6 principles for building engaged security governance
No governance strategy can be built without knowing where the organization is
currently and where it is going. Start by understanding the organization's core
business practices, its product portfolio, customers, geographical footprint,
and ethos and culture -- all from a security perspective. This should help
answer key security-related questions, such as who does what, why they do it and
for whom. Next gain a better understanding of the organizational structure and
current security standards, guidelines, regulations and frameworks. Get a better
grasp of how security functions operate. Take a comprehensive review of the
security policies in place and how effective they are. Understand the current
state of security procedures, projects and activities, tests and exercises as
well as the current level of information security controls and future roadmap.
Assess the skills and capabilities of security practitioners and their
responsibilities, and benchmark them against industry best practices to expose
the gaps in existing capabilities and activities.
Cyber attribution: Vigilance or distraction?
In some situations, effective attribution can be a valuable source of
intelligence for organizations that suffered a cyber breach. Threat actors go to
great lengths to cover their tracks, and any evidence and facts gathered through
attribution can bring organizations closer to catching the perpetrators.
Deploying a good Cyber Threat Intelligence (CTI) program helps organizations
understand which current or future threats can impact their business operations.
Some organizations don’t treat threat intelligence seriously because they
already have their “go-to” to blame, or they simply believe no one will attack a
small organization. During the WannaCry attack, we witnessed a prime example of
a poor interpretation of threat intelligence, when organizations and ISPs
started blocking access to a sinkhole URL discovered by security researcher
Marcus Hutchins. The URL was not a malicious website: a device that could
connect to it did not activate the malware’s payload, so blocking it resulted
in further infections.
A Comprehensive Checklist For IoT Project Success
IoT projects often require a variety of specialized knowledge and skills, from
edge/gateway device knowledge, to networking, to cloud platform knowledge, to
security and real-time dashboard displays. Building a team with the
appropriate expertise to manage this technology and other necessary skills
helps ensure that the project is designed, developed and implemented
successfully. If you do not have team members on hand with the necessary
expertise, consider outsourcing some or all of the work to third-party IoT
experts. ... IoT systems often need to handle vast amounts of data and
potentially millions of devices at once, and planning for scalability ensures
that the system’s architecture can handle the expected load (network coverage,
reliability, bandwidth, latency, etc.) at the edge and gateway device and
cloud platform level (e.g., end user dashboards, alerts, and more). Best
practices here would include designing for modularity and flexibility, using
scalable technologies, implementing caching and load balancing, and generally
planning for growth.
Principles for Adopting Microservices Successfully
While microservices architecture has many benefits, it also introduces new
challenges and potential pitfalls. One common pitfall to avoid is creating too
many or too few services. Creating too many services can lead to unnecessary
complexity while creating too few services can make it difficult to maintain
and scale the application. It is important to strike a balance by breaking the
application into small, independent services that are focused on specific
business functions. Another common pitfall is not considering the operational
overhead of microservices. ... It is important to ensure the team has the
necessary skills and resources to manage a microservices architecture,
including monitoring, debugging, and deploying services. Finally, it is
important to avoid creating overly coupled services. Services that are tightly
coupled can create dependencies and make it difficult to make changes to the
application. It is important to design services with loose coupling in mind,
ensuring that each service is independent and can be modified or replaced
without affecting other services.
Why Audit Logs Are Important
Audit logs have a different purpose and intended audience when compared to the
system logs written by your application’s code. Whereas those logs are usually
designed to help developers debug unexpected technical errors, audit logs are
primarily a compliance control for monitoring your system’s operation. They’re
helpful to regulatory teams, system administrators and security practitioners
who need to check that correct processes are being followed. Audit logs also
differ in the way they’re stored and retained. They’re usually stored for much
longer periods than application logs, which are unlikely to be kept after an
issue is solved. Because audit logs are a historical record, they could be
retained indefinitely if you have the storage available. ... The information
provided by an audit log entry will vary depending on whether the record
relates to authentication or authorization. If it’s an authentication attempt,
the request will have occurred in the context of a public session.
Authorization logs, written by AuthZ services like Cerbos, will include the
identity of the logged-in user.
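To make the authentication/authorization distinction concrete, here is an added example (not code from the article, and not the record format of Cerbos or any other product) of a small audit log writer and two reviewer queries. It assumes a JSON Lines file, a pre-login "public session" identifier for authentication attempts, and that the authenticated principal is only known at authorization time; the sample events, timestamps, and retention windows are constructed for illustration.

```python
"""Added example: structured audit records that separate authentication
attempts (recorded in a public, pre-login session) from authorization
decisions (which carry the authenticated principal's identity).
All names below are assumptions for illustration; the sample events are
constructed, not taken from any real system."""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone
from typing import Iterator

AUDIT_RETENTION = timedelta(days=365 * 7)   # assumption: audit records kept for years
APP_LOG_RETENTION = timedelta(days=30)      # assumption: debug logs kept briefly


def authn_record(session_id: str, claimed_user: str, method: str,
                 outcome: str, source_ip: str, at: datetime) -> dict:
    """Authentication attempt: nobody is logged in yet, so the record is keyed
    by the public session and the identifier the caller *claimed*, not a principal."""
    return {
        "kind": "authn",
        "ts": at.isoformat(),
        "session_id": session_id,
        "claimed_user": claimed_user,
        "method": method,
        "outcome": outcome,          # "success" | "failure"
        "source_ip": source_ip,
    }


def authz_record(principal: str, action: str, resource: str,
                 decision: str, policy: str, at: datetime) -> dict:
    """Authorization decision: the caller is already authenticated, so the
    record names the principal, what they tried to do, and which policy decided."""
    return {
        "kind": "authz",
        "ts": at.isoformat(),
        "principal": principal,
        "action": action,
        "resource": resource,
        "decision": decision,        # "allow" | "deny"
        "policy": policy,
    }


def write_jsonl(records: list[dict]) -> str:
    """Append-only JSON Lines serialization: one record per line, stable key order."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records) + "\n"


def read_jsonl(text: str) -> Iterator[dict]:
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def denied_by_principal(text: str) -> dict[str, int]:
    """Reviewer query: how many authorization denials each principal received."""
    counts: dict[str, int] = {}
    for r in read_jsonl(text):
        if r["kind"] == "authz" and r["decision"] == "deny":
            counts[r["principal"]] = counts.get(r["principal"], 0) + 1
    return counts


def failed_logins_by_session(text: str) -> dict[str, int]:
    """Reviewer query: failed authentication attempts per public session."""
    counts: dict[str, int] = {}
    for r in read_jsonl(text):
        if r["kind"] == "authn" and r["outcome"] == "failure":
            counts[r["session_id"]] = counts.get(r["session_id"], 0) + 1
    return counts


def is_expired(record: dict, now: datetime) -> bool:
    """Audit records get the long retention window; anything else is treated
    as an application log and ages out quickly."""
    window = AUDIT_RETENTION if record["kind"] in ("authn", "authz") else APP_LOG_RETENTION
    return datetime.fromisoformat(record["ts"]) + window < now


# Constructed sample: one failed then one successful login in the same public
# session, followed by three authorization decisions for the logged-in user.
T0 = datetime(2023, 3, 8, 9, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    authn_record("sess-1", "alice", "password", "failure", "198.51.100.7", T0),
    authn_record("sess-1", "alice", "password", "success", "198.51.100.7", T0 + timedelta(seconds=20)),
    authz_record("alice", "read", "invoice:1001", "allow", "finance.invoice", T0 + timedelta(minutes=1)),
    authz_record("alice", "delete", "invoice:1001", "deny", "finance.invoice", T0 + timedelta(minutes=2)),
    authz_record("alice", "delete", "invoice:1002", "deny", "finance.invoice", T0 + timedelta(minutes=3)),
]
SAMPLE_LOG = write_jsonl(SAMPLE_RECORDS)

if __name__ == "__main__":
    print(SAMPLE_LOG)
    print("denials:", denied_by_principal(SAMPLE_LOG))
    print("failed logins:", failed_logins_by_session(SAMPLE_LOG))
```

The two record shapes are deliberately different: an authentication record never contains a `principal` field because the identity has not been established, only claimed; an authorization record always does. Keeping that distinction explicit is what lets a reviewer answer "who did what" from the authorization stream without mistaking a claimed username in a failed login for a verified identity.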
Quantum Computing Is the Future, and Schools Need to Catch Up
Thankfully, things are starting to change. Universities are exposing students
sooner to once-feared quantum mechanics courses. Students are also learning
through less-traditional means, like YouTube channels or online courses, and
seeking out open-source communities to begin their quantum journeys. And it’s
about time, as demand is skyrocketing for quantum-savvy scientists, software
developers and even business majors to fill a pipeline of scientific talent.
We can’t keep waiting six or more years for every one of those students to
receive a Ph.D., which is the norm in the field right now. Schools are
finally responding to this need. Some universities are offering non-Ph.D.
programs in quantum computing, for example. In recent years, Wisconsin and the
University of California, Los Angeles, have welcomed inaugural classes of
quantum information master’s degree students into intensive year-long
programs. U.C.L.A. ended up bringing in a much larger cohort than the
university anticipated, demonstrating student demand.
Forget the hybrid cloud; it’s time for the confidential cloud
“The use cases are expanding rapidly, particularly at the edge, because as
people start doing AI and machine learning processing at the edge for all
kinds of reasons [such as autonomous vehicles, surveillance infrastructure
management], this activity has remained outside of the security perimeter of
the cloud,” said Lavender. The traditional cloud security perimeter is based
on the idea of encrypting data-at-rest in storage and as it transits across a
network, which makes it difficult to conduct tasks like AI inferencing at the
network’s edge. This is because there’s no way to prevent information from
being exposed during processing. “As the data there becomes more sensitive —
particularly video data, which could have PII information like your face or
your driver’s [license] or your car license [plate] number — there’s a whole
new level of privacy that intersects with confidential computing that needs to
be maintained with these machine learning algorithms doing inferencing,” said
Lavender.
DevOps and Hybrid Cloud: A Q+A With Rosalind Radcliffe
The hardest thing to change in any transformation is the culture. The same is
true in the IBM CIO office. Both new and experienced developers are learning
from each other in a non-penalty environment. Although we have a full hybrid
cloud and systems running in lots of places, the reality is I would like to
run as much as appropriate on IBM Z from a security and availability or
always-on standpoint. I can keep things more available on the platform because
of the hardware stability in addition to all the agile capabilities that I can
exploit. Meanwhile, I continually chip away at the fears and the
misconceptions about development on z/OS. One way to start is by removing that
fear and making it simpler and more accessible. Encouraging people to play
with z/OS in IBM Cloud with Wazi as a Service, allowing them to experiment,
understand and learn in a penalty free environment. They have the freedom to
know they are not breaking an existing system or impacting production.
Cyberattackers Continue Assault Against Fortinet Devices
Fortinet described the attack on its customers' devices in some detail in its
advisory. The attackers had used the vulnerability to modify the device
firmware and add a new firmware file. The attackers gained access to the
FortiGate devices via the FortiManager software and modified the devices'
start-up script to maintain persistence. The malicious firmware could have
allowed for data exfiltration, the reading and writing of files, or given the
attacker a remote shell, depending on the command the software received from
the command-and-control (C2) server, Fortinet stated. More than a half dozen
other files were modified as well. The incident analysis, however, lacked
several critical pieces of information, such as how the attackers gained
privileged access to the FortiManager software and the date of the attack,
among other details. When contacted, the company issued a statement in
response to an interview request: "We published a PSIRT advisory
(FG-IR-22-369) on March 7 that details recommended next steps regarding
CVE-2022-41328," the company said.
3 ways layoffs will impact IT jobs in 2023
With no oversight, shadow IT services and tools increase risk and
vulnerability to attack, or more commonly, poor security hygiene. With
mounting to-do lists and more projects than ever, overworked IT teams may
default to rubber-stamping access in the name of productivity. But failure to
properly govern identities within the organization can lead to a chain
reaction of regulatory and budgetary compliance missteps. Automation tools can
help ease identity governance worries internally, but IT teams should still be
cognizant of what’s being used by employees externally and the business risks
they pose. In the case of shadow IT, too many tech tools and services can be
seen as the problem. But in many ways, they can also serve as a solution. The
right technology can go a long way in alleviating common IT burdens – the key
is choosing solutions that work well within a company’s existing technology
stack. Advocating for software that is easy for employees to use and integrate
will go a long way.
Quote for the day:
"All leaders ask questions, keep
promises, hold themselves accountable and atone for their mistakes." --
James Kouzes and Barry Posner