Tech Guides - Cybersecurity

47 Articles

‘Computing technology at a tipping point’, says WEF Davos Panel

Melisha Dsouza
30 Jan 2019
9 min read
The ongoing World Economic Forum meeting 2019 has seen a vast array of discussions on political, technological and other industrial agendas. The meeting brings together the world’s foremost CEOs, government officials, policy-makers, experts and academics, international organizations, youth, technology innovators and representatives of civil society, with the aim of driving positive change in the world on multiple fronts. This article focuses on the talk ‘Computing Technology at a Tipping Point’, moderated by Nicholas Carlson from Business Insider, with a panel consisting of Antonio Neri, President and Chief Executive Officer of Hewlett Packard Enterprise; Jeremy O’Brien, CEO of PsiQuantum; and Amy Webb, Adjunct Assistant Professor at NYU Stern School of Business. Their discussion explored questions of today's age: why this is an important time for technology, the role of governments in encouraging a technological revolution, the role of the community and business in optimizing tech, and the challenges faced as we set out to utilize next-generation computing technologies like quantum computing and AI.

Quantum Computing - The necessity of the future

The discussion kicked off with the importance of quantum computing at present as well as in the future. O’Brien defined quantum computing as “Nothing short of a necessary tool that humans need to build their future”. According to him, QC is a “genuinely exponentially powerful technology”, because of the varied applications it can impact if put to use in the correct way: from human health and energy to molecular chemistry, among others. Webb calls 2019 the year of divergence, where we will move from the classic Von Neumann architecture to a more diversified quantum age. Neri believes we are now at the end of Moore’s law, which states that overall processing power for computers will double every two years. He says that two years from now we will generate twice the amount of data generated today, and there will be a major divergence between the data generated and the computation power available. This is why we need to focus on solving the architectural problems of processing algorithms and computing data rather than focusing on the amount of data.

Why is this an exciting time for tech?

O’Brien: Quantum computing and molecular simulation for techno-optimism

O’Brien expresses his excitement about quantum computing and molecular simulation, two fields where developers are just testing the waters. He has been in the QC field for the past 20 years and says that he has faith in quantum computing; even though it's the next big thing to watch out for, he assures developers that it will not replace conventional computing. Quantum computers can in fact be used to improve the performance of classical computing systems in handling the huge amounts of data and information we are faced with today. In addition to QC, another concept he believes ‘will transform lives’ is molecular simulation. Molecular simulation will design new pharmaceuticals and new chemicals and help build really sophisticated computers to solve exponentially large problems.

Webb: The beginning of the end of smartphones

“We are in the midst of a great transformation. This is an explosion happening in slow motion”. Based on data-driven models, she says this is the beginning of the end of smartphones. 10 years from now, as our phones retrieve everything from biometric information to information derived from what we wear and use, computing environments will look different. Citing the example of Magic Leap, which creates spatial glasses, she mentions how the computable devices we wear will turn our environment into a computable space to visualize data in a whole different way. She advises businesses to rethink how they function, even as the current cloud vs. edge and computer architectures change. Companies should start thinking in terms of 10 years rather than the short term, since decisions made today will have long-term consequences. While this is the positive side, Webb is pessimistic that there is no global alignment on the use of data. Systems have to be trained on the basis of GDPR and other data laws.

Neri: Continuous re-skilling to stay relevant

Humans should continuously re-skill themselves with changing times and technologies to avoid exclusion from new jobs as and when they arrive. He further states that, in the field of artificial intelligence, there should not be a concentration of power in a few entities like Baidu, Alibaba, Tencent, Google, Microsoft, Facebook, Apple and others. While these companies are at the forefront of deciding the future of AI, innovation should happen at all levels. We need guidelines and policy for the same: not to regulate, but to guide the revolution. Business, community and government should start thinking about ethical and moral codes.

Government’s role in technological optimism

The speakers emphasized the importance of governments' involvement in these ‘exciting times’ and how they can work towards making citizens feel safe against the possible abuse of technology.

Webb: Regulation of AI doesn't make sense

We need to have conversations on optimizing artificial intelligence using available data. She expresses her opinion that the regulation of AI doesn't make sense. This is because we shift from a group of people understanding and implementing optimization to lawmakers who do not have the technical know-how. Nowadays, people focus on regulating tech instead of optimizing it because most don’t understand the nitty-gritty of a system, nor do they understand a system’s limitations. Governments play a huge role in this optimization-or-regulation decision making. She emphasizes the need to get hold of the right people to come to an agreement, “where companies are a hero to their shareholders and the government to their citizens”. Governments should start talking about and exploring quantum computing so that its benefits are distributed equitably in the shortest amount of time.

Neri: Human-centered future of computing

He adds that for a human-centered future of computing, it is we who need to decide what is good or bad for us. He agrees with Webb’s point that since technology evolves in ways we cannot foresee, we need to come to reasonable conclusions before a crisis arrives. Further, he adds that governments should inculcate moral ethics while adopting and implementing technology and innovation.

Role of politicians in technology

During the discussion, a member of the European Parliament stated that people have a common notion that politicians do not understand technology and cannot keep up with changing times. Stating that many companies do not think about governance, human rights, democracy and the possible abuse of their products, the questioner said that we need a minimum threshold to protect human rights and safeguard humans against abuse. Her question centered on ways to invite politicians to understand tech better before it's too late. Expressing her gratitude that the European Parliament is asking such a thoughtful question, Webb suggested that creating some kind of framework that the key people on all sides of the spectrum can agree to, and a mechanism that incentivises everyone to play fairly, will help parliaments and other law-making bodies feel included in understanding technology. Neri also suggested a guiding principle: think ethically before using any technology, without stopping innovation.

Technological progress in China and its implications for the U.S.

Another question that caught our attention was the progress of technology in China and its implications for the US. Webb says that the development of tools, technologies, frameworks and data-gathering mechanisms to mine, refine and monetize data follows different approaches in the US and China. In China, the activities related to AI and the activities of Baidu, Alibaba and Tencent are under the leadership of the Chinese Communist Party. She says that it is hard to overlook what is happening in China with the BRI (Belt and Road Initiative), 5G, digital transformation, expansion in fibre and expansion in e-commerce, and that a new world order is being formed because of the same. She is worried that the US and its allies will be locked out economically from the BRI countries, and AI will be one of the factors propelling this.

Role of the military in technology

The last question pointed out that some of the worst abuses of technology can be done by governments, and the military has the potential to misuse technology. We need to have conversations on the ethical use of technology and how to design technology to fit ethical morals. Neri says that corporations do have a point of view on the military using technology for various reasons, and governments are consulting them on the impacts of technology on the world as well. This is a hard topic and the debate is ongoing, even though it is not visible to the people. Webb says that the US always had ties with the government. We live in a world of social media where conversations spiral out of control because of the same. She advises companies to meet quarterly to have conversations along this line and to understand how their work with the military/government aligns with the core values of their company.

Sustainability and technology

Neri states that 6% of global power is used to power data centers. It is important to determine how to address this problem. The solutions proposed for the same are:

- Innovate in different ways.
- Be mindful of the entire supply chain, from the time you procure minerals to build the system to the time you recycle it.
- We need to think of a circular economy. Consider if systems can be re-used by other companies; check which parts can be recycled and reused.
- We can use synthetic DNA to back up data; this could potentially use less energy.
- To sustain human life on this planet, we need to optimise how we use resources, physical and virtual. QC tools will invent the future. Materials can be built using QC.

You can listen to the entire talk at the World Economic Forum’s official page.

Machine generated videos like Deepfakes - Trick or Treat?

Natasha Mathur
30 Oct 2018
3 min read
A Reddit user named “DeepFakes” posted real-looking explicit videos of celebrities last year. He made use of deep learning techniques to insert celebrities’ faces into adult movies. Since then, the term “Deepfakes” has been used to describe deep learning techniques that help create realistic-looking fake videos or images. Video tampering of this kind is usually done using generative adversarial networks.

Why is everyone afraid of deepfakes?

Deepfakes are problematic as they make it very hard to differentiate between fake and real videos or images. This gives people the liberty to use deepfakes for promoting harassment and illegal activities. The most common uses of deepfakes are found in revenge porn, fake celebrity videos and political abuse. For instance, people create face-swap porn videos of ex-girlfriends, classmates, politicians, celebrities, and teachers. This not only counts as cyberbullying but poses a major threat overall, as one can create a fake video showing world leaders declaring war on a country. Moreover, given that deepfakes seem so real, their victims often suffer feelings of embarrassment and shame. Deepfakes also cause major reputational harm. One such example is that of 24-year-old Noelle Martin, whose battle with deepfake pornography started six years ago. Anonymous predators stole her non-sexual images online and then doctored them into pornographic videos. Martin says she faces harassment from people to this day. Other victims of deepfake pornography include celebrities such as Michelle Obama, Emma Watson, Natalie Portman, Ivanka Trump, Kate Middleton, and so forth. But deepfakes aren’t just limited to pornography and have made their way into many other spheres. Deepfakes can also be used as a weapon of misinformation, since they can be used to maliciously hoax governments and populations and cause internal conflict. From destroying careers by creating fake evidence of people doing something inappropriate to showing soldiers killing innocent civilians, deepfakes have been wreaking havoc.

In defense of deepfakes

Just as any tool can be used for good and bad, deepfakes are simply an effective machine learning tool that creates realistic videos. Even though deepfakes are mostly used for inappropriate activities, some have put them to good use. For instance, GANs or generative adversarial networks (which help create deepfakes) can create realistic images of skin lesions and create examples of liver lesions, which plays a major role in medical research. Other examples include filmmakers using deepfakes to make great videos with swapped-in backgrounds, Snapchat face-swap photo filters, and face-swap e-cards (e.g. the JibJab app), among others.

Are deepfakes trick or treat?

If we make a pros and cons list for deepfakes, the cons seem to outweigh the pros as of today. Although they have potentially good applications, they are mostly used as a tool for harassing and misinforming people. There is a long way to go until deepfakes earn themselves a good reputation; right now, it is mostly fake videos, fake images, false danger warnings, and revenge porn. Trick or treat? I spy a total TRICK!

What Blockchain Means for Security

Lauren Stephanian
02 Oct 2017
5 min read
It is estimated that hacks and flaws in security have cost the US over $445B every year. It is clear at this point that the cost of hacking attacks and ransomware has increased and will continue to increase year by year. Therefore, industries—especially those that require large amounts of important data—will need to invest in technologies to continue to be more secure.

By design, Blockchain is theoretically a secure means of storing data. Each transaction is recorded on an immutable ledger, which serves to prevent and detect any form of tampering. Besides this, Blockchain also eliminates the need for verification from trusted third parties, which can come at high cost. But is this a promise that the technology has yet to fulfill, or is it part of the security revolution of the future we so desperately need?

How Blockchain is resolving security issues

One security issue that can be addressed by Blockchain relates to the fact that many industries rely heavily on “cloud and on-demand services, where our data is accessed and processed by untrusted third parties.” There are also many situations where parties may want to jointly work on data without revealing their portion to untrusted entities. Blockchain can be used to create a system where users can jointly store data and also remain anonymous. In this case, Blockchain can be used to record time-stamped events that can’t be removed—so in the case of a cyber attack, it is easy to see where it came from. The Enigma Project, originally developed at MIT, is a good example of this use case.

Another issue that Blockchain can improve is data tampering. There have been a number of cyber attacks where the attackers don’t delete or steal data, but alter it. One infamous example of this is the Stuxnet malware, which severely and physically damaged Iran's nuclear program. If this data were stored on the Blockchain, any altered transactions would be marked and could not be changed or covered up, and therefore hackers would not be able to hide their tracks.

Blockchain's security vulnerabilities

The inalterability of Blockchain and its decentralization clearly have many advantages; however, they do not entirely remove the possibility of data being altered. It is possible to introduce data unrelated to transactions into the Blockchain, and therefore this Blockchain data could be exposed to malware. The extent to which malware could impact the entire Blockchain and all its data is not yet known; however, there have been some instances of proven vulnerabilities. One such proven vulnerability is Vitaly Kamluk’s proof-of-concept software that could take information from a hacker’s Bitcoin address and essentially pull malicious data and store it on the Blockchain.

Private vs. public Blockchain implementations

When understanding security risks in Blockchain technology, it is also important to understand the difference between private and public implementations. On public Blockchains, anyone can read or write transactions, and anyone can aggregate those transactions and publish them if they are able to solve a cryptographic puzzle. Solving these puzzles takes a lot of computing power, and therefore a high amount of energy is required to solve many of these problems. This leads to a market where most of the transactions and puzzle solving are done in countries where energy is cheapest. This, in turn, leads to centralization and potential collusion. Private Blockchains, in comparison, give the network operator control over who can read and write to the ledger. In the case of Bitcoin in particular, ownership is proven through a private key linked to a transaction, and just like physical money, these keys can easily be lost or stolen. One estimate puts the value of lost Bitcoins at $950M.

There are many pros and cons which should be considered when deciding whether or not to use Blockchain. It is important to note here that the most important thing Blockchain provides us with is the ability to track who committed a particular transaction—for good or for bad—and when. There are some security measures with which it certainly would help a great deal—especially when it comes to tracking what information was breached, altered, or stolen. However, it is not an end-all-be-all when it comes to keeping data secured. If Blockchain is to be used to store important data, such as financial information or client health records, it should be wrapped in a layer of other cyber security software.

Lauren Stephanian is a software developer by training and an analyst for the structured notes trading desk at Bank of America Merrill Lynch. She is passionate about staying on top of the latest technologies and understanding their place in society. When she is not working, programming, or writing, she is playing tennis, traveling, or hanging out with her good friends in Manhattan or Brooklyn. You can follow her on Twitter or Medium at @lstephanian or via her website.

Defending your business from the next wave of cyberwar: IoT Threats

Guest Contributor
15 Sep 2018
6 min read
There’s no other word for the destabilization of another nation through state action other than war -- even if it’s done with ones and zeros. Recent indictments of thirteen Russians and three Russian companies for tampering with US elections are a stark reminder. Without hyperbole, it is safe to say that we are in the throes of an international cyber war, and the damage is spreading massively over the corporate economy. Reports have reached a fever pitch and the costs globally are astronomical. According to Cybersecurity Ventures, damage related to cybercrime in general is projected to hit $6 trillion annually by 2021.

Over the past year, journalists for many news agencies have reported credible studies regarding the epidemic of state-sponsored cyber attacks. Wired and The Washington Post, among many others, have outlined threats that have reached the US energy grid and other elements of US infrastructure. However, the cost to businesses is just as devastating. While many attacks have been government-targeted, businesses are increasingly at risk from state-sponsored cyber campaigns. A recent worldwide threat assessment from the US Department of Justice discusses several examples of state-sponsored cyber attacks that affect commercial entities, including diminishing trust from consumers, ransomware proliferation, IoT threats, the collateral damage from disruptions of critical infrastructure, and the disruption of shipping lanes.

How Cyberwar Affects Us on a Personal Level

An outcome of cyberwarfare that isn’t usually considered is that a large amount of the damage is reflected in human capital. This can be found in the undermining of consumer and employee confidence in the ability of a company to protect data. According to a recent study examining how Americans feel about internet privacy in 2018, 51% of respondents said their main concern was online threats stealing their information, and over a quarter said they were particularly concerned about companies collecting/sharing their personal data. This kind of consumer fear is justified by a seeming lack of ability of companies to protect the data of individuals. Computing and quantitative business expert Dr. Benjamin Silverstone points out that recent cyber-attacks focus on the information of consumers (rather than other confidential documentation or state secrets, which may have greater protection). Silverstone says, “Rather than blaming the faceless cyber-criminals, consumers will increasingly turn to the company that is being impersonated to ask how this sort of thing could happen in the first place. The readiness to share details online, even with legitimate companies, is being affected and this will damage their business in the long term.”

So, how can businesses help restore consumer confidence? You should:

- Increase your budget for better cybercrime solutions and tell your consumers about it liberally. Proven methods include investing in firewalls with intrusion prevention tools, teaching staff how to detect and avoid malware, and enforcing strict password protocols to bolster security.
- Invest in two-factor authentication so that consumers feel safer when accessing your product.
- Educate your consumer base -- it is equally important that everyone be more aware when it comes to cyber attacks. Give your consumers regular updates about suspected scams and send tips and tricks on password safety.

Ransomware and Malware Attacks

CSO Online reports that ransomware damage costs exceeded $5 billion in 2017, 15 times the cost in 2015. Accordingly, Cybersecurity Ventures says that costs from ransomware attacks will rise to $11.5 billion next year. In 2019, they posit, a business will fall victim to a ransomware attack every 14 seconds.

But is This International Warfare?

The North Korean government’s botnet has been shown to be able to pull off DDoS attacks and is linked to the WannaCry ransomware attack. In 2017, over 400,000 machines were infected by the WannaCry virus, costing companies over $4 billion in over 150 countries.

To protect yourself from ransomware attacks:

- Back up your data often and store it in non-networked spaces or in the cloud. Ransomware only works if there is a great deal of data at risk.
- Encrypt whatever you can and keep firewalls/two-factor authentication in place wherever possible.
- Keep what cyber experts call the “crown jewels” (the top 5% most important and confidential documents) on a dedicated computer with very limited access.

The Next Wave of Threat - IoT

IoT devices make mundane tasks like scheduling or coordination more convenient. However, the proliferation of these devices creates cybersecurity risk. Companies are bringing in devices like printers and coffee makers that are avenues for hackers to enter a network. Many experts point to IoT as their primary concern. A study from Shared Assessments found that 97% of IT respondents felt that unsecured IoT devices could cause catastrophic levels of damage to their company. However, less than a third of the companies represented reported thorough monitoring of the risks associated with third-party technology.

Here’s a list of how to protect yourself from IoT threats:

- Evaluate what data IoT devices are accumulating and limit raw storage. Create policies regarding anonymizing user data as much as possible.
- Apply security patches to any installed IoT device. This can be as simple as making sure you change the default password.
- Vet your devices - make sure you are buying from sources that (you believe) will be around a long time. If the business you purchase your IoT device from goes under, they will stop updating safety protocols.
- Make a diversified plan, just in case major components of your software setup are compromised.

While we may not be soldiers, a war is currently on that affects us all, and everyone must be vigilant. Ultimately, communication is key. Consumers rely on businesses to protect them from individual attack. These are individuals who are more likely to remain your customers if you can demonstrate how you are maneuvering to respond to global threats.

About the author

Zach is a freelance writer who likes to cover all things tech. In particular, he enjoys writing about the influence of emerging technologies on both businesses and consumers. When he's not blogging or reading up on the latest tech trend, you can find him in a quiet corner reading a good book, or out on the track enjoying a run.

Do you want to know what the future holds for privacy? It’s got Artificial Intelligence on both sides.

Guest Contributor
21 Aug 2018
8 min read
AI and machine learning are quickly becoming integral parts of modern society. They’ve become common personal and household objects in this era of the Internet of Things. No longer are they relegated to the inner workings of gigantic global corporations or military entities. AI is taking center stage in our very lives and there’s little we can do about it. Tech giants like Google and Amazon have made it very easy for anyone to get their hands on AI-based technology in the form of AI assistants and a plethora of MLaaS (machine-learning-as-a-service) offerings. These AI-powered devices can do anything like telling you the weather, finding you a recipe for your favorite pasta dish, and even letting you know your friend Brad is at the door- and opening that door for you. What’s more, democratized AI tools make it easy for anyone (even without coding experience) to try their hands on building machine learning based apps. Needless to say, a future filled with AI is a future filled with convenience. If Disney’s film “Wall-e” was any hint, we could spend our whole lives a chair while letting self-learning machines do everything we need to do for us (even raising our kids). However, the AI of today could paint an entirely different picture of the future for our privacy. The price of convenience Today’s AI is hungry for your personal information. Of course, this isn’t really surprising seeing as they were birthed by companies like Google that makes most of its yearly income from ad revenue. In one article written by Gizmodo, a privacy flaw was found in Google’s then newest AI creation. The AI assistant would be built into every Google Pixel phone and would run on their messenger app “Allo”. Users could simply ask the assistant questions like “what’s the weather like tomorrow” or “how do I get to Brad’s house”. Therein lies the problem. 
In order for an AI assistant to adjust according to your own personal preferences, it has to first learn and remember all of your personal information. Every intimate detail that makes you, you. It does this by raking in all the information stored in your device (like your contacts list, photos, messages, location). This poses a huge privacy issue since it means you’re sharing all your personal information with Google (or whichever company manufactures your AI-driven assistant). In the end, no one will know you better than yourself- except Google. Another problem with this AI is that it can only work if your message is unencrypted. You can either opt for more privacy by choosing to use the built-in end-to-end encrypted mode or opt for more convenience by turning off encrypted mode and letting the AI read/listen to your conversations. There is no middle ground yet. Why is this such a big problem? Two reasons: Companies, like Google, use or sell your private information to third parties to make their money; and Google isn’t exactly the most trustworthy with users’ secrets. If your AI manufacturer behaves like Google, that privacy policy that you’re relying on will mean nothing once the government starts knocking on their door. VPNs vs AI How AI learns from your personal information is just the tip of the iceberg. There’s a deeper privacy threat looming just behind the curtain: bad actors waiting to use AI for their own nefarious purposes. One study compared human hackers with artificial hackers to see who could get more Twitter users to click on malicious phishing links. The results showed that artificial hackers substantially outperformed their human counterparts. The artificial hacker pumped out more spear-phishing tweets that resulted in more conversions. This shows how powerful AI can be once it’s weaponized by hackers. Hackers may already be using AI right now- though it’s still hard to tell. Users are not without means to defend themselves, though. 
VPNs have long been used as a countermeasure against hackers. The VPN industry has even grown due to the recent problems regarding user data and personal information like the Facebook-Cambridge Analytica scandal and how the EU’s GDPR effectively drove many websites to block IPs from the EU. A VPN (Virtual Private Network) protects your privacy by masking your IP. It also routes your internet traffic through secure tunnels where it is encrypted. Most VPNs on the market currently use military-grade 256-bit AES to encrypt your data along with a multitude of various security features. The problem is that anyone with the time and resources can still break through your VPN’s defense- especially if you’re a high profile target. This can either be done by getting the key through some nefarious means or by exploiting known vulnerabilities to break into the VPN’s encryption. Breaking a VPN’s encryption is no easy task as it will take lots of computation and time- we’re talking years here. However, with the rise of AI, the process of breaking a VPN’s encryption may have become easier. Just 2 years ago, DARPA, the US government agency that commissions research for the US Department of Defense, funded the Cyber Grand Challenge. Here, computers were pitted against each other to find and fix bugs in their systems. The winner, a computer named “Mayhem” created by a team named “ForAllSecure”, took home the $2 million prize. It achieved its goal by not only patching any holes it found in its own system but also by finding and exploiting holes in its opponents’ software before they could be patched. Although the whole point of the challenge was to speed up the development of AI to defend against hackers, it also showed just how powerful an artificial hacker can be. A machine that could quickly process heaps and heaps of data while developing more ways to defend/attack from its own processes is a double-edged sword. 
This is why some VPN companies have started incorporating AI to defend against hackers, human or otherwise.

The future of VPNs is AI augmented

"If you can't beat them, join them." One VPN that has started using AI as part of its service is Perfect Privacy. Its AI takes the form of NeuroRouting (AI-based routing). With this, the AI chooses a route based on where the user is connecting to: it picks the server closest to the destination server, and does so separately for every connection. This means that if you are in Romania but connecting to a website hosted in New York, the VPN will choose a New York-based location as the exit server. This not only reduces latency but also ensures that all traffic stays inside the VPN for as long as possible. It also makes the user appear to have different IPs on different sites, which bolsters privacy even further. Also, because the AI is dynamic in its approach, it frequently changes its route to keep it as short as possible, which makes its routes nigh impossible to predict. If you would like a more detailed look at Perfect Privacy and its AI-based routing, check out this Perfect Privacy review.

Some experts believe that someday we may just let AI handle our security in the Internet of Things for us. Just recently this year, a wireless VPN router called "Fortigis" was released and touted AI-based defenses. The router uses self-learning AI to keep your connection safe by learning from attack attempts made on any Fortigis router. All devices are then updated to defend against such attacks, ensuring up-to-date security. It also lets you control who can connect to your home network, alerts you when someone is connecting, and shows you all the devices connected to your home network. These are just some of the ways the VPN industry is keeping up with the security needs of the times. Who knows what else the future could bring.
Whatever it is, one thing is for sure: artificial intelligence will be a big part of it.

About the author: Dana Jackson is a U.S. expat living in Germany and the founder of PrivacyHub. She loves all things related to security and privacy. She holds a degree in Political Science, and loves to call herself a scientist. Dana also loves morning coffee and her dog Paw.
Savia Lobo
22 Jun 2018
3 min read

What security and systems specialists are planning to learn in 2018

Developers are always on the verge of learning something new that can add to their skills and experience. Organizations such as Red Hat, Microsoft, Oracle and many more roll out courses and certifications for developers and other individuals. 2018 has brought some exciting areas for security and system experts to explore. Our annual Skill Up survey highlighted a few of the technologies that security and system specialists are planning to learn this year.

Docker emerged at the top, with professionals wanting to learn more about it and how it is used to build software with the 'everything in one place' concept. The survey also highlighted specialists' interest in learning Red Hat's OpenStack, Microsoft Azure, and AWS technologies.

OpenStack, being a cloud OS, keeps a check on large pools of compute, storage, and networking resources within a datacenter, all through a web interface. It gives users a much more modular architecture to build their own cloud platforms without the restrictions of traditional cloud infrastructure. OpenStack also offers a Red Hat® Certified System Administrator course through which one can learn to secure private clouds on OpenStack. You can check out our book OpenStack Essentials to get started.

The survey also highlights that system specialists are interested in learning Microsoft Azure. The primary reason for their choice is that it offers a varied range of options to protect one's applications and data. It offers a seamless experience for developers who want to build, deploy, and maintain applications in the cloud. It also supports compliance efforts and provides cost-effective security for individuals and organizations.

AWS also offers out-of-the-box features with products such as Amazon EC2, Amazon S3, AWS Lambda, and many more. Read about why AWS is a preferred cloud provider in our article, Why AWS is the preferred cloud platform for developers working with big data?
In response to another question in the same survey, developers expressed their interest in learning security. With so much information being hosted on the web, organizations fear that their valuable data might be attacked by hackers and used illegally.

Developers are also keen on learning about security automation, which can help them perform vulnerability scans without human error and also decreases their time to resolution. Security automation further optimizes the ROI of their security investments. Learn security automation using one of the popular tools, Ansible, with our book Security Automation with Ansible 2.

So these are some of the technologies that security and system specialists are planning to learn. This analysis was taken from the Packt Skill Up Survey 2018. Do let us know your thoughts in the comments below. The entire survey report can be found on the Packt store.
Sugandha Lahoti
18 Aug 2018
7 min read

Four 2018 Facebook patents to battle fake news and improve news feed

The past few months saw Facebook struggling to maintain its integrity, considering the number of fake news and data scandals linked to it: Alex Jones, accusations of discriminatory advertising, and more. Not to mention, Facebook stock fell $120 billion in market value after the Q2 2018 earnings call. Amidst these allegations of providing fake news and allowing discriminatory content on its news feed, Facebook patented its news feed filter tool last week to provide more relevant news to its users. In the past, too, Facebook has been granted several interesting patents to enhance its news feed algorithm in order to curb fake news. This made us look into what other recent patents Facebook has been granted around news feeds and fake news.

Facebook's News Feed has always been one of its signature features. The news feed is generated algorithmically (instead of chronologically), with a mix of status updates, page updates, and app updates that Facebook believes are interesting and relevant to you. Officially, Facebook successfully patented its News Feed in 2012, after filing for it in 2006. The patent gave the company a stronghold on the ability to let users see not only the status messages, pictures, and links to videos of online friends, but also the actions those friends take.

Note: According to the United States Patent and Trademark Office (USPTO), a patent is an exclusive right to an invention and "the right to exclude others from making, using, offering for sale, or selling the invention in the United States or 'importing' the invention into the United States".

Here are four Facebook patents in 2018 pertaining to news feeds that we found interesting.

Dynamically providing a feed of stories
Date of Patent: April 10, 2018
Filed: December 10, 2015
Features: Facebook filed this patent to present its news feed in a more dynamic manner, suited to a particular person.
Facebook's News Feed automatically generates a display that contains information relevant to a user about another user. This patent is titled Dynamically providing a feed of stories about a user of a social networking system. As per the patent application, social networking websites have recently developed systems for tailoring connections between various users. Typically, however, these news items are disparate and disorganized. The proposed method generates news items regarding activities associated with a user. It attaches an informational link associated with at least one of the activities to at least one of the news items. The method limits access to the news items to a predetermined set of viewers and assigns an order to the news items.

Source: USPTO

This patent is a viable solution for limiting access to news items that a particular section of users may find obscene. For instance, Facebook users below the age of 18 may be restricted from viewing graphic content. The patent received criticism, with people ridiculing it for seeming to go against everything that the patent system is supposed to do. They say that such automatically generated news feeds are found in all sorts of systems and social networks these days. But now Facebook may have the right to prevent others from doing what social networks are inherently supposed to do.

Generating a feed of content items from multiple sources
Date of Patent: July 3, 2018
Filed: June 6, 2014
Features: Facebook filed a patent allowing a feed of content items associated with a topic to be generated from multiple content sources. Per the Facebook patent, its news feed generation system receives content items from one or more content sources. It matches the content items to topics based on a measure of the affinity of each content item for one or more objects. These objects form a database that is associated with various topics.
The feed associated with the topic is communicated to a user, allowing the user to readily identify content items associated with the topic.

Source: USPTO

Consider the example of sports. A sports database will contain an ontology defining relationships between objects such as teams, athletes, and coaches. The news feed for a particular user interested in sports (an athlete, a coach or a player) will cover all content items associated with sports.

Selecting organic content and advertisements based on user engagement
Date of Patent: July 3, 2018
Filed: June 6, 2014
Features: Facebook wants to dynamically adjust the organic content items and advertisements presented to a user by modifying a ranking. Partial engagement scores are generated for organic content items based on the expected amount of user interaction with each organic content item. Advertisement scores are generated based on expected user interaction and the bid amounts associated with each organic content item. These advertisement and partial engagement scores are then used to determine two separate engagement scores measuring the user's estimated interaction with a content feed: one for a feed of organic content items with advertisements and one for a feed without them. The difference between these two scores modifies a conversion factor used to combine expected user interaction and bid amounts to generate advertisement scores. This mechanism has been patented by Facebook as Selecting organic content and advertisements for presentation to social networking system users based on user engagement. For example, if a large number of advertisements are presented to a user, the user may become frustrated with the increased difficulty of viewing stories and interact less with the social networking system. However, advertisements also generate additional revenue for the social networking system. A balance is necessary.
So, if the engagement score is greater than the additional engagement score by at least a threshold amount, the conversion factor is modified (e.g., decreased) to increase the number of organic content items included in the feed. If the engagement score is greater than the additional engagement score but by less than the threshold amount, the conversion factor is modified (e.g., increased) to decrease the number of organic content items included in the feed.

Source: USPTO

Displaying news ticker content in a social networking system
Date of Patent: January 9, 2018
Filed: February 10, 2016
Features: Facebook has also patented Displaying news ticker content in a social networking system. This patent describes a system that displays stories about a user's friends in a news ticker as those friends perform actions. The system monitors in real time for actions associated with users connected to the target user. The news ticker is updated so that stories including the identified actions and the associated connected users are displayed within a news ticker interface. The news ticker interface may be a dedicated portion of the website's interface, for example a column next to the news feed. Additional information related to a selected story may be displayed in a separate interface.

Source: USPTO

For example, a user may select a story displayed in the news ticker, say about movies. In response, additional information associated with movies (such as actors, director, songs and so on) may be displayed in an additional interface. The additional information can also depend on the movies liked by the target user's friends.

These patents show the lengths to which Facebook is going to repair its image and amend its news feed algorithms to curb fake and biased news.
The dynamic algorithm may restrict content, the news ticker content and multiple-source extraction will keep the feed relevant, and the balance between organic content and advertisements could lure users to stay on the site. There are currently no details on when or if these features will hit the Facebook feed, but once implemented they could bring Zuckerberg's vision of "bringing the world close together" closer to reality.
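The engagement-based conversion-factor loop described for the "Selecting organic content and advertisements" patent, as an added example that is not Facebook's code or the patent's own formulas: the way scores combine expected interaction with bids, the step size and the threshold are all assumptions chosen to make the described feedback rule concrete.

```python
"""Illustrative model of the conversion-factor feedback loop described in the
'Selecting organic content and advertisements' patent (added example, not
Facebook's code; scoring formulas, step size and sample data are assumed)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Item:
    name: str
    expected_interaction: float  # predicted probability the user engages
    bid: float = 0.0             # advertiser bid; 0 for organic content
    is_ad: bool = False


def ad_score(item: Item, conversion_factor: float) -> float:
    """Assumed formula: expected interaction plus the bid scaled by the
    conversion factor, so a larger factor ranks ads higher."""
    return item.expected_interaction + conversion_factor * item.bid


def build_feed(organic: List[Item], ads: List[Item],
               conversion_factor: float, feed_size: int) -> List[Item]:
    """Rank organic items by their partial engagement score (expected
    interaction) and ads by ad_score, then keep the top feed_size items."""
    scored = [(i.expected_interaction, i) for i in organic]
    scored += [(ad_score(a, conversion_factor), a) for a in ads]
    scored.sort(key=lambda pair: pair[0], reverse=True)  # stable sort
    return [item for _, item in scored[:feed_size]]


def engagement(feed: List[Item]) -> float:
    """Estimated user interaction with a feed: the sum of predicted
    interaction over its organic items (ads assumed to add none)."""
    return sum(i.expected_interaction for i in feed if not i.is_ad)


def adjust_conversion_factor(score_without_ads: float, score_with_ads: float,
                             factor: float, threshold: float,
                             step: float = 0.1) -> float:
    """Feedback rule as the patent describes it: if ads cost at least
    `threshold` of engagement, lower the factor (more organic items);
    if they cost less than that, raise it (more ad revenue)."""
    loss = score_without_ads - score_with_ads
    if loss >= threshold:
        return max(0.0, factor - step)
    if loss > 0:
        return factor + step
    return factor  # no measurable loss: leave the factor unchanged


def run_cycle(organic: List[Item], ads: List[Item], factor: float,
              feed_size: int, threshold: float) -> Tuple[List[Item], float]:
    """Build the feed with and without ads, compare their engagement
    scores, and return the served feed plus the updated factor."""
    with_ads = build_feed(organic, ads, factor, feed_size)
    without_ads = build_feed(organic, [], factor, feed_size)
    new_factor = adjust_conversion_factor(engagement(without_ads),
                                          engagement(with_ads),
                                          factor, threshold)
    return with_ads, new_factor


# Constructed sample data for a stand-alone run.
ORGANIC = [Item("A", 0.9), Item("B", 0.8), Item("C", 0.7), Item("D", 0.6)]
ADS = [Item("X", 0.2, bid=1.0, is_ad=True), Item("Y", 0.1, bid=0.5, is_ad=True)]

if __name__ == "__main__":
    factor = 1.0
    for threshold in (0.5, 1.0):
        feed, new_factor = run_cycle(ORGANIC, ADS, factor, 4, threshold)
        print([i.name for i in feed], "threshold", threshold,
              "factor", factor, "->", round(new_factor, 2))
```

With the sample data the ad X displaces organic item D, costing 0.6 of engagement; a threshold of 0.5 therefore lowers the factor, while a threshold of 1.0 raises it.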
Richard Gall
16 May 2018
3 min read

BeyondCorp is transforming enterprise security

What is BeyondCorp?

BeyondCorp is an approach to cloud security developed by Google. It is a zero trust security framework that not only tackles many of today's cyber security challenges but also helps to improve accessibility for employees. As remote, multi-device working shifts the way we work, it's a framework that might just be future proof.

The principle behind it is a pragmatic one: dispensing with the traditional notion of a workplace network and using a public network instead. By moving away from the concept of a software perimeter, BeyondCorp makes it much more difficult for malicious attackers to penetrate your network. You're no longer inside or outside the network; there are different permissions for different services. While these are accessible to those who have the relevant permissions, the lack of a perimeter makes life very difficult for cyber criminals.

How does BeyondCorp work?

BeyondCorp works by focusing on users and devices rather than networks and locations. It works through a device inventory service. This essentially logs information about the user accessing the service: who they are and what device they're using. Google explained the concept in detail back in 2016: "Unlike the conventional perimeter security model, BeyondCorp doesn't gate access to services and tools based on a user's physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user."

Of course, BeyondCorp encompasses a whole range of security practices. Implementation requires a good deal of alignment and effective internal communication. That's one of the challenges the Google team had when implementing the framework: getting communication and buy-in from the whole organization without radically disrupting how people work.

Is BeyondCorp being widely adopted by enterprises?
Google has been developing BeyondCorp for some time. In fact, the concept was a response to the Operation Aurora cyber attack back in 2009. This isn't a new approach to system security, but it is only recently becoming more accessible to other organizations. We're starting to see a number of software companies offering what you might call BeyondCorp-as-a-Service. Duo is one such service: "Reliable, secure application access begins with trust, or a lack thereof" goes the (somewhat clunky) copy on its homepage. Elsewhere, ScaleFT also offers BeyondCorp services.

Services like those offered by Duo and ScaleFT highlight that there is clearly demand for this type of security framework. But it is a nascent trend. Despite having been in use within Google for almost a decade, ThoughtWorks' Radar first picked up on BeyondCorp in May 2018. Even then, ThoughtWorks placed it in the 'assess' stage. That means it is still too early to adopt; it should simply be explored as a potential security option in the near future.
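The access model described under "How does BeyondCorp work?", as an added example that is not Google's implementation: a small device inventory plus a policy check in which the decision depends only on the user, the device and its recorded state, and the source network is deliberately ignored. Device fields, trust tiers, the patch-level threshold and all sample users, devices and services are assumptions constructed for the example.

```python
"""Illustrative zero-trust access check in the BeyondCorp style (added example,
not Google's code): access is decided from the user and the inventoried state
of the device, never from the network the request arrives on."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MIN_PATCH_LEVEL = 40  # constructed threshold for "recently patched"


@dataclass
class Device:
    device_id: str
    owner: str            # user the device is assigned to in the inventory
    managed: bool         # enrolled in the corporate device inventory
    disk_encrypted: bool
    patch_level: int      # constructed: higher means more recent patches


@dataclass
class User:
    username: str
    groups: List[str]


@dataclass
class Service:
    name: str
    required_tier: int    # minimum device trust tier (0..2) to reach it
    allowed_groups: List[str]


class DeviceInventory:
    """Stand-in for the device inventory service the article describes."""

    def __init__(self) -> None:
        self._devices: Dict[str, Device] = {}

    def register(self, device: Device) -> None:
        self._devices[device.device_id] = device

    def lookup(self, device_id: str) -> Optional[Device]:
        return self._devices.get(device_id)


def device_trust_tier(device: Device) -> int:
    """Derive a trust tier from the device's recorded state. Unmanaged
    devices get -1 so they can never satisfy any service's requirement."""
    if not device.managed:
        return -1
    tier = 0
    if device.disk_encrypted:
        tier += 1
    if device.patch_level >= MIN_PATCH_LEVEL:
        tier += 1
    return tier


def authorize(inventory: DeviceInventory, user: User, device_id: str,
              service: Service, source_ip: str) -> Tuple[bool, str]:
    """Decide access. `source_ip` is accepted only to show that it plays no
    part: a request from an office address gets exactly the same checks as
    one from a coffee shop."""
    device = inventory.lookup(device_id)
    if device is None:
        return False, "device not in inventory"
    if device.owner != user.username:
        return False, "device not assigned to this user"
    if not any(g in service.allowed_groups for g in user.groups):
        return False, "user not in an allowed group"
    tier = device_trust_tier(device)
    if tier < service.required_tier:
        return False, f"device trust tier {tier} below required {service.required_tier}"
    return True, "allowed"


# Constructed sample data for a stand-alone run.
INVENTORY = DeviceInventory()
INVENTORY.register(Device("laptop-1", "alice", True, True, 42))   # tier 2
INVENTORY.register(Device("laptop-3", "alice", True, True, 12))   # tier 1
INVENTORY.register(Device("laptop-2", "bob", True, False, 12))    # tier 0

ALICE = User("alice", ["eng", "sre"])
BOB = User("bob", ["eng"])
WIKI = Service("wiki", required_tier=0, allowed_groups=["eng"])
PROD_ADMIN = Service("prod-admin", required_tier=2, allowed_groups=["sre"])

if __name__ == "__main__":
    for user, dev, svc, ip in [(ALICE, "laptop-1", PROD_ADMIN, "203.0.113.7"),
                               (ALICE, "laptop-3", PROD_ADMIN, "10.0.0.5"),
                               (BOB, "laptop-2", WIKI, "203.0.113.9"),
                               (BOB, "laptop-2", PROD_ADMIN, "10.0.0.6"),
                               (ALICE, "laptop-9", WIKI, "10.0.0.7")]:
        print(user.username, dev, svc.name, ip, "->",
              authorize(INVENTORY, user, dev, svc, ip))
```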
Amarabha Banerjee
16 Jul 2018
3 min read

Is Facebook planning to spy on you through your mobile’s microphones?

You must have heard about the recent Cambridge Analytica scandal involving Facebook and user data theft. In its aftermath, many have become cautious about using Facebook and wonder how safe their personal data is going to be. Now, Facebook has filed for a patent on a technology that would allow an ambient audio signal to activate your mobile phone's microphone remotely and record without you even knowing. This news definitely comes as a shock, especially after Facebook's Senate hearing early this year and its apologetic messages regarding the Cambridge Analytica scandal. If you weren't taking your data privacy seriously, it's high time you did.

According to Facebook, this is how the patent-pending tech would work. Smartphones can detect signals outside the range of human perception, meaning we can neither hear nor see those signals. Advertisements on TV or any other device would be preloaded with such signals. When your smartphone detects such a hidden signal from an advert or any other commercial, it would automatically activate the phone's microphone and start recording ambient noise and sounds. The sound recorded would include everything in the background, from your normal conversations to the ambient noise of the program or any other kind of noise. This would be stored online and sent back to Facebook for analysis.

Facebook claims it will only look at the user's reaction to the advert. For example, if the ambient advert is heard in the background, it means the users moved away from it after seeing it. If they change channels, that means they are not interested either in the advert or in the product. If the ambient sound is direct, that means the users stayed on the couch as the ad was playing. This will give Facebook a rich set of data on which ads people are more interested in watching and also a count of the people watching a particular ad.
This data in turn will help Facebook place the right kind of ads for its users, with prior knowledge of their interest in them. All this is explained from Facebook's point of view, which at the moment sounds very idealistic. Do we really believe that Facebook is applying for this patent with such naive intentions, to save our time from unwanted ads and show us the ads that matter? Or is there something more devious involved? The capability to listen to our private conversations, record them unknowingly and then save them online with our identities attached sounds more like a plot from a Hollywood espionage movie.

The patent was filed back in 2016 but has resurfaced in discussions now. The only factor that is a bit comforting is that Facebook is not actively pursuing this patent. Does it mean a change of heart? Or is it a temporary pause which will resume after the current tensions are doused?
Owen Roberts
12 Jun 2016
4 min read

Cyber Security and the Internet of Things

We're living in a world that's more connected than we once ever thought possible. Even 10 years ago, the idea of our household appliances being connected to our Nokias was impossible to comprehend. But things have changed, and almost every week we seem to see another day-to-day item connected to the internet. Twitter accounts like @internetofShit are dedicated to pointing out every random item that is now connected to the internet, from smart wallets to video-linked toothbrushes to DRM-infused wine bottles. But there is a very real side to all the laughing and caution: for every connected device you add to your network, you're giving attackers another potential hole to crawl through.

IoT security has simply not been given much attention by companies. Last year two security researchers managed to wirelessly hack into a Jeep Cherokee, first by taking control of the entertainment system and windshield wipers before moving on to disable the accelerator; just months earlier a security expert managed to take over a plane and force it to fly sideways by making a single engine go into climb mode. In 2013 over 40 million credit card numbers were taken from US retailer Target after hackers managed to get into the network via the AC company that worked with the retailer. The reaction to these events was huge, along with the multitude of editorials wondering how this could happen, while security experts were wondering in turn how it took so long.

The problem until recently was that the IoT was seen mostly as a curio. A phone app that turns your light on or sets the kettle at the right time was seen as a quaint little toy to mess around with for a bit; it was hard for most to fully realize how it could tear a massive hole in your network security.
Plus, the speed at which these new gadgets are entering the market is increasing: what used to take 3-4 years to reach the market is now taking a year or less to capitalize on the latest hype. Kickstarter projects by those new to business are being sent out into the world, and homebrew is on the rise. To give an example of how this landscape could affect us, the French technology institute Eurecom downloaded some 32,000 firmware images from potential IoT device manufacturers and discovered 38 vulnerabilities across 123 products. These products were found in at least 140K devices accessible over the internet. Now imagine what the total number of vulnerabilities across all IoT products on all networks is; the potential number is scarily huge.

The wind is changing, slowly. In October, the IoT Security Summit is taking place in Boston, with speakers from both the FBI and US Homeland Security playing prominent roles. Experts are finally speaking up about the need to properly secure our interconnected devices. As the IoT becomes mainstream and interconnected devices become more affordable to the general public, we need to do all we can to ensure that potential security cracks are filled as soon as possible; every new connection is a potential entrance for attackers to break in, and many people simply have little to no knowledge of how to improve their computer security. While this will improve as time goes on, companies and developers need to be proactive in their advancement of IoT security. Choosing not to do so will mean that the IoT becomes less of a tech revolution and more of a failure left by the wayside.
Guest Contributor
05 Sep 2018
6 min read

How to beat Cyber Interference in an Election process

The battle for political influence and power is transcending all boundaries and borders. There are many interests at stake, and some parties, organizations, and groups are willing to pull out the "big guns" in order to get what they want. "Hacktivists" are gaining steam and prominence these days. However, governmental surveillance and even criminal (or, at the very least, morally questionable) activity can happen too, and when it does, the scandal rises to the most prominent headlines in the world's most influential papers.

That was the case in the United States' presidential election of 2016 and in France's most recent process. Speaking of the former, Congress and the Department of Investigations revealed horrifying details about Russian espionage activity in the heat of the battle between Democrat Hillary Clinton and Republican Donald Trump, who ended up taking the honors. As for the latter, the French had better luck in their quest to prevent the Russians from wreaking havoc in the digital world. In fact, it wasn't luck: it was due diligence, a sense of responsibility, and a clever way of using past experiences (such as what happened to the Americans) to learn and adjust.

Russia's objective was to influence the outcome of the process by publishing top secret and compromising conversations between high-ranking officials. In their attempt to interfere in the American elections, they managed to get into networks and systems controlled by the state to publish fake news, buy Facebook ads, and employ bots to spread the fake news pieces.

How to stop cyber interference during elections

Everything should start with awareness about how to avoid hacking attacks, as well as smoother communication and integration between security layers. Since the foundation of it all is the law, each country needs to continually make upgrades to have all systems ready to avoid and fight cyber interference in elections and in all facets of life.
Diplomatic relationships need to establish just how far a nation state can go in defending its sovereignty against such crimes. Pundits and experts in the matter state that until the system is hacking-proof and can offer reliability, every state needs to gather and count hand votes as a backup to digital votes. Regarding this, some advocates recently told Congress that the United States should implement paper ballots that provide physical evidence of every vote, effectively replacing the unreliable and vulnerable machines currently used. According to J. Alex Halderman, who is a computer science teacher, such ballots might look "low tech" to the average eye, but they represent a "reliable and cost-effective defense."

Paying due attention to every detail

Government authorities need to pay better attention to propaganda (especially Russian propaganda), because it may show patterns about the nation's intentions. By now, we all know what the Russians are capable of, and figuring out their intentions would go a long way in helping the country prepare for future attacks in a better way. The American government may also require Russian media and social platforms to register under FARA, the Foreign Agents Registration Act. That way, there will be a more efficient database of who is a foreign agent of influence. One of the most critical corrective measures to be taken in the future is prohibiting the purchase of advertising that directly influences the outcome of certain processes and elections.

Handing out diplomatic sanctions just isn't enough

Lately, the US Congress, with the approval of President Trump, has been handing out sanctions to people involved in the 2016 cyber attack. However, a far more effective measure would be enhancing cyber defense, because it can offer immediate detection of threats and is well equipped to bring any network intrusions to an end.
According to the scientist Thomas Schelling, the fear of the consequences of any given situation can be a powerful motivator, but it can be difficult to deter individuals or organizations that can't be easily tracked and identified, and that act behind irrational national ideologies and political goals. Instead, adopting cyber defense can stop any intrusion in time and offer more efficient punishments. Active defense is legally viable and a very capable solution because it can disrupt the perpetrators outside of one's own networks. Enabling the "hack back" approach can allow countries to take justice into their own hands in case of any cyber attack attempt. The next step would be working on lowering the threshold required to enable this kind of response.

Cyber defense is the way to go

Cyber defense measures can be very versatile and have proven effectiveness. Take the example of France: in the most recent elections, French intelligence watched Russian cyber activity for the duration of Emmanuel Macron's election campaign. Some strategies include letting the hackers steal fake files and documents, misleading them and making them waste their time. Cyber defense can also embed beacons that disclose the attackers' current location or disrupt their networks. There is even the possibility of erasing stolen information. In the case of France, cyber defense specialists were one step ahead of the Russians: they made false email accounts and introduced numerous fake documents and files that discouraged the Russians.

Known systems, networks, and platforms

The automated capabilities of cyber defense can trump any malicious attempt or digital threat. For example, the LightCyber Magna platform can process large amounts of information. Such a system may have been able to stop Russian hackers from installing malware on the DNC (Democratic National Committee).
Another cyber defense tool, Palo Alto Networks Traps, is known to block malware as strong as the WannaCry ransomware that encrypted more than 200,000 computers in almost a hundred countries. Numerous people lost their data or had to pay thousands of dollars to recover it.

VPN: an efficient cybersecurity tool

Another perfectly usable cyber defense tool is the Virtual Private Network. VPNs such as Surfshark can encrypt all traffic shared online, as well as mask the user's IP address. They effectively provide anonymous browsing as well as privacy. Cyber defense isn't just a luxury that a handful of countries can afford: it is a necessity, a tool that helps combat cyber interference not only in elections but in every facet of life and international relationships.

Author Bio: Harold is a cybersecurity consultant and a freelance blogger. He's currently working on a cybersecurity campaign to raise awareness around the threats that businesses can face online.

How DevOps can improve software security
Hari Vignesh
11 Jun 2017
7 min read
The term “security” often evokes negative feelings among software developers because it is associated with additional programming effort, uncertainty and roadblocks to fast development and release cycles. To secure software, developers must follow numerous guidelines that, while intended to satisfy some regulation or other, can be very restrictive and hard to understand. As a result, a lot of fear, uncertainty and doubt can surround software security.

First, let’s consider the survey conducted by SpiceWorks, in which IT pros were asked to rank a set of threats in order of risk to IT security. According to the report, the respondents ranked the following as their organization’s three biggest risks to IT security:

• Human error
• Lack of process
• External threats

DevOps can positively impact all three of these major risk factors without negatively impacting the stability or reliability of the core business network. Let’s discuss how security in DevOps attempts to combat the toxic environment surrounding software security by shifting the paradigm from following rules and guidelines to creatively determining solutions for tough security problems.

Human error

We’ve all fat-fingered configurations and code before. Usually we catch them, but once in a while they sneak into production and wreak havoc on security. A number of “big names” have been caught in this situation, where a simple typo introduced a security risk. Often these occur because we’re so familiar with what we’re typing that we see what we expect to see, rather than what we actually typed.

To reduce risk from human error via DevOps you can:

• Use templates to standardize common service configurations
• Automate common tasks to avoid simple typographical errors
• Read twice, execute once

Lack of process

First, there’s the fact that there’s almost no review of the scripts that folks already use to configure, change, shut down, and start up services across the production network. Don’t let anyone tell you they don’t use scripts to eliminate the yak shaving that exists in networking and infrastructure, too. They do. But those scripts aren’t necessarily reviewed, they certainly aren’t versioned like the code artifacts they are, and they are rarely reused. The other problem is simply that there’s no governed process. It’s tribal knowledge.

To reduce risk from a lack of process via DevOps:

• Define the deployment process clearly. Understand prerequisites and dependencies, and eliminate redundancies or unnecessary steps.
• Move toward the use of orchestration as the ultimate executor of the deployment process, employing manual steps only when necessary.
• Review and manage any scripts used to assist in the process.

External threats

At first glance, this one seems to be the least likely candidate for being addressed with DevOps. Given that malware and multi-layered DDoS attacks are the most existential threats to businesses today, that’s understandable. There are entire classes of vulnerabilities that can only be detected manually by developers or experts reviewing the code. But that review doesn’t really extend to production, where a risk becomes reality when it is exploited. One way that DevOps can reduce potential risk is more extensive testing and development of web app security policies during development, which can then be deployed in production.

Adopting a DevOps approach to developing those policies, and treating them like code too, produces a policy faster and makes it more likely to be thorough, so it does a better job overall of preventing the existential threats from becoming all-too-real nightmares.

To reduce the risk of threats becoming reality via DevOps:

• Shift web app security policy development and testing left, into the app development life cycle.
• Treat web app security policies like code. Review and standardize.
• Test often, even in production.
• Automate using technology such as dynamic application security testing (DAST) and, when possible, integrate results into the development life cycle for faster remediation that reduces risk earlier.

Best DevOps practices

Below is a list of the top five DevOps practices and tooling that can help improve overall security when incorporated directly into your end-to-end continuous integration/continuous delivery (CI/CD) pipeline:

• Collaboration
• Security test automation
• Configuration and patch management
• Continuous monitoring
• Identity management

Collaboration and understanding your security requirements

Many of us are required to follow a security policy. It may be in the form of a corporate security policy, a customer security policy, and/or a set of compliance standards (e.g. SOX, HIPAA). Even if you are not mandated to use a specific policy or regulating standard, we all still want to ensure we follow best practices in securing our systems and applications. The key is to identify your sources of security expertise, collaborate early, and understand your security requirements early so they can be incorporated into the overall solution.

Security test automation

Whether you’re building a brand new solution or upgrading an existing one, there are likely several security considerations to incorporate. Due to the nature of quick and iterative agile development, tackling all security at once in a “big bang” approach will likely result in project delays. To keep projects moving, a layered approach can help ensure you are continuously building additional security layers into your pipeline as you progress from development to a live product. Security test automation can ensure you have quality gates throughout your deployment pipeline, giving immediate feedback to stakeholders on security posture and allowing for quick remediation early in the pipeline.

Configuration management

In traditional development, servers/instances are provisioned and developers are able to work on the systems. To ensure servers are provisioned and managed using consistent, repeatable and reliable patterns, it’s critical to have a strategy for configuration management. The key is ensuring you can reliably guarantee and manage consistent settings across your environments.

Patch management

Similar to the concerns with configuration management, you need a method to quickly and reliably patch your systems. Missing patches are a common cause of exploited vulnerabilities, including malware attacks. Being able to quickly deliver a patch across a large number of systems can drastically reduce your overall security exposure.

Continuous monitoring

Ensuring you have monitoring in place across all environments, with transparent feedback, is vital so it can alert you quickly to potential breaches or security issues. It’s important to identify your monitoring needs across the infrastructure and application, and then take advantage of the tooling that exists to quickly identify, isolate, shut down, and remediate potential issues before they happen or before they are exploited. Part of your monitoring strategy should also include the ability to automatically collect and analyze logs. The analysis of running logs can help identify exposures quickly. Compliance activities can become extremely expensive if they are not automated early.

Identity management

DevOps practices allow us to collaborate early with security experts, increase the level of security tests and automation to enforce quality gates for security, and provide better mechanisms for ongoing security management and compliance activities. While painful to some, it has to be important to all if we don’t want to make headlines.

About the Author

Hari Vignesh Jayapalan is a Google Certified Android app developer, IDF Certified UI & UX Professional, street magician, fitness freak, technology enthusiast, and wannabe entrepreneur. He can be found on Twitter @HariofSpades.

SysAdmin & Security - Salary & Skills Video
Packt Publishing
05 Aug 2015
1 min read
What do Sys Admins and Security specialists need to get the best salary they can get in the world today? What skills are companies looking for their employees to have mastered? We interviewed over 2,000 sys admins and security specialists to see the latest trends so far this year for you to take advantage of. Which industries value admins the most highly? Do Linux or Windows lead the way with superior tools? What role does Python have for the budding pentester in the community today? And what comes out on top – Puppet, Chef, Ansible, or Salt? With this animation on our Skill Up survey results you can get the answers you need and more! View the full report here: www.packtpub.com/skillup/sys-admin-salary-report

How to take a business-centric approach to security
Hari Vignesh
03 Sep 2017
6 min read
Today’s enterprise is effectively borderless, because customers and suppliers transact from anywhere in the world, and previously siloed systems are converging on the core network. The shift of services (and data) into the cloud, or many clouds, adds further complexity to the security model. Organizations that continue to invest in traditional information security approaches either fall prey to cyber threats or find themselves unprepared to deal with cyber crimes.

I think it is about time for organizations to move their cyber security efforts away from traditional defensive approaches to a proactive approach aligned with the organization’s business objectives.

To illustrate and simplify, let’s classify traditional information security approaches into three types.

IT infrastructure-centric approach

In this traditional model, organizations tend to augment their infrastructure with products of a particular vendor, which form building blocks for their infrastructure. As the IT infrastructure vendors extend their reach into security, they introduce their security portfolio to solve the problems their products generally introduce. Microsoft, IBM, and Oracle are some examples of vendors with a complete range of products in the IT infrastructure space. In most such cases the decision maker would be the CIO or Infrastructure Manager, with little involvement from the CISO and business representatives.

Security-centric approach

This is another traditional model, whereby security products and services are selected based upon discrete needs and budgets. Generally, only research reports are consulted and highly rated products are considered, with a “rip-and-replace” mentality rather than any type of long-term allegiance. Vendors like FireEye, Fortinet, Palo Alto Networks, Symantec, and Trend Micro fall in this category. Generally, the CISO or security team is involved, with little to no involvement from the CIO or business representatives.

Business-centric approach

This is an emerging approach, wherein decisions affecting the cybersecurity of an organization are made jointly by corporate boards, CIOs, and CISOs. This new approach helps organizations plan an effective security program driven by business requirements, with a holistic scope including all business representatives, the CIO, the CISO, third parties, suppliers and partners; this improves cybersecurity effectiveness and operational efficiency and helps align enterprise goals and objectives.

The traditional approaches to cybersecurity are no longer working, as the critical link between the business and cybersecurity is missing. These approaches are generally governed by enterprise boundaries, which no longer exist with the advent of cloud computing, mobile and social networking. Another limitation of traditional approaches is that they are very audit-centric and compliance driven, which means the controls are limited by audit domain and driven largely by regulatory requirements.

Business-centric approach to security

Add in new breeds of threat that infiltrate corporate networks and it is clear that CIOs should be adopting a more business-centric security model. Security should be a business priority, not just an IT responsibility.

So, what are the key components of a business-centric security approach?

Culture

Organizations must foster a security-conscious culture whereby every employee is aware of potential risks, such as malware propagated via email or saving corporate data to personal cloud services such as Dropbox. This is particularly relevant for organizations that have a BYOD policy (and even more so for those that don’t and are therefore more likely to be at risk of shadow IT). According to a recent Deloitte survey, 70 per cent of organizations rate their employees’ lack of security awareness as an ‘average’ or ‘high’ vulnerability. Today’s tech-savvy employees are accessing the corporate network from all sorts of devices, so educating them around the potential risks is critical.

Policy and procedures

As we learned from the Target data breach, the best technologies are worthless without incident response processes in place. The key outcome of effective policy and procedures is the ability to adapt to evolving threats; that is, to incorporate changes to the threat landscape in a cost-effective manner.

Controls

Security controls deliver policy enforcement and provide hooks for delivering security information to visibility and response platforms. In today’s environment, business occurs across, inside and outside the office footprint, and infrastructure connectivity is increasing. As a result, controls for the environment need to extend to where the business operates. Key emergent security controls include:

• Uniform application security controls (on mobile, corporate and infrastructure platforms)
• Integrated systems for patch management
• Scalable environment segmentation (such as for PCI compliance)
• Enterprise Mobility Application Management for consumer devices
• Network architectures with edge-to-edge encryption

Monitoring and management

A 24×7 monitoring and response capability is critical. While larger enterprises tend to build their own Security Operations Centers, the high cost of having staff around the clock and the need to find and retain skilled security resources is too much for the medium enterprise. Moreover, according to Verizon Enterprise Solutions, companies only discover breaches through their own monitoring in 31 per cent of cases. An outsourced solution is the best option, as it enables organizations to employ sophisticated technologies and processes to detect security incidents in a cost-effective manner.

A shift in focus

It’s never been more critical for organizations to have a robust security strategy. But despite the growing number of high-profile data breaches, too much information security spending is dedicated to the prevention of attacks, and not enough is going into improving (or establishing) policies and procedures, controls and monitoring capabilities. A new approach to security is needed, where the focus is on securing information from the inside out, rather than protecting information from the outside in. There is still value in implementing endpoint security software as a preventative measure, but those steps now need to be part of a larger strategy that must address the fact that so much information is outside the corporate network.

The bottom line is that planning cybersecurity with a business-centric approach can lead to concrete gains in productivity, revenue, and customer retention. If your organization is among the majority of firms that don’t, now would be a great time to start.

About the Author

Hari Vignesh Jayapalan is a Google Certified Android app developer, IDF Certified UI & UX Professional, street magician, fitness freak, technology enthusiast, and wannabe entrepreneur. He can be found on Twitter @HariofSpades.

Security in 2017: What's new and what's not
Erik Kappelman
22 Feb 2017
5 min read
Security has been a problem for web developers since before the Internet existed. By this, I mean network security was a problem before the Internet—the network of networks—was created. Internet and network security has gotten a lot of play recently in the media, mostly due to some high-profile hacks that have taken place. From the personal security perspective, very little has changed. The prevalence of phishing attacks continues to increase as networks become more secure. This is because human beings remain a serious liability when securing a network. However, this type of security discussion is outside the scope of this blog.

Due to the vast breadth of this topic, I am going to focus on one specific area of web security: securing websites and apps from the perspective of an open source developer, with a focus on the tools that can be used to secure Node.js. This is not an exhaustive guide to secure web development. Consider this blog a quick overview of the current security tools available to Node.js developers.

A good starting point is a brief discussion of injection theory. This article provides a more in-depth discussion if you are interested. The fundamental strategy of an injection attack is finding a way to modify a command on the server by manipulating unsecured data. A classic example is the SQL injection, in which SQL is injected through a form into the server in order to compromise the server’s database. Luckily, injection is a well-known infiltration strategy and there are many tools that help defend against it.

One method of injection compromises HTTP headers. A quick way to secure your Node.js project from this attack is through the use of the helmet module. The following code snippet shows how easy it is to start using helmet with the default settings:

    var express = require('express')
    var helmet = require('helmet')
    var app = express()
    app.use(helmet())

Just the standard helmet settings should go a long way toward a more secure web app. By default, helmet will prevent clickjacking, remove the X-Powered-By header, keep clients from sniffing the MIME type, add some small cross-site scripting (XSS) protections, and add other protections. For further defense against XSS, use of the sanitizer module is probably a good idea. The sanitizer module is relatively simple. It helps remove syntax from HTML documents that could allow for easy XSS.

Another form of injection attack is the SQL injection. This attack consists of injecting SQL into the backend as a means of entry or destruction. The sqlmap project offers a tool that can test an app for SQL injection vulnerabilities. There are many tools like sqlmap, and I would recommend weaving a variety of automated vulnerability testing into your development pattern. One easy way to avoid SQL injection is the use of parameterized queries. The PostgreSQL database module supports parameterized queries as a guard against SQL injection.

A fundamental part of any secure website or app is the use of secure transmission via HTTPS. Accomplishing encryption for your Node.js app can be fairly easy, depending on how much money you feel like spending. In my experience, if you are already using a deployment service, such as Heroku, it may be worth the extra money to pay the deployment service for HTTPS protection. If you are categorically opposed to spending extra money on web development projects, Let’s Encrypt is a free and open way to supply your web app with browser-trusted HTTPS protection. Furthermore, Let’s Encrypt automates the process of using an SSL certificate. Let’s Encrypt is a growing project and is definitely worth checking out, if you haven’t already.

Once you have created or purchased a security certificate, Node’s built-in https module can do the rest of the work for you. The following code shows how simply HTTPS can be added to a Node server once a certificate is procured:

    // curl -k https://localhost:8000/
    const https = require('https');
    const fs = require('fs');

    const options = {
      key: fs.readFileSync('/agent2-key.pem'),
      cert: fs.readFileSync('/agent2-cert.pem')
    };

    https.createServer(options, (req, res) => {
      res.writeHead(200);
      res.end('hello security\n');
    }).listen(8000);

If you are feeling adventurous, the crypto Node module offers a suite of OpenSSL functions that you could use to create your own security protocols. These include hashes, HMAC authentication, ciphers, and others.

Internet security is often overlooked by hobbyists or up-and-coming developers. Instead of taking a back seat, securing a web app should be one of your highest priorities, especially as threats on the Web become greater with each passing day. As for the topic of this blog post, what’s new and what’s not, most of what I have discussed is not new. This is in part due to the proliferation of social engineering as a means to compromise networks instead of technological methods. Most of the newest methods for protecting networks revolve around educating and monitoring authorized network users, instead of more traditional security activities. What is absolutely new (and exciting) is the introduction of Let’s Encrypt. Having access to free security certificates that are easily deployed will benefit individual developers and Internet users as a whole. HTTPS should become ubiquitous as Let’s Encrypt and other similar projects continue to grow.

As I said at the beginning of this blog, security is a broad topic. This blog has merely scratched the surface of ways to secure a Node.js app. I do hope, however, that some of the information leads you in the right, safe direction.
About the Author

Erik Kappelman is a transportation modeler for the Montana Department of Transportation. He is also the CEO of Duplovici, a technology consulting and web design company.