How automation can solve persistent cybersecurity problems.
:quality(70)/cloudfront-us-east-1.images.arcpublishing.com/archetype/C5ZAKRQUJFBRVMC745AIBMCF3A.jpg)
Think about the normal day for a security analyst. If we’re expecting them to
handle alerts, events that have come up, and new attacks that are happening
right now—that’s a lot of new information to look at and assess. How much time
do they have to read dozens of RSS feeds, research blogs, industry and
government reports, security vendor reports, news websites, and GitHub
repositories? Collecting and making sense of all that data becomes crucial, but
there’s no way individuals can do this on their own quickly enough. Being able
to automate that process so you can get to the information that you are going to
use now or later and filter out the noise is essential. Obviously, automation is
a fundamental capability to reduce the burden of manual review and
prioritization of alerts. But while a recent report on cybersecurity automation
adoption finds that confidence in automation is rising, only 18% of respondents
are applying automation to alert triage. Automation can also help mitigate risk
from vulnerabilities in legacy systems.
The Board’s Role in Advancing Digital Trust
Boards have reported the use of FAIR provides an organized means through which
to identify the value of assets, the design of probable loss scenarios, and
providing a means to allocate capital to get the most bang for the buck. Some
boards have reported FAIR has been useful in demonstrating to objective third
parties, like regulators, that they have been prudent in managing digital risk.
Reputational loss is widely considered the largest impact from a cyber incident.
Unfortunately, reliable statistics are not yet available, but anecdotal evidence
supports the popular belief. ... The ability of the board to appropriately
ensure the company has the proper level of cyber resilience requires an
understanding of an adverse event but also the total cost of controls, ranging
from the mundane to worst-case scenarios. Scenario-based exercises combined with
CRQ techniques, like FAIR, provide an objective means to assess materiality, and
the most appropriate capital allocation. The allocation of too little capital
leaves you exposed, while too much wastes capital that can be better applied
other places. Determining the cost of a control is almost always the easy
part.
Top employee cybersecurity tips for remote work and travel
Trip or no trip, lock your SIM card. SIM-jacking (or SIM-swapping, unauthorized
port-out or “slamming”) is a real and underreported crime where threat actors
pretend to be you, contact your wireless provider and “port over” your SIM card
to your (their) “new phone.” Imagine someone stealing your entire online life,
including your social media accounts. In other words, your phone number is now
theirs. All your password resets now run through the threat actor. Considering
how many work credentials, social media accounts and apps run through your phone
number, the nightmare of this crime quickly becomes evident. If you haven’t
already done so, lock down your SIM card with your wireless provider. ... Use
two-factor authentication (2FA) everywhere and with everything. When choosing
how to receive the authentication code, always opt for token over text as it’s
much more secure. At Black Hat 2022, a Swedish research team demonstrated
exactly how insecure text authentications are. If a hacker has your login
credentials and phone number, text-based authentication simply won’t protect
you.
AI accountability held back by ‘audit-washing’ practices
Published under the GMF think-tank’s Digital Innovation and Democracy
Initiative, the report said that while algorithmic audits can help correct for
the opacity of AI systems, poorly designed or executed audits are at best
meaningless, and at worst can deflect attention from, or even excuse, the harms
they are supposed to mitigate. This is otherwise known as “audit-washing”, and
the report said many of the tech industry’s current auditing practices provide
false assurance because companies are either conducting their own
self-assessments or, when there are outside checks, are still assessed according
to their own goals rather than conformity to third-party standards. “If
well-designed and implemented, audits can abet transparency and explainability,”
said the report. “They can make visible aspects of system construction and
operation that would otherwise be hidden. Audits can also substitute for
transparency and explainability. Instead of relying on those who develop and
deploy algorithmic systems to explain or disclose, auditors investigate the
systems themselves.
7 dos and don’ts for working with offshore agile teams
Many companies create business continuity plans to manage a crisis around key
business operations. But these plans may overlook specifics for small offshore
development teams or not account for intermittent disruptions to internet,
power, or other resources that impact an offshore team’s safety, health, or
productivity. “If you’re working with a global, distributed team, you need to
accept the responsibilities that come with supporting your workforce—whether
they are across the world or seated two desks away,” says Andrew Amann, CEO of
NineTwoThree Venture Studio. “This means having a plan in place for when a
global crisis limits your team members’ ability to work.” Amann offers several
recommendations for developing a practical plan. “Cross-train employees, build
relationships with development agencies, plan for difficulties with offshore
payments, and make sure you stand behind your distributed teams when they need
help,” he says.
