December 28, 2020
Kannan Subbiah
FCA | CISA | CGEIT | CCISO | GRC Consulting | Independent Director | Enterprise & Solution Architecture | Former Sr. VP & CTO of MF Utilities | BU Soft Tech | itTrident
6 habits of successful IT leaders in 2021
“One of the many things we have learned from this crisis is how much improvement many of us need as IT leaders. Getting into the habit of working on developing our emotional intelligence daily will make us better leaders. This is often pointed out in others. However, we need to examine ourselves and find better ways to deal with the many emotions that arise from our current circumstances. IT leaders need to examine their own level of empathy as they manage folks they may no longer be able to walk over to and have a conversation with as you please. As we lead during this time of flexible schedules and distributed workforce, focus on developing more empathy and, honestly, just a bit more grace.” “Be vulnerable and provide an atmosphere that will allow your team to feel supported to still do their best work even in this difficult time. Do not be that leader with a team that looks to get as far away from you following this crisis, or the leader whose team members throw in the towel before this crisis ends just to maintain their sanity.” – Cedric Wells, Director, IT Infrastructure Services, The Gorilla Glue Company ... Meditation is a powerful habit that can unlock this superpower. Many top business leaders like Ray Dalio and bestselling authors like Yuval Harari owe all their success to meditation.
SolarWinds Attack Gives Rise to New Runtime Security Models
A critical observation to make about this attack is that even though the attackers already had a digitally signed backdoor, they still needed to bring additional malicious code into the environment. The backdoor was a pretty big chunk of code and contained several C2 (command and control) functions compiled as part of the legitimate product. And yet, even this unusually big backdoor had no means to spread and perform sophisticated injection and theft scenarios. It required a post-deployment file-less malware (FireEye called it TEARDROP). It is thought that TEARDROP deployed a version of the Cobalt Strike BEACON payload, a penetration testing tool made for red teams that can also be used by attackers. This fact is critical since it is true of almost any attack and of most other backdoor cases. Backdoors look like tiny, innocent coding oversights – basically, like any other vulnerability created as an honest mistake. From this point on, intentional backdoors and incidental vulnerabilities are used in very similar ways. Both are utilized to bring real malicious code – the exploit – into the target environment and perform the actual attack.
2021 will be the year open source projects overcome their diversity problems
In October 2020, the Linux Foundation announced a new Software Developer Diversity and Inclusion project to draw on science and research to deliver resources and best practices that increase diversity and inclusion in software engineering. Following the age-old tenet that “you cannot manage what you don’t measure”, the Hyperledger Diversity, Civility, and Inclusion (DCI) Working Group is focused on “measuring and improving the health of our open source community.” In the OpenJS community, the Node+JS diversity scholarship program provides support to those from traditionally underrepresented or marginalized groups in the technology or open source communities who may not otherwise have the opportunity to attend the event for financial reasons. At KubeCon + CloudNativeCon this year, the Cloud Native Computing Foundation announced the Inclusive Naming Initiative to help remove harmful, racist, and unclear language in software development. At IBM, we had a similar program underway, and we have joined the CNCF initiative to further the cause. ... The AI Inclusive initiative seeks to increase the representation and participation of gender minority groups in AI. It offers events, tutorials, workshops, and discussions to guide community members in their AI careers.
Homomorphic Encryption: The 'Golden Age' of Cryptography
The origins of homomorphic encryption date back to 1978. That's when a trio of researchers at MIT developed a framework that could compute a single mathematical operation (usually addition or multiplication) under the cover of encryption. The concept gained life in 2009, when Craig Gentry, now a research fellow at the blockchain-focused Algorand Foundation, developed the first fully homomorphic encryption scheme for his doctoral dissertation at Stanford University. Gentry's initial proof was simply a starting point. Over the past decade, security concerns related to cloud computing, the Internet of Things (IoT), and the growing demand for shared and third-party data have all pushed the concept forward. Along the way, more powerful homomorphic algorithms have emerged. Today, the likes of IBM and Microsoft have entered the space, along with the US Defense Advanced Research Projects Agency (DARPA) and an array of startups. "There is a tremendous benefit to being able to perform computations directly on encrypted data," says Josh Benaloh, senior cryptographer at Microsoft Research. "This allows computations to be outsourced without risk of exposing the data."
How to securely hash and store passwords in your next application
A "salt" is a random piece of data that is added to the data you want to hash before you actually hash it. Adding a salt to your data before hashing it makes the output of the hash function different from what it would be if you had hashed the data alone. When a user sets their password (often on signing up), a random salt should be generated and used to compute the password hash. The salt should then be stored with the password hash. When the user tries to log in, combine the salt with the supplied password, hash the combination of the two, and compare it to the hash in the database. Without going into too much detail, hackers commonly use rainbow table attacks, dictionary attacks, and brute-force attacks to try to crack password hashes. While hackers can't compute the original password given only a hash, they can take a long list of possible passwords and compute hashes for them to try to match them with the passwords in the database. This is effectively how these types of attacks work, although each of the above works somewhat differently. A salt makes it much more difficult for hackers to perform these types of attacks. Depending on the hash function, salted hashes take nearly exponentially more time to crack than unsalted ones.
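The store-and-verify flow described above, as an added example that is not code from the article: it uses PBKDF2-HMAC-SHA256 from Python's standard library, a per-user salt from os.urandom, a self-describing storage record so the parameters can be raised later, and a constant-time comparison on verification. The record format, iteration count and salt length are choices made here, not values from the article; unsalted_sha256 is included only to show the property the article warns about, namely that without a salt every user with the same password has the same stored hash.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (not from the article); raise ITERATIONS as hardware gets faster.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a record of the form pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>.

    A fresh random salt is generated at sign-up; supplying one explicitly exists only for tests.
    Storing the salt and iteration count next to the hash is what lets verification recompute it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Combine the stored salt with the supplied password, hash, and compare in constant time."""
    try:
        algo, iter_str, salt_hex, hash_hex = stored.split("$")
        iterations = int(iter_str)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: never fall through to a bare comparison
    if algo != f"pbkdf2_{HASH_NAME}" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password: str) -> str:
    """What NOT to do: identical passwords produce identical hashes, so one precomputed table cracks them all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_records_differ(password: str) -> bool:
    """Two users who pick the same password get different records because each gets its own salt."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample credential; the record is what would be written to the database.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

Because the stored record names the algorithm and iteration count, an application can rehash a user's password with stronger parameters on their next successful login without a migration of the whole table.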
SaaS security in 2021
It’s clear to IT leaders that unvetted SaaS solutions (shadow IT) pose a variety of risks, including exposure of sensitive information, data ownership issues and regulatory compliance problems. The question is who is best suited to mitigate those risks, and in 2021, more companies will find that it takes a multidisciplinary strategy. A proactive governance approach requires a defined process involving a multidisciplinary team that ensures visibility and directly addresses risks to keep exposure within acceptable levels. Companies have to classify data in terms of integrity, confidentiality and availability to find the ideal balance between security and costs and determine acceptable risk levels. Cloud providers share responsibility to keep data secure along with the company, so it’s important to define exactly who is responsible for what. Companies typically manage user access, endpoint devices and data while SaaS vendors oversee apps, virtual machines, databases, etc. To fulfill their governance objectives, IT leaders will look for SaaS providers that offer multiple configuration options, including password settings/identity federations and authorization models, as well as availability plans to meet goals related to recovery time and recovery points.