Daily Tech Digest - February 25, 2024

Orgs Face Major SEC Penalties for Failing to Disclose Breaches

"It's a company issue, definitely not just a CISO issue. Everybody will be very leery about vetting statements — why should I say this? — without having legal give it their blessing ... because they are so worried about having charges against them for making a statement." The worries will add up to additional costs for businesses. Because of the additional liability, companies will have to carry more comprehensive Directors and Officers (D&O) liability insurance that covers not only the legal expenses for a CISO to defend themselves, but also their expenses during an investigation. Businesses that will not pay to support and protect their CISO may find themselves unable to hire for the position, while conversely, CISOs may have trouble finding supportive companies, says Josh Salmanson, senior vice president of technology solutions at Telos Corp., a cyber risk management firm. "We're going to see less people wanting to be CISOs, or people demanding much higher salaries because they think it may be a very short-term role until they 'get busted' publicly," he says. "The number of people that will have a really ideal environment with support from the company and the funding that they need will likely remain small."

Risk Management Strategies for Tech Startups

As you continue to grow, your risk management strategies will shift. One of the best things you can do as your startup gains traction is to develop a contingency plan. A contingency plan can keep things afloat if you run into an unexpected loss of customers, funding problems, or even a data disaster. Your contingency plan should include, first and foremost, strong cybersecurity practices. Cyberattacks happen even to the largest and most successful conglomerates. While you might not be able to completely stop cyber criminals from getting in, prioritizing protective measures and developing a response plan will make it easier for your business to bounce back if an attack happens. Measures like cloud-based backups, strong password and authentication practices, and educating your employees on how to keep themselves safe are all effective ways to protect your business from attackers. A successful contingency plan should also cover unexpected accidents and incidents. If someone gets injured on the job or your company gets sued, a strong insurance plan needs to be in place to cover legal fees and damages.

The Architect’s Contract

The architect is a business technology strategist. They provide their clients with ways to augment business with technology strategy at both localized and universal scales. They make decisions which augment the value output of a business model (or a mission model) by describing technology solutions which can fundamentally alter the business model. Some architects specialize in one or more of these areas. But the general data indicated that even pure business architects are called on to rely on their technical skills quite often, and the most technical software architects must have numerous business skills to be successful. ... Governance is not why architects get into the job. The ones that do are generally architect managers, not competent architects themselves. All competent architects started out by making things. Proactive, innovation-based teams create new architects constantly. Moving up to too high a level of scope makes it very hard to stay a practicing architect. It takes radical dedication to learning to be a real chief architect. Scope is one of the biggest challenges of our field, as it is based on the concept of scarcity. It is like having city planners 'design' homes or skyscrapers or cathedrals.

Why DevOps is Key to Software Supply Chain Security

Organizations must also evaluate how well existing processes work to protect the business, then strategically add/subtract from there as needed. No matter what solutions are leveraged, more and different tools generate reams of more and different data. What’s important — and to whom? How do I manage the data? When can I trust it? Where do I store it? What problems does the new data help me solve? Organizations will need a way to effectively sift this information and deliver the right data to the right teams at the right time. To preserve the ability to quickly and continuously innovate, it will be important to focus on shifting security left as well as integrating automation whenever and wherever possible. As new security metadata becomes available, such as from SBOMs, new solutions for managing that metadata will be key. An open source initiative sponsored by Google, GUAC is designed to integrate software security information, including SBOMs, attestations and vulnerability data. Users can query the resulting GUAC graph to help answer key security concerns, including proactive, preventive and reactive concerns.

The Future of Computing: Harnessing Molecules for Sustainable Data Management

Molecular computing harnesses the natural propensity of molecules to form complex, stable structures, allowing for parallel processing – an important advantage that enables computational tasks to be performed simultaneously, a feat that current supercomputers can only dream of. Enzymes like polymerases can simultaneously replicate millions of DNA strands, each acting as a separate computing pathway. This capability translates to potential parallel processing operations in the order of 10^15, dwarfing the 10^10 operations per second of the fastest supercomputers. Energy efficiency is another game-changer. The energy profile of molecular computing is notably low. DNA replication in a test tube requires minimal energy, estimated at less than a millionth of a joule per operation, compared to the approximately 10^-4 joules consumed by a typical transistor operation. This translates to a potential reduction in energy consumption by a factor of 10^5 or more, depending on the operation. To prove our point, training models like GPT-4 require tens of millions of kilowatt-hours; molecular computing could achieve similar results in a fraction of the time and with exponentially less energy.

Role of AI in Data Management Evolution – Interview with Rakesh Singh

Embracing AI-based solutions presents a challenge to organizations centered around governance and maintaining a firm grip on the overall processes. This challenge is particularly present in the financial sector, where maintaining control is not only a preference but a crucial necessity. Therefore, in tandem with the adoption of AI-driven solutions, a concerted emphasis must be placed on ensuring robust governance measures. For financial institutions, the imperative extends beyond the mere integration of AI; it encompasses a holistic commitment to upholding data security, enforcing comprehensive policies, safeguarding privacy, and adhering to stringent compliance standards. Recognizing that the implementation of AI introduces complexities and potential vulnerabilities, it becomes imperative to establish a framework that not only facilitates the effective utilization of AI but also fortifies the organization against risks. In essence, the successful adoption of AI in the financial domain necessitates a dual focus – one on leveraging the transformative potential of AI solutions and the other on erecting a resilient governance structure.

Ransomware Operation LockBit Reestablishes Dark Web Leak Site

Law enforcement agencies behind the takedown, acting under the banner of "Operation Cronos," suggested they would reveal on Friday the identity of LockBit leader LockBitSupp - but did not. "We know who he is. We know where he lives. We know how much he is worth. LockBitSupp has engaged with Law Enforcement :)," authorities instead wrote on the seized leak site. "LockBit has been seriously damaged by this takedown and his air of invincibility has been permanently pierced. Every move he has taken since the takedown is one of someone posturing, not of someone actually in control of the situation," said Allan Liska, principal intelligence analyst, Recorded Future. The re-established leak site includes victim entries apparently made just before Operation Cronos executed the takedown, including one for Fulton County, Ga. LockBit previously claimed responsibility for a January attack that disrupted the county court and tax systems. County District Attorney Fani Willis is pursuing a case against former President Donald Trump and 18 co-defendants for allegedly attempting to stop the transition of presidential power in 2020.

Toward Better Patching — A New Approach with a Dose of AI

By default, the NIST operated National Vulnerability Database (NVD) is the source of truth for CVSS scores. But NVD gets its entries from the CVE database, and if there is no completed CVE entry, there is no NVD entry — and therefore no immediately trusted and verifiable CVSS score. Despite this, security teams use whatever CVSS they are told as a primary factor in their vulnerability patch triaging — the higher the score, the greater the perceived likelihood of exploitation with a greater potential for harm – and it is likely to be a score applied by the vulnerability researcher. There is an inevitable delay and confusion (due to ‘responsible disclosure’, possible delays in posting to the CVE database, and an element of subjectivity in the CVSS score). “The delay in CVE scoring often means that defenders face two uphill battles regarding vulnerability management. First, they need a prioritization method to determine which of the thousands of CVEs published each month they should patch,” notes Coalition. “Second, they must patch these CVEs before a threat actor leverages them to target their organization.”
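The two threads above (sifting SBOM data to get the right findings to the right team, and the gap between a researcher-assigned CVSS score and a verified NVD score) come together in a small triage step. The following is an added example, not code from the digest or from GUAC, NVD or any other project it mentions: it parses a constructed CycloneDX-style SBOM, matches its components against constructed vulnerability records (placeholder ids of the form CVE-YYYY-NNNNN and made-up scores), and ranks the findings while recording where each score came from, so that a score NVD has not yet confirmed is visibly provisional rather than silently trusted.

```python
"""Correlate an SBOM with vulnerability records and rank patches by CVSS,
tracking whether each score is NVD-verified, researcher-supplied or absent.

Added example; the SBOM document and the vulnerability records below are
constructed for illustration only.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed minimal CycloneDX-style SBOM (three components, one clean).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "webfw",   "version": "2.4.0", "purl": "pkg:pypi/webfw@2.4.0"},
    {"type": "library", "name": "imglib",  "version": "0.9.1", "purl": "pkg:pypi/imglib@0.9.1"},
    {"type": "library", "name": "jsonkit", "version": "3.1.0", "purl": "pkg:pypi/jsonkit@3.1.0"}
  ]
}"""

# Constructed vulnerability records. "nvd_score" is None when NVD has not yet
# published an analysis; "researcher_score" is what the reporter proposed.
VULN_RECORDS = [
    {"id": "CVE-YYYY-00001", "package": "pkg:pypi/webfw", "affected": ["2.4.0", "2.4.1"],
     "nvd_score": 9.8, "researcher_score": 9.8},
    {"id": "CVE-YYYY-00002", "package": "pkg:pypi/imglib", "affected": ["0.9.1"],
     "nvd_score": None, "researcher_score": 7.5},
    {"id": "CVE-YYYY-00003", "package": "pkg:pypi/jsonkit", "affected": ["2.0.0"],
     "nvd_score": 5.3, "researcher_score": 5.3},
    {"id": "CVE-YYYY-00004", "package": "pkg:pypi/webfw", "affected": ["2.4.0"],
     "nvd_score": None, "researcher_score": None},
]


@dataclass
class Component:
    name: str
    version: str
    purl: str


@dataclass
class Finding:
    cve_id: str
    component: str          # "name@version"
    score: Optional[float]
    provenance: str         # "nvd", "researcher" (provisional) or "unscored"


def parse_sbom(text: str) -> list[Component]:
    """Extract components from a CycloneDX JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return [Component(c["name"], c["version"], c["purl"]) for c in doc.get("components", [])]


def package_of(purl: str) -> str:
    """Strip the @version suffix so records can be matched on package identity."""
    return purl.split("@", 1)[0]


def match_vulns(components: list[Component], records: list[dict]) -> list[Finding]:
    """Pair each component with the records that list its exact version as affected."""
    findings = []
    for comp in components:
        for rec in records:
            if rec["package"] != package_of(comp.purl) or comp.version not in rec["affected"]:
                continue
            if rec["nvd_score"] is not None:
                score, prov = rec["nvd_score"], "nvd"
            elif rec["researcher_score"] is not None:
                score, prov = rec["researcher_score"], "researcher"
            else:
                score, prov = None, "unscored"
            findings.append(Finding(rec["id"], f"{comp.name}@{comp.version}", score, prov))
    return findings


PROVENANCE_RANK = {"nvd": 0, "researcher": 1, "unscored": 2}


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest score first; at equal score prefer NVD-verified; unscored entries last."""
    return sorted(findings, key=lambda f: (f.score is None, -(f.score or 0.0),
                                           PROVENANCE_RANK[f.provenance], f.cve_id))


def triage(sbom_text: str, records: list[dict]) -> list[Finding]:
    return prioritize(match_vulns(parse_sbom(sbom_text), records))


if __name__ == "__main__":
    for f in triage(SBOM_JSON, VULN_RECORDS):
        note = "" if f.provenance == "nvd" else f"  [{f.provenance}: re-check when NVD publishes]"
        shown = "-" if f.score is None else f"{f.score:.1f}"
        print(f"{f.cve_id}  {f.component:<14} {shown:>4}  {f.provenance}{note}")
```

The unscored finding is deliberately kept in the list rather than dropped: a CVE with no score yet is an open question for the team, not a non-issue, and the provenance column is what lets a reviewer tell a confirmed 9.8 from a provisional one.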

Apple Beefs Up iMessage With Quantum-Resistant Encryption

"To our knowledge, PQ3 has the strongest security properties of any at-scale messaging protocol in the world," Apple's SEAR team explained in a blog post announcing the new protocol. The addition of PQ3 follows iMessage's October 2023 enhancement featuring Contact Key Verification, designed to detect sophisticated attacks against Apple's iMessage servers while letting users verify they are messaging specifically with their intended recipients. iMessage with PQ3 is backed by mathematical validation from a team led by professor David Basin, head of the Information Security Group at ETH Zürich and co-inventor of Tamarin, a well-regarded security protocol verification tool. Basin and his research team at ETH Zürich used Tamarin to perform a technical evaluation of PQ3, published by Apple. Also evaluating PQ3 was University of Waterloo professor Douglas Stebila, known for his research on post-quantum security for Internet protocols. According to Apple's SEAR team, both research groups undertook divergent but complementary approaches, running different mathematical models to test the security of PQ3.

Is "Secure by Design" Failing?

The threat landscape around new Common Vulnerabilities and Exposures (CVEs) is one that every organization should take seriously. With a record-breaking 28,092 new CVEs published in 2023, bad actors are simply waiting to be handed easy footholds into their target organizations, and they don't have to wait long. Research from Qualys showed that three quarters of CVEs are exploited by attackers within just 19 days of their publication. And yet, organizations are failing to equip their DevOps teams with the secure coding skills and knowledge they need to eliminate vulnerabilities in the first place. Despite 47% of organizations blaming skills shortages for their vulnerability remediation failures, only 36% have their developers learn to write secure code. ... Firstly, developers need to understand the role they play in securing overall application development. This begins with writing more secure code, but this knowledge is also essential in code reviews. As developers write faster, or even leverage generative AI and open-source code to deliver quicker applications, being able to properly review and remediate insecure code becomes crucial.

Quote for the day:

"Great achievers are driven, not so much by the pursuit of success, but by the fear of failure." -- Larry Ellison
