Market incentives in the pursuit of resilient software and hardware
For cyber security to continue to evolve as a discipline, we need both
quantitative and qualitative insights to understand those aspects that, when
combined, work most effectively to address threat and risk, along with human
factors and operational dimensions. These solutions then need to be coupled with
a compelling narrative to explain our conclusions and objectives to a range of
audiences. For the quantitative aspects, access to underlying data types and
sources is critical. When we think about software and hardware specifically,
there are many possible points of measurement which can contribute to our
understanding of its intrinsic security and support assurance. ... Improving the
resilience of our software and hardware technology stacks in ways that can scale
globally is a multi-faceted, sociotechnical challenge. Creating the right market
incentives is our priority. Without these in place, we cannot begin to make
progress at the pace or scale we need. Our collective interventions to improve
engineering best practices and more transparent behaviours must be driven by
data, and targeted by research and innovation. All of this requires better
access to skills and cyber education, improved tools, and accessible
infrastructure.
Related Articles
Is creating an in-house LLM right for your organization?
Before delving into the world of foundational models and LLMs, take a step
back and note the problem you are looking to solve. Once you identify this,
it’s important to determine which natural language tasks you need. Examples of
these tasks include summarization, named entity recognition, semantic textual
similarity, and question answering, among others. ... Before using an AI tool
as a service, government agencies need to make sure the service they are using
is safe and trustworthy, which isn’t usually obvious and not captured by just
looking at an example set of output. And while the executive order doesn’t
apply to private sector businesses, these organizations should take this into
consideration if they should adopt similar policies. ... Your organization’s
data is the most important asset to evaluate before training your own LLM.
Those companies that have accumulated high-quality data over time are the
luckiest in today’s LLM age, as data is needed at almost every step of the
process including training, testing, re-training, and beta tests. High-quality
data is the key to success when training an LLM, so it is important to
consider what that truly means.
Privacy Watchdog Cracks Down on Biometric Employee Tracking
In Serco's case, the ICO said Friday that the company had failed to
demonstrate why using facial recognition technology and fingerprint scanning
was "necessary or proportionate" and that by doing so it had violated the U.K.
General Data Protection Regulation. "Biometric data is wholly unique to a
person so the risks of harm in the event of inaccuracies or a security breach
are much greater - you can't reset someone's face or fingerprint like you can
reset a password," said U.K. Information Commissioner John Edwards. "Serco
Leisure did not fully consider the risks before introducing biometric
technology to monitor staff attendance, prioritizing business interests over
its employees' privacy." "There have been a number of warnings that facial
recognition and fingerprints are problematic," said attorney Jonathan
Armstrong, a partner at Cordery Compliance. "Most data protection regulators
don't like technology like this when it is mandatory for employees. If you're
looking at this you'll need a solid data protection impact assessment setting
out why the tech is needed, why there are no better solutions, and what you're
doing to minimize the impact on those affected.
Cloud providers should play by same rules as telcos, EU commissioner tells MWC
“Currently, our regulatory framework is too fragmented. We are not making the
most of our single market of 450 million potential customers. We need a true
digital single market to facilitate the emergence of pan-European operators
with the same scale and business opportunities as their counterparts in other
regions of the world. And we need a true level playing field, because in a
technological space where telecommunications and cloud infrastructures
converge, there is no justification for them not to play by the same rules,”
said the European Commissioner. This means, for Breton, “similar rights and
obligations for all actors and end-users of digital networks. This means,
first and foremost, establishing the ‘country of origin’ principle for
telecoms infrastructure services, as is already the case for the cloud, to
reduce compliance costs and investment requirements for pan-European
operators.” ... Finally, Breton advocated “Europeanizing the allocation of
licenses for the use of spectrum. In the technology race to 6G, we cannot
afford any more delays in the concession process, with huge disparities in the
timing of auctions and infrastructure deployment between Member States...”
Unlocking the Power of Automatic Dependency Management
Dependency automation relies on having a robust and reliable CI/CD system.
Integrating Automatic Dependency Updates into the development workflow is
going to exercise this system much more frequently than updates done by hand,
so this process demands robust testing and continuous integration practices.
Any update, while beneficial, can introduce unexpected behaviors or
compatibility issues. This is where a strong CI pipeline comes into play. By
automatically testing each update in a controlled environment, teams can
quickly identify and address any issues. Practices like automated unit tests,
integration tests and even canary deployments are invaluable. They act as a
safety net, ensuring that updates improve the software without introducing new
problems. Investing in these practices streamlines the update process, but
also reinforces overall software quality and reliability. ... Coupled with a
robust infrastructure that supports these tools, including adequate server
capacity and a reliable network, organizations can create an environment where
automatic dependency updates thrive, contributing to a more resilient and
agile development process.
What Is a Good Management Model in Agile Software Development?
