Daily Tech Digest - January 29, 2021

Expert: Agile data-driven decision-making key to growth

"You can't achieve agility, and you can't be adaptive unless you empower your business users with as much self-service analytics and business intelligence and reporting as they can consume," Evelson said. "Self-service is really the only way to become agile and adaptive." That, however, is linked to data governance, which is also imperative to agile data-driven decision-making. "There is a very fine line between too much self-service and not enough governance, versus too much governance and not enough self-service," Evelson added. "Hopefully, there is a middle ground between the two, which we call Goldilocks data governance." All of the competencies together, meanwhile, enable an organization to be agile through what Evelson terms multi-modal analytics and reporting. They empower organizations to do descriptive analytics through dashboards and reports, diagnostic and predictive analytics to get insights, and ultimately prescriptive and actionable analytics to make decisions and trigger actions. And should organizations fail to become agile and adapt to constant change, they risk irrelevancy and ultimately insolvency. Forty years ago, the average lifespan of companies in the S&P 500 was about 30 years, Evelson said.


The Brain Is Neither a Neural Network nor a Computer

Autonomy is the idea that the brain is self-governing, receptive to the environment, but always in control. Somatic disorders ranging from improper sugar levels and hormone imbalances to diseases such as malaria or syphilis can cause mental dysfunction. Some individuals are placed in mental hospitals when correcting an underlying disorder would actually fix the problem. At the simplest level, no amount of mental determination would make you a world-class athlete if you did not have the right type of muscle fibers or hand-eye coordination. You cannot flap your arms and fly—the aerodynamics does not allow it. Paganini could only be the legendary violinist he was because of his flexibility. No amount of musicianship could provide that ability. Cognitive processes are embodied. They emerge from the interaction between physical organisms and their environment, not just their brains. For example, there is evidence that the nature of your gut bacteria can cause anxiety, stress, and even depression. Replacing a diseased organ with a healthy one can increase mental functioning. A kidney transplant will help remove poisons from the blood such as urea or ammonia which will increase brain health.


The state of corporate legal departments and the role of the Chief Legal Officer

The survey affirms we are in the “age of the CLO.” With 78 percent of respondents reporting to the CEO, the overall trend remains very positive. Further, while CLOs still spend around one quarter of their time providing legal advice, they also spend a significant amount of time on board matters and governance issues, contributing to strategy development, and advising other executives on non-legal issues. The survey found that 46 percent of CLOs are responsible for their company’s data privacy function, reflecting the growing integration of legal in business strategy and technology policy. In the order of functions reporting to the Chief Legal Officer, only compliance (74 percent) outranks privacy. CLOs are also increasingly engaging with environmental, social, and governance issues. This includes diversity and inclusion (D&I). A full 72.7 percent of CLOs expect diversity and inclusion specifically to accelerate in 2021. Encouragingly, even despite COVID-19, 32 percent of law departments plan to take on more lawyers in 2021, a slight increase over 30 percent from 2020.

Defense Against Vulnerabilities in the Cloud – Is It Too Late?

Apart from the traditional challenges around access management, data pilferage and threats from data communication with third party applications is gaining prominence. Communication with third party applications has found increased traction through APIs, which are increasingly being targeted by threat actors. Further, misconfigurations and policy violations in cloud assets create potential vulnerabilities and backdoors leading to risk of compromise. This is primarily due to the policies of some companies to not change the default security settings on their cloud workloads. These cloud vulnerabilities are accentuated by the increasing number of connected systems and their dependencies. The genesis of many vulnerabilities boil down to access and privilege management. Organizations need to plan for a deep inspection and vulnerability management system as part of their devsecops pipeline for building scalable cloud native applications. A comprehensive vulnerability management system goes a long way to enable organizations to effectively manage and minimizing their threat attack surface.


How to build a trustworthy and connected future

More broadly, big(ger) data from personal, commercial and government sources has the potential to address various challenges related to the Sustainable Development Goals. For instance, the Humanitarian and Resilience Investing Initiative aims to fill critical gaps in the available data that are preventing investors from accessing more humanitarian and resilience investing (HRI) opportunities. The pandemic has exposed and exacerbated existing gaps and inequalities, notably almost half of the global population remain offline and broadband services are too expensive for 50% of the population in developed countries. These “connectivity deserts” hamper access to health, education and economic inclusion. In a bid to improve access to the digital economy, during The Davos Agenda, the Forum launched the Essential Digital Infrastructure and Services Network, or EDISON Alliance, tasked with working to accelerate digital inclusion Meanwhile, in metropolises around the globe, which account for nearly two-thirds of CO2 emissions, smart energy infrastructure connected through data and digitalization is central to transitioning to “net zero” cities.


2020 Marked a Renaissance in DDoS Attacks

The sheer quantity of attacks in 2020 was surprising, Kaczmarek says. "We always expect the number of attacks to increase year over year and quarter over quarter, but we didn't expect that the quantity would increase by over 150%," he says. "This truly reflects the impact of the pandemic and the challenging precedent the 'new normal' has set for cybersecurity." The number of DDoS attacks that involved two or more vectors increased from 40% in 2019 to 72% in 2020, Kaczmarek added. "This means that the attackers as well as the tools they are using are improving," he says. According to Neustar, while the use of DDoS to try and extort ransoms is not new, these attacks grew in persistence, sophistication, and targeting in 2020. Cyber extortionists purporting to belong to well-known nation-state groups went after organizations in industries they have not regularly targeted previously, such as financial services, government, and telecommunications. "RDDoS attacks surged in Q4 2020 as groups claiming to be Fancy Bear, Cozy Bear, and the Lazarus Group attempted to extort organizations around the world," says Omer Yoachimik, product manager, DDoS protection at Cloudflare, another vendor that observed the same trend.


A better kind of cybersecurity strategy

The core of the matter involves deterrence and retaliation. In conventional warfare, deterrence usually consists of potential retaliatory military strikes against enemies. But in cybersecurity, this is more complicated. If identifying cyberattackers is difficult, then retaliating too quickly or too often, on the basis of limited information such as the location of certain IP addresses, can be counterproductive. Indeed, it can embolden other countries to launch their own attacks, by leading them to think they will not be blamed. “If one country becomes more aggressive, then the equilibrium response is that all countries are going to end up becoming more aggressive,” says Alexander Wolitzky, an MIT economist who specializes in game theory. “If after every cyberattack my first instinct is to retaliate against Russia and China, this gives North Korea and Iran impunity to engage in cyberattacks.” But Wolitzky and his colleagues do think there is a viable new approach, involving a more judicious and well-informed use of selective retaliation. “Imperfect attribution makes deterrence multilateral,” Wolitzky says. “You have to think about everybody’s incentives together. Focusing your attention on the most likely culprits could be a big mistake.”


US, China or Europe? Here's who is really winning the global race for AI

On almost all metrics, therefore, the EU seems to be taking a backseat; and according to the researchers, there is no doubt that this is due to stringent regulations that are in place within the bloc. "Many in Europe do not trust AI and see it as technology to be feared and constrained, rather than welcomed and promoted," concludes the report, recommending that the EU change its regulatory system to be "more innovation-friendly". The General Data Protection Regulation (GDPR), say the researchers, limits the collection and use of data that can foster developments in AI. Proposals for a Data Governance Act, while encouraging the re-use of public sector data, also restrains the transfer of some information; and by creating European data spaces, the regulation could inhibit global partnerships. Recent reports show that the last year has seen almost a 40% increase in GDPR fines issued by the EU compared to the previous 20 months, reaching a total of $332 million in fines since the new laws started applying. In that context, it is not rare to find that some firms are deterred from developing AI systems altogether, out of fear of receiving a fine – even for the most well-intentioned innovations.


A Guide to Find the Right IoT Module for Your Project

As more small and new module providers emerge into the IoT market, many cheaper IoT modules are becoming available to customers with extremely attractive tag price. If we simply look at the initial deployment cost of using cheaper modules, it might look like that it saves a lot of money for the customers. But is the quality of these modules guaranteed? The process of developing a new product and making it deliverable to the market takes long and is costly. Low-quality modules always accompany a higher risk of malfunction and, to the worst extent, result in the failure of the whole project. This will not help IoT companies to generate expected project income, in reverse, it causes a greater loss in investment. From a long-term perspective, even if the product was launched to the market, the unstable performance of the module is likely to cause unwanted surprises and require frequent maintenances. This will not be simply a higher operating cost to the business, it will also harm the reputation of the brand and damage the customers’ loyalty. For the long-term growth of the business, choosing a reliable partner and quality-guaranteed module products is wise and worthy.


Researchers: Beware of 10-Year-Old Linux Vulnerability

The vulnerability, called "Baron Samedit" by the researchers and officially tracked as CVE-2021-3156, is a heap-based buffer overflow in the Sudo utility, which is found in most Unix and Linux operating systems. Sudo is a utility included in open-source operating systems that enables users to run programs with the security privileges of another user, which would them give them administrative – or superuser - privileges. The bug, which appears to have been added into the Sudo source code in July 2011, was not detected until earlier this month, Qualys says. "Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploits and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and distributions are also likely to be exploitable," the researchers say. After Qualys notified the authors of Sudo, a patch was included in version 1.5.5p2, published this week. Qualys and the Sudo authors are urging Linux and Unix users to immediately patch systems. Rob Joyce, who was recently named director of the National Security Agency's Cybersecurity Directorate, also flagged the alert on Twitter.



Quote for the day:

"Believe those who are seeking the truth. Doubt those who find it." -- Andre Gide

Daily Tech Digest - January 28, 2021

Engaging Employees to Accelerate Digital Banking Transformation

Many financial institutions are investing heavily in new technologies and processes to support their digital banking transformation goals. Research by the Digital Banking Report has found that banks and credit unions have increased investment in digital transformation in each of the past four years. There is no doubt that these investments are justified given the flight to digital by consumers and the game-changing technology that can support digital customer experience improvements. Unfortunately, with such a focus on data, analytics, technology and systems, most firms ignore the need to invest in employees to make sure they maximize the value of the new tools being deployed. Beyond open communication around how employees can be a part of the digital banking transformation process, it is important to invest in training the people to ensure that the digital banking transformation efforts succeed. If you don’t, it’s like buying a new car but failing to fill the gas tank (or charge the batteries). To respond to the need to reskill and upskill current employees, new models of managing learning and development have emerged. More than replicating legacy training methods, new learning officer positions have been created with the responsibility of not only creating ongoing learning opportunities, but also supporting cultural transformation.


Here’s why upskilling is crucial to drive the post-COVID recovery

We have a pressing societal problem: how to equip people with the skills they need to participate in the economy – now and in the future. As outlined in the World Economic Forum’s latest Future of Jobs Report, half of all employees around the world will need reskilling by 2025 – and that number doesn’t include all the people who are currently not in employment. If we don’t act now, this skills gap will only widen. With challenges come opportunities. Crisis events, like the pandemic, can and should shape economic thinking and represent a rare but narrow window of opportunity to reflect, reimagine, and reset priorities. So let’s seize this opportunity. We’re calling on governments, business leaders, and educators to join us in a global movement for upskilling. As you’ll see in our new report – Upskilling for Shared Prosperity – published as part of Davos Agenda Week to mark the first anniversary of the World Economic Forum’s Reskilling Revolution Platform, there’s a clear social and economic case for upskilling. If we commit to giving all people opportunities to build the skills they will need to fully participate in the future workplace, it will, in turn, lead to a prosperity dividend.


Law enforcement takes over Emotet, one of the biggest botnets

According to Europol, Emotet's infrastructure consisted of several hundred servers located across the world and serving different purposes, including making the botnet more resilient to takeover attempts. Law enforcement agencies had to work together to develop a strategy that involved gaining control of the infrastructure from the inside and redirecting victims to servers under their own control. As part of the investigation, the Dutch National Police seized data from the servers used by Emotet, including a list of stolen email credentials abused by the botnet. The agency set up a web page where users can check if their email address was among those affected. The information about infected computers that was gathered during the operation was also shared with national CERTs so the victims can be identified and contacted. "Only time will tell if the takedown will have long-term impact to Emotet operations," Jason Passwaters, COO of security firm Intel 471, tells CSO. "These groups are sophisticated and will have baked in some sort of recovery. Emotet itself does not appear to have any sort of inherent recovery mechanism, but a lot of the infected machines will have other malware installed as well, such as Qbot, Trickbot or something else. ..."


Top 5 Evolving Cybersecurity Threats to Cloud Computing in 2021

According to the Sophos Threat Report of 2020, misconfigurations can drive numerous data breaching incidents. Businesses are integrating themselves with cloud computing which guarantees the possibilities of cloud jacking emergence. Trend Marco predicts that code injection attacks can be utilized to attack cloud platforms. These attacks can be carried out through third-party libraries, from SQL injection and cross-site scripting. Attackers inject malicious code through third-party libraries and ensure that the code is downloaded and executed by individuals unintentionally. According to typical public cloud vendors, they are only responsible for the security of their infrastructure and individuals are responsible for protecting their data. ... Social engineering acquires phishing scams to steal user credentials for cloud-service tracks and on-premises attacks. Do you know that 78% of data breaching incidents that occurred during 2019 were related to phishing? This percentage increased in 2020. Innovative phishing attempts are launched through cloud applications rather than traditional emails. Phishing kits make it easier for cybercriminals to carry out illicit activities. Phishing kits require a very small amount of technical skills to carry out phishing operations.


What Is Robomorphic Computing?

A robot’s operation is a three-step process: gathering data using sensors or cameras; use mapping and localisation techniques to understand the environment; plotting the course of action. Advances in embedded vision and SLAM technology make data gathering and localisation easy. However, all these steps take a lot of time, especially when calculations are done on CPUs. Previously, the researchers have investigated the software side to develop an efficient algorithm to speed up robots. The MIT folks concluded it’s time to look beyond software. Hardware acceleration is the use of a specialised hardware unit to do certain computing tasks more efficiently. While Graphic Processing Units or GPUs have been availed for such tasks, the application is limited since the use cases are different for different robots. Hence, the researchers at MIT developed robomorphic computing to devise a customised hardware unit for individual robots. It considers the physical parameters of the robot and the tasks it needs to perform and translates it into mathematical matrices to design a specialised hardware architecture. The resulting chip design is unique to the robot and maximises its efficiency.


Digital Identity Is the New Security Control Plane

Digital identity — in the form of trusted contextual data defining who is accessing a system and how — provides this control plane. Users are already providing identity (and likely at multiple points). Systems are already consuming it — in the case of software-as-a-service (SaaS) environments, it may be one of the few configurable security controls available — but the decoupling of security from location and IP address is present in many other solutions. It can be tailored to an organization's needs and be risk-sensitive, with different methods and phases required, depending on the resource accessed. Even better, it's a control plane that can and should be implemented in a phased approach and provides a path to a zero-trust network architecture. The steps to building this are conceptually simple, and we can do extensive preparation. First, ensure even before you implement that the technologies you are investing in are identity-aware and able to make differentiated security decisions in the data plane based on that identity. This must extend to SaaS applications — one of the largest benefits of using identity as your control plane is the ability to bring these into the fold, as it were, and to match them to your security model. Second, consolidate identity to a single "source of trust" — that is, a single secure, consistent, and accurate repository for identity.

Data Privacy Day 2021: What to consider in the wake of Covid-19

The exit of the UK from the EU means that companies across the country that deal with Europe need to take extra steps to ensure correct compliance. According to Rich Vibert, CEO and co-founder of Metomic, this can be aided by considering this aspect at the start of any deployment. “This Data Privacy Day, we must confront the fact that UK companies aren’t equipped to protect their data now that we’ve Brexited,” said Vibert. “A large proportion of the responsibility for this lies with the UK government, whose failure to deliver guidance during the transition period resulted in businesses adopting a ‘wait and see’ approach. “Businesses need to take charge; proactively adapting compliance to UK-GDPR and analysing how a lack of adequacy could impact them and their customers. Only by doing so will they avoid the financial and reputational damage caused by non-compliance. “Regardless of whether the government holds the blame for the current status quo or not, leaders must see this as an opportunity to reset their approach to data protection. This means putting the privacy, compliance and security of data at the heart of their business strategy and using technology to facilitate this.


Marry IGA with ITSM to avoid the pitfalls of Identity 2.0

IAM solutions are too coarse-grained to handle such moves, in my experience. That forces admins to do IGA the hard way – taking care of onboarding, job changes, terminations, and so forth by hand. In addition to being a time- and labor-intensive hassle, manual IGA leads to numerous identity management errors. All too often, manual IGA grants access to new applications or information sources but doesn’t take away old ones, which exposes companies to security and compliance risks. Manual processes for managing patches, password resets, software updates, and more also increase risks. You don’t want an executive accessing highly confidential information from an app that doesn’t require two-factor authentication on a laptop that hasn’t been updated. But if IGA is managed from a spreadsheet, that’s exactly what happens. The employee lifecycle is only one of the IGA challenges that Identity 2.0 systems are not well-positioned to address. Take for example the expense and integration hassle of onboarding traditional IAM into manual IGA systems. The typical IGA system, like most enterprise systems, exists in a silo. Implementing manual IGA on systems such as HR, CRM, finance, and operations means writing numerous custom integrations.


What Happens If a Cloud Provider Shuts You Out?

There are other reasons, such as sudden outages or the shutdown of a cloud provider, for organizations to create plans to salvage their code and get back online quickly, Valentine says. Heikki Nousiainen, CTO at Aiven, also says the threat of getting cut off by all three major cloud providers is very low for most other businesses -- yet companies may want to maintain the ability to move code around for disaster recovery needs. “They are rare, but we sometimes see these big outages touch Google, AWS, or Azure in one or more regions,” he says. Companies with very time-sensitive online business needs, for example, may want to maintain the ability to roll over to a backup elsehwere, Nousiainen says. He recommends exploring true multi-cloud options where companies can select providers freely without being locked in, and also going with open source technology because that lets the same set of services run in different clouds. Some of these options can come at a bit of premium, though Nousiainen says the overall benefits may be worth it. “There are costs associated but typically when that investment goes into preparing infrastructure as a code it also helps for many other problems such as disaster recovery.”


Dead System Admin's Credentials Used for Ransomware Attack

In a case study published Tuesday, the researchers say the system administrator had died three months previously, but the account remained active. The researchers note that there are numerous reasons why the account could have been left open, including the possibility that the system admin had helped with the initial setup of the targeted firm's services. "Closing down the account would have stopped those services working, so keeping the account going was, we'd imagine, a convenient way of letting the dead person's work live on," according to the report. The Sophos report also notes that these types of "ghost" accounts are an increasing problem for security teams, especially if other parts of the company forget that they remain active after an employee has left or died. "In this case, the active use of the account of a recently deceased colleague ought to have raised suspicions immediately - except that the account was deliberately and knowingly kept going, making its abuse look perfectly normal and therefore unexceptionable, rather than making it seem weirdly paranormal and therefore raising an alarm," according to Sophos.



Quote for the day:

"The leadership team is the most important asset of the company and can be its worst liability." -- Med Jones

Daily Tech Digest - January 27, 2021

When Kubernetes is not the solution

Automation and orchestration are frequent reasons to leverage Kubernetes. Keep in mind that automation and orchestration often get confused, and for good reason. Automation can help make a business process more efficient by reducing or removing human involvement with software or hardware that performs specific tasks. For example, automation can launch a process to reorder raw materials automatically when other processes notice that supplies are below a specific level. In short, a single task is automated. Orchestration, in contrast, allows you to automate a workflow. Orchestration can keep track of sequence and activities, and can even invoke many single-task automations that are part of the workflow. Orchestration is a powerful Kubernetes tool that also allows you to invoke services such as database access across disparate systems. What's happening now is that many developers and architects choose Kubernetes to automate processes using the orchestration engine. That’s like hitting a thumbtack with a sledgehammer. You’ll end up spending way too many dollars on development and cloud resources to solve a simple, specific problem. Another fact that often gets overlooked is that Kubernetes is a complex system itself; it requires special expertise and at times can increase risk.


Learning from Incidents

When we use language that wraps up complexity in a neat parcel like “human error,” or we make counterfactual assertions (“system X should be able to detect this scenario,”) we give participants in our investigation the opportunity to agree with something that might be true given what we know in hindsight, but which does not help us understand the behaviour of the people or systems during the incident. Everyone in the room can nod and acknowledge that the human did indeed make a mistake, or that system “X” really should have detected the issue. Have you understood anything new about how your system really works? Unlikely. Secondly, when we ignore power structures and the social dynamics of the organizations we work in, we risk learning less. Asking “why” questions can put people on the defensive, which might make them less likely to speak frankly about their own experience. This is especially important when the person being asked is relatively less powerful in the organisation. “Why did you deploy that version of the code?” can be seen as accusatory. If the person being asked is already worried about how their actions will be judged, it can close down the conversation. “During this incident you deployed version XYZ. 

4 Ways Blockchain Could Catapult Into the Mainstream

We are used to storing valuables at home such as money, jewelry or art. However, when the value of these goods exceed what we can insure, or what we feel safe in keeping at home, we usually turn to banks or special custodians as more convenient safeguards for storing our liquid assets. Cryptocurrency offers alternative storage options via personal wallets or easy on-ramps to exchanges or a new category of crypto custodians that possess their own secure vaults. Today, many self-custody wallets already exist, allowing users to experience the self-service option for assets storage. Those same wallets also enable the storage of another blockchain novelty: “digitally unique” artifacts also known as non-fungible tokens (or NFTs; think CryptoKitties). In the long term, banks and old-style physical storage services may not be the most popular or safest storage methods anymore. Being your own custodian is an attractive value proposition that comes with a degree of freedom and efficiency, as long as its relative ease of use and trust levels continue to improve. Many users will gradually de-bank their assets and move them into self-custody to take advantage of new services that are only available in the blockchain world. 


Security's Inevitable Shift to the Edge

Many security architects are initially attracted to the SASE model as it helps them apply security controls at the optimal location in their rapidly changing architecture. That optimal location is the edge of the Internet, which will be close to any infrastructure-as-a-service (IaaS) or co-location facility that the business uses today or in the future. The edge deployment model provides agility for hybrid multicloud organizations and is well suited to changes to IaaS vendor or new locations from mergers and acquisitions. The flexibility of deploying security inspection at the edge means that, regardless of shifts in the location of compute, security inspection can be performed at a local edge node. This provides for optimized routing of traffic and avoids what Gartner describes as the unnecessary "tromboning of traffic to inspection engines entombed in enterprise data centers." Furthermore, since multicloud is the predominant architecture, deploying security at a homogeneous edge makes more sense than trying to engineer consistent controls using heterogeneous capabilities available at various cloud security providers (CSPs). Another driver for SASE is the migration of users outside of the traditional corporate offices.


Cisco bolsters edge networking family with expanded SD-WAN, security options

Among the four new models is a low-end box – the Cisco Catalyst 8500L – that's aimed at entry-level 1G/10G aggregation use cases, Cisco stated. The 1RU form factor 8500L is powered by 12 x86 cores and features up to 64GB memory to support secure connectivity for thousands of remote sites and millions of stateful NAT and firewall sessions, wrote Archana Khetan, senior director of product management for Enterprise Routing and SD-WAN Infrastructure at Cisco, in a blog about the new boxes. Businesses find that establishing aggregation sites at either core locations or colocations helps them own the first mile on their branch and remote-worker connectivity to the internet and other software-defined cloud interconnects, Khetan stated. "The Catalyst 8500L provides ultra-fast IPsec crypto performance and advanced flow-based forwarding to keep up with the demands of today's high-speed, secure connectivity," Khetan stated. Targeting the branch, Cisco added the Catalyst 8200, which supports eight CPU cores for high-performance packet forwarding and 8GB of default RAM to run the latest security services, Khetan stated. The Catalyst 8200 Series supports up to 1Gbps of aggregate forwarding throughput, which is double the performance of its ISR 4300 predecessor, according to Khetan.


Ransomware: Should Governments Hack Cybercrime Cartels?

One proposal has been to ban all ransom payments. Whether such bans could be enforced is not clear. Also, organizations that did their best to safeguard themselves, but still saw their systems get crypto-locked, could go out of business or suffer devastating interruptions due to a ban. Short of a ban, Ciaran Martin, an Oxford University professor of practice in the management of public organizations who until last August served as the British government's cybersecurity chief, says governments should at least crack down on insurers being able to help victims funnel payoffs to attackers. "I see this as so avoidable. At the moment, companies have incentives to pay ransoms to make sure this all goes away," Martin tells The Guardian, expanding on suggestions he's previously made. "You have to look seriously [at] changing the law on insurance and banning these payments, or at the very least, having a major consultation with the industry." Responding to suggestions that ransom payments be banned, a spokesman for the Association of British Insurers tells Information Security Media Group: "Insurance is not an alternative to managing the cyber ransomware risk; it is part of a toolkit to combat this crime." The spokesman also notes that policyholders must have all "reasonable precautions" in place.


Experts predict hot enterprise architecture trends for 2021

There is increasing competition in enterprise architecture tools, with a lot of new players. There's going to be more investing in R&D. Hopefully, that means customers will get better tools for their EA initiatives. We'll see tools going in different directions and having different focuses. The newer generation of tools is typically data-driven. You don't draw your architecture. It is basically derived from the data you put into the tools. That opens up different uses for data analytics to create future-state scenarios, quantify the benefits to the business and use that to make strategic decisions. You can do organizational modeling. It's difficult to do that unless you have a data-driven approach, because you would have to create every single future-state scenario. The entire delivery vehicle for the newer tools is cloud only, so you can deploy more rapidly. Companies that have moved to the cloud over the last couple of years realize that you can't be in one cloud anymore. You have to be in multiple clouds in order to ensure redundancy. That's another area where EA tools are focusing, creating native integration with these modern-day cloud environments and using enterprise architecture practices to manage and model them.

Streamlining cloud compliance through automation

The first is inherent in compliance with any cybersecurity and privacy requirement, and the cloud doesn’t make it go away (in fact, it arguably makes it worse) – and that’s the time it takes to audit. Companies preparing for audits must sink significant time and effort (hundreds of hours, every audit, across multiple requirements) into collecting a vast amount of technical data on information security controls and processes. Manually collecting data, taking screenshots, and organizing evidence takes that time away from cloud and DevOps teams that could otherwise be spent building new products or services. ... Second, security capabilities meant for on-premises environments no longer apply when companies begin migrating to the cloud, making evidence gathering all the more complicated. Quite simply, the cloud creates a new paradigm, forcing companies to re-architect the best security practices they have spent years perfecting, i.e., to fundamentally start from scratch. Third, software development and change management in the cloud moves at light speed compared to more traditional monolithic application updates, and it can be difficult for companies to keep up with the security and privacy implications of that ever-changing cloud environment.


How to deliver an effective technology strategy in 2021

Technology strategies, like data strategies and digital transformations can no longer be considered in isolation. Having the right technology platform is just one of a number of critical enablers to being competitive, agile and innovative in the 2020s. The growing trend for business transformation is a holistic approach which recognises to succeed, technology, data and digital transformations need to be tackled together, or at least in parallel. In the 2020s businesses can be divided between those who are disrupting and those being disrupted. Disruptors enter categories with a transformative new product, service or customer experience — posing an existential threat to the existing players. Disruptors are digital, data and technology first companies, leveraging these as assets in the battleground of customer experience. Any technology strategy should be intertwined with a data strategy. It should be focused on delivering the customer approach to serve the overall business plan. I appreciate that sounds a lot harder than focusing just on technology, but the alignment needs to be embraced rather than avoided if the desired outcomes are to be achieved. The world is littered with technology that’s easy to buy, more challenging to implement and often only partially or completely unused.


Cybersecurity, Modernization Top Priorities for Federal CIOs

One significant focus not covered by the first 100 day plan but indicated in the proposed stimulus package is a response to something more recent -- the SolarWinds hack, which has impacted both government and commercial IT organizations. In response the new administration is putting a new focus on cybersecurity, adding provisions that cover this area to the COVID-19 stimulus package. While it needs to go through Congress, the American Rescue Plan from the administration calls for a total of more than $10 billion for cybersecurity and IT modernization efforts, plus some other IT-related areas. "In addition to the COVID-19 crisis, we also face a crisis when it comes to the nation's cybersecurity," a brief of the plan says. "The recent cybersecurity breaches of federal government data systems underscore the importance and urgency of strengthening US cybersecurity capabilities. President-elect Biden is calling on Congress to launch the most ambitious effort ever to modernize and secure federal IT and networks." Even if it doesn't remain in the stimulus package that Congress ultimately passes, the Biden administration's inclusion of funding for cybersecurity highlights just what a priority this area is for the administration going forward.



Quote for the day:

"If we were a bit more tolerant of each other's weaknesses we'd be less alone." -- Juliette Binoche

Daily Tech Digest - January 25, 2021

DDoS Attackers Revive Old Campaigns to Extort Ransom

Radware's researchers say the tactics recently observed with the attacks launched by this particular group indicate a fundamental change in how it operates. Previously, the operators would target a company or industry for a few weeks and then move on. The 2020-2021 global ransom DDoS campaign represents a strategic shift from these tactics. DDoS extortion has now become an integral part of the threat landscape for organizations across nearly every industry since the middle of 2020," the report states. The other major change spotted is this threat group is no longer shy about returning to targets that initially ignored their attack or threat, with Radware saying companies that were targeted last year could expect another letter and attack in the coming months. "We asked for 10 bitcoin to be paid at (bitcoin address) to avoid getting your whole network DDoSed. It's a long time overdue and we did not receive payment. Why? What is wrong? Do you think you can mitigate our attacks? Do you think that it was a prank or that we will just give up? In any case, you are wrong," the second letter says, according to Radware. "The perseverance, size and duration of the attack makes us believe that this group has either been successful in receiving payments or they have extensive financial resources to continue their attacks," the report states.


Five Reasons You Shouldn't Reproduce Issues in Remote Environments

When attempting to reproduce an issue across multiple environments, one area that teams must have solid processes around is test data management. Test data can be critical in the reproduction of bugs in that if you don’t have the right test data in your environment, the bug may not be reproducible. Due to the sheer size of production data sets, teams must often work with subsets of that data across test environments. The holy grail of test data management processes is to allow teams to easily quickly subset production data based on the data needed to reproduce an issue. In practice, things don’t always work out so easily. It’s hard to know what attributes of your test data may be influencing a specific bug. In addition, data security when dealing with PII data can be a major challenge when subsets of data are used across environments. Teams need to ensure that they are in compliance with corporate data privacy standards by masking or generating new relevant data sets. Many times it takes lots of logging and hands on investigation to uncover how data discrepancies can cause those hard to find bugs. If you cannot easily manage and set up test data on demand, teams will suffer the consequences when it comes to trying to reproduce bugs in remote environments.


AI ethics: Learn the basics in this free online course

If you are interested, an excellent place to start might be the free online course The Ethics of AI, offered by the University of Helsinki in partnership with "public sector authorities" in Finland, the Netherlands, and the UK. Anna-Mari Rusanen, a university lecturer in cognitive science at the University of Helsinki and course coordinator, explains why the group developed the course: "In recent years, algorithms have profoundly impacted societies, businesses, and us as individuals. This raises ethical and legal concerns. Although there is a consensus on the importance of ethical evaluation, it is often the case that people do not know what the ethical aspects are, or what questions to ask." Rusanen continues, "These questions include how our data is used, who is responsible for decisions made by computers, and whether, say, facial recognition systems are used in a way that acknowledges human rights. In a broader sense, it's also about how we wish to utilize advancing technical solutions." The course, according to Rusanen, provides basic concepts and cognitive tools for people interested in learning more about the societal and ethical aspects of AI. "Given the interdisciplinary background of the team, we were able to handle many of the topics in a multidisciplinary way," explains Rusanen.


Zero trust: A solution to many cybersecurity problems

CISOs of organizations that have been hit by the attackers are now mulling over how to make sure that they’ve eradicated the attackers’ presence from their networks, and those with very little risk tolerance may decide to “burn down” their network and rebuild it. Whichever decision they end up making, Touhill believes that implementing a zero trust security model across their enterprise is essential to better protect their data, their reputation, and their mission against all types of attackers. And, though a good start, this should be followed by the implementation of the best modern security technologies, such as software defined perimeter (SDP), single packet authorization (SPA), microsegmentation, DMARC (for email), identity and access management (IDAM), and others. SDP, for example, is an effective, efficient, and secure technology for secure remote access, which became one of the top challenges organizations have been faced with due to the COVID-19 pandemic and the massive pivot from the traditional office environment to a work-from-anywhere environment. Virtual private network (VPN) technology, which was the initial go-to tech for secure remote access for many organizations, is over twenty years old and, from a security standpoint, very brittle, he says.


Comparing Different AI Approaches to Email Security

Supervised machine learning involves harnessing an extremely large data set with thousands or millions of emails. Once these emails have come through, an AI is trained to look for common patterns in malicious emails. The system then updates its models, rules set, and blacklists based on that data. This method certainly represents an improvement to traditional rules and signatures, but it does not escape the fact that it is still reactive and unable to stop new attack infrastructure or new types of email attacks. It is simply automating that flawed, traditional approach – only, instead of having a human update the rules and signatures, a machine is updating them instead. Relying on this approach alone has one basic but critical flaw: It does not enable you to stop new types of attacks it has never seen before. It accepts there has to be a "patient zero" – or first victim – in order to succeed. The industry is beginning to acknowledge the challenges with this approach, and huge amounts of resources – both automated systems and security researchers – are being thrown into minimizing its limitations. This includes leveraging a technique called "data augmentation," which involves taking a malicious email that slipped through and generating many "training samples" using open source text augmentation libraries to create "similar" emails.


Why Is Agile Methods Literacy Key To AI Competency Enablement?

First, quality AI is a highly iterative experimentation, design, build and review process. Organizations that are aspiring to build strong AI and data sciences competency centers will flounder if their core cultures are not building agile skills into all operating functions, from top to bottom. Given the incredible speed and uncertainties of everything becoming more digital and smarter, the imperative for all talent to continually adapt, reflect, and make decisions based on new information is a business imperative. Leaders do not have the luxury to procrastinate too long before acting on the new insights, and making decisions with confidence. Some times, cultures can build a capacity for inaction versus action oriented behavior. Agile leadership demands rapid precision, involving diverse stakeholders, which in turn, yields more positive change dynamics (momentum) and more importantly innovation capacity grows as a result of this energy force. In a recent Harvard article, the authors pointed out that, “If people lack the right mindset to change and the current organizational practices are flawed, digital transformation will simply magnify those flaws.” Truly agile organizations are able to capitalize on new information and make the next move because they have what we call the capacity to act.


10 ways to prep for (and ace) a security job interview

Hiring managers typically look for strong technical skills and specific cybersecurity experience in the candidates they want to interview, particularly for candidates filling entry- and mid-level positions within enterprise security. But managers use interviews to determine how well candidates can apply those skills and, more specifically, whether candidates can apply those skills to support the broader objectives of the organization, says Sounil Yu, CISO-in-resident at YL Ventures. As such, Yu says he and others look for “T-shaped individuals”—those with deep expertise in one area but with general knowledge across the broader areas of business. The candidates who get job offers are those who have, and demonstrate, both. “Security is a multidisciplinary problem, so that depth is an important asset,” Yu adds. Candidates love to say they’re passionate about security, but many can’t figure out how to showcase it. Those who can, however, stand out. Yu once interviewed a candidate via video and could see a server rack in the background of this person’s home office. “He clearly liked tinkering outside of work. You could see that he had tech skills and a passion for them and a drive to learn about new technologies,” Yu says. 


The changing role of IT & security – navigating remote work cybersecurity threats

The move to remote working and the complication of multiple devices and locations is also raising the important questions related to software licensing. Are you licensed for the apps that people are using at home, or are you licensed on their computer in the office and on their computer at home? Several businesses are now having to buy thousands of additional software licenses so that employees can work on more than one computer, at a time when cost optimisation is extremely important. One of the related threats to businesses is running afoul of regulatory data privacy protections like GDPR and CCPA, among others. Given the current state of things, it is unlikely that a regulator would currently be hunting for companies that might be improperly managing employee and customer data. It appears regulators are largely being more lenient at this stage while companies are busy just trying to survive. Whilst it is reasonably to consider that, for a time, this will continue, there will come a time when we see a return to enforcement and, in the meantime, there is no guarantee that regulators will not review issues that come up as a result of a data breach or loss. It’s always important to reinforce the best security practices to your workforce, but it is especially important when your employees are out of their normal routines.


Weighing Doubts of Transformation in the Face of the Future

You don’t have to [change], but you will be left behind. Seventy-four percent of CEOs believe that their talent force and organization need to be a digitally transformed organization, yet they feel like only 17% of their talent is capable and ready to do that. That gap is glaring. That’s coming from the tops of organizations and businesses. The first mover advantage has kind of passed already. Now we’re getting into the phase of cloud migration and the concept of everything-as-a-service. Digital transformation is easier to attain. You don’t have to be the first mover or early adopter. The companies that help you live, work, and play inside your home were pretty resilient during the COVID-19 pandemic. Tech, media, and fitness companies like NordicTrack and Peloton that helped you stay inside your house, they were the ones that needed to transform digitally immediately to deal with the significant increase in demand along with significant supply chain challenges. Now we are seeing other industries that saw a bit of a pause during COVID -- consumer, travel, entertainment, energy -- those businesses are seeing or expecting this uptick in the summer travel period, the pent-up demand of Americans. Interest rates are very low, and they haven’t been able to spend [as much] money for the last 12 to 18 months by the time the summer comes around.


Good News: Cryptocurrency-Enabled Crime Took a Dive in 2020

While the total cryptocurrency funds received by illicit entities declined in 2020, Chainalysis reports, criminals continue to love cryptocurrency - with bitcoin still dominating - because using pseudonymizing digital currencies gives them a way to easily receive funds from victims. Cryptocurrency also supports darknet market transactions, with many markets offering escrow services to help protect buyers and sellers against fraud. Using cryptocurrency, criminals can access a variety of products and services, such as copies of malware or hacking tools, complete sets of credit card details known as fullz, and tumbling or mixing services, which are provided by a third-party service or technology that attempts to mix bitcoins by routing them between numerous addresses, as a way of laundering the bitcoins. Criminals have also been using a legitimate concept called "coinjoin," which is sometimes built into cryptocurrency wallets as a feature. It allows users to mix virtual coins together while paying for separate transactions, which can complicate attempts to trace any individual transactions. Intelligence and law enforcement agencies have some closely held ability to correlate the cashing out of cryptocurrency with deposits that get made into individuals' bank accounts.



Quote for the day:

"To have long term success as a coach or in any position of leadership, you have to be obsessed in some way." -- Pat Riley

Daily Tech Digest - January 24, 2021

The work-from-home employee’s bill of rights

Keeping business and personal data separate is straightforward for most cloud services, so legitimate security concerns can be addressed in such hybrid environments. Only in areas where IT cannot reasonably ensure security may businesses disallow specific optional technologies or hybrid usage. (The employee should be made aware that in such mixed-usage cases that, should there ever be a legal proceeding, their personal devices used for work could be subject to discovery and thus be taken during the course of an investigation.) IT also must allow the use of personal services in such mixed-usage environments, such as allowing users to use personal Slack, Zoom, or Skype accounts for personal communications rather than blocking such software to force the use of a corporate standard. Instead, managers would enforce the use of corporate-standard technology for business purposes, not IT through technology barriers. The basic principle should be that employees can bring their own technology into the mix unless it creates a clear security issue — and not a theoretical one, since IT too often cites security as an easy reason to say no to employee requests despite any real evidence of a risk.


Artificial Intelligence Collaboration in Asia’s Security Landscape

Though the field of AI – a catchall term for a set of technologies that enable machines to perform tasks that require human-like capabilities – has been around for decades, interest in it has surged over the past few years, including across the Asia-Pacific, with individual countries beginning to develop their own national approaches and multilateral groupings such as the OECD formulating guidance such as principles on AI. In the security realm more specifically, AI is emerging as a key topic for defense policymakers and communities alike in a range of areas, from assessments of its impact on geopolitical competition to areas of potential collaboration between some Indo-Pacific partners and their expert communities. It has also been a topic of discussion among scholars and policymakers in annual Asian security fora such as the Shangri-La Dialogue and the Xiangshan Forum. Seen from this perspective, Mohamad’s highlighting of AI as an area of focus for Asian defense establishments was very much in keeping with these trends. As he noted in his keynote address, AI represents an emerging domain where armed forces and defense establishments can play a key role in efforts to “strengthen the international order and enhance practical cooperation” by promoting responsible state behavior, building confidence, and fostering international stability. 


Is neuroscience the key to protecting AI from adversarial attacks?

For the new research, Cox and DiCarlo joined Joel Dapello and Tiago Marques, the lead authors of the paper, to see if neural networks became more robust to adversarial attacks when their activations were similar to brain activity. The AI researchers tested several popular CNN architectures trained on the ImageNet dataset, including AlexNet, VGG, and different variations of ResNet. They also included some deep learning models that had undergone “adversarial training,” a process in which a neural network is trained on adversarial examples to avoid misclassifying them. The scientist evaluated the AI models using the BrainScore metric, which compares activations in deep neural networks and neural responses in the brain. They then measured the robustness of each model by testing it against white-box adversarial attacks, where an attacker has full knowledge of the structure and parameters of the target neural networks. “To our surprise, the more brainlike a model was, the more robust the system was against adversarial attacks,” Cox says. “Inspired by this, we asked if it was possible to improve robustness (including adversarial robustness) by adding a more faithful simulation of the early visual cortex — based on neuroscience experiments — to the input stage of the network.”


Speed Limits in Software Development

For software development there aren’t road signs telling us a safe speed to deploy at, but perhaps we can extend the driving metaphor a bit more to help us think this through. One thing that relates to safe speed is responsiveness. A slick road makes it harder for your car to respond to changes in direction, and slow deployment makes it hard to respond to problems with your application. How easy is it to respond to issue in your application? Don’t forget that an F1 race car with new tires and perfect tuning can respond a lot better than the little commuter car you might have. We can tune our code and deployments and get better at responsiveness over time. If the road is foggy and you can’t see where you are going when you drive, I hope you slow down. If you can’t see what is going in your application and understand how it is being used, I hope you slow down. ... So how fast can we go in software development? Well, in the ideal case if we know everything and have a smooth path ahead of us, pretty fast. I don’t think we can get to a land speed record since software development doesn’t often involve going in a straight line, but with a bit of work on the code and deployment process and with investment in observability and operations, I think we can go pretty fast, pretty safely. Just be careful.


Why the brain will always win in the battle against AI

What we call ‘intelligence’ is an activity of the brain. The outcome of that activity forms our ‘mind’ about things. Even when we sleep, our intelligence is awake and our mind is being formed. In this context, we must pay attention to the concept of duality as the first level of multivariate analysis. A hallmark of intelligence is the willingness to change one's mind. Humans can think in terms of ranges, options and spectral possibilities. Machines are only about specificity and exactness. Computing doesn’t entertain opinion. Yet, calculation is merely one aspect of our mental ability. It has been exaggerated in our education system. This kind of logic-based intelligence is quite self-conscious. We are assessed for deductive ability. We are tutored to think and know but not trained to ‘think about thinking’ or ‘know about not knowing’. We are barely taught any self-awareness. Emotional Intelligence is neglected. We are coached in analytical hindsight and acquire a punter’s foresight based on the computation of odds. No one educates us on esteem, gratification, empathy, or seduction. We learn these things by ourselves. The irony is that machines have beaten us on all those aspects that we acquire via structured learning and tutoring. It is in the emotional, subjective and artistic areas that mankind holds the advantage.


Data bill: The security vs privacy debate

Encryption is widely acknowledged as the strongest feature of data protection. Digital banking and financial transactions have increased manifold with the Reserve Bank of India prescribing the encryption standards. The telecom sector, however, is limping along on 40-bit key encryption, which is considered to be low. Both cellular voice and messaging are vulnerable to off-air interceptions, with experts pointing at the weakness of SMS being used as second factor authentication in banking, payments and Aadhaar identification. The Telecom Regulatory Authority of India has rightly recommended an update of regulation policy and is of the view that encryption is a reliable tool which should not be interfered with. The end-to-end encryption on chat platforms is the most secure method of keeping data safe from hackers and break-ins. The General Data Protection Regulation of the European Union strongly favours use of encryption for protecting individual data. However, security agencies around the world want decrypted data and favour legislation in this regard. The United States, United Kingdom and Australia support a legislation for decryption, while France and Germany are pro-encryption.


New motto for CIOs: Move even faster and make sure nothing breaks

The stakes are high for IT professionals running digital transformation projects with consequences ranging from missed bonuses to going out of business, according to a new survey. The current motto for survival is "Move even faster and make sure nothing breaks," IT leaders told Kong in the company's 2021 Digital Innovation Benchmark report. Sixty-two percent of tech leaders said they are at risk of being replaced by competitors who innovate more quickly, according to the survey. Also, 51% of respondents said they will survive only three years before being acquired or simply going out of business if they can't evolve fast enough. That number goes up to 84% when the make-or-break timeline extends to six years. This number is up from 71% in last year's survey. ... The survey reinforces what many companies realized at the end of 2020: The pandemic accelerated digital transformation in general and cloud migrations in particular. Almost 40% of tech leaders in the US and Europe said that their companies also implemented microservices sooner than expected due to the pandemic.  A majority of respondents (87%) said that microservice-based applications, distributed applications, and open source software are the future of IT architecture. 


Reflect brings automated no-code web testing to the cloud

Every company is now a software company, or so we’re told, meaning they have to employ designers and developers capable of building websites and apps. In tandem, the much-reported software developer shortage means companies across the spectrum are in a constant battle for top talent. This is opening the doors to more automated tools that democratize some of the processes involved in shipping software, while freeing developers to work on other mission-critical tasks. It’s against this backdrop that Reflect has come to market, serving as an automated, end-to-end testing platform that allows businesses to test web apps from an end user’s perspective, identifying glitches before they go live. Founded out of Philadelphia in 2019, the Y Combinator (YC) alum today announced a $1.8 million seed round of funding led by Battery Ventures and Craft Ventures, as it looks to take on incumbents with a slightly different proposition. Similar to others in the space, Reflect hooks into the various elements of a browser so it can capture actions the user is taking, including scrolls, taps, clicks, hovers, field entry, and so on. This can be replicated later as part of an automated test to monitor the new user signup flow for a SaaS app, for example.


Immigration exemption in data protection law faces further legal challenge

Speaking to Computer Weekly about the appeal, Scotland director at ORG Matthew Rice said the exemption, which is the first derogation of its kind in 20 years of UK data protection law, has been justified by the UK government on the grounds it needs to “stop people from learning that they’re about to be removed from the country” and consequently absconding. “There was no evidence to suggest that under previous data protection law…people were making subject access requests [SARs], getting back that they were due to get a visit from the immigration services, and then running away,” he said. “The other thing to bear in mind is that the exemption is blunt because immigration control isn’t defined in the act or in any part of UK law, and it’s not just about the Home Office or borders. Any data controller can apply this exemption – it’s available to your doctor, your landlord, your school, your local authority, any number of persons that might hold personal data about you.” ... The non-disclosure of personal data under the immigration exemption therefore not only interferes with the individual’s access rights, but a host of other digital rights granted by the GDPR as well, including the rights to rectification, erasure and restriction of processing.


How security pros can prepare for a tsunami of new financial industry regs in 2021

Biometrics can add an extra layer of security when unlocking a smartphone using a person’s face or fingerprint. But other technologies have raised privacy concerns among consumers, such as law enforcement leveraging facial recognition to identify wanted criminals via security cameras in a public space. This has led to outright bans of facial recognition technology in several cities, including Boston, San Francisco, Oakland, Portland, Oregon and Portland, Maine, to name a few. As these technologies become mainstream, we’ll need regulations to retain (or in some cases, regain) the trust of consumers and policymakers. As a step forward, we see international organizations push for global standards around the use of biometrics, for example, the FIDO Alliance and the Financial Action Task Force (FATF), which recently issued guidance on how to apply a risk-based approach to using digital identity systems for customer identification and verification. However, the U.S. lags behind other regions, which have been more progressive in their adoption of regulations, such as the General Data Protection Regulation (GDPR) in Europe. In lieu of federal standards, states such as California have implemented their own regulations, such as the California Consumer Protection Act (CCPA) and its upgrade, the California Privacy Rights Act (CPRA). 



Quote for the day:

"The first step of any project is to grossly underestimate its complexity and difficulty." -- Nicoll Hunt

Daily Tech Digest - January 22, 2021

Why it's vital that AI is able to explain the decisions it makes

The effort to open up the black box is called explainable AI. My research group at the AI Institute at the University of South Carolina is interested in developing explainable AI. To accomplish this, we work heavily with the Rubik’s Cube. The Rubik’s Cube is basically a pathfinding problem: Find a path from point A – a scrambled Rubik’s Cube – to point B – a solved Rubik’s Cube. Other pathfinding problems include navigation, theorem proving and chemical synthesis. My lab has set up a website where anyone can see how our AI algorithm solves the Rubik’s Cube; however, a person would be hard-pressed to learn how to solve the cube from this website. This is because the computer cannot tell you the logic behind its solutions. Solutions to the Rubik’s Cube can be broken down into a few generalized steps – the first step, for example, could be to form a cross while the second step could be to put the corner pieces in place. While the Rubik’s Cube itself has over 10 to the 19th power possible combinations, a generalized step-by-step guide is very easy to remember and is applicable in many different scenarios. Approaching a problem by breaking it down into steps is often the default manner in which people explain things to one another.


Why KubeEdge is my favorite open source project of 2020

The KubeEdge architecture allows autonomy on an edge computing layer, which solves network latency and velocity problems. This enables you to manage and orchestrate containers in a core data center as well as manage millions of mobile devices through an autonomous edge computing layer. This is possible because of how KubeEdge uses a combination of the message bus (in the Cloud and Edge components) and the Edge component's data store to allow the edge node to be independent. Through caching, data is synchronized with the local datastore every time a handshake happens. Similar principles are applied to edge devices that require persistency. KubeEdge handles machine-to-machine (M2M) communication differently from other edge platform solutions. KubeEdge uses Eclipse Mosquitto, a popular open source MQTT broker from the Eclipse Foundation. Mosquitto enables WebSocket communication between the edge and the master nodes. Most importantly, Mosquitto allows developers to author custom logic and enable resource-constrained device communication at the edge.


DevOps, DevApps and the Death of Infrastructure

The godfather of the DevOps movement, Patrick Debois, often speaks about how we are moving to a more service-oriented or serviceful intranet. I have been calling this riff on DevOps deployment methodology, DevApps. This is an emerging design pattern where cloud native applications are a combination of bespoke services (like Twilio, Salesforce, and many others) alongside custom software deployed as functions on scale-to-zero web services like Amazon Lambda. Services are being managed with Terraform, just as the services of the past had been managed by Chef or Puppet. Once organizations tackle the well-accepted practice to automate deployment, the next frontier is to create applications that are composable via automated means. What we’re talking about here is layering integration-as-code on top of infrastructure-as-code. With a wide variety of cloud services at their disposal, application developers need not worry about the latter — just the former. At TriggerMesh, we are seeing more and more organizations looking to create applications that are configured with automated workflows on the fly.


5 Qualities Of Highly Engaged Teams

Trust is not just the cornerstone of leadership. It is also a fundamental building block in high-performance teams. When teams trust each other, it gives them more confidence in their abilities. They know they will get support when needed. Also, they will be willing to provide support to teams in need. This collaboration and cooperation help the sharing of best practices, which brings the level of the whole team, or teams higher. Trust is one of those reflexive qualities; the more the leader shows trust, the more they will be trusted. The more we trust our teams, the more they will trust themselves and each other. Leaders need to be the role model when it comes to this but also need to go that extra step to providing support and also to ask for it. Leaders who can show this vulnerability make it ok for their teams to ask for help when needed, as well as give it. Teams that consistently deliver are teams that feel empowered, teams that understand what needs to be done and have the tools to achieve it. This empowerment boost self-confidence and belief that the teams will reach their goals. Being engaged is great, but if you’re empowered, this can lead to frustration and disengagement.


Four key real world intelligent automation trends for 2021

In 2021, there will be an overdue re-think of how organisations choose RPA and intelligent automation technologies. We’ll see greater selection rigour fuelling more informed assessments of these technologies’ abilities to successfully operate and scale in large, demanding, front-to back-office enterprise environments, where performance, security, flexibility, resilience, usability, and governance are required. ... For a RPA or intelligent automation programme to really deliver, a strategy and purpose is needed. This could be improving data quality, operational efficiency, process quality and employee empowerment, or enhancing stakeholder experiences by providing quicker, more accurate responses. By examining the experiences and proven outcomes experienced by those organisations with mature automation programs, we’ll see more meaningful methods of measuring the impact of RPA and intelligent automation. ... This year, there will also be a greater understanding of which vendor software robots really possess the ability to be ‘the’ catalyst for digital transformation. These robots are typically pre-built, smart, highly productive and self-organising processing resources, that perform joined up, data-driven work across multiple operating environments of complex, disjointed, difficult to modify legacy systems and manual workflows.


Why North Korea Excels in Cybercrime

The cybercrime market's size and the scarcity of effective protection continue to be a mouth-watering lure for North Korean cyber groups. The country's cyber operations carry little risk, don't cost much, and can produce lucrative results. Nam Jae-joon, the former director of South Korea's National Intelligence Service, reports that Kim Jong Un himself said that cyber capabilities are just as important as nuclear power and that "cyber warfare, along with nuclear weapons and missiles, is an 'all-purpose sword' that guarantees our [North Korea's] military's capability to strike relentlessly." Other reports note that in May 2020, the North Koreans recruited at least 100 top-notch science and technology university graduates into its military forces to oversee tactical planning systems. Mirim College, dubbed the University of Automation, churns out approximately 100 hackers annually. Defectors have testified that its students learn to dismantle Microsoft Windows operating systems, build malicious computer viruses, and write code in a variety of programming languages. The focus on Windows may explain the infamous North Korean-led 2017 WannaCry ransomware cyberattack, which wrought havoc in more than 300,000 computers across 150 countries by exploiting vulnerabilities in the popular operating system.


To see the future more clearly, find your blind spots

There are multiple causes for the blind spots. One is a persistent state of denial, described in four parts by an emergency management professional after Hurricane Katrina: “One is, it won’t happen. Two is, if it does happen, it won’t happen to me. Three: If it does happen to me, it won’t be that bad. And four: If it happens to me and it’s bad, there’s nothing I can do to stop it anyway.” To this, I’m sure we can now add a fifth rationalization: “It won’t happen again.” Denial, however, has never been a successful strategy. An additional cause of blind spots is an overreliance on available data. Executives have benefited greatly from increased insights derived through analytics and other sophisticated methods of pattern recognition. The limitation of these tools, however, is that they can’t detect the “dog that didn’t bark,” a reference to a Sherlock Holmes case in which the crucial clue is not what happened but what did not. Leading is, in part, about bringing an organization into the future, and so executives should sharpen their thinking to include not only what they can see clearly but also what they can’t. A third cause is conditions that can tightly bind thinking.


Being Future Ready Is The Only Way To Survive In Data Science Field

There are three key skills for any data scientist– a stronghold on mathematics and statistics. Secondly, you need a programming language base for different tasks such as data processing, storage, etc. Lastly, domain knowledge. When you are working in a company, you must think about what value you are adding. Having acquired these skills next comes constant upgradation and upskilling. There is a sea of resources available online. For example, Coursera and EDx are good sources for theoretical introductions to a variety of topics. For a more practical approach, aspirants may check Datacamp and Udemy. I would also suggest using Kaggle, participating in hackathons, and undertaking internships to gain an edge. It is also important to think from the perspective of being ready for future challenges, given this field’s dynamic nature. It does get difficult to catch up with every new model or concept. I find it difficult too. What I tend to do is I try to look at the bigger picture, and once a tech starts picking pace, I spend time understanding it. The secret lies in following a broad macro trend, not just in DS but in complete tech space.


How to implement a DevOps toolchain

A good DevOps toolchain is a progression of different DevOps tools used to address a specific business challenge. Connected in a chain, they guarantee a profitable cycle between the front-end and back-end developers, quality analyzers, and customers. The goal is to automate development and deployment processes to ensure the rapid, reliable, and budget-friendly delivery of innovative solutions. We found out that building a successful DevOps toolchain is not a simple undertaking. It takes experimentation and nonstop refinement to guarantee that essential processes are fully automated. A DevOps toolchain automates all of the technical elements in your workflow. It also gets different teams on the same page so that you can focus on a business strategy to drive your organization into the future. We have come to identify five all the more valid benefits in support of the DevOps toolchain implementation. ... A fully enabled and properly implemented DevOps toolchain propels your innovation initiatives from start to end and ensures prompt deployment. Your toolchain will look different than this, depending on your requirements, but I hope seeing our workflow gives you a sense of how to approach automation as a solution.


3 Essential Steps to Exploit the Full Power of AI

A key to generating a good ROI is in executing data, automation, analytics and AI initiatives. Close to 23% of respondents have already set up or are in the process of setting up an AI Center of Excellence that shares and coordinates resources across different areas of the company. This number has risen from 18% just a year back. Also, nearly 19% of companies have a company-wide AI leader who oversees AI strategy and governance. The reason why such an integrated delivery model makes sense is the convergence of the cloud infrastructure that provides the storage and compute, the data that is the raw material for the analysis, the automation that operates on the technology infrastructure, the analytics that operates on the data to generate better insights, and the AI that enhances both the automation and the analytics resulted in decreased costs and better revenues. In large (greater than $1 billion revenues) companies the existing data and analytics group have expanded their remit to include AI. Companies that currently have separate centers of excellence (COE) for analytics and/or automation and/or AI must integrate, or the very least, coordinate their initiatives. Doing so would provide more seamless integration and yield better ROI. Companies that are just starting their journey in analytics and AI can start with an analytics or automation COE that expands to include AI capabilities.



Quote for the day:

"Our expectation in ourselves must be higher than our expectation in others." -- Victor Manuel Rivera