Article | August 30, 2021
As we emerge from the worst pandemic in a century, many public- and private-sector employees and employers are reassessing their options within technology and cybersecurity roles.
Are boom times coming soon for tech companies, cybersecurity professionals and others?
Marketplace.org recently posted the headline, “Are we headed for a Roaring ’20s economy?”
Here’s an excerpt: “A year ago, when most of the country was under stay-at-home orders and people were losing jobs at an unprecedented rate, we asked three people who study economic history to explain whether the recession on the horizon was going to look anything like the Great Depression.
“With the vaccine rollout well underway, weekly unemployment claims at their lowest level since the pandemic began and consumer confidence rising, we’ve asked them about a different historical comparison: the 1920s.”
Meanwhile, NBC News reported “There are now more jobs available than before the pandemic. So why aren't people signing up?”
Here’s a quote from that piece: “The number of job vacancies soared to nearly 15 million by mid-March, but discouraged, hesitant and fearful job seekers means many positions are still unfilled, according to new data from online job site ZipRecruiter.
“Online job postings plunged from 10 million before the start of the pandemic last year to just below 6 million last May, as lockdowns and shutdown orders forced businesses to close their doors and reduce or lay off workers.”
Meanwhile, according to KPMG in the U.K., tech’s job market is growing at the fastest pace in two years. “The move towards new remote and hybrid working arrangements, new spending priorities for businesses around IT infrastructure, automation and the huge shift to online retail are likely to provide a long-term boost to sales and investment in the tech sector,” said KPMG’s chair Bina Mehta.
One more — thecyberwire.com just reported that the skills gap is getting wider regarding cybersecurity jobs: “The cybersecurity industry is projected to triple year-over-year through 2022, yet the workforce shortage still stands at millions worldwide. With a 273 percent increase in large-scale data breaches in the first quarter of 2020 alone, employing more cybersecurity professionals is a pressing challenge for both companies looking to hire in-house and cybersecurity agencies alike.
“According to the International Information System Security Certification Consortium, there are now more than 4.07 million unfilled cybersecurity positions across the world. Despite high entry salaries, recession-proof job security and plentiful career opportunities, there are simply not enough trained cybersecurity professionals to fill the skills gap.”
BAD TREND — AND EVEN SOME UGLY MIXED IN
I recently posted a story from the Atlanta Journal-Constitution on LinkedIn entitled “Employers are hiring again but struggling to find workers.” Here’s an excerpt: “Chris New said he has turned down $250,000 in business because he just can’t hire enough laborers and drivers at his Carrollton-based company, Barnes Van Lines.
“There are plenty of people without jobs, but unemployment benefits give them too much incentive not to work, he said. ‘We advertise and nobody comes in looking for a job. A lot of people are taking advantage of the system. It’s really killing us.’”
Although the focus on this article was not technology or cybersecurity jobs, many of the comments were tech- and cyber-related.
Marlin Brandys: So how do they explain people like me with a B.S. in networking and cybersecurity and an NCSP both from 2020 and I can’t even get an interview for a tier 1 help desk job? All these posts and stories from corporate America, universities, government agencies selling the bogus skills gap and shortage story. This platform alone has 1,000s of cyber qualified people able and willing to work in entry level positions at entry level pay and benefits. Stop the madness already. I applied for unemployment 01/08/2021. It’s now 04/19/2021 and I haven’t seen a dime of unemployment compensation. I’ll gladly take an entry-level position in cyber.
Quinn Kuzmich: Marlin Brandys - Honestly one of the unspoken truths of the security industry is age discrimination. Sad but true.
Dave Howe: Quinn Kuzmich - broadly true across all of IT though. They stand around demanding someone "do something" about the "skills shortage" but exclude 90% of candidates based on an arbitrary checklist, and 75% more based on illegal age, sex or race discrimination, disguised as "culture fit"
Joseph Crouse: Marlin Brandys you're overqualified.
Marlin Brandys: Joseph Crouse, I wish I could believe that. For some types of positions in the teaching or instructing silo maybe, for entry level information security I do not believe so.
Dave Howe: Marlin Brandys - it's difficult to tell. I have seen "entry level" roles demand a CISSP and CEH.
