Article | March 20, 2020
In these challenging times, it’s sad to learn that cyber criminals are only increasing their activity as they look to capitalise on the Covid-19 crisis. With the NCSC (National Cyber Security Centre) issuing warnings of such activity on a daily basis, it’s important that we all work to protect our businesses from the damage of cybercrime. As many of us move to working from home, the opportunity for cyber attacks only increases, so it’s vital that we work together with our IT colleagues to adopt good cyber health practices. If you are working from home, you should only be using a VPN (Virtual Private Network) or a secure home network with strong end-to-end encryption; e.g. Office 365 SSL session. Don’t be tempted to use public wifi, as hackers can position themselves between you and the access point.
Article | August 30, 2021
As we emerge from the worst pandemic in a century, many public- and private-sector employees and employers are reassessing their options within technology and cybersecurity roles.
Are boom times coming soon for tech companies, cybersecurity professionals and others?
Marketplace.org recently posted the headline, “Are we headed for a Roaring ’20s economy?”
Here’s an excerpt: “A year ago, when most of the country was under stay-at-home orders and people were losing jobs at an unprecedented rate, we asked three people who study economic history to explain whether the recession on the horizon was going to look anything like the Great Depression.
“With the vaccine rollout well underway, weekly unemployment claims at their lowest level since the pandemic began and consumer confidence rising, we’ve asked them about a different historical comparison: the 1920s.”
Meanwhile, NBC News reported “There are now more jobs available than before the pandemic. So why aren't people signing up?”
Here’s a quote from that piece: “The number of job vacancies soared to nearly 15 million by mid-March, but discouraged, hesitant and fearful job seekers means many positions are still unfilled, according to new data from online job site ZipRecruiter.
“Online job postings plunged from 10 million before the start of the pandemic last year to just below 6 million last May, as lockdowns and shutdown orders forced businesses to close their doors and reduce or lay off workers.”
Meanwhile, according to KPMG in the U.K., tech’s job market is growing at the fastest pace in two years. “The move towards new remote and hybrid working arrangements, new spending priorities for businesses around IT infrastructure, automation and the huge shift to online retail are likely to provide a long-term boost to sales and investment in the tech sector,” said KPMG’s chair Bina Mehta.
One more — thecyberwire.com just reported that the skills gap is getting wider regarding cybersecurity jobs: “The cybersecurity industry is projected to triple year-over-year through 2022, yet the workforce shortage still stands at millions worldwide. With a 273 percent increase in large-scale data breaches in the first quarter of 2020 alone, employing more cybersecurity professionals is a pressing challenge for both companies looking to hire in-house and cybersecurity agencies alike.
“According to the International Information System Security Certification Consortium, there are now more than 4.07 million unfilled cybersecurity positions across the world. Despite high entry salaries, recession-proof job security and plentiful career opportunities, there are simply not enough trained cybersecurity professionals to fill the skills gap.”
BAD TREND — AND EVEN SOME UGLY MIXED IN
I recently posted a story from the Atlanta Journal-Constitution on LinkedIn entitled “Employers are hiring again but struggling to find workers.” Here’s an excerpt: “Chris New said he has turned down $250,000 in business because he just can’t hire enough laborers and drivers at his Carrollton-based company, Barnes Van Lines.
“There are plenty of people without jobs, but unemployment benefits give them too much incentive not to work, he said. ‘We advertise and nobody comes in looking for a job. A lot of people are taking advantage of the system. It’s really killing us.’”
Although the focus on this article was not technology or cybersecurity jobs, many of the comments were tech- and cyber-related.
Marlin Brandys: So how do they explain people like me with a B.S. in networking and cybersecurity and an NCSP both from 2020 and I can’t even get an interview for a tier 1 help desk job? All these posts and stories from corporate America, universities, government agencies selling the bogus skills gap and shortage story. This platform alone has 1,000s of cyber qualified people able and willing to work in entry level positions at entry level pay and benefits. Stop the madness already. I applied for unemployment 01/08/2021. It’s now 04/19/2021 and I haven’t seen a dime of unemployment compensation. I’ll gladly take an entry-level position in cyber.
