Daily Tech Digest - December 06, 2022

Stealth Data Collection Threatens Employee Privacy

It’s no secret that collecting sensitive information comes with risks, says Alan Brill, senior managing director of the cyber risk practice, at business advisory firm Kroll. “You may be collecting information that's covered by laws or regulations, whether you know it or not,” he warns. “Collecting data that you don’t actually need in order to perform a business process represents 100% risk and 0% value.” Enterprise leadership has to recognize that collecting unneeded information, or information that's not used for intended purposes, can be an actual danger to the organization. “This decision should not be delegated solely to IT leaders,” Brill says. ... The fastest way to identify confidential and unnecessary data is by using advanced data loss prevention (DLP) capabilities to search for specific patterns, such as email addresses, phone numbers, protected health information, and personally identifiable information (PHI/PII) data types, says Doug Saylors, a cybersecurity partner with global technology research and advisory firm ISG. Another protection measure, aimed at limiting traffic visibility, is to require remote workers to use VPN connections whenever linking to the enterprise network, he adds.

AWS names 6 key trends driving machine learning innovation and adoption

Increasing volumes of data, and different types of data, are being used to train ML models. This is the second key trend Saha identified. Organizations are now building models that have been trained on structured data sources such as text, as well as unstructured data types including audio and video. Having the ability to get different data types into ML models has led to the development of multiple services at AWS to help in training models. One such tool that Saha highlighted is SageMaker Data Wrangler, which helps users process unstructured data using an approach that makes it practical for ML training. AWS also added new support for geospatial data in SageMaker this week at the re:Invent conference. ... The final key trend that will drive ML forward is democratizing the technology, making tools and skills accessible to more people. “Customers tell us that they … often have a hard time in hiring all the data science talent that they need,” Saha said. The answers to the challenge of democratization, in Saha’s view, lie in continuing to develop low-code and use case-driven tools, and in education.

Balancing cybersecurity costs and business protection

For many SMEs, cuts to cybersecurity budgets may feel justified due to a lack of breaches encountered in the past. However, the reality is those defences are why they’ve never had an attack. You wouldn’t get rid of a house alarm because you’ve never been burgled. Cybersecurity should be no different. Organisations may also think they can do away with security measures because they’re too small – that they’re not a juicy enough target. But the opposite can be true. Hackers can see smaller businesses as easy prey that won’t have the same calibre of defence as a large corporation – and more likely to give in to demands too. ... When thinking about cybersecurity, another area that is often overlooked is the possibility of human error. While the risk of an employee retaining data accidentally can be just as serious as an external hacker, preventing accidental breaches shouldn’t cost the earth and there are simple ways to minimise the chance of one happening. Regular training is the most effective ways to prevent a slip-up and will empower staff to stay on top of new threats. It’s important, however, that this training is targeted and being applied in the right areas.

Great Leaders Manage Complexity with Self-Awareness and Context Awareness

Undoubtedly, people across organizations have expectations of “leaders.” In a general sense, they expect them to lead. In my experience, this entails a diverse set of expectations from various people within a collective or shared context. The most common expectations I’ve come across are providing answers and clarity, guidance, context, direction and vision, structure, and accountability. Think of how expectations are entangled with the framing of leadership. People seem to have different specific needs to take steps toward something and make progress. My experience is that a person’s historical experiences significantly influence their needs, which vary with context. People’s awareness about themselves, a specific situation, and others vary. So what people think is needed is sometimes not relevant or appropriate. These are some reasons I’ve found the specifics of leadership challenging, to say the least. Some of the sources that I’ve found particularly helpful when managing these challenges—understanding individual and contextual needs—are SCARF by David Rock and Wardley Mapping.

Machine Learning Models: A Dangerous New Attack Vector

Researchers demonstrated how such an attack would work in a POC focused on the PyTorch open source framework, showing also how it could be broadened to target other popular ML libraries, such as TensorFlow, scikit-learn, and Keras. Specifically, researchers embedded a ransomware executable into the model's weights and biases using a technique akin to steganography; that is, they replaced the least significant bits of each float in one of the model's neural layers, Janus says. Next, to decode the binary and execute it, the team used a flaw in PyTorch/pickle serialization format that allows for the loading of arbitrary Python modules and execute methods. They did this by injecting a a small Python script at the beginning of one of the model's files, preceded by an instruction for executing the scrip, Janus says. "The script itself rebuilds the payload from the tensor and injects it into memory, without dropping it to the disk," she says. ... The resulting weaponized model evades current detection from antivirus and endpoint detection and response (EDR) solutions while suffering only a very insignificant loss in efficacy, the researchers said. 

