PFH Office of the CTO Newsletter - Issue 5 - January 2025

Welcome to the January issue of PFH's From the Office of the CTO Newsletter. Happy 2025! It's going to be an interesting year from a technology standpoint, and also from many others.?

In this month's issue, we highlight a new vulnerability in Windows LDAP implementations that you’ll want to make sure gets patched, plus the CES 2025 Nvidia keynote – a supercomputer under your desk. Stephen O'Herlihy reflects on a customer workshop he attended the week before the Christmas break. Timing that he initially thought was a mistake. Additionally, PFH Security Division Lead Ian O'Callaghan has been reading Gartner's Identity and Access Management Primer for 2024, which was published last August. Ian outlines what IAM entails, the benefits it delivers, and what view Gartner articulates in their primer.

Patch this - LDAPNightmare PoC Exploit

A proof-of-concept exploit named "LDAPNightmare" has been released, targeting a now-patched vulnerability in Windows Lightweight Directory Access Protocol (LDAP). This flaw, identified as CVE-2024-49113 with a CVSS score of 7.5, was addressed by Microsoft in December 2024. The vulnerability allows for a denial-of-service (DoS) attack by crashing the Local Security Authority Subsystem Service (LSASS), leading to a forced reboot of Windows Domain Controllers.

The exploit operates by sending a DCE/RPC request to the target server, which then processes a specially crafted Connectionless LDAP (CLDAP) referral response. This sequence overloads LSASS, causing it to crash. More concerning is that, with modifications, attackers can adapt this exploit chain to achieve remote code execution (RCE), as demonstrated in a proof of concept by SafeBreach Labs. ?

The vulnerabilities were discovered by an independent security researcher. Microsoft's advisory notes that exploitation could involve sending RPC requests from untrusted networks to execute arbitrary code within the LDAP service context. Organisations should apply the December 2024 Microsoft security patches to address this risk.

If immediate patching isn't feasible, security teams should monitor for suspicious CLDAP referral responses, DsrGetDcNameEx2 calls, and DNS SRV queries to detect potential exploitation attempts. Read more via this HackerNews article - https://thehackernews.com/2025/01/ldapnightmare-poc-exploit-crashes-lsass.html.

Lots of other vulnerabilities were also patched in the December 2024 updates. Including one with a CVSS score of 9.8 (very high risk!) See more at?https://thehackernews.com/2024/12/microsoft-fixes-72-flaws-including.html.

Nvidia CES 2025: The Future is Here, and It Fits on Your Desk

By Stephen O'Herlihy - Chief Technology Officer at PFH Technology Group.

Did Nvidia's CES 2025 announcements underwhelm analysts? Their stock price after their event says yes! They showcased a range of incremental updates, and their next-gen RTX 50-series GPUs and Blackwell architecture grabbed the headlines. However, it was their new Project Digits desktop supercomputer that blew me away!

This compact, desk-sized AI supercomputer redefines what's possible in high-performance computing. Let me put it into perspective: Project Digits delivers one petaflop (that's 1,000 teraflops!) of compute power in a machine you can use at your desk. Five years ago, in the ancient times of 2020, achieving this level of performance required systems like the Summit Supercomputer. Summit was a giant in its day, but the hardware it required was mind-boggling:

• 4,608 nodes!
• Each node equipped with 2 IBM POWER9 CPUs and 6 Nvidia Volta V100 GPUs
• Extensive interconnects, power-hungry cooling infrastructure, and a warehouse-sized footprint

And now? Nvidia has squeezed all that power into a single unit costing just $3,000. Yes, you read that right: a college student could soon have their own supercomputer. This level of personal computing power is remarkable! It's no longer just researchers at national labs who can access petaflop performance; it's now available to developers, startups, and curious individuals on modest budgets.

This democratisation of AI-grade supercomputing has profound implications. Imagine:

·?AI Everywhere - From training massive AI models to real-time data analysis, Project Digits brings capabilities once reserved for elite organisations into the hands of everyday developers.

·?Acceleration of AI Innovation - By making cutting-edge hardware accessible, Nvidia is removing a significant barrier to entry for those working on transformative technologies.

?

A Game Changer for AI Development

Project Digits isn't just another AI product; it's a game changer. With this level of power, we'll see AI development accelerate at an even faster pace. AI researchers will no longer need to rely solely on shared HPC resources. Individual experimentation, small-scale development, and rapid iteration will become the norm, turbocharging innovation across industries.

?

