Counting the Cost: The Price of Security Neglect
In the perfect scenario, the benefits of a new security solution will reduce the risk of a cyberattack. But, it’s important to invest with the right security vendor. Any time a vendor has access to a company’s systems and data, that company must assess whether the vendor’s security measures are sufficient. The recent Okta breach highlights the significant repercussions of a security vendor breach on its customers. Okta serves as an identity provider for many organizations, enabling single sign-on (SSO). An attacker gaining access to Okta’s environment could potentially compromise user accounts of Okta customers. Without additional access protection layers, customers may become vulnerable to hackers aiming to steal data, deploy malware, or carry out other malicious activities. When evaluating the privacy risks of security investments, it’s important to consider an organization’s security track record and certification history. ... Security and privacy leaders can bolster their case for additional investments by highlighting costly data breaches, and can tilt the scale in their favor by seeking solutions with strong records in security, privacy, and compliance.
Is Your Test Suite Brittle? Maybe It’s Too DRY
DRY in test code often presents a similar dilemma. While excessive duplication can make tests lengthy and difficult to maintain, misapplying DRY can lead to brittle test suites. Does this suggest that the test code warrants more duplication than the application code? A common solution to brittle tests is to use the DAMP acronym to describe how tests should be written. DAMP stands for "Descriptive and Meaningful Phrases" or "Don’t Abstract Methods Prematurely." Another acronym (we love a good acronym!) is WET: "Write Everything Twice," "Write Every Time," "We Enjoy Typing," or "Waste Everyone’s Time." The literal definition of DAMP has good intention - descriptive, meaningful phrases and knowing the right time to extract methods are essential when writing software. However, in a more general sense, DAMP and WET are opposites of DRY. The idea can be summarized as follows: Prefer more duplication in tests than you would in application code. However, the same concerns of readability and maintainability exist in application code as in test code. Duplication of concepts causes the same problems of maintainability in test code as in application code.
PCI Launches Payment Card Cybersecurity Effort in the Middle East
The PCI SSC plans to work closely with any organization that handles payments
within the Middle East payment ecosystem, with a focus on security, says Nitin
Bhatnagar, PCI Security Standards Council regional director for India and
South Asia, who will now also oversee efforts in the Middle East.
"Cyberattacks and data breaches on payment infrastructure are a global
problem," he says. "Threats such as malware, ransomware, and phishing attempts
continue to increase the risk of security breaches. Overall, there is a need
for a mindset change." The push comes as the payment industry itself faces
significant changes, with alternatives to traditional payment cards taking
off, and as financial fraud has grown in the Middle East. ... The Middle East
is one region where the changes are most pronounced. Middle East consumers
prefer digital wallets to cards, 60% to 27%, as their most preferred method of
payment, while consumers in the Asia-Pacific region slightly prefer cards, 43%
to 38%, according to an August 2021 report by consultancy McKinsey &
Company.
4 ways connected cars are revolutionising transportation
Connected vehicles epitomize the convergence of mobility and data-driven
technology, heralding a new era of transportation innovation. As cars evolve
into sophisticated digital platforms, the significance of data management and
storage intensifies. The storage industry must remain agile, delivering
solutions that cater to the evolving needs of the automotive sector. By
embracing connectivity and harnessing data effectively, stakeholders can
unlock new levels of safety, efficiency, and innovation in modern
transportation. ... Looking ahead, connected cars are poised to transform
transportation even further. As vehicles become more autonomous and
interconnected, the possibilities for innovation are limitless. Autonomous
driving technologies will redefine personal mobility, enabling efficient and
safe transportation solutions. Data-driven services will revolutionise vehicle
ownership, offering personalised experiences tailored to individual
preferences. Furthermore, the integration of connected vehicles with smart
cities will pave the way for sustainable and efficient urban transportation
networks.
Looking outside: How to protect against non-Windows network vulnerabilities
Security administrators running Microsoft systems spend a lot of time
patching Windows components, but it’s also critical to ensure that you
place your software review resources appropriately – there’s more out
there to worry about than the latest Patch Tuesday. ... Review the
security and patching status of your edge, VPN, remote access, and
endpoint security. Each of these endpoint software has been used as an
entryway into many governments and corporate networks. Be prepared to
immediately patch and or disable any of these software tools at a moment’s
notice should the need arise. Ensure that you have a team dedicated to
identifying and tracking resources to help alert you to potential
vulnerabilities and attacks. Resources such as CISA can keep you alerted
as can making sure you are signed up for various security and vendor
alerts as well as having staff that are aware of the various security
discussions online. These edge devices and software should always be kept
up to date and you should review life cycle windows as well as newer
technology and releases that may decrease the number of emergency patching
sessions your Edge team finds themselves in.
