Daily Tech Digest - February 16, 2024

GitHub: AI helps developers write safer code, but you need to get the basics right

With cybercriminals largely sticking to the same tactics, it is critical that security starts with the developer. "You can buy tools to prevent and detect vulnerabilities, but the first thing you need to do is help developers ensure they're building secure applications," Hanley said in a video interview with ZDNET. As major software tools, including those that power video-conferencing calls and autonomous cars, are built and their libraries made available on GitHub, if the accounts of people maintaining these applications are not properly secured, malicious hackers can take over these accounts and compromise a library. The damage can be wide-reaching and lead to another third-party breach, such as the likes of SolarWinds and Log4j, he noted. Hanley joined GitHub in 2021, taking on the newly created role of CSO as news of the colossal SolarWinds attack spread. "We still tell people to turn on 2FA...getting the basics is a priority," he said. He pointed to GitHub's efforts to mandate the use of 2FA for all users, which is a process that has been in the works during the last one and a half years and will be completed early this year. 

Why Tomago Aluminium reversed course on its cloud journey

“An ERP solution like ours is massive,” he says, highlighting that this can make it difficult to keep track of everything you are, and not, using. For instance, he says if you’re getting charged $20,000 for electricity, you might want to check your meter and verify that your usage and bill align. “If your electricity meter is locked away and you just get a piece of paper at the end of the month telling you everything’s fine and you owe $20 000, you’re probably going to ask some questions,” he says. Tomago was told everything was secure and running as it should, but they had no way to verify what they were being told was accurate. “We essentially had a swarm of big black boxes,” he says. “We put dollars in and got services out, but couldn’t say to the board, with confidence, that we were really in control of things like compliance, security, and due diligence.” Then in 2020, Tomago moved its ERP system back on-prem — a decision that’s paying dividends. “We now know what our position is from a cyber perspective because we know exactly what our growth rates are, and we know that our systems are up-to-date, and what our cost is because it’s the same every month,” he says.

OpenAI and Microsoft Terminate State-Backed Hacker Accounts

Threat actors linked to Iran and North Korea also used GPT-4, OpenAI said. Nation-state hackers primarily used the chatbot to query open-source information, such as satellite communication protocols, and to translate content into victims' local languages, find coding errors and run basic coding tasks. "The identified OpenAI accounts associated with these actors were terminated," OpenAI said. It conducted the operation in collaboration with Microsoft. Microsoft and OpenAI have not yet observed particularly novel or unique AI-enabled attack or abuse techniques resulting from threat actors' usage of AI," the Redmond, Washington-based technology giant said. Microsoft's relationship with OpenAI is under scrutiny by multiple national antitrust authorities. A British government study published earlier this month concluded that large language models may boost the capabilities of novice hackers but so far are of little use to advanced threat actors. China-affiliated Charcoal Typhoon used ChatGPT to research companies and cybersecurity tools, debug code and generate scripts, and create content likely for use in phishing campaigns. 

Why Most Founders and Investors Are Wrong About Disruption

Recognizing disruption requires an open mind. In many instances, people can't believe or see something is disruptive at first. They think the idea is foolish or won't work. Disruption is usually caused by something that hasn't existed before or something new. Airbnb is a great example here as well. Its founders are said to have gone to every venture capitalist in Silicon Valley and were famously laughed out of meetings. People couldn't see what they saw — it hadn't been invented yet. Even the most seasoned business leaders can misunderstand and mistake disruption or fail to recognize it. Disruption doesn't always mean extinction. History has proven this for countless companies, processes, products, services, and ideas. Organizations can collapse after big changes. They did not or could not adapt. But something new or different tends to fill in the gap. It's often better, and the cycle continues. I have been on both sides of disruption at my company, BriteCo. We are one of the jewelry industry's disruptors – we were the first to move jewelry consumers to 100% paperless processes with technology and the internet. We also provide our customers with different ways to buy our coverage, unique to BriteCo, versus an outdated analog process at the retail point of sale.

Will generative AI kill KYC authentication?

Lee Mallon, the chief technology officer at AI vendor Humanity.run, sees an LLM cybersecurity threat that goes way beyond quickly making false documents. He worries that thieves could use LLMs to create deep back stories for their frauds in case someone at a bank or government level reviews social media posts and websites to see if a person truly exists. “Could social media platforms be getting seeded right now with AI-generated life histories and images, laying the groundwork for elaborate KYC frauds years down the line? A fraudster could feasibly build a ‘credible’ online history, complete with realistic photos and life events, to bypass traditional KYC checks. The data, though artificially generated, would seem perfectly plausible to anyone conducting a cursory social media background check,” Mallon says. “This isn’t a scheme that requires a quick payoff. By slowly drip-feeding artificial data onto social media platforms over a period of years, a fraudster could create a persona that withstands even the most thorough scrutiny. By the time they decide to use this fabricated identity for financial gains, tracking the origins of the fraud becomes an immensely complex task.”

