Cyber security and Compliance: The Convergence of Regtech Solutions
/pcq/media/media_files/HSHrfZcv7l4P6Ab0c0kS.png)
While cybersecurity, in itself, is an area that requires significant resources
to ensure compliance, a business organisation needs to deal with numerous other
regulations. The business regulatory ecosystem is made up of over 1,500 acts and
rules and more than 69,000 compliances. As such, each enterprise needs to figure
out the regulatory requirements applicable to their business. The complexity of
the compliance framework is such that businesses are often lagging behind their
compliance timelines. Take, for instance, a single-entity MSME with a
single-state operation involved in manufacturing automotive components. Even
such an operation requires the employer to keep up with 624 unique compliances.
These requirements can reach close to 1,000 for a pharmaceutical enterprise.
Persisting with manual compliance methods while technology has taken over every
other business operation has become the root cause of delays, lapses, and
defaults. While businesses are investing in the best possible technological
solutions for cybersecurity issues, they are disregarding the impact of
technology on their compliance functions.
Millions of Websites Susceptible to XSS Attack via OAuth Implementation Flaw
Essentially, the ‘attack’ requires only a crafted link to Google (mimicking a
HotJar social login attempt but requesting a ‘code token’ rather than simple
‘code’ response to prevent HotJar consuming the once-only code); and a social
engineering method to persuade the victim to click the link and start the attack
(with the code being delivered to the attacker). This is the basis of the
attack: a false link (but it’s one that appears legitimate), persuading the
victim to click the link, and receipt of an actionable log-in code. “Once the
attacker has a victim’s code, they can start a new login flow in HotJar but
replace their code with the victim code – leading to a full account takeover,”
reports Salt Labs. The vulnerability is not in OAuth, but in the way in which
OAuth is implemented by many websites. Fully secure implementation requires
extra effort that most websites simply don’t realize and enact, or simply don’t
have the in-house skills to do so. From its own investigations, Salt Labs
believes that there are likely millions of vulnerable websites around the world.
The scale is too great for the firm to investigate and notify everyone
individually.
How to Build a High-Performance Analytics Team
The first approach, which he called the “artisan model,” involves building a
small team of highly experienced (and highly paid) data scientists. Such skilled
and capable team members can generally tackle all aspects of solving a business
problem, from subject matter expert engagement to hypothesis testing,
production, and iteration. The “factory approach,” on the other hand, resembles
more of an assembly line, with a large group of people divvying up tasks based
on their areas of expertise: some working on the business problem definition,
others handling data acquisition, and so on. This second approach requires
hiring more people than the first approach, but the pay differential between the
two types of team members is significant enough that the two approaches cost
roughly the same. ... An analytics team needs to grow and evolve to survive, and
management must treat its staff accordingly. “Data scientists are some of the
most sought-after talent in the economy right now,” Thompson stressed, “So I’m
working every day to make sure that my team is happy and that they’re getting
work they’re interested in – that they’re being paid well and treated well.”
Securing remote access to mission-critical OT assets
The two biggest challenges around securing remote access to mission-critical OT
assets are different depending on whether it’s a user or machine that needs to
connect to the OT asset. In terms of user access, the fundamental challenge is
that the cyber security team doesn’t know what the assets are, and who the users
are. That’s where the knowledge of the OT engineers – coupled with an inventory
of the assets comes into play. The security team can leverage the inventory,
experience, and knowledge of the OT engineers to operate as the “first line of
defense” to stand up the organizational defenses. With respect to
machine-to-machines access organizations typically don’t have an understanding
of what “known good” traffic should look like between these assets. Without this
understanding knowledge, it’s impossible to spot the anomalies from the
baseline. That’s where a good cyber-physical system protection platform comes
into play, providing the ability to understand the typical communication
patterns that can eventually be operationalized in network segmentation rules to
ensure effective security.
CrowdStrike debacle underscores importance of having a plan
To CrowdStrike’s credit, as well as its many partners and the CISO/InfoSec
community at large, a lot of oil was burned in the initial days after the faulty
update was transmitted as the community collectively jumped in and lent a hand
to mitigate the situation. ... “Moving forward, this outage demonstrates that
continuous preparation to fortify defenses is vital, especially before outages
occur,” Christine Gadsby, CISO at Blackberry, opined. She continued, “Already
understanding what areas are most vulnerable within a system prevents a panicked
reaction when something looks amiss and makes it more difficult for hackers to
wreak havoc. In a crisis, defense is the best offense; the value of confidence
that comes with preparation cannot be underestimated.” ... CISOs should also
review what needs to be changed, included, or deleted from their emergency
response and business continuity playbooks. ... Now is the time for each CISO to
do a bit of introspection on their team’s ability to address a similar scenario,
and plan, exercise, and be prepared for the unexpected. Which could happen
today, tomorrow, or hopefully never.
How Searchable Encryption Changes the Data Security Game
Organizations know they must encrypt their most valuable, sensitive data to
prevent data theft and breaches. They also understand that organizational data
exists to be used. To be searched, viewed, and modified to keep businesses
running. Unfortunately, our Network and Data Security Engineers were taught
for decades that you just can't search or edit data while in an encrypted
state. ... So why, now, is Searchable Encryption suddenly becoming a gold
standard in critical private, sensitive, and controlled data security?
According to Gartner, "The need to protect data confidentiality and maintain
data utility is a top concern for data analytics and privacy teams working
with large amounts of data. The ability to encrypt data, and still process it
securely is considered the holy grail of data protection." Previously, the
possibility of data-in-use encryption revolved around the promise of
Homomorphic Encryption (HE), which has notoriously slow performance, is really
expensive, and requires an obscene amount of processing power. However, with
the use of Searchable Symmetric Encryption technology, we can process "data in
use" while it remains encrypted and maintain near real-time, millisecond query
performance.
How Cloud-Based Solutions Help Farmers Improve Every Season
At the start of each growing season, farmers can use previous years’ data to
strategically plan where and when to plant seeds, identifying the areas of the
field where plants often grow strongly or are typically not as prosperous.
From there, planters equipped with robotics, sensors, and camera vision,
augmented with field boundaries, guidance lines, and other data provided from
the cloud, can precisely place hundreds of seeds per second at an optimal
depth and with optimal spacing, avoiding losses from seeds being planted too
shallow, deep, or close to another plant. ... Advanced machines gather a wide
range of data to support the next step of nurturing plant growth. That data is
critical, because while plants are growing, so are weeds. And weeds need to be
treated in a timely manner to give crops the best possible conditions to grow.
With access to the prior year’s data, farmers can anticipate where weeds are
likely to grow and target them directly. Today’s sprayers use computer vision
and machine learning to detect where weeds are located as the sprayer moves
throughout a field, applying herbicide only where it is needed. This not only
reduces costs but is also more sustainable.
Thinking Like an Architect
The world we're in is not simple. The applications we build today are complex
because they are based on distributed systems, event-driven architectures,
asynchronous processing, or scale-out and auto-scaling capabilities. While
these are impressive capabilities, they add complexity. Models are an
architect’s best tool to tackle complexity. Models are powerful because they
shape how people think. Dave Farley illustrated this with an example: long
ago, people believed the Earth was at the center of the universe and this
belief made the planets' movements seem erratic and complicated. The real
problem wasn't the planets' movements but using an incorrect model. When you
place the sun at the center of the solar system, everything makes sense.
Architects explaining things to others who operate differently may believe
that others don't understand when they simply use a different mental model.
... Architects can make everyone else a bit smarter by seeing multiple
dimensions. By expanding the problem and solution space, architects enable
others to approach problems more intelligently. Often, disagreements arise
when two parties view a problem from different angles, akin to debating
between a square and a triangle without progress.
CrowdStrike Outage Could Cost Cyber Insurers $1.5 Billion
Most claims will center on losses due to "business interruption, which is a
primary contributor to losses from cyber incidents," it said. "Because these
losses were not caused by a cyberattack, claims will be made under 'systems
failure' coverage, which is becoming standard coverage within cyber insurance
policies." But, not all systems-failure coverage will apply to this incident,
it said, since some policies exclude nonmalicious events or have to reach a
certain threshold of losses before being triggered. The outage resembled a
supply chain attack, since it took out multiple users of the same technology
all at once - including airlines, doctors' practices, hospitals, banks, stock
exchanges and more. Cyber insurance experts said the timing of the outage will
also help mitigate the quantity of claims insurers are likely to see. At the
moment CrowdStrike sent its update gone wrong, "more Asia-Pacific systems were
online than European and U.S. systems, but Europe and the U.S. have a greater
share of cyber insurance coverage than does the Asia-Pacific region," Moody's
Reports said. The outage, dubbed "CrowdOut" by CyberCube, led to 8.5 million
Windows hosts crashing to a Windows "blue screen of death" and then getting
stuck in a constant loop of rebooting and crashing.
Open-source AI narrows gap with proprietary leaders, new benchmark reveals
As the AI arms race intensifies, with new models being released almost weekly,
Galileo’s index offers a snapshot of an industry in flux. The company plans to
update the benchmark quarterly, providing ongoing insight into the shifting
balance between open-source and proprietary AI technologies. Looking ahead,
Chatterji anticipates further developments in the field. “We’re starting to
see large models that are like operating systems for this very powerful
reasoning,” he said. “And it’s going to become more and more generalizable
over the course of the next maybe one to two years, as well as see the context
lengths that they can support, especially on the open source side, will start
increasing a lot more. Cost is going to go down quite a lot, just the laws of
physics are going to kick in.” He also predicts a rise in multimodal models
and agent-based systems, which will require new evaluation frameworks and
likely spur another round of innovation in the AI industry. As businesses
grapple with the rapid pace of AI advancement, tools like Galileo’s
Hallucination Index will likely play an increasingly crucial role in informing
decision-making and strategy.
Quote for the day:
"Uncertainty is a permanent part of
the leadership landscape. It never goes away." -- Andy Stanley
