March 17, 2023

6 principles for building engaged security governance

No governance strategy can be built without knowing where the organization is currently and where it is going. Start by understanding the organization's core business practices, its product portfolio, customers, geographical footprint, and ethos and culture -- all from a security perspective. This should help answer key security-related questions, such as who does what, why they do it and for whom. Next gain a better understanding of the organizational structure and current security standards, guidelines, regulations and frameworks. Get a better grasp of how security functions operate. Take a comprehensive review of the security policies in place and how effective they are. Understand the current state of security procedures, projects and activities, tests and exercises as well as the current level of information security controls and future roadmap. Assess the skills and capabilities of security practitioners and their responsibilities, and benchmark it with best practices in the industry to expose the gaps in existing capabilities and activities.

Cyber attribution: Vigilance or distraction?

In some situations, effective attribution can be a valuable source of intelligence for organizations that suffered a cyber breach. Threat actors go to great lengths to cover their tracks, and any evidence and facts gathered through attribution can bring organizations closer to catching the perpetrators. Deploying a good Cyber Threat Intelligence (CTI) program helps organizations understand which current or future threats can impact their business operations. Some organizations don’t treat threat intelligence seriously because they already have their “go-to” to blame, or they simply believe no one will attack a small organization. During the Wannacry attack, we witnessed a prime example of a poor interpretation of threat intelligence, when organizations and ISPs started blocking access to a sinkhole URL discovered by security researcher Marcus Hutchins. Rather than being a malicious website, devices connecting to the URL prevented the malware’s payload from activating, so blocking it resulted in further infections.

A Comprehensive Checklist For IoT Project Success

IoT projects often require a variety of specialized knowledge and skills, from edge/gateway device knowledge, to networking, to cloud platform knowledge, to security and real-time dashboard displays. Building a team with the appropriate expertise to manage this technology and other necessary skills helps ensure that the project is designed, developed and implemented successfully. If you do not have team members on hand with the necessary expertise, consider outsourcing some or all of the work to third-party IoT experts. ... IoT systems often need to handle vast amounts of data and potentially millions of devices at once, and planning for scalability ensures that the system’s architecture can handle the expected load (network coverage, reliability, bandwidth, latency, etc.) at the edge and gateway device and cloud platform level (e.g., end user dashboards, alerts, and more). Best practices here would include designing for modularity and flexibility, using scalable technologies, implementing caching and load balancing, and generally planning for growth.

Principles for Adopting Microservices Successfully

While microservices architecture has many benefits, it also introduces new challenges and potential pitfalls. One common pitfall to avoid is creating too many or too few services. Creating too many services can lead to unnecessary complexity while creating too few services can make it difficult to maintain and scale the application. It is important to strike a balance by breaking the application into small, independent services that are focused on specific business functions. Another common pitfall is not considering the operational overhead of microservices. ... It is important to ensure the team has the necessary skills and resources to manage a microservices architecture, including monitoring, debugging, and deploying services. Finally, it is important to avoid creating overly coupled services. Services that are tightly coupled can create dependencies and make it difficult to make changes to the application. It is important to design services with loose coupling in mind, ensuring that each service is independent and can be modified or replaced without affecting other services.

Why Audit Logs Are Important

Audit logs have a different purpose and intended audience when compared to the system logs written by your application’s code. Whereas those logs are usually designed to help developers debug unexpected technical errors, audit logs are primarily a compliance control for monitoring your system’s operation. They’re helpful to regulatory teams, system administrators and security practitioners who need to check that correct processes are being followed. Audit logs also differ in the way they’re stored and retained. They’re usually stored for much longer periods than application logs, which are unlikely to be kept after an issue is solved. Because audit logs are a historical record, they could be retained indefinitely if you have the storage available. ... The information provided by an audit log entry will vary depending on whether the record relates to authentication or authorization. If it’s an authentication attempt, the request will have occurred in the context of a public session. Authorization logs, written by AuthZ services like Cerbos, will include the identity of the logged-in user.

Quantum Computing Is the Future, and Schools Need to Catch Up

Thankfully, things are starting to change. Universities are exposing students sooner to once-feared quantum mechanics courses. Students are also learning through less-traditional means, like YouTube channels or online courses, and seeking out open-source communities to begin their quantum journeys. And it’s about time, as demand is skyrocketing for quantum-savvy scientists, software developers and even business majors to fill a pipeline of scientific talent. We can’t keep waiting six or more years for every one of those students to receive a Ph.D., which is the norm in the field right now.?Schools are finally responding to this need. Some universities are offering non-Ph.D. programs in quantum computing, for example. In recent years, Wisconsin and the University of California, Los Angeles, have welcomed inaugural classes of quantum information masters’ degree students into intensive year-long programs. U.C.L.A. ended up bringing in a much larger cohort than the university anticipated, demonstrating student demand.?

Read more here ...