Quinn Kuzmich: Marlin Brandys - Honestly one of the unspoken truths of the security industry is age discrimination. Sad but true.
Dave Howe: Quinn Kuzmich - broadly true across all of IT though. They stand around demanding someone "do something" about the "skills shortage" but exclude 90% of candidates based on an arbitrary checklist, and 75% more based on illegal age, sex or race discrimination, disguised as "culture fit"
Joseph Crouse: Marlin Brandys you're overqualified.
Marlin Brandys: Joseph Crouse, I wish I could believe that. For some types of positions in the teaching or instructing silo maybe, for entry level information security I do not believe so.
Dave Howe: Marlin Brandys - it's difficult to tell. I have seen "entry level" roles demand a CISSP and CEH.
Gregory Wilson: 300+ applications and 4 interviews... No job yet... Overqualified, not enough experience, ghosted.... REALITY — I'm over 60 and nobody will hire me... All the BS aside, there are lots of people ready to work... Pay them what they're worth!
Dave Howe: I think there is a bigger picture. Welfare shouldn't be so generous as to encourage people to stay on it, but equally, it shouldn't be so stingy as to cause people to struggle to stay afloat (meet rent, put food on the table, however basic, keep the power on) — there is need for balance. Equally though, an entry -evel role where a worker is willing to put in a nominal 40 hours at a routine, boring but not dangerous or unpleasant job should pay sufficient after expenses so as to be able to afford some luxuries above and beyond what welfare provides — if you are no better off, then that job is underpriced and needs either automation to improve output so as to make paying more a better proposition, or automating entirely and the job eliminated. If the job is dangerous, distasteful or involves unsociable hours, then that should be reflected in the pay, above and beyond what a "basic" job should provide. The answer should never be "we need to cut welfare so that they will take my crappy, low paid job out of desperation, because adding automation means upfront costs and I don't want to pay any more"
You can join in on that LinkedIn conversation here:
This Forbes article offers some interesting perspectives on how both employers and employees can succeed in the coming post-COVID cybersecurity world, while offering a new model for our future workforce:
“Cybersecurity is a striking example of where the supply-demand gap for personnel is particularly volatile, with companies routinely lacking both the technology and available human capital needed to integrate relevant, highly skilled workers at the same speed as their unprecedented digital transformation. When the COVID-19 pandemic forcibly distributed security teams, organizations were given a new perspective as to how remote teams can de-risk innovation. Now, many are moving to industrialize the 'new normal' of cybersecurity with greater efficiencies across their internal programs and the software development life cycle by seamlessly integrating expert security talent on-demand.”
While this coming boom may not be good news for state and local governments who struggle to compete with the private sector for the most talented tech and cyber staff, there are new options opening up for public-sector employees as well.
This research finds that many retirees want to come back and work 10 to 20 hours a week, especially if they can work remotely.
Many groups are training workers for the post-pandemic job market.
I also have spoken with CISOs and other technology leaders in both the public and private sectors who are much more open to hiring out-of-state workers, even though they would never have allowed that before the pandemic.
And finally, what about those who can’t find work, despite the supposed “boom times” that are coming? Last year, I wrote this blog describing why some skilled cyber pros are still not getting jobs. Here are just a handful of the reasons I listed there:
People are living or looking in the wrong places. They want a local job and do not want to move. (Note: More remote hiring is happening now with COVID-19, but it is still unclear if many of these jobs will go “back to the office” after the pandemic. This leads to hesitancy in taking a job in another part of the country.)
Insistence on remote work. While this is easier during the pandemic, some people want 100 percent remote without travel, which can limit options. Also, some hiring managers are not clear if remote jobs will last after the pandemic restrictions are lifted, so they want to hire locally.
Company discrimination due to older worker applicants. Yes, I agree with my colleagues that this is alive and well in 2020. Other forms of discrimination exist as well, such as race and gender.
Lack of professional networking — especially true during COVID-19. They don’t have personal connections and have a hard time meeting the right people who are hiring or can help them find the right job.
Attitude, character, work ethic, humility, etc. I have written several blogs just on this topic, but some people never get the job because they come across in interviews as entitled or too angry or having a bad attitude. They scare off hiring managers. For more on this topic, see “7 reasons security pros fail (and what to do about it)” and “Problem #3 for Security Professionals: Not Enough Humble Pie” and “Problem 5: Are You An Insider Threat?”
Putting this all together, I love my brother Steve’s perspective on individual career opportunities and selling your ideas (and yourself) to those both inside and outside your organization: “It’s all about the right product at the right place at the right time at the right price — with the right person delivering the message to the right decision-maker.”
During a recent vacation to northern Arizona, I found myself working in a coffee shop surrounded by several men and women that were supporting global companies with technology projects. Conversations were all over the map regarding application enhancements and complex deliverables for some industry-leading names.
I was frankly a bit shocked that all of this work was being run out of a coffee shop — with a few video conference calls to people’s homes. The “new normal” of global workforces became more of a reality to me, and I see this trend accelerating even after the pandemic.
Article Orginal Source:
Article | December 15, 2020
There are three significant and disruptive cybersecurity threats that are catching organizations of all types and sizes by surprise:
Cloud misconfigurations; and
Supply chain backdoors.
Let me explain with recent examples and guide you on what you can do to avoid making other’s mistakes and falling victim to the threats.
Let’s start with ransomware. It is one of the most disruptive risks facing your organization today. Why? Because it can literally bring your operations, no matter who you are, to a standstill and inflict significant cost, pain and suffering.
Just look at the recent example of one organization. It was infected with ransomware, and IT systems were shut down for several weeks, bringing operations to a standstill. It had to gradually re-start systems over several more weeks. It estimates it will cost around $95 million from lost sales, recovery and remediation, impacting profitability. Also, it announced it will not be able to attain its growth plans for the year.
Take another recent example. A three-hospital system was infected and IT systems were shut down and it could not accept any incoming patients for several days. It had to operate using paper, until gradually the IT systems were re-started over several days. Fortunately, in this case, the incoming patients turned away did not suffer any loss of life and were able to be diverted to other hospitals timely, but it could have been tragic.
No organization is immune to ransomware and it can rear its ugly head anytime and inflict severe pain.
There are many variants and each can be tweaked easily by the attackers to evade the defense. The Ryuk ransomware is an example of one that has already inflicted significant pain to hundreds of organizations this year in the U.S. and across the globe. Previously, the SamSam ransomware attacked a variety of organizations in the U.S. and Canada, and provided over $6 million in ransom payments and inflicted over $30 million in losses. Prior to that, NotPetya ransomware rapidly inflicted hundreds of organizations in various parts of the world, and caused over $10 billion in damages.
The attackers are seeing that with ransomware it is quicker and easier to make the intrusion, and encrypt some of the data than try to exfiltrate all of it. They are asking themselves, why take all the time and trouble to look for all of the data and try to steal it, when only some critical systems and data can be locked up, until a ransom is paid?
They are seeing that with ransomware there will be immediate adverse impact since the victim will not be able to access critical data and systems, and will not be able to operate. So, there is high probability the ransom will be paid to stop the pain and suffering, especially if the victim has cyber insurance in place. The organization is likely to use the insurance policy to pay the ransom, rather than continue to have its operations disrupted or shut down.
They are also seeing that while most organizations have put in place various controls to prevent and detect data theft, they have not placed an equal weight to preventing and detecting ransomware. Most organizations have a lot of data and given all of the data thefts that have occurred and continue to occur and reported in the press, the bias has been to focus on data theft. But ransomware risk cannot be ignored or approached less seriously.
Imagine that you are infected with ransomware and your people cannot access documents, files or systems, and operate. All critical files and systems are locked out from the ransomware encryption, and a ransom payment is demanded by the hacker for the keys to unlock the encryption. What if, it will take you days, weeks or months to recover? What impact would it have on your organization?
You may think that you will be able to recover quickly from back up files and systems, but are you sure? The new ransomware variants are devised to hunt down and delete or encrypt backup files and systems also, and in some cases, first, before encrypting rest of the files and systems.
The organization that was recently infected that estimates $95 million in financial impact from the ransomware thought it had the risk under control, until it was hit with the ransomware and realized it was not prepared to manage the risk.
Now, let’s move to the threat from cloud misconfigurations.
