7 Security Trends to Watch Heading into 2024
Cyberattacks led by nation-state threat actors, as well as politically motivated
hacktivist groups, will continue in relation to the active conflicts in Ukraine
and Gaza. Vanderlee points out that attacks in these regions may have a higher
likelihood of kinetic impact. For example, Sandworm, a threat actor linked with
Russia, disrupted the power in Ukraine and caused a power outage in late 2022.
“Those are definitely things to watch out for, particularly if you do business
in those regions or in countries situated around those regions,” says Vanderlee.
... Cloud migration continues to be a significant theme in the IT space. As more
organizations embrace a cloud-first approach, threat actors are looking for ways
to target hybrid and multi-cloud environments. Mandiant observed threat actors
targeting cloud environments and seeking ways to gain persistence and move
laterally in 2023, according to Google Cloud’s Cybersecurity Forecast 2024. That
trend is likely to bleed over into 2024; threat actors are going to look for
ways to exploit cloud misconfigurations and move laterally across multi-cloud
environments.
Internet's deep-level architects slam US, UK, Europe for pushing device-side scanning
Client-side scanning has since reappeared, this time on legislative agendas. And
the IAB – a research committee for the Internet Engineering Task Force (IETF), a
crucial group of techies who help keep the 'net glued together –thinks that's a
bad idea. "A secure, resilient, and interoperable internet benefits the public
interest and supports human rights to privacy and freedom of opinion and
expression," the IAB declared in a statement just before the weekend. "This is
endangered by technologies, such as recent proposals for client-side scanning,
that mandate unrestricted access to private content and therefore undermine
end-to-end encryption and bear the risk to become a widespread facilitator of
surveillance and censorship." ... For the IAB and IETF, client-side scanning
initiatives echo other problematic technology proposals – including wiretaps,
cryptographic backdoors, and pervasive monitoring. "The IAB opposes technologies
that foster surveillance as they weaken the user's expectations of private
communication which decreases the trust in the internet as the core
communication platform of today's society," the organization wrote.
Zombie Scrum First Aid
Zombie Scrum is on the rise! What may look like Scrum from a distance often
turns out to be anything, but when you take a closer look. Although teams go
through the motions of Scrum, Sprints don’t result in valuable outcomes,
customers are not involved, teams have little autonomy, and nobody is doing
anything to improve. The first response to Zombie Scrum might be to panic, run
around, and hide below your desk. That doesn’t usually work. So, for our book,
the Zombie Scrum Survival Guide, we created a simple poster that tells you
exactly what to do in clear and simple language. ... Complaints, cynicism, and
sarcasm don’t help anyone. It may even contribute to teams sliding further into
Zombie Scrum. Instead, highlight what works well, where improvements occur, and
what is possible when you work together. Use humor to lighten the mood, but not
sugarcoat the truth. Facilitate the next Sprint Retrospective with the
Liberating Structure ‘Appreciative Interviews’. It helps identify enablers for
success in less than one hour. By starting from what goes well — instead of what
doesn’t — AI liberates spontaneous momentum and insights for positive change as
“hidden” success stories are uncovered.
On-prem vs cloud storage: Four decisions about data location
For the best performance, system architects need to minimise latency between
applications and storage. To access cloud storage via the public internet
inevitably increases latency. Internet connections are also more prone to
variable performance and general reliability issues. This suggests that for best
performance, data should be stored on-premise. For the most critical
applications, this is still usually the case. But the decision is not always
clear cut. “We know that if you start to run compute on a storage bucket across
the wire, you are going to have a performance impact,” cautions Paul Mackay,
regional vice-president for EMEA and APAC at cloud data firm Cloudera. ... Even
so, optimised on-premise storage can still be the cheaper option. As PA’s Gupta
points out, much depends on how new the customer’s on-site infrastructure is,
and how much life it has left. Cloud storage also has hidden costs. Data egress
is frequently cited as a reason for higher than expected bills, but firms can
also find they pay more than expected because they store data for extended
periods in expensive tiers rather than dedicated cloud archives. Again, careful
application design and a clear picture of data use will minimise this.
Parallels Between Open Source and Fully Remote Team Setups
In open source and remote work, digital communication is the vital link uniting
individuals, fostering collaboration and understanding. Beyond information
transfer, it builds relationships and transcends cultural differences.
Contributors in open source projects require effective digital communication for
diverse backgrounds. Platforms like GitHub offer not just code repositories but
crucial discussion spaces. Remote work tools like Slack and Zoom create a
virtual office, addressing the challenge of sustaining connections. Clarity
counters miscommunication, while video meetings provide a personal touch,
supporting empathetic communication. Inclusive digital communication ensures
accessibility, involving all contributors. ... Open source communities epitomize
meritocracies, fostering diversity and innovation by evaluating contributions
solely on merit. In remote work, meritocracy shifts the emphasis from
productivity to quality and impact, allowing introverted individuals to shine
based on tangible outputs, fostering an objective assessment. While
offering advantages, challenges include potential “echo chamber” effects and the
risk of overlooking diverse contributions.
