#Cybersecurity Mistakes in MEAN Stack Development
acquaintsofttech · 9 months ago
Humorous Cybersecurity Mistakes in MEAN Stack Development
Introduction
The MEAN stack, i.e. MongoDB, Express.js, Angular, and Node.js, has become highly popular among developers in the dynamic field of web development because it lets them create scalable, dynamic apps. However, just like any other technology, the MEAN stack is not immune to its fair share of cybersecurity disasters. Even though cybersecurity can be extremely dangerous, there are instances…
gearupurcareer · 1 month ago
Turning the Tide: A Personal Journey of Reinvention
For a long time, I believed that a college degree was all I needed to build a stable, high-paying career. Like many others, I followed the path laid out for me — study hard, graduate, and get a good job. But even after ticking all the right boxes, I found myself in a job that offered little growth and even less pay.
The truth hit hard: despite being professionally qualified, I lacked the up-to-date technical skills employers were actually looking for. The job market had changed, and I hadn’t changed with it.
Understanding the Skills Gap
The IT industry moves fast. Roles that were in demand five years ago now require entirely different skill sets. During my job hunt, I noticed repeated mentions of skills like cloud computing, data analytics, full-stack development, and cybersecurity. While I had a solid theoretical foundation, I had no real-world experience with these tools.
I wasn’t alone. According to the Centre for Monitoring Indian Economy (CMIE), India’s youth unemployment rate remains high — and many of those unemployed are graduates. The issue often isn’t education, but a gap between academic knowledge and job-ready skills.
Taking the First Step to Upskill
After months of frustration, I decided it was time to stop waiting for the right opportunity and start preparing for it. I began researching institutes offering advanced IT courses in Kochi, looking for programs that were practical, flexible, and suitable for someone like me — someone already working, but eager to grow.
I eventually enrolled in a course that offered training in full-stack development and cloud technologies. What drew me in was the structure: beginner-friendly modules that gradually moved into more complex topics, combined with weekend classes that fit my schedule.
Learning by Doing
One of the most rewarding parts of the experience was the hands-on approach. Rather than just reading or watching tutorials, we actually built projects — dashboards, web apps, APIs — all guided by experienced instructors. It felt less like a classroom and more like a collaborative workspace.
The environment encouraged questions, mistakes, and experimentation. And unlike traditional education, the focus was always on how these skills would be used in real work scenarios. I finally understood what employers meant when they asked for “practical experience.”
Support Beyond the Classroom
Equally important was the support system. I had access to mentors who shared their industry insights and pointed me toward tools and resources to build my portfolio. There were also group discussions, interview prep sessions, and resume workshops — all aimed at making us better prepared for the job market.
More than anything, the experience gave me confidence. I was no longer worried about the gaps in my resume — I had something to show, and something to say.
A New Outlook on the Future
Within a few months of finishing the course, I started getting callbacks for interviews that previously would’ve seemed out of reach. I could finally speak the language of today’s tech industry — not just in buzzwords, but in actual project work.
I didn’t magically land a dream job overnight, but I took a meaningful step toward a better career. Upskilling helped me move from being stuck to being proactive — and that shift made all the difference.
Why Upskilling Matters
The world of work is changing, and professionals across all fields are expected to adapt quickly. Whether you’re a fresh graduate or someone with years of experience, staying updated is no longer optional.
Advanced IT courses in Kochi — offered by several credible institutes — like Techmindz can provide that bridge between where you are and where you want to be. It’s not just about getting certified. It’s about being relevant, confident, and ready for a job that challenges and rewards you.
Final Thoughts
If there’s one thing I’ve learned, it’s this: upskilling doesn’t mean starting over. It means moving forward — with new tools, new knowledge, and a better understanding of what the job market really values. For anyone feeling stuck, frustrated, or uncertain about the future, taking that first step to learn something new can open unexpected doors.
Sometimes, the right course won’t just teach you a new skill — it will help you rediscover your motivation, your potential, and your path.
amsaveni · 4 months ago
The Hidden Struggles of Full Stack Developers That Make the Job Exhausting
Being a Full Stack Developer sounds exciting—you get to build complete applications, work on both frontend and backend, and have the flexibility to switch between different technologies. But behind the impressive job title lies a series of struggles that can make the role overwhelming and exhausting. From unrealistic expectations to constant learning and burnout, here’s a look at the hidden challenges Full Stack Developers face every day. If you want to advance your career through the Full Stack Developer Course in Bangalore, you need to take a systematic approach and sign up for a course that best suits your interests and will greatly expand your learning path.
1. Companies Expect You to Know Everything
Employers often look for Full Stack Developers who can do it all—frontend, backend, databases, DevOps, cloud computing, security, and even UI/UX design. The problem is that no single developer can truly master everything.
Job descriptions frequently list an excessive number of required skills, expecting candidates to have expertise in multiple technologies at once. This unrealistic expectation can lead to excessive workloads, making it difficult to stay efficient or even enjoy the job.
2. The Never-Ending Learning Curve
Technology moves at lightning speed. A framework that’s in demand today might be outdated in a year. React, Vue, Angular, Svelte, Node.js, Django, Express—keeping up with all of them is exhausting.
Full Stack Developers must constantly learn new tools, languages, and best practices to remain relevant. If you take a short break, you risk falling behind in an industry that never stops evolving. The pressure to stay updated can be overwhelming, leaving little time for deep mastery.
3. Jack of All Trades, Master of None
While knowing both frontend and backend is valuable, it often means you don’t have deep expertise in any one area. Many companies prefer hiring specialists who excel in a single field rather than generalists who know a little about everything.
For high-paying roles in AI, cybersecurity, cloud computing, or blockchain, specialized knowledge is required. Full Stack Developers may find it harder to compete with specialists who have dedicated years to mastering a single domain.
4. Constant Context Switching Drains Mental Energy
One moment, you’re debugging frontend code. The next, you’re fixing a database issue. Then, you’re setting up a server deployment. The need to switch between different tasks and technologies makes it harder to focus and be productive.
Unlike specialists who work deeply in one area, Full Stack Developers constantly jump between different responsibilities. This mental juggling can be exhausting, leading to slower work, increased mistakes, and overall frustration. Professionals in Full Stack are in greater demand, and numerous organizations are now providing the Best Online Training & Placement Programs.
5. Burnout Is Almost Inevitable
The pressure to handle multiple roles, meet tight deadlines, and keep learning new technologies can lead to severe burnout. Many Full Stack Developers work long hours, constantly feeling like they are behind.
Without proper work-life balance, the job can take a toll on mental health and motivation. Many developers find themselves exhausted and demotivated, questioning if the stress is worth it in the long run.
6. High Expectations, Low Pay
Many companies see Full Stack Developers as a cost-saving option—hiring one person instead of two specialists. The result is that you do double the work but don’t necessarily get double the pay.
Despite handling frontend, backend, databases, deployments, and more, Full Stack Developers often receive lower salaries than specialized developers. Many companies undervalue the complexity of the job, expecting more for less.
7. Career Growth Can Be Limited Without Specialization
Many senior roles require deep expertise in a particular field. Full Stack Developers, while highly skilled, often struggle to move into senior positions if they don’t specialize.
Without a clear focus, you may find yourself stuck in mid-level positions while specialists get promoted faster. If you want to maximize career growth, you may need to narrow your focus over time and build deep expertise in a high-demand area.
Final Thoughts
Full Stack Development isn’t for everyone. It’s a demanding role that requires balancing multiple technologies, constant learning, and handling unrealistic expectations. While it can be rewarding, it’s also one of the most exhausting jobs in tech.
Here’s how to make the most of it:
Learn both frontend and backend, but gradually specialize in a high-demand area.
Focus on deep skills like cloud computing, security, or AI to remain competitive.
Set boundaries to prevent burnout and demand fair compensation.
Think strategically about career growth—consider moving into specialized roles for higher pay and better opportunities.
Full Stack Development is a powerful career path, but it’s not always the golden opportunity it seems. If you love variety and thrive in fast-paced environments, it can be a great choice. But if you’re looking for stability and long-term career growth, specializing might be the smarter path.
internetandnetwork · 4 years ago
Importance of Python for Cybersecurity Professionals
Python is one of the most popularly used programming languages today. This simple object-oriented language can be quickly learned and understood by beginners and skilled developers. It is currently being used across different areas ranging from data science to cybersecurity. In this blog, we will talk about the benefits of using Python language for cybersecurity and why it is crucial for the career growth of cybersecurity professionals.
PYTHON LANGUAGE FOR CYBERSECURITY
Compared with many other programming languages, Python is straightforward and easy to understand. It has a simple syntax, so new web developers and people who are just stepping into the cybersecurity industry can pick it up rapidly. Python is also a favorite language among experienced developers because a great deal of functionality can be expressed in it. Python scripts can be written quickly, and the simple syntax helps cybersecurity specialists spot and fix mistakes in the code immediately.
Python follows a clean and clear-cut execution model and does not leave much room for attackers to target data or devices through the language itself. It also makes it easy to develop new, separate applications and integrate them with older components.
BENEFITS OF PYTHON PROGRAMMING IN CYBERSECURITY
Debugging/Troubleshooting Made Easier
Python uses minimal code, making it easier for the programmers to debug the mistakes while simultaneously minimizing the risk of language complications and issues. Moreover, its simple design and user-friendliness also improve its readability. This makes troubleshooting more manageable and less time-consuming. Plus, Python also incorporates an in-built debugger known as PDB, which carries out all the primary functions.
Automatic Memory Management
Python also has a built-in memory management tool, which is undoubtedly another significant bonus point for programmers. This takes a great deal of burden off the shoulders of programmers and users, meaning they won’t have to worry about memory management, including elements like memory allocation, partitioning, and caching.
Open Source Programming Language
Python is designed as a free and open-source language, meaning anyone can help in improving it. Plus, it is available to users to download for free. This is the reason why it is one of the most favored programming languages among a massive number of large web development organizations.
Easy to Learn
Compared to other programming languages like C++ and Java, Python is undeniably the most comfortable and easiest language to learn and implement. It has been designed in this way on purpose. Coding is much easier in Python. When stacked against other programming languages, Python has a much simpler syntax, and it also uses less code.
REASONS WHY PYTHON IS CRUCIAL FOR CYBERSECURITY PROFESSIONALS
Python programming language is crucial for cybersecurity professionals since it can carry out numerous significant security functions, including penetration tests, malware analysis, scanning, etc. Its simplicity and ease of use make it an ideal programming language for everything – from testing microchips to developing video games. A wide range of security tools is written in Python language because of its easily accessible and understandable nature. Let’s take a look at some crucial points to see why Python plays such a vital role in the field of cybersecurity.
Social Media Data Extraction
Programmers can use Python scripts to download real-time data from different social media channels. There are several extensions and modules in Python that can be interfaced with various platforms, including WhatsApp, Facebook, Twitter, etc.
It Is Flexible
Python’s ease of use makes it easier for programmers to build new applications in a faster way. Moreover, it can also develop and improve modules in C++, Java, and ASP.NET. All these features make it much easier to respond to cybersecurity risks.
Packet Sniffing
Packet sniffing is, broadly speaking, wiretapping a network. It can be performed either with a third-party tool or by writing a simple Python script that achieves similar results.
Network Port Scanning
Generally, third-party tools are used to implement network port scanning. However, this can also be done without them by simply taking advantage of the Python socket programming instead.
Quick Scripts Development
Cybersecurity specialists can build solutions using Python with simple and lesser code while consuming the least amount of time. Additionally, it also allows cybersecurity professionals to spot errors and fix the problems quickly.
Extensive Library Support
One of the many reasons why Python is the most sought-after programming language today is its vast library of modules. It lets cybersecurity specialists access cybersecurity analysis and penetration testing tools easily every day.
Speed and Productivity
Python’s minimal, simple, object-oriented code helps increase the productivity of programmers. It also has robust integration and unit testing frameworks that boost implementation speed.
Scalability
The Python programming language is highly scalable, and its simplicity and flexibility make it suitable for securing applications of any size.
Multifaceted Development for Cybersecurity
Python language is a bonanza for cybersecurity professionals since it can carry out any task (that can be done using coding) with simple and minimal code without consuming too much time. In the field of cybersecurity, Python programming language is used for various purposes, including malware analysis, network scanning, port scanning, sending and decoding packets, host discovery, accessing servers, and much more.
WRAPPING IT UP
We hope by now you have a pretty clear understanding of the importance of Python in cybersecurity. It is incredibly beneficial in this field because it can perform a wide range of cybersecurity functions such as malware analysis and scanning. Keeping these perks in mind, you can hire a Python developer to secure your application. It will help keep your website secure, ensure fast performance, and help you respond quickly to any cyberattack.
Hariom Balhara is an inventive person who does intensive research on particular topics and writes blogs and articles for Tireless IT Services. Tireless IT Services is a Digital Marketing, SEO, SMO, PPC, and Web Development company with extensive experience. We specialize in digital marketing, web design and development, graphic design, and a lot more.
Source: Importance of Python for Cybersecurity Professionals
cedricjohn150 · 5 years ago
Digital Trends in Warehouse Management That will Transform Supply Chain Industries
Over the past thirty years, logistics has undergone an enormous transformation: from a purely operational function that reported to sales or manufacturing and focused on ensuring the supply of production lines and delivery to customers, to an independent supply chain management function that in some companies is already led by a Chief Supply Chain Officer. The focus of the supply chain management function has shifted to advance planning processes, such as analytical demand planning or integrated S&OP, which have become established business processes in many companies, while operational logistics has often been outsourced to third-party LSPs. The supply chain function ensures integrated operations from customers to suppliers.
The days of lost or untraceable inventories should be long gone. With effective software systems plus proficient management and expertise, the exact location, status, and count of every item in a supply chain should be instantly identifiable. Surprisingly, there are still companies working with outdated methods. Today the best third-party logistics companies (3PLs) use systems and processes that allow for real-time visibility. These methods allow for shorter lead times and lower stock levels, resulting in fewer mistakes, fewer emergency deliveries, and transparent collaboration between warehousing services and their customers.
With highly integrated solutions for transportation management and warehouse management, intelligence ensures an ideal connection between the individual supply chain areas, warehouse logistics, transportation management systems, and track and trace. What's more, as keen innovators with a close relationship to Software Solutions, we are involved in the development of new SCM solutions from the start. Likewise, we are present in 24 countries around the world, which means you can rely on our expertise and round-the-clock support wherever you are.
New trends and technologies are affecting supply chains across all industries. To meet higher expectations, companies are under pressure to shorten planning cycles and find new ways to eliminate supply chain volatility. This calls for comprehensive and flexible supply chain planning to ensure faster responses. Companies require effective warehouse management, transportation management, and logistics execution systems. At the same time, they have to manage an end-to-end supply chain where all planning and supply chain execution processes are seamlessly connected. This requires the sharing of live data throughout the supply network. Real-time IT facilitates this collaboration, helping enterprises prepare for any outcome.
Several megatrends affect supply chain management: there is continuing growth of rural regions around the world, with wealth moving into areas that have not been served before. Pressure to reduce carbon emissions, as well as regulation of traffic for economic reasons, adds to the challenges that logistics is facing. Moreover, changing demographics lead to reduced labor availability as well as increasing ergonomic requirements as the workforce ages. The digitization of the supply chain enables companies to address the new requirements of customers, the challenges on the supply side, and the remaining expectations for efficiency improvement.
A Warehouse Management System, or WMS, is the core software that enables efficient operations throughout the supply chain. The systems track the exact location of every unit from the time it arrives until the item is loaded and shipped to the next destination. When supply chain partners are appropriately aligned, the systems can even track stock right from the manufacturer/supplier through warehousing services to the distribution center or end customer. Warehouse management systems range in complexity, starting with a simple standalone system that manages stock within the walls of a warehouse. A Warehouse Management System tracks stock received through all the usual warehousing services of placing, storing, picking, staging, and loading. All of these processes are linked to financial systems that automatically generate billing and new stock data.
New business models, such as Supply Chain as a Service for supply chain planning functions or transport management, increase the flexibility of the supply chain organization. Supply chain can be purchased as a service and paid for on a per-use basis rather than keeping the resources and capabilities in-house. The specialization and focus of service providers allow them to create economies of scale as well as economies of scope, and also attractive outsourcing opportunities.
Take an e-commerce site, for instance. Its digital supply chain includes the site's developers, its administrators, the cloud services company that hosts the site's data, the CMS provider, and the devices that consumers use to access the site. Furthermore, every third-party technology provider whose code provides functionality to the site (e-commerce modules, personalized recommendation engines, advanced analytics services, inventory tracking solutions, custom product builders, chatbots, and so on) should also be regarded as part of the digital supply chain.
In many cases, 3PLs have installed mechanized, computer-driven slotting and picking systems that automatically transport items from receiving to assigned storage spaces. When required for shipment, the systems can pick items and convey them to a staging area for loading. With added portals and collaboration with vendors, sales partners, and customers, the logistics management company's WMS can connect all internal warehousing services with external data. This capability provides a real-time, 360° view of the entire supply chain that can adjust to product flow rates to accommodate slowdowns or volume surges. This transparency can alert the manufacturer to speed up or slow down production, adjust warehouse stock levels, and manage delivery volumes and frequencies.
This second definition is especially useful for technology companies. Looking at any digital product, whether it's an e-commerce site, a B2B software product, or something else, one can find the long list of providers on which the product depends. Viewing this list as a supply chain helps IT, cybersecurity, and other teams understand the risks to the product and identify opportunities for improvement. Personnel at technology companies can take general cues from their counterparts at physical product companies regarding the monitoring and mitigation of supply chain risks. For example, creating a map of the digital supply chain to identify single points of failure among third-, fourth-, and fifth-party providers can help IT, cybersecurity, risk, and product teams avoid business interruptions and data breaches.
Within these definitions, increased inter-company collaboration and emerging technologies are presenting new challenges for supply chain management teams. New risk typically follows close behind new capabilities, so companies should focus on monitoring and mitigation strategies while they work on developing and integrating new technologies.
jonathanalumbaugh · 8 years ago
Weekly Digest
Dec 23, 2017, 4th issue.
A roundup of stuff I consumed this week. Published weekly. All reading is excerpted from the main article unless otherwise noted.
Read
When women are discussed on the main economics discussion forum, the conversation moves from the professional to the personal...
Even with generous subsidies, low-income people are still unlikely to buy health insurance...
Managers are biased negatively against minority workers, and this, in turn, makes the minority workers perform worse...
Living standards may be growing faster than GDP growth...
The World Bank’s $1-a-day poverty line inadequately deals with local context, and a better measure can be derived through more complicated math...
Decriminalizing sex work makes it safer and more common...
Poor kids who grow up in rich neighborhoods do a lot better than poor kids who grow up in poor ones...
Better trained doctors mean fewer opioid related deaths...
After a bad outcome, female surgeons’ referrals went down much more than male surgeons’...
The average worker does not value an Uber-like ability to set their own schedule...
Foreign finance has led to more inequality...
Preschool programs targeted at the poor don’t work nearly as well as universal pre-school programs...
Shocks to the economy in certain sectors can have larger effects on the entire economy than previously thought...
— 13 economists on the research that shaped our world in 2017
Comments section: Pilote345 - NO WONDER: Recently, the pilots' pay was less than it was in the 1980's. They might be trying to improve, but for example, I just now found Allegiant Air pays MD-80 1st Officers $34,440.00, not much more than the $15/hour crowd wants for starting burger flippers.
— Airlines battle growing pilot shortage that could reach crisis levels in a few years
— APOLLO 10 0N BOARD V0ICE TRANSCRIPTION
Under Schmidt’s leadership, Google notched its fair share of not-quite-not-evil missteps. After getting everyone hooked on Gmail and Search, the company started to erode some of its original privacy promises.
— Be Kind of Evil
“People want to cast it as a choice between policy or technology as a solution but those should exist hand-in-hand. We would have never gotten renewable energy prices where they are today without really ambitious public policy. It shows the importance of bold goals,” Brown says.
— California Poised To Hit 50% Renewable Target A Full Decade Ahead Of Schedule
“Keep your phone away from your body,” the state health department writes. “Although the science is still evolving, some laboratory experiments and human health studies have suggested the possibility” that typical long-term cell phone use could be linked to “brain cancer and tumors of the acoustic nerve,” “lower sperm counts,” and “effects on learning and memory.”
— California says the only safe way to talk on your cell phone is to text
Developer infatuation with Chrome is not good — because competition between browsers is good.
— Chrome is Not the Standard
The initial physical deployment of 5G networks alone could pack a major economic punch. A 2017 Accenture report forecasts the cellular communications industry will invest $275 billion in new networks, which will create up to 3 million jobs and add some $500 billion to the United States’ gross domestic product. Longer term, researchers expect the new 5G networks to help stimulate productivity growth to rates not seen since the 1950s.
— The Coming 5G Revolution
In early tests, the company claims the feature helped to reduce ghosting behavior on its service by 25 percent.
— Dating app Hinge rolls out a new feature to reduce ‘ghosting’
Liberated from the diamond and pointing calmly eastward, perhaps a designer’s pure intent is revealed—direction for an otherwise aimless walk in the woods.
— Decoding the Mysterious Markers on the Appalachian Trail
Trade the ginkgo biloba for a bag of spinach during your next stop at the store: Leafy greens may be your best resource for boosting memory... The study involved 960 people, all between 58 and 99 and without dementia. Everyone enrolled in the study was part of the Memory and Aging Project, which has been ongoing since 1979 at the Knight Alzheimer's Disease Research Center at Washington University.
— EATING SALAD EVERY DAY KEEPS BRAINS 11 YEARS YOUNGER AND PREVENTS DEMENTIA, STUDY SHOWS
— Edward Snowden on Twitter
Commander Persera swam out into intergalactic space last week, she says in a forum post, piloting a ship called the Jack of Flames. The reason for the trip is simply to go further from Sol than anyone else (a previous record was set by one Commander Deluvian, who travelled 65,652 lightyears from Sol along a similar route). But also, she says, to bring a canister of mugs from the infamous Hutton Orbital space station into the void and leave them there. Just because.
— Elite Dangerous pilots are scrambling to rescue an explorer stranded in the void between galaxies
[Eminem says] that he's not making his music for other artists who aren't fans to begin with.
— Eminem Responds to Vince Staples’ Criticism of Him
Reports so far claim the spec will offer support for low, mid, and high-band spectrum from below 1 GHz (like 600 and 700 MHz) all the way up to around 50 GHz while including the 3.5 GHz band. It’s been said that the first 5G networks for consumers will begin rolling out in 2019 and this will continue throughout 2020.
— First 5G Specification has been Declared Complete by the 3GPP
As Brian and his wife wandered off toward the No. 2 train afterward, it crossed my mind that he was the kind of guy who might have ended up a groomsman at my wedding if we had met in college. That was four years ago. We’ve seen each other four times since. We are “friends,” but not quite friends. We keep trying to get over the hump, but life gets in the way.
— Friends of a Certain Age
Comment section: Blaming Amazon for this is wrong. The people make a choice to work for them. This is an indictment on our society that forces these people to have to work. Amazon isn’t a charity that should have to take care of people. But it’s all of us who are to blame.
— A Glimpse Inside CamperForce, Amazon's Disposable Retiree Laborers
Effective filmmakers, no matter their genre or taste, put their fingers in the air, feel for a current, and then make art that either complements or pushes against it. They distill the world they live in, which is why there’s no such thing as an apolitical film.
— How Big Screen Sci-Fi and Horror Captured 2016’s Political Paranoia
The Legislative Analyst’s Office predicts California will eventually make more than $1 billion annually from taxing recreational marijuana.
— HOW RECREATIONAL MARIJUANA IN CALIFORNIA LEFT CHEMISTS IN THE DARK
What makes for an effective office environment? Random encounters with your coworkers. And food. Lots and lots of food.
— How to Build a Collaborative Office Space Like Pixar and Google
Fidelity suggests having your yearly income saved at 30, three times your income at 40, seven times your income at 55, and 10 times your income at 67.
— How Much Should You Have Saved at Every Age?
HCI (human-computer interaction) is the study of how people interact with computers and to what extent computers are or are not developed for successful interaction with human beings.
— Human-computer interaction, from University of Birmingham
The company says it is now focused on “developing and investing in globally scalable blockchain technology solutions,” but, as reported by Bloomberg, it has exactly zero partnerships in the works with crypto firms.
— Iced Tea Maker's Stock Price Triples After Adding 'Blockchain' to Name
9 “Should you invite someone who assaulted you to your wedding.” No.
— It Came From The Search Terms: “I Can See The Sun In Late December”
The best way to cook a steak is medium rare. Plenty of people will disagree with this statement, for different reasons.
— Medium Rare: The Best Way to Cook a Steak
It sounds like it was made by an algorithm. It checks off so many boxes it could land in anyone’s “Because you watched” recommendations.
— Netflix’s first big movie “Bright” feels like a blockbuster built by an algorithm
State law that is rarely invoked requires tied elections to be settled by “lot.”
— Oyster shucking? A duel? No, Virginia will pull a name from a film canister to settle tied election
— Parents give teacher wine with son's face on label
— Reggie Watts: Fuck Shit Stack
— Reggie Watts: Humor in music
Self-efficacy is defined as a personal judgement of "how well one can execute courses of action required to deal with prospective situations".
— Self-efficacy (Wikipedia)
The problem Haven aims to address is known as an “evil maid” attack. Basically, many of the precautions you might take to protect your cybersecurity can go out the window if someone gains physical access to your device.
— Snowden's New App Turns Your Spare Android Phone into a Pocket-Sized Security System
After doing a lot of online research and making a terrible mess, I thought I could make a tutorial for humble people like me. If I can do it, you can do it too.
— The Ultimate Guide to DIY Screw Post Book Binding
The robot obediently appeared in the distance, floating next to Miller. Miller then walked into the same space as the robot and promptly disappeared. Well, mostly disappeared, I could still see his legs jutting out from the bottom of the robot. My first reaction was, “Of course that’s what happens.” But then I realized I was seeing a fictional thing created by Magic Leap technology completely obscure a real-world human being. My eyes were seeing two things existing in the same place and had decided that the creation, not the engineer, was the real thing and simply ignored Miller, at least that’s how Abovitz later explained it to me.
— We Need to Talk About Magic Leap's Freaking Goggles
What’s this mistake so many make? It’s using your current job title as your headline.
— What Your LinkedIn Headline Reveals About Your Self-Confidence At Work
With the Dec. 14 repeal, Comcast and others will be able to charge content companies exorbitant fees without, technically, blocking. This fundamentally changes how the internet works, argues Ryan Singel, a fellow at the Center for Internet and Society at Stanford Law School.
— What will happen now that net neutrality is gone? We asked the experts
The story [Cat Person] stuck with me because I, too, have felt like the story’s main character, Margot. I have belittled myself to make a man in a vulnerable situation feel more comfortable. I have allowed myself to spend time with boys who I did not like that much but who I felt I owed my time to because they really liked me. And I have also taken part in the practice of ghosting: ignoring somebody who is texting me instead of outright rejecting them. With time, I have gotten much better at being straightforward when someone is interested in me and the feeling is not reciprocated, but I still do the dance many women do: We exert energy into finding the most polite, passive way to get ourselves out of uncomfortable situations with men.
— Why Women Are Ghosting You
z3459079 · 6 years ago
Initial thoughts on the course.
Why I'm doing this course.
I've been working as a frontend developer for almost two years now, and have been meaning to educate myself in cybersecurity for a while. I'd imagine that my software is full of security holes and I aim to learn to defend against them throughout this course. On that note, I think I will be basing my SA project on Web Application Security too. At the moment, I'm keen to just cover the many different types of attacks, e.g. XSS, CSRF, SQLi, how to write them, how to prevent them, etc., and the best way to demonstrate might be to create "the dodgiest website possible". These are just early thoughts; I'll revise my idea later.
Some reflection on first lecture
I really like how this course introduces with the importance of analytical thinking and communication skills in becoming a good software engineer. From my personal experience I can definitely agree that being a software engineer (of any kind) means being able to gather technical requirements by identifying key points, communicate effectively to stakeholders, and stay efficient and organised to achieve good outcomes as a team.
In my opinion, analytical thinking and effective communication are the most critical parts of being an effective employee and programming skills only form a small part of the job.
Notes on First Lecture
What is security engineering?
I think it's basically the science of protecting a system from its attackers. Often in cybersecurity we are protecting data from potential hackers but there is security and insecurity everywhere - in physical facilities (e.g. University buildings) as well as in computers.
Homework reflection: What does successful engineering look like? What makes engineering reliable and safe to use?
I think it comes down to two main things:
- Identifying problems accurately and providing a solution under realistic constraints
- Using the scientific method to provide a predictable and safe outcome
Engineers work to obtain outcomes for other people (the users), and because it is used by people, it is always constrained by a number of factors in the real world. As one can't predict that a meteor strike might happen one day, a well-engineered bridge is still not meteor-proof, and hence "not perfect". A well-engineered bridge is, however, able to withstand weight with a good margin of safety (it can withstand pressure well above normal or even heavy use), is intuitive for users to ride on, and is scientifically proven to work through data.
History of security engineering: how did insecurity arise?
We've evolved our technology from stones to aeroplanes, and we make increasingly complex things all the time - leading to vulnerability because we don't fully comprehend all the flaws in what we invent.
We know how to make a safe bridge but we don't know how to write secure software!
Complexity leads to vulnerability. We can't fit a system in our heads, so we will create vulnerabilities due to complexity. Some things will be unpredictable, and no one will foresee what could be vulnerable until it is compromised. Basically anything can be compromised, and the cyber security discipline represents our attempt to understand and defend from the attacks that we've discovered and/or have experienced in history. Without a proper security framework, it's like we're playing Whac-a-Mole with flaws popping up in our system. As engineers, we need our own plan. Security engineers learn from history, mistakes, and flaws in humans.
Note to self: some good books were mentioned in the first lecture https://www.openlearning.com/courses/securityengineering19t2/19lecture_1_2/
Some hacking terms
Vulnerability: a weakness or flaw in the system
Exploit: a script or method that uses vulnerable parts to compromise a system
Threat model: analysis of vulnerabilities from a hypothetical attacker's POV
What makes a good security engineer
1) Good at analysis
- Being able to scan past the trivial information and get to the crux of the problem.
- Develop informed solutions using said important information.
- Come up with many solutions, never jump to the first answer, and weigh them up.
2) Good with ambivalence
- Weighing up pros and cons of a solution or perspective.
- Never settle for an easy answer. Try again and again until there has been a good amount of thought and discussion around the topic. Think about your thinking (metacognition).
- Make an informed decision. Drive the solution forward and take ownership, recognising that it's never going to be perfect.
3) Good with people
- Understand other humans.
- Understand how humans interact with technology.
- Learn to communicate solutions effectively and with empathy.
The above seem to be core to the security engineer role, as much as it is important to be cyber and crypto literate.
Security through obscurity
Relying on secrecy or complexity for security. This was introduced to us as a "fallacy", like a common pitfall for those uneducated in security. Through our discussions it was clear why this was the case.
- Secrecy is only good until it is discovered, which can definitely happen (e.g. the Black Chambers period: everyone knew how to decrypt everyone else's messages).
- Additional complexity for the sake of complexity (rather than representing a more robust system) can actually introduce new vulnerabilities, as the author does not fully understand nor utilise their program's design.
A quick google search gave me a useful analogy to remember this by.
"Security through obscurity is burying your money under a tree. It's only safe because no one knows it's there." - Rex M, Stack Overflow
Kerckhoffs' Principle: Antithesis to security through obscurity
Kerckhoffs' principle states that for an actually secure system, how the system works should basically be public information (like an open-source project), and falling into anyone's hands does not compromise its security. This sounds antithetical to the whole security through obscurity logic, which is good.
Kerckhoffs' principle is actually the second axiom of our six that Kerckhoffs talks about in his articles about security.
Below are the six axioms (Reference: crypto-it.net)
1. The system must be practically, if not mathematically, indecipherable.
2. It must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience.
3. Its key must be communicable and retainable without the help of written notes, and changeable or modifiable at the will of the correspondents.
4. It must be applicable to telegraphic correspondence.
5. Apparatus and documents must be portable, and its usage and function must not require the concourse of several people.
6. Finally, it is necessary, given the circumstances that command its application, that the system be easy to use, requiring neither mental strain nor the knowledge of a long series of rules to observe.
Note to self: think like an attacker!
This was an interesting paradigm stating that security engineers must learn to look for vulnerabilities and weaknesses rather than strengths when analysing the security of something. On a superficial level it is easy to conclude that a system is secure because it has a number of security-enhancing features, and this is a mistake. We should always think about how one might break a system in order to analyse the level of security. This is how Threat Modeling is performed.
Cryptoliteracy. CIA: Confidentiality, integrity, authenticity
Confidentiality: only authorised users can access the secure documents
Integrity: documents are true to the original, i.e. not altered or destroyed
Authenticity: documents are created as intended by real and authenticated users
shah2323-madtitan · 5 years ago
Thinking of a Cybersecurity Career? Read This — Krebs on Security
Hundreds of people graduate from schools and universities every year with cybersecurity or computer science degrees only to find employers are less than thrilled about their hands-on, foundational skills. Here's a look at a recent survey that identified some of the bigger skills gaps, and some thoughts about how those seeking a career in these fields can better stand out from the crowd.
Almost every week KrebsOnSecurity receives at least one email from someone seeking advice on how to break into cybersecurity as a career. In most cases, the aspirants ask which certifications they should seek, or what specialization in computer security might hold the brightest future.
Rarely am I asked which practical skills they should seek to make themselves more appealing candidates for a future job. And while I always preface any response with the caveat that I don't hold any computer-related certifications or degrees myself, I do speak with C-level executives in cybersecurity and recruiters on a regular basis and frequently ask them for their impressions of today's cybersecurity job candidates.
A common theme in these C-level executive responses is that a great many candidates simply lack hands-on experience with the more practical concerns of operating, maintaining and defending the information systems which drive their businesses.
Granted, most people who have just graduated with a degree lack practical experience. But happily, a somewhat unique aspect of cybersecurity is that one can gain a fair degree of mastery of hands-on skills and foundational knowledge through self-directed study and old-fashioned trial-and-error.
One key piece of advice I nearly always include in my response to readers involves learning the core components of how computers and other devices communicate with one another. I say this because a mastery of networking is a fundamental skill that so many other areas of learning build upon. Trying to get a job in security without a deep understanding of how data packets work is a bit like trying to become a chemical engineer without first mastering the periodic table of elements.
But please don't take my word for it. The SANS Institute, a Bethesda, Md. based security research and training firm, recently conducted a survey of more than 500 cybersecurity practitioners at 284 different companies in an effort to suss out which skills they find most useful in job candidates, and which are most frequently lacking.
The survey asked respondents to rank various skills from "critical" to "not needed." Fully 85 percent ranked networking as a critical or "very important" skill, followed by a mastery of the Linux operating system (77 percent), Windows (73 percent), common exploitation techniques (73 percent), computer architectures and virtualization (67 percent) and data and cryptography (58 percent). Perhaps surprisingly, only 39 percent ranked programming as a critical or very important skill (I'll come back to this in a moment).
How did the cybersecurity practitioners surveyed grade their pool of potential job candidates on these critical and very important skills? The results may be eye-opening:
"Employers report that student cybersecurity preparation is largely inadequate and are frustrated that they have to spend months searching before they find qualified entry-level employees if any can be found," said Alan Paller, director of research at the SANS Institute. "We hypothesized that the beginning of a pathway toward resolving those challenges and helping close the cybersecurity skills gap would be to isolate the capabilities that employers expected but did not find in cybersecurity graduates."
The truth is, some of the smartest, most insightful and talented computer security professionals I know today don't have any computer-related certifications under their belts. In fact, many of them never even went to college or completed a university-level degree program.
Rather, they got into security because they were passionately and intensely curious about the subject, and that curiosity led them to learn as much as they could — mainly by reading, doing, and making mistakes (lots of them).
I mention this not to dissuade readers from pursuing degrees or certifications in the field (which may be a basic requirement for many corporate HR departments) but to emphasize that these should not be viewed as some kind of golden ticket to a rewarding, stable and relatively high-paying career.
More to the point, without a mastery of one or more of the above-mentioned skills, you simply will not be a terribly appealing or outstanding job candidate when the time comes.
BUT..HOW?
So what should you focus on, and what's the best way to get started? First, understand that while there are a near infinite number of ways to acquire knowledge and virtually no limit to the depths you can explore, getting your hands dirty is the fastest way to learning.
No, I'm not talking about breaking into someone's network, or hacking some poor website. Please don't do that without permission. If you must target third-party services and sites, stick to those that offer recognition and/or incentives for doing so through bug bounty programs, and then make sure you respect the boundaries of those programs.
Besides, almost anything you want to learn by doing can be replicated locally. Hoping to master common vulnerability and exploitation techniques? There are innumerable free resources available: purpose-built exploitation toolkits like Metasploit, WebGoat, and custom Linux distributions like Kali Linux that are well supported by tutorials and videos online. Then there are a number of free reconnaissance and vulnerability discovery tools like Nmap, Nessus, OpenVAS and Nikto. This is by no means a complete list.
Set up your own hacking labs. You can do this with a spare computer or server, or with older hardware that is plentiful and cheap on places like eBay or Craigslist. Free virtualization tools like VirtualBox can make it simple to get friendly with different operating systems without the need for additional hardware.
Or look into paying someone else to set up a virtual server that you can poke at. Amazon's EC2 services are a good low-cost option here. If it's web application testing you wish to learn, you can install any number of web services on computers within your own local network, such as older versions of WordPress, Joomla or shopping cart systems like Magento.
Want to learn networking? Start by getting a decent book on TCP/IP and really learning the network stack and how each layer interacts with the other.
And while you're absorbing this information, learn to use some tools that can help put your newfound knowledge into practical application. For example, familiarize yourself with Wireshark and Tcpdump, handy tools relied upon by network administrators to troubleshoot network and security problems and to understand how network applications work (or don't). Begin by inspecting your own network traffic, web browsing and everyday computer usage. Try to understand what applications on your computer are doing by looking at what data they're sending and receiving, how, and where.
ON PROGRAMMING
While being able to program in languages like Go, Java, Perl, Python, C or Ruby may or may not be at the top of the list of skills demanded by employers, having one or more languages in your skillset is not only going to make you a more attractive hire, it will also make it easier to grow your knowledge and venture into deeper levels of mastery.
It is also likely that depending on which specialization of security you end up pursuing, at some point you will find your ability to expand that knowledge is somewhat limited without understanding how to code.
For those intimidated by the idea of learning a programming language, start by getting familiar with basic command line tools on Linux. Just learning to write basic scripts that automate specific manual tasks can be a wonderful stepping stone. What's more, a mastery of creating shell scripts will pay handsome dividends for the duration of your career in almost any technical role involving computers (regardless of whether you learn a specific coding language).
GET HELP
Make no mistake: Much like learning a musical instrument or a new language, gaining cybersecurity skills takes most people a good deal of time and effort. But don't get discouraged if a given topic of study seems overwhelming at first; just take your time and keep going.
That's why it helps to have support groups. Seriously. In the cybersecurity industry, the human side of networking takes the form of conferences and local meetups. I cannot stress enough how important it is for both your sanity and career to get involved with like-minded people on a semi-regular basis.
Many of these gatherings are free, including Security BSides events, DEFCON groups, and OWASP chapters. And because the tech industry continues to be disproportionately populated by men, there are also a number of cybersecurity meetups and membership groups geared toward women, such as the Women's Society of Cyberjutsu and others listed here.
Unless you live in the middle of nowhere, chances are there are a number of security conferences and security meetups in your general area. But even if you do live in the boonies, the good news is many of these meetups are going virtual to avoid the ongoing pestilence that is the COVID-19 epidemic.
In summary, don't rely on a degree or certification to prepare you for the kinds of skills employers are going to understandably expect you to possess. That may not be fair or as it should be, but it's likely on you to develop and nurture the skills that will serve your future employer(s) and employability in this field.
I'm certain that readers here have their own ideas about how newbies, students and those contemplating a career shift into cybersecurity can best focus their time and efforts. Please feel free to sound off in the comments. I may even update this post to include some of the better recommendations.
Tags: Alan Paller, DEFCON Groups, How to Break Into Security, Kali Linux, Metasploit, Nessus, Nikto, Nmap, OpenVAS, OWASP, SANS Institute, Security BSides, TCP/IP, Tcpdump, Virtualbox, Webgoat, Wireshark, Women’s Society of Cyberjutsu
This entry was posted on Friday, July 24th, 2020 at 6:20 pm and is filed under How to Break Into Security.
douglassmiith · 5 years ago
12 Ways To Improve User Interview Questions
About The Author
Slava Shestopalov is a designer from Ukraine. He works in Berlin as a Design Manager at ELEKS, a software consultancy, and is a journalist by education.
Right questions don’t simply roll off the tongue, but it’s a handy skill everyone can train. The following pieces of advice will help you to formulate questions that foster reliable answers from your users and clients.
An experienced interviewer takes care of many things: builds hypotheses, selects interviewees, composes invitations, schedules appointments, sets the stage, and, of course, writes an interview script. Any of these preparations can go wrong, but the script failure means all the effort is in vain. So, if you haven’t interviewed people a lot before or you have to delegate it to non-designers, I’d recommend paying attention to high-quality questions, in the first place. Then, there is a chance they’ll smooth out other potential shortcomings.
We’ll talk about 12 kinds of questions explained with examples. The first part includes six frequent mistakes and how to fix them. The second part presents six ways to improve decent questions and take control of difficult situations.
Pitfall #1: Hypothetical Questions
“I don’t care if people will use the new features,” said no budget owner ever. Investing in design and development, people want to make sure money will return. And direct asking, unfortunately, is not an effective way to check it, although it may intuitively seem a great idea. “Let’s go out of the office and ask ‘em!” In my practice, there were a lot of cases when people said they liked a feature but were reluctant to pay for it. So, is there any method to make sure that something not functioning yet will be needed when implemented?
Hypothetical questions put an interviewee into the position of a dreamer, and thus don’t provide reliable answers.
I cannot recall anything more relevant than referring to people’s past experiences and behavior in similar situations. If users don’t have a habit of saving articles for later on all the news sites, what is the chance they’ll start doing it on your website? As Jakob Nielsen said, “Users spend most of their time on other sites.”
Pitfall #2: Closed Questions
Closed questions appear from a natural human wish to be approved and gain support. However, in the interviews, they aren’t useful enough. A yes-or-no question doesn’t provoke reserved people to talk and doesn’t help much to reveal their motives and way of thinking.
Open questions help to gather more information than closed ones.
To be fair, closed questions are not evil. For example, they can serve a handy facilitation technique to make a talkative interviewee stop and turn back to the point. Also, they can help to double-check the information previously received through open questions. But if your goal is to gather as much information as possible, open questions will work better.
Pitfall #3: Leading Questions
The things considered polite in everyday conversations may be harmful to the efficiency of a user interview. Trying to help an interviewee with the options can guide them in saying what they don’t really think. A user interview is not the most comfortable situation for the majority of people, and they try to pass it as quickly as possible and at minimum effort. As a result, people tend to agree with anything more or less close to the truth or with a socially-expected choice instead of composing their answer from scratch.
Questions that suggest answer options lead to biased answers.
That’s why it’s better to move one step at a time and build the next question upon the answer to the previous one.
Pitfall #4: Selfish Questions
Idea authors sometimes act like proud parents — they want everyone to admire their child. The downside of such an attitude in user interviews is the unconscious usage of the pronouns “we” or “our.” As a result, users feel as if they are taking an exam and should either adore what they see or maintain neutrality, disguising real complaints.
Possessive pronouns like “our” provoke people to praise the subject of the talk instead of sharing honest feedback.
In your interview script, replace possessive pronouns with neutral words like “this site” and “that application” or just call a subject of conversation by the name.
Pro tip: as an interviewer, you can try hiding or understating your job title and relation to the topic.
Pitfall #5: Stacked Questions
There are many reasons why we ask stacked questions. It can be a human desire to be heard, the fear of being interrupted, or worrying that you might forget the next question while listening to the current answer. However, for the interview efficiency, stacked questions are not an option. Interviewees often select the one they are more comfortable to answer to or the one they managed to memorize from the stack. Remembering questions shouldn’t become the interviewee’s burden, so it’s better to ask them one by one. (And maybe the answers are so comprehensive that you won’t need some of the planned questions anymore.)
A stack of questions leads to a messy answer, whereas a sequence of separate questions works much better.
Pitfall #6: Explanation Instead Of A Question
Teams that work together for some time often establish their own language and tend to bring it into the product they are building. But will users understand such words as “dashboard,” “smart update,” “inclusion,” or “trigger”? Explanatory questions put an interviewee into the position of a lexicographer and help to check what sense (if any) they put into brand concepts and expert terminology. For a designer, it gives insights into how the future product — a website, app, or self-service terminal — should speak to people.
Instead of inserting the explanation into the question, it’s better to openly ask interviewees what they think this is.
The opposite side of this approach is explaining it yourself and leading people before they have a chance to share their opinions. Think about this: in the interview, you are superior and can put pressure on users making them get your point. But will you always be there for thousands of users to explain how the product works? Probably no. So, it’s more efficient to discover people’s thinking styles and then create self-explanatory solutions rather than create something and push it in interviews.
We’ve just covered six major interviewing mistakes. The next portion of advice will be about making fairly good questions even more powerful and dealing with difficult interview situations.
Pitfall #7: Question Clutter
Open questions are great until you realize there are too many details to figure out. The best method in such a situation is storytelling — describing a recent or the most prominent experience. As a result, an interviewee talks about a real situation and is less inclined to compose a socially desired answer or summarize various cases.
When a topic is broad, it’s better to ask for a full story instead of a series of open questions.
Besides, storytelling gives the freedom to speak about aspects a person considers necessary. Usually, people start with or talk longer about the most crucial experiences.
Pitfall #8: Too General Questions
When you’ve figured out regularity or general attitude, it’s the right moment to ask the interviewee about an example. Recent-experience questions can fill in the gaps, which might have appeared while answering general questions. For an interviewer, it’s another powerful method to check if users aren’t accidentally exaggerating or dropping significant details.
Past-experience questions give more insight into users’ behavior than general questions.
Pitfall #9: Talking About What You Can Observe
When you are lucky enough and interview people in their “natural habitat,” it’s a perfect chance to see their work process with your own eyes. So, if there is an opportunity to ask a user to demonstrate typical actions — offline or online — you’ll gather tons of insights. It’s a chance to learn about users’ habits (including shortcuts and favorite programs), level of computer skills, software environment, and the way of thinking (mental model).
Sometimes it’s better to witness a user’s behavior than to listen to its verbal description.
Pitfall #10: Tolerating Vagueness
Abstract nouns and adjectives, for example, “comfort,” “accessibility,” “support,” “smart,” or “user-friendly,” are probably the trickiest words in the language because everyone interprets them differently. When you hear such abstract terms, it isn’t enough to document them as they are. These words require “unboxing,” and only then can they support design decision-making.
Abstract concepts need unboxing; otherwise, they cannot back up design decision-making.
“Nothing is clear enough” has become my second favorite slogan after the classical UX phrase “It depends.” “Nothing is clear enough” means that you cannot be certain about the meaning if you can hardly visualize a scenario from your interviewee’s life. The best way to unbox abstract concepts is by turning them into verbs.
Pitfall #11: Missing Numbers
Generalizations like “all,” “never,” “always,” “nobody,” “often,” or “frequently” are as unclear as abstract nouns and adjectives. But the way to “unbox” generalizations is different — through quantifying. Basically, you ask questions about approximate numbers or proportions. An interviewee, of course, might not give you statistics, but at least you’ll understand whether the user’s “very frequent” means “more than half” or “nearly 20%.” Another example: the same phrase “a lot” can mean “50 per day” for work emails, but only “5 per year” for cybersecurity alerts.
Exaggerated or vague characteristics deserve to be quantified in the interview.
Pitfall #12: Undervalued WH-Questions
As a non-native speaker, I remember these questions from English classes at school. The teacher often asked us to make WH-questions (What? Where? When? Who? How?) so that we could start a conversation and break the awkward silence. Nothing has changed since school: now, as a designer, I often use WH-questions as my main interviewing instrument.
WH-questions are great for figuring out time, locations, participants, consequences, and other details.
My favorite question is “why.” For the sake of politeness and a more friendly atmosphere, I conceal it behind the following phrases, “What are you trying to achieve when you…?” or “Can you please explain the reason/value of…?” This is how in pursuit of a root cause you can ask several “whys” in a row without annoying your interviewee.
Summary
The question techniques above are pretty straightforward and might not take into account the nuances of a particular conversation or interviewee. Of course, even the best questions won’t make all the answers automatically objective, but they can make the information more reliable and actionable. All in all, it’s always up to the interviewer to adjust to the situation. Here are the three core principles to fall back on if you are in doubt about particular questions.
Experience holds more truth than a hypothesis
That’s why it’s recommended to ask about cases from the past and similar examples from other areas of a user’s life.
Let them tell their story; your ideas can wait
The goal of an interview is to explore the truth, not to sell or demonstrate something. If you have to push an interviewee into agreeing with you, it’s a sign that the rest of your users won’t agree either. Also, give preference to clarifying the unknown over checking hypotheses; for hypotheses, prototyping and testing are the better method.
If you cannot imagine it, you don’t get it
In a series of 1–2-hour user interviews, it’s easy to get lazy and pretend you understand what you hear. Try challenging the interviewee’s statements in your mind: “Did he tell the truth? Do I know why she says that? What exactly do they mean by telling me about it?”
Recommended Reading
“The Mom Test: How to Talk to Customers and Learn If Your Business is a Good Idea when Everyone is Lying to You,” a book by Rob Fitzpatrick.
“User Interviews: How, When, and Why to Conduct Them,” an article by Kara Pernice for Nielsen Norman Group.
“The 3 Types of User Interviews: Structured, Semi-Structured, and Unstructured,” a video by Maria Rosala for Nielsen Norman Group.
“The Art of the User Interview,” an article by Nick Babich for Springboard.
“How to Conduct User Interviews,” an article by Interaction Design Foundation.
“First Rule of Usability? Don’t Listen to Users,” an article by Jakob Nielsen for Nielsen Norman Group.
“Interviewing Users,” an article by Jakob Nielsen for Nielsen Norman Group.
(cc, yk, il)
Via http://www.scpie.org/12-ways-to-improve-user-interview-questions/
source https://scpie.weebly.com/blog/12-ways-to-improve-user-interview-questions
0 notes
acquaintsofttech · 9 months ago
Text
Humorous Cybersecurity Mistakes in MEAN Stack Development
Introduction
The MEAN stack (MongoDB, Express.js, Angular, and Node.js) has become popular with developers in the fast-moving field of web development because it lets them build scalable, dynamic applications.
Like any other technology, however, the MEAN stack has had its share of cybersecurity disasters. Security mistakes can do real damage, but some of the blunders made during development are as funny as they are instructive, and it is worth looking at them with a degree of leniency. So let's explore some of the most humorous, yet instructive, security mistakes made in MEAN stack development.
The Tale of the Misconfigured MongoDB
The Incident
Dave was a fresh graduate, eager to make his mark in the world of web development. He had learned the basics of the MEAN stack and landed a project to build an e-commerce application. Dave set up MongoDB with a sense of accomplishment but skipped the step of securing the database with authentication, thinking it was something he could do later.
Days went by, and everything seemed to be working perfectly. The application was getting positive feedback, and Dave was thrilled. One morning, however, Dave received a call from his project manager, who sounded alarmed. The application was experiencing a data breach, and sensitive customer information was being leaked.
The Aftermath
Upon investigation, it was discovered that the MongoDB instance was listening on a public interface with authentication disabled. Attackers who routinely scan the internet for open MongoDB ports found the database and had a field day, extracting everything in it. Dave learned the hard way that in cybersecurity, "later" is not an option.
In-Depth Solution
To prevent such mishaps, enable access control (security.authorization: enabled in mongod.conf) and create the least-privileged database users the application needs before the instance ever accepts a connection. Bind mongod only to the interfaces that must reach it (net.bindIp); since MongoDB 3.6 the default is localhost, but container images and deployment scripts commonly override it to listen on all interfaces, since otherwise nothing outside the container could connect. Keep database credentials out of the code and configuration you commit, supplying them through environment variables or a secrets manager instead. Restrict network reachability with firewall rules, security groups or a VPN so the port is never exposed to the internet, require TLS for client connections, and audit configurations and user roles regularly so that no weak points are left unprotected.
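The checks above, as an added example that is not part of the original post: a Node.js module that refuses to start without database credentials, URL-encodes them into the connection string, redacts the password before it can reach a log, and audits a parsed mongod.conf for the settings that left Dave's instance open. The MONGO_* variable names and the hardened configuration values are this example's own assumptions, not something the post prescribes.

```javascript
// Added example (not from the original post): fail-closed MongoDB connection
// settings for a Node.js/Express service, plus a preflight audit of a parsed
// mongod.conf. The MONGO_* environment variable names are assumptions.

const REQUIRED_VARS = ['MONGO_HOST', 'MONGO_DB', 'MONGO_USER', 'MONGO_PASSWORD'];

// Build a connection URI from the environment. Refuses to start without
// credentials instead of silently falling back to an unauthenticated localhost.
function buildMongoUri(env) {
  const missing = REQUIRED_VARS.filter((k) => !env[k]);
  if (missing.length) {
    throw new Error(`refusing to start: missing ${missing.join(', ')}`);
  }
  // Credentials must be URL-encoded; a password containing '@', ':' or '/'
  // would otherwise corrupt the URI (a classic "works in dev" bug).
  const user = encodeURIComponent(env.MONGO_USER);
  const pass = encodeURIComponent(env.MONGO_PASSWORD);
  const port = env.MONGO_PORT || '27017';
  const params = new URLSearchParams({
    authSource: env.MONGO_AUTH_SOURCE || 'admin',
    tls: 'true', // require TLS on the wire
  });
  return `mongodb://${user}:${pass}@${env.MONGO_HOST}:${port}/${env.MONGO_DB}?${params}`;
}

// Strip the password before the URI reaches logs or error messages.
function redactUri(uri) {
  return uri.replace(/(mongodb(?:\+srv)?:\/\/[^:/@]+:)[^@]+@/, '$1***@');
}

// Audit a parsed mongod.conf (YAML turned into an object) for the settings
// that leave an instance open. Returns findings; an empty list means all passed.
function auditMongodConfig(conf) {
  const findings = [];
  const security = conf.security || {};
  const net = conf.net || {};
  if (security.authorization !== 'enabled') {
    findings.push('security.authorization is not "enabled": anyone who can reach the port has full access');
  }
  if (net.bindIpAll === true) {
    findings.push('net.bindIpAll is true: mongod listens on every interface');
  }
  // mongod 3.6+ binds to localhost when bindIp is absent.
  const bindIps = String(net.bindIp || '127.0.0.1').split(',').map((s) => s.trim());
  for (const ip of bindIps) {
    if (ip === '0.0.0.0' || ip === '::') {
      findings.push(`net.bindIp includes ${ip}: mongod listens on every interface`);
    }
  }
  const tlsMode = net.tls && net.tls.mode;
  if (tlsMode !== 'requireTLS') {
    findings.push('net.tls.mode is not "requireTLS": credentials and data can cross the network in clear text');
  }
  return findings;
}
```

Run auditMongodConfig against the parsed configuration in CI or at deploy time and fail the pipeline on any finding; buildMongoUri belongs at process start, before the web server begins listening, so a missing secret fails loudly rather than at the first request.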
The Curious Case of the Exposed API Keys
The Incident
Sarah was known for her meticulous coding and her ability to integrate complex APIs seamlessly. She was working on integrating a payment gateway into her MEAN stack application. The integration was flawless, and the application went live without any issues. However, Sarah made a critical error: she hard-coded the API keys directly into her codebase and pushed it to her public GitHub repository.
A few weeks later, Sarah started noticing unusual activity in her account for the third-party service. Someone was using her API keys to make unauthorized transactions. The realization hit hard that her API keys were exposed to anyone with access to her public repository.
The Aftermath
Sarah had to revoke the exposed API keys and generate new ones. Deleting the keys in a later commit would not have helped: they remain in the repository's history, so revocation was the only real fix. She also had to go through the tedious process of securing her repository and ensuring that no other sensitive information was exposed. The unauthorized transactions had caused significant financial damage, and Sarah's company had to bear the brunt.
In-Depth Solution
To avoid such situations, never hard-code API keys, passwords or any other secrets in your codebase. Load them from environment variables (a library such as dotenv can populate process.env from a .env file that is kept out of version control via .gitignore) or from a secrets manager. Add secret scanning to pre-commit hooks and CI with tools like GitGuardian or gitleaks, and turn on the secret-scanning features your code host provides, so a leak is caught before or immediately after a push. Treat any key that has ever been committed as compromised and rotate it, even if the commit is later rewritten. Finally, enable two-factor authentication (2FA) on the accounts that own the keys and scope each key to the minimum permissions it needs.
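A minimal version of the scanning and environment-loading described above, as an added example that is not part of the original post and not the code of any of the tools it names. The key shapes are the commonly documented vendor prefixes, the entropy threshold is this example's choice, and the sample source lines (with fake keys) are constructed for the demonstration.

```javascript
// Added example (not from the original post): a small pre-commit secret
// scanner in the spirit of GitGuardian/gitleaks, plus the env-based loading
// that replaces hard-coded keys. Sample lines and key values are constructed
// for the example; the prefixes/lengths below are this example's assumptions.

const KNOWN_PATTERNS = [
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'GitHub personal access token', re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: 'Stripe live secret key', re: /\bsk_live_[A-Za-z0-9]{24,}\b/ },
];

// Generic catch-all: an assignment whose name smells like a credential and
// whose quoted value is long and high-entropy.
const GENERIC_ASSIGNMENT = /(?:api[_-]?key|secret|token|password)\s*[:=]\s*["']([^"']{16,})["']/i;

function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Mask the matched value so the scanner's own report does not leak the secret.
function mask(v) {
  return v.slice(0, 4) + '…' + v.slice(-2);
}

// Scan text and return findings with 1-based line numbers.
function scanForSecrets(text, entropyThreshold = 3.5) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    if (/process\.env\./.test(line)) return; // reading from the environment is the fix, not a leak
    for (const { name, re } of KNOWN_PATTERNS) {
      const m = line.match(re);
      if (m) findings.push({ line: i + 1, kind: name, value: mask(m[0]) });
    }
    const g = line.match(GENERIC_ASSIGNMENT);
    if (g && shannonEntropy(g[1]) >= entropyThreshold) {
      findings.push({ line: i + 1, kind: 'high-entropy credential assignment', value: mask(g[1]) });
    }
  });
  return findings;
}

// The replacement for hard-coding: read the key from the environment and
// refuse to start without it rather than falling back to a default.
function loadSecret(name, env = process.env) {
  const v = env[name];
  if (!v) throw new Error(`missing required secret ${name}`);
  return v;
}

// Constructed sample of what a leaked diff might look like. All keys are fake.
const SAMPLE_SOURCE = [
  'const paymentClient = new PaymentGateway({',
  '  apiKey: "sk_live_' + 'FAKE'.repeat(6) + '",',
  '});',
  'const aws = { accessKeyId: "AKIAFAKEFAKEFAKEFAKE" };',
  'const sessionSecret = "x9Qw2Lm7Kp4Rt8Wn3Yb6Hd1Jf5Gs0Vc";',
  'const dbPassword = "correct horse battery";',
  'const safeKey = process.env.PAYMENT_API_KEY;',
].join('\n');
```

Note the deliberate miss on the last password: an entropy heuristic does not flag a passphrase of dictionary words, which is why known-pattern rules, a pre-commit hook and platform-side scanning are layered rather than relying on any one of them.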
The Not-So-Anonymous Admin
The Incident
Tom was a seasoned developer tasked with creating an admin panel for his MEAN stack application. To make the setup process quick and easy, Tom created a default admin account with the username "admin" and password "admin123." He planned to change the credentials before the application went live but got caught up in other tasks and forgot.
The application launched, and everything seemed to be running smoothly. That is, until one day, Tom received an alert that someone had logged into the admin panel from an unknown location. The attacker had gained full control over the application, including access to sensitive user data.
The Aftermath
Tom's oversight had caused a significant security breach. The attacker had changed settings, deleted data, and even managed to steal user information. Tom had to shut down the application, revoke the compromised admin account, and conduct a thorough security audit to ensure no other vulnerabilities existed.
In-Depth Solution
Always use strong, unique credentials for all user accounts, and never ship default administrative credentials: have the application refuse to start, or force a password change on first login, until a real password is set. Store passwords only as salted hashes produced by a slow function such as bcrypt, scrypt or Argon2. Require multi-factor authentication (MFA) for administrative access, so that a leaked password alone is not enough to get in. Regularly audit user accounts and permissions to ensure that only authorized individuals have access to sensitive areas of your application, and implement role-based access control (RBAC) to limit each user to the permissions their role requires. The login alert Tom received was valuable, but it is a detective control: it told him about the breach rather than preventing it.
The Woes of Insecure CORS Configuration
The Incident
Emma was an enthusiastic developer excited about creating a RESTful API for her MEAN stack application. To ensure that her API was accessible from various domains, she decided to configure the Cross-Origin Resource Sharing (CORS) policy. In her haste, she set the CORS policy to allow all origins (*), thinking it would be a quick fix to any cross-domain issues.
Months later, Emma started noticing suspicious activity: scripts running on unrelated websites were calling her API from visitors' browsers and reading the responses. Her wildcard policy had granted every origin on the web the browser's permission to read her API's data. The incident also exposed a common misunderstanding. CORS controls which origins may read responses in a browser, not who may send requests, so an overly permissive policy widens who can read your data, while cross-site request forgery (CSRF), which rides on cookie-authenticated requests the browser sends regardless of CORS, is a separate problem that needs its own defence.
The Aftermath
Emma had to quickly reconfigure her CORS policy to restrict access to only trusted origins. She also had to implement additional security measures to prevent further exploitation of her API. The incident served as a stark reminder of the importance of properly securing APIs.
In-Depth Solution
When configuring CORS, specify an explicit allowlist of trusted origins and compare the Origin header against it exactly (scheme, host and port); substring or suffix checks let an origin like https://api.example.com.attacker.net through. Avoid the wildcard * unless the endpoint is genuinely public, and never pair credentials with an unrestricted origin. Browsers refuse Access-Control-Allow-Credentials: true alongside *, so the dangerous shortcut is reflecting whatever Origin arrives (the Express cors package does this when configured with origin: true), a combination browsers do accept and which exposes every logged-in user's data to any site they visit. Send Vary: Origin whenever the allowed origin varies per request, so caches do not serve one origin's headers to another. Authenticate and authorize every request independently of CORS, for example with JWTs (JSON Web Tokens) sent in an Authorization header, and protect cookie-based sessions against CSRF with SameSite cookies and anti-CSRF tokens.
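The origin decision described above, as an added example that is not part of the original post and not the code of the Express cors package: a plain function that returns the CORS headers to set for one request, or null when the origin is untrusted, alongside the weak suffix check it replaces. The origins are made up for the example.

```javascript
// Added example (not from the original post): CORS allowlisting as a plain
// function returning the headers to set, usable behind Express or any Node
// HTTP framework. The origins below are made up for the example.

const ALLOWED_ORIGINS = new Set([
  'https://shop.example.com',
  'https://admin.example.com',
]);

// Weak check seen in many code bases: substring or suffix matching lets
// https://shop.example.com.attacker.net (or http:// downgrades) through.
function weakOriginCheck(origin) {
  return origin.includes('example.com');
}

// Decide CORS headers for one request. Returns null when the origin is not
// trusted; in that case no Access-Control-* header is written at all and the
// browser blocks the cross-origin read.
function corsHeaders(req, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers['origin'];
  if (!origin) return null; // same-origin request or non-browser client
  // Exact, scheme-inclusive match against an explicit allowlist. Never '*'
  // on an API that relies on cookies or other ambient credentials.
  if (!allowed.has(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response now differs per origin; tell caches so one origin's
    // headers are never served to another.
    'Vary': 'Origin',
  };
  if (req.method === 'OPTIONS') {
    // Preflight: declare what the real request may use, and let the
    // browser cache the answer for a while.
    headers['Access-Control-Allow-Methods'] = 'GET,POST,PUT,DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type,Authorization,X-CSRF-Token';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}
```

Wired into a handler, the caller sets each returned header with res.setHeader and, for OPTIONS, ends the response with status 204; a null result simply means the request proceeds with no CORS headers, so the browser refuses to expose the response to the foreign page.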
The Perils of Poor Input Validation
The Incident
Mike was a developer racing against the clock to meet a tight deadline. He was tasked with creating a user registration form for his MEAN stack application. To save time, Mike decided to skip input validation, assuming he would add it later. Users started registering, and everything appeared to be functioning smoothly.
However, Mike soon noticed strange entries in the database. An attacker had been exploiting the missing validation in two ways: submitting JSON objects such as {"$gt": ""} where strings were expected, which MongoDB interprets as query operators (the NoSQL counterpart of SQL injection), and storing HTML and script fragments in profile fields, setting up cross-site scripting (XSS) against anyone who later viewed them.
The Aftermath
Mike had to halt user registrations and implement comprehensive input validation and sanitization. He also had to clean the database of malicious entries and fortify the application against future attacks. The incident underscored the critical importance of validating user inputs from the outset.
In-Depth Solution
Always validate and sanitize user input on the server; client-side validation improves usability but protects nothing, since an attacker talks to the API directly. Enforce a schema, for example with Mongoose, so that every field has a declared type and length, and reject requests where a string field arrives as an object or array (Mongoose 6 and later also offers a sanitizeFilter option, and express-mongo-sanitize strips operator keys from request bodies). For XSS, escape or encode data at the point where it meets HTML: Angular's template bindings do this by default, but innerHTML sinks, server-rendered pages and emails do not. A MEAN application has no SQL, so "use parameterized queries" translates to building query filters from typed values, never from raw request objects. Never trust user input blindly, and assume that all input is potentially malicious.
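Both halves of Mike's problem in code, as an added example that is not part of the original post: the naive login filter that passes a query operator straight through, the type and key checks that stop it, and output escaping for the stored-XSS half. Field names, length limits and the username character set are assumptions of this example.

```javascript
// Added example (not from the original post): operator injection and stored
// XSS in a MEAN registration/login flow. Field names, limits and the
// username alphabet are this example's assumptions.

// 1. Operator injection. Express's JSON body parser happily produces
//    { username: { "$gt": "" } }, which as a query filter matches every user.
function naiveLoginFilter(body) {
  return { username: body.username, password: body.password };
}

// Accept only a plain string of sane length where a string is expected.
function assertPlainString(value, field, max = 64) {
  if (typeof value !== 'string') throw new TypeError(`${field} must be a string`);
  if (value.length === 0 || value.length > max) throw new RangeError(`${field} length out of range`);
  return value;
}

// Defence in depth for objects you do pass on: refuse keys beginning with
// '$' or containing '.', at any depth, before they can reach the driver.
function rejectOperators(obj, path = 'body') {
  if (obj && typeof obj === 'object') {
    for (const [k, v] of Object.entries(obj)) {
      if (k.startsWith('$') || k.includes('.')) throw new Error(`illegal key ${path}.${k}`);
      rejectOperators(v, `${path}.${k}`);
    }
  }
  return obj;
}

function safeLoginFilter(body) {
  rejectOperators(body);
  // Look the user up by username only; compare the password hash afterwards,
  // never by putting the submitted password into the query.
  return { username: assertPlainString(body.username, 'username') };
}

// 2. Stored XSS: validate shape on input, but escape on output, where the
//    data meets HTML. Angular's interpolation escapes for you; this is for
//    server-rendered pages, emails or innerHTML sinks.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

const USERNAME_RE = /^[a-z0-9_]{3,32}$/;

function validateRegistration(body) {
  rejectOperators(body);
  const username = assertPlainString(body.username, 'username');
  if (!USERNAME_RE.test(username)) throw new Error('username: only a-z, 0-9 and _ (3-32 chars)');
  const displayName = assertPlainString(body.displayName, 'displayName', 80);
  return { username, displayName }; // stored as-is; escaped when rendered
}
```

Storing the display name unmodified and escaping on output, rather than stripping tags on input, keeps the data usable in every context (HTML, JSON, plain-text email) and avoids the false sense of safety a one-time input filter gives.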
The Saga of the Unpatched Dependencies
The Incident
Lisa was a diligent developer who made sure to use the latest libraries and frameworks for her MEAN stack application. However, in her quest to stay current, she neglected to regularly check for security updates and patches for her dependencies. Lisa's application was running smoothly until one day, it was compromised due to a known vulnerability in one of the libraries she used.
The Aftermath
Lisa had to scramble to update all her dependencies and patch the vulnerability. The attack had caused downtime and affected user trust in the application. Lisa realized that keeping dependencies up-to-date was not just about having the latest features, but also about maintaining security.
In-Depth Solution
Regularly update your dependencies and stay informed about security patches. Use npm audit (or yarn audit) to identify known vulnerabilities in the dependency tree, and run it in CI so a build fails when a new advisory appears; commit a lockfile and install with npm ci so production gets exactly the versions you tested. Automate update pull requests with Dependabot or Renovate, and review them rather than merging blindly, since a freshly published version is also the route by which a compromised package reaches you. Subscribe to the security advisories of the frameworks you depend on, and keep the runtime itself (Node.js) on a supported release line.
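A CI gate over the output of npm audit --json, as an added example that is not part of the original post. The report embedded below is constructed for the example and follows the general shape npm 7 and later emit (auditReportVersion 2, a vulnerabilities map keyed by package name); the package names and advisories in it are fake, and the threshold and command line are this example's choices.

```javascript
// Added example (not from the original post): fail a build when `npm audit`
// reports anything at or above a severity threshold. SAMPLE_REPORT is
// constructed for the example in the npm 7+ (auditReportVersion 2) shape;
// package names are fake.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Decide whether a build should fail. Reports every vulnerability at or
// above the threshold, noting direct vs transitive and whether a fix exists.
function evaluateAudit(report, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity ${threshold}`);
  const failing = [];
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    if (SEVERITY_RANK[v.severity] >= min) {
      failing.push({
        name,
        severity: v.severity,
        direct: Boolean(v.isDirect),
        // npm sets fixAvailable to false, true, or an object describing the fix.
        fixAvailable: v.fixAvailable !== false,
      });
    }
  }
  // Highest severity first, direct dependencies before transitive ones.
  failing.sort((a, b) =>
    SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || Number(b.direct) - Number(a.direct));
  return { pass: failing.length === 0, failing };
}

const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'left-pad-ish': { name: 'left-pad-ish', severity: 'low', isDirect: false, fixAvailable: true },
    'jsonwebtoken-ish': { name: 'jsonwebtoken-ish', severity: 'high', isDirect: true, fixAvailable: true },
    'deep-transitive': { name: 'deep-transitive', severity: 'critical', isDirect: false, fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1, total: 3 } },
};

// Assumed CI usage: npm audit --json > audit.json && node audit-gate.js audit.json
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module && process.argv[2]) {
  const fs = require('fs');
  const result = evaluateAudit(JSON.parse(fs.readFileSync(process.argv[2], 'utf8')));
  for (const f of result.failing) {
    console.error(`${f.severity} ${f.name}${f.direct ? ' (direct)' : ''}${f.fixAvailable ? '' : ' no fix available'}`);
  }
  process.exit(result.pass ? 0 : 1);
}
```

Reporting "no fix available" separately matters in practice: the team can decide to pin, patch or replace that package deliberately, instead of the pipeline going red with nothing actionable to do.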
The Mystery of the Missing HTTPS
The Incident
Jack was thrilled to launch his MEAN stack application and see users signing up and interacting with his app. However, he soon started receiving complaints about security warnings in users' browsers. Upon investigation, Jack realized he had forgotten to configure HTTPS for his application, leaving it vulnerable to man-in-the-middle attacks.
The Aftermath
Sensitive data, including user credentials, was being transmitted over an unencrypted connection, exposing it to eavesdropping and tampering by anyone on the network path. Jack had to quickly obtain and configure TLS certificates to secure the communication between clients and the server. The oversight cost him users' trust in the application's security.
In-Depth Solution
Always use HTTPS to encrypt traffic between the client and the server. Obtain TLS certificates from a trusted Certificate Authority (CA); Let's Encrypt issues them free of charge, and its ACME clients automate renewal. Redirect plaintext requests to HTTPS, then send an HTTP Strict Transport Security (HSTS) header on HTTPS responses so browsers refuse to downgrade on later visits; start with a short max-age and add includeSubDomains and preload only once every subdomain is known to serve HTTPS. Mark session cookies Secure (and HttpOnly and SameSite). If TLS terminates at a load balancer or reverse proxy, the Node process still sees plain HTTP, so trust the X-Forwarded-Proto header only when it comes from that proxy. Regularly test the configuration with Qualys SSL Labs to confirm the protocol versions and cipher suites meet current standards.
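The redirect-and-HSTS logic described above, as an added example that is not part of the original post, written as plain functions over Node's http request and response objects so it runs without a server or certificates. The hostnames are made up, the one-year max-age is the common setting rather than a requirement, and the decision to drop a non-standard port when redirecting is this example's assumption.

```javascript
// Added example (not from the original post): HTTP-to-HTTPS redirect and HSTS
// for a Node http.createServer handler. Hostnames are made up; the one-year
// max-age and the dropping of any explicit port on redirect are assumptions.

// Build a Strict-Transport-Security value. Only send it on HTTPS responses:
// browsers ignore it over HTTP, and a wrong value sent over HTTPS is hard to undo.
function hstsHeader({ maxAgeSeconds = 31536000, includeSubDomains = true, preload = false } = {}) {
  let v = `max-age=${maxAgeSeconds}`;
  if (includeSubDomains) v += '; includeSubDomains';
  if (preload) v += '; preload'; // only after submitting the domain to the preload list
  return v;
}

// Is this request already secure? Behind a TLS-terminating proxy the socket
// is plain HTTP and the proxy sets X-Forwarded-Proto; trust that header only
// when you control the proxy (trustProxy), never from arbitrary clients.
function isSecure(req, { trustProxy = false } = {}) {
  if (req.socket && req.socket.encrypted) return true;
  if (trustProxy) {
    const proto = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
    return proto === 'https';
  }
  return false;
}

// For a plaintext request, return the HTTPS URL to redirect to, or null if
// the request is already secure (or there is no Host to redirect to).
function httpsRedirectTarget(req, opts) {
  if (isSecure(req, opts)) return null;
  const host = req.headers.host;
  if (!host) return null;
  return `https://${host.replace(/:\d+$/, '')}${req.url}`;
}

// Wrap a request handler: redirect plaintext with 308 (keeps method and
// body), otherwise add HSTS and continue to the real handler.
function enforceHttps(next, opts) {
  return (req, res) => {
    const target = httpsRedirectTarget(req, opts);
    if (target) {
      res.writeHead(308, { Location: target });
      return res.end();
    }
    res.setHeader('Strict-Transport-Security', hstsHeader());
    return next(req, res);
  };
}
```

Typical deployment: http.createServer(enforceHttps(app, { trustProxy: true })) behind a load balancer that terminates TLS, or two listeners (port 80 redirecting, port 443 serving) when Node terminates TLS itself.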
The Paradox of Over-Engineering Security
The Incident
Alex was a developer passionate about cybersecurity. Determined to make his MEAN stack application impenetrable, Alex implemented every security measure imaginable, from complex encryption algorithms to multi-layered firewalls. However, the result was an overly complex and cumbersome application that was difficult to maintain and performed poorly.
The Aftermath
Users were frustrated with slow response times and frequent security prompts. The excessive security measures made the application difficult to use and maintain, leading to a negative user experience. Alex realized that while security is crucial, it should not come at the expense of usability and performance.
In-Depth Solution
Strike a balance between security and usability. Implement necessary security measures based on risk assessment and prioritize those that have the most significant impact on protecting your application. Regularly review and optimize your security measures to ensure they do not hinder performance or user experience. Engage with security professionals to conduct threat modeling and vulnerability assessments to identify and address the most critical risks.
Now, let us look at how Acquaint Softtech can help with secure MEAN stack development.
How can Acquaint Softtech help?
Software development outsourcing and IT staff augmentation are two services provided by Acquaint Softtech, an IT outsourcing company. As an official Laravel partner, we take great pride in using the Laravel framework to create new applications.
Acquaint Softtech is the best choice if your business is looking to hire remote developers. With our accelerated onboarding process, developers can join your existing team in as little as 48 hours.
Because of our $15 hourly fee, we are also the best choice for any kind of outsourced software development task. We can help you hire remote developers, MEAN stack developers and MERN stack developers, and provide outsourced development services to meet your needs for specialized development. Let’s scale your business today & achieve new heights.
Conclusion
Cybersecurity is an essential aspect of MEAN stack development, and while it's important to take it seriously, we can also learn from the lighter side of mishaps. By understanding these common mistakes and the lessons they teach, developers can build more secure and resilient applications.
Always remember to secure your databases, protect your API keys, use strong credentials, configure CORS policies wisely, validate user inputs, keep dependencies up-to-date, use HTTPS, and avoid over-engineering security measures. Through these best practices, we can ensure our applications remain safe and our users' data secure. Happy coding!
laurelkrugerr · 5 years ago
12 Ways To Improve User Interview Questions
About The Author
Slava is a designer from Ukraine. He works in Berlin as a Design Manager at ELEKS, a software consultancy, and is a journalist by education. Slava curates …
Right questions don’t simply roll off the tongue, but it’s a handy skill everyone can train. The following pieces of advice will help you to formulate questions that foster reliable answers from your users and clients.
An experienced interviewer takes care of many things: builds hypotheses, selects interviewees, composes invitations, schedules appointments, sets the stage, and, of course, writes an interview script. Any of these preparations can go wrong, but the script failure means all the effort is in vain. So, if you haven’t interviewed people a lot before or you have to delegate it to non-designers, I’d recommend paying attention to high-quality questions, in the first place. Then, there is a chance they’ll smooth out other potential shortcomings.
We’ll talk about 12 kinds of questions explained with examples. The first part includes six frequent mistakes and how to fix them. The second part presents six ways to improve decent questions and take control of difficult situations.
Pitfall #1: Hypothetical Questions
“I don’t care if people will use the new features,” said no budget owner ever. Investing in design and development, people want to make sure money will return. And direct asking, unfortunately, is not an effective way to check it, although it may intuitively seem a great idea. “Let’s go out of the office and ask ‘em!” In my practice, there were a lot of cases when people said they liked a feature but were reluctant to pay for it. So, is there any method to make sure that something not functioning yet will be needed when implemented?
Hypothetical questions put an interviewee into the position of a dreamer, thus don’t provide reliable answers.
I cannot recall anything more relevant than referring to people’s past experiences and behavior in similar situations. If users don’t have a habit of saving articles for later on all the news sites, what is the chance they’ll start doing it on your website? As Jakob Nielsen said, “Users spend most of their time on other sites.”
Pitfall #2: Closed Questions
Closed questions appear from a natural human wish to be approved and gain support. However, in the interviews, they aren’t useful enough. A yes-or-no question doesn’t provoke reserved people to talk and doesn’t help much to reveal their motives and way of thinking.
Open questions help to gather more information than the closed ones.
To be fair, closed questions are not evil. For example, they can serve as a handy facilitation technique to make a talkative interviewee stop and turn back to the point. Also, they can help to double-check the information previously received through open questions. But if your goal is to gather as much information as possible, open questions will work better.
Pitfall #3: Leading Questions
The things considered polite in everyday conversations may be harmful to the efficiency of a user interview. Trying to help an interviewee with the options can guide them in saying what they don’t really think. A user interview is not the most comfortable situation for the majority of people, and they try to pass it as quickly as possible and at minimum effort. As a result, people tend to agree with anything more or less close to the truth or with a socially-expected choice instead of composing their answer from scratch.
Questions that suggest answer options lead to biased answers.
That’s why it’s better to move one step at a time and build the next question upon the answer to the previous one.
Pitfall #4: Selfish Questions
Idea authors sometimes act like proud parents — they want everyone to admire their child. The downside of such an attitude in user interviews is the unconscious usage of the pronouns “we” or “our.” As a result, users feel as if they are taking an exam and should either adore what they see or maintain neutrality, disguising real complaints.
Possessive pronouns like “our” provoke people to praise the subject of talk instead of sharing honest feedback.
In your interview script, replace possessive pronouns with neutral words like “this site” and “that application” or just call a subject of conversation by the name.
Pro tip: as an interviewer, you can try hiding or understating your job title and relation to the topic.
Pitfall #5: Stacked Questions
There are many reasons why we ask stacked questions. It can be a human desire to be heard, the fear of being interrupted, or worrying that you might forget the next question while listening to the current answer. However, for the interview efficiency, stacked questions are not an option. Interviewees often select the one they are more comfortable answering or the one they managed to memorize from the stack. Remembering questions shouldn’t become the interviewee’s burden, so it’s better to ask them one by one. (And maybe the answers are so comprehensive that you won’t need some of the planned questions anymore.)
A stack of questions leads to a messy answer, whereas a sequence of separate questions works much better.
Pitfall #6: Explanation Instead Of A Question
Teams that work together for some time often establish their own language and tend to bring it into the product they are building. But will users understand such words as “dashboard,” “smart update,” “inclusion,” or “trigger”? Explanatory questions put an interviewee into the position of a lexicographer and help to check what sense (if any) they put into brand concepts and expert terminology. For a designer, it gives insights into how the future product — a website, app, or self-service terminal — should speak to people.
Instead of inserting the explanation into the question it’s better to openly ask interviewees what they think this is.
The opposite side of this approach is explaining it yourself and leading people before they have a chance to share their opinions. Think about this: in the interview, you are superior and can put pressure on users, making them get your point. But will you always be there for thousands of users to explain how the product works? Probably not. So, it’s more efficient to discover people’s thinking styles and then create self-explanatory solutions rather than create something and push it in interviews.
We’ve just covered six major interviewing mistakes. The next portion of advice will be about making fairly good questions even more powerful and dealing with difficult interview situations.
Pitfall #7: Question Clutter
Open questions are great until you realize there are too many details to figure out. The best method in such a situation is storytelling — describing a recent or the most prominent experience. As a result, an interviewee talks about a real situation and is less inclined to compose a socially desired answer or summarize various cases.
When a topic is broad, it’s better to ask for a full story instead of a series of open questions.
Besides, storytelling gives the freedom to speak about aspects a person considers necessary. Usually, people start with or talk longer about the most crucial experiences.
Pitfall #8: Too General Questions
When you’ve figured out regularity or general attitude, it’s the right moment to ask the interviewee about an example. Recent-experience questions can fill in the gaps, which might have appeared while answering general questions. For an interviewer, it’s another powerful method to check if users aren’t accidentally exaggerating or dropping significant details.
Past-experience questions give more insight into users’ behavior than general questions.
Pitfall #9: Talking About What You Can Observe
When you are lucky enough and interview people in their “natural habitat,” it’s a perfect chance to see their work process with your own eyes. So, if there is an opportunity to ask a user to demonstrate typical actions — offline or online — you’ll gather tons of insights. It’s a chance to learn about users’ habits (including shortcuts and favorite programs), level of computer skills, software environment, and the way of thinking (mental model).
Sometimes it’s better to witness a user’s behavior than to listen to their verbal description of it.
Pitfall #10: Tolerating Vagueness
Abstract nouns and adjectives, for example, “comfort,” “accessibility,” “support,” “smart,” or “user-friendly,” are probably the trickiest words in the language because everyone interprets them differently. When you hear abstract names, that’s not enough to document them as they are. These words require “unboxing” and only then can support design decision-making.
Abstract concepts need unboxing; otherwise, they cannot back up design decision-making.
“Nothing is clear enough” has become my second favorite slogan after the classical UX phrase “It depends.” “Nothing is clear enough” means that you cannot be certain about the meaning if you hardly visualize a scenario from your interviewee’s life. The best way to unbox abstract concepts is by turning them into verbs.
Pitfall #11: Missing Numbers
Generalizations like “all,” “never,” “always,” “nobody,” “often,” or “frequently” are as unclear as abstract nouns and adjectives. But the way to “unbox” generalizations is different — through quantifying. Basically, you ask questions about approximate numbers or proportions. An interviewee, of course, might not provide you with statistics, but at least you’ll understand whether the user’s “very frequent” is about “more than a half” or “nearly 20%.” Another example: the same phrase “a lot” can mean “50 per day” for work emails, but it’ll be only “5 per year” for cybersecurity alerts.
Exaggerated or vague characteristics deserve to be quantified in the interview.
Pitfall #12: Undervalued WH-Questions
As a non-native speaker, I remember these questions from the English classes at school. The teacher often asked us to make WH-questions (What? Where? When? Who? How?) so that we could start a conversation and break the awkward silence. Nothing had changed from school times. Now, as a designer, I often use WH-questions as the main interviewing instrument.
WH-questions are great for figuring out time, locations, participants, consequences, and other details.
My favorite question is “why.” For the sake of politeness and a more friendly atmosphere, I conceal it behind the following phrases, “What are you trying to achieve when you…?” or “Can you please explain the reason/value of…?” This is how in pursuit of a root cause you can ask several “whys” in a row without annoying your interviewee.
Summary
The question techniques above are pretty straightforward and might not take into account the nuances of a particular conversation or interviewee. Of course, even the best questions won’t make all the answers automatically objective, but they can make information more reliable and actionable. All in all, it’s always on an interviewer to adjust according to the situation. Here are the three core principles if you are in doubt about particular questions.
Experience holds more truth than a hypothesis.
That’s why it’s recommended to ask about cases from the past and similar examples from other areas of a user’s life.
Let them tell their story; your ideas can wait
The goal of an interview is to explore the truth, not to sell or demonstrate something. If you force an interviewee to support you, it might mean the rest of the people won’t agree either. Also, give preference to clarifying the unknown versus checking hypotheses — for hypotheses, a better method is prototyping and testing.
If you cannot imagine it, you don’t get it
In a series of 1–2-hour user interviews, it’s so easy to get lazy and pretend you understand what you hear. Try challenging the interviewee’s statements in your mind: “Did he tell the truth? Do I know why she says that? What exactly do they mean telling me about it?”
Recommended Reading
“The Mom Test: How to Talk to Customers and Learn If Your Business is a Good Idea when Everyone is Lying to You,” a book by Rob Fitzpatrick.
“User Interviews: How, When, and Why to Conduct Them,” an article by Kara Pernice for Nielsen Norman Group.
“The 3 Types of User Interviews: Structured, Semi-Structured, and Unstructured,” a video by Maria Rosala for Nielsen Norman Group.
“The Art of the User Interview,” an article by Nick Babich for Springboard.
“How to Conduct User Interviews,” an article by Interaction Design Foundation.
“First Rule of Usability? Don’t Listen to Users,” an article by Jakob Nielsen for Nielsen Norman Group.
“Interviewing Users,” an article by Jakob Nielsen for Nielsen Norman Group.
(cc, yk, il)
source http://www.scpie.org/12-ways-to-improve-user-interview-questions/ source https://scpie1.blogspot.com/2020/06/12-ways-to-improve-user-interview.html
terabitweb · 6 years ago
Original Post from SC Magazine Author: Doug Olenick
The vicious cycle of imbalance between cyber attackers and defenders seems never-ending. Defenders continue to develop and implement new tools to prevent, detect, monitor and remediate cyber threats while attackers simultaneously develop new attack techniques to thwart defenses, which for all intents and purposes gives them the upper hand.
But a new concept, originally conceived by DHS.gov, is creating a new paradigm in cyber defense that can for the first time potentially shift the power to the defenders for good. Known as Moving Target Defense (MTD), this concept creates confusion for bad actors by introducing a dynamic, constantly evolving attack surface across multiple system dimensions to increase uncertainty and complicate attacks. Ultimately, hackers cannot hit what they cannot see.
MTD can be implemented in different ways, including via dynamic runtime platforms and dynamic application code and data. However, it is through the deployment of decoys, such as false endpoints, servers and IoT devices – to misdirect attackers at the network, host or application layer of a tech stack – that security teams benefit from most. Such distractions create a constantly changing environment, prompting attackers to question if the vulnerabilities they find are real or fake, if systems are real or a decoy and if the layout of a network is genuine. 
Why now is the time to implement Moving Target Defense
For some CISOs and security managers, implementing MTD may sound like an enticing proposition, but envisioning the transformation can be somewhat mind-boggling and makes them hesitate. It’s important to acknowledge that polymorphism has been weaponized by malware authors against us for years. But with recently developed techniques, the right proactive defense is available. Here are three ways that implementing MTD now can help your organization reduce risk.
It levels the playing field between attackers and defenders. The single biggest benefit of implementing MTD is that defenders make themselves difficult targets for attackers to spot, whichever layer is being protected. In the network layer, for example, if an attacker doesn’t know which IP address to target because it constantly shifts, they cannot easily pin down where to attack from one device to the next. A decoy software layer that lets the defender move around drives up the cost of chasing the defender and shrinks the pool of people qualified to mount the attack, because the layer keeps moving.
As an example, the military for decades has utilized frequency hopping radios, a technique that rapidly transmits radio signals by switching carriers between a number of frequency channels. If a defender knows what frequency that an adversary is using, they can put out so much noise, or “jam” the frequency at any moment so that adversary has great difficulty penetrating through that noise.
It reduces the need for threat detection. When defenders increase the difficulty of an attack, then that itself means that a security team doesn’t need to rely as much on threat detection solutions. That’s because when applying MTD, you zig when an attacker zags. As an analogy, think about a bank vault and its contents. Every night, the bank vault moves places within the bank, so robbers who attempt breaking-in would have a difficult time finding the vault. Similarly, changing the location of the attack surface makes it very difficult for attackers to strike, again shifting the power to defenders, while also lessening the burden on over-extended security teams.
It’s a ‘scalable’ security solution. As more controllers, servers, remote terminals, monitoring equipment and sensors are tied to the internet, the cyberattack surface increases exponentially, creating unprecedented vulnerabilities and threats that require additional resources to remediate. Because MTD makes an attack surface dynamic, it naturally decreases in size because of its constant movement, creating more efficiencies in security at scale.
While these are all clear benefits of implementing an MTD strategy, it has to be noted that for MTD to work, the concept must be implementable. Specifically, it has to fit within the existing architectural infrastructure; have a near zero impact on the administrative behavior of the enterprise; be easy to “turn on”; and require minimal customized knowledge. MTD must result in a net positive shift in security because if an attack surface is reduced, but requires leaving a back door open, then it is ineffective because attackers can still get in.
To elaborate, let’s revisit the radio jamming example. Frequency hopping does not solve the underlying reliance on the RF spectrum to provide transport for the frequencies, so vulnerabilities remain. The point is that frequency hopping radios have provided decades of RF security, even with the risks and inherent vulnerabilities. It isn’t perfect, but it works, and the same can be said for MTD.
MTD is imperfect, but gives defenders an unprecedented edge against attackers
Make no mistake, MTD is not perfect, and it operates on the assumption that attacks will still happen. But by taking a pragmatic approach to MTD and understanding that it makes a defender a more difficult target, reduces the need for threat detection and makes security more scalable, it’s clear that the benefits outweigh the cons of implementing it as part of the broader cybersecurity strategy. Even in environments that are likely to be compromised, MTD gives defenders an advantage that simply wasn’t possible to obtain just a short time ago.
Doug Britton is Chief Technology Officer at RunSafe Security
The post Three reasons why moving target defense needs to be a priority in any cybersecurity strategy appeared first on SC Media.
0 notes
technicaldr · 6 years ago
Text
Women and Nonbinary People in Information Security
I’ve got great news for you! My interview series continues.
Last week, I spoke with Nicola Whiting, cyber hygiene specialist, and Titania Chief Strategy Officer.
  This time, I had the privilege of speaking with defensive security expert Liz Bell. We talked about the 90s internet, blue teaming, sexism and transphobia in tech as well as what pen testing can teach you about defensive security.
  Kim Crawley: Please tell me a bit about yourself and what you do.
Liz Bell: I work for a cybersecurity defense company that provides network monitoring and response tools for customers in the finance, government, and energy sectors. I work on the internal monitoring team, which means I help keep our own networks safe. Before that, I worked in penetration testing punctuated with some time in academia doing research on applying machine learning techniques to attacking ciphers, and before that, I was a software engineer. I’ve been interested in security since I was little, though. Being lucky enough to have grown up with the web, I just caught the tail end of the BBS era, and so I got to see security start to become something people actually took seriously. Being curious, my general instinct was to find ways to circumvent limitations. Now I get to spot people trying to do those same things.
  KC: It sounds like you’ve been online since the 90s. I’ve been online since 1994. Is there anything about the 90s internet that you miss these days?
LB: There are a few things that I’m kind of nostalgic about, like MSN chat rooms, hearing my phone sing the internet song to the gateway, downloading Win32 viruses from Napster and Limewire, earning badges and posting angsty poetry on Bolt.com, but I think the main thing I miss is the openness and generosity of the web back then. These days, it feels like, if you’re fortunate, you have a series of walled gardens, and if you’re not, you’re facing a never-ending stream of racist/homophobic/transphobic content and intrusive adtech.
  KC: You mentioned P2P malware, which is still a problem these days. How do you think online cybersecurity challenges are different now compared to back then?
LB: I think a major difference between then and now, if not the main difference, is money. Once we started being able to shop and bank online, users became a good target for scammers, extortionists and other organized crime groups. Not to mention the environment is now extremely different; a lot of people now have a lot of their lives stored in phones, tablets, and laptops, and some of those also end up connecting to corporate or industrial networks. For organizations, this means that just defining what your network perimeter is can sometimes be impossible.
As far as national security is concerned, the public at large has become much more aware of the scale of state-level activities on communication networks, much more than when the ECHELON disclosures happened, as far as I can tell. I think that has also led to something of a change in what people’s threat model looks like.
  KC: Echelon! I knew someone who worked at Lawrence Livermore back in the day, apparently on that particular project.
LB: That’s awesome! I work with a lot of former IC and .mil people who I understand have probably been involved in a lot of things that would make for extremely interesting conversations, but alas, I’m not cleared.
  KC: How has your penetration testing experience helped you with your blue teamwork?
LB: It’s a big help. Understanding the different kinds of techniques and tools used by adversaries to compromise accounts, intercept traffic or steal data means I have more of an ability to spot patterns or suspicious outliers in our sensor data. Likewise, seeing how blue teams operate makes me better at doing the offensive work or, at least, doing it in a way that’s less likely to get me caught! I’m increasingly a proponent of getting the red team and blue team members to trade sides occasionally or work together to have a better understanding of how the other side operates.
  KC: Has sexism ever been a challenge in your career?
LB: Honestly, I don’t know. When I first started, I hadn’t transitioned yet, and so I was perceived as an (effeminate, not assertive) man, and so presumably I benefited from that when it came to getting my career started. At a previous employer, after transitioning, I was the only female penetration tester in the office, the only woman I knew of working in a technical role, and the only out queer person, and I started getting more complaints about my performance. I ultimately ended up leaving, and it definitely became harder to find work afterward, but then again, what I was looking for was pretty specific. I’m lucky enough to have been hired by a woman and be managed by a woman, in my current role, even though the team is still largely white cisgender straight men.
  KC: Well, you’re not the first transgender woman I’ve interviewed in this series. I’m happy to see more transgender people in cybersecurity.
LB: I actually applied to the place I’m working at now because a good friend of mine, who’s also trans, worked there. It was an incredible privilege to go from this extremely homogenous environment to getting to work professionally in information security with another queer trans woman.
  KC: Is there anything you miss about your pen testing days?
LB: I do miss the “let’s be evil” feeling sometimes, and the interaction with external clients from all kinds of different industries. My job now has maybe a little less variety, but I get to stick with projects longer, and being an investigator definitely makes up for not getting to pretend to be a criminal anymore!
  KC: I have spoken to Defensive Security Handbook authors Ian Brotherston and Amanda Berlin, who believe that defensive security is underrated in our field. Do you agree?
LB: I think that offensive security gets a lot of the glamor, but penetration testing is really only a small piece of what keeps users safe. Blue team folks definitely don’t get nearly enough credit or support; offensive security people need to only find one problem, but defensive security practitioners can’t make a single mistake.
  KC: Do you think a lot of organizations overlook defensive security?
LB: In my experience, a lot of organizations tend to maybe focus on the wrong things: or rather, they optimize for meeting regulatory requirements. Rules say they need a firewall and quarterly penetration tests, so they buy a firewall and contract the tests out. Security should be baked in everywhere; into the software development lifecycle, the monitoring and maintenance of the corporate network, training of new employees and continuous training of your existing staff and even how the organization interacts with suppliers. The line between ‘defensive information security’ and ‘physical security’ gets fuzzy, and I don’t know if many organizations prioritize either at sufficiently many levels of the stack.
  KC: I’ve learned a lot from you. Do you have anything else you’d like to add before we go, Liz?
LB: I think it might be worth mentioning that machine learning is increasingly something people are exploring in both the defensive and offensive information security space, and in order to both defend against robot hackers and defeat Skynet, or build either, it helps to have that blended blue and red team exposure. Otherwise, thank you so much for your work here boosting not-male voices!
0 notes
antonymilton619-blog · 7 years ago
Text
Preparing for the looming battle of AI bots
As the cybersecurity industry adopts artificial intelligence techniques in earnest, cyber criminals are quietly building their own adversarial AI tools. This article explores the likely “first contact” enterprises will have with adversarial AI.
The case for artificial intelligence to defend the enterprise
The case for using artificial intelligence to defend networks against attacks grows as legacy security technologies fade into ineffectiveness against new attacks. As destructive attacks like WannaCry and NotPetya revive worm-spreading behaviors, the urgency for automated defense has never been higher. Simply stated, we can’t effectively fight an adversary that operates at the speed of machines with defenses that expect to detect and stop these attacks at human time and scale.
Against this backdrop of increasingly sophisticated threats, new artificial intelligence technology promises to overcome the technical limitations of legacy signature-based technologies. For instance, we understand that file hash matching works well at detecting known malware, but since most malware attacks do not reuse the same file, the signature matching approach has limited utility in detecting current attacks. Machine learning technology such as deep learning algorithms has demonstrated the ability to detect previously unseen malware by training against large repositories of known malware.
While malicious file detection is a problem ripe for machine learning technology, we expect that in the future adversaries will rely less on malware and more on abusing existing legitimate programs on endpoints to do their bidding. This will require a different model of detection, one based on recognizing patterns of abuse of system resources rather than malicious program patterns. Spotting unusual patterns in large volumes of data is where machine learning excels compared to humans, who can intuit well but not at scale or at machine speed.
Adversarial artificial intelligence is often used in two scenarios: (1) gaming defensive AI systems to find and exploit their weaknesses or blind spots, or (2) using AI for offensive cyber operations. In this article, the focus is on using AI for offensive cyber operations. Having said that, developers of defensive AI solutions need to be especially cognizant of failure modes in their approaches, such as catastrophic failures due to homogeneous training sets, or simply the law of large numbers, which says that many pedestrian attacks will get past machine learning approaches because most are essentially statistical estimators of a function, not a hard and fast rule.
Cyber adversaries already automate several stages of attack, including target discovery and malware generation and deployment. These developments have made defending against attacks more challenging for legacy security systems. However, artificial intelligence now gives adversaries new tools to automate even more parts of the adversary TTPs (tactics, techniques, procedures).
Adversaries are now using artificial intelligence in:
Phishing campaigns
Vulnerability discovery
Exploit generation
Workflow automation
Academic studies have shown that you can achieve higher click-through rates on phishing emails and tweets using machine learning algorithms than with human-generated phishing campaigns. This should not be surprising given the advances in chat bots handling human queries. From an adversarial perspective, why take the time and effort to handcraft a phishing campaign when a machine learning algorithm can do it better, cheaper, and in larger volumes? Traditional phishing-awareness training for humans will likely fail at significantly higher rates in spotting machine-generated phishing campaigns simply because it often teaches people to look for human errors.
Identifying vulnerabilities in programs, the starting point of the 0-day process, is ripe for advances in machine learning. Automated fuzzing tools such as AFL have enabled smarter feedback-based fuzzing, using results from prior brute-force fuzzing runs. Automated fuzzing has already resulted in the discovery of numerous critical 0-days. Applying AI algorithms to crash dump logs can be used to improve the generation of better fuzz test cases that lead to exploit-rich crashes. While software vendors could use this to find vulnerabilities in their software before release, adversaries are motivated by finding and exploiting 0-days. This isn’t hypothetical; it is a key strategy for advanced nation states in finding and exploiting 0-days in target systems.
Zero-days are useful only if they can be exploited. One area that is promising for automation is the development of exploits for heap-based overflows and underflows. Typically, the process of developing an exploit for a memory allocation vulnerability requires tedious manual work in positioning exploit code relative to the memory stack. A recent talk by Sean Heelan at BlackHat EU demonstrates advances in algorithms that automate this in black-box fashion, which, in production, can lead to automatic exploit generation from vulnerability discovery.
Finding zero-days isn’t the only way to compromise systems, of course. When it comes to embedded systems and IoT-type devices, the failure modes and effects of adversarial actions are not well understood and were never designed for malice. The single-fault hypothesis is used in the design and simulation of most embedded and safety-critical systems. Simultaneous failures in multiple components, like those caused by attacks, are not usually modeled, and there is little contingency planned for these adversarial scenarios. Analysis of fault trees with automated reasoning can identify the optimal points of a system to attack simultaneously, for example to create a failure mode while hiding it from operators and sensors. Expect these techniques to be used against self-driving cars, industrial control systems, and plants by capable and motivated adversaries.
Finally, the stages of attack associated with adversary TTPs, often called the cyber kill chain, form a repeatable workflow where the variation is due to the particular target network. This workflow is ripe for discovery and automation, similar to how a robot AI completes tasks while overcoming obstacles. The outcome of automating adversary TTPs from exploit to discovery, privilege escalation, data capture and exfiltration is scalable hacking in machine time.
While adversaries are still in the early stages of using artificial intelligence, the profit motive and scalability of AI make it likely that adversaries will leap ahead of defenders in developing and using AI for their purposes.
If anything, this means defenders need to move much faster to automate defenses that operate at machine speed in order to counter offensive AI algorithms. In other words, expect future battles to be AI on AI, where the team that develops the best AI algorithms with the best training sets wins.
Defending against AI-based attacks
While adversarial AI may sound increasingly threatening for defenders, the challenge isn’t hopeless. Machine learning algorithms today are being incorporated into products to detect unknown malware. The artificial intelligence algorithms adversaries use to find exploitable software vulnerabilities can be used by software vendors to get ahead of adversaries by finding and fixing vulnerabilities in their products before release. Similarly, adversary TTPs are fairly consistent. By observing, collecting, and analyzing data, one can identify attack patterns across large data sets and devices using AI algorithms.
The most important takeaway for defenders is that if you are not already on the path of developing or incorporating AI into your defenses, then you are falling behind adversaries. The key advantages in scaling and cost mean adversaries will adopt AI for their purposes. We should think the same way on the defensive side.
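The gap between the single-fault hypothesis and combined faults described above can be checked mechanically with fault tree analysis. The following added example (not from the article) uses a constructed fault tree for a hypothetical pump controller and computes its minimal cut sets, the smallest combinations of basic events that cause the top event; a single-fault review finds nothing, while the cut-set analysis exposes the multi-component combinations a defender needs to cover with redundancy or independent monitoring.

```python
from itertools import product

# Constructed fault tree for a hypothetical pump controller (illustrative, not
# a real system). A node is a basic-event name or ("AND" | "OR", [children]).
# Top event: cooling is lost AND the operator is not alerted (a hidden failure).
FAULT_TREE = ("AND", [
    ("OR", ["pump_power_loss",
            ("AND", ["primary_ctrl_fault", "backup_ctrl_fault"])]),
    ("OR", ["flow_sensor_fault",
            ("AND", ["alarm_link_fault", "hmi_display_fault"])]),
])

def basic_events(node):
    """All basic (leaf) events in the tree."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(c) for c in node[1]))

def top_event_occurs(node, failed):
    """Evaluate the tree for a given set of failed basic events."""
    if isinstance(node, str):
        return node in failed
    gate, children = node
    results = [top_event_occurs(c, failed) for c in children]
    return all(results) if gate == "AND" else any(results)

def _minimize(sets):
    """Drop any cut set that strictly contains another one."""
    unique = set(sets)
    minimal = [s for s in unique if not any(o < s for o in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))

def minimal_cut_sets(node):
    """Smallest combinations of basic events that cause the top event.
    OR gates add alternatives; AND gates combine every alternative of each
    child (MOCUS-style expansion); supersets are then pruned."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        combined = [s for cs in child_sets for s in cs]
    else:
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    return _minimize(combined)

def single_fault_triggers(tree):
    """Events whose failure alone causes the top event: all that a review
    under the single-fault hypothesis checks."""
    return sorted(e for e in basic_events(tree) if top_event_occurs(tree, {e}))

if __name__ == "__main__":
    print("single faults reaching the top event:", single_fault_triggers(FAULT_TREE))
    for cs in minimal_cut_sets(FAULT_TREE):  # combined-fault scenarios to cover
        print(f"{len(cs)} simultaneous faults:", sorted(cs))
```

For this tree no single fault reaches the top event, yet two simultaneous faults (pump power plus the flow sensor) do, which is exactly the kind of scenario a single-fault design review never exercises.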
0 notes