Daily Tech Digest - March 10, 2023

Why So Much Open Source Software Is Vulnerable to Hackers

A high-risk vulnerability is defined by the Cybersecurity Research Center this way, McGuire said: “They take the advisories from numerous (industry) security feeds, analyze them and send them out to our customers. And as part of this analysis, they assign severity scores. When it comes to open source vulnerabilities, they’re using the CVSS scoring system. It (severity) also depends on whether or not there’s an exploit; whether or not there is a fix available; the type of exploit; how easy it is for somebody to go through and actually exploit the application; whether this can be done remotely; and whether you have access to the running instance. So all these (attributes) are taken into consideration for that score. And then that score is what tells us whether or not it’s a high-severity vulnerability,” McGuire said. Jason Schmitt, general manager of the Synopsys Software Integrity Group, said that the report findings underlined the reality of open source as the underlying foundation of most types of software built today. 

Building An Automation Strategy: A Leadership Quandary

A digital transformation is a colossal effort for an organization and it has multiple parts to it. From legacy modernization, cloud migration, hybrid development and enterprise data management to automation and reporting, everything can fall under the purview of digital transformation. Leaders should know when to take a sequential approach and what needs to be done in parallel so that all of these efforts converge at some point. A digital transformation strategy can't be restricted to the board room, with only outside consultants and CXOs involved and no participation from the department heads and leaders who know which factors contribute to inefficiencies and delays. A bottom-up approach to digital transformation is critical, as it can help in identifying priorities, including which departments need automation, the scope of automation for each department, potential use cases, projected returns and more. This requires leaders to spend time at a grassroots level, explaining their vision and ensuring they have organizational support in turning their digital goals into reality.

Marketing Compliance in 2023: What CPOs Need to Know

Consent refers to the compliance measures taken to abide by laws such as the European Union's General Data Protection Regulation and the various privacy laws in the United States. In order to be in compliance with the law, companies must obtain permission to collect consumer data and track consumer activity across the internet. We most often see this play out online in the form of a pop-up that appears when one visits a website asking the visitor to 'accept' or 'decline' cookies. Another example is the 'opt in to communications' box one checks when sharing an email address with a company. Consumer consent is markedly different from preferences because it requires consumers to give permission for companies to communicate with them and track their activity online. Consent varies, however, between different laws; for example, in the E.U., consumers are required to opt in to cookie tracking, whereas in the United States, consumers would need to object (opt out). All consent laws, however, require companies to make a consumer's data available to them upon request.

8 ways to retain top developer talent

DX takes DevOps to the next level. As Guillermo Rauch, CEO and founder of Vercel told me, “Organizations will move from DevOps to dev experience. Great developer experience leads to better developer productivity and improved developer velocity, directly improving your bottom line. Every organization should be thinking, ‘How do I empower my developers to spend more time on the application and product layer while spending minimal time on the backend and infrastructure layer?’” ... Developers create software for two audiences: users and developers — that is, those developers who will work on the product. For users, product excellence is critical. But for developers, excellence inside the product is extremely important as well, and that has big implications for the business using the software. In this sense, DX is an indication of code quality, which says everything about the viability of software. Here, the importance to the business is two-fold. First, systems with good DX are easier to maintain and extend, with software quality a key differentiator between code that can grow and evolve and code that is doomed to degrade and decay.

Stolen credentials increasingly empower the cybercrime underground

"Unlike most modern organizational security teams, threat actors do not operate in silos, and instead pool resources while learning from one another," the company said. "Flashpoint is finding that adept threat actors and ransomware gangs increasingly share code, in addition to tactics, tools, and procedures—largely thanks to the proliferation of illicit markets." Just as ransomware gangs come and go in what seems like a never-ending cycle of rebranding, illegal markets do, too. While there were several law enforcement takedowns or self-shutdowns of big and long-running cybercrime markets -- SSNDOB, Raid Forums, and Hydra being some notable ones -- others quickly popped up to take their place. Cybercriminals usually maintain alternative communication channels like Telegram, where they can keep each other informed and advertise new alternative markets after one disappears. In fact, just last year Flashpoint recorded 190 new illicit markets emerging.

