Source: ComputerWorld by Ira Winkler
Interesting article up for a read at ComputerWorld, which, all in all, is a good thing. The article discusses “The myth of the cybersecurity skills shortage.” Winkler calls out companies that claim there is a cybersecurity skills shortage, which I don’t necessarily believe there is.
From the article at ComputerWorld:
The approach that seems to prevail these days — seeking a new hire who already has the right skills and experience or hiring them away from another organization — just doesn’t work. But it is why so many people believe there is a shortage of security professionals.
Mr. Winkler hit the nail on the head with this statement. I have a significant amount of security experience: I’ve worked for the government, large companies, medium companies, and small companies. I will generally do reasonably well at any interview question posed to me. The problem I’m seeing is that there are companies out there that have beaten it into the heads of their employees that they are looking for someone who is an absolute master of skillset X, and disregard everything else. I, like many other security practitioners, have my weaknesses; if I am slightly weaker in skillset X, then I am immediately assumed not to be a good fit for the job.
The way I like to pursue jobs is that I aim for something I want to do, with a company I wouldn’t mind doing it for. Whether I have 100% strength in skillset X, or whether I’m slightly weaker at X but extremely strong at skillsets Y and Z, I will still apply. But a decent amount of the time I’ll get shot down, due to the assumption that because my skillset at X isn’t the greatest, I’ll never be able to catch up. This is where the fallacy in the argument lies. Company X needs to look at candidate skills and base their decision on the ability of the candidate to learn skillset X (if skillset X is truly the reason for hiring). So again, there are areas where I’m slightly weaker, such as DLP. That doesn’t mean I don’t know what DLP is or how it functions, but I’ve never sat in front of a host that does DLP and used it on a day-to-day basis. Does that mean I’m not right for any position at your organization due to the fact that I’ve not been a DLP administrator?
Just something to think about. I always judge interview candidates not just on what they know, but on what I think they will learn, and how strong of learners they are.
UD expert predicts bumpy year ahead for cybersecurity
They can’t hold a candle to modern-day hacktivists, who can steal from hundreds of thousands of people while sitting at home in their pajamas.
Pres. Barack Obama has warned that cyberattacks are among the most serious economic and national security challenges facing the nation. Cybersecurity is a top priority of the Senate Committee on Homeland Security and Governmental Affairs, previously chaired by Democratic Sen. Tom Carper of Delaware.
“Cybercrime is becoming everything in crime,” FBI Director James Comey said in a recent interview with CBS’ “60 Minutes.” Comey estimated national losses in the billions each year.
Last week, a hacker group believed to be associated with ISIS took control of the Twitter accounts and website services of the Albuquerque Journal newspaper in New Mexico and WBOC 16 TV station in Maryland. Calling itself “Cyber Caliphate,” the group posted several confidential documents, including driver’s licenses, corrections records and addresses.
The high-profile hack against Sony Pictures Entertainment in November resulted in massive dumps of employees’ personal information and the brief cancellation of the theatrical release of “The Interview.” The FBI has blamed the North Korean government for the data breach.
Many cyber attacks are related to vulnerabilities in three areas: “Computing and software, networked communications, such as the Internet and cell phones, and last, fooling humans into making mistakes,” according to Chase Cotton, director of the University of Delaware’s Center for Information and Communications Sciences.
Cotton, a professor of electrical and computer engineering, is one of several experts involved in a new cybersecurity initiative at UD, which seeks to train the next generation of specialists to meet a critical need. The U.S. faces a severe cyber workforce shortage, according to national statistics, with more than 30,000 jobs available and only 1,000 skilled specialists who can design secure computing systems and write secure code.
Last year, UD named Starnes Walker, a physicist and national cyber defense expert, to lead the regional initiative, funded by $3 million in state aid and a research grant from the National Science Foundation. UD is one of only nine universities involved in the first federally funded research and development center solely dedicated to enhancing cybersecurity and protecting national information systems.
The university itself fell victim to a cyberattack in 2013, when hackers stole the names, addresses and Social Security numbers of more than 72,000 current and past employees.
UD has since introduced five new cybersecurity courses for undergraduate and graduate students. Last fall, the university began offering a minor in Cybersecurity, and administrators are planning graduate degree and certificate programs in the near future.
The educational programs at UD are being developed in collaboration with other local universities and cybersecurity employers, along with the U.S. Army and Delaware National Guard.
Experts are increasingly concerned that sophisticated cyber attackers are focused on taking out critical infrastructure – like the systems controlling the pipelines of America’s energy sector – instead of consumer data breaches like the ones reported at Target, Staples and Home Depot.
Interviewed by e-mail Friday, Cotton discussed the cybersecurity landscape for 2015 and beyond.
Q: The extremist militant group ISIS has deftly handled social media in recruiting new members and spreading its message. Some experts have claimed that ISIS’ social media savvy doesn’t translate into a real cybersecurity threat. Do you believe that ISIS has the manpower/resources to launch a grand attack on U.S. infrastructure?
Currently no, and probably not alone, but possibly in collaboration with others now or in the future. The technology to make these types of attacks on major infrastructure exists today, though mainly in the hands of nation states. But the skills, much like physical weapons, are increasingly available to groups worldwide.
Q: Can we expect to see more frequent and more dramatic attacks?
Unfortunately yes. Most attacks that non-government organizations and individuals will see are primarily financially motivated. Exposure, unfortunately, is heightened by our increasing reliance on our wired electronic infrastructure.
As for governments, and similarly for critical public infrastructure (e.g., the electrical grid, transportation, manufacturing, etc.), attacks will also continue … We are in a race to stay ahead and protect these assets in both the public and private sectors …
For each [vulnerability], there is a method of attack.
A software application may have a flaw that allows an attacker to modify what the program does, or access data held on the computer where the application is running. This is an attack often used against Internet websites.
A large system, like a wireless network, may have a design weakness that allows an attacker to listen in on your communications. An attacker may be able to use a technically sophisticated attack to take advantage of these weaknesses and listen in on your calls or see your Internet activities.
Very motivated attackers will do detailed research using the Internet and social media and identify key individuals in an organization (e.g., computer administrators). They will then try to fool those individuals and try to infect their personal computers in order to get access to the business systems they manage. We call this “spear phishing.”
Q: What can the average citizen do to better protect himself/herself?
• Keep your computers, tablets, smartphones, operating systems and application software up to date. Also update home-networked devices like Wi-Fi access points, cloud drives, sound systems, security systems/cameras, etc., and always set up strong non-default passwords on these devices.
• Run an antivirus program on your computers.
• Don’t click on links from someone you don’t know. And use care about links even when sent from your friends. Make sure the underlying link (URL) is a real company or organization you recognize.
• Choose strong passwords (eight or more characters mixing upper and lower case letters, numbers, special characters). Or, better yet, use long pass-phrases (e.g., “my dog eats RED shoes on wednesdays!”). And don’t reuse passwords across different accounts.
• Use two-factor authentication [two separate forms of identification to verify identity] on critical accounts (banking, email, cloud storage).
• You and your family members should normally try to use non-administrator accounts on your computers for day-to-day activities. This will minimize damage and ease recovery when you eventually get infected with computer malware.
Q: Apart from getting off the Internet completely, can we ever truly be safe from such attacks?
Unfortunately, security will never be 100 percent, but we should eventually be able to get to where successful attacks are rare, like having the occasional fender bender.
Contact Margie Fishman at 302-324-2882 or firstname.lastname@example.org.