Thoughts on Cloud Security
With good security professionals in high demand, companies are better off
investing in their security professionals that show an interest in “cloud”; in
order to take their security organization to the next level. Solid training and
support, will enable them to better collaborate with development teams and
significantly raise the “security” bar of their cloud environment. There are
plenty of free resources available today, such as cloud security standards and
open source solutions, that can be leveraged. The Center for Internet Security
(CIS) controls and/or AWS’ Well-Architected Framework are great resources to
help get started. As a reformed cloud security professional, I can say that
embracing the cloud takes a shift in mindset. In general, security teams need to
stop saying “no” and getting in the way of innovation. Instead, they need to be
able to provide development teams the access they need — when they need it, and
put guardrails in place to ensure security. To be successful, it is key to do
this in a way that it does not have a significant impact in the development
experience.
85% of Data Breaches Involve Human Interaction: Verizon DBIR
"Credentials are the skeleton key," Bassett says. Most know stolen credentials
are a problem, but what they may not think about is how they spread across
attack patterns and enable the start of many different types of data breaches,
from phishing campaigns, to stealing the contents of a target mailbox, to a
ransomware campaign in which an attacker encrypts then steals data. The trend
toward simplicity is evident in the continued increase of business email
compromise (BEC), which followed phishing as the second most common form of
social engineering, reflecting a 15x spike in "misrepresentation," a type of
integrity breach. BEC doubled last year and again this year. Of the 58% of BEC
attacks that successfully stole money, the median loss was $30,000, with 95% of
BECs costing between $250 and $984,855, researchers learned. Of the breaches
analyzed, 85% had a human element. This is a broad term that encompasses any
attack that involves a social action: phishing, BEC, lost or stolen credentials,
using insecure credentials, human error, misuse, and even malware that has to be
clicked then downloaded.
Hybrid working: creating a sustainable model
The evolution of thinking around the workplace we’ve seen in such a short
space of time is quite something. Over the course of the last year, business
mindsets have shifted from complete allegiance to the physical office, to
fully embracing remote working to survive, to a realisation that a hybrid
working model may well be the best way for businesses to thrive. Now, as we
begin to move out of the pandemic, IT and business leaders should be
considering what their workplace strategy looks like in the long term. What
can we learn from the last 12 months? What are the tools, technologies and
processes we should keep in place? How do we facilitate a reimagined office
space? How do we empower employees to be productive and happy wherever they
are? There’s no doubt that hybrid working opens up huge opportunity for
businesses, from creating a flexible working environment that appeals to a
broad range of talent to enabling more efficient ways of working and a
healthier work-life balance. But how do we create a hybrid model that is
sustainable in the long term?
The Global Artificial Intelligence Race and Strategic Balance
Countries are under pressure to protect their citizens and even political
stability in the face of possible malicious/biased uses of AI and Big Data.
Because 5G networks are the future backbone of our increasingly digitised
economies and societies, ensuring its security and resilience is essential.
Even at current capability levels, AI can be used in the cyber domain to
augment attacks on cyberinfrastructure. There is no such thing as perfect
security, only varying levels of insecurity. These ‘smart’ technologies rely
on bidirectional wireless links to communicate with devices and global
services, which gives a larger ‘attack surface’ that cyber threats target.
Thus, 5G networks may lead to politically divided and potentially
noninteroperable technology spheres of influence, where one sphere would be
led by the US and another by China, with some others in between (for example
the EU, South Korea and Japan).All of these concerns are most significant in
the context of authoritarian states but may also undermine the ability of
democracies to sustain truthful public debates. For example, ‘deepfake’
algorithms can create fake images and videos that cannot easily be
distinguished from authentic ones by humans. It is threatening to global
security if deepfake methods are employed to promulgate misinformation.
5 developer tools for detecting and fixing security vulnerabilities
Dependabot - now a native Github solution - has a simple straightforward
workflow: automatically open Pull Requests for new dependency versions, and
alert on vulnerable dependencies. Dependabot will also clearly differentiate
between security-related PR and normal dependency upgrades by tagging
[Security] in the title and label, along with including a changelog of the
vulnerabilities fixed. ... Similar to Dependabot, Renovate is a GitHub or CLI
app that monitors your dependencies and opens Pull Requests when new ones are
available. While it supports fewer languages than Dependabot, the main
advantage of Renovate is that it's extremely configurable. Ever wished you
could write "schedule": "on the first day of the week" in your configs!? Well,
Renovate allows you to do that! It also provides fine-grained control of
auto-merging dependencies based on rules set in the config. ... Synk is a new
one for me, but I really like that it's a product built with developers in
mind, regardless of their previous experience with security. While Snyk is a
paid product for business+, their free tier covers open-source, personal
projects, and small teams, making it a great resource for personal projects
and learning, even if you don't have the opportunity to use it on the job!