You are most probably in the cloud completely or partially. Whether you have completely outsourced your infrastructure and services to a cloud provider or are utilizing one partially, remember, ultimately, you own the cybersecurity and that you are responsible for security in the cloud, while the cloud provider is responsible for security of the cloud.
While the cloud provider will provide perimeter security, you are responsible for security of your data, IP and other assets in the cloud, and are equally susceptible to attackers in the cloud as you are on the premises. Even if any of the “big six” cloud providers, such as Amazon Web Services or Microsoft Azure or others, provide the cybersecurity, attackers can exploit weak links in the chain, break in and steal data or cause other harm.
A common weak link in the chain are misconfigurations of the various systems that the cloud provider makes available as part of its service. You are responsible for all of the configurations, not the cloud provider. So, if your team does not take the time to fully understand all of the configurations that are necessary and complete them timely, security holes will arise and remain open for the attackers to exploit.
Just look at the recent example of an organization that fell victim where the data of over 100 million customers was stolen. This organization was using one of the “big six” cloud providers, but missed making all of the necessary configurations. A former employee of the cloud provider, who was familiar with the systems and configurations, discovered a misconfiguration in a web application firewall and exploited it to break in. The attacker then was able to query a metadata service to obtain keys and tokens, which allowed the attacker to query and copy storage object data and eventually exfiltrate it.
This was a case where configuration errors in a web application firewall coupled with unrestricted metadata service access and other errors handed the attacker the keys to the kingdom for the theft of 100 million customers data.
Other common cloud misconfigurations that create opportunities for attackers to exploit include:
Unrestricted in bound access on uncommon ports
Unrestricted outbound access
Unrestricted access to non-http/https ports
Unrestricted metadata service requests
Inactivate monitoring of keys and tokens
You may think that you do not have any misconfigurations in your cloud environment, but how do you know? The organization that recently lost 100 million customers data thought it had strong security in its cloud infrastructure, until it was hit with the data theft and realized it was not prepared to manage the risk.
Now, let’s move to the threat from supply chain backdoors.
No matter what type of organization you are or your size, you most probably have a supply chain, comprised of independent contractors, vendors or partners. Each of these could be the weakest link in the chain.
In other words, the attackers may find that one of your suppliers may be easier to break into first because of weaker cybersecurity and may have privileged access to your organization, given their role and responsibilities. So why not first attack the weaker supplier, steal their privileged user credentials and use it to break into your organization and eventually attain the ultimate objective, steal data or commit other harm?
Or they may find that one of your suppliers has part of your data in order to provide the outsourced service, so they can steal the data simply by breaking into the supplier with the weaker cybersecurity, so no need to attack you directly.
There are many examples of supply chain risk, such as with a government agency, where the credentials of a background check vendor were first stolen to access the agency’s systems, then to move laterally and find other unprotected privileged users credentials to access databases and steal data of 21.5 million individuals, including fingerprints data of 5.6 million individuals.
But just look at the recent example of an organization that had outsourced billing and collections to a supplier. This is a case where the attackers did not have to attack directly. In this case, attackers broke into the supplier and injected malicious code into the payments webpages managed by the supplier and stole credit card, banking, medical and other personal information, such as social security numbers, of 11.9 million consumers. The attackers had access to the supplier’s system for eight months, during which it skimmed the data being input by consumers on the payments webpages.
So, while your cybersecurity may be in good shape, the weakest link in the chain may be one of your suppliers, who may unwittingly provide the attackers the backdoor into your organization or to your data or IP.
So, ransomware, cloud misconfigurations and supply chain backdoors are three significant and disruptive threats facing your organization today that you should mitigate.
Article | March 30, 2020
Trevor is working from home for the first time. He loves the freedom and flexibility, but doesn’t read his company’s new BYOD policy. Sadly, he misses the fact that his home PC is not protected with updated security software nor the latest operating system patches. Kelcie’s home PC is faster than the old work laptop that she’s been issued to use during the pandemic. She decides to use a USB stick to transfer large files back and forth between her PCs to speed things up. After a few days, she does all her work on her home PC, using a “safe” virtual desktop app. But unbeknownst to her, there is a keylogger on her home PC.