Application Delivery Controllers: A Key to App Modernization
As the infrastructure running our applications has grown more complex, the
supporting systems have evolved to be more sophisticated. Load balancers,
for example, have been largely superseded by application delivery
controllers (ADCs). These devices are usually placed in a data center
between the firewall and one or more application servers, an area known as
the demilitarized zone (DMZ). While first-generation ADCs primarily
handled application acceleration and load balancing between servers,
modern enterprise ADCs have considerably expanded capabilities and have
evolved into feature-rich platforms. Modern ADCs include such capabilities
as traffic shaping, SSL/TLS offloading, web application firewalls (WAFs),
DNS, reverse proxies, security analytics, observability and more. They
have also evolved from pure hardware form factors to a mixture of hardware
and software options. One leader of this evolution is NetScaler, which
started more than 20 years ago as a load balancer. In the late 1990s and
early 2000s, it handled the majority of internet traffic.
Curbing shadow AI with calculated generative AI deployment
IT leaders countered by locking down shadow IT or making uneasy peace with
employees consuming their preferred applications and compute resources.
Sometimes they did both. Meanwhile, another unseemly trend unfolded, first
slowly, then all at once. Cloud consumption became unwieldy and costly,
with IT shooting itself in the foot with misconfigurations and
overprovisioning among other implementation errors. As they often do when
investment is measured versus business value, IT leaders began looking for
ways to reduce or optimize cloud spending. Rebalancing IT workloads
became a popular course correction as organizations realized applications
may run better on premises or in other clouds. With cloud vendors
backtracking on data egress fees, more IT leaders have begun reevaluating
their positions. Make no mistake: The public cloud remains a fine
environment for testing and deploying applications quickly and scaling
them rapidly to meet demand. But it also makes organizations susceptible
to unauthorized workloads. The growing democratization of AI capabilities
is an IT leader’s governance nightmare.
CIOs eager to scale AI despite difficulty demonstrating ROI, survey finds
“Today’s CIOs are working in a tornado of innovation. After years of IT
expanding into non-traditional responsibilities, we’re now seeing how AI
is forcing CIOs back to their core mandate,” Ken Wong, president of
Lenovo’s solutions and services group, said in a statement. There is a
sense of urgency to leverage AI effectively, but adoption speed and
security challenges are hindering efforts. Despite the enthusiasm for AI’s
transformative potential, which 80% of CIOs surveyed believe will
significantly impact their businesses, the path to integration is not
without its challenges. Notably, large portions of organizations are not
prepared to integrate AI swiftly, which impacts IT’s ability to scale
these solutions. ... IT leaders also face the ongoing challenge of
demonstrating and calculating the return on investment (ROI) of technology
initiatives. The Lenovo survey found that 61% of CIOs find it extremely
challenging to prove the ROI of their tech investments, with 42% not
expecting positive ROI from AI projects within the next year. One of the
main difficulties is calculating ROI to convince CFOs to approve budgets,
and this challenge is also present when considering AI adoption, according
to Abhishek Gupta, CIO of Dish TV.
AI Bias and the Dangers It Poses for the World of Cybersecurity
Without careful monitoring, these biases could delay threat detection,
resulting in data leakage. For this reason, companies combine AI’s power
with human intelligence to reduce the bias factor shown by AI. The empathy
element and moral compass of human thinking often prevent AI systems from
making decisions that could otherwise leave a business vulnerable. ... The
opposite could also occur, as AI could label a non-threat as malicious
activity. This could lead to a series of false positives that cannot even
be detected from within the company. ... While some might argue that this
is a good thing because supposedly “the algorithm works,” it could also
lead to alert fatigue. AI threat detection systems were added to ease the
workload in the human department, reducing the number of alerts. However,
the constant red flags could cause more work for human security providers,
giving them more tickets to solve than they originally had. This could
lead to employee fatigue and human error and take away the attention from
actual threats that could impact security.
The Peril of Badly Secured Network Edge Devices
The biggest risks involved anyone using internet-exposed Cisco Adaptive
Security Appliance devices, who were five times more likely than non-ASA
users to file a claim. Users of internet-exposed Fortinet devices were
twice as likely to file a claim. Another risk comes in the form of Remote
Desktop Protocol. Organizations with internet-exposed RDP filed 2.5 times
as many claims as organizations without it, Coalition said. Mass scanning
by attackers, including initial access brokers, to detect and exploit
poorly protected RDP connections remains rampant. The sheer quantity of
new vulnerabilities coming to light underscores the ongoing risks network
edge devices pose. ... Likewise for Cisco hardware: "Several critical
vulnerabilities impacting Cisco ASA devices were discovered in 2023,
likely contributing to the increased relative frequency," Coalition said.
In many cases, organizations fail to patch these vulnerabilities, leaving
them at increased risk, including by attackers targeting the Cisco
AnyConnect vulnerability, designated as CVE-2020-3259, which the vendor
first disclosed in May 2020.
Quote for the day:
"Disagree and commit is a really important principle that saves a lot of
arguing." -- Jeff Bezos
/pcq/media/media_files/irms4rHwjUn6108Aw5YO.jpg)
