Daily Tech Digest - December 19, 2023

7 Security Trends to Watch Heading into 2024

Cyberattacks led by nation-state threat actors, as well as politically motivated hacktivist groups, will continue in relation to the active conflicts in Ukraine and Gaza. Vanderlee points out that attacks in these regions may have a higher likelihood of kinetic impact. For example, Sandworm, a threat actor linked with Russia, disrupted the power in Ukraine and caused a power outage in late 2022. “Those are definitely things to watch out for, particularly if you do business in those regions or in countries situated around those regions,” says Vanderlee. ... Cloud migration continues to be a significant theme in the IT space. As more organizations embrace a cloud-first approach, threat actors are looking for ways to target hybrid and multi-cloud environments. Mandiant observed threat actors targeting cloud environments and seeking ways to gain persistence and move laterally in 2023, according to Google Cloud’s Cybersecurity Forecast 2024. That trend is likely to bleed over into 2024; threat actors are going to look for ways to exploit cloud misconfigurations and move laterally across multi-cloud environments.

Internet's deep-level architects slam US, UK, Europe for pushing device-side scanning

Client-side scanning has since reappeared, this time on legislative agendas. And the IAB – a research committee for the Internet Engineering Task Force (IETF), a crucial group of techies who help keep the 'net glued together –thinks that's a bad idea. "A secure, resilient, and interoperable internet benefits the public interest and supports human rights to privacy and freedom of opinion and expression," the IAB declared in a statement just before the weekend. "This is endangered by technologies, such as recent proposals for client-side scanning, that mandate unrestricted access to private content and therefore undermine end-to-end encryption and bear the risk to become a widespread facilitator of surveillance and censorship." ... For the IAB and IETF, client-side scanning initiatives echo other problematic technology proposals – including wiretaps, cryptographic backdoors, and pervasive monitoring. "The IAB opposes technologies that foster surveillance as they weaken the user's expectations of private communication which decreases the trust in the internet as the core communication platform of today's society," the organization wrote. 

Zombie Scrum First Aid

Zombie Scrum is on the rise! What may look like Scrum from a distance often turns out to be anything, but when you take a closer look. Although teams go through the motions of Scrum, Sprints don’t result in valuable outcomes, customers are not involved, teams have little autonomy, and nobody is doing anything to improve. The first response to Zombie Scrum might be to panic, run around, and hide below your desk. That doesn’t usually work. So, for our book, the Zombie Scrum Survival Guide, we created a simple poster that tells you exactly what to do in clear and simple language. ... Complaints, cynicism, and sarcasm don’t help anyone. It may even contribute to teams sliding further into Zombie Scrum. Instead, highlight what works well, where improvements occur, and what is possible when you work together. Use humor to lighten the mood, but not sugarcoat the truth. Facilitate the next Sprint Retrospective with the Liberating Structure ‘Appreciative Interviews’. It helps identify enablers for success in less than one hour. By starting from what goes well — instead of what doesn’t — AI liberates spontaneous momentum and insights for positive change as “hidden” success stories are uncovered. 

On-prem vs cloud storage: Four decisions about data location

For the best performance, system architects need to minimise latency between applications and storage. To access cloud storage via the public internet inevitably increases latency. Internet connections are also more prone to variable performance and general reliability issues. This suggests that for best performance, data should be stored on-premise. For the most critical applications, this is still usually the case. But the decision is not always clear cut. “We know that if you start to run compute on a storage bucket across the wire, you are going to have a performance impact,” cautions Paul Mackay, regional vice-president for EMEA and APAC at cloud data firm Cloudera. ... Even so, optimised on-premise storage can still be the cheaper option. As PA’s Gupta points out, much depends on how new the customer’s on-site infrastructure is, and how much life it has left. Cloud storage also has hidden costs. Data egress is frequently cited as a reason for higher than expected bills, but firms can also find they pay more than expected because they store data for extended periods in expensive tiers rather than dedicated cloud archives. Again, careful application design and a clear picture of data use will minimise this.

Parallels Between Open Source and Fully Remote Team Setups

In open source and remote work, digital communication is the vital link uniting individuals, fostering collaboration and understanding. Beyond information transfer, it builds relationships and transcends cultural differences. Contributors in open source projects require effective digital communication for diverse backgrounds. Platforms like GitHub offer not just code repositories but crucial discussion spaces. Remote work tools like Slack and Zoom create a virtual office, addressing the challenge of sustaining connections. Clarity counters miscommunication, while video meetings provide a personal touch, supporting empathetic communication. Inclusive digital communication ensures accessibility, involving all contributors. ... Open source communities epitomize meritocracies, fostering diversity and innovation by evaluating contributions solely on merit. In remote work, meritocracy shifts the emphasis from productivity to quality and impact, allowing introverted individuals to shine based on tangible outputs, fostering an objective assessment. While offering advantages, challenges include potential “echo chamber” effects and the risk of overlooking diverse contributions. 