Gregory Wilson: 300+ applications and 4 interviews... No job yet... Overqualified, not enough experience, ghosted.... REALITY — I'm over 60 and nobody will hire me... All the BS aside, there are lots of people ready to work... Pay them what they're worth!
Dave Howe: I think there is a bigger picture. Welfare shouldn't be so generous as to encourage people to stay on it, but equally, it shouldn't be so stingy as to cause people to struggle to stay afloat (meet rent, put food on the table, however basic, keep the power on) — there is need for balance. Equally though, an entry -evel role where a worker is willing to put in a nominal 40 hours at a routine, boring but not dangerous or unpleasant job should pay sufficient after expenses so as to be able to afford some luxuries above and beyond what welfare provides — if you are no better off, then that job is underpriced and needs either automation to improve output so as to make paying more a better proposition, or automating entirely and the job eliminated. If the job is dangerous, distasteful or involves unsociable hours, then that should be reflected in the pay, above and beyond what a "basic" job should provide. The answer should never be "we need to cut welfare so that they will take my crappy, low paid job out of desperation, because adding automation means upfront costs and I don't want to pay any more"
You can join in on that LinkedIn conversation here:
This Forbes article offers some interesting perspectives on how both employers and employees can succeed in the coming post-COVID cybersecurity world, while offering a new model for our future workforce:
“Cybersecurity is a striking example of where the supply-demand gap for personnel is particularly volatile, with companies routinely lacking both the technology and available human capital needed to integrate relevant, highly skilled workers at the same speed as their unprecedented digital transformation. When the COVID-19 pandemic forcibly distributed security teams, organizations were given a new perspective as to how remote teams can de-risk innovation. Now, many are moving to industrialize the 'new normal' of cybersecurity with greater efficiencies across their internal programs and the software development life cycle by seamlessly integrating expert security talent on-demand.”
While this coming boom may not be good news for state and local governments who struggle to compete with the private sector for the most talented tech and cyber staff, there are new options opening up for public-sector employees as well.
This research finds that many retirees want to come back and work 10 to 20 hours a week, especially if they can work remotely.
Many groups are training workers for the post-pandemic job market.
I also have spoken with CISOs and other technology leaders in both the public and private sectors who are much more open to hiring out-of-state workers, even though they would never have allowed that before the pandemic.
And finally, what about those who can’t find work, despite the supposed “boom times” that are coming? Last year, I wrote this blog describing why some skilled cyber pros are still not getting jobs. Here are just a handful of the reasons I listed there:
People are living or looking in the wrong places. They want a local job and do not want to move. (Note: More remote hiring is happening now with COVID-19, but it is still unclear if many of these jobs will go “back to the office” after the pandemic. This leads to hesitancy in taking a job in another part of the country.)
Insistence on remote work. While this is easier during the pandemic, some people want 100 percent remote without travel, which can limit options. Also, some hiring managers are not clear if remote jobs will last after the pandemic restrictions are lifted, so they want to hire locally.
Company discrimination due to older worker applicants. Yes, I agree with my colleagues that this is alive and well in 2020. Other forms of discrimination exist as well, such as race and gender.
Lack of professional networking — especially true during COVID-19. They don’t have personal connections and have a hard time meeting the right people who are hiring or can help them find the right job.
Attitude, character, work ethic, humility, etc. I have written several blogs just on this topic, but some people never get the job because they come across in interviews as entitled or too angry or having a bad attitude. They scare off hiring managers. For more on this topic, see “7 reasons security pros fail (and what to do about it)” and “Problem #3 for Security Professionals: Not Enough Humble Pie” and “Problem 5: Are You An Insider Threat?”
Putting this all together, I love my brother Steve’s perspective on individual career opportunities and selling your ideas (and yourself) to those both inside and outside your organization: “It’s all about the right product at the right place at the right time at the right price — with the right person delivering the message to the right decision-maker.”
During a recent vacation to northern Arizona, I found myself working in a coffee shop surrounded by several men and women that were supporting global companies with technology projects. Conversations were all over the map regarding application enhancements and complex deliverables for some industry-leading names.
I was frankly a bit shocked that all of this work was being run out of a coffee shop — with a few video conference calls to people’s homes. The “new normal” of global workforces became more of a reality to me, and I see this trend accelerating even after the pandemic.
