Daily Tech Digest - March 17, 2023

6 principles for building engaged security governance

No governance strategy can be built without knowing where the organization is currently and where it is going. Start by understanding the organization's core business practices, its product portfolio, customers, geographical footprint, and ethos and culture -- all from a security perspective. This should help answer key security-related questions, such as who does what, why they do it and for whom. Next, gain a better understanding of the organizational structure and current security standards, guidelines, regulations and frameworks. Get a better grasp of how security functions operate. Take a comprehensive review of the security policies in place and how effective they are. Understand the current state of security procedures, projects and activities, tests and exercises, as well as the current level of information security controls and the future roadmap. Assess the skills and capabilities of security practitioners and their responsibilities, and benchmark them against best practices in the industry to expose the gaps in existing capabilities and activities.


Cyber attribution: Vigilance or distraction?

In some situations, effective attribution can be a valuable source of intelligence for organizations that suffered a cyber breach. Threat actors go to great lengths to cover their tracks, and any evidence and facts gathered through attribution can bring organizations closer to catching the perpetrators. Deploying a good Cyber Threat Intelligence (CTI) program helps organizations understand which current or future threats can impact their business operations. Some organizations don’t treat threat intelligence seriously because they already have their “go-to” to blame, or they simply believe no one will attack a small organization. During the WannaCry attack, we witnessed a prime example of a poor interpretation of threat intelligence, when organizations and ISPs started blocking access to a sinkhole URL discovered by security researcher Marcus Hutchins. The URL was not a malicious website; rather, a device that could reach it would not activate the malware’s payload, so blocking it resulted in further infections.


A Comprehensive Checklist For IoT Project Success

IoT projects often require a variety of specialized knowledge and skills, from edge/gateway device knowledge, to networking, to cloud platform knowledge, to security and real-time dashboard displays. Building a team with the appropriate expertise to manage this technology and other necessary skills helps ensure that the project is designed, developed and implemented successfully. If you do not have team members on hand with the necessary expertise, consider outsourcing some or all of the work to third-party IoT experts. ... IoT systems often need to handle vast amounts of data and potentially millions of devices at once, and planning for scalability ensures that the system’s architecture can handle the expected load (network coverage, reliability, bandwidth, latency, etc.) at the edge and gateway device and cloud platform level (e.g., end user dashboards, alerts, and more). Best practices here would include designing for modularity and flexibility, using scalable technologies, implementing caching and load balancing, and generally planning for growth.


Principles for Adopting Microservices Successfully

While microservices architecture has many benefits, it also introduces new challenges and potential pitfalls. One common pitfall to avoid is creating too many or too few services. Creating too many services can lead to unnecessary complexity, while creating too few services can make it difficult to maintain and scale the application. It is important to strike a balance by breaking the application into small, independent services that are focused on specific business functions. Another common pitfall is not considering the operational overhead of microservices. ... It is important to ensure the team has the necessary skills and resources to manage a microservices architecture, including monitoring, debugging, and deploying services. Finally, it is important to avoid creating overly coupled services. Services that are tightly coupled create dependencies and make it difficult to change the application. It is important to design services with loose coupling in mind, ensuring that each service is independent and can be modified or replaced without affecting other services.


Why Audit Logs Are Important

Audit logs have a different purpose and intended audience when compared to the system logs written by your application’s code. Whereas those logs are usually designed to help developers debug unexpected technical errors, audit logs are primarily a compliance control for monitoring your system’s operation. They’re helpful to regulatory teams, system administrators and security practitioners who need to check that correct processes are being followed. Audit logs also differ in the way they’re stored and retained. They’re usually stored for much longer periods than application logs, which are unlikely to be kept after an issue is solved. Because audit logs are a historical record, they could be retained indefinitely if you have the storage available. ... The information provided by an audit log entry will vary depending on whether the record relates to authentication or authorization. If it’s an authentication attempt, the request will have occurred in the context of a public session. Authorization logs, written by AuthZ services like Cerbos, will include the identity of the logged-in user.
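As an added example (not code from the article or from Cerbos), the following Python sketch writes authentication attempts and authorization decisions as two distinct audit record kinds, and goes one step beyond the excerpt by hash-chaining the entries so that any later edit to the retained record is detectable; the field names and the chain design are assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed example of an append-only, hash-chained audit log with separate
# record kinds for authentication attempts and authorization decisions.
# Field names (kind, claimed_user, principal, resource, action, effect, policy)
# are assumptions for illustration, not the schema of any real AuthZ product.

class AuditLog:
    def __init__(self):
        self.entries = []

    def _append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        record["ts"] = datetime.now(timezone.utc).isoformat()
        record["prev"] = prev
        # Hash the canonical JSON of the record (minus its own hash) together
        # with the previous hash, so editing or deleting an entry breaks the
        # chain from that point onward.
        body = json.dumps(record, sort_keys=True).encode()
        record["hash"] = hashlib.sha256(prev.encode() + body).hexdigest()
        self.entries.append(record)
        return record

    def authn(self, claimed_user, source_ip, success):
        # An authentication attempt occurs in a public session: there is no
        # logged-in identity yet, only the identifier the caller claimed.
        return self._append({"kind": "authn", "claimed_user": claimed_user,
                             "source_ip": source_ip, "success": success})

    def authz(self, principal, resource, action, effect, policy):
        # An authorization decision is made for an authenticated principal,
        # so the record carries that identity and the policy that decided it.
        return self._append({"kind": "authz", "principal": principal,
                             "resource": resource, "action": action,
                             "effect": effect, "policy": policy})

    def verify(self):
        """True if every entry still matches its content and predecessor."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            expected = hashlib.sha256(
                prev.encode() + json.dumps(body, sort_keys=True).encode()
            ).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True
```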


Quantum Computing Is the Future, and Schools Need to Catch Up

Thankfully, things are starting to change. Universities are exposing students sooner to once-feared quantum mechanics courses. Students are also learning through less-traditional means, like YouTube channels or online courses, and seeking out open-source communities to begin their quantum journeys. And it’s about time, as demand is skyrocketing for quantum-savvy scientists, software developers and even business majors to fill a pipeline of scientific talent. We can’t keep waiting six or more years for every one of those students to receive a Ph.D., which is the norm in the field right now. Schools are finally responding to this need. Some universities are offering non-Ph.D. programs in quantum computing, for example. In recent years, Wisconsin and the University of California, Los Angeles, have welcomed inaugural classes of quantum information master’s degree students into intensive year-long programs. U.C.L.A. ended up bringing in a much larger cohort than the university anticipated, demonstrating student demand.


Forget the hybrid cloud; it’s time for the confidential cloud

“The use cases are expanding rapidly, particularly at the edge, because as people start doing AI and machine learning processing at the edge for all kinds of reasons [such as autonomous vehicles, surveillance infrastructure management], this activity has remained outside of the security perimeter of the cloud,” said Lavender. The traditional cloud security perimeter is based on the idea of encrypting data-at-rest in storage and as it transits across a network, which makes it difficult to conduct tasks like AI inferencing at the network’s edge. This is because there’s no way to prevent information from being exposed during processing. “As the data there becomes more sensitive — particularly video data, which could have PII information like your face or your driver’s [license] or your car license [plate] number — there’s a whole new level of privacy that intersects with confidential computing that needs to be maintained with these machine learning algorithms doing inferencing,” said Lavender.


DevOps and Hybrid Cloud: A Q+A With Rosalind Radcliffe

The hardest thing to change in any transformation is the culture. The same is true in the IBM CIO office. Both new and experienced developers are learning from each other in a non-penalty environment. Although we have a full hybrid cloud and systems running in lots of places, the reality is I would like to run as much as appropriate on IBM Z from a security and availability or always-on standpoint. I can keep things more available on the platform because of the hardware stability in addition to all the agile capabilities that I can exploit. Meanwhile, I continually chip away at the fears and the misconceptions about development on z/OS. One way to start is by removing that fear and making it simpler and more accessible: encouraging people to play with z/OS in IBM Cloud with Wazi as a Service, allowing them to experiment, understand and learn in a penalty-free environment. They have the freedom to know they are not breaking an existing system or impacting production.


Cyberattackers Continue Assault Against Fortinet Devices

Fortinet described the attack on its customers' devices in some detail in its advisory. The attackers had used the vulnerability to modify the device firmware and add a new firmware file. The attackers gained access to the FortiGate devices via the FortiManager software and modified the devices' start-up script to maintain persistence. The malicious firmware could have allowed for data exfiltration, the reading and writing of files, or given the attacker a remote shell, depending on the command the software received from the command-and-control (C2) server, Fortinet stated. More than a half dozen other files were modified as well. The incident analysis, however, lacked several critical pieces of information, such as how the attackers gained privileged access to the FortiManager software and the date of the attack, among other details. When contacted with an interview request, the company issued a statement: "We published a PSIRT advisory (FG-IR-22-369) on March 7 that details recommended next steps regarding CVE-2022-41328."


3 ways layoffs will impact IT jobs in 2023

With no oversight, shadow IT services and tools increase risk and vulnerability to attack or, more commonly, poor security hygiene. With mounting to-do lists and more projects than ever, overworked IT teams may default to rubber-stamping access in the name of productivity. But failure to properly govern identities within the organization can lead to a chain reaction of regulatory and budgetary compliance missteps. Automation tools can help ease identity governance worries internally, but IT teams should still be cognizant of what’s being used by employees externally and the business risks those tools pose. In the case of shadow IT, too many tech tools and services can be seen as the problem. But in many ways, they can also serve as a solution. The right technology can go a long way in alleviating common IT burdens – the key is choosing solutions that work well within a company’s existing technology stack. Advocating for software that is easy for employees to use and integrate will go a long way.


Quote for the day:

"All leaders ask questions, keep promises, hold themselves accountable and atone for their mistakes." -- James Kouzes and Barry Posner