What is HTTP/3? The next-generation web protocol
HTTPS will still be used as a mechanism for establishing secure connections, but
traffic will be encrypted at the HTTP/3 level. Another way to say it is that TLS
will be integrated into the network protocol instead of working alongside it.
So, encryption will be moved into the transport layer and out of the app layer.
This means more security by default—even the headers in HTTP/3 are encrypted—but
there is a corresponding cost in CPU load. Overall, the idea is that
communication will be faster due to improvements in how encryption is
negotiated, and it will be simpler because it will be built-in at a lower level,
avoiding the problems that arise from a diversity of implementations. ... In
TCP, that continuity isn’t possible because the protocol only understands the IP
address and port number. If either of those changes—as when you walk from one
network to another while holding a mobile device—an entirely new connection must
be established. This reconnection leads to a predictable performance
degradation. The QUIC protocol introduces connection IDs or CIDs. For security,
these are actually CID sets negotiated by the server and client.
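The difference between identifying a connection by the peer's IP address and port and identifying it by a connection ID is easier to see in code. The toy model below is an added illustration for this digest; it is not code from the article or from any QUIC implementation, and the class and field names (TcpStyleServer, QuicStyleServer, Endpoint, by_cid) are assumptions made for the example. The server hands the client a set of CIDs, the client switches to an unused one when its address changes, and the server still finds the same session, while a packet carrying a CID it never issued is dropped.

```python
"""Toy model: connection identity by (ip, port) versus by QUIC-style
connection ID. Added example; not code from the article or any QUIC stack."""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class TcpStyleServer:
    """Knows a connection only by the peer's (ip, port), as TCP does."""

    def __init__(self):
        self.sessions = {}  # Endpoint -> session state

    def accept(self, peer, state):
        self.sessions[peer] = state

    def lookup(self, peer):
        return self.sessions.get(peer)  # None once the address changes


class QuicStyleServer:
    """Knows a connection by the CID carried in each packet. The server issues
    a set of CIDs per connection so the client can move to a fresh one on a
    new path, which keeps an on-path observer from linking the two paths by
    CID; every CID in the set resolves to the same connection record."""

    def __init__(self, cids_per_conn=4):
        self.cids_per_conn = cids_per_conn
        self.by_cid = {}  # cid bytes -> connection record

    def accept(self, state):
        conn = {"state": state, "cids": set(), "paths": []}
        for _ in range(self.cids_per_conn):
            cid = os.urandom(8)  # 8-byte random CID (constructed value)
            conn["cids"].add(cid)
            self.by_cid[cid] = conn
        return conn

    def receive(self, cid, peer):
        conn = self.by_cid.get(cid)
        if conn is None:
            return None  # unknown CID: nothing to associate, drop it
        if not conn["paths"] or conn["paths"][-1] != peer:
            conn["paths"].append(peer)  # migration noticed, state retained
        return conn["state"]


def simulate_migration():
    """Walk a client from a Wi-Fi address to a cellular one (constructed)."""
    wifi = Endpoint("192.0.2.10", 51000)
    cell = Endpoint("198.51.100.7", 40212)

    tcp = TcpStyleServer()
    tcp.accept(wifi, "tcp-session")
    tcp_before = tcp.lookup(wifi)
    tcp_after = tcp.lookup(cell)  # None: a brand-new connection is needed

    quic = QuicStyleServer()
    conn = quic.accept("quic-session")
    client_cids = list(conn["cids"])
    quic_before = quic.receive(client_cids[0], wifi)
    quic_after = quic.receive(client_cids[1], cell)  # new path, new CID
    bogus = bytes(9)  # 9-byte CID can never match an issued 8-byte one
    unknown = quic.receive(bogus, cell)

    return {
        "tcp_before": tcp_before,
        "tcp_after": tcp_after,
        "quic_before": quic_before,
        "quic_after": quic_after,
        "paths_seen": len(conn["paths"]),
        "cid_reused_across_paths": client_cids[0] == client_cids[1],
        "unknown_cid_result": unknown,
    }


if __name__ == "__main__":
    for key, value in simulate_migration().items():
        print(f"{key}: {value}")
```

The model leaves out everything real QUIC does around this (CID issuance and retirement frames, path validation, amplification limits); its point is only the one the article makes: state keyed by a negotiated identifier survives an address change, state keyed by the address does not.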
6 things hackers know that they don’t want security pros to know that they know
It’s not a coincidence that many attacks happen at the most challenging of
times. Hackers really do increase their attacks on weekends and holidays when
security teams are lean. And they’re more likely to strike right before
lunchtime and end-of-day, when workers are rushing and consequently less
attentive to red flags indicating a phishing attack or fraudulent activity.
“Hackers typically deploy their attacks during those times because they’re less
likely to be noticed,” says Melissa DeOrio, global threat intelligence lead at
S-RM, a global intelligence and cybersecurity consultancy. ... Threat actors
actively engage in open-source intelligence (OSINT) gathering, looking for
information they can use to devise attacks, Carruthers says. It’s not surprising
that hackers look for news about transformative events such as big layoffs,
mergers and the like, she says. But CISOs, their teams and other executives may
be surprised to learn that hackers also look for news about seemingly innocuous
events such as technology implementations, new partnerships, hiring sprees, and
executive schedules that could reveal when they’re out of the office.
Take the ‘Shift Left’ Approach a Step Further by ‘Starting Left’
This makes it vital to guarantee code quality and security from the start so
that nothing slips through the cracks. Shift left accounts for this. It
minimizes risks of bugs and vulnerabilities by introducing code testing and
analysis earlier in the SDLC, catching problems before they mount and become
trickier to solve or even find. Advancing testing activities earlier puts DevOps
teams in a position to deliver superior-quality software to customers with
greater frequency. As a practice, “shift left” requires a lot more vigilance in
today’s security landscape. But most development teams don’t have the mental (or
physical) bandwidth to do it properly — even though it should be an intrinsic
part of code development strategy. In fact, the Linux Foundation revealed in a
study recently that almost one-third of developers aren’t familiar with secure
software development practices. “Shifting left” — performing analysis and code
reviews earlier in the development process — is a popular mindset for creating
better software. What the mindset should be, though, is to “start left,” not
just impose the burden later on in the SDLC for developers. ... This mindset of
“start left” focuses not only on an approach that values testing early and
often, but also on using the best tools to do so.
ONCD Unveils BGP Security Road Map Amid Rising Threats
The guidance comes amid an intensified threat landscape for BGP, which serves as
the backbone of global internet traffic routing. BGP is a foundational yet
vulnerable protocol, developed at a time when many of today's cybersecurity
risks did not exist. Coker said the ONCD is committed to covering at least 60%
of the federal government's IP space by registration service agreements "by the
end of this calendar year." His office recently led an effort to develop a
federal RSA template that federal agencies can use to facilitate their adoption
of Resource Public Key Infrastructure, which can be used to mitigate BGP
vulnerabilities. ... The ONCD report underscores how BGP "does not provide
adequate security and resilience features" and lacks critical security
capabilities, including the ability to validate the authority of remote networks
to originate route announcements and to ensure the authenticity and integrity of
routing information. The guidance tasks network operators with developing and
periodically updating cybersecurity risk management plans that explicitly
address internet routing security and resilience. It also instructs operators to
identify all information systems and services internal to the organization that
require internet access and assess the criticality of maintaining those routes
for each address.
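The capability the report says BGP lacks, validating that a remote network is authorized to originate a route, is what RPKI Route Origin Validation adds. The example below implements the validity states RFC 6811 defines (valid, invalid, not found) over a constructed set of ROAs and announcements. It is an added example for this digest, not code from the ONCD report or from any router vendor; the ROAs, prefixes and AS numbers are made up (documentation ranges and private ASNs), and the function names are assumptions.

```python
"""RPKI Route Origin Validation per RFC 6811 over constructed data.
Added example; not from the ONCD report or any routing software."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "203.0.113.0/24"
    max_length: int  # longest prefix length the holder authorizes
    asn: int         # 0 means no AS may originate this prefix (RFC 6483)


def covering_roas(roas, announced):
    """ROAs whose prefix covers the announced prefix (same address family,
    announced prefix entirely inside the ROA prefix)."""
    net = ipaddress.ip_network(announced, strict=False)
    covered = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covered.append(roa)
    return covered


def validate_origin(roas, announced, origin_asn):
    """Return 'valid', 'invalid' or 'not-found' for one announcement.
    valid: at least one covering ROA has the same AS and a max length that
    permits the announced length; invalid: covered but nothing matches;
    not-found: no ROA covers the prefix at all."""
    covered = covering_roas(roas, announced)
    if not covered:
        return "not-found"
    plen = ipaddress.ip_network(announced, strict=False).prefixlen
    for roa in covered:
        if roa.asn != 0 and roa.asn == origin_asn and plen <= roa.max_length:
            return "valid"
    return "invalid"


# Constructed ROA set (documentation prefixes, private ASNs).
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64501),
    ROA("198.51.100.0/24", 24, 0),  # holder says: never announce this
]

# Constructed announcements as (prefix, origin AS).
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # exactly as authorized
    ("203.0.113.0/25", 64500),   # right AS, but more specific than allowed
    ("203.0.113.0/24", 64499),   # wrong origin AS (the hijack shape)
    ("192.0.2.0/24", 64500),     # nobody has published a ROA for this
    ("198.51.100.0/24", 64502),  # AS0 ROA: any origin is invalid
    ("2001:db8:1::/48", 64501),  # IPv6, within max length
    ("2001:db8::/64", 64501),    # IPv6, exceeds max length
]


def check_all(roas=ROAS, announcements=ANNOUNCEMENTS):
    """Map each (prefix, origin AS) to its RFC 6811 validity state."""
    return {(p, a): validate_origin(roas, p, a) for p, a in announcements}


if __name__ == "__main__":
    for (prefix, asn), state in check_all().items():
        print(f"{prefix:20} AS{asn:<6} {state}")
```

The operational policy that usually goes with this is to drop routes that evaluate to invalid and accept not-found ones, since most of the routing table is still uncovered by ROAs; an operator adopting RPKI first publishes ROAs for its own space (which is what the RSA mentioned above enables) so that other networks can classify its announcements at all.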
Efficient DevSecOps Workflows With a Little Help From AI
When it comes to software development, AI offers lots of possibilities to
enhance workflows at every stage—from splitting teams into specialized roles
such as development, operations, and security to facilitating typical steps like
planning, managing, coding, testing, documentation, and review. AI-powered code
suggestions and generation capabilities can automate tasks like autocompletion
and identification of missing dependencies, making coding more efficient.
Additionally, AI can provide code explanations, summarizing algorithms,
suggesting performance improvements, and refactoring long code into
object-oriented patterns or different languages. ... Instead of manually sifting
through job logs, AI can analyze them and provide actionable insights, even
suggesting fixes. By refining prompts and engaging in conversations with the AI,
developers can quickly diagnose and resolve issues, even receiving tips for
optimization. Security is crucial, so sensitive data like passwords and
credentials must be filtered before analysis. A well-crafted prompt can instruct
the AI to explain the root cause in a way any software engineer can understand,
accelerating troubleshooting. This approach can significantly improve developer
efficiency.
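The one hard requirement in that workflow is the filtering step: job logs routinely contain clone URLs with embedded passwords, exported secrets and bearer tokens, and none of that should leave the CI environment in a prompt. The redactor below is an added example for this digest, not code from any CI product or AI assistant; the patterns are a starting set and the sample log lines are constructed for illustration.

```python
"""Redact credentials from CI job log lines before sending them to an AI
assistant. Added example; patterns and sample log are constructed."""
import re

# More specific patterns run first so that, for example, a URL password is
# masked as a unit rather than partly caught by the generic key=value rule.
PATTERNS = [
    # scheme://user:password@host  -> keep user, mask password
    (re.compile(r"(://[^/\s:@]+:)[^@\s]+(@)"), r"\1[REDACTED]\2"),
    # Authorization: Bearer|Basic <token>
    (re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)[^\s\"']+"),
     r"\1[REDACTED]"),
    # AWS-style access key IDs (AKIA followed by 16 upper-case alphanumerics)
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED_AWS_KEY]"),
    # PEM private key header and anything after it on the line
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*"), "[REDACTED_PRIVATE_KEY]"),
    # Generic secret-looking assignments: DB_PASSWORD=..., api_key: "...", token=...
    (re.compile(r'(?i)(\w*(?:password|passwd|pwd|secret|token|api[_-]?key)\w*'
                r'\s*[=:]\s*)(["\']?)([^"\'\s]+)(["\']?)'),
     r"\1\2[REDACTED]\4"),
]


def redact_line(line):
    """Apply every pattern in order to one log line."""
    for pattern, replacement in PATTERNS:
        line = pattern.sub(replacement, line)
    return line


def redact_log(text):
    """Return (redacted_text, number_of_lines_that_were_changed)."""
    changed = 0
    out = []
    for line in text.splitlines():
        cleaned = redact_line(line)
        changed += cleaned != line
        out.append(cleaned)
    return "\n".join(out), changed


# Constructed sample job log; the credential values are fake.
SAMPLE_LOG = """\
[12:01:03] Cloning https://deploy:hunter2@git.example.test/app.git
[12:01:09] export DB_PASSWORD=S3cr3t!pass
[12:01:10] curl -H "Authorization: Bearer eyJabc.def.ghi" https://api.example.test/v1
[12:01:11] AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
[12:01:12] ERROR: connection to db.example.test:5432 refused
"""


def redact_sample():
    """Run the redactor over the constructed log (used by the usage below)."""
    return redact_log(SAMPLE_LOG)


if __name__ == "__main__":
    redacted, count = redact_sample()
    print(redacted)
    print(f"-- {count} line(s) redacted")
```

Two design points: the generic rule deliberately over-matches (a variable called tokens=5 will be masked too), because for this use a false positive costs a little context while a miss leaks a credential; and the last line, the actual error, passes through untouched, which is the part the assistant needs to explain the root cause.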
PricewaterhouseCoopers’ new CAIO – workers need to know their role with AI
“AI is becoming a natural part of everything we make and do. We’re moving past
the AI exploration cycle, where managing AI is no longer just about tech, it is
about helping companies solve big, important and meaningful problems that also
drive a lot of economic value. “But the only way we can get there is by bringing
AI into an organization’s business strategy, capability systems, products and
services, ways of working and through your people. AI is more than just a tool —
it can be viewed as a member of the team, embedding into the end-to-end value
chain. The more AI becomes naturally embedded and intrinsic to an organization,
the more it will help both the workforce and business be more productive and
deliver better value. “In addition, we will see new products and services that
are fully AI-powered come into the market — and those are going to be key
drivers of revenue and growth.” ... You need to consider the bigger picture,
understanding how AI is becoming integrated in all aspects of your organization.
That means having your RAI leader working closely with your company’s CAIO (or
equivalent) to understand changes in your operating model, business processes,
products and services.
What Is Active Metadata and Why Does It Matter?
Active metadata’s ability to update automatically whenever the data it describes
changes now extends beyond the data profile itself to enhance the management of
data access, classification, and quality. Passive metadata’s static nature
limits its use to data discovery, but the dynamic nature of active metadata
delivers real-time insights into the data’s lineage to help automate data
governance:
Get a 360-degree view of data - Active metadata’s ability to auto-update
ensures that metadata delivers complete and up-to-date descriptions of the
data’s lineage, context, and quality. Companies can tell at a glance whether
the data is being used effectively, appropriately, and in compliance with
applicable regulations.
Monitor data quality in real time - Automatic metadata updates improve data
quality management by providing up-to-the-minute metrics on data completeness,
accuracy, and consistency. This allows organizations to identify and respond to
potential data problems before they affect the business.
Patch potential governance holes - Active metadata allows data governance rules
to be enforced automatically to safeguard access to the data, ensure it’s
appropriately classified, and confirm it meets all data retention requirements.
How to Get IT and Security Teams to Work Together Effectively
Successful collaboration requires a sense of shared mission, Preuss says.
Transparency is crucial. "Leverage technology and automation to effectively
share information and challenges across both teams," she advises. Building and
practicing trust and communication in an environment that's outside the norm is
also essential. One way to do so is by conducting joint business resilience
drills. "Whether a cyber war game or an environmental crisis [exercise],
resilience drills are one way to test the collaboration between teams before an
event occurs." ... When it comes to cross-team collaboration, Scott says it's
important for members to understand their communication style as well as the
communication styles of the people they work with. "At Immuta, we do this
through a DiSC assessment, which each employee is invited to complete upon
joining the company." To build an overall sense of cooperation and teamwork,
Jeff Orr, director of research, digital technology at technology research and
advisory firm ISG, suggests launching an exercise simulation in which both teams
are required to collaborate in order to succeed.
Protecting national interests: Balancing cybersecurity and operational realities
A significant challenge we face today is safeguarding the information space
against misinformation, disinformation, manipulation and deceptive content.
Whether this is at the behest of nation-states, or their supporters, it can be
immensely destabilising and disruptive. We must find a way to tackle this
challenge, but this should not just focus on the responsibilities held by social
media platforms, but also on how we can detect targeted misinformation, counter
those narratives and block the sources. Technology companies have a key role in
taking down content that is obviously malicious, but we need the processes to
respond in hours, rather than days and weeks. More generally, infrastructure
used to launch attacks can be spun up more quickly than ever and attacks
manifest at speed. This requires the government to work more closely with major
technology and telecommunication providers so we can block and counter these
threats – and that demands information sharing mechanisms and legal frameworks
which enable this. Investigating and countering modern transnational cybercrime
demands very different approaches, and of course AI will undoubtedly play a big
part in this, but sadly both in attack and defence.
How leading CIOs cultivate business-centric IT
With digital strategy and technology as the brains behind most business
functions and operating models, IT organizations are determined to inject more
business-centricity into their employee DNA. IT leaders have been burnishing
their business acumen and embracing a non-technical remit for some time. Now,
there’s a growing desire to infuse that mentality throughout the greater IT
organization, stretching beyond basic business-IT alignment to creating a
collaborative force hyper-fixated on channeling innovation to advance enterprise
business goals. “IT is no longer the group in the rear with the gear,” says
Sabina Ewing, senior vice president of business and technology services and CIO
at Abbott Laboratories. ... While those with robust experience and expertise in
highly technical areas such as cloud architecture or cybersecurity are still
highly coveted, IT organizations like Duke Health, ServiceNow, and others are
also seeking a very different type of persona. Zoetis, a leading animal health
care company, casts a wider net when seeking tech and digital talent, focusing
on those who are collaborative, passionate about making a difference, and
adaptable to change. Candidates should also have a strong understanding of
technology application, says CIO Keith Sarbaugh.
Quote for the day:
"When someone tells me no, it doesn't mean I can't do it, it simply means I
can't do it with them." -- Karen E. Quinones Miller