
Archive for October 2015

Cyber-Career Gender Gap Widens Significantly

The gap between US young men and women who would consider a career devoted to Internet security is five times what it was a year ago, research has revealed.

The survey, from Raytheon and the National Cyber Security Alliance (NCSA), shows that globally, the disinterest of young adults in cybersecurity careers is epidemic—especially among women, casting doubt on whether the future will see enough qualified professionals working to keep the Internet safe.

The annual study, Securing Our Future: Closing the Cyber Talent Gap, indicated that the widening gender gap among young adults oriented towards cybersecurity may signal that young women are being shut out.

“There will be serious implications for the world’s security, safety and economic stability if we don’t figure out how to foster a cybersecurity workforce capable of protecting our information from increasingly harmful cyber threats,” said Jack Harrington, vice president of cybersecurity and special missions for Raytheon’s Intelligence, Information and Services business. “We have our work cut out for us to encourage young adults to pursue this profession and to address the widening gender gap—particularly here in the US.”

Despite growing curiosity about cyber-careers, many young adults indicate their education and networking opportunities are not keeping pace with their needs. For example, only 60% of survey respondents say a computer was introduced to their classrooms by age nine. Additionally, women appear to be disadvantaged when it comes to networking opportunities, as men were twice as likely as women to have spoken with a cybersecurity professional, according to the study.

“Not only are we missing [an] obvious opportunity to remediate a global shortfall of cybersecurity workers, but we’re also seeing the problem compounded by leaving women behind when it comes to cybersecurity education, programs and careers,” said Valecia Maclin, program director of cybersecurity and special missions at Raytheon. “It’s critical that public and private partnerships focus on encouraging young girls to foster an interest in science, technology, engineering and math, so that more women are prepared to enter this burgeoning field and help create a diverse, talented workforce.”

Globally, 47% of men say they are aware of the typical range of responsibilities and job tasks involved in the cyber-profession, compared to only 33% of women. And, 62% of men and 75% of women said no secondary or high-school computer classes offered the skills to help them pursue a career in cybersecurity. Also, about half (52%) of women, compared to 39% of young men, said they felt no cybersecurity programs or activities were available to them.

In the US, 67% of men and 77% of women said no high school or secondary school teacher, guidance or career counselor ever mentioned the idea of a cybersecurity career.

“There seems to be latent interest in cyber careers, as half of young adults say believing in the mission of their employer is important and 63% say making money is important,” said Michael Kaiser, executive director of the NCSA. “Cybersecurity jobs offer a clear path to both—we just need to do a better job of spreading the word.”

Source: Information Security Magazine

China Preparing to Unify Cyber Warfare Capabilities – Report

China’s leaders could be about to unify the nation’s cyber warfare capabilities under a single command structure, in a move which may stoke further tensions with the US, according to a new report.

Unnamed “people familiar with the matter” told Bloomberg that the plans will be discussed at the Communist Party Fifth Plenum gathering—an event this week where the next five-year economic plan will be thrashed out.

Centralizing cyber warfare capabilities under the Central Military Commission (CMC) would create clearer lines of communication and better organize the nation’s enormous but diffuse hacking apparatus.

At present this is spread out across various PLA units, as well as the Ministry of State Security and Ministry of Public Security, according to the report.

Reorganizing the state’s cyber capabilities would make sense, as it’s believed some state actors could currently be acting on their own accord or with minimal oversight from their superiors.

But in so doing it could also create waves in Washington, which is already suspicious of its rival superpower bolstering its hacking teams yet further.

Although the two nations shook hands on an agreement not to engage in economically motivated state-sponsored cyber espionage against one another, Chinese hackers have shown no signs of moderating their activity, according to one threat intelligence firm.

The agreement also didn’t cover cyber activity carried out for traditional intelligence gathering and national security/nation state purposes.

If true, the move fits with president Xi Jinping’s wider move to remold the People’s Liberation Army into a 21st century fighting force.

Xi, who chairs the CMC, last month announced a reduction of 300,000 troops. He is also on record as saying at a Politburo meeting last year that the military had to “change our fixed mindsets of mechanized warfare and establish the ideological concept of information warfare.”

An official Ministry of National Defense white paper from May argues that building improved cyber capabilities is a “critical security development domain.”

Some have argued, however, that a better organized Chinese cyber military could make it easier for the US to open lines of communication for the establishment of cyber rules of engagement.

Source: Information Security Magazine

#TalkTalk: 'Customer Bank Accounts are Safe'

TalkTalk CEO Dido Harding has gone on a media offensive over the weekend, allaying fears that hackers could drain customers’ bank accounts with the details they stole and claiming the firm’s cybersecurity is better than many of its competitors.

The chief executive of the UK ISP criticized media “scaremongering” following the major data breach last week.

“We are really frustrated with the number of sensationalist claims that are being made, not just about TalkTalk as a company but more importantly about customers losing millions and millions of pounds,” she told The Guardian.

“I think it’s actually very irresponsible because it’s whipping up fear about the digital world. Goodness knows I’ve been one of its biggest fans … and it’s not right that having lost your bank account number and sort code that people can take money from your bank account—they can’t.”

The true scale of the breach is still not yet known, although TalkTalk has now said it believes the number of customers affected is “materially lower” than at first feared.

She also argued that the firm’s security had “improved dramatically” over the past year, since serious failings were pointed out by researcher Paul Moore.

“On that specific vulnerability, it’s much better than it was, and we are head and shoulders better than some of our competitors and some of the media bodies that were throwing those particular stones,” said Harding.

TalkTalk has apparently called in BAE Systems to help with its investigation into the incident. The Metropolitan Police and National Crime Agency (NCA) are also conducting their own investigation, although no arrests have been made so far.

The ISP’s website is back up and running after being targeted in a denial of service attack apparently used by the hackers as a smokescreen while they attempted to compromise customers’ financial data.

An update posted on Saturday claimed that no account passwords had been accessed by the attackers.

However, it advised customers to change their passwords as a precaution, to stay vigilant and report anything suspicious.

A free year’s worth of credit monitoring from Noddle is also being offered by the ISP.

Source: Information Security Magazine

Essex Police Left Red-faced After Twitter Account ‘Hacked’

A police force in England was left red-faced on Friday after its Twitter account was hacked and used to post misleading cybersecurity advice.

Essex police has since removed the offending tweet, which claimed: “if you shop & bank online—make sure the site’s URL has ‘http://’ to protect your data.”

HTTP is an unencrypted protocol, so looking for “http://” will certainly not make online shopping or banking more secure.

As security blogger Graham Cluley wrote in a post on the incident, HTTPS is the more secure of the two, although even that is not a foolproof way to avoid scams.

“What you actually want to look for is HTTPS, which encrypts communications between your web browser and the website you’re trying to access. Hopefully you have noticed the little green padlock in your URL bar when you access sites that need to secure your information, such as your online bank or webmail accounts,” he explained.

“But there’s still nothing to stop bad guys from creating websites that use HTTPS—so don’t be fooled into believing that it is *proof* that a site is safe to log into.”
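As an added illustration of the two points above (this is example code written for this page, not part of the article or of Cluley's post), the classifier below looks for the https: scheme and then checks the parsed hostname against an expected list, since a valid padlock on an attacker's own domain proves nothing about who is behind the site; TRUSTED_HOSTS and the sample links are constructed placeholders, not real domains.

```javascript
// Added example, not from the article or from Graham Cluley: a link classifier
// that applies the advice above (look for HTTPS, not HTTP) together with the
// caveat (HTTPS alone is not proof that the site is legitimate).
// TRUSTED_HOSTS is a constructed placeholder list; a real deployment would use
// the bank's or webmail provider's actual hostnames.
const TRUSTED_HOSTS = ["bank.example", "www.bank.example"];

// Classify one link. Returns an object rather than printing so the result
// can be checked programmatically.
//   verdict "plaintext"                    -> the bogus tweet's advice: no encryption at all
//   verdict "encrypted-but-untrusted-host" -> Cluley's caveat: padlock present, wrong site
//   verdict "ok"                           -> HTTPS to a host we actually expect
//   verdict "unparseable"                  -> not a URL at all
function assessLink(rawUrl, trustedHosts = TRUSTED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG URL parser, built into browsers and Node
  } catch (err) {
    return { scheme: null, hostname: null, encrypted: false, trusted: false, verdict: "unparseable" };
  }

  // Only the scheme tells us whether the browser will encrypt the connection.
  const encrypted = url.protocol === "https:";

  // Compare the parsed hostname, never the raw string: the parser already
  // discards userinfo ("https://www.bank.example@evil.example" -> evil.example),
  // separates the port, and lowercases the host, so the usual visual tricks collapse.
  const hostname = url.hostname.replace(/\.$/, ""); // strip a trailing dot
  const trusted = trustedHosts.some((h) => h.toLowerCase() === hostname);

  let verdict;
  if (!encrypted) {
    verdict = "plaintext";
  } else if (trusted) {
    verdict = "ok";
  } else {
    verdict = "encrypted-but-untrusted-host";
  }
  return { scheme: url.protocol, hostname, encrypted, trusted, verdict };
}

// Walk a batch of links and group them by verdict, so a defender can see at a
// glance which ones the "look for HTTPS" rule alone would have waved through.
function triage(links, trustedHosts = TRUSTED_HOSTS) {
  const buckets = {};
  for (const link of links) {
    const { verdict } = assessLink(link, trustedHosts);
    if (!buckets[verdict]) buckets[verdict] = [];
    buckets[verdict].push(link);
  }
  return buckets;
}

// Constructed samples (none of these are real sites).
const SAMPLE_LINKS = [
  "http://www.bank.example/login",                // what the bogus tweet endorsed
  "https://www.bank.example/login",               // genuine
  "https://www.bank.example.evil.example/login",  // lookalike suffix, valid padlock
  "https://www.bank.example@evil.example/login",  // userinfo trick, valid padlock
  "https://WWW.BANK.EXAMPLE:443/",                // case and port differences are harmless
  "not a url",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(triage(SAMPLE_LINKS));
}
```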

To make matters worse for the police force, the link posted alongside this bogus security message is said to have taken users to a site hosting an “offensive” picture.

In any case, the police force soon removed the offending tweet and implied that its account had been cracked or hacked by a malicious outsider.

It tweeted the following message:

“We apologise for previous tweet re #CyberAware; it was malicious & has been deleted – please do not click on the link that was in the tweet.”

Cluley argued that organizations of all sizes need to take the security of their social media accounts more seriously.

“Maybe they would be wise to enable Twitter’s two-factor authentication (known as Login Verification) to protect their account as well,” he added.

The past few days have shown that law enforcers are becoming a popular target for cyber mischief makers.

Last week, Lancashire Constabulary was forced to issue a warning to internet users after reports emerged of a spam phishing email purporting to come from the force.

Source: Information Security Magazine

Enterprise Application Access Controls Sorely Lacking

Despite widespread and highly publicized security breaches, most companies still fail to require necessary security controls for accessing enterprise applications, including those applications behind the corporate firewall.

According to the Enterprise Application Security Market Research Report from King Research, survey respondents ranked a number of solutions as “highly useful,” including those that: enforce multifactor authentication (MFA) across all users at all times; hide app servers from all devices and unauthenticated users; ensure end-to-end encryption and integrity; and give complete control of who can connect to what, independent of app location, device type and user affiliation.

The highest-ranked solution is of course one that does all of the above, according to respondents.

Even so, those surveyed said that 60% of their organizations do not require MFA for non-employees to access enterprise applications. In addition, while 57% of respondents’ organizations allow bring-your-own-device (BYOD) for access to enterprise applications, 42% do not require non-employees to adhere to the corporate BYOD policies.

“This survey is unique in gathering information around enterprise application access, stringent controls, and the usefulness of solutions InfoSec professionals believe would best protect their organizations from becoming tomorrow’s headline,” said Ross King, principal analyst of King Research. “For example, we found that more than half of respondents (57%) said they have long-term contractors who need access to company information, and these contractors may or may not reside on-premise. But when asked which authentication type is typically used when providing non-employees access to enterprise applications, nearly half (42%) responded that simple passwords are used.”

The survey also found that 63% of respondents said that 10% or more of their enterprise applications are behind the corporate firewall and are accessed by non-employees. Top security concerns, on a scale of 1 to 10, are server vulnerabilities (7.6), phishing (7.3), server misconfigurations (7.3) and denial of service attacks (6.9).

When asked to score criteria importance for selecting enterprise security products and services on a scale of 1 to 10, respondents scored “compliance” the highest, with a score of nearly 7.6. The second most important criterion was “security advantage by using superior technology,” with a score of 7.5.

“Executed properly, multifactor authentication is very secure,” said Anna Luo, senior director of marketing at Vidder, which sponsored the survey. “But highly stringent controls have proven to be too complex for users to adopt. This complexity is likely the reason why so many organizations do not have the controls needed in place, and why the research findings reveal that characteristics of software defined perimeter are seen as ‘highly useful’ in these areas.”

Source: Information Security Magazine

SQL Injection Possible Vector for TalkTalk Breach

A few more details have emerged in the cyber-attack on one of the UK’s largest ISPs, TalkTalk.

TalkTalk, with around four million UK customers, now says that it was hit by a severe distributed denial-of-service (DDoS) attack that was a cover for a plot to access customer data, including profile information, credit-card details and passwords. The comms company has admitted that unauthorized access occurred, and that it has received a ransom demand.

A TalkTalk spokeswoman told media late Friday: "We can confirm we were contacted by someone claiming to be responsible and seeking payment."

The firm is under investigation by the Information Commissioner's Office over the breach, as this is the third time the company has suffered a data theft.

As for what happened, security researchers have started looking into it.

“I have reviewed some of the data around the attack and my guess would be that the attackers used an SQL injection for at least part of the attack,” said Amichai Shulman, co-founder and CTO of Imperva, via email. “My advice to customers would be to keep a close eye for fraudulent activity on bank accounts and be particularly vigilant of phishing attacks. The theme that keeps repeating itself is that every time such a breach occurs, media outlets focus heavily on the stolen credit-card numbers; however, in practice, for the average person the theft of personal data is much more critical.”

Stolen financial information, such as credit-card or account details, has a limited lifespan: it is useful only until the victim changes the account details. But the personal information that can be obtained by accessing someone’s account profile has a much broader use and can be used to commit a much wider range of fraud and identity theft.

“The value of this personal data to the cybercriminal has a much greater value; for example, where the selling price for a single stolen credit card is around $1, if that card information is sold with a full identity profile that can dramatically increase up to $500,” explained Andy Heather, vice president, HP Data Security. “If the cyber-criminals know where the real value is then surely we should all expect responsible organizations to pay appropriate attention to keeping our personal information safe.”

Tim Erlin, director of IT security and risk strategy at Tripwire, noted that this is why encrypting personal information, both at rest and in transit, needs to be a clear requirement.

“Even encryption isn’t a perfect solution to data theft,” he told Infosecurity. “The sensitive data we need to protect also needs to be used by various business systems. If those systems are compromised, the data can still be accessed by attackers. Companies need to secure the configurations of their systems as well as encrypt the data they use.”

This is the third time in 12 months that a data breach has affected TalkTalk customers, and the third time in 2015 that the TalkTalk site has been targeted. Customers were warned in March 2015 about scam mail messages after account names and numbers had been accessed, and in August 2015 TalkTalk’s mobile sales site, along with those of other UK firms, was the focus of an attack on one of its providers.

“The news that TalkTalk customers have once again been impacted by a data breach should be a wakeup call for all companies serving consumers and storing their personal data,” said Richard Parris, CEO at Intercede, in an emailed comment.

He added, “It really is time that these major businesses gave the issue the attention it deserves—they need to stop relying on simple password-based authentication and to start applying enterprise grade solutions. Protecting customers’ private data should be a top priority for any organization. Failure to demonstrate that adequate safeguards are in place will inevitably result in customers, and revenues, disappearing.”

Source: Information Security Magazine

Brits Take on Europe’s Best in EU-wide Cyber Security Challenge

Ten of the UK’s top coders are currently competing in Switzerland to win the first ever European Cyber Security Challenge.

Like its national counterpart, the competition features a series of demanding tests in disciplines such as cryptography, network analysis and digital forensics.

It was created in response to the success of national competitions across the region, notably the UK, which kicked off the craze six years ago with the very first Challenge.

They allow individuals to hone and demonstrate their skills and can be a valuable source of talent recruitment for organizations.

The UK team—split into juniors (15-20) and seniors (20-30)—is competing against teams from Germany, Spain, Romania, Austria and Switzerland.

“Our team is made up of individuals with very different backgrounds, skills and knowledge. This just goes to show that anyone, anywhere could become an expert in cybersecurity, they just need an inquiring mind and the passion to succeed,” said Stephanie Daman, CEO of Cyber Security Challenge UK.

“The skills these young people possess are quite phenomenal and we’re excited about showing the rest of Europe just how good the UK’s cybersecurity talent is.”

In related news, some of the UK’s biggest security organizations including the NCA, BT, GCHQ and Qinetiq have announced their collaboration to design and run a sophisticated cyber attack simulation as part of this year’s Cyber Security Challenge UK’s 2015 Masterclasses.

The simulated cyber attack—which will be staged on 19 and 20 November—will run in real time and require the 42 participants to battle fictitious threat group Black Oleander, suspected of funding terrorist groups.

The two day Masterclass final will assess participants as teams and individually on technical, interpersonal and decision making skills.

Candidates can still qualify for the Masterclass competition by registering with the Challenge and playing one or more of the upcoming virtual qualifying competitions on the new on-demand platform Cyphinx by 23 October.

Source: Information Security Magazine

Tech Giants Oppose US Threat Intel Sharing Bill

Apple and Dropbox have joined a long list of big name tech companies opposed to a new cyber security information sharing bill passing through Congress.

The Senate is expected to vote on the Cybersecurity Information Sharing Act (CISA) in just days.

It would give private companies legal cover if they wanted to send threat information on their customers to the Department of Homeland Security, which would be required to share that with other relevant government agencies.

Supporters say the threat sharing would be completely voluntary and that sensitive information would in most cases be anonymized.

However, persistent privacy concerns seem to be the main reason why so many tech companies have come out against it.

"The trust of our customers means everything to us and we don't believe security should come at the expense of their privacy," Apple said in a statement sent to the Washington Post.

Dropbox expressed similar sentiments, arguing that while it’s important to share information between private and public sectors, “that type of collaboration should not come at the expense of users’ privacy."

The two join a list of big names including Google, Facebook, Amazon and Microsoft in opposition to CISA.

They sent an open letter via industry body the Computer and Communications Industry Association raising the same privacy concerns.

"In addition, the bill authorizes entities to employ network defense measures that might cause collateral harm to the systems of innocent third parties," it added.

Although the president is for the bill as it stands, the Department of Homeland Security is surprisingly not.

It argued back in July that the proposed law “could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers.”

CISA is a slightly tweaked version of the much-hated CISPA which was ultimately kicked into the political long grass in 2013.

Source: Information Security Magazine

Industry and Police Must Improve Cybercrime Response – Report

Industry body techUK has called on businesses and law enforcers to team up in order to raise standards of cybercrime reporting and response.

The self-styled “voice of the technology industry” submitted Freedom of Information requests to all 43 police forces in England and Wales and interviewed senior police stakeholders in order to produce its recommendations.

The Partners Against Crime report reveals that, tellingly, half of those forces contacted couldn’t even supply accurate figures without manually analyzing every crime in their recording systems.

It paints a picture of law enforcement literally swamped with cybercrime.

Warwickshire police had to deal with over 2,000 online fraud reports between January 2013 and March 2014, while West Mercia police had to manage over 3,400. In Avon and Somerset, 2,345 cybercrime incidents were recorded in 2014. 

TechUK has called for a new approach to improve the recording and reporting of cybercrime and the ability of police to respond.

This includes the creation of a “new lexicon” to standardize and streamline the reporting of accurate information.

Also vital is to ramp up the pressure on businesses so they feel obliged to report incidents—an area where the development of reporting apps could help.

And preventative measures like Cyber Essentials accreditation should be encouraged, the report argues.

The law enforcement response to cybercrime varies greatly from region to region, so closer co-operation is needed with the cybersecurity industry to improve standards across the board, techUK said.

This could be achieved by establishing a Managed Service Provider (MSP) model where police contract cybersecurity skills as needed. The College of Policing could be given a greater role to accredit private cybercrime training providers to ensure there are standards for national courses, the report claims.

TechUK also called for the creation of sector-specific police/industry working groups to share threat information in real time.

And it recognizes that more funds need to be ploughed into cybercrime policing.

But this is going to be difficult given the current government austerity push, which some believe will lead to the loss of over 20,000 jobs nationwide.

Nevertheless, techUK’s associate director for defense and security, James Murphy, remained upbeat.

“With further cuts expected as part of the spending review, it’s more important than ever that skills, tools and expertise are shared across forces to ensure that the police can better tackle the growing threat of cybercrime, and victims get consistent treatment, no matter where they are in the UK,” he told Infosecurity.

“To make the scale of changes needed, government and industry need to work closely together to improve consistency of reporting, recording and resolution of cybercrime across the UK.”

Source: Information Security Magazine

IT Personnel Are the Riskiest Business Users

While 93% of office workers admit to insecure IT practices, we can’t blame ignorance: It turns out that tech-savvy users are actually the worst offenders.

According to Intermedia’s 2015 Insider Risk Report, which catalogued the online security habits of more than 2,000 employees in the US and UK, most office workers engage in some form of unsafe online habits that could jeopardize their employer or their customers. But, the very people who have the greatest access to company data and are tasked with keeping the company secure—IT personnel—are much more likely to engage in risky behaviors than the average employee.

“It’s nearly always that technical people are the worst offenders,” said Richard Walters, vice president of identity and access management at Intermedia. “They know how to get around various controls that an IT team will put in place. It’s sometimes done with the best intent, but nevertheless with a complete lack of consideration for the risk or security implications.”

A third (32%) of IT professionals have given out their login or password credentials to other employees (compared to 19% across all respondents), while 28% of IT pros said they accessed systems belonging to previous employers after they left the job (compared to only 13% among all respondents).

“I’m particularly worried about ex-employee access,” said Felix Yanko, president of ServNet, in the report. “What kind of access do employees walk away with when they leave? If they go to a competitor, what kind of damage can they do? People usually delete stuff when they leave, which is bad enough—but it’s really bad when they can come back a few months later and wreak havoc. Especially if it’s IT people with that access. That bothers me the most.”

Worse, almost a third (31%) of IT pros said they would take data from their company if it would positively benefit them—nearly three times the rate of general business professionals.

These kinds of practices create risks that include lost data, regulatory compliance failures, data breaches, e-discovery complications, ex-employee access, and even out-and-out sabotage by a disgruntled current or former employee.

Intermedia’s report also includes data about security habits across age group, company size and job tenure. It turns out that Millennials are most likely to breach the personal and professional computing divide. Common activities include installing apps without company approval, saving company files to personal cloud storage, or engaging in other risky shadow IT practices.

By employment duration, long-term employees (7+ years) tend to introduce greater overall security risks.

“Security policies are most effective when employees don’t even have to think about them,” said Jonathan Levine, CTO at Intermedia. “That’s why it’s so important to provide tools that make it easier to follow the rules, like single sign-on portals or enterprise-class file sharing. The simpler it is for employees to be productive using company sanctioned tools, the more likely you are to deter the kinds of practices that put the company at risk.”

Source: Information Security Magazine