Article | June 1, 2021
Over the last year, the education delivery model has changed rapidly. Universities have learnt to operate entirely remotely and now that learning may resume in person, a hybrid education model will likely continue. The transition from physical to online models happened so quickly that it left many IT networks exposed to serious harm from outside forces. With a hybrid model, there is likely a widening attack surface area.
A recent spate of attacks suggests that cyber-criminals are taking notice of the seemingly infinite weaknesses in learning centers defenses. But why?
One of the primary reasons is that universities operate large corporate-sized networks, but without the budgets to match. Add to that, teachers and students aren’t given training to use and connect their technology in a safe way.
To avoid falling victim to devastating cyber-attacks which often have dire consequences, we share three lessons universities need to quickly take on board.
Your Research is Valuable to Cyber-Criminals
There is a hefty price tag on some of the research conducted by universities, which makes it particularly attractive to cyber-criminals. The University of Oxford’s Division of Structural Biology was targeted in February by hackers snooping around, potentially in search of information about the vaccine the university has worked on with AstraZeneca. It’s not just gangs of cyber-criminals targeting research facilities, last year Russian state backed hackers were accused by official sources in the US, UK and Canada of trying to steal COVID-19 vaccine and treatment research.
With world-leading research hidden in the networks of universities, its unsurprising that last year over half (54%) of universities surveyed said that they had reported a breach to the ICO (Information Commissioner’s Office). The research conducted by many UK universities makes them an attractive target for financially motivated cyber-criminals and state-sponsored hackers in search of valuable intellectual property.
To add insult to injury, ransomware attackers are doubling their opportunity for pay off by selling off the stolen information to the highest bidder, causing a serious headache for the victims while potentially increasing the value of their pay-out.
Personal Information of Students and Staff Can Easily Fall into the Wrong Hands
Based on tests of UK university defenses, hackers were able to obtain ‘high-value’ data within two hours in every case. In many cases, successful cyber-attacks are followed by not only a ransom note demanding payment for the recovery of frozen or stolen data, but also the added threat of sharing any sensitive stolen information with the public.
Article | March 20, 2020
The Cybersecurity Solarium Commission's recently released report outlines a strategy to fundamentally reshape the U.S.’s approach to cybersecurity and prepare for resiliency and response before a major cyber incident occurs, not after. Unlike the original Solarium Commission, which operated in a classified environment, the Cybersecurity Solarium Commission chose to release its report publicly out of recognition that cybersecurity involves everyone. “In studying this issue,” begins the letter from Sen. Angus King and Rep. Mike Gallagher, the chairmen of the commission, “it is easy to descend into a morass of classification, acronyms, jargon, and obscure government organization charts. To avoid that, we tried something different: an unclassified report that we hope will be found readable by the very people who are affected by the very people who are affected by cyber insecurity – everyone. This report is also aimed squarely at action; it has numerous recommendations addressing organizational, policy, and technical issues, and we included an appendix with draft bills that Congress can rapidly act upon to put these ideas into practice and make America more secure.”
Article | July 29, 2020
1. Zero Trust – Demystified
Everyone seems to be talking about Zero Trust in the security world at the moment. Unfortunately there seems to be multiple definitions of this depending on which vendor you ask. To help others understand what Zero Trust is, this white paper covers the key aspects of a Zero Trust model.
1.1. What is Zero Trust
Zero Trust is a philosophy and a related architecture to implement this way of thinking founded by John Kindervag in 2010. What it isn’t, is a particular technology!
There are three key components to a Zero Trust model:
1. User / Application authentication – we must authenticate the user or the application (in cases where applications are requesting automated access) irrefutably to ensure that the entity requesting access is indeed that entity
2. Device authentication – just authenticating the user / application is not enough. We must authenticate the device requesting access as well
3. Trust – access is then granted once the user / application and device is irrefutably authenticated.
Essentially, the framework dictates that we cannot trust anything inside or outside your perimeters. The zero trust model operates on the principle of 'never trust, always verify’. It effectively assumes that the perimeter is dead and we can no longer operate on the idea of establishing a perimeter and expecting a lower level of security inside the perimeter as everything inside is trusted. This has unfortunately proven true in multiple attacks as attackers simply enter the perimeter through trusted connections via tactics such as phishing attacks.
1.2. Enforcing the control plane
In order to adequately implement Zero Trust, one must enforce and leverage distributed policy enforcement as far toward the network edge as possible. This basically means that granular authentication and authorisation controls are enforced as far away from the data as possible which in most cases tends to be the device the user is using to access the data. So in essence, the user and device are both untrusted until both are authenticated after which very granular role based access controls are enforced.
