Generative AI is forcing enterprises and policymakers to rewrite the rules of cybersecurity
In a sense, creativity is the new hacker’s currency; it’s used to craft and execute attacks that traditional cybersecurity measures fail to detect and prevent. With 72 percent of white hat hackers believing they’re more creative than AI, it’s safe to assume that bad actors with similar skill sets only need a few creative muscles to cause material problems at scale. From persistent nagging to creative wordplay, hackers can trick an AI model to perform unintended functions and reveal information otherwise meant to be guarded. These prompts don’t need to be complex, and bad actors are constantly exploring new methods to get generative AI models to spill their secrets. The threat landscape for companies innovating with AI just got a lot more complex. So what should we do about it? Just like there are various ways to express a message in English, the same goes for LLM hacks. There are countless different ways to get an AI model to produce toxic or racist content, expose credit card information, or espouse misinformation. The only way to effectively protect AI apps from this volume of attack vectors is with data. A lot of it. Safeguarding against AI threats requires extensive knowledge of what those threats are.
Rejection Doesn't Have to Be a Bad Thing. Here's How You Can Use It as a Tool for Success.
Pain is inevitable, but suffering is optional. Recognize that you have a choice in how you feel about rejection. Whatever story you tell yourself about rejection comes from you. It's up to you to interpret the information that exists in your world. You have the power to flip the script, change the narrative and tell yourself a different story. You can choose to view rejection as a good thing — it means you put yourself out there, asked a tough question and exuded courage. It means you got out of your comfort zone, which always helps us grow and evolve. It means you got to practice a skill (the skill of asking, influencing or selling). That practice will help you grow thicker skin and hone your craft, making you stronger and tougher. With that in mind, you can choose to view rejection as a good thing. ... Once you've been rejected and know why, you can adjust your strategy. You might learn that making calls at lunch time isn't effective because no one answers the phone. You might learn you've been targeting the wrong demographic and need to pick different prospects. You might learn prospecting on the weekdays isn't as effective as prospecting on weekends.
You should be worried about cloud squatting
The core issue is that cloud asset deletions often occur without removing
associated records, which can create security risks for subdomains. Failure to
also delete records allows attackers to exploit subdomains by creating
unauthorized phishing or malware sites. This is called cloud squatting.
Resources are provisioned and deallocated programmatically, typically.
Allocating assets such as virtual servers and storage space is quick, generally
done in seconds, but deallocation is more complex, and that’s where the screwups
occur. ... To mitigate this risk, the security teams design internal tools to
comb through company domains and identify subdomains pointing to cloud provider
IP ranges. These tools check the validity of IP records assigned to the
company’s assets. These are assigned automatically by cloud providers. I always
get nervous when companies create and deploy their own security tools,
considering that they may create a vulnerability. Mitigating cloud squatting is
not just about creating new tools. Organizations can also use reserved IP
addresses. This means transferring their owned IP addresses to the cloud, then
maintaining and deleting stale records, and using DNS names systemically.
Great business partners drive great business performance
A core part of the finance team is also risk management and the ability to say
“No”. Too often finance teams say “No”. My boss says that a CFO is many times a
CF-No. There are two aspects here. To use football parlance, a CFO has not just
to keep score but to score goals. This means that finance teams have to enable
risk-taking. No risk, no gain. Capital allocation and building resilience to
take measured risks is a critical function of the CFO. In a VUCA world,
understanding the risks is a critical imperative. The Covid pandemic and the
Ukraine war have resulted in significant supply chain risks. The rapid pace of
digitisation, AI, and other developments threaten business models. Making sense
of the developments and allowing strategic choices to develop, capital
allocation to be done and monies invested is now engaging CFOs significantly.
The CFO, at times, has to be a CF-No. Exercising this has to be done very
carefully. Done too often, the finance teams become a blocker. But if the teams
have done enough to provide insights, engage well with the business, and develop
trust – saying a “No” is accepted as sage advice by the business. Getting this
right is an art. But this is something that finance teams now have to constantly
work on.
How the new Instegogram threat creates liability for organizations
Under Section 230 of the Communications Decency Act (CDA), companies that offer
web-hosting services are typically shielded from liability for most content that
customers or malicious users place on the websites they host. However, such
protection may cease if the website controls the information content. A company
that uses a social media network to create the picture or develop information
would arguably control that information and thus may not be immune. That is, if
a service provider is "responsible, in whole or in part, for the creation or
development of the offending content," its actions could fall outside the CDA's
protections. Whether the CDA protections extend to damage caused by malware is
still largely an open question of law. Companies could therefore be liable for
third-party damage resulting from an Instegogram attack, even if they did not
know the digital image was infected. As no statutory immunities exist to shield
social media users, a company could be liable for any resulting damage caused by
a criminal hacker's embedded command-and-control infrastructure.