Despite that recognition, an approach referred to by Jurgen Appello as
“Management 2.0,” or “doing the right thing wrong” is still being used. This
management style involves a manager who sticks strictly to the organizational
hierarchy and forgets that human beings usually don’t like top-down control
and mandatory improvements. Within this approach, 1:1 meetings are conducted
with employees for individual goal setting. Although this could be considered
a good idea — to manage people and their interests — the key is the way
managers do it. They should be managing the system around their people instead
of managing the people directly. ... Management 3.0, or “Doing the right
thing,” can be the appropriate solution, in which organizations are considered
to be complex and adaptive systems. Jurgen Appelo describes this style of
management as “taking care of the system instead of manipulating the people.”
Or, in other words, improving the environment so that “it keeps workers
engaged and happy is one of the main responsibilities of management;
otherwise, the organization fails to generate value.”
Hacker group hides malware in images to target Ukrainian organizations
The attacks detected by Morphisec delivered a malware loader known as IDAT or
HijackLoader that has been used in the past to deliver a variety of trojans
and malware programs including Danabot, SystemBC, and RedLine Stealer. In this
case, UAC-0184 used it to deploy a commercial remote access trojan (RAT)
program called Remcos. “Distinguished by its modular architecture, IDAT
employs unique features like code injection and execution modules, setting it
apart from conventional loaders,” the Morphisec researchers said. “It employs
sophisticated techniques such as dynamic loading of Windows API functions,
HTTP connectivity tests, process blocklists, and syscalls to evade detection.
The infection process of IDAT unfolds in multiple stages, each serving
distinct functionalities.” ... To execute the hidden payload, the IDAT loader
employs another technique known as module stomping, where the payload is
injected into a legitimate DLL file — in this case one called PLA.dll
(Performance Logs and Alerts) — to lower the chances that an endpoint security
product will detect it.
“Ruthlessly prioritize what’s critical”: Check Point expert on CISOs and the evolving attack surface
Ford argues that CISOs need to face the fact that they cannot secure
everything and question how they can best spend their finite resources on
attack surface management. This attitude has been reflected in the rise of
strategies such as zero trust and Ford says in 2024 CISOs will continue to
struggle to secure an increasing number of devices and data and contend with a
landscape that is evolving in real time. “I think you have to do two things
really well: the first thing I think you have to do is truly identify what’s
critical and ruthlessly prioritize what’s critical. The second thing is you
have to deploy lasting and intelligent solutions”, Ford argued. “[Businesses]
have to deploy solutions that grow and contract with the business and can grow
and contract as the threat landscape grows and contracts.” Mitchelson offers
some examples of what this sort of deployment might look like in the future,
arguing the most potential lies in using technology to realize this elastic
functionality. “Internally within the structures of the organization, it could
be a matrix type structure whereby you’re actually able to expand and contract
internal resourcing within teams as to what you do”, Mitchelson suggests.
Gartner Identifies the Top Cybersecurity Trends for 2024
Security leaders need to prepare for the swift evolution of GenAI, as large
language model (LLM) applications like ChatGPT and Gemini are only the start
of its disruption. Simultaneously, these leaders are inundated with promises
of productivity increases, skills gap reductions and other new benefits for
cybersecurity. Gartner recommends using GenAI through proactive collaboration
with business stakeholders to support the foundations for the ethical, safe
and secure use of this disruptive technology. “It’s important to recognize
that this is only the beginning of GenAI’s evolution, with many of the demos
we’ve seen in security operations and application security showing real
promise,” said ... Outcome-driven metrics (ODMs) are increasingly being
adopted to enable stakeholders to draw a straight line between cybersecurity
investment and the delivered protection levels it generates. According to
Gartner, ODMs are central to creating a defensible cybersecurity investment
strategy, reflecting agreed protection levels with powerful properties, and in
simple language that is explainable to non-IT executives.
Using AI to reduce false positives in secrets scanners
Secrets scanners were created to find leaks of such secrets before they reach
malicious hands. They work by comparing the source code against predefined
rules (regexes) that cover a wide range of Secret types. Because they are
rule-based, secrets scanners often trade between high false-positive rates on
the one hand and low true-positive rates on the other. The inclination towards
relaxed rules to capture more potential secrets results in frequent false
positives, leading to alert fatigue among those tasked with addressing these
alarms. Some scanners implement additional rule-based filters to decrease
false alerts, like checking if the secret resides in a test file or whether it
looks like a code variable, function call, CSS selection, etc., through
semantic analysis. ... AI can play a role in overcoming this challenge. Large
Language Model (LLM) can be directed at vast amounts of code and fine-tuned
(trained) to understand the nuance of secrets and when they should be
considered false-positive. Given a secret and the context in which it was
introduced, this model would then know whether it should be flagged. Using
this approach will reduce the number of false positives while keeping true
positive rates stable.
Quote for the day:
''Leadership occurs any time you
attempt to influence the thinking, development of beliefs of somebody
else.'' -- Dr. Ken Blanchard