In order to achieve the above, a control plane must be implemented that can coordinate and configure access to data. This control plane is technology agnostic. It simply needs to perform the function described above. Requests for access to protected resources are first made through the control plane, where both the device and user must be authenticated and authorised. Fine-grained policy can be applied at this layer, perhaps based on role in the organization, time of day, or type of device. Access to more secure resources can additionally mandate stronger authentication. Once the control plane has decided that the request will be allowed, it dynamically configures the data plane to accept traffic from that client (and that client only). In addition, it can coordinate the details of an encrypted tunnel between the requestor and the resource to prevent traffic from being ‘sniffed on the wire’.
1.3. Components of Zero Trust and the Control Plane
Enforcing a Zero Trust model and the associated control plan that instructs the data plane to accept traffic from that client upon authentication requires some key components for the model to operate. The first and most fundamental is micro-segmentation and granular perimeter enforcement based on:
Their devices and its security posture
Their Context and other data
The above aspects are used to determine whether to trust a user, machine or application seeking access to a particular part of the enterprise.
In this case, the micro-segmentation technology essentially becomes the control plane. Per the above section, encryption on the wire is a key component of Zero Trust. For any micro-segmentation technology to be an effective control plane, it must:
Enforce traffic encryption between endpoints
Authenticate the user and machine based on their identity and not the network segment they are coming from.
1.4. Zero Trust Technologies
As stated earlier, Zero Trust is an architecture. Other than micro-segmentation, the following key technologies and processes are required to implement Zero Trust:
Multifactor authentication – to enforce strong authentication
Identity and Access Management – to irrefutably authenticate the user / application and the device
User and network behaviour analytics – to understand the relative behaviours of the user and the network they are coming from and highlight any unusual behaviour compared to a pre-established baseline which may indicate a compromised identity
Endpoint security – to ensure that the endpoint itself is clean and will not act as a conduit for an attacker to gain unauthorised access to data
Encryption – to prevent ‘sniffing of traffic on the wire’
Scoring – establishing a ‘score’ based on the perimeters above that will then determine whether access can be granted or not
Apart from the above key components, the following are needed as well:
File system permissions – needed in order to implement role based access controls
Auditing and logging – to provide monitoring capabilities in case unauthorised access is achieved
Granular role based access controls – to ensure access is on a ‘need to know basis only’
Supporting processes – all of the above needs to be supported by adequate operational procedures, processes and a conducive security framework so that the model operates as intended
Mindset and organisational change management – since Zero Trust is a shift in security thinking, a mindset change managed by robust change management is required to ensure the successful implementation of Zero Trust in an organisation.
1.5. Challenges with Zero Trust
So Zero Trust sounds pretty awesome, right? So why haven’t organisations adopted it fully?
As with any new technology or philosophy, there are always adoption challenges. Zero Trust is no different. At a high level, the key challenges in my experience are:
Change resistance – Zero Trust is a fundamental shift in the way security is implemented. As a result, there is resistance from many who are simply used to the traditional perimeter based security model
Technology focus as opposed to strategy focus – since Zero Trust is a model that will impact the entire enterprise, it requires careful planning and a strategy to implement this. Many are still approaching security from the angle that if we throw enough technology at it, it will be fine. Unfortunately, this thinking is what will destroy the key principles of Zero Trust
Legacy systems and environments – legacy systems and environments that we still need for a variety of reasons were built around the traditional perimeter based security model. Changing them may not be easy and in some cases may stop these systems from operating
Time and cost – Zero Trust is an enterprise wide initiative. As such, it requires time and investment, both of which may be scarce in an organisation.
1.6. Suggested Approach to Zero Trust
Having discussed some challenges to adopting a Zero Trust model above, let’s focus on an approach that may allow an organisation to implement a Zero Trust model successfully:
1. Take a multi-year and multi-phased approach – Zero Trust takes time to implement. Take your time and phase the project out to spread the investment over a few financial years
2. Determine an overall strategy and start from there – since Zero Trust impacts the entire enterprise, a well-crafted strategy is critical to ensure success. A suggested, phased approach is:
a. Cloud environments, new systems and digital transformation are good places to start – these tend to be greenfield and should be more conducive to a new security model
b. Ensure zero trust is built into new systems, and upgrades or changes – build Zero Trust by design, not by retrofit. As legacy systems are changed or retired, a Zero Trust model should be part of the new deployment strategy
c. Engage a robust change management program – mindset adjustment through good change management
3. Take a risk and business focus – this will allow you to focus on protecting critical information assets and justify the investments based on ROI and risk mitigation
4. Ensure maintenance and management of the new environment – as with everything, ensure your new Zero Trust deployment is well maintained and managed and does not degrade over time.
To summarise, Zero Trust is a security philosophy and architecture that will change the way traditional perimeter based security is deployed. A key component of it is the control plane that instructs the data plane to provide access to data. Zero Trust dictates that access can only be granted once the user / application and device are irrefutably authenticated and even then this access is provided on a ‘need to know’ basis only. Micro-segmentation is a key technology component of Zero Trust implementation and this paper has stated other key technology components and processes that are needed to implement Zero Trust adequately. This paper has discussed some of the challenges with implementing Zero Trust which include change resistance as well as legacy systems. The paper then provided an approach to implementing Zero Trust which included taking a phased approach based on a sound strategy underpinned by a risk and business focused approach.
Article | August 30, 2021
While eating dinner at a Fourth of July cookout last weekend, my nephew described why he had so many career options as a pilot:
There’s a shortage of pilots, and many existing pilots will be retiring soon.
Other current pilots need to be retrained, because they fell behind in various ways during the pandemic.
New people want to get into the field, but there are many hard requirements that can’t be faked, like flying hours, or unique experience on specific aircraft.
There are many job openings and everyone is hiring.
My response? Sounds a lot like our current cybersecurity career field. Professionals in cyber are seeing almost the exact same things.
And yes, there are many, perhaps thousands, of articles on this topic saying different things. Everyone is focused on the shortages of cyber pros and the talent issues we currently face. But how hard is it to get into a cyber career for the long term? How can someone move into a fulfilling career that will last well beyond their current role?
One reason I like the pilot training comparison is that becoming an excellent cyber pro takes time and commitment. If there are any “quick wins” (with minimal preparation or training) in cybersecurity careers, they probably won’t last very long — in the same way that flying large airplanes takes years of experience.
After I got home that night, I saw this article from TechRepublic proclaiming “you don’t have to be a tech expert to become a cybersecurity pro.” Here’s an excerpt:
“Ning Wang: I think that we’re in a pretty bad state. No matter which source you look at, there are a lot more job openings for cybersecurity than there are qualified people to fill it. And I have worked at other security companies before Offensive Security, and I know firsthand, it is really hard to hire those people. …
“You may think that you have to have so much technology background to go into security. And again, I know firsthand that is not the case. What does it take to be a great cybersecurity professional? And I think from my observation and working with people and interacting with people, they need a creative mind, a curious mind, you have to be curious about things. …
“And then even if you have all of that, there’s no shortcuts. If you look at all the great people in cybersecurity, just like all the other fields, that 10,000-hour rule applies here as well.”
I certainly agree that advanced degrees and formal certifications are not required (although they help). Still, the 10,000-hour rule and determination are must-haves to last in the long term. Here’s what I wrote for CSO Magazine a decade ago on the topic of “Are you a security professional?”:
“Many experts and organizations define a security professional based upon whether or not they have a CISSP, CISM, Master’s Degree in Information Assurance or other credentials. Or, are you in an organization or business unit with 'security' in the title? While these characteristics certainly help, my definition is much broader than that.
"Why? I have seen people come and go in the security area. For example: Adam Shostack started his career as a UNIX sysadmin. Likewise, you probably know people who started in security and left, or who still have a different job title but read blogs like this one because their job includes something less than 50% information security. (That is, they wear multiple hats). Others are assigned to a security function against their will or leave a security office despite their love for the field (when a too-tempting opportunity arises). Some come back, others never will.”
WHY BECOME A CYBER PRO?
This CompTIA article outlines some of the top jobs in cybersecurity, with average salaries:
1. Cybersecurity Analyst $95,000
2. Cybersecurity Consultant $91,000
3. Cyber Security Manager/Administrator $105,000
4. Software Developer/Engineer $110,140*
5. Systems Engineer $90,920
6. Network Engineer/Architect $83,510*
7. Vulnerability Analyst/Penetration Tester $103,000
8. Cyber Security Specialist/Technician $92,000
9. Incident Analyst/Responder $89,000
* Salaries marked with an asterisk (*) came from the U.S. Bureau of Labor Statistics.
The article also walks through many of the steps regarding education, certifications and skills.
Of course, there are many other great reasons to get into a cyber career beyond pay and benefits, including helping society, the fascinating changes that grow with new technology deployment, a huge need, the ability to work remotely (often), and the potential for a wide variety of relationships and global travel if desired.
Becoming a CISO (or CSO) is another important role, with CISO salaries all over the map but averaging $173,740 according to Glassdoor.
OTHER HELPFUL ARTICLES ON BECOMING A CYBER PRO
Yes, I have written on this topic of cybersecurity careers many times over the past decade-plus. Here are a few of those articles:
• “The case for taking a government cyber job: 7 recommendations to consider”
• “Why Are Some Cybersecurity Professionals Not Finding Jobs?”
• “Why You Should Consider a Career in Government Cyber Security”
• “Play a Game - Get a Job: GCHQ’s New Tool to Recruit Cyber Talent”
Many people are now considering career changes as we come out of the COVID-19 pandemic. Cybersecurity is one of the hottest fields that has staying power for decades. At the same time, Bloomberg is reporting that U.S. job openings are at record levels.
Also, Business Insider is offering a template to revamp your resume and get a remote job anywhere in the world.
So even if the obstacles look daunting, a career in cybersecurity may be just the long-term change you are looking for.
Article Orginal Source: