Daily Tech Digest - May 09, 2023

A Guide to Steganography: Meaning, Types, Tools, & Techniques

Steganography encodes a secret message within another non-secret object in such a manner as to make the message imperceptible to those who aren’t aware of its presence. Of course, because of this secrecy, steganography generally requires the recipient to be aware that a message is forthcoming. To understand the meaning of steganography, it’s important to know the origins of the technique. The practice of steganography dates back to ancient Greece, from which we also get the word itself: a combination of the Greek words “steganos” (covered or concealed) and “graphein” (writing). ... As you might imagine, steganography can be used for both good and ill. For instance, dissidents living under oppressive regimes can use steganography to hide messages from the government, passing sensitive information within a seemingly innocuous medium. However, digital steganography is also a tool for malicious hackers. An attacker can hide the source code for a malware application inside another supposedly harmless file (such as a text file or an image). A separate program can then extract and run the source code.

How to Trim Your Cloud Budget

An essential first step in cloud budget trimming is to ask the enterprise’s FinOps team to evaluate current usage, Orshaw advises. “You need to have a clear understanding of what you’re using and how much you’re paying,” he says. “Start by looking at your cloud bills and identifying any unused or underutilized resources.” Optimizing current cloud resources can help bring a soaring budget under control. “This means resizing instances, eliminating instances that are no longer needed, and adopting a more granular approach to resource allocation,” Orshaw says. Automated tools can aid in this process, he adds. Virtually all cloud service providers offer some form of cost optimization support. “Understanding these tools and techniques … save organizations a lot of money in the long term,” Ozdemir says. Also consider taking advantage of reserved instances, Orshaw advises. “Reserved instances offer a significant discount over on-demand instances, but require a commitment of at least one year,” he explains. “Reserved instances are best for workloads with predictable usage patterns.”

How Security Architects Fit Into Organizations

The best-known security architecture domains are identity and access management and network security. The latter works on zoning and firewall topics (i.e., how to structure a network to hinder lateral movements while allowing components and applications to interact). Identity and access management covers authentication and authorization for internal employees, but nowadays also for customers, partners, and suppliers interacting with company services and applications. Active directory, LDAP, and identity provider are technologies and buzzwords in this area. The expansion and growth of CISO organizations drive their need for tool support to ensure efficiency, especially for logging network and IAM events, identifying potential attacks, and security incident management. Splunk, Sentinel, Microsoft Defender, and Jira are typical solutions for turning log events into actionable items and managing potential security incidents. Architects help with the initial design and maintain and evolve such solutions over the years.

Overcoming The Dark Side Of Being A Problem-Solver

The truth is, harnessing the superpower of problem solving can be like wielding a double-edged sword. On one hand, it's an essential skill that allows us to navigate through life's challenges and find solutions to complex problems. On the other hand, when taken too far, it can lead to overthinking, anxiety, and a lack of trust in ourselves and others. When we're accustomed to taking charge and finding solutions to challenges, we easily become critical of others and their ability to solve problems. We start to believe that we're the only ones who can fix the issue effectively, while everyone else is incompetent. This lack of trust also extends to ourselves. Constantly anticipating problems and overthinking every situation forces us to doubt our abilities and decisions. We become paralyzed by the fear of making the wrong decision or taking the wrong action, leading to procrastination, analysis paralysis and missed opportunities. So how do we overcome this problem of being a problem solver? How do we ensure our superpowers don't morph into weaknesses? 

9 upskilling tips that pay dividends

CIOs shouldn’t feel they have a responsibility to upskill only their own employees — they should upskill any employee with some degree of technical skills, Ramirez stresses. This is because “we’re shifting toward skills-based staffing to help close the talent gap. It’s the idea that great talent can come from anywhere.” This can be done by utilizing learning platforms and talent marketplaces, where IT employees share their strengths. One way of doing this is by IT posting small projects that employees can work on together, which they find out about through a talent marketplace. ... The speed with which technology changes requires every employee who cares about their job to upskill and train, and Long wants to make that a shared responsibility. “We as a company want to improve skills, but I remind employees they’re the custodian of their career.” Employees have an annual meeting with their manager to set goals in terms of jobs and skills, and Long says he and other leaders are there to help and provide mentorship. From there, it is incumbent upon the employee to schedule a meeting with their manager once a month or quarter to update them on what they’ve done on their development plan, he says.

Review your on-prem ADCS infrastructure before attackers do it for you

If your firm is like a typical firm, your Active Directory infrastructure has been in place for many years. As a result, you may have older settings, leftover services, and older forest and domain settings. Pentesters and attackers will often use the ADCS attacks to showcase how trivial it can be to gain access. As Spectorops have showcased in a whitepaper on the topic, there are several methods to run attack techniques. If your Active Directory certificate template permits client authentication and allows an enrollee to supply an arbitrary subject alternative name (SAN), the attacker can request a certificate based on the vulnerable template and specify an arbitrary SAN. Thus, if the attacker has a password gleaned from a user authenticated on the domain, they can then use various tools to request a certificate and specify that it has the domain administrator as the SAN field. You can already see what’s coming next, because the attacker requested a certificate and has received it with the equivalent of domain administrator rights. Even if you’ve already fixed this potential for breach and pivot in-house, I’d argue that you’d still want to reach out to any consultant you rely on — if they have a weakness, you share the risk.

What happens when we run out of data for AI models

One of the most significant challenges of scaling machine learning models is the diminishing returns of increasing model size. As a model’s size continues to grow, its performance improvement becomes marginal. This is because the more complex the model becomes, the harder it is to optimize and the more prone it is to overfitting. Moreover, larger models require more computational resources and time to train, making them less practical for real-world applications. Another significant limitation of scaling models is the difficulty in ensuring their robustness and generalizability. Robustness refers to a model’s ability to perform well even when faced with noisy or adversarial inputs. Generalizability refers to a model’s ability to perform well on data that it has not seen during training. As models become more complex, they become more susceptible to adversarial attacks, making them less robust. Additionally, larger models memorize the training data rather than learn the underlying patterns, resulting in poor generalization performance. Interpretability and explainability are essential for understanding how a model makes predictions.

5G Networks Are Performing Worse. What’s Going On?

The amount of 5G performance degradation isn’t consistent from country to country, and there are a handful of countries bucking the general trend. Ookla’s speed-test data identifies four: Canada, Italy, Qatar, and the United States. That said, Giles doesn’t believe that means there’s necessarily any common denominator between them. For the United States, Giles suggests, more availability of new spectrum has so far helped operators in the country stay out ahead of growing congestion on the new networks. In Qatar, by contrast, the massive investment around the 2022 FIFA World Cup included building out robust 5G networks. It’s too early to say whether or how 6G development will be affected by 5G’s early stumbles, but there are a handful of possible impacts. It’s conceivable, for example, given the lackluster debut of millimeter-wave, that the industry devotes less time in terahertz-wave research and instead considers how cellular and Wi-Fi technologies could be merged in areas requiring dense coverage.

Radical Transparency: How a Strong Startup Culture can Deliver Success

Culture is a reflection of a company's core values in action. If you know what you want your company to be, the people you want to attract and the type of service you want to be known for, you can define a base set of principles to act as a guiding light. This can keep a company on track and create a body of highly motivated overachievers that are not only incredibly driven, they’re personally invested and incentivized to bring the company and their teams along with them for the ride as they build the business together. Key to this for us has been embracing radical transparency, internally and externally. This enables us to show, not just tell, their true values across every aspect of a company and team. While not easy, it’s an investment that employees and customers appreciate, reward and reciprocate. For example, we allow employees to fully access just about all company data no matter if it relates to customer support, finances or any other area. This is the foundation of a business model that has existed from our outset.

To enable ethical hackers, a law reform is needed

What’s needed is fresh eyes and an outsider mentality to see where issues exist. This is where ethical hacking comes in. An organization can have a legion of external researchers on their side probing continuously for any weaknesses, uncovering vulnerabilities that automated scans and internal teams miss, performing recon to discover new insecure assets. Like cybercriminals, hackers will also be leveraging tools such as publicly available Common Vulnerabilities and Exposures (CVE) databases. They go beyond CVEs in known applications to discover and examine hidden assets that potentially pose a greater risk. One-third of organizations say they monitor less than 75% of their attack surface and 20% believe over half of their attack surface is unknown or not observable. So, it’s easy to understand why cybercriminals with significant and often cheap labor power plus an array of techniques target unknown assets and regularly uncover exploitable vulnerabilities. The way to keep pace and avoid burnout in internal security teams is to engage hackers to work on their behalf by setting up a vulnerability disclosure program (VDP).

Quote for the day:

"Most people live with pleasant illusions, but leaders must deal with hard realities." -- Orrin Woodward

No comments:

Post a Comment