The impact of prompt injection in LLM agents
Addressing prompt injection in LLMs presents a distinct set of challenges
compared to traditional vulnerabilities like SQL injections. In these types of
scenarios, the structured nature of the language allows for parsing and
interpretation into a syntax tree, making it possible to differentiate between
the core query (code) and user-provided data, and enabling solutions like
parameterized queries to handle user input safely. In contrast, LLMs operate
on natural language, where everything is essentially user input with no
parsing into syntax trees or clear separation of instructions from data. This
absence of a structured format makes LLMs inherently susceptible to injection,
as they cannot easily discern between legitimate prompts and malicious inputs.
Any defensive and mitigation strategies should be created with the assumption
that attackers will eventually be able to inject prompts successfully.
Firstly, enforcing stringent privilege controls ensures LLMs can access only
the essentials, minimizing potential breach points. We should also incorporate
human oversight for critical operations to add a layer of validation to
safeguard against unintended LLM actions
Navigating cloud concentration and AI lock-in
Although you can choose to reduce the use of a specific cloud provider, it is
sometimes nearly impossible to move some applications to other platforms. This
is due to the coupling of those applications to the cloud platform and the
economic inability to get them off those platforms. To guard against the risks
associated with cloud concentration and AI lock-in, IT leaders are exploring
strategies to reduce dependency on a single cloud provider. This can include
leveraging single-tenant cloud solutions, colocation companies, and hybrid
cloud strategies to diversify their cloud deployment and infrastructure. As IT
leaders navigate the complex landscape of cloud concentration risks and AI
lock-in, it is evident that an agile approach to cloud strategy and AI
adoption is mandatory. Organizations can mitigate risks by understanding the
nuanced considerations of vendor selection, fostering a multicloud approach,
and embracing innovative technologies. At the end of the day, keep your eyes
open for the fully optimized solution, and do not focus on just a single cloud
provider’s services, including AI.
Will Putting a Dollar Value on Vulnerabilities Help Prioritize Them?
Whether the focus on impact makes VISS any more valuable than other scoring
systems is a matter of debate. Any scoring systems should not just replicate
what others are already doing, and VISS seems to try to cover some new ground
— at least in terms of scope, says Brian Martin, vulnerability historian at
Flashpoint, a threat intelligence firm. "Do we need another scoring system?
No, but kind of yes," he says. "On one hand, we have too many SSes. We have
CVSS version 2, version 3, version 4, we have EPSS, we have the ransomware
prediction scoring system — So I'm skeptical, but if it is more direct and to
be utilized for a single purpose, such as bug bounties, then I can see it
being beneficial." However, companies should not expect prioritizing
vulnerabilities using VISS to be any easier than it is with other systems.
While VISS may be simpler to calculate, it still requires knowledgeable
answers to assign the right level of risk to vulnerabilities, says Tim Jarrett
... "Scoring models are not are not silver bullets," he says. "You actually
have to adopt them and use them and feed them. And I think that what this does
not do is make the problem of prioritizing vulnerabilities any less labor
intensive."
9 tips for achieving IT service delivery excellence
To achieve maximum efficiency, Cziomer also suggests focusing service efforts
on DevOps Research and Assessment (DORA) metrics, such as “lead time for
change” and “time to restore service.” Customer-centric Net Promoter Scores
are equally important, he adds. “To dive deeper into understanding our
services, I employ methods like value stream mapping to pinpoint bottlenecks
or inefficiencies,” says Cziomer, who feels that proactive approaches such as
these enable IT organizations to consistently elevate their service levels.
... Effective IT service delivery begins by creating and standardizing
processes and documentation, says Patrick Cannon, field CTO at data center and
cloud services firm US Signal. Standardization ensures a consistent end-user
experience with outcomes that adhere to established security policies. “It’s
also beneficial for effective training and new IT staff onboarding,” he says,
adding that when IT understands the needs of each business unit, it opens the
way to a more proactive service approach, reducing downtime and fostering
innovation.
Architecting for Resilience: Strategies for Fault-Tolerant Systems
A fault-tolerant system can keep working properly even when things go wrong.
Faults are any issues that make a system behave differently than expected.
Faults can be caused by hardware failure, software bugs, human errors, or
environmental factors like power outages. And in complex systems with a lot of
services and sub-services, hundreds of servers, and distributed in different
Data Centers minor issues happen all the time. ... Testing plays a key role in
building resilient, fault-tolerant systems. Testing helps identify and address
potential weaknesses before they cause real failures or outages. There are
various testing methods focused on resilience, including chaos engineering,
stress testing, and load testing. These techniques simulate realistic failure
scenarios like hardware crashes, traffic spikes, or database overloads. The
goal is to observe how the system responds and find ways to improve fault
tolerance. Testing validates whether redundancy, failover, replication, and
other strategies work as intended. All big IT companies practice resilience
testing. And Netflix is leading here.
Quote for the day:
"Perhaps the ultimate test of a leader
is not what you are able to do in the here and now - but instead what
continues to grow long after you're gone" -- Tom Rath
No comments:
Post a Comment