Article Orginal Source:
Article | November 25, 2020
On their road to recovery from the pandemic, businesses face unique dilemmas. This includes substantial and entirely necessary investments in digital transformation, however tight budgets are making such endeavors difficult if not impossible. Businesses continue to struggle with pivots like adopting new digital platforms, shifting their corporate model to resolve supply chain disruption and enabling a remote workforce.
The inability for businesses to quickly adopt technologies that support digital transformation processes, including identity-based segmentation, virtual desktop interfaces and full-stack cloud, is hindering their ability to adequately address new threats and even to test new security systems and protocols.
“Now more than ever, it’s imperative to remediate risk exposure and vulnerabilities within an organization’s existing systems—optimally from the get-go,” urges cybersecurity expert Nishant Srivastava, Cyber Security Architect and field expert at Cognizant—an IT Solutions and Services firm for which he's focused on designing and implementing Identity and Access Management (IAM) solutions. “Biggest threats should get highest priority, of course, but the magnitude or even likelihood of a threat should not be the sole consideration. Organizations should also look at other forms of value that new technologies can bring.”
Below Srivastava, a senior-level IAM, governance and cyber risk authority, offers key digital security vulnerabilities businesses need to be mindful of given increased digital dependency amid the pandemic. Heed these best practices to help keep your company—and customers—uncompromised.
Consumer-Facing App Gaps
For consumer-facing web applications, some of the biggest security threats include path traversal, cross-site scripting (XSS), SQL injections and remote command execution. Of course, protecting customer data is an utmost security concern and breaches abound. One of the biggest challenges to address these kind of issues lies with lacking human resources. There is a lack of aptly trained and skilled security staff in even the most sophisticated of regions, which is cultivating a gap in cybersecurity skills across the globe. It goes without saying that employee training and investing in highly-qualified staff are among the best ways to establish, maintain and uphold security levels of consumer facing apps. Rifts, however small, can induce excessive damage and losses.
Online delivery businesses that are aware of security risks would be wise to introduce more secure logins, automatic logouts and random shopper ID verification and are preventing shoppers from swapping devices when ordering. Such measures will help thwart breaches that expose of customer names, credit card information, passwords, email addresses and other personal and sensitive information.
Companies selling goods or services online also should not launch without a secure socket layer (SSL) connection. It will encrypt all data transfer between the company’s back end server and the user's browser. This way, a hacker won’t be able to steal and decode data even if he or she manages to intercept web traffic.
Another useful strategy is to enforce password limitations. Passwords should be as complicated as possible with a combination of symbols, numbers and letters. Investing in a tokenization system is worthwhile because any hacker who accesses the back end system can read and steal sensitive information, which is held in the database as plain text. Some payment providers tokenize cardholder information, which means a token replaces the raw data so the database then holds a token rather than the real data. If someone steals it, they can’t do anything with it because it’s just a token.
Ransomware threats are escalating, which is why those doing business digitally should enforce a multi-layer security strategy that incorporates data loss prevention software, file encryption, personal firewall and anti-malware. This will protect both a company’s infrastructure and its endpoint.
Data backups are key because there’s still a mild chance of a breach even with all of the aforementioned security solutions in place. The easiest and most effective way to minimize cyberattack damage is to copy files to a separate device. This very reliable form of backup makes it possible for people to recommence work as usual with little to no downtime, and all their computer files intact, should an attack occur.
Gmail blocks over 100 million COVID-related phishing emails every day, but more than 240 million are sent. That means less than half sent via Gmail alone are blocked. Experts cite imposing limits on remote desktop protocol (RDP) access, multifactor authentication for VPN access, in-depth remote network connection analysis and IP address whitelisting as some of the best strategies to maintain security. In addition, businesses should secure externally facing apps like supplier portals that use risk-based and multifactor authentication—particularly for apps that would let a cybercriminal divert payments or alter user bank account details.
The shift to remote work after the pandemic hit has given cybercriminals more and more opportunities, directing their focus on the tools people use for work. It’s important that people recognize their vulnerabilities, particularly while they work from home. Among these are hacked videoconference passwords and unprotected videoconference links, which criminals can use to access an organization’s network without authorization. Many people who work from home do not use secured networks, unknowingly and unintentionally. Many are just not aware of the risks.
