The future of biometrics in a zero trust world

Nearly one in three CEOs and members of senior management have fallen victim to
phishing scams, either by clicking on the same link or sending money. C-level
executives are the primary targets for biometric and deep fake attacks because
they are four times more likely to be victims of phishing than other employees,
according to Ivanti’s State of Security Preparedness 2023 Report. Ivanti found
that whale phishing is the latest digital epidemic to attack the C-suite of
thousands of companies. ... In response to the increasing need for better
biometric security globally, Badge Inc. recently announced the availability of
its patented authentication technology that renders personal identity
information (PII) and biometric credential storage obsolete. Badge also
announced an alliance with Okta, the latest in a series of partnerships aimed at
strengthening Identity and Access Management (IAM) for their shared enterprise
customers. Srivastava explained how her company’s approach to biometrics
eliminates the need for passwords, device redirects, and knowledge-based
authentication (KBA). Badge supports an enroll-once, authenticate-on-any-device
workflow that scales across an enterprise’s many threat surfaces and devices.
Understanding CQRS Architecture
CRUD and CQRS are both tactical patterns, concentrating on the implementation
specifics at the level of individual services. Therefore, asserting that an
organization relies entirely on a CQRS architecture may not be entirely
accurate. While certain services may adopt this architecture, it is typical for
other services to employ simpler paradigms. The entire organization may not
adhere to a unified style for all problems. The CRUD architecture assumes the
existence of a single model for both read and update operations. CRUD operations
are typically linked with traditional relational database systems, and numerous
applications adopt a CRUD-based approach for data management. Conversely, the
CQRS architecture assumes the presence of distinct models for queries and
commands. While this paradigm is more intricate to implement and introduces
certain subtleties, it provides the advantage of enabling stricter enforcement
of data validation, implementation of robust security measures, and optimization
of performance. These definitions may appear somewhat vague and abstract at the
moment, but clarity will emerge as we delve into the details. It's important to
note here that CQRS or CRUD should not be regarded as an overarching philosophy
to be blindly applied in all circumstances. 
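The separation the paragraph describes, as an added example that is not from the article: a command side that authorises and validates before it writes, and a query side that only serves a denormalised projection. The account/deposit domain and every name in it are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DepositCommand:
    """Command model: an intent to change state, carrying the caller's identity."""
    account_id: str
    amount_cents: int
    actor: str

@dataclass
class Account:
    """Write model: the one place where business invariants are enforced."""
    account_id: str
    owner: str
    balance_cents: int = 0

    def deposit(self, amount_cents: int) -> None:
        if not isinstance(amount_cents, int) or amount_cents <= 0:
            raise ValueError("deposit must be a positive whole number of cents")
        self.balance_cents += amount_cents

class CommandHandler:
    """Command side: authorise, validate, persist, then refresh the read projection."""
    def __init__(self, accounts: dict, read_model: dict):
        self._accounts = accounts      # write store, keyed by account id
        self._read_model = read_model  # denormalised projection served to queries

    def handle(self, cmd: DepositCommand) -> None:
        acct = self._accounts[cmd.account_id]
        if cmd.actor != acct.owner:    # authorisation lives on the write path only
            raise PermissionError(f"{cmd.actor} may not deposit into {cmd.account_id}")
        acct.deposit(cmd.amount_cents)
        self._read_model[cmd.account_id] = {"owner": acct.owner,
                                            "balance_cents": acct.balance_cents}

class QueryService:
    """Query side: reads the projection and hands out copies, never the write store."""
    def __init__(self, read_model: dict):
        self._read_model = read_model

    def account_view(self, account_id: str) -> dict:
        return dict(self._read_model[account_id])

def build_demo():
    """Constructed wiring: one account, one deposit; returns (handler, queries)."""
    accounts = {"acc-1": Account("acc-1", owner="alice")}
    read_model: dict = {}
    handler = CommandHandler(accounts, read_model)
    handler.handle(DepositCommand("acc-1", 500, actor="alice"))
    return handler, QueryService(read_model)
```

Because the query side returns copies of the projection, a consumer cannot alter balances except by issuing a command, which is where the validation and ownership checks run.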
Role of Wazuh in building a robust cybersecurity architecture

Wazuh is a free and open source security solution that offers unified XDR and
  SIEM protection across several platforms. Wazuh protects workloads across
  virtualized, on-premises, cloud-based, and containerized environments to
  provide organizations with an effective approach to cybersecurity. By
  collecting data from multiple sources and correlating it in real-time, it
  offers a broader view of an organization's security posture. Wazuh plays a
  significant role in implementing a cyber security architecture, providing a
  platform for security information and event management, active response,
  compliance monitoring, and more. It provides flexibility and interoperability,
  enabling organizations to deploy Wazuh agents across diverse operating
  systems. Wazuh is equipped with a File Integrity Monitoring (FIM) module that
  helps detect file changes on monitored endpoints. It takes this a step further
  by combining the FIM module with threat detection rules and threat
  intelligence sources to detect malicious files, allowing security analysts to
  stay ahead of the threat curve. Wazuh also provides out-of-the-box support for
  compliance frameworks like PCI DSS, HIPAA, GDPR, NIST SP 800-53, and TSC.
Budget cuts loom for data privacy initiatives
In addition to difficulty understanding the privacy regulatory landscape,
  organizations also face other data privacy challenges, including budget. 43%
  of respondents say their privacy budget is underfunded and only 36% say their
  budget is appropriately funded. When looking at the year ahead, only 24% say
  that they expect budget will increase (down 10 points from last year), and
  only one percent say it will remain the same (down 26 points from last year).
  51% expect a decrease in budget, which is significantly higher than last year
  when only 12% expected a decrease in budget. For those seeking resources,
  technical privacy positions are in highest demand, with 62% of respondents
  indicating there will be increased demand for technical privacy roles in the
  next year, compared to 55% for legal/compliance roles. However, respondents
  indicate there are skills gaps among these privacy professionals; they cite
  experience with different types of technologies and/or applications (63%) as
  the biggest one. When looking at common privacy failures, respondents
  pinpointed the lack of or poor training (49%), not practicing privacy by
  design (44%) and data breaches (42%) as the main concerns.
How to become a Chief Information Security Officer

In general, the CISO position is well-paid. Due to high demand and a limited
  talent pool, top-tier CISOs have commanded salaries in excess of $2.3 million.
  Nonetheless, executive remuneration may vary based on industry, company size
  and specifics of a role. The CISO typically manages a team of cyber security
  experts (sometimes multiple teams) and collaborates with high-level business
  stakeholders to facilitate the strategic development and completion of cyber
  security initiatives. ... While experience in cyber security does count for a
  lot, and while smart and talented people do ascend to the CISO role without
  extensive formal schooling, it can pay to get the right education. Most
  enterprises will expect that a potential CISO have a bachelor’s degree in
  computer science (or a similar discipline). There are exceptions, but an
  undergraduate degree is often used as a credibility benchmark. ... When it
  comes to real-world experience, most CISO roles require a minimum of five
  years’ time spent in the industry. A potential CISO should maintain broad
  knowledge of a variety of platforms and solutions, along with a strong
  understanding of both cyber security history and modern-day cyber security
  threats.
I thought software subscriptions were a ripoff until I did the math

Selling perpetual licenses means you get a big surge in revenue with each new
  release. But then you have to watch that cash pile dwindle as you work on the
  next version and try to convince your customers to pay for the upgrade. If you
  want the opportunity to continually improve your software, you need to bring
  in enough revenue each year to justify the time and resources you spend on the
  project. That's the difference between a sustainable business and a hobby. It
  strikes me that the real objection to software as a subscription isn't to the
  business model, but rather to the price. If you think a fair price for a piece
  of software is closer to $50 than $500, and you should be able to use it in
  perpetuity, you're telling the developer that you're willing to pay them no
  more than a few bucks a month. They're trying to tell you that's not enough to
  sustain a software business, and maybe you should try a free, open-source
  option instead. All the developers that are migrating to a cloud-based
  subscription model are taking a necessary step to help ensure their long-term
  survival. The challenge for companies playing in this space is to make it
  crystal clear that their subscriptions offer real value.
Filling the Cybersecurity Talent Gap

Thankfully, there is a talented group in the veteran community ready and
  willing to meet the challenge. Through their unique skills, discipline, and
  unmatched experience, veterans are perfectly suited to help address the talent
  gap and growing cyber threats we face. Not only that, but veterans will find
  that IT and cybersecurity provide a second career as they transition out of
  their service. Veterans leave service with a wide range of talents that have
  several applications outside of the military. This includes both what are
  often called "soft skills," or those that are beneficial in a number of
  settings, as well as technical abilities well-suited for cybersecurity and IT.
  ... As the industry continues to incorporate more secure by design principles
  that guide how we approach security and cyber resiliency, we need a workforce
  that understands the importance of security and defense. To make this a
  reality, we need both the government and private companies to step up and
  create the right pathways for veterans to enter the workforce. This can
  include expanding the GI Bill to add additional incentives for careers in
  cybersecurity. Private companies should also offer more hands-on workshops and
  training that can both provide a way for applicants to learn and help
  companies fill their open positions.
How Much Architecture Is “Enough?”: Balancing the MVP and MVA Helps You Make Better Decisions
The critical challenge that the MVA must solve is that it must answer the
  MVP’s current challenges while anticipating but not actually solving future
  challenges. In other words, the MVA must not require unacceptable levels of
  rework to actually solve those future problems. Some rework is okay and
  expected, but the words "complete rewrite" mean that the architecture has
  failed and all bets on viability are off. As a result of this, the MVA hangs
  in a dynamic balance between solving future problems that may never exist, and
  letting technical debt pile up to the point where it leads to, metaphorically,
  architectural bankruptcy. Being able to balance these two forces is where
  experience comes in handy. ... The development team creates the initial MVA
  based on their initial and often incomplete understanding of the problems the
  MVA needs to solve. They will not usually have much in the way of quality
  attribute requirements (QARs), perhaps only broad organizational "standards"
  that are more aspirational than accurate. These initial statements are often
  so vague as to be unhelpful, e.g.
  "the system must support very large numbers of concurrent users", "the system
  must be easy to support and maintain", "the system must be secure against
  external threats", etc.
Group permission misconfiguration exposes Google Kubernetes Engine clusters

The problem is that in most other systems “authenticated users” are users that
  the administrators created or defined in the system. This is also the case in
  privately self-managed Kubernetes clusters or for the most part in clusters
  set up on other cloud services providers such as Azure or AWS. So, it’s not
  hard to see how some administrators might conclude that system:authenticated
  refers to a group of verified users and then decide to use it as an easy
  method to assign some permissions to all those trusted users. “GKE, in
  contrast to Amazon Elastic Kubernetes Service (EKS) and Azure Kubernetes
  Service (AKS), exposes a far-reaching threat since it supports both anonymous
  and full OpenID Connect (OIDC) access,” the Orca researchers said. “Unlike AWS
  and Azure, GCP’s managed Kubernetes solution considers any validated Google
  account as an authenticated entity. Hence, system:authenticated in GKE becomes
  a sensitive asset administrators should not overlook.” The Kubernetes API can
  integrate with many authentication systems and since access to Google Cloud
  Platform and all of Google’s services in general is done through Google
  accounts, it makes sense to also integrate GKE with Google’s IAM and OAuth
  authentication and authorization system.
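An audit check for the misconfiguration described above, added here as an example and not part of the article or of Orca's research: it walks RBAC binding objects and reports every one whose subjects include the system:authenticated or system:unauthenticated group. The sample objects are constructed to mimic the shape of `kubectl get clusterrolebindings,rolebindings -A -o json`; the bootstrap label check is a heuristic that separates upstream default bindings from custom ones.

```python
import json

# Groups that cover every caller the API server accepts (in GKE, any Google account)
# or every caller at all, rather than users an administrator defined.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}
# Label the API server places on the RBAC objects it creates at bootstrap.
BOOTSTRAP_LABEL = "kubernetes.io/bootstrapping"

def find_broad_bindings(items):
    """Return one finding per (binding, broad group) pair in `items`."""
    findings = []
    for obj in items:
        meta = obj.get("metadata", {})
        for subj in obj.get("subjects") or []:
            if subj.get("kind") == "Group" and subj.get("name") in BROAD_GROUPS:
                findings.append({
                    "kind": obj.get("kind"),
                    "name": meta.get("name"),
                    "namespace": meta.get("namespace"),  # None when cluster-scoped
                    "group": subj["name"],
                    "role": obj.get("roleRef", {}).get("name"),
                    # Upstream defaults deserve review too, but a custom binding is
                    # the misconfiguration the article describes.
                    "bootstrap": BOOTSTRAP_LABEL in meta.get("labels", {}),
                })
    return findings

def audit(raw_json):
    """Parse `kubectl ... -o json` output (a List object) and audit its items."""
    return find_broad_bindings(json.loads(raw_json).get("items", []))

# Constructed sample: two cluster-scoped bindings and one namespaced binding.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "team-readers"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}],
     "roleRef": {"kind": "ClusterRole", "name": "view"}},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "system:basic-user",
                  "labels": {"kubernetes.io/bootstrapping": "rbac-defaults"}},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}],
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"}},
    {"kind": "RoleBinding", "metadata": {"name": "dev-editors", "namespace": "dev"},
     "subjects": [{"kind": "Group", "name": "dev-team@example.com"},
                  {"kind": "User", "name": "alice@example.com"}],
     "roleRef": {"kind": "ClusterRole", "name": "edit"}},
]})
```

Calling audit(SAMPLE) returns two findings: the custom team-readers binding (the kind of grant the article warns about) and the upstream default system:basic-user binding, while dev-editors, bound to an administrator-defined group, is not flagged.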
Will the Rise of Generative AI Increase Technical Debt?
The rise of generative AI-related tools will likely increase technical debt,
  both due to the rush to hastily adopt new capabilities and the need to mold AI
  models to suit specific requirements. “New LLMs and generative AI applications
  will undoubtedly increase technical debt in the future, or at a minimum,
  greatly increase the need to manage that debt proactively,” said Quillin. “It
  starts with new requirements to continually manage, maintain, and nurture
  these models from a broad range of new KPIs from bias, concept drift, and
  shifting business, consumer, and environmental inputs and goals,” he said.
  Incorporating AI may require a significant upfront commitment, leading to
  additional technical debt. “It won’t be just a build-and-maintain scenario,
  but rather, the first of many steps on a long road ahead,” said Prince Kohli,
  CTO of Automation Anywhere. Product companies with a generative AI focus must
  invest in creating a data and model strategy, a data architecture to work with
  AI, controls for the AI and more. “Technology disruptions and pivots such as
  this always lead to this kind of technical debt that must be continually paid
  down, but it’s the price of admittance,” he said.
Quote for the day:
''The best preparation for tomorrow is
    doing your best today.'' -- H. Jackson
 
 