Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for October 2018

Skills in demand: Information Security Architects

An Overview of the Role of Information Security Architects

Information Security Architects are the backbone of the design and strategy for strong information security organizations. While they can be focused in specific areas like application security or infrastructure security within very large companies, they often oversee the overall security strategy and determine delivery and implementation of security solutions. This is not only a subject matter expert with strong knowledge of many facets of information security programs, it is also a highly visible role within leadership and will often report directly into the CISO or CIO.

What it takes

Security architects often rise out of hands on engineering positions which gives them in-depth knowledge of implementation and configuration of security tools and best practices. The ability to utilize hands-on technical knowledge and translate that information into long-term security strategy is critical, as is the ability to collaborate and communicate effectively with senior leadership.

Compensation

Base compensation can range from $120K to $175K, often with additional incentives. Independent contract rates can be higher.

– Domini Clark, principal, Blackmere Consulting; founder and director of strategy, InfoSecConnect.com.

This was originally published in the March 2016 Issue of SCMagazine

ReliaQuest Gifts $1m to Build Cyber Lab at USF

ReliaQuest Gifts $1m to Build Cyber Lab at USF

The University of South Florida (USF) has received a $1m gift to fund a cybersecurity lab at the USF Muma College of Business. With the goal of making Florida the “Cyber State,” ReliaQuest extended the gift to USF, payable over the course of five years.

The partnership is being touted as a first-of-its-kind initiative that will prepare students with the skills they need to pursue careers in cybersecurity. "Cybersecurity is one of the hottest job fields that exists today, with a huge demand for skilled professionals. Rather than see this as a challenge, we see it as an opportunity to find innovative solutions together with industry partners like ReliaQuest," said USF Muma College of Business dean Moez Limayem in a press release.

"Ultimately, it's our students who will benefit the most, gaining valuable skills and hands-on experiences that will help them land lucrative jobs after graduation and help build Florida's economy."

The ReliaQuest Cybersecurity Lab will provide hands-on, real-world training in a security operations center (SOC) environment. The gift highlights the company’s effort to address the workforce shortage looming over the cybersecurity industry.

The lab is an extension of ReliaQuest University, the internal training program that already exists at ReliaQuest. Partnering with USF will expand the reach of the training by offering a four-week immersive program in the fundamentals of cybersecurity. As part of the partnership, all students at USF, regardless of their majors, will have access to the Cyber Simulator, the component of ReliaQuest University where users receive the hands-on training with the latest security technologies.

"In the face of what the industry refers to as a talent shortage, we believe that cybersecurity is actually suffering from a skills shortage," said ReliaQuest CEO Brian Murphy. "There are plenty of people eager to enter the cybersecurity field, but they need the skills to perform effectively in those positions. To overcome this challenge, ReliaQuest has chosen to invest both our expertise and financial resources to help solve one of the biggest problems in the industry."

Source: Information Security Magazine

Apollo Faces Criticism for Breach of 200 Million Contacts

Apollo Faces Criticism for Breach of 200 Million Contacts

Sales engagement startup Apollo, whose database of 200 million contacts across 10 million companies was reportedly hacked, is facing criticism for failing to protect the data it collects. According to TechCrunch, Apollo said its contacts database was stolen in a data breach.

While the company’s website offers no information on the breach, Apollo does admit that despite any security practices, it cannot guarantee the protection of the data it collects. “We understand the importance of the security of the information we collect, but we cannot promise that our security measures will eliminate all security risks or avoid any security breaches.”

Infosecurity Magazine contacted Apollo for more details but has not received a response. Bjoern Zinssmeister of Templarbit reportedly gained access to an email sent to affected Apollo customers. The communication acknowledged that the majority of exposed information came from its publicly gathered prospect database. According to TechCrunch, in Apollo's mandatory customer communication email, CEO Tim Zheng wrote that no additional information is available at this time given that the investigation is still ongoing.

Yet content from the email has been made public, and critics say Apollo's security efforts were insufficient. “In an email to affected customers, Apollo said the data breach was discovered weeks after system upgrades in July,” said Zohar Alon, CEO, Dome9. “Apollo is not the first company to have a breach go unresolved for a long period of time, proving organizations do not emphasize security to a high-enough degree.”

Acknowledging that there are security risks that could result in a breach does not go far enough in protecting customer data for a company that boasts a database of 200 million contacts from 10 million companies. “If other organizations want to prevent breaches like the one experienced by Apollo, they must leverage advanced security capabilities built for the cloud,” said Jacob Serpa, product marketing manager, Bitglass.

“They should employ multifactor authentication to verify users' identities more accurately, as well as contextual access control that can flexibly extend data access based on a user's location, device type, and more.”