Generative AI: Shaping a New Future for Fraud Prevention

A new category called "AI Risk Decisioning" is poised to transform the landscape of fraud detection. It leverages the strengths of generative AI, combining them with traditional machine learning techniques to create a robust foundation for safeguarding online transactions. ... The first pillar involves creating a comprehensive knowledge fabric that serves as the foundation for the entire platform. This fabric integrates various internal data sources unique to the company, such as transaction records and real-time customer profiles. ... The third pillar of the AI Risk Decisioning approach focuses on automatic recommendations, offering powerful capabilities for real-time and effective risk management. It can automatically monitor transactions and identify trends or anomalies, suggest relevant features for risk models, conduct scenario analyses independently, and recommend the next best action to optimize performance. ... The fourth pillar of the AI Risk Decisioning approach emphasizes human-understandable reasoning. This pillar aims to make every decision, recommendation, or insight provided by the AI system easily understandable to human users.

Implementing a Digital Transformation Strategy

Actionable intelligence has been accepted as the “new normal” of the data-first enterprise. In the data-first enterprise, data and digital technologies not only open up innovative revenue channels but also create the most compliant (governed) business operations. However, in order for an enterprise to successfully plan, develop, and execute a data-first operating model, the business owners and operators have to first develop a digital transformation strategy – connecting the data piles, digital technologies, business processes, and marketing staff. The digital transformation strategy develops around the need to bridge the gaps between the current data-driven goals and processes and intended future business goals and processes. In a nutshell, the digital transformation strategy strikes a harmonious balance between traditional IT and marketing functions. Global businesses have witnessed firsthand the immense benefits of digital processes, such as improved efficiencies, reduced operating costs, and growth of additional revenue channels. A recent industry survey report indicated that 92% of businesses are already pursuing digital transformation in more than one way. However, the transformation across businesses is at various stages of maturity.

Planning a data lake? Prepare for these 7 challenges

Storing data in a central location simplifies compliance in the sense that you know where your data resides, though it also creates compliance challenges. If you store many different types of data in your lake, different assets may be subject to different compliance standards. Data that contains personally identical information (PII), for instance, must be managed differently in some ways than other types of data to comply with laws like DPA, GDPR or HIPAA. While a data lake won’t prevent you from applying granular security controls to different data assets, it doesn't make it easier, either – and it can make it more difficult if your security and compliance tools are not capable of applying different policies to different data assets within a centralized repository. ... Placing your data into a central location to create a data lake is one thing but connecting it to various applications and the workforce who needs access is another. Until you develop the necessary data integrations – and unless you keep them up to date – your data lake will deliver little value. Building data integrations takes time, effort, and expertise and users sometimes underestimate how difficult it is to create successful data integrations. Be sure and prioritize data integration strategy as part of your overall process.

Does Cloud Native Change Developer Productivity and Experience?

When management focuses too much on developer productivity, developer experience can suffer and thus hurt morale and, paradoxically, productivity as well. It’s important for management to have a light touch to avoid this problem, especially with cloud native. Cloud native environments can become so dynamic and noisy that both productivity and developer experience can decline. Management must take special care to support its developers with the right platforms, tools, processes and productivity metrics to facilitate the best outcomes, leveraging platform engineering to create and manage IDPs that facilitate cloud native development despite its inherent complexity. After all, the complexity of cloud native development alone isn’t the problem. Complexity presents challenges to be sure, but developers are always up for a challenge. Complexity coupled with a lack of visibility brings frustration, lowering productivity and DX. With the right observability, for example, with Chronosphere and Google Cloud, developers have a good shot at untangling cloud native’s inherent complexity, delivering quality software on time and on budget, while maintaining both productivity and DX.

Vulnerability to Resilience: Vision for Cloud Security

In the recent era of cloud-native development and DevSecOps, CISOs face the challenge of fostering a security-conscious culture that spans across various cross-functional teams. However, by adopting deliberate, disruptive, engaging, and enjoyable approaches that also provide a return on investment, a sustainable security culture can be achieved. It is essential to instill the concept of shared responsibility for security and focus on enhancing awareness and adhering to advanced security practices. If you don't already have a secure development lifecycle, it is imperative to integrate one immediately. Recognizing and rewarding individuals who prioritize security is one of the ways to encourage a security-focused culture. Additionally, creating a security community and making security more engaging and enjoyable can also help cultivate a sustainable security culture. CISOs should leverage technical tools and best practices to facilitate the seamless integration of security into the Continuous Integration/Continuous Deployment (CI/CD) pipeline. This can be achieved through various measures, such as conducting threat modeling, adopting a shift-left security approach, incorporating IDE security ...

Quote for the day:

"You may have to fight a battle more than once to win it." -- Margaret Thatcher

No comments:

Post a Comment