Orgs Face Major SEC Penalties for Failing to Disclose Breaches
"It's a company issue, definitely not just a CISO issue. Everybody will be very
leery about vetting statements — why should I say this? — without having legal
give it their blessing ... because they are so worried about having charges
against them for making a statement." The worries will add up to additional
costs for businesses. Because of the additional liability, companies will have
to have more comprehensive Directors and Officers (D&O) liability insurance
that not only covers the legal expenses for a CISO to defend themselves, but
also for their expenses during an investigation. Businesses that will not pay to
support and protect their CISO may find themselves unable to hire for the
position, while conversely, CISOs may have trouble finding supportive companies,
says Josh Salmanson, senior vice president of technology solutions at Telos
Corp., a cyber risk management firm. "We're going to see fewer people wanting to
be CISOs, or people demanding much higher salaries because they think it may be
a very short-term role until they 'get busted' publicly," he says. "The number
of people that will have a really ideal environment with support from the
company and the funding that they need will likely remain small."
Risk Management Strategies for Tech Startups
As you continue to grow, your risk management strategies will shift. One of the
best things you can do as your startup gains traction is to develop a
contingency plan. A contingency plan can keep things afloat if you run into an
unexpected loss of customers, funding problems, or even a data disaster. Your
contingency plan should include, first and foremost, strong cybersecurity
practices. Cyberattacks hit even the largest and most successful
conglomerates. While you might not be able to completely stop cyber criminals
from getting in, prioritizing protective measures and developing a response plan
will make it easier for your business to bounce back if an attack happens.
Things like using cloud-based backups, developing strong passwords and
authentication practices, and educating your employees on how to keep themselves
safe are all great ways to protect your business from hackers. A successful
contingency plan should also cover unexpected accidents and incidents. If
someone gets injured on the job or your company gets sued, a strong insurance
plan needs to be in place to cover legal fees and damages.
The Architect’s Contract
The architect is a business technology strategist. They provide their clients
with ways to augment business with technology strategy in both localized and
universal scales. They make decisions which augment the value output of a
business model (or a mission model) by describing technology solutions which
can fundamentally alter the business model. Some architects specialize in one
or more of these areas. But the general data indicate that even pure business
architects are called on to rely on their technical skills quite often, and
the most technical software architects must have numerous business skills to
be successful. ... Governance is not why architects get into the job. The ones
who do are generally architect managers, not competent architects themselves.
All competent architects started out by making things. Proactive, innovation
based teams create new architects constantly. Moving up to too high a level of
scope makes it very hard to stay a practicing architect. It takes radical
dedication to learning to be a real chief architect. Scope is one of the
biggest challenges of our field as it is based on the concept of scarcity.
Like having city planners ‘design’ homes or skyscrapers or
cathedrals.
Why DevOps is Key to Software Supply Chain Security
Organizations must also evaluate how well existing processes work to protect
the business, then strategically add/subtract from there as needed. No matter
what solutions are leveraged, more and different tools generate reams of more
and different data. What’s important — and to whom? How do I manage the data?
When can I trust it? Where do I store it? What problems does the new data help
me solve? Organizations will need a way to effectively sift this information
and deliver the right data to the right teams at the right time. To preserve
the ability to quickly and continuously innovate, it will be important to
focus on shifting security left as well as integrating automation whenever and
wherever possible. As new security metadata becomes available, such as from
SBOMs, new solutions for managing that metadata will be key. GUAC (Graph for
Understanding Artifact Composition), an open source initiative sponsored by
Google, is designed to integrate software security information, including
SBOMs, attestations and vulnerability data.
Users can query the resulting GUAC graph to help answer key security concerns,
including proactive, preventive and reactive concerns.
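The kind of query the excerpt describes, as an added example that is not GUAC's code (GUAC exposes a GraphQL API over a real graph store; this is a small in-memory stand-in). It ingests a constructed CycloneDX-style SBOM, a constructed list of provenance attestations and a constructed vulnerability feed, links them on package URLs, and then answers one reactive question ("which of my packages are affected by advisory X, and through which dependency path?") and one proactive question ("which packages have no build provenance on record?"). All purls and the advisory id are hypothetical.

```python
"""Added example (not GUAC's code): link SBOM components, attestations and
vulnerability records in one graph and query it. All data is constructed."""
from collections import defaultdict

# Constructed CycloneDX-style SBOM: components keyed by purl, plus a
# dependency table (dependent purl -> list of direct dependency purls).
SBOM = {
    "components": [
        {"purl": "pkg:maven/com.example/shop@1.4.0", "name": "shop"},
        {"purl": "pkg:maven/org.example/web@2.1.0", "name": "web"},
        {"purl": "pkg:maven/org.example/json@3.0.1", "name": "json"},
        {"purl": "pkg:maven/org.example/log@1.2.0", "name": "log"},
    ],
    "dependencies": {
        "pkg:maven/com.example/shop@1.4.0": ["pkg:maven/org.example/web@2.1.0",
                                             "pkg:maven/org.example/log@1.2.0"],
        "pkg:maven/org.example/web@2.1.0": ["pkg:maven/org.example/json@3.0.1"],
    },
}

# Constructed attestations: which purls have build provenance on record.
ATTESTATIONS = [
    {"subject": "pkg:maven/com.example/shop@1.4.0", "type": "slsa-provenance"},
    {"subject": "pkg:maven/org.example/web@2.1.0", "type": "slsa-provenance"},
]

# Constructed vulnerability feed: purl -> hypothetical advisory ids.
VULNS = {"pkg:maven/org.example/json@3.0.1": ["EXAMPLE-2024-0001"]}


class SupplyChainGraph:
    def __init__(self):
        self.packages = set()
        self.depends_on = defaultdict(set)   # purl -> direct dependency purls
        self.attested = defaultdict(set)     # purl -> attestation types
        self.vulns = defaultdict(set)        # purl -> advisory ids

    def ingest_sbom(self, sbom):
        for c in sbom["components"]:
            self.packages.add(c["purl"])
        for src, deps in sbom["dependencies"].items():
            self.depends_on[src].update(deps)

    def ingest_attestations(self, attestations):
        for a in attestations:
            self.attested[a["subject"]].add(a["type"])

    def ingest_vulns(self, feed):
        for purl, ids in feed.items():
            self.vulns[purl].update(ids)

    def transitive_deps(self, purl):
        """Every package reachable from purl along dependency edges."""
        seen, stack = set(), [purl]
        while stack:
            for d in self.depends_on[stack.pop()]:
                if d not in seen:
                    seen.add(d)
                    stack.append(d)
        return seen

    def affected_by(self, advisory_id):
        """Reactive query: packages whose closure contains a vulnerable package,
        mapped to the vulnerable package(s) they reach."""
        vulnerable = {p for p, ids in self.vulns.items() if advisory_id in ids}
        result = {}
        for pkg in self.packages:
            hit = (self.transitive_deps(pkg) | {pkg}) & vulnerable
            if hit:
                result[pkg] = sorted(hit)
        return result

    def vulnerable_paths(self, root, advisory_id):
        """Dependency paths from root to each package carrying advisory_id."""
        paths = []

        def walk(node, path):
            if advisory_id in self.vulns.get(node, ()):
                paths.append(path)
            for d in self.depends_on[node]:
                if d not in path:          # guard against dependency cycles
                    walk(d, path + [d])

        walk(root, [root])
        return paths

    def unattested(self, att_type="slsa-provenance"):
        """Proactive query: packages with no attestation of the given type."""
        return sorted(p for p in self.packages if att_type not in self.attested[p])


def build_graph():
    g = SupplyChainGraph()
    g.ingest_sbom(SBOM)
    g.ingest_attestations(ATTESTATIONS)
    g.ingest_vulns(VULNS)
    return g


if __name__ == "__main__":
    g = build_graph()
    print(g.affected_by("EXAMPLE-2024-0001"))
    print(g.vulnerable_paths("pkg:maven/com.example/shop@1.4.0", "EXAMPLE-2024-0001"))
    print(g.unattested())
```

The point of keeping all three sources in one structure is that the answer to "who is affected" is not in the SBOM alone (it only knows edges) nor in the feed alone (it only knows one purl); the vulnerable path from `shop` through `web` to `json` falls out of the join, and the same graph answers the proactive question without a second pipeline.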
The Future of Computing: Harnessing Molecules for Sustainable Data Management
Molecular computing harnesses the natural propensity of molecules to form
complex, stable structures, allowing for parallel processing – an important
advantage that enables computational tasks to be performed simultaneously, a
feat that current supercomputers can only dream of. Enzymes like polymerases
can simultaneously replicate millions of DNA strands, each acting as a
separate computing pathway. This capability translates to potential parallel
processing operations on the order of 10^15, dwarfing the 10^10 operations per
second of the fastest supercomputers. Energy efficiency is another
game-changer. The energy profile of molecular computing is notably low. DNA
replication in a test tube requires minimal energy, estimated at less than a
millionth of a joule per operation, compared to the approximately 10^-4 joules
consumed by a typical transistor operation. This translates to a potential
reduction in energy consumption by a factor of 10^5 or more, depending on the
operation. As an illustration, training models like GPT-4 requires tens of
millions of kilowatt-hours; molecular computing could achieve similar results
in a fraction of the time and with far less energy.
Role of AI in Data Management Evolution – Interview with Rakesh Singh
Embracing AI-based solutions presents a challenge to organizations centered
around governance and maintaining a firm grip on the overall processes. This
challenge is particularly present in the financial sector, where maintaining
control is not only a preference but a crucial necessity. Therefore, in tandem
with the adoption of AI-driven solutions, a concerted emphasis must be placed
on ensuring robust governance measures. For financial institutions, the
imperative extends beyond the mere integration of AI; it encompasses a
holistic commitment to upholding data security, enforcing comprehensive
policies, safeguarding privacy, and adhering to stringent compliance
standards. Recognizing that the implementation of AI introduces complexities
and potential vulnerabilities, it becomes imperative to establish a framework
that not only facilitates the effective utilization of AI but also fortifies
the organization against risks. In essence, the successful adoption of AI in
the financial domain necessitates a dual focus – one on leveraging the
transformative potential of AI solutions and the other on erecting a resilient
governance structure.
Ransomware Operation LockBit Reestablishes Dark Web Leak Site
Law enforcement agencies behind the takedown, acting under the banner of
"Operation Cronos," suggested they would reveal on Friday the identity of
LockBit leader LockBitSupp - but did not. "We know who he is. We know where he
lives. We know how much he is worth. LockBitSupp has engaged with Law
Enforcement :)," authorities instead wrote on the seized leak site. "LockBit
has been seriously damaged by this takedown and his air of invincibility has
been permanently pierced. Every move he has taken since the takedown is one of
someone posturing, not of someone actually in control of the situation," said
Allan Liska, principal intelligence analyst, Recorded Future. The
re-established leak site includes victim entries apparently made just before
Operation Cronos executed the takedown, including one for Fulton County, Ga.
LockBit previously claimed responsibility for a January attack that disrupted
the county court and tax systems. County District Attorney Fani Willis is
pursuing a case against former President Donald Trump and 18 co-defendants for
allegedly attempting to stop the transition of presidential power in 2020.
Toward Better Patching — A New Approach with a Dose of AI
By default, the NIST-operated National Vulnerability Database (NVD) is the
source of truth for CVSS scores. But NVD gets its entries from the CVE
database, and if there is no completed CVE entry, there is no NVD entry — and
therefore no immediately trusted and verifiable CVSS score. Despite this,
security teams use whatever CVSS they are told as a primary factor in their
vulnerability patch triaging — the higher the score, the greater the perceived
likelihood of exploitation with a greater potential for harm – and it is
likely to be a score applied by the vulnerability researcher. There is an
inevitable delay and confusion (due to ‘responsible disclosure’, possible
delays in posting to the CVE database, and an element of subjectivity in the
CVSS score). “The delay in CVE scoring often means that defenders face two
uphill battles regarding vulnerability management. First, they need a
prioritization method to determine which of the thousands of CVEs published
each month they should patch,” notes Coalition. “Second, they must patch these
CVEs before a threat actor leverages them to target their organization.”
Apple Beefs Up iMessage With Quantum-Resistant Encryption
"To our knowledge, PQ3 has the strongest security properties of any at-scale
messaging protocol in the world," Apple's SEAR team explained in a blog post
announcing the new protocol. The addition of PQ3 follows iMessage's October
2023 enhancement featuring Contact Key Verification, designed to detect
sophisticated attacks against Apple's iMessage servers while letting users
verify they are messaging specifically with their intended recipients.
iMessage with PQ3 is backed by mathematical validation from a team led by
professor David Basin, head of the Information Security Group at ETH Zürich
and co-inventor of Tamarin, a well-regarded security protocol verification
tool. Basin and his research team at ETH Zürich used Tamarin to perform a
technical evaluation of PQ3, published by Apple. Also evaluating PQ3 was
University of Waterloo professor Douglas Stebila, known for his research on
post-quantum security for Internet protocols. According to Apple's SEAR team,
both research groups undertook divergent but complementary approaches, running
different mathematical models to test the security of PQ3.
Is "Secure by Design" Failing?
The threat landscape around new Common Vulnerabilities and Exposures (CVEs) is
one that every organization should take seriously. With a record-breaking
28,092 new CVEs published in 2023, bad actors are simply waiting to be handed
easy footholds into their target organizations, and they don't have to wait
long. Research from Qualys showed that three quarters of CVEs are exploited by
attackers within just 19 days of their publication. And yet, organizations are
failing to equip their DevOps teams with the secure coding skills and
knowledge they need to eliminate vulnerabilities in the first place. Despite
47% of organizations blaming skills shortages for their vulnerability
remediation failures, only 36% have their developers learn to write secure
code. ... Firstly, developers need to understand the role they play in
securing overall application development. This begins with writing more secure
code, but this knowledge is also essential in code reviews. As developers
write faster, or even leverage generative AI and open-source code to deliver
quicker applications, being able to properly review and remediate insecure
code becomes crucial.
Quote for the day:
"Great achievers are driven, not so
much by the pursuit of success, but by the fear of failure." --
Larry Ellison