How to get cloud migration right

A successful migration — like a house renovation — begins with an analysis of your current environment. Knowing how DNS/DHCP functions in your environment, as well as identifying adjacent technologies and integrations, security posture, and business processes is a necessary step. It won’t prevent all surprises during migration, but it can help. Next, outline and explore the challenges related to your current network architecture. Stakeholders should arrive with a vision of their ideal infrastructure. What things do they not want to see in their new network? What do they want to prevent, improve, and optimize — and how do they expect the cloud to help? Resilience drives many enterprises to cloud migration. This might occur after crippling outages that disrupt user experiences and business operations. But the hunt for efficiency and new IT initiatives that can reduce service level agreements are also factors. There’s another often-ignored factor that can derail cloud migrations: not including the right stakeholders. In an on-premises environment, the main stakeholders were the data center or network team. Successful cloud migrations demand inclusion. 

When blaming the user for a security breach is unfair – or just wrong

The best place to start is understanding employee roles, resources, and access habits, Laxdal says. For example, financial workers should understand the specific risks to business accounts and social engineering attempts such as BEC scams that may target them. Development departments will have different risk areas to focus on; for example, their IP on hosted servers or malware hidden in public open-source libraries. HR, on the other hand, is dealing with PII (financial, banking, and healthcare information) that shouldn’t be shared over any channel, particularly given that anyone can impersonate a CEO and request files or transfers. “All of these vectors are being used globally against information assets and are overwhelmingly credential-based attacks that are perpetrated through phishing. Users need to understand why and be part of that discussion with real-world examples,” Laxdal explains. “Sit down with your employees, ask about their typical day and access requirements. And understand each functional area of the business so you can design controls and training for their business.”

7 ways to cope with a C-level rival

Embrace and uplift your foe, regardless of whether they embrace and uplift you, advises Paola Saibene, principal consultant at IT and business advisory and consulting firm Resultant. “Your focus should be on revamping, refreshing, reinventing, and progressing, so that you’ll be known as a leader, no matter what,” she says. “If you put your focus on getting better and better, and being inclusive along the way, the rival will have fewer and fewer opportunities to bring you down.” Also try to view the situation from the antagonist’s perspective, no matter how unjustified it may be. “Take the opportunity to bring them into a conversation to deconstruct the issue,” Saibene recommends. “If it’s not a personal issue, it’s solvable.” Finally, if all efforts at compromise fail, feel free to proceed with no regrets, Saibene suggests, fully realizing that you tried your best. As you struggle with your nemesis, it’s important to maintain your composure and not let emotions get in the way of your decision-making process, says Kimberley Tyler-Smith, a former McKinsey & Co. analyst. Currently the strategist at career tech service company Resume Worded, Tyler-Smith advises seeking impartial help.

Data Clean Rooms: Enabling Analytics, Protecting Privacy

According to Forrester, to qualify as a data clean room, security and privacy controls must be embedded in the tool so that enterprise and customer data is protected before it’s shared and analyzed. This means they must include strong identity and access management capabilities, and encryption of data entering the “clean room,” among other protections. But it’s not just the tools that need to incorporate these protections. Forrester says that clean rooms must have processes in place to protect privacy, too. For instance, a critical process would include normalizing data before entering the room and verifying the degree of de-identification when data leaves the room. Another essential piece is a process to assess risks in the data clean room, according to Forrester. Forrester lists two other keys to data clean rooms: transparent data governance controls, and a self-governing analysis experience. One data clean room provider is Snowflake. Originally known for its cloud data warehouse services, the company was already known for working with end-customer data, and it was talking about data clean rooms back in January 2020 as a way to continue data analysis while abiding by new regulations such as GDPR and the California Consumer Privacy Act.

Adopting Low Code/No Code: Six Fitnesses to Look For

LCNC platforms usually offer more than one hosting option. Typical hosting options include the LCNC provider's cloud and self-hosting within your own infrastructure. Choosing the provider's cloud has the benefit of making use of their end-to-end DevOps toolchain which should be operationally easy to manage and in turn, cost-effective. Note that this benefit is best when a significant number of applications are hosted within their environment, and those applications are isolated in nature (meaning, limited integrations with existing applications residing in your hosting infrastructure). You also need to check if the provider's cloud offers transparency to your deployed resources and offers support tiered to your application’s criticality. For example, if you have a significant number of applications developed on the Mendix platform and you plan to build more applications on it, then choosing Mendix Cloud may be cost-effective and operationally simplistic.

Quote for the day:

"Being honest and open is the only way to convince cynical employees that you truly want to establish a partnership with them." - Florence M. Stone

No comments:

Post a Comment