The only CIO resolution that matters
CIOs need to own, or at the very least contribute substantively to, the
overarching narrative regarding IT’s business context — what is going on, what
has gone right, what has gone wrong, which technology developments require
action, and so on. Ideally, the office of the CIO would brief the enterprise
on a systemic basis on these matters. I am thinking of something similar to
the President’s Daily Brief. Four critical decisions need to be made to
establish such a brief: what form should the briefing to take, what subject
areas should we keep an eye on, which constituencies need to be briefed, and
what time frame should we use. Once those decisions have been made, a systemic
program of insight capture must also be instituted for the briefings to be
effective. Such a learning process — observe, orient — can’t be left to
chance. The CIO could assign an individual or set of deputies responsible for
enumerating and sharing targeted insights to critical constituencies on a
daily, weekly, or monthly basis. This knowledge wrangling — and ignorance
vanquishing — operation could work at a departmental or group level and rotate
around the staff on an episodic basis.
A lifecycle is a thing that exists from beginning to end. A product lifecycle
lasts from inception to decommission. A production lifecycle is a regular way
of producing products. A business lifecycle may go from order to ship. A
lifecycle is often not even a thing itself, but just the process a thing goes
through. I am aging each year. ... Architects build things. We are creative
professionals. We make cathedrals. We make solutions. We make better business
outcomes in particular ways. I have never seen a group of people who so deeply
care about the products they create. Delivery of an outcome based on a
business and technology strategy is 90% of architects jobs in practice. This
means we touch a LOT of lifecycles. And that is why we must be so very good at
navigating them. At discussing pros/cons without religious belief, even
without emotion. Building beautiful things is its own reward. How we get there
is part of the price we pay to do it. The actual architecture lifecycle then
is the method used by ALL of the architects in the practice to deliver value
to the organization! But beware, this means all of them. You can’t put
business architects in one stack and solution in another and enterprise in a
third.
The Elusive Quest for DevSecOps Collaboration
While the concept of DevSecOps has been discussed for years as a best practice
for integrating security into development lifecycles, actual adoption has been
gradual at best. As Or Shoshani, CEO of cloud security provider Stream
Security, explains, "In most of the organizations that we have been working
with and exposed to, the SecOps and DevOps are still being separated into two
different groups." The reality is that despite widespread consensus on the
need for closer collaboration between security and development teams,
real-world progress has lagged. Shoshani attributes this to the constant
tension between an exciting vision and on-the-ground implementation realities.
Just as with past innovations like multi-cloud, he notes, "Everybody talks
about it, but the industry isn't ready." Systemic culture shifts take
patience. What's behind this lagging evolution? Incumbent challenges around
processes, mindsets, and communication persist. Groups accustomed to working
in silos and throwing issues "over the wall" resist new rhythms. Security
teams are trying to validate each release phase before the next begins trip up
accelerated development timetables. And without air cover from leadership,
there's little incentive to try.
Building A Secure Foundation: Embracing Best Practices For Coding
Not sure where to start when investing in secure coding practices? Begin with
these tips: Organizations should provide developers with comprehensive
training on secure coding practices. This training should cover topics such as
common vulnerabilities, mitigation techniques and security tools;
Organizations should invest in static analysis tools to help developers
identify and address vulnerabilities in their code. These tools can automate
the process of detecting security flaws, saving developers time and effort;
Organizations should create a culture of security awareness within the
development team. This culture should encourage open communication about
security concerns and promote a shared responsibility for building secure
software applications; Developers should stay up to date on the latest
security threats and vulnerabilities, which can be achieved by reading
security blogs, attending conferences and participating in online forums;
Developers should utilize security tools and resources to identify and address
potential security flaws in their code. These tools can include static
analysis tools, code review tools and security libraries.
From Compliance-First to Risk-First: Why Companies Need a Culture Shift
A paradigm shift is undеrway as businеssеs еvolvе – transitioning from a
traditional "Compliancе-First" approach to a more dynamic and forward-thinking
"Risk-First" mindset. This cultural shift rеcognizеs that compliancе, whilе
еssеntial, should not bе viеwеd in isolation but as an intеgral componеnt of a
broadеr risk managеmеnt strategy. This еvolution is not mеrеly a concеptual
adjustmеnt but a pragmatic nеcеssity, as organizations sееk to proactivеly
idеntify, undеrstand, and mitigatе risks, еnhancing thеir rеsiliеncе and
adaptability in an еvеr-changing businеss еnvironmеnt. This еxamination divеs
into the importance of companies adopting a cultural transformation. This
shift involves shifting from a narrow еmphasis solely on compliancе to a broad
and morе stratеgic еmbracе of risk. Bеyond mеrе obligation, this shift fostеrs
a culturе that mееts rеgulatory rеquirеmеnts and positions organizations to
thrivе amidst uncеrtainty, bolstеring thеir long-tеrm sustainability as wе
еxplorе thе complеxitiеs of this changе, wе uncovеr thе fundamеntal connеction
bеtwееn compliancе and risk.
Quote for the day:
"Great leaders go forward without
stopping, remain firm without tiring and remain enthusiastic while growing"
-- Reed Markham
No comments:
Post a Comment