Daily Tech Digest - January 11, 2023

WSL stands for writing as a second language. ... Whatever the intention, WSL leads to an overall tone that adds distance between the writer and the reader. And that is precisely the opposite of what is needed now from leaders. If there are fewer opportunities to hear leaders speak in person because so many of us are working from home, then we need to “hear” them speak in their emails. A more conversational writing tone shortens the distance between author and audience. It feels more real, which is what everyone craves at a time when we are living more of our lives online. To guard against WSL, just apply this simple test when reviewing what you’ve written: Does this sound like me? Would I talk like this if I were speaking face-to-face with a colleague? Reading aloud is a good way to check for the WSL problem (especially if, as a leader, someone else is writing the words for you). ... “Expert-itis” happens when people get too close to their subject. They assume everyone else knows as much as they do, so they focus on the nuances of a particular topic or insight without explaining the context.

Attackers Are Already Exploiting ChatGPT to Write Malicious Code

Sergey Shykevich reiterates that with ChatGPT, a malicious actor needs to have no coding experience to write malware: "You should just know what functionality the malware — or any program — should have. ChatGPT will write the code for you that will execute the required functionality." Thus, "the short-term concern is definitely about ChatGPT allowing low-skilled cybercriminals to develop malware," Shykevich says. "In the longer term, I assume that also more sophisticated cybercriminals will adopt ChatGPT to improve the efficiency of their activity, or to address different gaps they may have." From an attacker’s perspective, code-generating AI systems allow malicious actors to easily bridge any skills gap they might have by serving as a sort of translator between languages, added Brad Hong, customer success manager at Horizon3ai. Such tools provide an on-demand means of creating templates of code relevant to an attacker's objectives and cut down on the need for them to search through developer sites such as Stack Overflow and Git, Hong said in an emailed statement to Dark Reading.

Cybersecurity staff are struggling. Here's how to support them better

Cybersecurity professionals are at breaking point, with many fearing they will soon lose their jobs because of a cyberattack and others struggling to cope with the growing strain. Unless businesses act soon, an ever-growing skills gap might become an unbridgeable chasm. ... "Cyber used to be very much off in a darkened room," she says. "And don't get me wrong, there's loads of stuff relating to IT security that people in security still have to do. But you need to be thinking about cyber at the heart of every business process and everything that you do within an organization." And cyber isn't a one-way street -- as well as ensuring the people in security feel part of the broader enterprise, Heneghan says line-of-business professionals must also learn about cyber concerns themselves. Success requires a joined-up approach, where business and security come together and recognize how information integrity isn't just one team's -- or even one person's -- responsibility. "It's about building the fundamental foundation," she says. "It's not acceptable for anyone in an organization not to understand the exposure and the risks around security anymore."

FTC Is Escalating Scrutiny of Dark Patterns, Children’s Privacy

The FTC has publicly identified dark patterns as an enforcement priority. In September 2022, the FTC released a report summarizing concerns that companies are increasingly using sophisticated design practices, known as dark patterns, to trick or manipulate consumers into buying products or services or provide their personal data. The report reflects the FTC’s findings that dark patterns are used in a variety of industries and contexts, including e-commerce, cookie consent banners, children’s apps, and subscription sales. Unlike neutral interfaces, dark patterns often take advantage of consumers’ cognitive biases to steer their conduct or delay access to information needed to make fully informed decisions. The FTC’s research noted that dark patterns are highly effective at influencing consumer behavior. Dark patterns include disguising ads to look like independent content, making it difficult for consumers to cancel subscriptions or charges, burying key terms or junk fees, and tricking consumers into sharing their data. Because dark patterns are covert or otherwise deceptive, many consumers don’t realize they are being manipulated or misled.

8 top priorities for CIOs in 2023

Over the past decade, enterprises have rapidly added powerful technology and cloud-based services to their portfolios. At the same time, they have been much less likely to retire the legacy systems these new tools were meant to replace, creating a complex web of redundant applications and systems, warns VMware CIO Jason Conyard. There’s an industry-wide push to reduce technical and data debt and reallocate those resources toward building the future, Conyard says. “CIOs will be looking to rationalize their technology estate to reduce unnecessary cost and maintenance, and to minimize their security attack surface and privacy exposure.” ... There must be open, transparent, and collaborative working sessions to create alignment on how technology capabilities can be deployed to meet enterprise goals, states Bill Cassidy, CIO at New York Life Insurance. “All participants need to demonstrate strong communication skills, including effective listening, to properly weigh the pros, cons, and tradeoffs of one path of execution versus another,” he adds. ... Organizations that can successfully act on their data insights will thrive, says Dan Krantz, CIO of electronics test and measurement equipment manufacturer Keysight Technologies. 