To avoid online teleconference security issues, meetings should always be encrypted. This means a message can only be read by the recipient intended and that the host must be present before the meeting begins. There should also be waiting rooms for participants. Screen share watermarks, locking a meeting, and use of audio signatures are additional recommendations.
When asked what his best advice would be to tweak security for a workforce that’s predominately working remotely, Nishant says that companies should start by analyzing the basics (like those specified above) against the backdrop of a wide range of ever-escalating and evolving threats. “Employees should use dual-factor authentication and make sure apps, mobile phones and laptops are updated and that available patches and updates are always installed,” he says. “They should certainly be wary of all information requests and verify the source. These even include unexpected calls or emails seemingly from colleagues.”
Srivastava also pointed out that insiders at the CIO Symposium in July 2020 agreed that the pandemic packed years of digital transformation into just a few weeks. The use of third parties emerged as a major security concern to take into account. For instance, some employees abroad were unable to move their computers to their homes, so employers rushed to supply them with new equipment. In the process, some of it was not set up correctly thus compromising security. Companies should have done more to determine out whether individuals were using technology properly, such as if employees were sharing work devices or using their own personal equipment.
On the plus side, the shift toward working from home sped up multi-factor authentication adoption. This is a great opportunity that today’s digitally-driven businesses should take advantage of.
In short, Srivastava advocates taking a zero-trust approach. “It might sound harsh, but this is the idea that you can’t trust devices, people and apps by default,” he says. “Everything needs to be authorized and authenticated. Users should always verify and never trust, and businesses should act as if there has already been a breach and work to shore up weak links in the security chain. Finally, businesses should give access to information and data to as few people as possible—and wholly ensure those who do have access are appropriately trained to recognize when a red flag presents.
By employing all or even some of the advice above, businesses can continue to thrive as the digital transformation age unfolds—and do so more confidently and contently all around.
Article | March 11, 2020
With the spread of the novel coronavirus (COVID-19), many organizations are requiring or permitting employees to work remotely. This post is intended to remind employers and employees that in the haste to implement widespread work-from-home strategies, data security concerns cannot be forgotten.Employers and employees alike should remain vigilant of increased cybersecurity threats, some of which specifically target remote access strategies. Unfortunately, as noted in a prior blog post, cybercriminals will not be curtailing their efforts to access valuable data during the outbreak, and in fact, will likely take advantage of some of the confusion and communication issues that might arise under the circumstances to perpetrate their schemes. Employees working from home may be accessing or transmitting company trade secrets as well as personal information of individuals. Inappropriate exposure of either type of data can lead to significant adverse consequences for a company.
Article | August 30, 2021
Global leaders want to carve out specific areas of critical infrastructure to be protected under international agreements from cyber-attacks. But where does that leave others?
There are ‘four or five steps you could take that could significantly mitigate this risk,’ Falk said. These are patching, multifactor authentication and all the stuff in the Australian Signals Directorate's Essential Eight baseline mitigation strategies. …”
Back in April of this year, a BBC News headline read, "The ransomware surge ruining lives."
And that was before the cyber-attacks on critical infrastructure sectors like Colonial Pipeline, meat-processing giant JBS, the Irish Health Service and so many others.
And when President Biden met with Russian President Putin last month in Geneva, he declared that certain critical infrastructure should be “off-limits” to cyber-attacks.
“We agreed to task experts in both our countries to work on specific understandings about what is off-limits,” Biden said. “We’ll find out whether we have a cybersecurity arrangement that begins to bring some order.”
As an initial positive step forward, this cyber defense policy makes sense. In fact, most global experts applaud these moves and efforts to better protect and clarify international crimes in cyberspace.
Previous administrations going back to George W. Bush have taken aggressive steps to ensure critical infrastructure is protected in the U.S. and around the world through actions involving people, process and technology, both offline and online. The 16 critical infrastructure sectors identified by DHS/CISA can be found here.
Still, many questions remain regarding this new policy: Will all global governments actually agree on the wording? More importantly, even if they do agree, how will the agreements be enforced? Also, what happens if some countries continue to allow criminals to attack these critical infrastructure sectors from their soil?
And my main question goes further: Even if all of these agreements and actions are 100 percent agreed upon and enforced, which most people don’t believe will happen, does this imply that every organization not covered under these 16 critical infrastructure sectors can be openly attacked without a response? Is this giving into cyber criminals for everyone else?