Adding Security to Testing to Enable Continuous Security Testing
Security testing is a variant of software testing which ensures that the
system and applications in an organization are free from any loopholes that
may cause a big loss, Thalayasingam said. Security testing of any system is
about finding all possible loopholes and weaknesses of the system which might
result in a loss of information at the hands of the employees or outsiders of
the organization. To kick off security testing, security experts should train
quality engineers about security and how to do manual security testing. Next,
quality engineers can work with security experts to narrow down the tests for
security testing and add value to existing test cases. This will lead to
executing the security tests in sprint level activities, automating them, and
making them part of continuous integration. Quality engineers should add the
security checks to their test process for each story, Thalayasingam suggested.
This would help to find the obvious security vulnerabilities and a very early
stay. The right guidance and training will help quality engineers to gain the
security testing mindset.
Building AI Leadership Brain Trust Is A Business Imperative: Are You Ready?
There are sufficient markers painting this stark prediction if one chooses to
dig deeper. Did you know that over half of technology executives in the 2019
Gartner CIO Survey say they intend to employ AI before the end of 2020, up
from 14% today? Board directors and CEO have to accelerate their investments
in AI, and ensure they are managing the journey wisely with the right AI
leadership skills in place and Machine Learning toolkits required to advance
AI with sustainability enablements to modernize your business.. In a recent
report by NewVantage Partners, 75% of companies cited fear of disruption from
data-driven digital competitors as the top reason they’re investing. There are
many questions that board directors and CEOs must ask in the face of any large
investment consideration, and AI is not inexpensive. On average an AI project
can range from as low as $30K to $1 million plus for a MVP, depending on the
complexity of the data set, use case being solved to build a baseline AI model
to predict an accurate outcome.
Maximizing a hybrid cloud approach with colocation
Companies are increasingly deploying a hybrid cloud approach to balance the
benefits and challenges presented by both the public and private cloud. With
the hybrid cloud, both types of cloud environments are integrated, allowing
data to move seamlessly between platforms. This hybrid architecture can be
designed as a bifurcated system in which the private cloud hosts a company’s
sensitive data and mission critical components, and the public cloud hosts the
rest. With this type of architecture, the data and applications live
permanently in their assigned cloud environment, but the two systems are able
to communicate seamlessly. Another option – the cloud bursting model – houses
all of a company’s information in the private cloud, but when spikes in demand
occur the public cloud provides supplementary capacity. Both hybrid approaches
give companies greater control over and access to their IT environments and
the ability to implement more stringent security protocols on the private
cloud portion of their deployment. In addition, a hybrid approach gives
organizations flexibility to build a solution that meets their current needs,
but that can also evolve as their needs change.
Fake Android, iOS apps promise lucrative investments while stealing your money
The operators have created dedicated websites linked to each individual app,
tailored to appear as the impersonated organizations in an effort to improve
the apparent legitimacy of the software -- and the likelihood of a scam being
successful. Sophos' investigation into the apps began with a report of a
single malicious app masquerading as a trading company based in Asia,
Goldenway Group. The victim, in this case, was targeted through social media
and a dating website and lured to download the fake app. Rather than relying
on mass spam emails or phishing, attackers may now also take a more personal
approach and try to forge a relationship with their victim, such as by
pretending to be a friend or a potential love match. Once trust is
established, they will then offer some form of time-sensitive financial
opportunity and may also promise guaranteed returns and excellent profits.
However, once a victim downloads a malicious app or visits a fake website and
provides their details, they are lured into opening an account or
cryptocurrency wallet and transferring funds.
When AI Becomes the Hacker
The core question Schneier asks is this: What if artificial intelligence
systems could hack social, economic, and political systems at the computer
scale, speed, and range such that humans couldn't detect it in time and
suffered the consequences? It's where AIs evolve into "the creative process of
finding hacks." "They're already doing that in software, finding
vulnerabilities in computer code. They're not that good at it, but eventually
they will get better [while] humans stay the same" in their vulnerability
discovery capabilities, he says. In less than a decade from now, Schneier
predicts, AIs will be able to "beat" humans in capture-the-flag hacking
contests, pointing to the DEFCON contest in 2016 when an AI-only team called
Mayhem came in dead last against all-human teams. That's because AI technology
will evolve and surpass human capability. Schneier says it's not so much AIs
"breaking into" systems, but AIs creating their own solutions. "AI comes up
with a hack and a vulnerability, and then humans look at it and say, 'That's
good,'" and use it as a way to make money, like with hedge funds in the
financial sector, he says.
Quote for the day:
"Effective team leaders realize they
neither know all the answers, nor can they succeed without the other members
of the team." -- Katzenbach & Smith