Darktrace warns of phishing scam powered by ChatGPT

According to Darktrace, there has been a rise in cybercriminals using ChatGPT to create more personalised and authentic-looking phishing emails in an attempt to breach users' finances since the chatbot was released last November, reported The Guardian. However, it's claimed that there isn't so much a new wave of attackers targeting businesses and individual users with phishing techniques as there is a shift in tactics using the Microsoft-backed software. Common features within the emails include "linguistic complexity, including text volume, punctuation and sentence length", while techniques relying on malicious links in the text are decreasing. "We're seeing a big shift. 'Hey, guess what, you've won the lottery…' emails are becoming a thing of the past," Darktrace CEO Poppy Gustafsson told The Times. "Instead, phishing emails are much more about trying to elicit trust and communication. They're bespoke, with much more sophisticated language — the punctuation is changing, the language is changing. It's more about trying to elicit trust."

5 tips for designing a cloud-smart transformation strategy

Don't just "lift and shift" everything as it is during your transition to the cloud. This approach might seem easy but it risks keeping previous mistakes, blunders, and problems in your program. Instead, reconsider everything. Keep what works, replace what doesn't, and discard the rest. Then migrate only the components that your business requires. We have retired (and continue to retire) many workloads in our transition to a hybrid cloud. The traditional practice of "lift and shift" is giving way to a more methodical and strategic approach to modernization. It's a move motivated by years of hard lessons learned and tears shed during previous cloud implementations. Recognize that workloads are inextricably linked and have highly complex dependencies. You can't just move any job to the cloud at random because that might break something. Even if the long-term goal is to move all workloads to the cloud at the same time, containerization and orchestration provide a useful hybrid option for achieving reasonable levels of flexibility and performance.

Synthetic identity fraud calls for a new approach to identity verification

What can be done to tackle the scourge of synthetic identity fraud? At the industry level, lenders and credit bureaus must come together to develop a standard approach for identifying, classifying and reporting synthetic identities. Targeted businesses also need to share data, as criminals use their synthetic identities at (and often defraud) many different organizations as they build their credit histories. Forming a consortium to share intelligence could bring suspicious patterns of activity to light sooner, likely reducing the risk of massive losses. On an organizational level, a multipronged detection strategy is highly recommended. Enterprises need to implement identity verification solutions that combine online and offline data to comprehensively examine risk signals, such as device behavior biometrics, device identity and reputation, email tenure and reputation, mobile phone tenure and reputation, usage patterns of personally identifiable information, and tenure and activity on social media platforms.

US Intelligence Ranks China as Top National Security Threat

The big-picture challenge with China, the report says, is its "capability to directly attempt to alter the rules-based global order in every realm and across multiple regions, as a near-peer competitor that is increasingly pushing to change global norms and potentially threatening its neighbors." The U.S. intelligence report also singles out Beijing for its willingness to use cyber operations and economic espionage to advance its domestic technology capabilities and knowledge and as a domestic and foreign lever to expand the Chinese Communist Party's "technology-driven authoritarianism globally." The country controls key supply chains - for batteries, critical minerals, pharmaceuticals, less advanced semiconductors and solar panels - which Chinese President Xi Jinping in 2020 said the country wouldn't hesitate to use for economic and political gain if required. The intelligence assessment says that this could include cutting off supply to other countries in a time of crisis.

IT leadership: 3 ways to boost your Generational IQ (GQ)

People need to feel heard. Across generations, people put a high value on recognition and respect. As a leader, make sure you have processes that allow you to listen more than you talk. Create plenty of opportunities to show appreciation and respect through both informal recognition processes as well as through formal rewards programs. Leaders who do enough listening (and ask the right questions) can weave generational preferences into how they acknowledge and recognize individuals. With the huge amount of diversity not only across but within generations, using surveys to identify those preferences is a smart way to test what works. A great example of this is customizing how you recognize your team after a big project goes live. A Millennial may value a gift card to use for a trip, while a Boomer may find more value in having their wisdom documented in an online training course for future team members.

Quote for the day:

"A good leader can't get too far ahead of his followers" -- Franklin D. Roosevelt
