help correct for the opacity of AI systems, poorly designed or executed audits are at best meaningless, and at worst can deflect attention from, or even excuse, the harms they are supposed to mitigate. This is otherwise known as “audit-washing”, and the report said many of the tech industry’s current auditing practices provide false assurance because companies are either conducting their own self-assessments or, when there are outside checks, are still assessed according to their own goals rather than conformity to third-party standards. “If well-designed and implemented, audits can abet transparency and explainability,” said the report. “They can make visible aspects of system construction and operation that would otherwise be hidden. Audits can also substitute for transparency and explainability. Instead of relying on those who develop and deploy algorithmic systems to explain or disclose, auditors investigate the systems themselves.
Many companies create business continuity plans to manage a crisis around key business operations. But these plans may overlook specifics for small offshore development teams or not account for intermittent disruptions to internet, power, or other resources that impact an offshore team’s safety, health, or productivity. “If you’re working with a global, distributed team, you need to accept the responsibilities that come with supporting your workforce—whether they are across the world or seated two desks away,” says Andrew Amann, CEO of NineTwoThree Venture Studio. “This means having a plan in place for when a global crisis limits your team members’ ability to work.” Amann offers several recommendations for developing a practical plan. “Cross-train employees, build relationships with development agencies, plan for difficulties with offshore payments, and make sure you stand behind your distributed teams when they need help,” he says.
The road to digital trust is not always smooth sailing. The number one IT challenge cited was managing digital certificates, rated as important by 100% of enterprises, while regulatory compliance and handling the massive scope of what they are protecting was deemed important by 99% of respondents. Other challenges cited in the research included the difficulty of securing a complex dynamic, multivendor network, and a lack of staff expertise. The report also p oint sout that many common security practices have yet to be implemented. ... For companies still looking for ways to improve digital trust, DigiCert recommends making it a strategic imperative securand recognizing the impact it has on business outcomes such as customer loyalty and revenue. DigiCert said it’s also important to remember that digital trust awareness is rising among users and customers, meaning that your business success and reputation are directly tied an organization’s ability to ensure digital trust at a high level.
The researchers focused on a problem known as multiagent reinforcement learning. Reinforcement learning is a form of machine learning in which an AI agent learns by trial and error. Researchers give the agent a reward for “good” behaviors that help it achieve a goal. The agent adapts its behavior to maximize that reward until it eventually becomes an expert at a task. But when many cooperative or competing agents are simultaneously learning, things become increasingly complex. As agents consider more future steps of their fellow agents, and how their own behavior influences others, the problem soon requires far too much computational power to solve efficiently. This is why other approaches only focus on the short term. “The AIs really want to think about the end of the game, but they don’t know when the game will end. They need to think about how to keep adapting their behavior into infinity so they can win at some far time in the future. Our paper essentially proposes a new objective that enables an AI to think about infinity,” says Kim.
Even as layoffs continue, unemployment in the tech sector has remained at near-historic lows, hovering around 2.2%. That compares with the overall US unemployment rate of 3.7% as of October. So far this year, tech industry employment has increased by 193,900 jobs, 28% higher than the same period in 2021, according to a jobs report from CompTIA, a nonprofit association for the IT industry and workforce. “Tech hiring activity remains steady, but there are undoubtedly concerns of a slowing economy,” CompTIA CEO Tim Herbert said in a statement. While November’s job data is not expected to be as robust as the same period a year earlier (when 73,600 jobs were added), the overall projection is that it will remain at a status quo level, with hiring continuing at the same rate as in the last two quarters. “All-in-all, experienced IT Professionals will be in high demand,” Janco said. “Especially those who exhibit a strong work ethic and are results-oriented. Positions that will be in low demand will be administrative and non-line supervisors and managers.”
The FAANG companies (Facebook-Apple-Amazon-Netflix-Google) can afford to pay amazing salaries. But most companies hiring data scientists are not like that. Don’t get me wrong! Data scientists still can make a very decent living! But in the world of actual practicing, non-tech data scientists, things are much more realistic. Unfortunately though, it means I am competing for talent against the FAANG companies. As such I have had to get very creative in where I advertise my postings and do my recruiting. Data scientists will always look for jobs at the FAANG companies, but they don’t always think about non-tech companies as employing data scientists. So this means I have learned that I have to be much more proactive in marketing my open roles. LinkedIn is great and recruiters can be helpful. However, I have also found great success in recruiting in unusual online forums — places like Discord, Slack, and Twitter. But make no mistake: recruiting data scientists is a full-contact sport! It is messy. You have to move quickly.
Once an application architecture and design are defined, security risk assessments should be performed that identify and categorize the inherent security risk of the planned application architecture and the application’s expected functional capabilities. These assessments should be inclusive of types of data, business processes, third-party systems and platforms, and/or information infrastructure with which the application will interact and/or to and from which it will store, process, and transmit data. By gaining insight into inherent security risk, appropriate security control objectives and associated security controls can be defined to manage risk appropriately within the applications. Controls can include, but are not limited to, the use of web application firewalls (WAFs) and application program interface (API) security gateways, encryption capabilities, authentication and secrets management, logging requirements, and other security controls. The identification of security instrumentation requirements should also be included in the architecture and design stage of application development.
Quote for the day:
"Problem-solving leaders have one thing in common: a faith that there's always a better way." -- Gerald M. Weinberg