The waterfall model of development involved the explicit passing of responsibilities between highly specialized design, development, QA, and release teams. It also involved lengthy feedback loops. Scrum and agile methodologies made the entire SDLC more flexible and nimble by introducing sprints and allowing more frequent iterative development and delivery. Further, DevOps and DevSecOps focus on removing the silos between development, operations, and security through tooling and automation. As a result, time to market and quality have improved dramatically. Adding shift left testing into the mix better positions teams to handle the broad range of responsibilities from the design stage through the maintenance stage as effectively as possible. Shift left testing focuses on prevention rather than detection. Shift left benefits include the following: increased efficiency by eliminating bugs earlier in the SDLC; reduced human errors and associated costs; faster delivery and less time between releases; improved software quality; and a competitive advantage.
The blue team is responsible for establishing security measures around an organization's key assets. It therefore starts by gathering data and documenting what needs to be protected, then conducts a risk assessment: identifying threats and the weaknesses those threats could exploit. Blue teams identify critical assets, determine what impact their loss would have on the business, and document the importance of these assets. Following that, employees are educated on security procedures, and stricter password policies are implemented to tighten access to systems. A monitoring tool is often installed to log and check access to systems. As part of regular maintenance, blue teams perform DNS audits, scan internal and external networks for vulnerabilities, and capture network traffic samples. Senior management has a crucial role at this stage, since only they can accept a risk or implement mitigating controls. As a result, security controls are often selected based on their cost-benefit ratio.
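The cost-benefit selection described above can be made explicit in a small risk register. The following Python is an added example, not code from the article: it quantifies each threat as likelihood multiplied by the targeted asset's impact, credits each candidate control with the risk it removes, and ranks controls by net benefit so that the ones that do not pay for themselves are escalated to senior management for a risk-acceptance decision. The asset, threat and control figures are constructed sample data, and treating impact and likelihood as annual quantities is an assumption.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    impact: float  # assumed: loss if the asset is compromised, in currency units


@dataclass
class Threat:
    name: str
    asset: str        # asset the threat targets
    likelihood: float  # assumed: expected occurrences per year


@dataclass
class Control:
    name: str
    threats: tuple    # names of the threats this control mitigates
    cost: float       # annual cost of running the control
    reduction: float  # fraction of the threat likelihood removed (0..1)


def annual_risk(assets, threats):
    """Risk per threat = likelihood x impact of the targeted asset."""
    impact = {a.name: a.impact for a in assets}
    return {t.name: t.likelihood * impact[t.asset] for t in threats}


def evaluate_controls(assets, threats, controls):
    """Rank controls by net benefit; a control that costs more than the risk it
    removes is escalated so management can accept the residual risk or fund it."""
    risk = annual_risk(assets, threats)
    rows = []
    for c in controls:
        benefit = sum(risk[t] * c.reduction for t in c.threats)
        net = benefit - c.cost
        decision = "implement" if net > 0 else "escalate for risk acceptance"
        rows.append((c.name, round(benefit, 2), c.cost, round(net, 2), decision))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def sample_register():
    """Constructed sample data for the walkthrough (not real figures)."""
    assets = [Asset("customer-db", 500_000.0), Asset("build-server", 80_000.0)]
    threats = [
        Threat("credential-stuffing", "customer-db", 0.4),
        Threat("unpatched-vuln", "build-server", 1.5),
        Threat("dns-hijack", "customer-db", 0.05),
    ]
    controls = [
        Control("mfa", ("credential-stuffing",), 30_000.0, 0.9),
        Control("monthly-vuln-scan", ("unpatched-vuln",), 20_000.0, 0.6),
        Control("dnssec-rollout", ("dns-hijack",), 40_000.0, 0.8),
    ]
    return assets, threats, controls


if __name__ == "__main__":
    for row in evaluate_controls(*sample_register()):
        print("%-18s benefit=%10.2f cost=%10.2f net=%10.2f  %s" % row)
```

Running the block prints the ranked table; in the sample data MFA and the scanning cadence pay for themselves, while the DNSSEC rollout removes less risk than it costs and is handed to management rather than silently dropped.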
Think about yourself as a customer for a moment, about how many businesses have your personal information housed in their data warehouses. Even if they have your permission to store your details and notify you of relevant promotional offers, this does not guarantee your information will not be leaked at some point. Data leaks are not going away any time soon, so businesses focused on enhancing personal and relevant customer experiences—while remaining committed to protecting your privacy—are fast waking up to the value of synthesizing their structured data. By structured data, I mean the hundreds/thousands/millions of rows of data that live in places like databases or CSV files. We’re talking about billions of data points, and this number continues to grow. Here, AI trains on the original data and generates a synthetic version of that data which is privacy safe, with zero links back to any original data points. Not only is it statistically representative, but the data can be modified during the synthesization process; for example, an existing bias can be corrected to produce a more balanced data set.
An air-gapped network's DNS server connected to the enterprise IT system has connections to the public DNS system on the internet even if it's kept behind a firewall. That's because of the nature of the DNS system, Uriel Gabay, a Pentera security researcher, tells Information Security Media Group. The DNS is the decentralized system that translates domain names into the numerical IP addresses needed for routing across a network. A large majority of organizations surveyed by IDC earlier this year said they experienced some type of DNS attack in 2022. Most DNS traffic is sent over the UDP protocol, meaning there isn't built-in error detection for packets sent and received as there is in TCP. It's the "received" part of a DNS response that poses a risk. Given the possibility for a DNS request to trace the hops from an air-gapped network to the enterprise network to a public DNS server, a datagram originating from outside the air gap is ultimately received by a computer on the inside. "You allow the response to come into your organization because this is the meaning of allowing the protocol."
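The risk described above, a response datagram from outside arriving at a host inside the isolated segment, is something a defender can audit at the resolver boundary. The following Python is an added example, not code from the article or from Pentera: it parses a DNS response in wire format (header, question, answers, including name compression pointers) and then applies a hypothetical policy that flags any answer for a name outside the internal zones and any oversized TXT record, the two signs that the resolver forwarded outside the air gap and that the reply carries more than an address. The INTERNAL_ZONES list and the max_txt threshold are assumptions, and the packets are constructed inline.

```python
import struct

# Assumed policy: the air-gapped resolver should only ever answer for these zones.
INTERNAL_ZONES = ("corp.example.",)


def read_name(msg, offset):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # pointer ends the field
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:                                # root label
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_response(msg):
    """Parse header, question section and answer section of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        answers.append((name, rtype, msg[offset:offset + rdlen]))
        offset += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def is_internal(name):
    return any(name.endswith(zone) for zone in INTERNAL_ZONES)


def audit(msg, max_txt=64):
    """Return findings for a response that should not have reached the segment."""
    findings = []
    parsed = parse_response(msg)
    if not parsed["is_response"]:
        findings.append("datagram is a query, not a response")
    for name, rtype, rdata in parsed["answers"]:
        if not is_internal(name):
            findings.append("external answer for %s reached the segment" % name)
        if rtype == 16 and len(rdata) > max_txt:       # 16 = TXT
            findings.append("oversized TXT (%d bytes) for %s" % (len(rdata), name))
    return findings


# --- constructed sample packets (not captured traffic) ---------------------
def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(qname, qtype, answers, txid=0x1234):
    """Build a standard response; every answer uses a pointer back to the question name."""
    header = struct.pack("!6H", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
                    for rtype, rdata in answers)
    return header + question + body


GOOD = build_response("files.corp.example.", 1, [(1, bytes([10, 0, 0, 5]))])
SUSPECT = build_response("x.tunnel.example.net.", 16, [(16, bytes([99]) + b"A" * 99)])

if __name__ == "__main__":
    print("internal A record:", audit(GOOD))
    print("external TXT:", audit(SUSPECT))
```

The internal A-record reply produces no findings; the second packet is flagged twice, once because the resolver had to leave the allowed zones to answer it and once because the TXT payload exceeds the threshold. Thresholds like max_txt are tuning knobs to be set from a baseline of the segment's own traffic.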
Private Channels can be accessed by those members of the team who were included in the Private Channel. This is very critical and important to understand. You cannot invite just anyone into a Private Channel: you can only invite users who are already members of the overall Team. In other words, using the example I mentioned above, I can only include John and Mary in the private channel, since they are already members of the Team. I cannot invite David, who is not part of my Team in the first place. So think of Private Channels as almost a separate membership roster within the overall Team roster (membership). ... The Shared Channel is represented by a “shared” icon on the channel name and is only visible to the members of that shared channel. It is invisible to users who are regular team members but not members of that channel. ... You probably already guessed that the file management model for the Shared Channel resembles that of a Private Channel. Just as with a Private Channel, a separate SharePoint site is created. It has the same naming convention: [name of the team]-[name of the shared channel].
“As the cyber threat landscape evolves, we will see the number of cyber events and organizations held to ransom continue to rise,” said James Nunn-Price, growth markets security lead at Accenture. “With this increase, organizations will continue to make significant investments in their situational awareness, threat-based security monitoring, incident response and crisis management practices.” However, many organizations, including those with mature practices, are still overly reliant on people, and that can slow detection and responses, he said. For example, Accenture found that even when security monitoring teams took action to mitigate attacks, it was still too late to stop data exfiltration. Attackers are using the latest tools and automated technologies to strike fast and hard — to exfiltrate key data and damage infrastructure within minutes. “In 2023, more organizations will prioritize fully automated response technology, as the impacts from a successful breach now far outweigh the risks of these newer technologies, which in turn, frees their people up to focus on how the business can become more cyber resilient,” said Nunn-Price.
The second time around, Meta's scientists made the program faster and, in a few cases, more accurate on benchmark tests of machine learning tasks. "Data2vec 2.0 shows that the training speed of self-supervised learning can be substantially improved with no loss in downstream task accuracy," write authors Alexei Baevski, Arun Babu, Wei-Ning Hsu, and Michael Auli, four of the authors of the original Data2vec paper, in this new work, Efficient Self-supervised Learning with Contextualized Target Representations for Vision, Speech and Language, posted on arXiv. The singular accomplishment of this second Data2vec is to reduce the time it takes to train Data2vec. Training a neural net is typically measured in terms of "epochs," meaning the number of times the neural net is given the training examples. It can also be measured by the wall clock time, the literal hours, minutes, and days counted from start to finish. "Experiments show that Data2vec 2.0 can reach the same accuracy as many popular existing algorithms in 2-16x the training speed," they write.
For engineering, procurement and construction (EPC) companies like my company, Black & Veatch (BV), the metaverse opens a door of opportunity. By placing a top priority on developing and maintaining a strong safety culture, these new technologies provide virtual training experiences that can be designed to closely match real-world situations. Using a game-styled approach, workers can practice safety procedures in the metaverse and be better prepared to work on construction sites. The metaverse can be a new creative way for companies to address a variety of hiring and retention challenges in today’s changing work world. According to Indeed, 88% of employers say they now conduct video interviews with candidates. Most companies said this provides them with an opportunity to engage more leaders in the interview process and allows for more flexibility in scheduling. Another way the metaverse could impact talent management is by using virtual worlds to assess and test skills and performance.
FedRAMP Authorization Act - The bill includes a provision to codify into law and update the Federal Risk and Authorization Management Program (FedRAMP). The FedRAMP program is operated by the General Services Administration (GSA) to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal government agencies. Protection of critical infrastructure - This provision enhances the military’s ability to step in and conduct actions in defense against attacks on critical infrastructure. It states that if “the President determines that there is an active, systematic, and ongoing campaign of attacks in cyberspace by a foreign power against the Government or the critical infrastructure of the United States,” the President may authorize the secretary of defense, acting through the commander of Cybercom, to conduct military cyber activities or operations pursuant to existing statutory war powers in foreign cyberspace to deter, safeguard, or defend against such attacks.
Quote for the day:
"Leadership is based on a spiritual quality; the power to inspire, the power to inspire others to follow." -- Vince Lombardi