
Machine learning algorithm from RaySearch enhances workflow at Swedish radiation therapy clinic – DOTmed HealthCare Business News

RaySearch Laboratories AB (publ) has announced that by using a machine learning algorithm in the treatment planning system RayStation, Mälar Hospital in Eskilstuna, Sweden, has made significant time savings in dose planning for radiation therapy. The algorithm in question is a deep learning method for contouring the patient's organs. The decision to implement this technology was made to save time, thereby alleviating the prevailing shortage of doctors specialized in radiation therapy at the hospital, a shortage that was also exacerbated by the COVID-19 situation.

When creating a plan for radiation treatment of cancer, it is critical to carefully define the tumor volume. In order to avoid unwanted side-effects, it is also necessary to identify the different organs in the tumor's surroundings, the so-called organs at risk. This process is called contouring and is usually performed using manual or semi-automatic tools.

The deep learning contouring feature in RayStation uses machine learning models that have been trained and evaluated on previous clinical cases to create contours of the patient's organs automatically and quickly. Healthcare staff can review and, if necessary, adjust the contours. The final result is reached much faster than with other methods.


Johan Löf, founder and CEO, RaySearch, says: "Mälar Hospital was very quick to implement RayStation in 2015 and now it has shown again how quickly new technology can be adopted and brought into clinical use. The fact that this helps to resolve a situation where hospital resources are unusually strained is of course also very positive."

About RaySearch
RaySearch is a medical technology company that develops innovative software solutions to improve cancer care. The company markets worldwide its treatment planning system RayStation and next-generation oncology information system RayCare. Over 2,600 clinics in more than 65 countries use RaySearch software to improve life and outcomes for patients. The company was founded in 2000 and the share has been listed on Nasdaq Stockholm since 2003.

About RayStation
RayStation is a flexible, innovative treatment planning system, chosen by many of the leading cancer centers worldwide. It combines unique features such as unmatched adaptive therapy capabilities, multi-criteria optimization, market-leading algorithms for IMRT and VMAT optimization with highly accurate dose engines for photon, electron, proton and carbon ion therapy. RayStation supports a wide range of treatment machines, providing one control center for all treatment planning needs and ensuring centers get greater value from existing equipment. RayStation also seamlessly integrates with RayCare, the next-generation oncology information system. By harmonizing the treatment planning, we enable better care for cancer patients worldwide.



Menten AI's combination of buzzword bingo brings AI and quantum computing to drug discovery – TechCrunch

Menten AI has an impressive founding team and a pitch that combines some of the hottest trends in tech to pursue one of the biggest problems in healthcare: new drug discovery. The company is also $4 million richer, with a seed investment from firms including Uncork Capital and Khosla Ventures to build out its business.

Menten AI's pitch to investors was the combination of quantum computing and machine learning to discover new drugs that sit between small molecules and large biologics, according to the company's co-founder Hans Melo.

A graduate of the Y Combinator accelerator, which also participated in the round, Menten AI looks to design proteins from scratch. It's a heavier lift than some might expect, because, as Melo said in an interview, it takes a lot of work to make an actual drug.

Menten AI is working with peptides, which are short chains of amino acids, similar to proteins, that have the potential to slow aging, reduce inflammation and get rid of pathogens in the body.

"As a drug modality [peptides] are quite new," says Melo. "Until recently it was really hard to design them computationally and people tried to focus on genetically modifying them."

Peptides have the benefit of getting through membranes and into cells where they can combine with targets that are too large for small molecules, according to Melo.

Most drug targets are not addressable with either small molecules or biologics, according to Melo, which means theres a huge untapped potential market for peptide therapies.

Menten AI is already working on a COVID-19 therapeutic, although the company's young chief executive declined to disclose too many details about it. Another area of interest is in neurological disorders, where the founding team members have some expertise.

Image of peptide molecules. Image Courtesy: D-Wave

While Menten AI's targets are interesting, the approach that the company is taking, using quantum computing to potentially drive down the cost and accelerate the time to market, is equally compelling for investors.

It's also unproven. Right now, there isn't a quantum advantage to using the novel computing technology versus traditional computing, something that Melo freely admits.

"We're not claiming a quantum advantage, but we're not claiming a quantum disadvantage," is the way the young entrepreneur puts it. "We have come up with a different way of solving the problem that may scale better. We haven't proven an advantage."

Still, the company is an early indicator of the kinds of services quantum computing could offer, and it's with that in mind that Menten AI partnered with some of the leading independent quantum computing companies, D-Wave and Rigetti Computing, to work on applications of their technology.

The emphasis on quantum computing also differentiates it from larger publicly traded competitors like Schrödinger and Codexis.

So does the pedigree of its founding team, according to Uncork Capital investor Jeff Clavier. "It's really the unique team that they formed," Clavier said of his decision to invest in the early-stage company. "There's Hans the CEO who is more on the quantum side; there's Tamas [Gorbe] on the bio side and there's Vikram [Mulligan] who developed the research. It's kind of a unique fantastic team that came together to work on the opportunity."

Clavier has also acknowledged the possibility that it might not work.

"Can they really produce anything interesting at the end?" he asked. "It's still an early-stage company and we may fall flat on our face or they may come up with really new ways to make new peptides."

It's probably not a bad idea to take a bet on Melo, who worked with Mulligan, a researcher from the Flatiron Institute focused on computational biology, to produce some of the early research into the creation of new peptides using D-Wave's quantum computing.

Novel peptide structures created using D-Waves quantum computers. Image Courtesy: D-Wave

While Melo and Mulligan were the initial researchers working on the technology that would become Menten AI, Gorbe was added to the founding team to get the company some exposure into the world of chemistry and enzymatic applications for its new virtual protein manufacturing technology.

The gamble paid off in the form of pilot projects (also undisclosed) that focus on the development of enzymes for agricultural applications and pharmaceuticals.

"At the end of the day what they're doing is they're using advanced computing to figure out what is the optimal placement of those clinical compounds in a way that is less based on those sensitive tests and more bound on those theories," said Clavier.


Better encryption for wireless privacy at the dawn of quantum computing – UC Riverside

For the widest possible and mobile Internet coverage, wireless communications are essential. But because wireless transmissions are broadcast over an open medium that anyone in range can listen to, information security poses a distinctive challenge. The widely deployed methods for information security are based on digital encryption, which in turn requires two or more legitimate parties to share a secret key.

Distributing a secret key by zero-distance physical contact is inconvenient in general and impossible in situations where too little time is available. The conventional solution to this challenge is to use public-key cryptography, and the public-key infrastructure (PKI) built on it, for secret key distribution. Yet the public-key schemes in use today rest on the computational hardness of problems such as integer factoring and the discrete logarithm, and both are solved efficiently by Shor's algorithm on a sufficiently large quantum computer. Some predictions suggest that such a threat could become a reality within 15 years.

In order to provide Internet coverage for every possible spot on the planet, such as remote islands and mountains, low-Earth-orbit satellite communication networks are rapidly being developed. A satellite can transmit or receive streams of digital information to or from terrestrial stations. But those streams are radiated over a very large geographical footprint and are easy to eavesdrop on. For applications such as satellite communications, how can we guarantee information security even if quantum computers become readily available in the near future?

Yingbo Hua's Lab of Signals, Systems and Networks in the Department of Electrical and Computer Engineering, which has been supported in part by the Army, has aimed to develop reliable and secure transmission, or RESET, schemes for future wireless networks. RESET is designed to guarantee that the secret information is not only received reliably by the legitimate receiver but is also secure from an eavesdropper, even one whose channel is better than the legitimate receiver's.

In particular, Hua's lab has developed a physical layer encryption method that could be immune to the threat of quantum computing. They are actively engaged in further research on this and other related methods.

In the physical layer encryption proposed by Hua's lab, only partial information is extracted from randomized matrices: for example, the principal singular vector of each matrix, modulated by a secret physical feature that is approximately shared by the legitimate parties. The principal singular vector is not an invertible function of the matrix; many different matrices share the same principal singular vector, so the matrix cannot be recovered from the vector alone. This seems to suggest that a quantum computer gains nothing here: the forward step is easy on a classical computer, and the reverse step has no unique answer for any computer to find. If that holds, the physical layer encryption should be immune to attacks via quantum computing. Unlike the number theory based encryption methods that are vulnerable to quantum attacks, Hua's physical layer encryption is based on continuous encryption functions, a class of methods that is still under development.
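The non-invertibility claim above is easy to check numerically. The following is an added example written for this page, not code from Hua's lab; it uses a constructed 3x3 matrix as a stand-in for one of the scheme's randomized matrices, computes the principal right singular vector by power iteration, and then shows two unrelated matrices (the same matrix rotated by an orthogonal Q, and the same matrix scaled) that yield exactly the same vector. Since (QA)^T(QA) = A^T A for every orthogonal Q, there are infinitely many preimages, which is what "not invertible" means here. The secret-feature modulation and the rest of the scheme are not modelled.

```python
import math

# Added example (not from Hua's lab): why the principal singular vector of a matrix
# cannot be inverted back to the matrix. Pure Python so it runs without NumPy.

def transpose(m):
    return [list(col) for col in zip(*m)]

def matmul(a, b):
    bt = transpose(b)
    return [[sum(x * y for x, y in zip(row, col)) for col in bt] for row in a]

def matvec(m, v):
    return [sum(x * y for x, y in zip(row, v)) for row in m]

def norm(v):
    return math.sqrt(sum(x * x for x in v))

def normalize(v):
    n = norm(v)
    v = [x / n for x in v]
    # A singular vector is only defined up to sign; fix it so comparisons are meaningful.
    for x in v:
        if abs(x) > 1e-9:
            return v if x > 0 else [-y for y in v]
    return v

def principal_right_singular_vector(a, iters=2000):
    """Top right singular vector of a, via power iteration on a^T a.
    Converges when the largest singular value is simple, which holds for generic matrices."""
    ata = matmul(transpose(a), a)
    v = normalize([1.0] * len(ata))
    for _ in range(iters):
        v = normalize(matvec(ata, v))
    return v

def principal_singular_value(a, v):
    # ||a v|| equals the top singular value when v is the top right singular vector.
    return norm(matvec(a, v))

def rotation_about_z(theta):
    c, s = math.cos(theta), math.sin(theta)
    return [[c, -s, 0.0], [s, c, 0.0], [0.0, 0.0, 1.0]]

def almost_equal(u, v, tol=1e-6):
    return max(abs(x - y) for x, y in zip(u, v)) < tol

# Constructed stand-in for one of the scheme's "randomized matrices" (an assumption, not lab data).
A = [[4.0, 1.0, 0.5],
     [2.0, 3.0, 1.0],
     [0.0, 1.0, 2.0]]

def collision_example():
    """Return (v_A, v_B, v_C, sigma_A, sigma_B, sigma_C) for A, B = Q A and C = 2.5 A.
    B and C differ entrywise from A yet share its principal right singular vector:
    (QA)^T (QA) = A^T A for any orthogonal Q, and scaling does not move eigenvectors."""
    q = rotation_about_z(0.7)
    b = matmul(q, A)
    c = [[2.5 * x for x in row] for row in A]
    v_a, v_b, v_c = (principal_right_singular_vector(m) for m in (A, b, c))
    return (v_a, v_b, v_c,
            principal_singular_value(A, v_a),
            principal_singular_value(b, v_b),
            principal_singular_value(c, v_c))

if __name__ == "__main__":
    v_a, v_b, v_c, s_a, s_b, s_c = collision_example()
    print("same principal vector for A, QA and 2.5A:",
          almost_equal(v_a, v_b) and almost_equal(v_a, v_c))
    print("top singular values:", round(s_a, 6), round(s_b, 6), round(s_c, 6))
```

Two caveats a practitioner should keep in mind. First, the vector does retain some information (the rotated copy keeps the same top singular value, the scaled copy does not), so non-invertibility is not by itself a security argument; what matters is how much the released vector, together with the public structure of the scheme, leaks about the secret feature, and that is the part the article says is still being researched. Second, power iteration only converges when the top singular value is isolated, so a scheme that relies on this extraction has to handle near-degenerate matrices deliberately.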


Paper Outlines the Role of ERM in Managing Risks Related to New Technologies – Business Wire

SANTA FE, N.M.--(BUSINESS WIRE)--The Shared Assessments Program today released a new briefing paper, The Role of ERM in Managing Risks Related to New Technologies. This collaborative, member-driven effort examines the challenges that come with significant technology shifts, such as IoT, AI, 5G and the encryption issues related to quantum computing.

Technology advances can fuel heightened productivity, important product development and enhance the ability to meet business objectives. Yet, along with these benefits, technology often introduces new risks. An incomplete understanding of those risks can lead to material consequences. The paper highlights the key role the board and C-suite should play in helping to recognize and respond to the risks that emerging technology presents.

"It's important for Boards to ensure that a systemic process exists for recognizing and maximizing outcomes from new technologies. Executive management should evaluate whether appropriate structures and resources are in place to understand both opportunities and significant risks associated with emerging technologies, and where gaps exist, close them," notes Gary Roboff, Senior Advisor at the Shared Assessments Program.

Key practices that should be implemented when planning and adopting new technologies include:

Both internally and with third parties, the paper delves into challenges and opportunities of each of the four most significant emerging technologies. Appropriate actions include:

While specific emerging technologies each represent some level of risk, the interdependencies and cumulative effect of these technologies when integrated can present a significant increase in risk to an enterprise. A clear example is the current IoT environment, which will become a more powerful and capable technology once leveraging 5G and, in the process, yield a more formidable risk challenge for all organizations, said Shawn Malone, Founder & CEO, Security Diligence, LLC.

The briefing paper and companion executive summary can be downloaded at: https://sharedassessments.org/blog/the-role-of-erm/.

About the Shared Assessments Program

As the only organization that has uniquely positioned and developed standardized resources to bring efficiencies to the market for more than a decade, the Shared Assessments Program has become the trusted source in third party risk assurance. Shared Assessments offers opportunities for members to address global risk management challenges through committees, awareness groups, interest groups and special projects.


Airbus CTO Grazia Vittadini: Aviation needs to tap emerging technologies, diverse talent to get climate-neutral – Verdict Medical Devices – Medical…


Airbus chief technology officer (CTO) Grazia Vittadini has urged the aviation world to explore new fields including AI and quantum computing in a bid to create a climate-neutral industry, writes Claudia Glover for CBR.

Speaking at an International Aviation Women's Association (IAWA) event, Vittadini said: "As aerospace professionals we all know there is no one single solution to the climate change problem."

We need to push aerodynamic structures and smart materials. We need alternative fuels and alternative propulsion using hydrogen in the equation or hydro-electric configuration. We need to push for automated air traffic management and explore new fields like AI and quantum computing, which are enablers for these very ambitious targets.

And to get to this point, the industry needs to become much more diverse, she said, adding that her dream of becoming a pilot in the Italian air force took a hit "when I was rejected on the grounds that I am a woman." She added that she then paid for a pilot's licence with her first salary as an engineer.

It is no secret that the aerospace sector is not exactly diverse when it comes to gender, said the CTO, who sits on the Airbus executive leadership. It is a systemic issue in all engineering-based companies and it will be a long-term effort (to address it).

Returning to the theme of climate change, Vittadini said that sustainability was good business.

There is no profit without climate protection, she said. Preserving our planet is not a nice add-on cherry on the cake that we may choose if we can afford; this is the prerequisite to the future of aviation, ecologically and economically.

The coronavirus crisis has undoubtedly increased this global awareness of how dependent we are on a healthy environment; this is also why in Europe, economic stimulus plans are coming with a lot of green strings attached.

She added that Airbus was working on a range of emerging technologies to improve safety, including self-disinfecting coatings for plane interiors.

Grazia Vittadini became the CTO of the European aerospace giant in 2017, having been with the company since 2002, bringing with her engineering and industrial expertise gained on the Italian side of the Eurofighter project. Among other roles, Vittadini, an experienced engineer, headed up airframe design at the multinational before being appointed CTO.


Is IT regulation in the DARQ? – IT PRO

This article originally appeared in May's edition of IT Pro 20/20.

While the world grapples with the fallout of the COVID-19 coronavirus pandemic and the shift to mass remote working (also dubbed the distributed workplace), other trends are bubbling under the surface. The growing use of artificial intelligence (AI) in businesses of all stripes is no secret, but there are another three technologies, distributed ledger, extended reality and quantum computing, that are becoming increasingly influential as well.


While SMAC (Social, Mobile, Analytics and Cloud) has already changed the relationships service providers have with their customers over the course of recent years, DARQ, as these newer technologies are collectively known, looks set to become even more transformative.

With all these technologies, and AI in particular, becoming mainstream, do we need a new form of regulation to ensure DARQ technologies are used legally, fairly and ethically?

"The digital change is not wafting like a gentle summer breeze over the beaches of Malta," says Felix Hufeld, president of the Federal Financial Supervisory Authority. "It's sweeping over the industry like a storm and is shaking up business models, companies and even entire markets."


Regulators have already seen the rapid growth of FinTech, with new companies innovating outside of traditional banking and financial services. This has raised concerns that their regulatory regimes wont be able to keep up with the pace of development.


Here, some form of automation could deliver a regulatory environment fit for a world dominated by DARQ technologies. A late-2019 survey carried out by the Bank of England and Financial Conduct Authority found 57% of regulated services use AI for risk management and compliance.

Susannah Hammond, senior regulatory intelligence expert at Thomson Reuters, tells IT Pro: "Traditionally, regulators [of financial services and data protection technologies] have sought to be technology-neutral when it comes to their rules and requirements, and have focused on the outcomes of the use of any technologies.

"The emphasis is on senior managers understanding the new technologies, their limitations, any new risks which may arise (e.g. bias in machine learning, etc.) and the checks and balances to ensure that the technology is, in practice, working as intended. Equally, there is a focus on the resilience of IT infrastructures both in terms of ensuring good customer outcomes and cyber hygiene."


DARQ offers businesses the tools they need to develop new personalised experiences for their customers. Each element of DARQ will independently usher in new opportunities and ways of working, but it's the convergence of these technologies that really drives innovation what Accenture called the reimagining of entire industries. Indeed, according to Accenture 89% of businesses are already experimenting with one or more DARQ technologies. For example, Volkswagen is using quantum computers to develop intelligent traffic guidance systems.


Using AI as a component of service automation, for instance, opens up questions of accuracy and accountability. At the moment, the focus is on financial services as they expand and accelerate their use of technologies such as machine learning and biometric identification to combat fraud. When other DARQ technologies are added to the mix, this heady cocktail of data becomes difficult to police. Here, RegTech (regulation technology) could offer a solution.

The RegTech industry is expanding. According to KPMG, RegTech's predicted share of all regulatory spending by 2022 will reach 34%, with the management consultancy defining RegTech 3.0 as a move from "know your customer" to "know your data". This shift is critical to understand, as all of the DARQ technologies are developing to create highly personalised services, all of which will need a degree of regulation.


The initial focus has been on how technologies such as AI are being applied to financial services and the businesses that supply them. RegTech, though, is expected to increase in importance as regulators realise they need new platforms to ensure DARQ technologies remain compliant.


"With regards to AI or quantum, regulations will be crucial for the wider adoption of these technologies as they will provide protection to consumers. This will allow the public to trust that they can safely rely upon these services," explains Benoît Sauvage, director of regulatory strategy at Deloitte.

"The main issue is that regulations do not yet fully comprehend these technologies. For instance, for AI, it is expected that regulations demand to explain the algorithms and show how results can be overridden or stopped. For quantum there might be a need to adapt cybersecurity rules and data protection rules," he adds.

Businesses and regulators alike are considering how automated systems could help them keep pace with the technological change that will only accelerate when DARQ is considered.

Removing human compliance officers from the decision-making processes is risky, as many of the DARQ technologies are often a black box. RegTech will evolve and become an essential tool. Compliance officers will have little choice than to use these systems if they are to understand the avalanche of regulation that DARQ will attract and how these regulations impact their businesses.

Businesses are striving to implement more automation and DARQ will help them achieve those goals. However, these technologies can seem opaque to the uninitiated, and how machine learning systems arrive at a conclusion must be explainable. Ensuring that bias isn't present in the system is vital, and the system must be subject to some form of oversight.


However, as François-Kim Hug, a partner at Deloitte, tells IT Pro, it's important not to forget the importance of human input.

"The advent of RegTech does not mean the end of the compliance officer," Hug explains. "We are still far from a global compliance solution that can anticipate, understand, interpret and implement the ongoing avalanche of regulations impacting all businesses. This means the profile of compliance officers will need to adjust to this new digital reality where new solutions and new ways of working are created daily."

All of the DARQ technologies are on an accelerating upward trajectory, although not all of them will develop at the same pace. Already we see the first widespread applications of AI particularly machine learning whereas other components of the DARQ collective, such as quantum computing, are still in their infancy.

As such, regulators will move forward with defining the compliance regime DARQ must be used within as each component becomes more mainstream and begins to impact consumers.


For businesses, while most recognise the massive impact SMAC has had, they may not be aware of DARQ or know that its impact could be even more disruptive. Once they wake up to this reality, their development roadmap should come into focus as soon as possible and they can start taking their first steps in using these technologies.

Regulators will, as always, be watching, and RegTech could deliver a helpful dose of automated compliance. But that doesn't mean it's time to say goodbye to your human compliance officers; they will have a vital role to play as we start to more confidently explore the DARQ.


Sen. Warner: 5G ORAN Bill Added to Must-Pass Legislation – Multichannel News

Sen. Mark Warner (D-Va.) said an ORAN (open radio access network)-targeted 5G funding bill he has championed has been added to the next managers' amendment for the must-pass National Defense Authorization Act, which he said will pass by the end of the year. That is the good news, he said on a USTelecom webinar Tuesday (June 30).

Related: Open RAN Group Sees Cloud on 5G Horizon...and That's a Good Thing

The bad news is that the funding levels have been dramatically cut down to a "minuscule" amount, said Warner, who is ranking member of the Senate Intelligence Committee, an amount that does not signal the U.S. is serious about moving toward a more cloud-based, less Huawei-based model for 5G network architecture.

The bill as initially drawn up would provide $1 billion-plus, including $750 million for ORAN R&D and another $500 million for collaboration with international partners. In order to get it into the Defense bill, those numbers have been cut to $50 million (in the first year) for R&D and $25 million for collaboration.

ORAN is an open, interoperable, more software-centric (virtualized) 5G network architecture that is easier to secure from foreign malware and allows U.S. and other companies to be bigger network players.

Warner said it falls short of 5G as industrial policy, but is also a signal that the U.S. recognizes that it is tough for the Samsungs, Nokias and Ericssons to compete with Chinese tech suppliers like Huawei that are bankrolled by the Chinese government. Given that, the U.S. has to start thinking differently, he said.

Warner speaks from experience as a co-founder of Nextel.

Warner urged the companies on the Webinar to get their CEOs to weigh in so those figures could be boosted in a further iteration of the bill and the U.S. could reassert its leadership in the 5G competition with the Chinese government.

Related: Tech Companies Coalesce Around Safer 5G RAN Supply Chain

Warner said on the webinar that he thought over the past 20 years or so that we, by which he meant the U.S. and U.S. companies and the West "writ large" were so used to leading in wireless on rules and standards and protocols that "we kind of fell asleep at the switch."

He said that included both the Obama Administration and the Trump Administration, the latter of which he said had made things worse; neither, he said, had articulated a clear path forward for 5G.

Warner said that path should be ORAN-centric, meaning more modular, cloud-based and software-centric, which translates to a network based more on the software side, where the U.S. has dominated, and which is easier to secure than one based on Huawei tech backed by the Chinese Communist Party.

He said that not since Sputnik has the U.S. trailed in standards-setting to the degree it currently does in 5G.

He also warned that China's rise in 5G tech and standard-setting and the issue of network security could be the blueprint for similar issues with artificial intelligence and quantum computing.

He said the Chinese model was to encourage ferocious competition in the domestic market and then, when a "national champion" emerges, support its dominance of the Chinese market, as with Huawei in 5G (with 70%-80% of the domestic market). That translates to 20%-30% of the global market, which makes it hard for competitors that don't have that government incubation.

He said he feared that could happen with AI and cloud computing if the U.S. doesn't get 5G right.

China recently announced a trillion-dollar investment in AI, cloud and other new tech.


Voice recordings from domestic violence alerting app exposed on the internet – Security Boulevard

On the face of it, it sounded like a good idea.

A smartphone app, disguised as a regular app delivering the top world, sports, and entertainment news, containing a secret feature that allows victims of domestic abuse to send a covert distress call for help at the touch of a button.

That was the idea behind the free Aspire News App, launched some years ago by When Georgia Smiled, a US non-profit founded by Robin McGraw and her husband US TV star Dr Phil to help victims of domestic violence and sexual assault.

To be honest, that still sounds like a good idea to me if the app is coded well, and if any data it collects is properly secured.

But what isn't a good idea is for voice recordings made by the app to be left exposed in an unsecured Amazon Web Services (AWS) S3 bucket, allowing anyone with internet access to download them and listen if they so wish.

According to security researchers at VPN Mentor, who found the exposed data, over 4,000 voice recordings of emergency messages left by victims of domestic violence were available to access no password required.

Some of the 230MB worth of recordings included personally identifiable information such as names and home addresses, as well as the identities of violent abusers.

Transcripts of just two of the recordings that were exposed reveal the seriousness of the situation:

[Full Name] is threatening or hurting me. Please send help now. [Full address]

and

Please call the police right away and have them come to [Full Address]. I am in great danger. I need you to send the police right away, please

Potentially, if the information fell into the wrong hands, it could not only put people who did not want the data revealed at risk of extortion, but could also put victims in greater physical danger if their abuser found out.

The researchers attempted to reach out to When Georgia Smiled and the Dr. Phil Foundation to get the serious data breach fixed last Wednesday, but ultimately it took the involvement of AWS itself to get the unsecured S3 bucket shut down.
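The article does not say whether the bucket was opened by a bucket ACL or a bucket policy, only that no password was required. Either way, the check a practitioner wants is mechanical: does any Allow statement grant s3:GetObject to everyone with no condition, and is S3 Block Public Access switched on so that such a grant cannot take effect? The following is an added example for this page, not vpnMentor's or the app's code; the bucket name, account ID and role name are placeholders, and the two policies are constructed to show the weak setting beside a corrected one.

```python
import json

# Added example (not vpnMentor's or the Aspire app's code). Bucket name, account ID and
# role name are placeholders; the article does not publish the real configuration.

BUCKET = "example-voice-recordings"   # placeholder

# The failure mode: an Allow to everyone ("Principal": "*") on every object, no Condition.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
})

# Corrected policy: one named application role may read, and plaintext HTTP is refused outright.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/aspire-backend"},  # placeholder
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# S3 Block Public Access (account or bucket level): all four flags must be true to stop
# both public ACLs and public bucket policies from taking effect.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _principal_is_anonymous(principal):
    # "*" and {"AWS": "*"} both mean anyone, including unauthenticated callers.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _action_covers(actions, wanted):
    wanted = wanted.lower()
    for act in _as_list(actions):
        act = act.lower()
        if act in ("*", "s3:*", wanted):
            return True
        if act.endswith("*") and wanted.startswith(act[:-1]):   # e.g. s3:Get*
            return True
    return False

def public_read_statements(policy_json):
    """Sids of Allow statements granting s3:GetObject to anonymous principals with no Condition."""
    doc = json.loads(policy_json)
    hits = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(st.get("Principal")):
            continue
        if not _action_covers(st.get("Action", []), "s3:GetObject"):
            continue
        if st.get("Condition"):
            continue   # conditional anonymous grants deserve review, but are not unconditionally public
        hits.append(st.get("Sid", "<no Sid>"))
    return hits

def is_public_read(policy_json):
    return bool(public_read_statements(policy_json))

def public_access_block_is_complete(cfg):
    return all(cfg.get(k) is True for k in HARDENED_PUBLIC_ACCESS_BLOCK)

if __name__ == "__main__":
    for name, pol in (("public", PUBLIC_READ_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(f"{name}: anonymous-read statements = {public_read_statements(pol)}")
    print("block public access complete:",
          public_access_block_is_complete(HARDENED_PUBLIC_ACCESS_BLOCK))
```

Against a live bucket the same questions are answered by the AWS CLI: `aws s3api get-bucket-policy-status` reports whether AWS itself considers the policy public, `aws s3api get-bucket-acl` covers the ACL route that the policy check above does not see, and `aws s3api get-public-access-block` shows the four flags. With all four flags set at the account level, a policy like PUBLIC_READ_POLICY is rejected or neutralised rather than quietly exposing 4,000 recordings.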

So, thats a happy end to the story, right?

Well, perhaps not.

You see, a security failure like this could lead to victims of domestic abuse losing confidence in Aspire News App. If they do not feel safe any longer using the app, they may find it harder to escape abusive relationships safely.

That clearly wasnt what Dr Phil and his wife Robin McGraw wanted the Aspire News app was supposed to help people escape dangerous situations, not make it even harder to find a way out.


*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Graham Cluley. Read the original post at: https://hotforsecurity.bitdefender.com/blog/voice-recordings-from-domestic-violence-alerting-app-exposed-on-the-internet-23609.html


How to Build the Right Security Assessment – Security Boulevard

While ISO/IEC 27000, the NIST Cybersecurity Framework, the Shared Assessments SIG, the Cloud Security Alliance CAIQ, the Center for Internet Security Top 20 and other standards now prevail in the cybersecurity industry, the third-party risk management discipline is still fragmented in its methods. Security risk in the supply chain has increased exponentially given complex, often global supplier networks, mounting cyberthreats and increased government regulation.

In trying to keep up, companies have implemented lengthy vendor assessments that regularly prove burdensome for their internal teams to manage. They're also onerous for suppliers, which must respond to similar questions asked in slightly different ways by every company they sell to. That muddies data collection and makes a consistent cross-industry evaluation difficult to impossible.

For instance, during some recent research exploring hundreds of security assessment questions, my firm discovered 10 iterations of a basic question asking if a supplier conducts penetration testing! Considering questionnaires can have hundreds of questions, it's easy to see the scope of the challenge.

A natural response would be to seek a set of standards for use in creating and implementing third-party risk assessment instruments. For example, the Shared Assessments Program, a global membership organization focused on best practices for third-party risk assurance, has created a useful tool with its Standardized Information Gathering (SIG) Shared Assessment. The SIG offers a great starting place for assessing risk management across 18 service provider business domains, using a common taxonomy for hundreds of questions.

The benefit of this and similar resources is that they are created by experts who evaluate a huge set of questions, intake a breadth of third-party risk management expertise and codify it. They apply an industry-agnostic, global perspective. They also continually update question banks as new information is uncovered and analyzed. Because it's their core business mission, the output is high-quality, comprehensive and likely better than any company could do on its own.

As valuable as this resource can be, organizations still often modify standard SIG questions to apply their own terminology or otherwise adjust them to meet their specific risk appetite. That exacerbates the inconsistency problem.

The pentesting question dilemma is a prime example. Assessment questionnaires not aligned to a standard framework require those completing the assessment to stop, read, understand and interpret a question for any nuance contained in it. Perhaps there's even a follow-up question included. This takes time and may actually increase errors.

Instead, given the availability of rich standardized tools and expertise, it's far more efficient for all concerned if organizations customize the way they apply standardized questions, mapping them back to their specific organizational risk threshold. For instance, think through which of the 18 SIG domains applies to your unique situation and select standard questions that align to your corresponding areas of risk. There are hundreds to choose from.

For those who insist that customized questions are necessary, consider standing in the vendor's shoes. Read your entire assessment questionnaire and honestly consider your reaction if you were told to complete it. If you're not willing to fill it out, it's the wrong thing to be sending.

Whats more, the vendor cost burden is already prohibitive. Buyers who make the process too complex and consequently too expensive stand to drive away the best vendors, which will look for paths of less resistance. Those that do stay with you will pass the costs back to you in some other form.

It ultimately comes down to time, cost and sanity. Given the extensive supply chains that so many businesses depend on, yesterday's system no longer works. Third-party security assessments will remain a critical part of effectively managing the security risk that's inherent in the supply chain, but critical doesn't have to be complicated. Instead of recreating the wheel, embracing tools already available will help all of us reach the same objectives, improve efficiencies and secure the interdependent global business ecosystem.

Read the original post:
How to Build the Right Security Assessment - Security Boulevard
Cascading Security Through the Internet of Things Supply Chain – Lawfare

The internet of things (IoT) has been insecure since the first connected refrigerator woke up and asked for more milk. But while having your fridge hacked seems at best amusing and at worst inconvenient, the nightmare scenario is a matter of national security. Imagine hundreds of thousands of smart refrigerators, all with the same default password, hacked to direct a flood of web traffic against key internet servers, paralyzing them. Swap smart fridges for security cameras and DVD players, and you have the Dyn cyberattack of 2016.

At the heart of most home networks, and many industrial ones, is the humble wireless router. The security of these popular hubs is a prominent concern because they form the core of IoT networks. Against the steady drumbeat of major security flaws disclosed in the code running these devices, including several in just the past month, researchers have seen little progress in router security over the past 15 years. Serious vulnerabilities in home Wi-Fi routers can open the door for attackers to gain access to local networks and other connected systems. As the U.S. faces a surge of attacks exploiting the widespread uncertainty and confusion wrought by the coronavirus pandemic, these concerns have become all the more urgent.

Routers exemplify the challenges for IoT security: widening dependence, poor security practices, and manufacturers based around the world beyond the reach of a single jurisdiction.

This issue of jurisdiction is critical. Even with a clear security framework for manufacturers, supported by the kind of congressionally backed enforcement proposed by the U.S. Cyberspace Solarium Commission, most manufacturers in this market are based outside the United States. The IoT supply chain is global, and any policy solution must account for this fact.

In a new paper, we propose to leverage these supply chains as part of the solution. Selling to U.S. consumers generally requires that IoT manufacturers sell through a U.S. subsidiary or, more commonly, a domestic distributor like Best Buy or Amazon. The Federal Trade Commission can apply regulatory pressure to this distributor to sell only products that meet the requirements of a security framework developed by U.S. cybersecurity agencies. That would put pressure on manufacturers to make sure their products are compliant with the standards set out in this security framework, including pressuring their component vendors and original device manufacturers to make sure they supply parts that meet the recognized security framework.

Companies are asking for testable IoT standards that would help them accurately and consistently communicate the safety of the products they sell to customers. Distributors like Target already have internal processes in place to ensure that all products on their shelves comply with relevant safety and quality standards. Efforts like the recent NIST Internal Report 8259 are good candidates for such a framework, preventing the Federal Trade Commission from having to endorse or promulgate its own standards. Other examples, like the Japanese government's IoT Security Safety Framework, evince welcome concern about the issue but, at present, are too abstract to be enforceable on manufacturing and design processes.

Additionally, a national labeling scheme would help distributors identify compliant products and provide a pathway for consumer pressure on manufacturers. One recent survey found 87 percent of consumers believe it is the manufacturers' responsibility to secure their IoT products. A labeling scheme would provide another pathway for that sentiment to shape the marketplace. The Cyberspace Solarium Commission's recommendation for a National Cybersecurity Certification and Labeling Authority would help concentrate market information about good security practices and provide accessible ratings to users. Last month, Carnegie Mellon's CyLab demonstrated a prototype IoT security labeling scheme, based on several years of work meant to condense key security measures into a concise set of words and images.

These policy tools are not limited to the United States. Earlier this year, Singapore unveiled its own plan for such a labeling scheme for Wi-Fi routers and smart home products, an encouraging sign that this could be a feasible way to remove poorly secured IoT devices from the global market. The U.K.'s Code of Practice presents a similar opportunity to hold retailers and distributors accountable for products they sell, offering 13 security guidelines for IoT manufacturers and service providers. Following a public consultation in 2019, the U.K. government explored a mandatory security labeling scheme, as well as an outright ban of the sale of products that do not adhere to the top three guidelines: no default passwords, implementation of a vulnerability disclosure policy, and regular software updates backed by an end-of-life policy. Building on the U.K.'s work, the European Telecommunications Standards Institute (ETSI) launched its consumer IoT security standard last year, while the EU Agency for Cybersecurity published its Good Practices report outlining baseline security recommendations for the IoT. A proposal from Australia's IoT Alliance for an independent certification scheme, called Trust Mark, would provide the kind of security labeling we call for.

Any of these efforts could provide an effective candidate for an international security framework, especially if harmonized with a U.S. standard. Cross-national coordination with other countries that have major markets for IoT products is crucial for preventing jurisdiction hopping by manufacturers. Europe is an important partner for such cooperation, given the EU's recent focus on security standards and certification.

The poor state of IoT security is nothing new, but the growing array of policy initiatives and security standards to address it is a welcome sign. It would be a genuine loss for the public interest if these efforts floundered due to jurisdictional boundaries and the limitations of domestic enforcement. Establishing and harmonizing security standards across borders is an important step toward a more secure IoT ecosystem. The IoT supply chain has so far been a channel for risk into our homes. We can use that same channel to push security back up through the supply chain.

Read the original post:
Cascading Security Through the Internet of Things Supply Chain - Lawfare