“The breach of Apollo’s enormous database of 200 million prospective customers and 10 million companies adds to a growing list of companies that compile large amounts of data yet fail to keep it safe,” said Ruchika Mishra, director of products and solutions, Balbix.

“When you are expected to keep prospect, customer, supply chain and other business-critical contact information safe, you must be proactive about your security efforts and try to detect and mitigate cyber risks in your network before they are exploited.”

Source: Information Security Magazine

Financial Sector Breaches Have Tripled Since 2016

Financial Sector Breaches Have Tripled Since 2016

US financial services firms suffered three-times more data breaches in the first six months of 2018 than during the same period in 2016, according to new data from Bitglass.

The security vendor aggregated data from the Identity Theft Resource Center (ITRC) and the Privacy Rights Clearinghouse (PRC) to gain insight for its Financial Breach Report 2018.

In total, there were 103 breaches recorded from January to August 2018, versus the 37 recorded over the same period in 2016. That’s understandable considering the wealth of lucrative sensitive information these companies typically store, including home addresses, bank statements and Social Security numbers.

Hacking and malware were responsible for the vast majority (74%), with 15% down to accidental disclosures, 9% the result of a physical breach and 3% the result of insider threats.

Bitglass also claimed that 44% of financial services organizations have malware in at least one of their cloud apps, with ransomware-as-a-service, modular banking trojans, cloud crypto-jacking attacks and more all posing a threat.

It noted that 93% of AV engines, along with Google Drive and Microsoft SharePoint, were unable to detect the zero-day ShurL0ckr ransomware that appeared earlier this year.

The top three breaches so far in 2018 accounted for more records than all of those in the vendor’s 2016 report: 64,512. These included an insider theft of 1.5 million customer details at SunTrust Bank.

The data broadly aligns with Verizon’s most recent Data Breach Investigations Report (DBIR), which revealed earlier this year that 92% of threat actors in attacks on financial services firms are external and 7% internal.

However, that report also pointed to the growing need not just to protect against data theft, but also guard against ATM skimming and jackpotting.

The report also comes just a day after UK regulator the Financial Conduct Authority (FCA) fined Tesco Bank over £16m for failings that led to a theft of over £2m from customers’ accounts back in 2016.

Source: Information Security Magazine

MoD Launches Cyber Cadet Training Program

MoD Launches Cyber Cadet Training Program

The Ministry of Defence has launched a new program designed to equip more young people with cyber-skills.

The Cadets CyberFirst program will train up 2000 Armed Forces cadets each year with cybersecurity know-how.

Over £1m will be invested in the initiative each year, with cadets able to choose from introductory courses on how to protect small networks as well as more advanced curricula. The money will also be used to train more than 50 Cadet Force adult volunteers to deliver the program going forward.

“We live in a modern world where our phones are rarely out of our hands and we rely on computers to make daily tasks easier. Cyber threats to the UK are constantly evolving and this exciting initiative to train and develop ‘cyber cadets’ — the first of its kind in a NATO state — reaffirms our leading role in tackling security threats head on,” said defense secretary, Gavin Williamson.

“It is important to recognize the vital role cadets play in our communities, and I am determined to grow the number of young people signing up and make sure their successes are properly recognized each year.”

The Cadet Expansion Programme aims to increase the number of cadets in schools from 43,000 to 60,000.

The initiative was welcomed by industry experts.

“It is evident that there is currently a shortage of talent in the cybersecurity industry, which we as a nation are struggling to circumvent. All organizations — private and public — are pivotal in closing the cybersecurity skills gap, ensuring our children are fully equipped for facing future inevitabilities,” said Rob Norris, VP head of enterprise & cybersecurity at Fujitsu EMEIA.

“And with our latest report revealing that a fifth of the UK public believe cybercrime and hacking are the biggest challenges facing the UK today, this new scheme provides an invaluable resource as the country looks to identify and nurture the cyber experts of the future.”

McAfee chief scientist, Raj Samani, added that the need to close skills gaps is especially urgent given the rise in nation state attacks.

“Initiatives like this will help to encourage more people into the cybersecurity sector — making students aware of the career prospects in this space and creating a new generation of defense against cyber-criminals,” he argued.

Source: Information Security Magazine

Failure to Protect Data Costs Bupa £175,000

Failure to Protect Data Costs Bupa £175,000

The Information Commissioner’s Office (ICO) has fined Bupa Insurance Services Limited (Bupa) £175,000 for its failure to protect the personal information of its customers. Had the timing of the breach been different, Bupa would have faced fines under the General Data Protection Regulations (GDPR), but the security incident occurred prior to those regulations going into effect.

According to the ICO, a Bupa employee stole the personal data of 547,000 employees between January 6 and March 11, 2017. By email himself bulk data reports, the employee was able to pilfer personal information that reportedly included names, dates of birth, nationalities and administrative information for the policy and its beneficiaries, including membership number, email address, phone and fax number, but not any medical information.