Learning From Other People’s Mistakes

One prerequisite to this consolidation of wisdom is the need for information sharing. Information about what works and what does not work is needed to enact controls in an environment that help prevent certain events from happening twice. This can be accomplished in several ways. Using organizations such as ISACA® to stay connected to peers working at other enterprises helps professionals converse about relevant topics. But information sharing goes beyond merely discussing what you are working on and how you are solving control problems. There is also a need to discuss what went wrong. This means sharing information about what failed and why. This is hard for several reasons, not the least of which is that it is embarrassing to admit to failure. However, there can also be legal impacts of admitting that something went wrong and that as a result services, people’s data, or even their lives were endangered. ... In short, not all cyberincidents can be attributed to sophisticated nation-state hackers leveraging advanced persistent threats (APTs), phrases such as “we are taking it seriously” notwithstanding.

Developer experience will take center stage in 2023

In order for software companies to win and retain top developer talent, they must be able to provide a great developer experience. To do that, tech leaders must prioritize minimizing toil and frustration in the software development process. Software development is a highly creative process, but is often rife with bottlenecks and inefficiencies that disrupt creative flow. By minimizing bottlenecks like idle time waiting for build and test feedback cycles to complete and inefficient troubleshooting, software development teams will improve productivity while increasing developer happiness. Especially given the uncertain economic outlook, now is the time for companies to focus on solidifying their software development team and upgrading their talent pool. As a result, there will be a greater emphasis on tools that boost productivity so developers can spend more time innovating and creating useful code. This is the best way to attract and retain top talent. When you ask many software development leaders what their average feedback cycle time is, they usually don’t have an answer.

What Are the Advantages of Quantum Computing?

At their core, quantum computers manipulate subatomic particles, making them ideal for atomic and molecular scale research and development. “It can help us solve physics problems where quantum machines and the interrelation of materials or properties are important,” Mark Potter, SVP and CTO of Hewlett Packard Enterprise and director of Hewlett Packard Labs, explained in an interview with ITPro in late 2019. “At an atomic level, quantum computing simulates nature and therefore could help us find new materials or identify new chemical compounds for drug discovery.” Quantum technology is also having an outsized impact on logistics management and route planning. For example, grocery chain Save-On-Foods is using quantum computing to optimize their logistics to become more efficient, save money, and bring fresh food to their customers. Specifically, they were able to reduce the computation time of an optimization task down from 25 hours to only 2 minutes. Another major area of interest is quantum cryptography, which, depending on who you ask, is either a major advantage or a cause for concern.

CISOs Mark Data Proliferation as Growing Security Problem

Claude Mandy, chief evangelist of data security at Symmetry Systems, says data sprawl is a headache for security teams because they have historically designed their security to protect the systems and networks that data is stored or transmitted on, but not the data itself. “As data proliferates outside of these secured environments, they have realized their security is no longer adequate,” he says. “This is particularly concerning when the traditional perimeter that provided some comfort has all but disappeared as organizations have moved to the cloud.” ... In the new era of data security, CISOs must have the ability to learn where sensitive data is anywhere in the cloud environment, who can access that data, and what its security posture is, and to deploy solutions accordingly. “Traditionally, data security has been the ultimate goal of infosec organizations,” says Ravi Ithal, Normalyze CTO and cofounder. “As the volume of data increases and the number of places where data exists increases -- data proliferation -- the number of ways in which it can be accessed and misused also increases.

4 key shifts in the breach and attack simulation (BAS) market

First, they require up-front configuration for their on-site deployments, which may also require customizations to ensure everything works properly with the integrations. Additionally, BAS solutions need to be proactively maintained, and for enterprise environments this often requires dedicated staff. As a result, we’ll see BAS vendors work harder to streamline their product deployments to help reduce the overhead cost for their customers through methods such as providing more SaaS-based offerings. Many BAS tools are designed to conduct automated security control validation. Most have an extensive library of automation modules that can simulate specific threats and malicious behaviors on endpoints, networks, or cloud platforms. BAS vendors tend to compete in the market this way. However, many vendors don’t offer the ability to create or customize modules in a meaningful way. For example, some don’t provide the user with a way to chain attack procedures together, which can be essential when trying to simulate an emerging threat that uses common tactics, techniques, and procedures

Quote for the day:

"A leader is someone people respond to, trust and want to work with." -- @ShawnUpchurch