For example, would K-12 schools or small businesses be “fair game” and not off limits? Could this actually increase attacks for any organization not considered on the CISA list?
No doubt, some will say that schools are a part of government, and yet there are private schools. In addition, if we do cover all others somehow, perhaps as a supplier of these 16 sectors, doesn’t that make the “off-limits” list essentially meaningless?
Essentially, where is the line? Who is included, and what happens when some nation or criminal group crosses the line?
These questions became more than an intellectual thought exercise recently when the Kaseya ransomware attack impacted more than 1,500 businesses, without, in their words, impacting critical infrastructure.
CBS News reports, “Still, Kaseya says the cyber-attack it experienced over the July 4th weekend was never a threat and had no impact on critical infrastructure. The Russian-linked gang behind the ransomware had demanded $70 million to end the attack, but CNBC reported that the hackers reduced their demands to $50 million in private conversations.
"The Miami-based company said Tuesday that it was alerted on July 2 to a potential attack by internal and external sources. It immediately shut down access to the software in question. The incident impacted about 50 Kaseya customers.”
OTHER RECENT RANSOMWARE NEWS
Meanwhile, in a bit of a surprise, ransomware group REvil disappeared from the Internet this past week, when its website became inaccessible.
As Engadget reported, “According to CNBC, Reuters and The Washington Post, the websites operated by the group REvil went down in the early hours of Tuesday. Dmitri Alperovitch, former chief technology officer of the cyber firm CrowdStrike, told The Post that the group's blog in the dark web is still reachable. However, its critical sites victims use to negotiate with the group and to receive decryption tools if they pay up are no longer available. Visitors to those websites now see a message that says ‘A server with the specified host name could not be found.’"
CNBC reported: “There are 3 main possibilities for the criminal gang’s disappearance — each of which carries good and bad news for U.S. efforts to combat the ransomware scourge emanating from Russia.
The Kremlin bent under U.S. pressure and forced REvil to close up shop.
U.S. officials tired of waiting for Kremlin cooperation and launched a cyber operation that took REvil offline.
REvil’s operators were feeling the heat and decided to lay low for a while.
"This situation may send a message to some of the players that they need to find a less-aggressive business model, which could mean avoiding critical infrastructure, or it could mean avoiding U.S. targets.”
Also, the Biden administration announced several other measures to combat ransomware: “The Biden administration will offer rewards up to $10 million for information leading to the identification of foreign state-sanctioned malicious cyber activity against critical U.S. infrastructure — including ransomware attacks — and the White House has launched a task force to coordinate efforts to stem the ransomware scourge.
"It is also launching the website stopransomware.gov to offer the public resources for countering the threat and building more resilience into networks, a senior administration official told reporters.”
And yet, many experts are still predicting that ransomware will continue to grow in the near future. For example, TechHQ wrote that “identifying the culprits often isn't as big an obstacle as apprehending them.”
To show recent growth of ransomware attacks, Fox Business offered details on a Check Point report this past week that “ransomware attacks surge, growing 93 percent each week.”
Also: “'The ransomware business is booming. We’re seeing global surges in ransomware across every major geography, especially in the last two months,' said Lotem Finkelstein, head of threat intelligence at Check Point Software. 'We believe the trend is driven by scores of new entrants into the ransomware business.'"
For more background on this hot topic, a few weeks back I appeared on MiTech News to discuss the ransomware crisis.
I’d like to close with this article which offers a slightly different perspective on ransomware from ZDNet Australia:
“The threat of ransomware dominates the cyber news right now, and rightly so. But this week Rachael Falk, chief executive officer of Australia's Cyber Security Cooperative Research Centre, made a very good point.
Ransomware is ‘Totally foreseeable and preventable because it's a known problem," Falk told a panel discussion at the Australian Strategy Policy Institute (ASPI) on Tuesday.
‘"It's known that ransomware is out there. And it's known that, invariably, the cyber criminals get into organisations through stealing credentials that they get on the dark web [or a user] clicking on a link and a vulnerability," she said.
‘We're not talking about some sort of nation-state really funky sort of zero day that's happening. This is going on the world over, so it's entirely foreseeable.’"
Article Orginal Source: