Employers Should Start Preparing their EEO-1 Reports Now

Jim Paretti talks about submitting workforce data correctly on EEO-1 reports.

SHRM Online

Labor of Law: Should Employers Be Liable When Their AI Tools Break the Law?

Jim Paretti weighs in on the many legal questions raised by a new law in New York City that will ban employers from using AI tools in hiring unless they're annually audited.

Law.com

Littler Bolsters Toronto Office with the Addition of Partner Stephen Shore

TORONTO (April 15, 2024) – Littler, the world’s largest employment and labour law practice representing management, has added Stephen Shore as a partner in its Toronto office. Shore joins from Ogletree Deakins and represents employers across all areas of employment and labour law.

We asked a labor lawyer what AI laws HR should look out for

Niloy Ray talks about the proposed AI regulations from the California Privacy Protection Agency and what all HR professionals should consider about AI and compliance. 

HR Brew

New Year, New Data Protection Laws: What Employers Should Know

  • Fourteen states have adopted comprehensive data protection laws, most of which will take effect within the next two years.
  • Of these laws, only the California Privacy Rights Act applies to HR data.
  • Nevertheless, employment counsel and HR professionals will be involved in assisting their organizations to comply with the broad range of responsibilities these laws impose.
  • States are also proposing and enacting smaller laws applicable to HR data.

Data Privacy and AI: What Should UK and EU Employers Look out for in 2024?

As we look ahead to 2024, it is clear that both data protection and AI will continue to take center stage in the UK, as it will in many other countries.

In this article we look ahead to the developments that are expected to impact UK employers in the coming year.

What HR should know about Colorado’s new AI law

Philip L. Gordon says a new AI law in Colorado means that any employer doing business in the state with more than 50 employees will have specific obligations when AI is a factor in the decision-making processes that affect personnel.

HR Brew

Private employers should consider this when navigating politics in the workplace

Joycelyn Stevenson shares four key points employers should consider when it comes to politics at work.

Nashville Business Journal

Important Changes for Businesses in Australia – What Employers Should Know

  • Several new employment law changes in Australia have or will soon become enforceable.
  • Employers may need to review and revise their policies and procedures governing wage theft, the right to disconnect, shut-down notices, privacy, sexual harassment, and independent contractors.

ETSI Intelligent Transport Systems workshop outlines global projects

Sophia Antipolis, 8 March 2019

The annual ETSI Intelligent Transport Systems (ITS) workshop ended after 2 days of intensive discussions and networking opportunities between industry, the European Commission and stakeholders involved in Cooperative ITS deployment (C-ITS) worldwide.

"CALLING THE SHOTS" A report commissioned by ETSI calls on EU to retake global leadership in digital standard setting

Sophia Antipolis, 10 October 2019

The report, Calling the Shots: Standardization for EU Competitiveness in a Digital Era, was drawn up by an independent panel of experts brought together by Kreab at the request of ETSI and led by Carl Bildt, former Prime Minister and Foreign Minister of Sweden. The panel, which met during the first half of 2019, gathered insights and experience from industry, politics and academia.

ETSI participates in IEEE Workshop on Autonomic/Autonomous Networking

Sophia Antipolis, 20 January 2021

The ETSI Working Group on the evolution of management toward Autonomic Future Internet (AFI) has been invited to the Systems Optimization Imperatives, Techniques, and Opportunities for Future Networks virtual workshop organized by IEEE on 21, 22 and 25 January.

CEN, CENELEC and ETSI held a workshop on standards in support of the industrial data value chain

Sophia Antipolis, 29 September 2021

Industrial data has become one of the top strategic priorities for European and international industry in recent years. Well managed and duly exploited, industrial data bring a significant competitive edge to businesses and can greatly improve overall efficiency, be it by supporting core processes or by providing a new source of insights.

In this data-driven era, industrial data play an essential role in building the foundation of the next wave of digitization in Europe. For this reason, it is key to the success of a harmonized Single Market and European competitiveness in the global market, but also for the success of the twin transition (green and digital) at the heart of the EU policy agenda.

ENISA and ETSI joint workshop tackles challenges for European identity proofing

Sophia Antipolis, 3 May 2022

Today ENISA (the European Union Agency for Cybersecurity) and ETSI organized a workshop as part of their joint effort and collaboration to support EU requirements for identity proofing. The event was aimed mainly at EU companies and other public or academic organizations that run, or are preparing to launch, a remote ID solution.

ETSI workshop: improving Quality of Emerging Services for Speech and Audio

Sophia Antipolis, 23 November 2022

The ETSI STQ (Speech and multimedia Transmission Quality) Workshop that took place on 21-22 November 2022 in Bratislava (Slovakia) was hosted by Amazon. It focused on a user-centred perspective of the Quality of Emerging Services for Speech and Audio.

The event was attended by organizations providing a rich mix of inputs and perspectives from industry, regulators, and academia. Through presentations, discussions and professional networking, this STQ Workshop demonstrated a very high level of engagement by all participants, with stimulating interaction among all speakers and the audience.

Assessing social media impact – a workshop at ScienceOnline #scioimpact

Assessing social media impact was one of the workshop sessions at November’s SpotOn London conference,

SpotOn London 2013: What should the scientific record look like in the digital age?

Julia Schölermann is the organiser for this year’s SpotOn London session on, What should the scientific

How should governments respond to crises? Rapid response using RIAPA modeling system

Empowering Women: Inclusion in India's Government Planning (Short Version)

Cybersecurity Snapshot: New Guides Offer Best Practices for Preventing Shadow AI and for Deploying Secure Software Updates

Looking for help with shadow AI? Want to boost your software updates’ safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU’s new cyber law; and CISOs’ communications with boards.

Dive into six things that are top of mind for the week ending Oct. 25.

1 - CSA: How to prevent “shadow AI” 

As organizations scale up their AI adoption, they must closely track their AI assets to secure them and mitigate their cyber risk. This includes monitoring the usage of unapproved AI tools by employees — an issue known as “shadow AI.”

So how do you identify, manage and prevent shadow AI? You may find useful ideas in the Cloud Security Alliance’s new “AI Organizational Responsibilities: Governance, Risk Management, Compliance and Cultural Aspects” white paper.

The white paper covers shadow AI topics including:

  • Creating a comprehensive inventory of AI systems
  • Conducting gap analyses to spot discrepancies between approved and actual AI usage
  • Implementing ways to detect unauthorized AI wares
  • Establishing effective access controls
  • Deploying monitoring techniques

“By focusing on these key areas, organizations can significantly reduce the risks associated with shadow AI, ensuring that all AI systems align with organizational policies, security standards, and regulatory requirements,” the white paper reads.

For example, to create an inventory that offers the required visibility into AI assets, the document explains different elements each record should have, such as:

  • The asset’s description
  • Information about its AI models
  • Information about its data sets and data sources
  • Information about the tools used for its development and deployment
  • Detailed documentation about its lifecycle, regulatory compliance, ethical considerations and adherence to industry standards
  • Records of its access control mechanisms

Shadow AI is one of four topics covered in the publication, which also unpacks risk management; governance and compliance; and safety culture and training.

To get more details, read:

For more information about AI security issues, including shadow AI, check out these Tenable blogs:

2 - Best practices for secure software updates

The security and reliability of software updates took center stage in July when an errant update caused massive and unprecedented tech outages globally.

To help prevent such episodes, U.S. and Australian cyber agencies have published “Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers.”

“It is critical for all software manufacturers to implement a safe software deployment program supported by verified processes, including robust testing and measurements,” reads the 12-page document.

Although the guide is aimed primarily at commercial software vendors, its recommendations can be useful for any organization with software development teams that deploy updates internally.

The guide outlines key steps for a secure software development process, including planning; development and testing; internal rollout; and controlled rollout. It also addresses errors and emergency protocols.

“A safe software deployment process should be integrated with the organization’s SDLC, quality program, risk tolerance, and understanding of the customer’s environment and operations,” reads the guide, authored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Australian Cyber Security Centre.

To get more details, read:

For more information about secure software updates:

3 - Report: GenAI, attack variety, data security drive cyber strategies

What issues act as catalysts for organizations’ cybersecurity actions today? Hint: They’re fairly recent concerns. The promise and peril of generative AI ranks first. It’s closely followed by the ever-growing variety of cyberattacks, and by the intensifying urgency to protect data.

That’s according to CompTIA’s “State of Cybersecurity 2025” report, based on a survey of almost 1,200 business and IT pros in North America and in parts of Europe and Asia. 

These three key factors, along with others like the scale of attacks, play a critical role in how organizations currently outline their cybersecurity game plans.

“Understanding these drivers is essential for organizations to develop proactive and adaptive cybersecurity strategies that address the evolving threat landscape and safeguard their digital assets,” reads a CompTIA blog about the report.

Organizations are eagerly trying to understand both how generative AI can help their cybersecurity programs and how this technology is being used by malicious actors to make cyberattacks harder to detect and prevent.

Meanwhile, concern about data protection has ballooned in the past couple of years. “As organizations become more data-driven, the need to protect sensitive information has never been more crucial,” reads the blog.

Not only are organizations focused on securing data at rest, in transit and in use, but they’re also creating foundational data-management practices, according to the report.

“The rise of AI has accelerated the need for robust data practices in order to properly train AI algorithms, and the demand for data science continues to be strong as businesses seek competitive differentiation,” the report reads.

To get more details, read:

For more information about data security posture management (DSPM) and preventing AI-powered attacks, check out these Tenable resources:

4 - CISA lists software dev practices most harmful for security

Recommended best practices abound in the cybersecurity world. However, CISA and the FBI are taking the opposite tack in their quest to improve the security of software products: They just released a list of the worst security practices that software manufacturers ought to avoid.

Titled “Product Security Bad Practices,” the document groups the “no-nos” into three main categories: product properties; security features; and organizational processes and policies.

“It’s 2024, and basic, preventable software defects continue to enable crippling attacks against hospitals, schools, and other critical infrastructure. This has to stop,” CISA Director Jen Easterly said in a statement.

“These product security bad practices pose unacceptable risks in this day and age, and yet are all too common,” she added.

Here are some of the worst practices detailed in the document, which is part of CISA’s “Secure by Design” effort:

  • Using programming languages considered “memory unsafe”
  • Including user-provided input in SQL query strings
  • Releasing a product with default passwords
  • Releasing a product with known and exploited vulnerabilities
  • Not using multi-factor authentication
  • Failing to disclose vulnerabilities in a timely manner

Although the guidance is aimed primarily at software makers whose products are used by critical infrastructure organizations, the recommendations apply to all software manufacturers.

If you’re interested in sharing your feedback with CISA and the FBI, you can submit comments about the document until December 16, 2024 on the Federal Register.

To get more details, check out:

For more information about how to develop secure software:

5 - New EU law focuses on cybersecurity of connected digital products

Makers of digital products — both software and hardware — that directly or indirectly connect to networks and to other devices will have to comply with specific cybersecurity safeguards in the European Union.

A newly adopted law known as the “Cyber Resilience Act” outlines cybersecurity requirements for the design, development, production and lifecycle maintenance of these types of products, including IoT wares such as connected cars.

For example, it specifies a number of “essential cybersecurity requirements” for these products, including that they:

  • Aren’t shipped with known exploitable vulnerabilities
  • Feature a “secure by default” configuration
  • Can fix their vulnerabilities via automatic software updates
  • Offer access protection via control mechanisms, such as authentication and identity management
  • Protect the data they store, transmit and process using, for example, at-rest and in-transit encryption

“The new regulation aims to fill the gaps, clarify the links, and make the existing cybersecurity legislative framework more coherent, ensuring that products with digital components (...) are made secure throughout the supply chain and throughout their lifecycle,” reads a statement from the EU’s European Council.

The law will “enter into force” after its publication in the EU’s official journal and will apply and be enforceable 36 months later, so most likely in October 2027 or November 2027. However, some of its provisions will be enforceable a year prior.

For more information and analysis about the EU’s Cyber Resilience Act:

Video: The EU Cyber Resilience Act: A New Era for Business Engagement in Open Source Software (Linux Foundation)

6 - UK cyber agency: CISOs must communicate better with boards

CISOs and boards of directors are struggling to understand each other, and this is increasing their organizations’ cyber risk, new research from the U.K.’s cyber agency has found.

For example, in one alarming finding, 80% of respondents, which included board members, CISOs and other cyber leaders in medium and large enterprises, confessed to being unsure of who is ultimately accountable for cybersecurity in their organizations.

“We found that in many organisations, the CISO (or equivalent role) thought that the Board was accountable, whilst the Board thought it was the CISO,” reads a blog about the research titled “How to talk to board members about cyber.”

As a result, the U.K. National Cyber Security Centre (NCSC) has released new guidance aimed at helping CISOs better communicate with their organizations’ boards, titled “Engaging with Boards to improve the management of cyber security risk.”

“Cyber security is a strategic issue, which means you must engage with Boards on their terms and in their language to ensure the cyber risk is understood, managed and mitigated,” the document reads.

Here’s a small sampling of the advice:

  • Understand your audience, including who are the board’s members and their areas of expertise; and how the board works, such as its meeting formats and its committees.
  • Talk about cybersecurity in terms of risks, and outline these risks concretely and precisely, presenting them in a matter-of-fact way.
  • Don’t limit your communication with board members to formal board meetings. Look for opportunities to talk to them individually or in small groups outside of these board meetings.
  • Elevate the discussions so that you link cybersecurity with your organization’s business challenges, goals and context.
  • Aim to provide a holistic view, and avoid using technical jargon.
  • Aim to advise instead of to educate.

Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security

Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.

Dive into six things that are top of mind for the week ending Nov. 1.

1 - Securing OT/ICS in critical infrastructure with zero trust

As their operational technology (OT) computing environments become more digitized, converged with IT systems and cloud-based, critical infrastructure organizations should beef up their cybersecurity by adopting zero trust principles.

That’s the key message of the Cloud Security Alliance’s “Zero Trust Guidance for Critical Infrastructure,” which focuses on applying zero trust methods to OT and industrial control system (ICS) systems.

While OT/ICS environments were historically air gapped, that’s rarely the case anymore. “Modern systems are often interconnected via embedded wireless access, cloud and other internet-connected services, and software-as-a-service (SaaS) applications,” reads the 64-page white paper, which was published this week.

The CSA hopes the document will help cybersecurity teams and OT/ICS operators enhance the way they communicate and collaborate.

Among the topics covered are:

  • Critical infrastructure’s unique threat vectors
  • The convergence of IT/OT with digital transformation
  • Architecture and technology differences between OT and IT

The guide also outlines this five-step process for implementing zero trust in OT/ICS environments:

  • Define the surface to be protected
  • Map operational flows
  • Build a zero trust architecture
  • Draft a zero trust policy
  • Monitor and maintain the environment

A zero trust strategy boosts the security of critical OT/ICS systems by helping teams “keep pace with rapid technological advancements and the evolving threat landscape,” Jennifer Minella, the paper’s lead author, said in a statement.

To get more details, read:

For more information about OT systems cybersecurity, check out these Tenable resources: 

2 - Five Eyes publish cyber guidance for tech startups

Startup tech companies can be attractive targets for hackers, especially if they have weak cybersecurity and valuable intellectual property (IP).

To help startups prevent cyberattacks, the Five Eyes countries this week published cybersecurity guides tailored for these companies and their investors.

“This guidance is designed to help tech startups protect their innovation, reputation, and growth, while also helping tech investors fortify their portfolio companies against security risks," Mike Casey, U.S. National Counterintelligence and Security Center Director, said in a statement.

These are the top five cybersecurity recommendations from Australia, Canada, New Zealand, the U.S. and the U.K. for tech startups:

  • Be aware of threat vectors, including malicious insiders, insecure IT and supply chain risk.
  • Identify your most critical assets and conduct a risk assessment to pinpoint vulnerabilities.
  • Build security into your products by managing intellectual assets and IP; monitoring who has access to sensitive information; and ensuring this information’s protection.
  • Conduct due diligence when choosing partners and make sure they’re equipped to protect the data you share with them.
  • Before you expand abroad, prepare and become informed about these new markets by, for example, understanding local laws in areas such as IP protection and data protection.

“Sophisticated nation-state adversaries, like China, are working hard to steal the intellectual property held by some of our countries’ most innovative and exciting startups,” Ken McCallum, Director General of the U.K.’s MI5, said in a statement.

To get more details, check out these Five Eyes’ cybersecurity resources for tech startups:

3 - Survey: Unapproved AI use impacting data governance

Employees’ use of unauthorized AI tools is creating compliance issues in a majority of organizations. Specifically, it makes it harder to control data governance and compliance, according to almost 60% of organizations surveyed by market researcher Vanson Bourne.

“Amid all the investment and adoption enthusiasm, many organisations are struggling for control and visibility over its use,” reads the firm’s “AI Barometer: October 2024” publication. Vanson Bourne polls 100 IT and business executives each month about their AI investment plans.

[Chart: “To what extent do you think the unsanctioned use of AI tools is impacting your organisation's ability to maintain control over data governance and compliance?” (Source: Vanson Bourne’s “AI Barometer: October 2024”)]

Close to half of organizations surveyed (44%) believe that at least 10% of their employees are using unapproved AI tools.

On a related front, organizations are also grappling with the issue of software vendors that unilaterally and silently add AI features to their products, especially to their SaaS applications.

While surveyed organizations say they’re reaping advantages from their AI usage, “such benefits are dependent on IT teams having the tools to address the control and visibility challenges they face,” the publication reads.

For more information about the use of unapproved AI tools, an issue also known as “shadow AI,” check out:

Video: Shadow AI Risks in Your Company

4 - NCSC explains nuances of multi-factor authentication

Multi-factor authentication (MFA) comes in a variety of flavors, and understanding the differences is critical for choosing the right option for each use case in your organization.

To help cybersecurity teams better understand the different MFA types and their pluses and minuses, the U.K. National Cyber Security Centre (NCSC) has updated its MFA guidance.

“The new guidance explains the benefits that come with strong authentication, while also minimising the friction that some users associate with MFA,” reads an NCSC blog.

In other words, what type of MFA method to use depends on people’s roles, how they work, the devices they use, the applications or services they’re accessing and so on.

Topics covered include:

  • Recommended types of MFA, such as FIDO2 credentials, app-based and hardware-based code generators and message-based methods
  • The importance of using strong MFA to secure users’ access to sensitive data
  • The role of trusted devices in boosting and simplifying MFA
  • Bad practices that weaken MFA’s effectiveness, such as:
    • Retaining weaker, password-only authentication protocols for legacy services
    • Excluding certain accounts from MFA requirements because their users, usually high-ranking officials, find MFA inconvenient

To get more details, read:

For more information about MFA:

5 - U.S. gov’t outlines AI strategy, ties it to national security 

The White House has laid out its expectations for how the federal government ought to promote the development of AI in order to safeguard U.S. national security.

In the country’s first-ever National Security Memorandum (NSM) on AI, the Biden administration said the federal government must accomplish the following:

  • Ensure the U.S. is the leader in the development of safe, secure and trustworthy AI
  • Leverage advanced AI technologies to boost national security
  • Advance global AI consensus and governance

“The NSM’s fundamental premise is that advances at the frontier of AI will have significant implications for national security and foreign policy in the near future,” reads a White House statement.

The NSM’s directives to federal agencies include:

  • Help improve the security of chips and support the development of powerful supercomputers to be used by AI systems.
  • Help AI developers protect their work against foreign spies by providing them with cybersecurity and counterintelligence information.
  • Collaborate with international partners to create a governance framework for using AI in a way that is ethical, responsible and respects human rights. 

The White House also published a complementary document titled “Framework To Advance AI Governance and Risk Management in National Security,” which adds implementation details and guidance for the NSM.

6 - State CISOs on the frontlines of AI security

As the cybersecurity risks and benefits of AI multiply, most U.S. state CISOs find themselves at the center of their governments' efforts to craft AI security strategies and policies.

That’s according to the “2024 Deloitte-NASCIO Cybersecurity Study,” which surveyed CISOs from all 50 states and the District of Columbia.

Specifically, 88% of state CISOs reported being involved in the development of a generative AI strategy, while 96% are involved with creating a generative AI security policy.

However, their involvement in AI cybersecurity matters isn’t necessarily making them optimistic about their states’ ability to fend off AI-boosted attacks.

None said they feel “extremely confident” that their state can prevent AI-boosted attacks, while only 10% reported feeling “very confident.” The majority (43%) said they feel “somewhat confident” while the rest said they are either “not very confident” or “not confident at all.”

Naturally, most state CISOs see AI-enabled cyberthreats as significant, with 71% categorizing them as either “very high threat” (18%) or “somewhat high threat” (53%).

At the same time, state CISOs see the potential for AI to help their cybersecurity efforts, as 41% are already using generative AI for cybersecurity, and another 43% have plans to do so by mid-2025.

Other findings from the "2024 Deloitte-NASCIO Cybersecurity Study" include:

  • 4 in 10 state CISOs feel their budget is insufficient.
  • Almost half of respondents rank cybersecurity staffing as one of the top challenges.
  • In the past two years, 23 states have hired new CISOs, as the median tenure of a state CISO has dropped to 23 months, down from 30 months in 2022.
  • More state CISOs are taking on privacy protection duties — 86% are responsible for privacy protection, up from 60% two years ago.

For more information about CISO trends:

Cybersecurity Snapshot: CISA Warns of Global Spear-Phishing Threat, While OWASP Releases AI Security Resources

CISA is warning about a spear-phishing campaign that spreads malicious RDP files. Plus, OWASP is offering guidance about deepfakes and AI security. Meanwhile, cybercriminals have amplified their use of malware for fake software-update attacks. And get the latest on CISA’s international plan, Interpol’s cyber crackdown and ransomware trends.

Dive into six things that are top of mind for the week ending Nov. 8.

1 - CISA: Beware of nasty spear-phishing campaign

Proactively restrict outbound remote-desktop protocol (RDP) connections. Block transmission of RDP files via email. Prevent RDP file execution.

Those are three security measures cyber teams should proactively take in response to an ongoing and “large scale” email spear-phishing campaign targeting victims with malicious RDP files, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

A foreign threat actor is carrying out the campaign. Several vertical sectors, including government and IT, are being targeted.

“Once access has been gained, the threat actor may pursue additional activity, such as deploying malicious code to achieve persistent access to the target’s network,” CISA’s alert reads.

Other CISA recommendations include:

  • Adopt phishing-resistant multi-factor authentication (MFA), such as FIDO tokens, and try to avoid SMS-based MFA
  • Educate users on how to spot suspicious emails
  • Hunt for malicious activity in your network looking for indicators of compromise (IoCs) and tactics, techniques and procedures
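As an added example (not code from CISA or from this article), the following Python script applies two of the measures above to constructed mail-gateway records: it reports every .rdp attachment, parses the file's settings, and explains why a given file looks risky (a target outside an assumed internal domain allowlist, or local drive, clipboard or RemoteApp redirection). The domain list, the mail records and the .rdp contents are all made up for the demonstration.

```python
"""Flag e-mails carrying RDP attachments and inspect them for risky settings.

Added example, not from the CISA alert or this article. The internal-domain
allowlist, the mail records and the .rdp file contents are all constructed.
"""
from dataclasses import dataclass, field

# Assumption: the organisation's own RDP hosts live under this domain.
INTERNAL_DOMAINS = ("corp.example",)

# Standard .rdp setting names that hand local resources to the remote side.
# The descriptions are ours; a non-zero/non-empty value counts as enabled.
RISKY_SETTINGS = {
    "redirectdrives": "local drives shared with the remote host",
    "drivestoredirect": "drive redirection list set",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectsmartcards": "smart cards exposed to the remote host",
    "remoteapplicationmode": "RemoteApp mode (remote program shown as a local window)",
}


@dataclass
class Attachment:
    name: str
    data: bytes


@dataclass
class MailRecord:
    sender: str
    subject: str
    attachments: list = field(default_factory=list)


def parse_rdp(data: bytes) -> dict:
    """Parse the 'name:type:value' lines of an .rdp file into a dict.

    .rdp files are plain text, UTF-8 or UTF-16 with a BOM; other lines are skipped.
    """
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8", "replace")
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # value may itself contain ':' (host:port)
        if len(parts) == 3:
            name, _type, value = parts
            settings[name.strip().lower()] = value.strip()
    return settings


def is_internal(host: str) -> bool:
    """True if 'host[:port]' is under an allowed domain (IPv6 literals not handled)."""
    host = host.split(":")[0].lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def assess_rdp(data: bytes) -> list:
    """Return the reasons an .rdp attachment looks risky (empty list = none found)."""
    settings = parse_rdp(data)
    reasons = []
    target = settings.get("full address", "")
    if not target:
        reasons.append("no 'full address' setting (target hidden or file malformed)")
    elif not is_internal(target):
        reasons.append(f"outbound RDP to external host {target}")
    for key, why in RISKY_SETTINGS.items():
        if settings.get(key) not in (None, "", "0"):
            reasons.append(why)
    return reasons


def scan_mail(records: list) -> list:
    """Return (subject, attachment name, reasons) for every .rdp attachment.

    Following the blocking recommendation, every .rdp attachment is reported,
    even one pointing at an internal host; the reasons say how bad it looks.
    """
    findings = []
    for rec in records:
        for att in rec.attachments:
            if att.name.lower().endswith(".rdp"):
                findings.append((rec.subject, att.name, assess_rdp(att.data)))
    return findings


# Constructed sample traffic: one benign internal session file, one lure.
SAMPLE_MAIL = [
    MailRecord("it-helpdesk@corp.example", "Your new jump host",
               [Attachment("jump.rdp",
                           b"full address:s:jump01.corp.example:3389\r\nredirectclipboard:i:0\r\n")]),
    MailRecord("security-team@mail-updates.invalid", "Mandatory security review: open attached",
               [Attachment("SecurityReview.rdp",
                           b"full address:s:review.mail-updates.invalid:3389\r\n"
                           b"redirectdrives:i:1\r\ndrivestoredirect:s:*\r\n"
                           b"redirectclipboard:i:1\r\nremoteapplicationmode:i:1\r\n"),
                Attachment("notes.txt", b"please read")]),
]

if __name__ == "__main__":
    for subject, name, reasons in scan_mail(SAMPLE_MAIL):
        level = "ALERT" if reasons else "review"
        print(f"[{level}] {subject!r} -> {name}: {reasons or 'internal target, no redirection'}")
```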

Although CISA didn’t name the hacker group responsible for this campaign, its alert includes links to related articles from Microsoft and AWS that identify it as Midnight Blizzard. Also known as APT29, this group is affiliated with Russia’s government.

To get more details, check out the CISA alert “Foreign Threat Actor Conducting Large-Scale Spear-Phishing Campaign with RDP Attachments.

For more information about securing RDP tools:

2 - OWASP issues AI security resources

How should your organization respond to deepfakes? What’s the right way of establishing a center of excellence for AI security in your organization? Where can you find a comprehensive guide of tools to secure generative AI applications?

These questions are addressed in a new set of resources for AI security from the Open Worldwide Application Security Project’s OWASP Top 10 for LLM Application Security Project.

The new resources are meant to help organizations securely adopt, develop and deploy LLM and generative AI systems and applications “with a comprehensive strategy encompassing governance, collaboration and practical tools,” OWASP said in a statement.

These are the new resources:

  • “The Guide for Preparing and Responding to Deepfake Events,” which unpacks four types of deepfake schemes – financial fraud, job interview fraud, social engineering and misinformation – and offers guidance about each one in these areas:
    • preparation
    • detection and analysis
    • containment, eradication and recovery
    • post-incident activity
  • “The LLM and GenAI Center of Excellence Guide,” which aims to help CISOs and fellow organization leaders create a center of excellence for generative AI security that facilitates collaboration among various teams, including security, legal, data science and operations, so they can develop:
    • Generative AI security policies
    • Risk assessment and management processes
    • Training and awareness
    • Research and development
  • “The AI Security Solution Landscape Guide,” which offers security teams a comprehensive catalog of open source and commercial tools for securing LLMs and generative AI applications.

To get more details, read OWASP’s announcement “OWASP Dramatically Expands GenAI Security Guidance.”


3 - Fake update variants dominate list of top malware in Q3

Hackers are doubling down on fake software-update attacks.

That’s the main takeaway from the Center for Internet Security’s list of the 10 most prevalent malware used during the third quarter.

Malware variants used to carry out fake browser-update attacks took the top four spots on the list: SocGholish, LandUpdate808, ClearFake and ZPHP. Collectively, they accounted for 77% of the quarter’s malware infections. It's the first time LandUpdate808 and ClearFake appear on this quarterly list.


(Source: “Top 10 Malware Q3 2024”, Center for Internet Security, October 2024)

In a fake software-update attack, a victim is duped into installing a legitimate-looking update for, say, their preferred browser, which instead infects their computer with malware.

Here’s the full list, in descending order:

  • SocGholish, a downloader distributed through malicious websites that tricks users into downloading it by offering fake software updates 
  • LandUpdate808, a JavaScript downloader distributed through malicious websites via fake browser updates
  • ClearFake, another JavaScript downloader used for fake browser-update attacks
  • ZPHP, another JavaScript downloader used for fake software-update attacks
  • Agent Tesla, a remote access trojan (RAT) that captures credentials, keystrokes and screenshots
  • CoinMiner, a cryptocurrency miner that spreads using Windows Management Instrumentation (WMI)
  • Arechclient2, also known as SectopRAT, a .NET RAT whose capabilities include multiple stealth functions
  • Mirai, a malware botnet that compromises IoT devices to launch DDoS attacks
  • NanoCore, a RAT that spreads via malspam as a malicious Excel spreadsheet
  • Lumma Stealer, an infostealer used to swipe personally identifiable information (PII), credentials, cookies and banking information

To get more information, the CIS blog “Top 10 Malware Q3 2024” offers details, context and indicators of compromise for each malware strain.

For details on fake update attacks, see the video “Fake Chrome Update Malware” (The PC Security Channel).

4 - CISA’s first international plan unveiled

CISA has released its first-ever international plan, which outlines a strategy for boosting the agency’s collaboration with cybersecurity agencies from other countries.

Aligning cybersecurity efforts and goals with international partners is critical for tackling cyberthreats in the U.S. and abroad, according to the agency.

The three core pillars of CISA’s “2025 - 2026 International Strategic Plan” are:

  • Help make other countries’ assets, systems and networks that impact U.S. critical infrastructure more resilient
  • Boost the integrated cyber defenses of the U.S. and its international partners against their shared global cyberthreats
  • Unify the coordination of international activities to strengthen cyberdefenses collectively

The plan will allow CISA to “reduce risk to the globally interconnected and interdependent cyber and physical infrastructure that Americans rely on every day,” CISA Director Jen Easterly said in a statement.

5 - Interpol hits phishers, ransomware gangs, info stealers

Interpol and its partners took down 22,000 malicious IP addresses and seized thousands of servers, laptops, and mobile phones used by cybercriminals to conduct phishing scams, deploy ransomware and steal information.

The four-month global operation, titled Synergia II and announced this week, involved law enforcement agencies and private-sector partners from 95 countries and netted 41 arrests.


“Together, we’ve not only dismantled malicious infrastructure but also prevented hundreds of thousands of potential victims from falling prey to cybercrime,” Neal Jetton, Director of Interpol’s Cybercrime Directorate, said in a statement.

In Hong Kong, more than 1,000 servers were taken offline, while authorities in Macau, China took another 291 servers offline. Meanwhile, in Estonia, authorities seized 80GB of server data, which is now being analyzed for links to phishing and banking malware.


6 - IST: Ransomware attacks surged in 2023

Ransomware gangs went into hyperdrive last year, increasing their attacks by 73% compared with 2022, according to the non-profit think tank Institute for Security and Technology (IST).

The IST attributes the sharp increase in attacks to a shift by ransomware groups to “big game hunting” – going after prominent, large organizations with deep pockets. 

“Available evidence suggests that government and industry actions taken in 2023 were not enough to significantly reduce the profitability of the ransomware model,” reads an IST blog.

Global Ransomware Incidents in 2023

Another takeaway: The ransomware-as-a-service (RaaS) model continued to prove extremely profitable in 2023, and it injected dynamism into the ransomware ecosystem. 

The RaaS model prompted ransomware groups “to shift allegiances, form new groups, or iterate existing variants,” the IST blog reads.

The industry sector that ransomware groups hit the hardest was construction, followed by hospitals and healthcare, and by IT services and consulting. Financial services and law offices rounded out the top five.





sho

SpotOn London 2012 Storify: Tackling the terabyte: how should research adapt to the era of big data?

Here is a Storify round up of the SpotOn London session: Tackling the terabyte: how should




sho

SpotOn London 2013 Storify: Open, Portable, Decoupled – How should Peer Review change?

Here is a Storify collating the online conversation around the Open, Portable, Decoupled – How should




sho

SpotOn London 2013: Open, Portable, Decoupled – How should Peer Review change?

At this year’s SpotOn London, one of the most popular and widely tweeted sessions organised




sho

Hotshot Julie Garwood.

When a woman's dream for the future turns into a nightmare, a handsome FBI agent makes her vulnerable to more than she ever imagined in this novel from #1 New York Times bestselling author Julie Garwood. Peyton Lockhart and her sisters have just inherited Bishop's Cove, a charming oceanfront resort. But it comes with a condition: They must run the resort for one year and show a profit – only then will they own it. Peyton welcomes the challenge, yet has no idea how many people want to sabotage her success – including her vindictive cousins and the powerful land developers who have an eye on the coveted beachfront property. But when the threats against Peyton escalate into dangerous territory, she enlists the help of her childhood friend, FBI agent Finn MacBain. Finn saved her life once before. Peyton has no choice but to trust him to do it again.




sho

Lost and Found in Cedar Cove (Short Story) Debbie Macomber.

Debbie Macomber's heartwarming series, set at the Rose Harbor Inn in picturesque Cedar Cove, displays the author's signature talent for creating characters who feel like friends, and small towns that feel like home. In this original short story, Jo Marie Rose readies her inn for spring, turning to her new friends Grace and Olivia when she needs them most. Jo Marie has big plans for her bed-and-breakfast. With the help of handyman Mark Taylor, she intends to plant a beautiful rose garden in time for her upcoming open house. Jo Marie and Mark rarely see eye to eye – especially on matters of home improvement – but she knows he has her best interests at heart. After the two walk the grounds, Jo Marie realizes that her beloved rescue dog, Rover, is missing, and at a time when she most needs a friend, Mark abruptly leaves. Confused by Mark's behavior and worried for Rover's safety, Jo Marie searches for her precious pup all over Cedar Cove. Rover is on an adventure of his own – one that will lead to a delightful surprise for two unlikely people. Includes an excerpt from Debbie Macomber's Last One Home.




sho

How did households in Mali cope with covariate shocks between 2018 and 2023? Exploration of a unique dataset

Citation Marivoet, Wim; and Hema, Aboubacar. 2024. How did households in Mali cope with covariate shocks between 2018 and 2023? Source: IFPRI Africa Regional Office (AFR)




sho

Musée d’Orsay showcases the work of pioneering Norwegian painter Harriet Backer.

Musée d’Orsay showcases the work of pioneering Norwegian painter Harriet Backer. From 24 September 2024...





sho

Engendering Respectful Communities - AY24 - 25 Workshops (November 13, 2024 6:00pm)

Event Begins: Wednesday, November 13, 2024 6:00pm
Location: 2001 Literature Science and the Arts Building; 500 S State St, Ann Arbor, MI 48109
Organized By: Sessions @ Michigan


Engendering Respectful Communities (ERC) is a one session workshop that engages graduate students in meaningful dialogue about various forms of sexual misconduct they may encounter in both professional and social spaces, and provides resources for intervention or support in such circumstances.

The primary goal of the workshop is to address complexities experienced by graduate students as they engage in bystander intervention, so that participants gain an increase in awareness of barriers to action and familiarity with strategic planning to overcome them. The workshop also introduces participants to on-campus resources and provides knowledge on how sexual misconduct can unfold in graduate-specific settings.
The ERC workshop uses small-group circles intended to promote active reflection and space to build community. The procedure of circles is introduced at the beginning of the workshop in order to help participants get used to the process, which they do through a circle for introductions and value-sharing for the workshop space. These circles depict various, realistic scenarios related to sexual misconduct within the graduate community. The circle process allows circle members to process the monologues, reflect on complexities with identity and power dynamics within them, name potential barriers to intervention, and think of various ways in which they might respond if faced with similar situations. The circles provide a way to foster collective building of ideas, where participants learn from one another and all input is equally valued. Participants are encouraged to share but can always pass if desired, creating an environment where participation is open but not forced. Due to the participatory nature of the workshop, if you arrive more than 20 minutes late, we will ask you to re-register for another workshop session.

If you have any questions about or concerns with taking this workshop, or are in need of an exemption, please contact jhippe@umich.edu or fill out this form. We know some students come to campus having already experienced harm. If you have circumstances that make completing this course challenging, please reach out to the GROWE team. SAPAC GROWE provides exemptions to the ERC workshop (where requirements are set in place) on a case-by-case basis. The Program Manager will communicate with students requesting exemptions via email and/or meet with students via Zoom meetings to discuss their need for exemptions and provide any relevant and necessary resources.




sho

FYRST Workshops Fall 2024 (November 13, 2024 5:00pm)

Event Begins: Wednesday, November 13, 2024 5:00pm
Location: Pierpont Commons - Boulevard Room
Organized By: Sessions @ Michigan


First-Year Relationship and Sexuality Talk (FYRST) is a required, in-person, and peer-facilitated workshop that came directly from feedback and listening sessions with current University of Michigan students. Our goal is to create an accessible, supportive space for student-driven conversations where all identities and experiences are welcomed and in which students can build skills and tools around identifying goals and values and then communicate effectively about those. Workshops will be offered at multiple locations and times throughout the fall semester, so please sign up for the workshop that works for you!

First-Year Relationship Sexuality Talk (FYRST) FAQ:
“How many workshops do I have to sign up for?”
You only need to sign up for 1 workshop. Attending 1 workshop will fulfill the requirement for the training. 
“I see that there is more than one session, does it matter which one I sign up for?”
It generally does not matter which workshop you sign up for. There will be a few that are designated for specific groups such as transfer students or for students looking for accommodations. If you do not fit these groups please try to save these workshops for those that do and you are free to choose among any of the other workshops. 
“Is this workshop required?”
This workshop is required for all transfer and first-year students at the University of Michigan.
“I’ve experienced harm around relationships or sexual experiences in the past and I am worried that attending this workshop may be harmful for me.” 
Our team is aware that some students coming into the university have experienced harm in the past. Our workshop is specifically designed to respect and validate the experiences of survivors and has been carefully constructed to avoid any specific descriptions of violence and focus instead on themes of empowerment, communication, and boundary setting. However, if you still have concerns about programming and would like to request alternative programming, please feel free to reach out at SAPAC-FYRST@umich.edu.
“What if I struggle to learn in a presentation setting? I’m an active learner.”
Our workshop is built to meet a variety of learning styles, including time for self-reflection, small group sharing, and resources to take with you to work through on your own time! This workshop is meant to be interactive and inclusive. 
“Can I request accommodations?”
We considered accessibility in creating this workshop and selecting the locations in which the workshops are held. However, we recognize many places at the University are inaccessible, and we've set an * next to workshops that are on the first floor and lack stairs. These workshops also will have a presentation (other workshops do not) and are a good fit for those who might need a large font. Please sign up for those if you feel that accommodations would assist you, and reach out to SAPAC-FYRST@umich.edu if you are concerned or have questions.
“I missed my workshop, what should I do?”
Our team tracks attendance at each workshop by having participants swipe in with their MCard. If you are not able to attend the workshop you signed up for, our team will continue to send reminder emails until you have completed a workshop. In this case, please sign up for another workshop as soon as you can as the workshop is required and may fill up especially near the end of the semester. No need to contact SAPAC unless you are not able to reschedule. 
“I have had gender-based violence training before, can I get this requirement waived?”
As this workshop was designed with University of Michigan student feedback in mind, our workshop is unique to the UM community. Our curriculum focuses on individualized reflection and because of its interactive nature, each workshop will be unique to the people attending. Although we are excited you already have familiarity with the subject, this workshop is required for every first year and transfer student. 
“I’m a commuter/non-traditional student, do I still have to attend?”
Yes, this workshop is required for every first-year and transfer student - not only do we want every student to benefit from having this time to connect with peers, but we also want to make sure your peers benefit from what you bring to our community. If you have any concerns or questions about being able to participate, please contact SAPAC-FYRST@umich.edu.
“I still have questions! Who should I contact?”
Please contact us at SAPAC-FYRST@umich.edu or call our office at (734) 764-7771.




sho

Engaging Scientists in Policy and Advocacy (ESPA) Elevator Pitch Workshop (November 13, 2024 4:00pm)

Event Begins: Wednesday, November 13, 2024 4:00pm
Location: Taubman Health Sciences Library Room 6000
Organized By: Sessions @ Michigan


Welcome! Whether or not you're a member of ESPA, we encourage you to join us in this workshop to learn about and practice forming elevator pitches. 
Here, you will learn how you can quickly pitch your research to a variety of audiences both familiar and unfamiliar with your discipline, helping you catch the attention of individuals ranging from policy-makers to fellow scientists. If you want to hone your ability to quickly explain your work in an eye-catching fashion, join us for this workshop and grab some free food while you're at it!




sho

Adaptive Rec and Tech Showcase (November 13, 2024 11:30am)

Event Begins: Wednesday, November 13, 2024 11:30am
Location: School of Kinesiology Building
Organized By: School of Kinesiology


Stop by to learn about and try out adaptive sport, recreation, and daily living equipment!

Featuring demos from:
--- Michigan Disability Rights Coalition Assistive Technology Program
--- U-M Adaptive Sports & Fitness
--- U-M KidSport Adaptive Summer Camps
--- U-M Adaptive & Inclusive Sports Experience (UMAISE)

Questions? Email Dr. Haylie Miller at millerhl@umich.edu.




sho

U.S. EPA Region 8, 9, and 10 Federal Careers Virtual Workshop (November 13, 2024 10:00am)

Event Begins: Wednesday, November 13, 2024 10:00am
Location:
Organized By: University Career Center


Come learn about Federal Employment at Region 8 (Denver), Region 9 (San Francisco), and Region 10 (Seattle) of the EPA! Entry level, early and mid-career professionals are all welcome to attend.

Our work at EPA has purpose and impact. From tackling the climate crisis to advancing environmental justice, what happens here changes our world. Our mission is to protect human health and safeguard the environment – the air, water, and land upon which life depends. At EPA, you can make a real difference for the environment and the lives of others.

Participants have the opportunity to learn about EPA’s mission, how to navigate USA-Jobs and creating a federal resume. There will be a panel discussion to provide a glimpse into the variety of careers within the EPA.

This event begins at 10:00 AM Mountain Time (11:00 AM Central Time, 12:00 PM Eastern Time, 9:00 AM Pacific Time). No pre-registration required! Just click on the link a few minutes before the event and you’ll be directed to the MS Teams site.

For more information or to request accommodations, please contact mutter.andrew@epa.gov, verges.michelle@epa.gov, or weber.camille@epa.gov




sho

SPIR II RFSA Learning Event: Impact results workshops

SPIR II RFSA Learning Event: Impact results workshops

Please register (in-person or online) for each workshop you plan to attend. You can register for individual or multiple workshops. December 9, 2024 | 9:30am to 12:00pm (Africa/Addis_Ababa) | In-person and online December 9, 2024 | 1:00pm to 3:30pm (Africa/Addis_Ababa) | In-person and online December 10, 2024 | 9:30am to 12:45pm (Africa/Addis_Ababa) | In-person and […]

The post SPIR II RFSA Learning Event: Impact results workshops appeared first on IFPRI.




sho

Satellite images show devastation in Sudan 1 year since conflict began (ABC News)

Satellite images show devastation in Sudan 1 year since conflict began (ABC News)

“Satellite imagery shows the reduction in green vegetation cover, the increased aridity points to the neglect or destruction of previously irrigated fields,” Oliver Kirui told ABC News.

The post Satellite images show devastation in Sudan 1 year since conflict began (ABC News) appeared first on IFPRI.




sho

Trade can support climate change mitigation and adaptation in Africa’s agricultural sector, new data shows

Trade can support climate change mitigation and adaptation in Africa’s agricultural sector, new data shows

New report analyzes trade performance amid pressure points from climate change, water use, and carbon emissions, with recommendations for sustainable practices.

The post Trade can support climate change mitigation and adaptation in Africa’s agricultural sector, new data shows appeared first on IFPRI.




sho

Swachh Bharat Mission averted 60,000-70,000 infant deaths between 2011 & 2020, shows Nature study (The Print)

Swachh Bharat Mission averted 60,000-70,000 infant deaths between 2011 & 2020, shows Nature study (The Print)

IFPRI Researchers analyzed infant & under-5 mortality data from 35 states, 640 districts. Research praised by PM Modi on X.

The post Swachh Bharat Mission averted 60,000-70,000 infant deaths between 2011 & 2020, shows Nature study (The Print) appeared first on IFPRI.





sho

Argonne-led Research Shows Robust Investment in Transit Benefits Both Transit and Non-Transit Users

Investments in regional transit service would create 13-times the return in value in household and travel times savings, according to new research made public today at the Chicago Transit Board of Directors’ monthly meeting.




sho

Alley Entrance Relocation and Daily Short-Term Street Closures at the alley east of 5001 thru 5077 N. Broadway & 1135 W. Winona Street (W. Argyle Street to W. Winona Street) - W. Winona Street at the CTA Tracks

Alley Entrance Relocation and Daily Short-Term Street Closures at the alley east of 5001 thru 5077 N. Broadway & 1135 W. Winona Street (W. Argyle Street to W. Winona Street) - W. Winona Street at the CTA Tracks.




sho

Updated Dates Alley Entrance Relocation & Daily Short-term Street Closures Crane Staging & Material Deliver

Updated Dates Alley Entrance Relocation & Daily Short-term Street Closures Crane Staging & Material Deliver




sho

Three Reasons for the Housing Shortage

America's housing shortage has been decades in the making. A lot of people blame Baby Boomers — but is it really their fault? We unpack three big reasons for the shortage. | Subscribe to our weekly newsletter here.

Learn more about sponsor message choices: podcastchoices.com/adchoices

NPR Privacy Policy




sho

We set up an offshore company in a tax haven (Classic)

The Pandora Papers released this week reveal how many world leaders allegedly hold wealth through the use of shell companies. We listen back to when we set up our very own Planet Money shell companies.





sho

Moonshot in the arm

COVID-19 prompted the quickest vaccine development in history. An inside look at how the government and pharmaceutical companies joined forces to make it happen.





sho

No shortages of labor stories

We asked for your dispatches from the labor market, and boy did we hear back. | Subscribe to our weekly newsletter here.





sho

The rapid testing show

The Planet Money team fans out across the nation with one goal: to get a Covid test in 24 hours. It is easier said than done. | Subscribe to our weekly newsletter here.





sho

Escheat show (Classic)

If you're looking for money you've forgotten about, there's a chance the government might have it. The good news is that you can get it back. | Subscribe to our weekly newsletter here.





sho

We Buy a Superhero 7: Collectibles (Live Show!)

What transforms a regular object into a collectible? At our live show earlier this month, we went on a journey through collectibles history. And we had a goal: to turn our Micro-Face comic book into the most collectible item of all time. | Bid on our collectible Micro-Face comic book here!