Almost half of customers have left a vendor due to poor digital trust: Report
The road to digital trust is not always smooth sailing. The number one IT
challenge cited was managing digital certificates, rated as important by 100%
of enterprises, while regulatory compliance and handling the massive scope of
what they are protecting was deemed important by 99% of respondents. Other
challenges cited in the research included the difficulty of securing a complex
dynamic, multivendor network, and a lack of staff expertise. The report also p
oint sout that many common security practices have yet to be implemented. ...
For companies still looking for ways to improve digital trust, DigiCert
recommends making it a strategic imperative securand recognizing the impact it
has on business outcomes such as customer loyalty and revenue. DigiCert said
it’s also important to remember that digital trust awareness is rising among
users and customers, meaning that your business success and reputation are
directly tied an organization’s ability to ensure digital trust at a high
level.
A far-sighted approach to machine learning
The researchers focused on a problem known as multiagent reinforcement
learning. Reinforcement learning is a form of machine learning in which an AI
agent learns by trial and error. Researchers give the agent a reward for
“good” behaviors that help it achieve a goal. The agent adapts its behavior to
maximize that reward until it eventually becomes an expert at a task. But when
many cooperative or competing agents are simultaneously learning, things
become increasingly complex. As agents consider more future steps of their
fellow agents, and how their own behavior influences others, the problem soon
requires far too much computational power to solve efficiently. This is why
other approaches only focus on the short term. “The AIs really want to think
about the end of the game, but they don’t know when the game will end. They
need to think about how to keep adapting their behavior into infinity so they
can win at some far time in the future. Our paper essentially proposes a new
objective that enables an AI to think about infinity,” says Kim.
Demand for IT pros remains high even as layoffs continue
Even as layoffs continue, unemployment in the tech sector has remained at
near-historic lows, hovering around 2.2%. That compares with the overall US
unemployment rate of 3.7% as of October. So far this year, tech industry
employment has increased by 193,900 jobs, 28% higher than the same period in
2021, according to a jobs report from CompTIA, a nonprofit association for the
IT industry and workforce. “Tech hiring activity remains steady, but there are
undoubtedly concerns of a slowing economy,” CompTIA CEO Tim Herbert said in a
statement. While November’s job data is not expected to be as robust as the
same period a year earlier (when 73,600 jobs were added), the overall
projection is that it will remain at a status quo level, with hiring
continuing at the same rate as in the last two quarters. “All-in-all,
experienced IT Professionals will be in high demand,” Janco said. “Especially
those who exhibit a strong work ethic and are results-oriented. Positions that
will be in low demand will be administrative and non-line supervisors and
managers.”
What I Learned in My First 6 Months as a Director of Data Science
The FAANG companies (Facebook-Apple-Amazon-Netflix-Google) can afford to pay
amazing salaries. But most companies hiring data scientists are not like that.
Don’t get me wrong! Data scientists still can make a very decent living! But
in the world of actual practicing, non-tech data scientists, things are much
more realistic. Unfortunately though, it means I am competing for talent
against the FAANG companies. As such I have had to get very creative in where
I advertise my postings and do my recruiting. Data scientists will always look
for jobs at the FAANG companies, but they don’t always think about non-tech
companies as employing data scientists. So this means I have learned that I
have to be much more proactive in marketing my open roles. LinkedIn is great
and recruiters can be helpful. However, I have also found great success in
recruiting in unusual online forums — places like Discord, Slack, and Twitter.
But make no mistake: recruiting data scientists is a full-contact sport! It is
messy. You have to move quickly.
Five Key Components of an Application Security Program
Once an application architecture and design are defined, security risk
assessments should be performed that identify and categorize the inherent
security risk of the planned application architecture and the application’s
expected functional capabilities. These assessments should be inclusive of
types of data, business processes, third-party systems and platforms, and/or
information infrastructure with which the application will interact and/or to
and from which it will store, process, and transmit data. By gaining insight
into inherent security risk, appropriate security control objectives and
associated security controls can be defined to manage risk appropriately
within the applications. Controls can include, but are not limited to, the use
of web application firewalls (WAFs) and application program interface (API)
security gateways, encryption capabilities, authentication and secrets
management, logging requirements, and other security controls. The
identification of security instrumentation requirements should also be
included in the architecture and design stage of application
development.
Quote for the day:
"Problem-solving leaders have one
thing in common: a faith that there's always a better way." --
Gerald M. Weinberg
