7 ways to avoid a cloud misconfiguration attack
We tend to focus a lot on avoiding misconfiguration for individual cloud
resources such as object storage services (e.g., Amazon S3, Azure Blob) and
virtual networks (e.g., AWS VPC, Azure VNet), and it’s absolutely critical to do
so. But it’s also important to recognize that cloud security hinges on identity.
In the cloud, many services connect to each other via API calls, requiring IAM
services for security rather than IP-based network rules, firewalls, etc. For
instance, a connection from an AWS Lambda function to an Amazon S3 bucket is
accomplished using a policy attached to a role that the Lambda function takes
on—its service identity. IAM and similar services are complex and feature rich,
and it’s easy to be overly permissive just to get things to work, which means
that overly permissive (and often dangerous) IAM configurations are the norm.
Cloud IAM is the new network, but because cloud IAM services are created and
managed with configuration, cloud security is still all about configuration—and
avoiding misconfiguration.
A.I. Is Mastering Language. Should We Trust What It Says?
So far, the experiments with large language models have been mostly that:
experiments probing the model for signs of true intelligence, exploring its
creative uses, exposing its biases. But the ultimate commercial potential is
enormous. If the existing trajectory continues, software like GPT-3 could
revolutionize how we search for information in the next few years. Today, if you
have a complicated question about something — how to set up your home theater
system, say, or what the options are for creating a 529 education fund for your
children — you most likely type a few keywords into Google and then scan through
a list of links or suggested videos on YouTube, skimming through everything to
get to the exact information you seek. (Needless to say, you wouldn’t even think
of asking Siri or Alexa to walk you through something this complex.) But if the
GPT-3 true believers are correct, in the near future you’ll just ask an L.L.M.
the question and get the answer fed back to you, cogently and accurately.
Customer service could be utterly transformed: Any company with a product that
currently requires a human tech-support team might be able to train an L.L.M. to
replace them.
NSO Group faces court action after Pegasus spyware used against targets in UK
NSO argued in a response to the legal letters that UK courts have no
jurisdiction over NSO, which is based in Israel, and that legal action is barred
by “state immunity”. The company also argued that there was no proper basis for
showing that NSO acted as a “data controller or a data processor” under UK data
protection law. There is no basis to claim that NSO joined in a “common design”
with Saudi Arabia or the UAE that would make it “jointly liable” with the two
countries, it said. NSO said it provides surveillance software for the
“exclusive use” of state governments and their intelligence services. It claimed
to pride itself on being the only company in this field “operating under an
ethical governance framework that is robust and transparent”. The company said
it had policies in place to ensure its “products would not be used to violate
human rights”. It claimed that the legal letters repeated “misinformation” from
reports and statements by non-governmental organisations, including Citizen Lab,
Amnesty International and Forbidden Stories.
IP addressing could support effective network security, but would it be worth it?
VPNs actually provide pretty good protection against outside intrusion, but they
have one problem—the small sites. MPLS VPNs are expensive and not always
available in remote locations. Those sites often have to use the internet, and
that can mean exposing applications, which means increasing the risk of hacking.
SD-WAN, by adding any site with internet access to the corporate VPN, reduces
that risk. Or rather it reduces that particular risk. But hacking in from the
outside isn’t the only risk. These days, most security problems come from
malware planted on a computer inside the company. There, from a place that’s
already on whatever VPN the company might use, the malware is free to work its
evil will. One thing that can help is private IP addresses. We use private IP
addresses literally every moment of every day, because virtually all home
networking and a lot of branch-office networking are based on them. There are a
series of IPv4 and IPv6 addresses set aside for use within private subnetworks,
like your home. Within the private subnet, these addresses work like any IP
address, but they can’t be routed on the internet.
CIOs increasingly tap contract IT as talent gap filler
CIOs also typically find they can more easily get workers with high-demand
skills on a temporary basis, Mok says. Markow agrees, adding: “You can really
bring in new skill sets and capabilities more quickly in some cases.” But CIOs
must be careful not to misclassify workers as contract when they should be
staff, a legal distinction that could run the company afoul of labor laws, Mok
says. In addition to potentially misclassifying these workers, Mok says CIOs who
use contract and freelance workers too heavily or for extremely long stretches
are often also operating on a more reactionary versus strategic basis, which can
translate to missed opportunities, higher costs, and poor morale. “Using
contract workers can be more cost effective when you have ad-hoc needs that need
to be addressed,” Markow adds. “But that said, it can be more costly if those
projects run far longer than anticipated or roll into other needs or if there
are unintended requirements that come about and those workers need to stay
on.”
Cybersecurity litigation risks: 4 top concerns for CISOs
The risk of litigation is not limited to corporations. CISOs themselves face
being subject to legal action for breach of duty where insufficient steps were
taken to prevent a breach, or the aftermath of the breach was handled badly,
says Simon Fawell, partner at Signature Litigation LLP. Jinivizian agrees: “The
role of the CISO has never been more critical for mid/large enterprises, and
potentially more in the crosshairs and held accountable for security incidents
and data breaches, as illustrated by the ongoing class action against
SolarWinds’ CISO and other executives following the devastating supply chain
attack in 2020,” he states. This is also evidenced by the charges against Uber’s
CSO for allegedly trying to cover up a ransomware payment relating to the 2016
attack that compromised data of millions of users and drivers, Armstrong adds.
If a CISO acts as a company director, then they could face shareholder actions
for breach of duty following data and privacy breaches based on damage to
company value, says Fawell. “Shareholder actions against directors have been on
the rise in the UK and, where a data breach has led to a drop in value for
shareholders, claims against directors are increasingly being considered.
The Cybersecurity Threats Facing Smart Buildings
IoT devices are common appliances that you might even find around your home but
that are connected to the internet. Examples of IoT devices include doorbell
cameras, smart meters, fitness trackers, smart speakers, and connected cars. An
unprotected device is like leaving the backdoor open or a key under the mat.
There were even security doubts raised about whether Joe Biden could bring his
Peloton bike into the White House when he became president. Ensuring that every
single device connected in a smart building has adequate security is a must if
companies want to avoid data breaches. While as much autonomy as possible is
better for smart buildings, there ultimately must be some human input. Often,
the people using the systems are the ones who can leave them the most
vulnerable. Everyone makes mistakes, but when it comes to cybersecurity, one
mistake is all it takes for a network to be breached and data to be mined. Human
error in this instance might be accidentally downloading or clicking a link to
malware, or using an old password and not changing it.
How IT departments enable analytics operations
Modern IT organizations need a mix of infrastructure and data skills because
both enable an insight-driven enterprise. Infrastructure skills are necessary to
achieve an architecture that can support data analytics requirements, including
scalability, data governance and data security. Today, the building, operating
and innovating of the value proposition using AI is getting simpler with the aid
of advanced AI cloud platforms. "This means we will need business, product and
technology teams who bring skills with deep experience in leveraging data and to
offer comprehensive products and capabilities that are aligned to the business
context," said Rizwan Akhtar, executive vice president and CTO of business
technology at real estate services company Realogy Holdings. Fundamentally, IT
needs to have stronger math skills, including linear algebra, statistics,
calculus and maybe inferential geometry -- skills which data scientists tend to
have. However, given the mainstream adoption of AI and machine learning (ML),
there are now tools that make it easier for non-data scientists to do more.
EF Core 7 Finally Divorces Old .NET Framework
In fact, it was only last summer that we reported the dev team was still playing
catch-up to the old version of EF (which stopped at version 6) in the article
"EF Core 6 Dev Team Plays Catch-Up with EF6." However, while it plays catch-up,
the team also introduces new goodies not to be found in the .NET Framework
version. Microsoft guidance says: "EF Core has always supported many scenarios
not covered by the legacy EF6 stack, as well as being generally much higher
performing. However, EF6 has likewise supported scenarios not covered by EF
Core. EF7 will add support for many of these scenarios, allowing more
applications to port from legacy EF6 to EF7. At the same time, we are planning a
comprehensive porting guide for applications moving from legacy EF6 to EF Core."
And in the first preview release of EF Core 7.0 that was announced last week, an
important milestone was reached. "EF7 will not run on .NET Framework," said
Microsoft senior program manager Jeremy Likness in a Feb. 17 blog post.
Dynamic Value Stream Mapping to Help Increase Developer Productivity
In other industries such as manufacturing, supply chain, or distribution we can find a wide adoption of process analysis and lean practices for efficiency gain. Let’s consider Value Stream Mapping, the key practice facilitating process analysis and further improvement. A Value Stream Map depicts every step in the process and categorizes each step in terms of the value it adds and what value is wasted. Despite the fact that the software industry has been adopting lean principles [Lean Software Development Principles (Poppendieck and Poppendieck, 2003) and The Principles of Product Development Flow (Reinertsen, 2009)] the technique of value stream mapping has not gained a lot of traction in the software industry. So what prevents software engineering organizations from adopting value stream mapping as a foundation for software delivery capability optimization? Even though the practice has existed for a long time and is well known among agile and lean coaches, knowledge and adoption among enterprises are falling behind.
Quote for the day:
"Never doubt that a small group of
thoughtful, committed citizens can change the world. Indeed, it is the only
thing that ever has." -- Margaret Mead
