A vulnerability in a third-party library component has had a knock-on effect on software packages that rely on it, including the Drupal content management system.
The issue involves a cross-site scripting (XSS) bug in CKEditor, a rich text editor that comes bundled with various online applications.
An attacker might be able to exploit the XSS vulnerability to target users with access to CKEditor. This potentially includes site admins with privileged access.
Exploitation is far from straightforward and would involve tricking potential victims into copying maliciously crafted HTML code before pasting it into CKEditor in ‘WYSIWYG’ mode.
“Although this is an unlikely scenario, we recommend upgrading to the latest editor version,” developers of CKEditor explain in an advisory, issued earlier this month.
CKEditor 4.14 fixes this XSS vulnerability in the HTML data processor, discovered by Michał Bentkowski of Securitum, and also brings feature improvements and a fix for an unrelated XSS vulnerability in the third-party WebSpellChecker Dialog plugin.
An advisory from Drupal, issued on Wednesday, instructs users to update to a version of the CMS that ships the updated CKEditor in order to mitigate the vulnerability.
In practice, this means upgrading to either Drupal 8.8.4 or Drupal 8.7.12.
The security flaw is described as “moderately critical” by Drupal, even though attackers would need to be able to create or edit content in order to attempt exploitation.
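The advisory above describes the vulnerable path: HTML copied from an untrusted source and pasted into a WYSIWYG editor, which then has to decide what survives into the stored document. The following is an added illustrative example (not CKEditor's, Drupal's or Securitum's code) of the defensive pattern an HTML data processor is expected to apply: a default-deny allowlist filter built on Python's standard `html.parser`. The tag and attribute lists, the URL scheme rules and the sample clipboard payload are constructed for the demo.

```python
"""Allowlist sanitizer for pasted HTML (added example, not CKEditor or Drupal code).

Rich-text editors must treat pasted HTML as untrusted input.  This is an
illustrative default-deny filter built on the standard library's html.parser:
unknown tags are dropped (their text is kept), script-like containers are
dropped together with their content, and only a short list of attributes
survives, with URL attributes restricted to http(s)/mailto or relative URLs.
The tag and attribute lists below are assumptions chosen for the demo.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math"}
VOID_TAGS = {"br", "img"}


def _safe_url(value: str) -> bool:
    """Accept relative URLs and allowlisted schemes only.

    Control characters and whitespace are removed before the check so that
    tricks such as 'java\\tscript:' or a leading space do not bypass it."""
    v = "".join(ch for ch in value.lower() if ord(ch) > 32)
    has_scheme = ":" in v.split("/")[0]
    return (not has_scheme) or v.startswith(SAFE_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element dropped with its content

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content still flows through
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this drops every on* event handler and style attribute
            value = value or ""
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # character references were decoded by the parser; re-escape on output
            self.out.append(escape(data, quote=False))


def sanitize_html(fragment: str) -> str:
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


# Constructed sample: a clipboard payload mixing benign formatting with an
# event handler, a script block, a javascript: link and an onerror image.
SAMPLE_PASTE = (
    '<p onmouseover="alert(1)">Hello <b>world</b></p>'
    '<script>alert(document.cookie)</script>'
    '<a href="javascript:alert(2)" title="x">click</a>'
    '<a href="https://example.org/">ok</a>'
    '<img src="x" onerror="alert(3)">'
)

if __name__ == "__main__":
    print(sanitize_html(SAMPLE_PASTE))
```

The design point is that the filter never tries to recognise "bad" markup; it only reproduces markup it positively recognises as harmless, so a newly discovered parser quirk in the input is far less likely to reach the stored document. A real editor also has to run this on the server side, since the client-side copy can be bypassed.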
The most exciting breakthroughs of the twenty-first century will not occur because of technology, but because of an expanding concept of what it means to be human. — John Naisbitt
Before we dive into why more women should lead AI teams, I want to share a fascinating story I heard from Tania Biland, a 3rd-year student of Lucerne University of Applied Sciences and Arts.
The story as narrated by Tania:
Last semester, our class got split into three different groups in order to develop a safety technology solution for Swiss or German brands:
Group 1: Only women (my group)
Group 2: Only men
Group 3: Four women and one man
After 4 weeks of work, each team had to present their work.
Group 1, composed of only women, developed a safety solution for women in the dark. As the jury was only male we decided to tell a story using a persona, music, and videos in order to make them feel what women are experiencing on a daily basis. We also put emphasis on the fact that everyone has a mother, sister, or wife in their life and that they probably don’t want her/them to suffer. In the end, our solution was rather simple, technologically: using light to provide safety but connected to the audience emotionally.
Group 2, mostly composed of men, presented a more high-tech solution using AI, GPS, and video conferences. They based their arguments on facts and numbers and pointed out their competitive advantages.
In Group 3, with 4 women and 1 man, the outcome didn’t seem finished. The only man in the group could not agree to be led by women and they therefore spent too much time discussing group dynamics instead of working.
The groups not only had different outputs but also approached the problem differently. My group (group 1) decided to start by defining each other’s work preferences and styles in order to distribute some responsibilities and keep the hierarchy as flat as possible.
On the other hand, the two other groups elected a leader for the team. It turned out that these “leaders” were more perceived as dictators, which led to heavy conflicts where the teams spent hours discussing and arguing while our group was just working and productive.
What science tells us about gender differences
The science landscape with regards to gender differences and effects on behavior is still evolving and has not come up with a clear set of scientific explanations for different behaviors yet. By compiling most of the research, there are two main factors that influence behaviors:
Potential physiological differences between men and women
Social norms and pressures forming different behaviors
In the above story, as told by Tania, women developed the solution in a Collaborative Leadership Style (adhocracy culture), adapting the leading position based on the tasks with an almost flat hierarchy. They derived their argumentation by involving all stakeholders (in this case the mothers and wives = users), showing empathy for their problems. They saw the bigger picture and also built a simpler solution that was actually finished.
Through the story, I was able to connect the dots on why most AI projects never end up moving out from the prototype phase to a real-world application.
Why are AI products not adopted?
Based on my experience, there are three main reasons why most AI and Machine Learning (ML) solutions do not move from the prototyping phase to the real-world:
Lack of trust: One of the biggest difficulties for AI or ML products is lack of trust. Millions of dollars have been spent on prototyping but with very little success in real-world launches. Essentially, one of the most fundamental values of doing business and providing value to customers is trust, and Artificial Intelligence is the most heavily debated technology when it comes to ethical concerns and related trust issues. Trust comes from involving different opinions and parties in the entire development phase, which is not done in the prototype phase.
The complexity of a launch: Building a prototype is easy, but there are tens of other external entities that need to be considered when moving into the real world. Besides technical challenges, there are other areas of focus that need to be integrated with the prototyping (such as marketing, design, and sales).
AI products often do not take into account all stakeholders: I heard the story that Alexa and Google Home are being used by men to lock out their spouses in instances of domestic violence. They are turning up the music really loud, or they are locking them out of their homes. It is possible that in an environment with mostly male engineers building these products, no one is thinking about these kinds of scenarios. Additionally, there are many instances of artificial intelligence and data sensors being biased, sexist and racist.
Interestingly, none of the three points relate to the technical challenges, and all of them can be overcome by creating the right team.
How can AI be adopted more successfully?
In order to solve the above challenges and build more successful AI products, we need to focus on a more collaborative and community-driven approach.
This takes into account opinions from different stakeholders, especially those who are under-represented. Below are steps to achieve that:
Step 1. Involve different groups, especially women from the middle of the talent pyramid
In technology, most companies focus on hiring people at the top of the talent pyramid, where, for primarily historical reasons, there are fewer women. For example, most Computer Science classes have less than 10 percent women. However, many talented women are hidden in the middle of the pyramid, educating themselves through online courses but lacking opportunities and encouragement.
To give an example, I was talking with the president of Geek Girls Carrot, which is an organization promoting women in tech. They are organizing an AI workshop where over 125 women applied but they had only 25 seats, so naturally, they have to leave behind more than 100 talented women.
Imagine if we could involve most of those other 100 women instead of only those at the top. This would give a lot more women the opportunity to work in new technologies like AI.
Step 2. Build a communal and collaborative bottom-up team with different stakeholders
Next, we need more collaboration between men and women as well as different stakeholders to launch products successfully in the real market. This can be achieved through forming inclusive project communities that build AI products based on common values, beliefs, and often a bigger vision.
Proving the point, in the past six months, we brought together a group of more than 50 male and female students to build an ML model. Within a short time, members started collaborating and helping each other to build the models. Four subgroups formed, and one of them was driven by two women and supported by two men (data taggers). The other groups were all men. In 4 months, the group with the two women and two men built the most accurate model. From the beginning, the women were much more willing to collaborate than the men. However, more interestingly, I saw that the men in the group also ended up behaving more collaboratively because of the women in the group. This was fascinating!
Step 3. Create the right Organizational Structure for collaboration
What if we could create organizational structures and practices that don’t need empowerment because, by design, everybody is powerful and no one powerless? I have seen that this can be achieved by connecting intrinsic and extrinsic motivations (which is not related to money) and creating an incentive structure that is not competitive.
In my case, I built the community where the mentor was at the top of the pyramid, followed by the community manager, then engineers working on building models and finally data taggers. Members from each team were striving to move up the ladder to reach the next level, which created an extrinsic motivation. However, the monetary compensation for people on the same level was the same. This fostered collaboration.
Why women should lead AI teams
In the story from the beginning, the female group followed a more Collaborative Leadership Style by showing more customer empathy and willingness to collaborate.
Considering the limited experiment in the solar project, we saw that the approach to use the community to build products helped as well to foster collaboration and build trust among community members.
While none of the mentioned qualities can be generalized, the following graphic aims to summarize some of the reasons why many women are a great fit for Collaborative Leadership.
In conclusion, I am arguing that we should think more holistically and do our best to create the right environment where we look beyond gender, race, and cultural background and focus on how we can collaborate as humans to build a better future.
This article was originally published on Towards Data Science by Rudradeb Mitra. He started his career as an AI researcher and published 10 research papers. After graduating from the University of Cambridge, he was part of building various startups in the US, UK, Belgium, and Poland. His current focus is driving innovation bottom-up and solving various social problems around the world using AI through global collaboration of changemakers from over 75 countries. He also wrote a book on AI and has been invited to speak at over 100 events. Besides that, he has no phone, meditates a couple of hours a day, and lives life with no goals and in a state of Wu wei.
The Cyberspace Solarium Commission will recommend that the Department of State establish a bureau focused on international cybersecurity efforts and emerging technologies as part of its forthcoming report, commissioners said March 3 at the Carnegie Endowment for International Peace.
The suggestion from the commission, made up of government and non-government cybersecurity experts developing cyber policy recommendations, comes as part of a broader belief in the group that the State Department needs to be more involved on cybersecurity issues.
Among the report’s 75 recommendations, set for release March 11, will be the proposal for a new State Department office called the “Bureau for Cyberspace Security and Emerging Technologies,” in addition to a new assistant secretary of state position to coordinate international outreach for cyber issues and emerging tech.
The new position would report to the deputy secretary of state or undersecretary of political affairs, according to Rep. Jim Langevin, D-R.I., a member of the commission. The goal of the new office is to take cybersecurity issues at the department and “raising its level of importance and stature … to reinforce that this is an international approach that we need to and want to take,” Langevin said.
In its fiscal 2021 budget request, released in February, the State Department asked Congress for $6 million in new funding to establish a “Cyberspace Security and Emerging Technologies” office. According to the budget request, the office would “allow the Department of State to ensure the development of long-term, comprehensive expertise in order to fully support U.S. foreign policy and diplomatic initiatives needed to meet the national security challenges posed by cyberspace and emerging technologies.”
Right now, the top cybersecurity official at the State Department is Robert Strayer, who has headed 5G policy and international outreach for that issue. That effort has centered on convincing allies not to use hardware from the China-based Huawei company in their 5G networks — an effort that has had limited success.
For example, Great Britain announced last month that it would allow Chinese tech in non-critical portions of its 5G network. Germany is also reportedly expected to make a decision soon. Chris Inglis, former deputy director of the NSA and current Solarium commissioner, said that the United States may have had limited success on the issue because U.S. policymakers were “late to the game” and there wasn’t an agency charged with that role. That’s a gap the suggested bureau would fill.
The commission is needed “so that in the future hopefully 6G, 7G, 10G will be the responsibility of somebody at least in terms of the international portfolio,” Inglis said.
Two weeks ago, the State Department was a key part of an international effort attributing a 2019 cyberattack on the country of Georgia to Russian military intelligence. Langevin wants to see more.
“They need more resources, more people, more expertise within the State Department to raise the profile and also to be able to be proactive in being involved with international …. groups that are involved in setting international cyber norms,” he said.
Cybersecurity is the set of practices, processes and systems for protecting Information Technologies (IT), which consists of computers, networks, software and stored information, from digital attack. Cybersecurity has become a preoccupation for the government, private sector, institutions and individuals. Billions are spent annually to defend governmental, corporate, and personal IT from cyber intrusion. Innovative companies have developed new ways of providing security.
A major aspect of cybersecurity is the protection of critical infrastructure. The Department of Homeland Security defines critical infrastructure as “the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” There are 16 critical infrastructure sectors, including energy, communications, food and agriculture, transportation, water and wastewater, nuclear power and materials, major manufacturing, and defense industries.
All these sectors are dependent on IT, not merely for communications or billing, but for the operation of major physical systems. Most of them employ IT-based supervisory control and data acquisition (SCADA) systems to monitor and operate a wide variety of hardware. For example, the energy sector is critically dependent on SCADA technology to manage the flow of power, direct the operation of production and storage facilities, and monitor the state of energy usage.
The threat to these large, complex systems, essential to not only the way we live but our very lives, is quite severe. The same IT and SCADA systems that allow for the efficient management and operation of critical infrastructure sectors also create enormous vulnerabilities that adversaries will seek out to exploit. The cyber threat to our energy sector, perhaps the most critical of all, has been growing for years. According to a report by the Idaho National Laboratory prepared for the Department of Energy: “Cybersecurity for energy delivery systems has emerged as one of the Nation’s most serious grid modernization and infrastructure protection issues.”
The dominant focus of infrastructure security is on protecting computers and networks from the introduction of malware. When it comes to critical infrastructure, hackers look for ways of entering the networks and then wend their way to the software programs that control operations. Often, the hackers will look for easy entry points, such as electronic billing systems or supply chain communications, from which they can then launch attacks against SCADA systems or other IT-based means of monitoring and directing operations within a sector.
It is becoming harder to protect entire networks from hacking. The explosive growth in the use of IT for personal and business purposes, and the move to a world where the so-called Internet of Things is ubiquitous, has resulted in a massive increase in potential entry points for hackers. Recently, it was discovered that IT-enabled baby monitors could be hacked. Moreover, hackers keep finding new network vulnerabilities and investing in ever-more sophisticated malware.
Protecting critical infrastructure is a never-ending problem. Operating systems must be constantly patched as vulnerabilities are uncovered. Computer systems and networks are routinely needing upgrades as new malware is developed. The expense of that is significant. Some experts have characterized IT security spending as a “black hole.” Any new approach that does not have to be constantly enhanced would significantly reduce future costs of cyber defense.
An alternative approach to establishing a high level of infrastructure security at an affordable cost is by focusing on operational technologies or OT. OT consists of hardware, such as valves, pumps, generators and SCADA-enabled machinery, all of which are critical to the operation of networks that deliver power, water, and oil and gas.
By focusing appropriate critical infrastructure protection on keeping OT secure, utility companies and others in critical infrastructure sectors can simplify their cybersecurity requirements and significantly reduce costs. The key is to focus on protecting IT-directed OT, rather than an entire network. This can be done by placing a device that only allows pre-defined, legitimate signals to be sent to the OT on a network. No non-specified commands could pass through a protective device. Even if a hacker could penetrate an electric utility’s network, no malware intended to cause OT malfunction could penetrate a device or machine.
Such a system, called Binary Armor, already exists. It could revolutionize the protection of OT. Essentially, it places an in-line barrier to cyber intrusion on a network in front of the OT device. The Binary Armor unit monitors all communications to a piece of OT. Only legitimate commands within the defined operating parameters of the OT can pass through. A command that would cause the OT to behave improperly, or self-destructively, could not pass, regardless of how cleverly the malware was written. This system also will prevent accidentally sending the wrong command to the OT, which is what happened in the Chernobyl disaster.
Because the system is “pre-loaded” with the legitimate commands and operating parameters for that OT, it will rarely need to be upgraded, unlike typical cybersecurity systems. Moreover, Binary Armor would allow utilities and other critical infrastructure sectors to use commercial networks, rather than proprietary ones, further reducing cybersecurity costs. Finally, it would radically increase the problem and costs for the hacker, primarily because a Binary Armor unit must be physically accessed to be reprogrammed.
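The protection described above rests on a single idea: the filter is pre-loaded with the commands and operating parameters the equipment may receive, and everything else is dropped, however the traffic got onto the network. The following added example (illustrative code, not Binary Armor's or any vendor's implementation) models that policy over simplified Modbus-style requests: reads are restricted to a listed register window, writes are restricted to listed registers with a closed value range, any other function code or unit is denied, and every decision is logged. The register map, value ranges and sample traffic are constructed assumptions for the demo.

```python
"""Default-deny allowlist filter for OT commands (added example; not Binary Armor code).

Toy model of an in-line device that forwards only pre-defined commands within
the operating parameters of the equipment behind it.  Requests are simplified
Modbus-style (unit id, function code, register, value); the policy and the
traffic below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Modbus public function codes used in the demo
FC_READ_HOLDING = 3
FC_WRITE_SINGLE = 6


@dataclass(frozen=True)
class Request:
    unit: int    # unit (slave) id
    fc: int      # function code
    reg: int     # starting register
    value: int   # value for writes, register count for reads


# Constructed policy (assumption): per unit, the readable register window, the
# writable registers with the closed interval the hardware can safely accept,
# and the maximum number of registers a single read may touch.
POLICY = {
    1: {
        "readable": range(40001, 40011),
        "writable": {40001: (0, 100),   # pump speed, percent
                     40002: (0, 1)},    # valve closed/open
        "max_read_count": 10,
    }
}


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly listed is denied."""
    unit = POLICY.get(req.unit)
    if unit is None:
        return False, "unknown unit"
    if req.fc == FC_READ_HOLDING:
        if req.value < 1 or req.value > unit["max_read_count"]:
            return False, "read count out of policy"
        if all(r in unit["readable"] for r in range(req.reg, req.reg + req.value)):
            return True, "read within allowed registers"
        return False, "read touches unlisted register"
    if req.fc == FC_WRITE_SINGLE:
        bounds = unit["writable"].get(req.reg)
        if bounds is None:
            return False, "write to unlisted register"
        lo, hi = bounds
        if lo <= req.value <= hi:
            return True, "write within operating range"
        return False, f"value {req.value} outside [{lo}, {hi}]"
    return False, f"function code {req.fc} not permitted"


def filter_stream(requests: Iterable[Request]) -> Tuple[List[Request], list]:
    """Apply the policy to a request sequence; return forwarded requests and an audit log."""
    forwarded, log = [], []
    for req in requests:
        ok, why = decide(req)
        log.append(("ALLOW" if ok else "DENY", req, why))
        if ok:
            forwarded.append(req)
    return forwarded, log


# Constructed traffic: routine operator commands mixed with requests that a
# compromised host on the network might emit (an out-of-range speed, a write to
# an unlisted register, a diagnostics function code, an unknown unit).
SAMPLE_TRAFFIC = [
    Request(1, FC_READ_HOLDING, 40001, 4),
    Request(1, FC_WRITE_SINGLE, 40001, 55),
    Request(1, FC_WRITE_SINGLE, 40001, 900),
    Request(1, FC_WRITE_SINGLE, 40005, 1),
    Request(1, 8, 0, 0),
    Request(2, FC_WRITE_SINGLE, 40002, 1),
]

if __name__ == "__main__":
    _, audit = filter_stream(SAMPLE_TRAFFIC)
    for verdict, req, why in audit:
        print(f"{verdict:5} unit={req.unit} fc={req.fc} reg={req.reg} val={req.value}: {why}")
```

Note what the model does and does not claim: it enforces a static, physically meaningful envelope, so a correctly formed but dangerous value is stopped as readily as malformed traffic, which matches the article's point that the filter rarely needs updating. It does not authenticate the sender, so a compromised operator workstation can still issue every command the policy permits; the range bounds are what limit the damage in that case.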
Currently, a Binary Armor unit must be installed on a network. This is not difficult. The current Binary Armor unit is a 3x2x2 inch box with two Ethernet access ports and a power source. It weighs about six pounds. But in the future, the basic technologies could be embedded into OT, simplifying the cybersecurity challenge.
Strong action needs to be taken now by all critical infrastructure sectors, particularly for energy, to enhance their cybersecurity protections. Public utilities would be remiss in not testing Binary Armor to understand its applicability for their networks.
Whenever we hear about major cyber security attacks such as data breaches, it’s typically larger enterprises that are the victims. That makes sense, considering those events can potentially impact a lot of people and therefore are more likely to grab headlines and garner attention.
But that doesn’t mean small and mid-sized companies (SMBs) are immune to such attacks. In fact, smaller organizations are frequent targets of cyber incidents, and they generally have far fewer resources with which to defend themselves.
A recent study by the Ponemon Institute, which conducts research on a variety of security-related topics, presents a clear picture of the cyber security challenges SMBs are facing. The report, “The 2019 Global State of Cybersecurity in SMBs,” states that for the third consecutive year small and medium-sized companies reported a significant increase in targeted cyber security breaches.
For its report, Ponemon conducted an online survey of 2,391 IT and IT security practitioners worldwide in August and September 2019, and found that attacks against U.S., U.K., and European businesses are growing in both frequency and sophistication.
Nearly half of the respondents (45%) described their organization’s IT posture as ineffective, with 39% reporting that they have no incident response plan in place.
Cyber criminals are continuing to evolve their attacks with more sophisticated tactics, and companies of all sizes are in their crosshairs, noted Larry Ponemon, chairman and founder of the Ponemon Institute. The report shows that cyber attacks are a global phenomenon, as is the lack of awareness and preparedness by businesses globally, he said.
Overall, cyber attacks are increasing dramatically, the report said. About three quarters of the U.S. companies surveyed (76%) were attacked within the previous 12 months, up from 55% in a 2016 survey. Globally, 66% of respondents reported attacks in the same timeframe.
Attacks that rely on user deception are on the rise, the study said. Overall, attacks are becoming more sophisticated, with phishing (57%), compromised or stolen devices (33%), and credential theft (30%) among the most common attacks waged against SMBs globally.
Data loss is among the most common impact of cyber security events. Worldwide, 63% of businesses reported an incident involving the loss of sensitive information about customers and employees in the previous year.
SMBs around the world increasingly are adopting emerging technologies such as mobile devices and apps, the Internet of Things (IoT), and biometrics, despite having a lack of confidence in their ability to protect their sensitive information.
Nearly half of the survey respondents (48%) access more than 50% of their business-critical applications from mobile devices, yet virtually the same portion of respondents said the use of mobile devices to access critical applications diminishes their organization’s security posture.
Furthermore, a large majority of respondents (80%) think it is likely that a security incident related to unsecured IoT devices could be catastrophic. Still, only 21% monitor the risk of IoT devices in the workplace.
The report also suggests that biometrics might finally be moving toward the mainstream. Three quarters of SMBs currently use biometrics to identify and authenticate users or have plans to do so soon.
Small and mid-sized companies can take several steps to bolster their cyber security programs. One is to educate users and managers throughout the organization about the importance of strong security and taking measures to keep data safe.
Because so many attacks begin with employees opening suspicious email attachments or clicking on links that lead to malware infestations or phishing, training users to identify these threats is vital. Companies can leverage a number of free training resources online to help spread the word about good security hygiene.
Smaller companies, particularly those with limited internal cyber security skills, can also consider hiring a managed security services provider (MSSP) to help build up a security program. Many of these firms are knowledgeable about the latest threats, vulnerabilities, and tools, and can help SMBs quickly get up to speed from a security standpoint.
And companies can deploy products and services that are specifically aimed at securing small businesses. Such tools provide protection for common IT environments such as Windows, macOS, Android, and iOS devices. They are designed to protect businesses against ransomware and other new and existing cyber threats, and prevent data breaches that can put personal and financial data at risk.
Some of these offerings can be installed in a matter of minutes with no cyber security or IT skills required, which is ideal for smaller companies with limited resources and a need to deploy stronger defenses quickly.
Chief information security officer, or CISO for short—it’s a very popular title lately, being added to C-suites at companies of all sizes. It seems corporate boards feel a company isn’t considered serious if it doesn’t have a CISO or similarly titled executive in board meetings. And due to their popularity, they are not cheap positions to fill. According to Salary.com, the average base salary for a CISO runs $168,000 to $287,000 per year. And yet, a survey by Bitglass showed that 38% of the Fortune 500 did not have a named CISO.
Company size alone may not indicate when it’s appropriate to add a CISO to your executive team. Other factors come into play, including regulatory requirements, industry, geography and whether there’s a focus on information security as a corporate priority.
Do You Need a CISO?
The most important factor as to whether a company has a CISO seems to be how regulated their industry is. In fact, many compliance regulations require having a named officer in charge of security, privacy or related matters. The FDIC and OCC, major regulators of the finance sector, both highly recommend in their guidance documents having an owner at the executive level for security functions. The GDPR (the sweeping EU privacy regulation) and CCPA (a similar law covering California residents) require officers managing the privacy of their customer’s data. Health care, gaming, legal, transportation, energy and many sectors of manufacturing also require various levels of executive involvement in information security.
When a company is highly regulated, the size really doesn’t matter. Even the smallest community bank will generally have an information security officer, though sometimes these roles have a dual responsibility. Even if your industry regulations don’t specifically require a CISO position, you may want a CISO just to coordinate the large amount of security and compliance reporting at the management and board level. However, in compliance-focused industries, it is not generally recommended that CISOs report up through IT or operational lines. You don’t want the person checking the security of your corporate infrastructure to be the same person building that infrastructure.
Does Your Industry Need a CISO?
The industry also takes a larger role than size when it comes to needing a CISO. Certain industries seem to be more security-focused than others, which might be due to the regulatory concerns listed above, the value of trade secrets and IP, public safety or other considerations. For example, the transportation industry has the highest rate of CISO positions overall. This seems obvious when you consider we don’t want hackers inside our self-driving cars or accessing airliner flight systems. Technology companies also seem to have a higher number of CISOs, especially in the security sector, since their work is more likely to have digital and online outputs. The same study by Bitglass found the hospitality industry has the lowest level of security officer positions. And, possibly not unrelated, that industry has been the target of a number of high-profile, large breaches, with both the Hilton and Marriott chains suffering multi-million record breaches in the last few years.
Does Location Matter?
Geography also has a bit to do with whether a company has a CISO. Midsized companies in the European Union are more likely to have appointed a security officer due to the GDPR regulation, which affects companies of every size in the EU. Companies located in the United States and other first-world countries also have a higher rate of CISO penetration of the C-suite compared to those in less developed countries. Hackers generally go after the richer, more established companies, and those are also the places where more of a premium is placed on information security.
Should Your Company Invest in a CISO?
Forward-thinking boards of directors, even at midsized companies, are adding CISOs. This isn’t always just because of regulations or significant IP to protect, but because threats to company security are being seen as existential threats more than ever before. The near-total reliance on the internet and IT services at most companies means that having secure and available information services is as essential as having functional sales, marketing and accurate financial reporting. Indeed, with the increasing use of external SaaS services for those functions, the security and availability of those services must be there for the other departments to do their jobs properly.
So there are many reasons that a midsized company may decide to add a CISO to its management team. Above the smallest companies, it seems that size does not have as much to do with it as the company’s industry, the amount of compliance and regulation it faces, location and an increasing belief among boards and top company leaders that information security and privacy is a core business function worthy of C-level responsibility and management.
Source: National Cyber Security – Produced By Gregory Evans Guest Contribution by Harold Kilpatrick, PR Consultancy A recent study showed that 66% of consumers had made an online purchase as a result of marketing campaigns. But most don’t even need research to know how useful email marketing can be. Between extensive reach, low cost, and […]
Ring camera doorbells gained fame for catching porch pirates stealing packages, but after several high-profile cases where hackers gained control of them they are being held up by the cybersecurity industry as a prime example of why companies and homeowners need to take IoT security seriously.
These cases revolve around malicious actors hijacking these devices and using them to communicate with people inside the home. In an incident in Mississippi a malicious actor used an internal Ring camera to talk to a young girl using racial slurs, and back in October another hacker gained control of a Nest camera and threatened to kidnap a baby.
It is believed in each case the malicious actors took advantage of the device’s poor security to gain access. In the case of the Ring camera, which is owned by Amazon, the company recommended to those buying or who already have a Ring to not reuse old passwords and to implement MFA to make it more difficult to hack.
Keeping devices up to date with secure logins and having the latest security patches is now a must for anyone who has installed this or any type of IoT, said Avast Vice President Leena Elias.
“People now need to be able to assess the security of new tech devices that could be used against them. We need to use a wide variety of security measures to ensure that devices connected to our home networks are secure,” she said, adding not to forget about the home’s router, which is frequently shipped with a standard admin login that needs to be changed.
One of the reasons consumers don’t update is that they are simply unaware of the need and the benefits of doing so. Another factor is difficulty. Gaining access to the admin functions is not always a simple matter for the average person.
“Studies in the financial industry have found consumers are willing to embrace more engagement around fraud prevention if it means their information is secured (think: multi-factor authentication). However, if consumers aren’t aware of the benefits associated with taking more control, they leave themselves vulnerable to malicious attacks,” said Sherif Samy, senior vice president, North America for Entersekt.
Source: National Cyber Security – Produced By Gregory Evans You only have one “you” that hackers, criminals and scammers would love to steal. We’re talking about identity theft, which is a bigger threat than you’re probably aware of. It’s estimated every two seconds there is another identity theft victim. And this type of theft often […]
Source: National Cyber Security – Produced By Gregory Evans We are living in a world where data is a currency, offering businesses leverage in the market. Hence data ought to be treated as a resource that needs to be exploited to the maximum potential. Normally, companies make use of structured data to collect information. However, […]