A Word on Quantum Computing

Interestingly, during the keynote, Nvidia's CEO Jensen Huang made a pointed statement about quantum computing. He suggested that it is still years away from delivering on the promise of quantum supremacy and that, for the foreseeable future, advancements in classical computing, such as Project Digits, will continue to lead the charge when solving real-world problems.

?This perspective is intriguing. While quantum computing holds immense theoretical potential, its practicality and accessibility remain out of reach. In contrast, Nvidia's tangible innovations are here now.

Final Thoughts

While the rest of Nvidia's CES announcements, like the RTX 50-series GPUs and DLSS 4, were incremental steps forward, Project Digits stole the show for me. The leap in compute density, accessibility, and affordability is revolutionary. As AI becomes integral to how we live and work, tools like Project Digits will redefine what's possible, empowering individuals and organisations. The future of computing is here, and it's smaller, faster, and more powerful than we ever imagined.

Seriously, a Customer Accelerator Workshop the week before Christmas?

By Stephen O'Herlihy - Chief Technology Officer at PFH Technology Group.

As each year winds down, it's easy to fall into the trap of thinking that December is when business slows to a halt. Just a week before Christmas, on December 18th, I admit I was sceptical about the value of attending a Dell customer “Accelerator“ workshop as I wondered if customers would even be interested. Would their minds already be on the holidays? I couldn't have been more wrong.

From the moment the customer's operations team gathered in the room, it was clear this wasn't going to be a typical meeting. The session was vibrant, filled with lively discussions, and surprisingly productive. The team took the opportunity to step back from their daily pressures, opened up about challenges, listed priorities, and even discussed some heated topics. It was a rare chance for them to get headspace, align on critical issues, and plan their roadmap for 2025.

A Fresh Perspective on Business Challenges

The workshop's agenda covered much more than typical infrastructure and technical insights. It focused on a much broader perspectives, such as people and process challenges, workload concerns, program and project priorities, and risk mitigation. The broad approach enabled the team to uncover deeper issues and develop actionable strategies.

One of the most valuable outcomes was a clear and aligned direction for 2025. The workshop's collaborative format helped the team cut through the noise, discuss priorities objectively, and create a detailed roadmap for success. For me, seeing the impact this session had on the customer reaffirmed the value of taking time out for strategic planning, even at the busiest times of the year.

Exploring New Technologies and Compliance Challenges

The workshop also provided a platform to explore emerging technologies like artificial intelligence (AI) and how they fit into the organisation's strategy. Dell's experts facilitated discussions on AI's opportunities and limitations, helping the team assess where the technology can deliver value and where it might not.

In addition to technology, the session touched on critical compliance topics, such as the implications of NIS2 (the updated EU Network and Information Security Directive). These discussions highlighted the interconnectedness of systems, people, and processes, emphasising the importance of a comprehensive approach to innovation and compliance.

What the Accelerator Workshop Offers

Dell designs their Accelerator Workshops to ignite innovation, maximise agility, and reduce complexity. Led by Dell Technologies Services experts, the workshops help organisations discuss and evaluate technologies such as:

·?AI - Prioritise GenAI use cases, understand data readiness, and evaluate multi-cloud options for AI.

·?Multicloud - Build successful IT service models, adopt cloud ecosystems, and embrace infrastructure as code.

·?Apps & Data - Modernise applications, simplify data governance, and enable unified analytics for better insights.

·?Modern Workforce - Improve collaboration, personalise device management, and enhance security with Zero Trust principles.

·?Security & Resiliency - Strengthen disaster recovery, align data protection strategies with future needs, and proactively address cybersecurity threats.

The sessions are collaborative and results-oriented, focusing on harmonising business and IT strategies. The approach ensures that organisations leave with tangible next steps tailored to their unique challenges and goals.

A Final Reflection

Looking back, my initial scepticism about the timing of the workshop seems laughable. The customer's entire operations team left the session with a renewed sense of direction and a practical plan for the year ahead. For me, it was a powerful reminder that even in the busiest seasons, taking time to focus, align, and plan can deliver extraordinary results.

If you're considering an Accelerator Workshop for your organisation, I can't recommend it highly enough. It's not just about technology. It's also about unlocking the full potential of your people and processes, and then devising strategies to achieve meaningful transformation.

Identity and Access Management: A Foundation of Modern Cybersecurity

By Ian O'Callaghan - Security Division Lead at PFH Technology Group.

Authentication and authorisation controls to restrict access to IT systems have existed for as long as computers have been used (in most scenarios). However, the days of using a simple username and password for login access are over. We need a more robust approach to authentication and authorisation for the modern threat landscape. Enter modern Identity and Access Management (IAM) solutions.?

