Tag: Information Security

Addressing the Cybersecurity Skills Gap

Are More Defined Parameters the Key to Addressing the Cybersecurity Skills Gap? (Security Intelligence)

...the skill sets required tend to be more diverse than other IT-related jobs. In addition to tech skills, cybersecurity jobs also require skills that align with liberal arts and humanities fields, such as communications and psychology. This has the potential to open the door to a wide range of candidates.

What’s missing is an accurate job description, said Wesley Simpson, chief operating officer with (ISC)2, during a conversation at the company’s Security Congress in October. Hiring managers who write up job descriptions often don’t have a complete understanding of the actual skill needs for these cybersecurity careers. There is a tendency to become enamored with certifications, which a person often can’t qualify for until they have years of job experience.

However, many of these jobs that “require” certifications are essentially entry-level jobs, so the people who should be applying for them don’t because they don’t carry certifications. On the other hand, people who do apply may be over-qualified and see the position as a lateral move, which could lead them to turn an offer down.

Is an inability to define security the main cause of the cybersecurity skills gap? If we can't truly define what security is, how can organizations design the right cybersecurity jobs for their needs?

Click To Read Full Post

Machine Learning Threat Taxonomy

Failure Modes in Machine Learning - Security documentation

In the last two years, more than 200 papers have been written on how Machine Learning (ML) can fail because of adversarial attacks on the algorithms and data; this number balloons if we were to incorporate non-adversarial failure modes. The spate of papers has made it difficult for ML practitioners, let alone engineers, lawyers and policymakers, to keep up with the attacks against and defenses of ML systems. However, as these systems become more pervasive, the need to understand how they fail, whether by the hand of an adversary or due to the inherent design of a system, will only become more pressing. The purpose of this document is to jointly tabulate both of these failure modes in a single place.

Click To Read Full Post

Are Cryptographers Being Denied Entry into the US?

Why Are Cryptographers Being Denied Entry into the US? - Schneier on Security (Schneier on Security)

In March, Adi Shamir -- that's the "S" in RSA -- was denied a US visa to attend the RSA Conference. He's Israeli.

This month, British citizen Ross Anderson couldn't attend an awards ceremony in DC because of visa issues. (You can listen to his recorded acceptance speech.) I've heard of two other prominent cryptographers who are in the same boat. Is there some cryptographer blacklist? Is something else going on? A lot of us would like to know.

It certainly seems that way on the surface.

Click To Read Full Post

NIST Proposes Privacy Framework to Help Make Sense of Global Privacy Regulations

NIST Proposes Privacy Framework to Help Make Sense of Global Privacy Regulations by Stephanie Hazlewood (Security Intelligence)

In October 2018, NIST, collaborating with public and private stakeholders, started drafting its privacy framework. The framework is intended to serve as a guide for chief information security officers (CISOs), chief privacy officers (CPOs) and other internal privacy stakeholders and is geared toward helping them improve their organizational privacy posture. As with the NIST Cybersecurity Framework introduced in 2014, compliance with the privacy framework is voluntary.

It is expected that the framework will be presented in language that can be understood by both privacy and security professionals, as well as executives and other business stakeholders who may have no expertise in privacy, and that’s a very good thing. The roles of the CISO and CPO are evolving to have complementary concerns, which means they must work more closely together, especially when it comes to privacy and personal data protection. Technical professionals and legal professionals speak in very different language in their day-to-day lives, so when it comes to implementing an effective privacy program, everyone had better be speaking the same language to establish a common understanding of what needs to get done.

NIST has been working quickly. A request for information (RFI) to gather input and guide the development of the framework wrapped up in January, and the outline of the NIST Privacy Framework was drafted and shared in March.

This is a welcome move from NIST. I hope that information security and privacy officers embrace the framework. I also hope that the federal government issues strong privacy legislation, similar to the GDPR, that is congruent with the United States Constitution. We, the people, need some relief from the wanton collection and leverage of personal…

Click To Read Full Post

BGP hijackers made $29M

How 3ve’s BGP hijackers eluded the Internet—and made $29M by DAN GOODIN

Members of 3ve (pronounced "eve") used their large reservoir of trusted IP addresses to conceal a fraud that otherwise would have been easy for advertisers to detect. The scheme employed a thousand servers hosted inside data centers to impersonate real human beings who purportedly "viewed" ads that were hosted on bogus pages run by the scammers themselves -- who then received a check from ad networks for these billions of fake ad impressions. Normally, a scam of this magnitude coming from such a small pool of server-hosted bots would have stuck out to defrauded advertisers. To camouflage the scam, 3ve operators funneled the servers' fraudulent page requests through millions of compromised IP addresses.

About one million of those IP addresses belonged to computers, primarily based in the US and the UK, that attackers had infected with botnet software strains known as Boaxxe and Kovter. But at the scale employed by 3ve, not even that number of IP addresses was enough. And that's where the BGP hijacking came in. The hijacking gave 3ve a nearly limitless supply of high-value IP addresses. Combined with the botnets, the ruse made it seem like millions of real people from some of the most affluent parts of the world were viewing the ads.

This is an interesting story of an ad fraud scheme that relied on hijacking the Border Gateway Protocol.
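The excerpt above describes the effect of the hijack (traffic sourced from address space the hijacker does not own) rather than how a network operator would notice it. The following is an added example, not code from the Ars Technica article or from the 3ve investigation: it performs RFC 6811-style BGP origin validation against a constructed set of ROAs, and falls back to a constructed baseline of previously seen origin ASNs for prefixes with no ROA. All prefixes and AS numbers below are documentation/reserved values (RFC 5737, RFC 5398) chosen for the example; the collector names, ROA contents and baseline are assumptions, not data from the article.

```python
"""Origin-validation check for BGP announcements (added example).

Flags a prefix announcement as suspicious when its origin AS contradicts a
covering ROA (RPKI-style origin validation, RFC 6811) or, where no ROA
exists, when it differs from the origin AS historically seen for that prefix.
All ROAs, baselines and announcements are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # covering prefix the holder authorised
    max_length: int   # longest more-specific the holder allows
    origin_as: int    # AS authorised to originate it


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_as: int


# Constructed ROAs (documentation prefixes and AS numbers, not real routes).
ROAS = [
    Roa("203.0.113.0/24", 24, 64500),
    Roa("198.51.100.0/22", 24, 64501),
]

# Constructed baseline: origin AS previously observed for prefixes without a ROA.
BASELINE_ORIGIN = {"192.0.2.0/24": 64499}


def validate(ann, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811 origin validation."""
    net = ipaddress.ip_network(ann.prefix, strict=True)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    # Valid if any covering ROA authorises this origin AND the announced
    # prefix is no longer than the ROA's maxLength (catches more-specific hijacks).
    for roa in covering:
        if roa.origin_as == ann.origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def triage(anns, roas=ROAS, baseline=BASELINE_ORIGIN):
    """Return (prefix, origin_as, status, alert) for each announcement."""
    results = []
    for ann in anns:
        status = validate(ann, roas)
        if status == "invalid":
            alert = True
        elif status == "not-found":
            # No ROA: only alert when the origin changed from what we have seen before.
            expected = baseline.get(ann.prefix)
            alert = expected is not None and expected != ann.origin_as
        else:
            alert = False
        results.append((ann.prefix, ann.origin_as, status, alert))
    return results


# Constructed sample announcements: legitimate origin, same prefix from a
# foreign AS, a more-specific from a foreign AS, and an unROA'd prefix with
# both its usual and a new origin.
SAMPLE = [
    Announcement("203.0.113.0/24", 64500),
    Announcement("203.0.113.0/24", 64511),
    Announcement("198.51.100.0/25", 64511),
    Announcement("192.0.2.0/24", 64499),
    Announcement("192.0.2.0/24", 64512),
]

if __name__ == "__main__":
    for prefix, asn, status, alert in triage(SAMPLE):
        print(f"{prefix:<18} AS{asn:<6} {status:<9} {'ALERT' if alert else 'ok'}")
```

The maxLength comparison matters: a hijacker who announces a more-specific of a victim's prefix wins the forwarding decision on longest-prefix match regardless of who the legitimate origin is, so a ROA check that only compared origin ASNs would miss that case. The baseline fallback is a weak substitute for a ROA and is only useful when the prefix has been observed stably before.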

Click To Read Full Post

Stop Trying to Fix the User

Security Design: Stop Trying to Fix the User by Bruce Schneier

We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it -- "stress of mind, or knowledge of a long series of rules."

Old (by Internet standards) but still relevant.

Click To Read Full Post

Phone Phish

Voice Phishing Scams Are Getting More Clever by Brian Krebs (krebsonsecurity.com)

Fraudsters can use a variety of open-source and free tools to fake or “spoof” the number displayed as the caller ID, lending legitimacy to phone phishing schemes. Often, just sprinkling in a little foreknowledge of the target’s personal details — SSNs, dates of birth, addresses and other information that can be purchased for a nominal fee from any one of several underground sites that sell such data — adds enough detail to the call to make it seem legitimate.

Vishing is getting more sophisticated.

Click To Read Full Post

Cyber Range

Are Colleges Teaching Real-World Cyber Security Skills? by Adi Shua

SOC analysts must have a large amount of formal knowledge and the analytic abilities to derive actionable insights from the data collected by the company’s various security tools. Moreover, the analyst is expected to use human behavioral and business context to identify threats and make decisions about how to respond to keep the organization safe. However, most junior security staff enter the cybersecurity job market with only theoretical knowledge of what “security” is, lacking practical analytical methodologies, detection techniques and more advanced specialized skills. New graduates often lack the practical analysis and synthesis skills, which leaves them unprepared to face the challenges they will meet in the cybersecurity world.

The 2018 SANS survey states that “gamification of the SOC via simulations, exercises, training or any other form of targeted practice is becoming the standard operating procedure for providing a SOC skill set and an effective way of retaining skilled staff”. Institutions of higher education are starting to address the deep asymmetry between frontal instruction and practical exercises by incorporating a cyber range into their cybersecurity curricula.

I have 15 years of experience in information security. I think I would enjoy a cyber range course and learn something new.

Click To Read Full Post

Security Policy Security Failure

Why Your Security Policies Could Be Failing Your Business

For security policies to be followed, they must be known and enforced wherever possible and reasonable. If your users can’t follow your policies due to business process conflicts, or you can’t enforce the rules due to a lack of technology or another shortcoming you’re unwilling to mitigate, then you’re probably better off not having them at all.

Click To Read Full Post

4 Tips to Creatively Close the Information Security Skills Gap

4 Tips to Creatively Close the Information Security Skills Gap by Joan Goodchild

In a competitive market for skilled candidates, Combs suggested it doesn’t hurt to take a dose of reality when it comes to your expectations for hiring. Begin by taking a hard look at your interview process.

“Most organizations have an interview process that is too long, with a lot of redundancy, and it’s low-touch,” Combs said. “They rely so much on technology for applications, but you can’t do that in security. It’s too sterile. If you want to be successful, then you need recruitment with real people who move quickly to communicate.”

Combs suggests testing your interview process so you know what the process is like as an outsider. The timeline should be a consideration, too. Investing time in finding the right person is OK, but it should be reasonable, Combs said.

“As long as you drag your feet, the candidate is going to have other options and ultimately may choose to go elsewhere. And in this market, they can,” Combs said.

Joan Goodchild offers creative tips for companies looking to hire and develop information security talent.

Click To Read Full Post

Why Security Skills Should Be Taught, Not Hired

Why Security Skills Should Be Taught, Not Hired

We are in a state of deep technical debt in security, and there’s no hiding it. Almost all of the threats our peers were warning management about a decade ago are now the realities we face on a daily basis. Because security wasn’t seen as essential — and because the pipeline wasn’t created in colleges and universities — we’re facing a hiring shortage today. Perhaps most importantly, since no education can prepare a student for the real world, training is our only option to fix the problem.

Only a few organizations can afford to pay the salaries required to hire the top talent in our field. The rest of us need to train people internally and help our new hires develop the skills we need them to have. Using training and promotion as an incentive to hire and retain employees seems to be a logical solution — even if it’s going to take long-term planning to make it effective.

Click To Read Full Post

2018 Philadelphia Information Security Forum

Unable to Attend 2018 Philadelphia Information Security Forum

IANS Information Security Forums offer an immersive, two-day experience built around actionable, deep-dive technical and leadership sessions all delivered by our faculty of world-renowned security experts. Join us for sound, unbiased, research-driven advice on the top-of-mind information security threats and organizational concerns facing today’s enterprise security leaders. At an IANS Forum, you can:
- Attend hands-on, prescriptive roundtable sessions on security technologies and strategy
- Hear top industry keynoters share thought-leading insights on information security trends
- Connect with industry peers and share best practices in an intimate and confidential setting
- Discover emerging technologies with real-world applications in a pressure-free environment

I haven't attended in two years. I need to plan how I'll hit my CPE targets for 2018.

Click To Read Full Post