The impact of prompt injection in LLM agents

Addressing prompt injection in LLMs presents a distinct set of challenges compared to traditional vulnerabilities like SQL injections. In these types of scenarios, the structured nature of the language allows for parsing and interpretation into a syntax tree, making it possible to differentiate between the core query (code) and user-provided data, and enabling solutions like parameterized queries to handle user input safely. In contrast, LLMs operate on natural language, where everything is essentially user input with no parsing into syntax trees or clear separation of instructions from data. This absence of a structured format makes LLMs inherently susceptible to injection, as they cannot easily discern between legitimate prompts and malicious inputs. Any defensive and mitigation strategies should be created with the assumption that attackers will eventually be able to inject prompts successfully. Firstly, enforcing stringent privilege controls ensures LLMs can access only the essentials, minimizing potential breach points. We should also incorporate human oversight for critical operations to add a layer of validation to safeguard against unintended LLM actions

Navigating cloud concentration and AI lock-in

Although you can choose to reduce the use of a specific cloud provider, it is sometimes nearly impossible to move some applications to other platforms. This is due to the coupling of those applications to the cloud platform and the economic inability to get them off those platforms. To guard against the risks associated with cloud concentration and AI lock-in, IT leaders are exploring strategies to reduce dependency on a single cloud provider. This can include leveraging single-tenant cloud solutions, colocation companies, and hybrid cloud strategies to diversify their cloud deployment and infrastructure. As IT leaders navigate the complex landscape of cloud concentration risks and AI lock-in, it is evident that an agile approach to cloud strategy and AI adoption is mandatory. Organizations can mitigate risks by understanding the nuanced considerations of vendor selection, fostering a multicloud approach, and embracing innovative technologies. At the end of the day, keep your eyes open for the fully optimized solution, and do not focus on just a single cloud provider’s services, including AI.

Will Putting a Dollar Value on Vulnerabilities Help Prioritize Them?

Whether the focus on impact makes VISS any more valuable than other scoring systems is a matter of debate. Any scoring systems should not just replicate what others are already doing, and VISS seems to try to cover some new ground — at least in terms of scope, says Brian Martin, vulnerability historian at Flashpoint, a threat intelligence firm. "Do we need another scoring system? No, but kind of yes," he says. "On one hand, we have too many SSes. We have CVSS version 2, version 3, version 4, we have EPSS, we have the ransomware prediction scoring system — So I'm skeptical, but if it is more direct and to be utilized for a single purpose, such as bug bounties, then I can see it being beneficial." However, companies should not expect prioritizing vulnerabilities using VISS to be any easier than it is with other systems. While VISS may be simpler to calculate, it still requires knowledgeable answers to assign the right level of risk to vulnerabilities, says Tim Jarrett ... "Scoring models are not are not silver bullets," he says. "You actually have to adopt them and use them and feed them. And I think that what this does not do is make the problem of prioritizing vulnerabilities any less labor intensive."

9 tips for achieving IT service delivery excellence

To achieve maximum efficiency, Cziomer also suggests focusing service efforts on DevOps Research and Assessment (DORA) metrics, such as “lead time for change” and “time to restore service.” Customer-centric Net Promoter Scores are equally important, he adds. “To dive deeper into understanding our services, I employ methods like value stream mapping to pinpoint bottlenecks or inefficiencies,” says Cziomer, who feels that proactive approaches such as these enable IT organizations to consistently elevate their service levels. ... Effective IT service delivery begins by creating and standardizing processes and documentation, says Patrick Cannon, field CTO at data center and cloud services firm US Signal. Standardization ensures a consistent end-user experience with outcomes that adhere to established security policies. “It’s also beneficial for effective training and new IT staff onboarding,” he says, adding that when IT understands the needs of each business unit, it opens the way to a more proactive service approach, reducing downtime and fostering innovation.

Architecting for Resilience: Strategies for Fault-Tolerant Systems

A fault-tolerant system can keep working properly even when things go wrong. Faults are any issues that make a system behave differently than expected. Faults can be caused by hardware failure, software bugs, human errors, or environmental factors like power outages. And in complex systems with a lot of services and sub-services, hundreds of servers, and distributed in different Data Centers minor issues happen all the time. ... Testing plays a key role in building resilient, fault-tolerant systems. Testing helps identify and address potential weaknesses before they cause real failures or outages. There are various testing methods focused on resilience, including chaos engineering, stress testing, and load testing. These techniques simulate realistic failure scenarios like hardware crashes, traffic spikes, or database overloads. The goal is to observe how the system responds and find ways to improve fault tolerance. Testing validates whether redundancy, failover, replication, and other strategies work as intended. All big IT companies practice resilience testing. And Netflix is leading here. 

Quote for the day:

"Perhaps the ultimate test of a leader is not what you are able to do in the here and now - but instead what continues to grow long after you're gone" -- Tom Rath

No comments:

Post a Comment