Ghosts of InfoSec

| October 31, 2016

article image
As National Cybersecurity Awareness Month draws to a close on Halloween, it is a fitting time to reflect on some of the ghosts of infosec. Friendly and unfriendly ghosts The ghosts of infosec include both friendly and unfriendly spirits. The friendly ones remind us of the lessons learned and the knowledge we've gained through the decades of our young industry; they also inspire us to look forward and to build on their work. Sadly, we do have quite a few unfriendly ghosts to contend with, from those which are merely troubling to some which are truly terrifying. I won’t dwell on the most terrifying ghosts; the media does a good job of scaring us all with the latest cybersecurity nightmares, from insecure medical devices to default credentials on IoT systems. Those of us in the industry have a wide array of our own hauntings depending on our experiences, from pervasive web application vulnerabilities such as SQL injection to unvalidated inputs to unpatched software and flawed crypto.

Spotlight

Fortinet Inc.

Fortinet, Inc. is an American multinational corporation founded in 2000 by brothers Ken and Michael Xie. Fortinet provides high performance network security products and services including their flagship integrated network security solution, the FortiGate firewall. Fortinet distributes its systems and subscription-based services using the channel partner sales method via more than 20,000 partners worldwide.Fortinet is positioned as the revenue leader in unified threat management (UTM) solutions.

OTHER ARTICLES

What Lessons Can We Takeaway from Las Vegas’ Recent Thwarted Cyberattack?

Article | February 27, 2020

Picture this: a news story detailing a cyberattack in which no data was exfiltrated, thousands (or even millions) of credit card details weren’t stolen, and no data was breached. While this isn’t the type of headline we often see, it recently became a reality in Las Vegas, Nev. On January 7, 2020, news broke that the city of Las Vegas had successfully avoided a cyberattack. While not many details were offered in the city’s public statement, local press reported that the attack did employ an email vector, likely in the form of a direct ransomware attack or phishing attack. The use of the word “devastating” in the public statement led many to believe ransomware was involved. This inference isn’t farfetched—and is likely a correct conclusion—given that cities throughout the U.S. have seen ransomware attacks on critical systems. Attacks that have cost those cities millions of dollars.

Read More

Cybersecurity: Five Key Questions The CEO Must Ask

Article | February 27, 2020

Just about every single day, somewhere in the world, a company falls victim to cyber attackers, even with millions spent on cybersecurity. Every company is a target because they have data and there are too many doors, windows and entryways for cyber attackers to get in, whether on-premise or in the cloud. It is not a question of if, but when, the attackers will get in. Prevention efforts are of course important, but since attackers will get in, equal attention must be on detection going forward. And the focus must be on early detection, otherwise, it will be too late. My book, Next Level Cybersecurity, is based on intensive reviews of the world’s largest hacks and uncovers the signals of the attackers that companies are either missing or don’t know how to detect early, apart from all of the noise. So, the attackers are slipping by the cybersecurity, staying undetected and stealing data or committing other harm. In the book I explain the Cyber Attack Chain. It is a simplified model that shows the steps that cyber attackers tend to follow in just about every single hack. There are five steps: external reconnaissance; intrusion; lateral movement; command and control; and execution. At each step, there will be signals of the attackers’ behavior and activity. But the signals in the intrusion, lateral movement and command and control steps provide the greatest value because they are timely. The external reconnaissance step is very early and the signals may not materialize into an attack, while detecting signals in the execution step is too late because by this time the data theft or harm will have already occurred. My research uncovered 15 major signals in the intrusion, lateral movement and command and control steps that should be the focus of detection. My research of the world’s largest hacks reveals that if the company had detected signals of the attackers early, in the intrusion, lateral movement or command and control steps, they would have been able to stop the hack and prevent the loss or damage. My book shows how to detect the signals in time, using a seven-step early detection method. One of the key steps in this method is to map relevant signals to the Crown Jewels (crucial data, IP or other assets). It is a great use case for machine learning and AI. There is a lot of noise, so machine learning and AI can help eliminate false positives and expose the attackers’ signals early to stop the hack. There are two blind spots that just about every single company world-wide faces that cyber attackers will exploit, beginning in 2019, that companies must get on top of. One blind spot is the cloud. There is a false sense of comfort and lack of attention to detection, thinking the cloud is safer because of the cloud provider’s cybersecurity or because the cloud provider has an out-of-the-box monitoring system. However, if the company fails to identify all Crown Jewels and map all relevant cyber attacker signals for the monitoring, the attackers will get in, remain undetected and steal data or commit other harm in the cloud. The other blind spot is Internet of Things (IoT). IoT devices (e.g. smart TVs, webcams, routers, sensors, etc.), with 5G on the way, will be ubiquitous in companies world-wide. While IoT devices provide many benefits, they are a weak link in the chain due to poor built-in security and lack of monitoring. Cyber attackers will focus on IoT devices to make the intrusion, then pivot to get to the Crown Jewels. Detecting early signals of cyber attackers trying to exploit IoT devices will be critical. Companies world-wide need to make cybersecurity a priority, starting in the board room and with the CEO. It all starts at the top. My intensive reviews of the world’s largest hacks reveal in each case a common theme: inadequate or missing CEO and board cybersecurity oversight. Here are five key questions from my book that the CEO must take the lead on and together with the board ask of the management team to make sure the company will not become the next victim of cyber attackers and suffer significant financial and reputational harm: Have we identified all of our Crown Jewels and are not missing any? Do we know where all of the Crown Jewels are located? Have we identified all of the ways cyber attackers could get to the Crown Jewels? Have we mapped high probability signals of cyber attackers trying to get to the Crown Jewels with each Crown Jewel? Are we sifting through all of the noise to detect signals early and reporting to the CEO and the board in a dashboard report for timely oversight? If your answer is No to any of the questions or you are unsure, you have a gap or blind spot and are at risk, and you must follow up to get to a high confidence Yes answer. In my book, Next Level Cybersecurity, I provide other key questions to ask and a practical seven-step method to take cybersecurity to the next level to stay one step ahead of the attackers. It is written in plain language for boards, executives and management, so everyone can get on the same page and together mitigate one of the most significant and disruptive risks faced today, cybersecurity.

Read More

What Does It Take to Be a Cybersecurity Professional?

Article | February 27, 2020

While eating dinner at a Fourth of July cookout last weekend, my nephew described why he had so many career options as a pilot: There’s a shortage of pilots, and many existing pilots will be retiring soon. Other current pilots need to be retrained, because they fell behind in various ways during the pandemic. New people want to get into the field, but there are many hard requirements that can’t be faked, like flying hours, or unique experience on specific aircraft. There are many job openings and everyone is hiring. My response? Sounds a lot like our current cybersecurity career field. Professionals in cyber are seeing almost the exact same things. And yes, there are many, perhaps thousands, of articles on this topic saying different things. Everyone is focused on the shortages of cyber pros and the talent issues we currently face. But how hard is it to get into a cyber career for the long term? How can someone move into a fulfilling career that will last well beyond their current role? One reason I like the pilot training comparison is that becoming an excellent cyber pro takes time and commitment. If there are any “quick wins” (with minimal preparation or training) in cybersecurity careers, they probably won’t last very long — in the same way that flying large airplanes takes years of experience. After I got home that night, I saw this article from TechRepublic proclaiming “you don’t have to be a tech expert to become a cybersecurity pro.” Here’s an excerpt: “Ning Wang: I think that we’re in a pretty bad state. No matter which source you look at, there are a lot more job openings for cybersecurity than there are qualified people to fill it. And I have worked at other security companies before Offensive Security, and I know firsthand, it is really hard to hire those people. … “You may think that you have to have so much technology background to go into security. And again, I know firsthand that is not the case. What does it take to be a great cybersecurity professional? And I think from my observation and working with people and interacting with people, they need a creative mind, a curious mind, you have to be curious about things. … “And then even if you have all of that, there’s no shortcuts. If you look at all the great people in cybersecurity, just like all the other fields, that 10,000-hour rule applies here as well.” My response? I certainly agree that advanced degrees and formal certifications are not required (although they help). Still, the 10,000-hour rule and determination are must-haves to last in the long term. Here’s what I wrote for CSO Magazine a decade ago on the topic of “Are you a security professional?”: “Many experts and organizations define a security professional based upon whether or not they have a CISSP, CISM, Master’s Degree in Information Assurance or other credentials. Or, are you in an organization or business unit with 'security' in the title? While these characteristics certainly help, my definition is much broader than that. "Why? I have seen people come and go in the security area. For example: Adam Shostack started his career as a UNIX sysadmin. Likewise, you probably know people who started in security and left, or who still have a different job title but read blogs like this one because their job includes something less than 50% information security. (That is, they wear multiple hats). Others are assigned to a security function against their will or leave a security office despite their love for the field (when a too-tempting opportunity arises). Some come back, others never will.” WHY BECOME A CYBER PRO? This CompTIA article outlines some of the top jobs in cybersecurity, with average salaries: 1. Cybersecurity Analyst $95,000 2. Cybersecurity Consultant $91,000 3. Cyber Security Manager/Administrator $105,000 4. Software Developer/Engineer $110,140* 5. Systems Engineer $90,920 6. Network Engineer/Architect $83,510* 7. Vulnerability Analyst/Penetration Tester $103,000 8. Cyber Security Specialist/Technician $92,000 9. Incident Analyst/Responder $89,000 * Salaries marked with an asterisk (*) came from the U.S. Bureau of Labor Statistics. The article also walks through many of the steps regarding education, certifications and skills. Of course, there are many other great reasons to get into a cyber career beyond pay and benefits, including helping society, the fascinating changes that grow with new technology deployment, a huge need, the ability to work remotely (often), and the potential for a wide variety of relationships and global travel if desired. Becoming a CISO (or CSO) is another important role, with CISO salaries all over the map but averaging $173,740 according to Glassdoor. OTHER HELPFUL ARTICLES ON BECOMING A CYBER PRO Yes, I have written on this topic of cybersecurity careers many times over the past decade-plus. Here are a few of those articles: • “The case for taking a government cyber job: 7 recommendations to consider” • “Why Are Some Cybersecurity Professionals Not Finding Jobs?” • “Why You Should Consider a Career in Government Cyber Security” • “Play a Game - Get a Job: GCHQ’s New Tool to Recruit Cyber Talent” FINAL THOUGHTS Many people are now considering career changes as we come out of the COVID-19 pandemic. Cybersecurity is one of the hottest fields that has staying power for decades. At the same time, Bloomberg is reporting that U.S. job openings are at record levels. Also, Business Insider is offering a template to revamp your resume and get a remote job anywhere in the world. So even if the obstacles look daunting, a career in cybersecurity may be just the long-term change you are looking for. Article Orginal Source: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/what-does-it-take-to-be-a-cybersecurity-professional

Read More

CYBERSECURITY AND CORONAVIRUS: KEEPING YOUR BUSINESS SAFE

Article | February 27, 2020

Measures to mitigate the outbreak of COVID-19 have led to an unprecedented increase in remote working across the board. Our guest author Philip Blake, European Regional Director at EC-Council and cybersecurity expert, outlines key challenges and tips for staying secure while away from the office. As governments and businesses work on mitigating the impact of the ongoing COVID-19 outbreak, social distancing measures are leading to an increase in remote working across all sectors. The reasoning behind the measures is best left to health authorities, and are discussed at length elsewhere. The purpose of this article is to shed light on some of the key cybersecurity challenges around the sudden spike in remote work arrangements, and propose potential measures to keep networks as secure as possible during these times.

Read More

Spotlight

Fortinet Inc.

Fortinet, Inc. is an American multinational corporation founded in 2000 by brothers Ken and Michael Xie. Fortinet provides high performance network security products and services including their flagship integrated network security solution, the FortiGate firewall. Fortinet distributes its systems and subscription-based services using the channel partner sales method via more than 20,000 partners worldwide.Fortinet is positioned as the revenue leader in unified threat management (UTM) solutions.

Events