Daily Tech Digest - December 26, 2023

Generative AI is forcing enterprises and policymakers to rewrite the rules of cybersecurity

In a sense, creativity is the new hacker’s currency; it’s used to craft and execute attacks that traditional cybersecurity measures fail to detect and prevent. With 72 percent of white hat hackers believing they’re more creative than AI, it’s safe to assume that bad actors with similar skill sets only need a few creative muscles to cause material problems at scale. From persistent nagging to creative wordplay, hackers can trick an AI model to perform unintended functions and reveal information otherwise meant to be guarded. These prompts don’t need to be complex, and bad actors are constantly exploring new methods to get generative AI models to spill their secrets. The threat landscape for companies innovating with AI just got a lot more complex. So what should we do about it? Just like there are various ways to express a message in English, the same goes for LLM hacks. There are countless different ways to get an AI model to produce toxic or racist content, expose credit card information, or espouse misinformation. The only way to effectively protect AI apps from this volume of attack vectors is with data. A lot of it. Safeguarding against AI threats requires extensive knowledge of what those threats are. 

Rejection Doesn't Have to Be a Bad Thing. Here's How You Can Use It as a Tool for Success.

Pain is inevitable, but suffering is optional. Recognize that you have a choice in how you feel about rejection. Whatever story you tell yourself about rejection comes from you. It's up to you to interpret the information that exists in your world. You have the power to flip the script, change the narrative and tell yourself a different story. You can choose to view rejection as a good thing — it means you put yourself out there, asked a tough question and exuded courage. It means you got out of your comfort zone, which always helps us grow and evolve. It means you got to practice a skill (the skill of asking, influencing or selling). That practice will help you grow thicker skin and hone your craft, making you stronger and tougher. With that in mind, you can choose to view rejection as a good thing. ... Once you've been rejected and know why, you can adjust your strategy. You might learn that making calls at lunch time isn't effective because no one answers the phone. You might learn you've been targeting the wrong demographic and need to pick different prospects. You might learn prospecting on the weekdays isn't as effective as prospecting on weekends. 

You should be worried about cloud squatting

The core issue is that cloud asset deletions often occur without removing associated records, which can create security risks for subdomains. Failure to also delete records allows attackers to exploit subdomains by creating unauthorized phishing or malware sites. This is called cloud squatting. Resources are provisioned and deallocated programmatically, typically. Allocating assets such as virtual servers and storage space is quick, generally done in seconds, but deallocation is more complex, and that’s where the screwups occur. ... To mitigate this risk, the security teams design internal tools to comb through company domains and identify subdomains pointing to cloud provider IP ranges. These tools check the validity of IP records assigned to the company’s assets. These are assigned automatically by cloud providers. I always get nervous when companies create and deploy their own security tools, considering that they may create a vulnerability. Mitigating cloud squatting is not just about creating new tools. Organizations can also use reserved IP addresses. This means transferring their owned IP addresses to the cloud, then maintaining and deleting stale records, and using DNS names systemically.

Great business partners drive great business performance

A core part of the finance team is also risk management and the ability to say “No”. Too often finance teams say “No”. My boss says that a CFO is many times a CF-No. There are two aspects here. To use football parlance, a CFO has not just to keep score but to score goals. This means that finance teams have to enable risk-taking. No risk, no gain. Capital allocation and building resilience to take measured risks is a critical function of the CFO. In a VUCA world, understanding the risks is a critical imperative. The Covid pandemic and the Ukraine war have resulted in significant supply chain risks. The rapid pace of digitisation, AI, and other developments threaten business models. Making sense of the developments and allowing strategic choices to develop, capital allocation to be done and monies invested is now engaging CFOs significantly. The CFO, at times, has to be a CF-No. Exercising this has to be done very carefully. Done too often, the finance teams become a blocker. But if the teams have done enough to provide insights, engage well with the business, and develop trust – saying a “No” is accepted as sage advice by the business. Getting this right is an art. But this is something that finance teams now have to constantly work on.

How the new Instegogram threat creates liability for organizations

Under Section 230 of the Communications Decency Act (CDA), companies that offer web-hosting services are typically shielded from liability for most content that customers or malicious users place on the websites they host. However, such protection may cease if the website controls the information content. A company that uses a social media network to create the picture or develop information would arguably control that information and thus may not be immune. That is, if a service provider is "responsible, in whole or in part, for the creation or development of the offending content," its actions could fall outside the CDA's protections. Whether the CDA protections extend to damage caused by malware is still largely an open question of law. Companies could therefore be liable for third-party damage resulting from an Instegogram attack, even if they did not know the digital image was infected. As no statutory immunities exist to shield social media users, a company could be liable for any resulting damage caused by a criminal hacker's embedded command-and-control infrastructure. 

The only CIO resolution that matters

CIOs need to own, or at the very least contribute substantively to, the overarching narrative regarding IT’s business context — what is going on, what has gone right, what has gone wrong, which technology developments require action, and so on. Ideally, the office of the CIO would brief the enterprise on a systemic basis on these matters. I am thinking of something similar to the President’s Daily Brief. Four critical decisions need to be made to establish such a brief: what form should the briefing to take, what subject areas should we keep an eye on, which constituencies need to be briefed, and what time frame should we use. Once those decisions have been made, a systemic program of insight capture must also be instituted for the briefings to be effective. Such a learning process — observe, orient — can’t be left to chance. The CIO could assign an individual or set of deputies responsible for enumerating and sharing targeted insights to critical constituencies on a daily, weekly, or monthly basis. This knowledge wrangling — and ignorance vanquishing — operation could work at a departmental or group level and rotate around the staff on an episodic basis.

A lifecycle is a thing that exists from beginning to end. A product lifecycle lasts from inception to decommission. A production lifecycle is a regular way of producing products. A business lifecycle may go from order to ship. A lifecycle is often not even a thing itself, but just the process a thing goes through. I am aging each year. ... Architects build things. We are creative professionals. We make cathedrals. We make solutions. We make better business outcomes in particular ways. I have never seen a group of people who so deeply care about the products they create. Delivery of an outcome based on a business and technology strategy is 90% of architects jobs in practice. This means we touch a LOT of lifecycles. And that is why we must be so very good at navigating them. At discussing pros/cons without religious belief, even without emotion. Building beautiful things is its own reward. How we get there is part of the price we pay to do it. The actual architecture lifecycle then is the method used by ALL of the architects in the practice to deliver value to the organization! But beware, this means all of them. You can’t put business architects in one stack and solution in another and enterprise in a third.

The Elusive Quest for DevSecOps Collaboration

While the concept of DevSecOps has been discussed for years as a best practice for integrating security into development lifecycles, actual adoption has been gradual at best. As Or Shoshani, CEO of cloud security provider Stream Security, explains, "In most of the organizations that we have been working with and exposed to, the SecOps and DevOps are still being separated into two different groups." The reality is that despite widespread consensus on the need for closer collaboration between security and development teams, real-world progress has lagged. Shoshani attributes this to the constant tension between an exciting vision and on-the-ground implementation realities. Just as with past innovations like multi-cloud, he notes, "Everybody talks about it, but the industry isn't ready." Systemic culture shifts take patience. What's behind this lagging evolution? Incumbent challenges around processes, mindsets, and communication persist. Groups accustomed to working in silos and throwing issues "over the wall" resist new rhythms. Security teams are trying to validate each release phase before the next begins trip up accelerated development timetables. And without air cover from leadership, there's little incentive to try.

Building A Secure Foundation: Embracing Best Practices For Coding

Not sure where to start when investing in secure coding practices? Begin with these tips: Organizations should provide developers with comprehensive training on secure coding practices. This training should cover topics such as common vulnerabilities, mitigation techniques and security tools; Organizations should invest in static analysis tools to help developers identify and address vulnerabilities in their code. These tools can automate the process of detecting security flaws, saving developers time and effort; Organizations should create a culture of security awareness within the development team. This culture should encourage open communication about security concerns and promote a shared responsibility for building secure software applications; Developers should stay up to date on the latest security threats and vulnerabilities, which can be achieved by reading security blogs, attending conferences and participating in online forums; Developers should utilize security tools and resources to identify and address potential security flaws in their code. These tools can include static analysis tools, code review tools and security libraries.

From Compliance-First to Risk-First: Why Companies Need a Culture Shift

A paradigm shift is undеrway as businеssеs еvolvе – transitioning from a traditional "Compliancе-First" approach to a more dynamic and forward-thinking "Risk-First" mindset. This cultural shift rеcognizеs that compliancе, whilе еssеntial, should not bе viеwеd in isolation but as an intеgral componеnt of a broadеr risk managеmеnt strategy. This еvolution is not mеrеly a concеptual adjustmеnt but a pragmatic nеcеssity, as organizations sееk to proactivеly idеntify, undеrstand, and mitigatе risks, еnhancing thеir rеsiliеncе and adaptability in an еvеr-changing businеss еnvironmеnt. This еxamination divеs into the importance of companies adopting a cultural transformation. This shift involves shifting from a narrow еmphasis solely on compliancе to a broad and morе stratеgic еmbracе of risk. Bеyond mеrе obligation, this shift fostеrs a culturе that mееts rеgulatory rеquirеmеnts and positions organizations to thrivе amidst uncеrtainty, bolstеring thеir long-tеrm sustainability as wе еxplorе thе complеxitiеs of this changе, wе uncovеr thе fundamеntal connеction bеtwееn compliancе and risk.

Quote for the day:

"Great leaders go forward without stopping, remain firm without tiring and remain enthusiastic while growing" -- Reed Markham

No comments:

Post a Comment