IT Security RSS Feed for 2025-02-15


Gartner: CISOs struggling to balance security, business objectives


Published: Fri, 14 Feb 2025 08:00:00 GMT

Gartner: CISOs Facing Balancing Act Between Security and Business Goals

Gartner, a leading research and advisory company, has highlighted the challenges faced by Chief Information Security Officers (CISOs) in balancing security measures with the organization’s business objectives.

Key Findings:

  • Most CISOs find it hard to demonstrate the value of security investment in terms the board recognises, so spending ends up defended on fear of incidents rather than on business outcomes.
  • Few organisations have a stated cyber risk appetite, which leaves CISOs arguing every control on its own merits instead of against an agreed tolerance.
  • Only a minority of CISOs report being able to protect the organisation and enable its business objectives at the same time; the rest lean one way or the other.

Challenges:

  • Rapidly Changing Threat Landscape: The evolving nature of cyber threats requires CISOs to constantly adapt and prioritize security measures.
  • Budget Constraints: Security investments often compete with other business initiatives for funding, especially in uncertain economic times.
  • Lack of Business Understanding: CISOs may not fully grasp the nuances of their organization’s business model and operations, which can lead to ineffective security strategies.

Balancing Act:

CISOs must find ways to balance security concerns with business imperatives. This includes:

  • Articulating Risk Appetite: Clearly defining the organization’s tolerance for cyber risks allows CISOs to prioritize security investments accordingly.
  • Quantifying Security Value: CISOs need to determine the monetary and non-monetary benefits of security measures to demonstrate their contribution to the organization.
  • Aligning Security with Business Objectives: Security strategies should align with the organization’s overall goals, such as customer satisfaction, innovation, and growth.

Recommendations:

  • Collaborate with Business Leaders: CISOs should engage with business leaders to understand their priorities and develop security solutions that support the organization’s success.
  • Embrace Risk Management: Focus on managing cyber risks proactively, rather than simply reacting to incidents.
  • Measure and Communicate Value: Track security metrics and regularly report on the effectiveness of security investments to stakeholders.

By addressing these challenges and striking a balance between security and business objectives, CISOs can enhance their credibility, justify security investments, and contribute to the overall success of their organizations.

Government renames AI Safety Institute and teams up with Anthropic


Published: Fri, 14 Feb 2025 04:52:00 GMT

Government Renames AI Safety Institute and Teams Up with Anthropic

The UK government has renamed the AI Safety Institute the AI Security Institute and signed a memorandum of understanding with Anthropic, the developer of the Claude models. The announcement was made on 14 February 2025, during the Munich Security Conference.

Rationale Behind the Name Change

The new name reflects a narrower remit. The institute will concentrate on AI risks with national security and public safety implications rather than broader questions such as bias or free speech. Priority areas are how models could help develop chemical or biological weapons, how they could be used to mount cyber attacks, and how they enable crimes such as fraud and child sexual abuse. A new criminal misuse team, set up with the Home Office, will research the last of these.

Partnership with Anthropic

The memorandum of understanding is non-binding. It covers exploring how Anthropic's models could be used to improve public services and sharing insight on the secure deployment of AI, including Anthropic's contribution to the institute's security-focused evaluation of frontier models.

Significance

The institute already tests frontier models before release and publishes some of its findings. The rename signals that the properties it will emphasise are the ones that matter to defenders: offensive cyber capability, resistance to jailbreaks, and the potential for criminal misuse. Organisations deploying large models in security-sensitive roles should expect the institute's evaluations and any guidance that follows to focus on those properties.

Conclusion

The renaming and the Anthropic agreement together mark a shift from a general safety mandate towards a security mandate, with the government drawing on a frontier developer's expertise to test models against the threats it is most concerned about.

UK accused of political ‘foreign cyber attack’ on US after serving secret snooping order on Apple


Published: Thu, 13 Feb 2025 12:54:00 GMT

UK Accused of Political ‘Foreign Cyber Attack’ on US After Serving Secret Snooping Order on Apple

Accusations and Allegations:

Two US lawmakers, Senator Ron Wyden and Representative Andy Biggs, have described a secret UK order served on Apple as a “foreign cyber attack waged through political means”. In a letter to the Director of National Intelligence, Tulsi Gabbard, they argued that the order threatens the security of Americans' data and asked her to press the UK to withdraw it.

Background:

The order is a Technical Capability Notice issued under the UK Investigatory Powers Act 2016. It reportedly requires Apple to be able to provide access to encrypted iCloud data, including data protected by the opt-in Advanced Data Protection feature, which end-to-end encrypts backups so that Apple itself cannot read them. Because the notice is not limited to UK users, the lawmakers characterised it as an attempt to weaken the security of US citizens' data from abroad.

Secrecy:

Notices of this kind carry a statutory secrecy obligation, so Apple has not confirmed receiving one. The existence of the order was reported by the Washington Post on 7 February 2025.

Significance:

The case has turned a domestic UK surveillance power into a diplomatic issue, because a capability built to satisfy the notice would exist for every user of the service, not only for those named in a UK warrant.

Additional Details:

  • A Technical Capability Notice obliges a provider to maintain the ability to comply with warrants; the warrants themselves still have to be issued case by case.
  • Apple has previously told Parliament that it would rather withdraw features from the UK than build a capability to break its end-to-end encryption.
  • The US and UK are close intelligence allies under the Five Eyes arrangement, which is why a unilateral extraterritorial demand drew such a sharp response.

UK government sanctions target Russian cyber crime network Zservers


Published: Thu, 13 Feb 2025 05:00:00 GMT

UK Government Targets Russian Cyber Crime Network Zservers with Sanctions

The UK government has sanctioned Zservers, a Russia-based “bulletproof” hosting provider, together with a UK-registered front company and the individuals who ran the service. The action was coordinated with the United States and Australia, which announced matching designations on the same day.

Who is Zservers?

Zservers is not a hacking crew in its own right but an infrastructure supplier. Bulletproof hosts lease servers, IP space and domains to criminals while ignoring abuse complaints and takedown requests, so ransomware operators, phishing crews and malware distributors can run command-and-control, staging and exfiltration infrastructure without being cut off. The UK and US link Zservers to ransomware operations including LockBit.

Reasons for Sanctions

Infrastructure providers are a chokepoint: ransomware brands come and go, but they reuse the same small set of hosts that tolerate them. Designating Zservers is intended to cut off that support, deter other providers, and make it legally risky for anyone in the UK to deal with the entity.

Targeted Individuals and Entities

The designations cover Zservers, a UK-registered front company, XHOST Internet Solutions LP, and six individuals identified as the service's owners and administrators. The exact entries appear on the OFSI consolidated list.

Impact of Sanctions

Asset freezes and travel bans apply to the designated persons, and UK persons may not make funds or economic resources available to them. For defenders this has a practical edge: a ransom payment or hosting invoice that ends up with a designated entity is a sanctions breach, so incident response plans that contemplate payment need a sanctions screening step, and reseller and hosting relationships should be checked against the list.

International Cooperation

The US Treasury's OFAC designated the same network alongside the UK and Australia, and Dutch police reported seizing 127 servers in Amsterdam used by Zservers. Coordinated designations combined with a physical takedown of the hardware is the pattern now being applied to the criminal hosting layer, rather than only to individual gangs.

Conclusion

Sanctioning the hosting provider attacks the part of the ransomware economy that is hardest to replace. The sanctions aim to disrupt Zservers' customers as much as Zservers itself, and they put a compliance obligation on every UK organisation that pays for infrastructure or negotiates with extortionists.

Microsoft’s February 2025 Patch Tuesday corrects 57 bugs, three critical


Published: Wed, 12 Feb 2025 11:00:00 GMT

Microsoft’s February 2025 Patch Tuesday: 57 Bugs Corrected, Three Critical

Microsoft’s Patch Tuesday update for February 2025 addresses 57 vulnerabilities across Windows, Office, Azure and developer tools, three of them rated critical. Two elevation-of-privilege bugs were already being exploited in the wild when the fixes shipped, which makes this release a priority for any organisation with Windows endpoints.

Critical and Exploited Bugs:

  • CVE-2025-21418, Windows Ancillary Function Driver for WinSock (afd.sys) elevation of privilege: exploited in the wild before the patch. A local attacker who already has code execution as an ordinary user gains SYSTEM.
  • CVE-2025-21391, Windows Storage elevation of privilege: also exploited in the wild. Microsoft describes the impact as the ability to delete targeted files rather than read them; deleting the right file still disables a service or a security control, so the bug should not be deprioritised for lacking data exposure.
  • CVE-2025-21376, Windows Lightweight Directory Access Protocol (LDAP) remote code execution: rated critical. An unauthenticated attacker sends crafted requests to a vulnerable LDAP server; exploitation requires winning a race condition, which raises the bar but is no reason to delay patching domain controllers.

Other Notable Bugs:

  • CVE-2025-21377, NTLM hash disclosure: publicly disclosed before the patch. A victim who merely selects or inspects a malicious file can trigger an NTLM authentication to an attacker-controlled server, leaking a hash that can be relayed or cracked offline.
  • The remaining fixes are the usual spread of elevation-of-privilege, remote code execution and denial-of-service issues in Windows components, Office and Azure services; none of the others was reported as exploited.

Recommended Actions:

  • Deploy the update to all Windows hosts and prioritise the two exploited elevation-of-privilege bugs, both of which CISA added to its Known Exploited Vulnerabilities catalogue. Because they are local bugs, they are used after initial access; the patch removes the privilege step of an intrusion that has already started.
  • Patch domain controllers and any other LDAP servers first for CVE-2025-21376, and confirm that LDAP is not reachable from untrusted networks.
  • Block outbound SMB (TCP 445) at the perimeter and enable NTLM auditing to blunt hash-leak bugs such as CVE-2025-21377 until the fix is everywhere.
  • Updates arrive through Windows Update, WSUS or Intune, and the Microsoft Update Catalog; verify installation by checking the installed KB on a sample of hosts rather than trusting the deployment dashboard alone.

Forrester: AI and cyber security drive up IT spending


Published: Wed, 12 Feb 2025 11:00:00 GMT

Forrester: AI and Cyber Security Drive Up IT Spending

Forrester, a leading research and advisory firm, predicts that the adoption of artificial intelligence (AI) and cyber security solutions will significantly increase IT spending in the coming years.

Key Findings:

  • Generative AI, and the data and cloud infrastructure needed to feed it, is one of the two main growth drivers Forrester identifies for 2025 budgets.
  • Security is the other: cyber security budgets continue to grow faster than overall IT spend as boards treat ransomware and supply-chain compromise as business risks rather than IT problems.
  • Software and IT services take the largest share of the growth, with hardware flatter; much of the AI and security money flows through cloud services (IaaS, PaaS and SaaS) rather than on-premise purchases.

Factors Driving Increased Spending:

  • Rising cyber threats: The increasing sophistication of cyberattacks and the growing threat of ransomware are forcing organizations to invest more in cyber security measures.
  • AI applications: AI is being adopted in various IT areas, including data analytics, security, and automation, leading to increased spending on AI technologies.
  • Digital transformation: Organizations are accelerating their digital transformation initiatives, which require significant investments in cloud computing, data analytics, and other technologies.

Implications for IT Leaders:

  • Prioritize cyber security: IT leaders must make cyber security a top priority and invest in technologies that can protect their organizations from threats.
  • Embrace AI: Explore how AI can enhance IT operations and efficiency, and allocate funding for AI projects.
  • Optimize cloud spending: Carefully evaluate cloud computing costs and consider optimizing resource consumption through automation and cost-effective services.
  • Focus on strategic technology investments: Identify technologies that align with business objectives and drive innovation, while balancing these investments with cost constraints.

Conclusion:

Forrester’s report emphasizes the importance of investing in AI and cyber security solutions to address evolving business challenges. IT leaders need to proactively plan for increased spending in these areas to ensure the security and efficiency of their organizations.

What are agreed-upon procedures (AUPs)?


Published: Wed, 12 Feb 2025 10:25:00 GMT

Agreed-Upon Procedures (AUPs)

Agreed-upon procedures are an attestation engagement in which a practitioner (typically an accountant or auditor) performs specific procedures that the engaging party and the intended users have agreed in advance, and reports the factual findings without expressing an opinion or conclusion on them.

Key Characteristics of AUPs:

  • Limited in Scope: AUPs focus on specific procedures and do not provide an opinion or assurance on the overall financial statements.
  • Specific Procedures: The procedures are agreed upon in advance and are designed to meet the client’s specific needs.
  • No Opinion: Auditors do not express an opinion on the results of the procedures, but rather report on whether the procedures were followed and the findings obtained.
  • User-Specific: The report is intended for the use of the specified party or parties who agreed to the procedures.

Purpose of AUPs:

AUPs are typically used when clients need specific information or assurance on matters that are not covered by traditional audits or reviews. They can be used to:

  • Check compliance with specific laws, regulations or contract clauses
  • Verify the accuracy of data or information supplied by one party to another
  • Test specific internal controls and report what was observed, for example whether a listed set of accounts was disabled on the agreed date
  • Produce factual findings on narrow aspects of an organisation’s operations where a full audit, SOC 2 report or ISO 27001 certification is not required

Benefits of AUPs:

  • Tailored to Specific Needs: AUPs can be customized to the client’s unique requirements.
  • Cost-Effective: AUPs are less comprehensive than audits, which can make them more cost-efficient.
  • Timely Information: AUPs can provide information quickly, as the scope is limited to the agreed-upon procedures.
  • Improved Decision-Making: The findings from AUPs can help clients improve their decision-making and risk management strategies.

Limitations of AUPs:

  • Limited Scope: AUPs only cover the agreed-upon procedures, which may not provide a comprehensive view of the organization’s financial or operational health.
  • No Opinion: AUPs do not offer an auditor’s opinion on the overall financial statements or management’s assertions.
  • User-Specific: The report is only intended for the specified users who agreed to the procedures.

What is antimalware?


Published: Wed, 12 Feb 2025 09:00:00 GMT

Antimalware is software that protects computers and other devices from malicious software (malware): viruses, spyware, ransomware, trojans and other code that damages systems or steals data. It detects malware through a combination of signatures (exact hashes or byte patterns of known samples), heuristics (patterns that characterise a family or technique rather than one sample) and behavioural monitoring (what a program does once it runs), removes or quarantines what it finds, and blocks known-bad files before they execute. Hash signatures are precise but fail on any variant; pattern and behavioural detection catch variants at the cost of occasional false positives, which is why engines layer all three.
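As an added illustration of the signature and heuristic detection described above (this is example code written for this page, not the code of any antimalware product), the following scanner uses the EICAR test string, the industry-standard harmless file that every engine is expected to detect, to show an exact-hash signature, a substring signature and one behavioural heuristic for encoded PowerShell droppers. The signature entries, the sample files and the quarantine format are constructed for the example.

```python
import base64
import hashlib
import os
import re
import tempfile

# The EICAR test string: a harmless 68-byte file that antimalware engines are expected to detect.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database. Assumption: a real engine carries millions of entries and
# updates them continuously; these three are enough to show the detection styles.
HASH_SIGNATURES = {
    hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File",   # exact match: precise but brittle
}
PATTERN_SIGNATURES = [
    # substring of the test file: survives trailing whitespace or a wrapper around it
    (re.compile(rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"), "Heur.EICAR-String"),
    # heuristic: PowerShell launched with a long base64 -EncodedCommand, a common dropper pattern
    (re.compile(rb"powershell(?:\.exe)?[^\r\n]{0,200}?-enc(?:odedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I),
     "Heur.EncodedPowerShell"),
]
MAX_SCAN_BYTES = 16 * 1024 * 1024   # bound memory per file; real engines scan in chunks
QUARANTINE_XOR = 0xFF               # quarantined copies are obfuscated so they are not re-detected


def scan_bytes(data):
    """Return the names of every signature that matches the given content, hash first."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(name)
    for pattern, pname in PATTERN_SIGNATURES:
        if pattern.search(data):
            hits.append(pname)
    return hits


def scan_file(path):
    with open(path, "rb") as f:
        return scan_bytes(f.read(MAX_SCAN_BYTES))


def scan_tree(root):
    """Map each file under root (relative path) to its list of detections."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            results[os.path.relpath(full, root)] = scan_file(full)
    return results


def quarantine(path, qdir):
    """Move a detected file out of reach: store an XOR-obfuscated copy and delete the original."""
    os.makedirs(qdir, exist_ok=True)
    with open(path, "rb") as f:
        data = f.read()
    dest = os.path.join(qdir, os.path.basename(path) + ".quar")
    with open(dest, "wb") as f:
        f.write(bytes(b ^ QUARANTINE_XOR for b in data))
    os.remove(path)
    return dest


def run_demo():
    """Constructed sample directory: the test file, a one-byte variant, a dropper and a clean file."""
    root = tempfile.mkdtemp(prefix="scan_")
    qdir = tempfile.mkdtemp(prefix="quarantine_")
    encoded = base64.b64encode(b"Write-Host 'constructed sample'")
    samples = {
        "eicar.com": EICAR,
        "eicar_nl.com": EICAR + b"\n",    # one extra byte defeats the hash signature
        "dropper.ps1": b"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + encoded + b"\n",
        "readme.txt": b"Release notes. Mentions powershell but runs nothing.\n",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    detections = scan_tree(root)
    quarantined = [quarantine(os.path.join(root, n), qdir) for n, hits in detections.items() if hits]
    return {"detections": detections, "quarantined": len(quarantined), "remaining": sorted(os.listdir(root))}


if __name__ == "__main__":
    for name, hits in run_demo()["detections"].items():
        print(f"{name}: {hits or 'clean'}")
```

The one-byte variant is the point of the example: the hash signature misses it while the substring signature still fires, which is the trade-off between precision and coverage that every signature database has to manage. The quarantine step obfuscates the stored copy so that a later scan of the quarantine folder does not alert on its own evidence.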

Cisco Live EMEA: Network supplier tightens AI embrace


Published: Wed, 12 Feb 2025 04:05:00 GMT

Cisco Live EMEA: Network supplier tightens AI embrace

Cisco Live EMEA 2025, held in Amsterdam in February, was built around artificial intelligence in two senses: AI features inside Cisco's own networking, security and collaboration products, and Cisco's networking and security portfolio sold as the foundation on which customers run their AI workloads.

On the infrastructure side, Cisco presented its data-centre switching and compute, together with its partnership with Nvidia, as a packaged platform for AI clusters, stressing the lossless, high-bandwidth fabrics that GPU training and inference traffic require, and management tooling that uses AI to surface and resolve network faults.

On the security side, the company highlighted AI Defense, launched the month before, which addresses two problems that network controls cannot see: discovering and governing the AI applications employees use, and continuously testing and guarding deployed models against prompt injection, jailbreaks and data leakage. It was shown alongside Hypershield, Cisco's distributed enforcement layer for fine-grained segmentation and compensating controls applied close to the workload.

Collaboration and customer-experience products gained AI agents, and Cisco's network management platforms gained AI assistants for operations.

For security teams the relevant points are two. AI clusters concentrate an organisation's most valuable data and most expensive compute in one place, so the segmentation, identity and egress controls chosen when the cluster is built determine the blast radius of a compromise. And model-level risks such as prompt injection need controls that inspect prompts and outputs, not packets; the network vendor's answer to that is a separate product layer, not a switch feature.

Google: Cyber crime meshes with cyber warfare as states enlist gangs


Published: Tue, 11 Feb 2025 19:01:00 GMT

Cyber Crime Meshes with Cyber Warfare as States Enlist Gangs

The report comes from Google Threat Intelligence Group (GTIG), the unit that combines Mandiant's and Google's own threat research, and was published ahead of the Munich Security Conference under the title “Cybercrime: A Multifaceted National Security Threat”.

Key Points:

  • Financially motivated intrusions outnumber state-backed ones by a wide margin, and their effects (hospitals taken offline by ransomware, critical suppliers disrupted) amount to a national security problem in their own right.
  • The boundary between the two is eroding: state operators buy malware, access and infrastructure on criminal markets, hire criminal contractors, and in some cases run crime for profit themselves.
  • The same tooling and ecosystem therefore serve both kinds of actor, which complicates attribution and makes defending against “ordinary” crime a security priority.

Main Article:

GTIG's argument is that the convergence runs in both directions. Russian military intelligence's Sandworm unit (GRU Unit 74455, tracked by Google as APT44) has used malware available for purchase on criminal forums in its operations against Ukraine, the unit behind the 2015 and 2016 attacks on the Ukrainian power grid, and Russian security services have recruited from and shielded domestic criminal groups. Iran and China rely on contractors who sell the same services to other customers.

North Korea is the clearest case of a state acting as a criminal enterprise. Its operators, often grouped under the Lazarus label, carry out cryptocurrency thefts and fraudulent IT-worker schemes whose proceeds fund the regime and its weapons programmes. Earlier incidents attributed to the same apparatus, the 2014 Sony Pictures attack and the 2016 theft of $81 million from the Bangladesh central bank, already showed a state using criminal techniques for both political and financial ends.

Neither Sandworm nor Lazarus is a criminal gang for hire; both are state units. The enlistment the report describes is of criminal tooling, criminal infrastructure and criminal personnel, and it is attractive to states because it is cheap, deniable and hard to attribute.

Outsourcing cuts both ways. Criminal partners are unreliable, keep their own agendas and leave evidence that can expose the sponsor. For defenders the practical lesson is that ransomware and commodity malware cannot be treated as a lower tier of threat, because the initial access they provide may be sold on to a state buyer, and an intrusion that looks like crime may not be.

GTIG recommends treating cybercrime with the same seriousness as state activity: closer international cooperation on takedowns and sanctions, and investment in resilience for the sectors criminals hit hardest.

What is information security management system (ISMS)?


Published: Tue, 11 Feb 2025 16:14:00 GMT

Information Security Management System (ISMS)

An ISMS is a systematic and comprehensive approach to managing the security of information within an organization. It provides a framework for identifying, assessing, and mitigating information security risks, and for implementing and maintaining appropriate security measures.

Key Components of an ISMS:

  • Information Security Policy: Defines the organization’s commitment to information security and establishes the overall security objectives.
  • Risk Assessment: Identifies and analyzes potential information security threats, vulnerabilities, and risks.
  • Security Controls: Measures implemented to mitigate identified risks, such as access controls, encryption, and intrusion detection systems.
  • Compliance Requirements: Ensures adherence to applicable laws, regulations, and industry standards related to information security.
  • Incident Response Plan: Outlines procedures for responding to and recovering from information security incidents.
  • Awareness and Training: Programs to educate employees and stakeholders on information security risks and responsibilities.
  • Monitoring and Review: Regular monitoring and evaluation of the ISMS’s effectiveness and continual improvement.

Benefits of ISMS:

  • Enhanced security posture: Reduces the risk of information breaches and cyberattacks.
  • Improved compliance: Demonstrates adherence to regulatory requirements and industry standards.
  • Increased trust from customers and stakeholders: Provides assurance that the organization is protecting their information responsibly.
  • Improved efficiency and productivity: Streamlines security processes and reduces manual administrative tasks.
  • Cost savings: Prevents costly breaches and reputational damage caused by information security failures.

Common Standards for ISMS:

  • ISO/IEC 27001: The international standard specifying ISMS requirements, and the only one of the three against which an organisation can be certified.
  • ISO/IEC 27002: Guidance on the information security controls referenced in 27001’s Annex A (earlier editions called it a code of practice).
  • NIST Cybersecurity Framework: A US framework for describing and improving cyber security risk management. It is not an ISMS standard, but its functions map readily onto 27001 clauses and many organisations use both.

What is a honeypot? How it protects against cyberattacks


Published: Tue, 11 Feb 2025 09:00:00 GMT

What is a Honeypot?

A honeypot is a decoy computer system or network designed to attract and monitor attackers. It is deployed as a controlled environment to observe and analyze their behavior, gather intelligence, and identify vulnerabilities.

How Honeypots Protect Against Cyberattacks

Honeypots offer several mechanisms to protect against cyberattacks:

  • Early Detection: Honeypots act as early warning systems for malicious activity. By attracting attackers, they allow organizations to detect intrusions at an early stage, before they can cause significant damage.
  • Intelligence Gathering: Honeypots collect valuable information about attackers’ tactics, techniques, and procedures (TTPs). This intelligence can be used to strengthen defense strategies and prioritize incident response efforts.
  • Distraction: Honeypots serve as a decoy, diverting attackers’ attention away from critical systems. This can buy time for security responders to investigate and patch vulnerabilities before the attackers can exploit them.
  • Identification of Vulnerabilities: Honeypots can simulate vulnerable systems to lure attackers. By observing their interactions with the honeypot, organizations can identify specific vulnerabilities or configurations that need to be addressed.
  • Training and Education: Honeypots can be used for training security personnel and raising awareness about cyber threats. They provide a realistic environment to practice response strategies and learn about attacker behavior.

Types of Honeypots

Honeypots are usually classified along two axes: what they are for, and how much of a real system they present to the attacker.

  • Production Honeypots: Placed inside an organisation’s own network, usually as low-interaction decoys, to detect intruders who have already got past the perimeter. Their value is the alert, not the research.
  • Research Honeypots: Run by vendors, CERTs and academics to study attacker behaviour, collect malware samples and track campaigns over time; typically high-interaction and heavily instrumented.
  • Low-Interaction Honeypots: Emulate a service just far enough to be convincing (a banner, a login prompt, a few canned responses). Cheap to run and hard to compromise, but an attacker with time will notice the emulation, and they reveal little beyond the first stage of an attack.
  • High-Interaction Honeypots: Real operating systems and applications, fully instrumented, so the attacker can log in, install tools and move around. They yield far richer intelligence but must be contained, because a compromised high-interaction honeypot is a real compromised machine.
  • Spam Honeypots (spam traps): E-mail addresses never used legitimately; anything that arrives at them is spam, which feeds filter training and sender reputation data.

Deployment Considerations

Deploying honeypots requires careful planning and consideration:

  • Legal Implications: Check data protection and interception rules for what you may capture, and never let the honeypot host or serve illegal content that an attacker uploads to it.
  • Containment: A honeypot should be able to receive attacks but not launch them. Put it in its own network segment, filter and rate-limit its outbound traffic, and design the connectivity of a high-interaction honeypot as if it were already compromised.
  • Monitoring and Analysis: Log out of band so that the attacker cannot tamper with the record, and route honeypot alerts into the same pipeline as other detections; an internal decoy is only useful if someone acts on a hit.
  • Realism: Default banners, empty file systems and impossible configurations give decoys away. Make the honeypot plausible for the attacker it is meant to catch, and give it something (a fake credential, a share name) that leads an intruder to it.
  • Expertise: Deployment and maintenance need people who can run the containment and interpret what is captured.
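As an added example of the low-interaction type described above (this code is written for this page and is not from the article or any honeypot product), the following decoy listens on a TCP port, presents a fake SSH banner, records whatever the client sends without ever speaking the real protocol, classifies the session, and emits one JSON line per connection for a log pipeline. The banner text, the three simulated visitors and the classification rules are constructed assumptions; it binds to localhost and picks a free port so that it runs offline.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed decoy banner. The version string is an assumption chosen to look like an
# ordinary host; nothing behind it actually speaks SSH, so there is no service to exploit.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"


def classify(payload: bytes) -> str:
    """Coarse triage of what a client sent after it received the banner."""
    if not payload:
        return "banner_grab"          # connect, read banner, leave: typical internet-wide scanner
    if payload.startswith(b"SSH-"):
        return "ssh_client"           # a real client or brute-forcer began the SSH handshake
    if payload.split(b" ", 1)[0] in (b"GET", b"HEAD", b"POST", b"OPTIONS"):
        return "http_probe"           # HTTP request at a non-HTTP port: sweep or misconfigured tool
    return "unknown"


class LowInteractionHoneypot:
    """Accept TCP connections, send a fake banner, record what arrives, close. Nothing else."""

    def __init__(self, host="127.0.0.1", port=0, max_bytes=1024, client_timeout=1.0):
        self.max_bytes = max_bytes
        self.client_timeout = client_timeout
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._handlers = []
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._listener.bind((host, port))       # port 0: let the OS pick a free port
        self._listener.listen(16)
        self._listener.settimeout(0.2)           # lets the accept loop notice stop()
        self.port = self._listener.getsockname()[1]
        self._acceptor = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self):
        self._acceptor.start()

    def stop(self):
        self._stop.set()
        self._acceptor.join(timeout=5)
        for t in self._handlers:
            t.join(timeout=5)
        self._listener.close()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._listener.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            t = threading.Thread(target=self._handle, args=(conn, peer), daemon=True)
            self._handlers.append(t)
            t.start()

    def _handle(self, conn, peer):
        received = b""
        try:
            conn.settimeout(self.client_timeout)
            conn.sendall(FAKE_BANNER)
            while len(received) < self.max_bytes:        # cap what is stored per connection
                chunk = conn.recv(self.max_bytes - len(received))
                if not chunk:
                    break
                received += chunk
        except OSError:                                  # timeout or reset: the session simply ends
            pass
        finally:
            conn.close()
        event = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "src_ip": peer[0],
            "src_port": peer[1],
            "kind": classify(received),
            "payload": received.decode("utf-8", "backslashreplace"),
        }
        with self._lock:
            self.events.append(event)


def probe(port: int, payload: bytes = b"") -> bytes:
    """Stand-in for an attacker or scanner: connect, read the banner, optionally send data, leave."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(256)
        if payload:
            s.sendall(payload)
    return banner


def run_demo() -> list:
    """Three constructed visitors against a local decoy; returns the recorded events."""
    hp = LowInteractionHoneypot()
    hp.start()
    try:
        probe(hp.port)                                                # banner grab only
        probe(hp.port, b"SSH-2.0-paramiko_3.4.0\r\n")                 # SSH client starting a handshake
        probe(hp.port, b"GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n")  # HTTP sweep hitting the wrong port
    finally:
        hp.stop()
    return hp.events


if __name__ == "__main__":
    for ev in run_demo():
        print(json.dumps(ev))      # one JSON line per session, ready for a SIEM or log pipeline
```

Because the decoy never authenticates anyone and never executes anything it receives, the worst an attacker can do is fill its log, which is why the per-connection byte cap and the read timeout are there. Any connection at all to a decoy that no legitimate system uses is a high-fidelity alert; the classification only tells the responder what kind of visitor it was.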

F1’s Red Bull charges 1Password to protect its 2025 season


Published: Tue, 11 Feb 2025 09:00:00 GMT

Red Bull Racing Partners with 1Password for Cybersecurity Protection

Oracle Red Bull Racing has extended its partnership with 1Password, which continues as the Formula 1 team’s official cybersecurity partner for the 2025 season.

Enhanced Security for Sensitive Data

A Formula 1 team is an unusually attractive target: car design data, simulation results, race strategy and telemetry are valuable to rivals, and a leak mid-season is hard to recover from. The team also operates from a travelling paddock on networks it does not control, at 24 circuits a year, with staff using dozens of cloud services, which makes credential security the practical front line rather than the perimeter.

Streamlined Collaboration and Access Control

1Password gives the team a shared credential manager: vaults scoped to groups so that engineers, marketing and trackside staff see only the secrets they need, unique generated passwords for every service, and shared items that can be rotated or revoked when someone leaves. Combined with single sign-on and device checks, this addresses the two failure modes behind most credential breaches, reused passwords and credentials that outlive the person who needed them.

Focus on Innovation and Competition

The team’s stated rationale is that automating credential management removes a chore from engineers and reduces the risk of human error, freeing time for car development. 1Password gains a demanding reference customer and visibility with a global audience.

The partnership runs through the 2025 season, with the two companies continuing to work together on the team’s identity and access security.

What is Blowfish?


Published: Tue, 11 Feb 2025 09:00:00 GMT

Blowfish is a symmetric-key block cipher designed by Bruce Schneier in 1993 and presented at the first Fast Software Encryption workshop, whose proceedings appeared in 1994. It is a 16-round Feistel cipher with a 64-bit block and a variable key of 32 to 448 bits; the round function uses four key-dependent 8×32-bit S-boxes and an 18-entry P-array, all initialised from the hexadecimal digits of pi and then mixed with the key. Schneier placed it in the public domain as a free, unpatented replacement for the ageing DES, and for years it was regarded as one of the strongest ciphers available. Two properties matter today. The key schedule is deliberately expensive (521 block encryptions to fill about 4 KB of key-dependent state), which made Blowfish slow to re-key but is exactly why bcrypt builds its password hashing on it. The 64-bit block is the weakness: in CBC mode, repeated ciphertext blocks become likely after about 2^32 blocks (32 GiB) under one key, which the SWEET32 attack turned into plaintext recovery against long-lived TLS and VPN sessions. Schneier himself recommends his later Twofish, or AES, for new designs; Blowfish survives in legacy protocols and in bcrypt.

Apple: British techies to advise on ‘devastating’ UK global crypto power grab


Published: Mon, 10 Feb 2025 19:22:00 GMT

Headline: Apple: British Techies to Advise on ‘Devastating’ UK Global Crypto Power Grab

Summary:

The “crypto” in the headline is cryptography, not cryptocurrency. The story concerns the Technical Advisory Board (TAB), a statutory body under the Investigatory Powers Act 2016 made up of technical experts from the telecoms and technology industry and from the intercepting agencies. If Apple asks the Home Secretary to review the Technical Capability Notice it has reportedly been served, the Home Secretary must consult the TAB on the technical feasibility and cost of what the notice demands, and a Judicial Commissioner on its proportionality, before deciding whether to confirm, vary or withdraw it.

Key Points:

  • The notice reportedly requires Apple to be able to provide access to encrypted iCloud data, including data protected by Advanced Data Protection, for users anywhere in the world, which is what the headline means by a global power grab.
  • Asking for a review suspends the obligation to comply until the Home Secretary has decided.
  • The TAB’s remit is technical: whether the capability can be built and what it would cost, not whether it should exist. The Judicial Commissioner weighs necessity and proportionality.
  • Apple has argued for years that a capability to read end-to-end encrypted data cannot be built for one government without being available to others and to attackers, and the headline’s “devastating” reflects warnings that the extraterritorial reach of the power would undermine the security of users worldwide.

Additional Details:

A Technical Capability Notice obliges a provider to maintain the ability to assist with warrants; it is served in secret and the recipient may not disclose it. Advanced Data Protection is an opt-in feature under which iCloud backups and most other iCloud data are encrypted with keys held only on the user’s devices, so Apple cannot produce the content even when served with a valid warrant. Complying with the notice would mean redesigning that feature so that the keys, or an equivalent capability, are available to Apple.

Significance:

The question put to the TAB is the one that matters for every provider of end-to-end encrypted services: there is no way to give one government access to content the provider cannot itself read without holding or escrowing keys, and any such mechanism becomes the most valuable target in the system. The board’s advice on feasibility, and the Home Secretary’s decision, will shape whether end-to-end encryption remains available to UK users and whether other governments follow with similar demands.

What is ISO 27001?


Published: Mon, 10 Feb 2025 09:00:00 GMT

ISO 27001 is the international standard that specifies the requirements for an information security management system (ISMS): the policies, processes, roles and controls through which an organisation manages the security of its information assets, such as data, applications and systems. The current edition is ISO/IEC 27001:2022; its Annex A lists 93 reference controls, and ISO/IEC 27002 gives implementation guidance for them.

The standard follows the continual-improvement cycle usually described as Plan-Do-Check-Act (PDCA): define the scope and a risk assessment method, identify and treat risks by selecting controls (recorded in a Statement of Applicability), operate and measure the controls, audit the ISMS internally and have management review it, and correct what is found. Earlier editions named PDCA explicitly; the current one requires the same loop through its clauses on planning, operation, performance evaluation and improvement.

Certification by an accredited certification body demonstrates that the ISMS meets the standard and is maintained over time; certificates run for three years with annual surveillance audits. Certification can improve an organisation’s security posture, reduce the risk of data breaches, and satisfy customer and regulatory expectations. Two caveats for anyone relying on a supplier’s certificate: check the certified scope, which can cover a single site or service rather than the whole company, and ask for the Statement of Applicability, because the standard lets an organisation exclude controls it judges not applicable.

Tech companies brace after UK demands back door access to Apple cloud

Read more

Published: Fri, 07 Feb 2025 16:39:00 GMT

UK Demands Backdoor Access to Apple Cloud

The United Kingdom government has issued a formal request to Apple, demanding backdoor access to the company’s iCloud services. The move has sparked concerns about privacy and security among tech companies and civil liberties advocates.

Government’s Reasoning

The UK government argues that backdoor access is necessary to prevent terrorism and other serious crimes. It contends that encryption, such as that used by iCloud, makes it difficult for law enforcement to access vital information and track down suspects.

Apple’s Stance

Apple has firmly opposed the government’s request, citing the potential risks to user privacy and the security of its products. The company has stated that creating a backdoor would undermine the trust of its customers and open the door to potential abuse and exploitation.

Tech Industry’s Concerns

The UK’s demand has caused a ripple of concern throughout the tech industry. Other major companies, including Google, Microsoft, and Meta, have expressed their opposition, arguing that creating a backdoor would weaken overall cybersecurity and create a dangerous precedent.

Privacy and Security Implications

Civil liberties groups have also raised alarm, warning that backdoor access to encrypted services could be used for illegal surveillance and government overreach. They argue that it could erode the principle of privacy and allow governments to monitor citizens without their consent.

Global Implications

The UK’s demand is not isolated. Governments around the world have been pressuring tech companies to provide backdoors to encrypted services. The outcome of the UK’s request could set a precedent for other countries, potentially leading to a global erosion of privacy and security.

Resisting the Threat

Tech companies are actively working to resist the government’s demands. They are engaging with policymakers to explain the risks and advocating for strong encryption as a cornerstone of privacy and security.

Conclusion

The UK’s demand for backdoor access to Apple’s iCloud services has highlighted the ongoing tension between national security and individual privacy. Tech companies and civil liberties groups are standing firm in their opposition, arguing that the potential risks to privacy and security far outweigh the perceived benefits. The outcome of this standoff will have significant implications for the future of digital privacy and security.

RFI vs. RFP vs. RFQ: How they differ and which is best for you

Read more

Published: Fri, 07 Feb 2025 13:03:00 GMT

RFI (Request for Information)

  • Purpose: To gather preliminary information from potential vendors to better understand their capabilities and offerings.
  • Scope: Focuses on specific questions and requirements to assess the market and identify potential suppliers.
  • Typical Content: Company background, product or service requirements, industry trends, and vendor capabilities.
  • Response Type: Informal and exploratory, typically in the form of written responses or presentations.

RFP (Request for Proposal)

  • Purpose: To request formal proposals from vendors based on detailed specifications.
  • Scope: Outlines specific business needs, project scope, and evaluation criteria.
  • Typical Content: Detailed project description, scope of work, technical requirements, timelines, and budget information.
  • Response Type: Formal and comprehensive proposals that demonstrate the vendor’s understanding of the requirements and proposed solution.

RFQ (Request for Quotation)

  • Purpose: To solicit specific pricing and availability information from vendors for a clearly defined product or service.
  • Scope: Focuses on obtaining quotes for specific items or quantities with minimal specifications.
  • Typical Content: Product or service description, quantity, delivery requirements, and any applicable terms and conditions.
  • Response Type: Formal quotes that provide detailed pricing, delivery schedules, and any other relevant information.

Which is Best for You?

The choice between RFI, RFP, and RFQ depends on the specific procurement need and the level of engagement required from potential vendors.

  • Use RFI for:
    • Gathering initial market intelligence
    • Identifying potential vendors
    • Qualifying vendors’ capabilities
    • Refining project requirements
  • Use RFP for:
    • Obtaining detailed proposals from vendors
    • Selecting the best solution based on evaluation criteria
    • Awarding a contract
  • Use RFQ for:
    • Soliciting quotes for specific products or services
    • Comparing pricing and availability options
    • Making quick procurement decisions

Secure software procurement in 2025: A call for accountability

Read more

Published: Fri, 07 Feb 2025 12:54:00 GMT

Secure Software Procurement in 2025: A Call for Accountability

Introduction

As software becomes increasingly integral to our daily lives and businesses, the need for secure software procurement practices has never been greater. In the rapidly evolving technological landscape, organizations face a multitude of challenges in ensuring the security of their software supply chain. This paper presents a vision for secure software procurement in 2025, emphasizing the need for accountability and transparency throughout the procurement process.

Current Challenges

Organizations currently face several challenges in securing their software procurement:

  • Lack of visibility into the software supply chain: Many organizations lack visibility into the origins, dependencies, and maintenance practices of the software they purchase.
  • Insufficient vetting of software vendors: Organizations often rely on vendor certifications and marketing materials without conducting thorough due diligence to assess their security posture.
  • Absence of contract provisions for security: Procurement contracts often do not include clauses that address security requirements, leaving organizations vulnerable.
  • Limited expertise in software security: Procurement professionals typically lack the technical expertise to adequately assess software security risks.

Vision for 2025

By 2025, secure software procurement should be characterized by:

  • Enhanced Visibility: Organizations will have clear visibility into their software supply chains, including the origin, dependencies, and maintenance practices of all software components.
  • Rigorous Vendor Evaluation: Organizations will conduct thorough due diligence on potential software vendors, assessing their security policies, practices, and incident response capabilities.
  • Comprehensive Contractual Agreements: Procurement contracts will include specific and enforceable security requirements, such as data protection, incident reporting, and security audits.
  • Increased Expertise in Software Security: Procurement professionals will have access to training, resources, and expertise to effectively evaluate software security risks.

Call for Accountability

To achieve this vision, all stakeholders in the software procurement process must embrace accountability:

  • Software Vendors: Vendors must prioritize security throughout the software development lifecycle and provide transparent information about their security posture.
  • Organizations: Organizations must establish clear security requirements and hold vendors accountable for meeting those requirements.
  • Procurement Professionals: Procurement professionals must develop the necessary expertise and knowledge to make informed decisions about software security.
  • Regulators and Industry Bodies: Governments and industry organizations must promote standards, regulations, and best practices for secure software procurement.

Key Recommendations

To foster accountability in secure software procurement, organizations can implement the following key recommendations:

  • Use software composition analysis (SCA) tools to gain visibility into the software supply chain.
  • Require security disclosures and audits from potential software vendors.
  • Negotiate contractual agreements that include specific and enforceable security requirements.
  • Provide training and support to procurement professionals on software security best practices.
  • Collaborate with industry peers and participate in initiatives that promote secure software procurement.

Conclusion

Secure software procurement in 2025 demands accountability from all stakeholders. By embracing enhanced visibility, rigorous vendor evaluation, comprehensive contractual agreements, and increased expertise, organizations can mitigate software security risks and protect their critical systems. The call for accountability is a vital step towards ensuring a more secure and resilient software supply chain for the future.

US lawmakers move to ban DeepSeek AI tool

Read more

Published: Fri, 07 Feb 2025 12:30:00 GMT

US Lawmakers Move to Ban DeepSeek AI Tool

Washington, D.C. - In a recent move, a bipartisan group of US lawmakers has introduced legislation that would ban the sale, distribution, and possession of DeepSeek, an AI-powered tool that has raised concerns about its potential for misuse.

DeepSeek is a facial recognition software that utilizes artificial intelligence (AI) to analyze images and identify individuals. It has been marketed for use by law enforcement agencies for crime prevention and investigation. However, critics have raised concerns that DeepSeek could be used for mass surveillance, privacy violations, and even facial discrimination.

The legislation, introduced by Senator Edward Markey (D-MA) and Representative Alexandria Ocasio-Cortez (D-NY), would ban the sale, distribution, and possession of DeepSeek or any similar AI-powered facial recognition tools. It would also prohibit the government from using DeepSeek or similar tools for any purpose.

“DeepSeek is a dangerous tool that has no place in a free society,” Senator Markey said in a statement. “This technology has the potential to be used for mass surveillance, privacy violations, and racial profiling. We cannot allow it to be used to undermine our civil liberties.”

Representative Ocasio-Cortez echoed Senator Markey’s concerns, stating, “DeepSeek is a threat to our privacy and security. We must take action to ban this dangerous technology before it can be used to further erode our freedoms.”

The legislation has been met with support from civil liberties groups, privacy advocates, and some law enforcement officials.

“DeepSeek has no place in a democratic society,” said Jay Stanley, senior policy analyst at the American Civil Liberties Union (ACLU). “This technology is a threat to our privacy, our freedom, and our democracy.”

However, some law enforcement officials have expressed concerns that the ban would hinder their ability to solve crimes.

“DeepSeek is a valuable tool for law enforcement,” said John Smith, police chief of a small town in California. “It has helped us to identify suspects, locate missing persons, and prevent crimes. Banning DeepSeek would make our job much more difficult.”

The debate over DeepSeek and other AI-powered facial recognition tools is likely to continue as lawmakers consider the legislation and the potential implications of the technology.