Understanding and implementing robust IAM has become crucial for organisations seeking to protect their systems, staff, and data while also delivering access for legitimate users. Gartner published their Identity and Access Management Primer for 2024 in August. If you have Gartner access, you can download the primer report from https://www.gartner.com/en/documents/5071731. I cover some of its content below.

?

What is IAM?

IAM is more than just a technology solution. It's a comprehensive security approach that ensures the right people and machine accounts can access allowed resources at the right time, and for legitimate reasons. IAM combines sophisticated technologies with well-defined business processes to create a secure, efficient, and user-friendly access environment.

In essence, IAM serves as your organisation's digital doorkeeper, managing not just who can enter but also what they can do once inside. It's the fundamental infrastructure that enables organisations to maintain security while supporting productivity in our increasingly complex digital world.

?

The Components of Well-Designed IAM

A robust IAM solution comprises several interconnected components, each serving an essential role in the overall security architecture:

Access Management and Authentication - At its core, access management verifies that human and machine users are who they claim to be. Modern authentication goes beyond simple username and password combinations, incorporating multiple factors and adaptive access controls.?Authentication protocols check that authenticated users have the right to access the IT resources they are requesting. (This authentication checking also plays a major role in zero-trust security models. But that's a topic for another time).

Privileged Access Management - Privileged Access Management (PAM) is an increasingly vital addon to an IAM deployment that focuses on protecting the organisation's most powerful accounts. Typically, those with administrative access or elevated access rights. PAM solutions manage privileged credentials, monitor privileged sessions, control the elevation of privileges., and provide data for post-event troubleshooting and analysis. This is crucial for preventing the misuse of powerful system access accounts, whether intentional or accidental, and for demonstrating to auditors and other stakeholders that adequate security provisions are in place.

Identity Verification - Identity verification serves as the foundation for trust in digital interactions. It combines various technologies and processes to confirm that a person is who they claim to be during remote interactions. This is particularly crucial for customer-facing services and remote workforce management, where establishing trust is paramount.

Identity Governance and Administration - Provides the framework for managing digital identity lifecycles and governing user access across on-premises and cloud environments. It aggregates and correlates identity data from various sources, enabling organisations to control access rights while delivering compliance with regulatory requirements.

?

Gartner's View on IAM

According to a recent Gartner analysis, IAM has become a security foundation for our remotely connected world. Their primer report emphasises that identity has become the ultimate control surface, combining context, continuousness and consistency (they do like alliteration!) to provide a complete understanding of both user and device identity.

Gartner advocates for an "identity-first" security approach, where identity-based controls form the foundational element of an organisation's cybersecurity architecture. This marks a significant shift from traditional perimeter-based security models, which have become obsolete in our decentralised computing landscape, where people increasingly work remotely at multiple locations.

Delivering IAM in the Real World

Implementing IAM isn't without its challenges. Organisations often struggle with:

Legacy System Integration - Many organisations maintain legacy systems not designed for modern authentication methods. Successfully integrating these systems requires careful planning and often custom solutions.

User Experience - Balancing security with usability is an ongoing challenge. Too much friction in the authentication process can lead to user frustration and attempts to circumvent security measures.

Cloud Migration - As organisations move to the cloud, managing identities across hybrid environments becomes increasingly complex. This requires careful consideration about how to maintain consistent security policies across all platforms.

The key to overcoming these challenges lies in developing a comprehensive IAM strategy that aligns with both security and business objectives. This includes careful consideration of user needs, technical capabilities, and regulatory requirements.

?

PFH are Here to Help

At PFH, we understand that implementing and maintaining an effective IAM solution can be daunting. Our security and infrastructure teams bring extensive experience in helping organisations of all sizes navigate their IAM journey. We can help you with:

IAM Assessment - Evaluate your current identity and access management practices, identifying gaps and opportunities for improvement.

Solution Design - Our experts design tailored IAM solutions that balance security requirements with user experience, ensuring adoption and effectiveness.

Implementation Support - From initial deployment to ongoing management, we provide the technical expertise to ensure your IAM solution delivers security and value.

Continuous Evolution - Security threats and authentication technologies continue to evolve. We can help you stay ahead of the curve by working with you to regularly review and update your IAM strategy to address new challenges and opportunities.

Reach out to your PFH contact to start a conversation about IAM in your organisation.

Final Thoughts

We welcome your feedback on the topics in this newsletter and our blogs, posts, and videos. Contact us if you would like to provide feedback or ask us a question. Our next newsletter will be out in early February.?

| PFH Office Of The CTO |