In the Monetary Penalty Notice, ICO wrote, “The monetary penalty concerns Bupa Global's customer relationship management system ('SWAN') which holds customer records relating to 1.5 million data subjects. SWAN is used to manage claims made by Bupa Global customers under their international health insurance policies.”

Because Bupa failed to have effective security measures in place and did not routinely monitor SWAN activity logs, the employee successfully emailed the reports to his personal email and then put the information up for sale on the dark web.

After an external partner alerted Bupa to the breach on June 16, 2017, the employee was terminated. Until that point, “Bupa was unaware of a defect in the system and was unable to detect unusual activity, such as bulk extractions of data,” ICO wrote.

For breaching the mandate that companies keep personal data secure, Bupa received the maximum penalties under the Data Protection Act of 1998, which preceded the GDPR. ICO director of investigations Steve Eckersley said in the September 28 post, “Bupa failed to recognize that people’s personal data was at risk and failed to take reasonable steps to secure it."

“Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”

Source: Information Security Magazine

Ransomware Casts Anchor at the Port of San Diego

Ransomware Casts Anchor at the Port of San Diego

A cybersecurity incident at the Port of San Diego was first announced on Tuesday, September 25, 2018, but CEO Randa Coniglio announced on September 27, 2018, that the event was actually a ransomware attack on the port, which oversees more than 34 miles of coastline along San Diego Bay.

The port remains open, but the attack has disrupted the agency's information technology systems. According to the press release, the port is working with the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) on the investigation and remains in close communication and coordination with the U.S. Coast Guard. 

Normal port operations continued despite the attack on the network systems. “Public safety operations are ongoing, and ships and boats continue to access the bay without impacts from the cybersecurity incident. While some of the port's information technology systems were compromised by the attack, port staff also proactively shut down other systems out of an abundance of caution,” Coniglio continued.

The attack has caused temporary impacts on some services to the public, including park permits, public records requests, and business services. A ransom note demanded payment in Bitcoin, though the port has not disclosed the amount requested by the cybercriminals. No additional information on whether the port has paid the ransom or has retrieved access to any encrypted files is available at this time.

"The Port of San Diego malware infiltration and subsequent ransomware demand is just the latest example of a local government entity (and critical infrastructure) being disrupted by ransomware, rendering employees unable to access enterprise applications and do their jobs,” said Sherban Naum, senior vice president for corporate strategy and technology at Bromium.

“Unfortunately, it’s no longer a case of if a breach will occur, but when, and how quickly federal agencies can get systems back up and running. Government – whether local, state or federal – needs to stop playing catch up and supplement layered defenses with virtualization, protecting by design by isolating threats in a virtual environment. Only by isolating undetectable threats as a part of life and limiting the damage and profits that can made by them will we start to see the tide turn. This will keep employees productive and prevent ransomware from putting organizations at risk on the stormy seas of the threat environment.”

Source: Information Security Magazine

Password Security Better, Still Poses Business Risk

Password Security Better, Still Poses Business Risk

Today marks the start of National Cybersecurity Awareness Month (NCSAM), and LastPass by LogMeIn has released the 2018 Global Password Security Report to align with the efforts of NCSAM. While businesses have reportedly made progress with passwords, they still have a long way to go toward strengthening password security. Today’s report is an effort to continue to raise awareness about the risks of dangerous password behavior.

Analying anonymized data from more than 43,000 companies of all sizes that are using LastPass as their business password manager, the report graded businesses, awarding a password security score on a scale of 0–100. The average password security score of organizations was 52. Organizations with fewer than 25 employees averaged 50, while technology companies scored averaged 53 points, in part because 31% of businesses in the technology sector have adopted multifactor authentication.

“Passwords continue to be a challenge to cybersecurity in the workplace, and attacks continue to grow in number and complexity every year. Despite these threats, businesses have struggled to quantify their own level of password risk,” said Gerald Beuchelt, CISO at LogMeIn in a press release.

Given that an increased number of end users poses a higher risk, it makes sense that the bigger the company, the lower the score. However, when looking at the organizations included in the survey, those who were within the first year of using a password management tool saw an increase of nearly 15 points in their password security score. Yet the data revealed that the practice of password sharing still prevails, with a single employee sharing, on average, six passwords with co-workers.

“Security professionals often fail to consider the value of the first factor of enterprise authentication: the password. Despite the sophisticated security measures enterprises are putting in place, something as fundamentally simple as a password is tripping them up,” said Frank Dickson, research vice president, security products at IDC.

The report highlights two benchmarks for evaluating password security: the LastPass Security Score and the LastPass Password Strength Score. The LastPass Security Score incorporates the Password Strength Score and assessed whether passwords were vulnerable based on a variety of indicators, including whether they were duplicated. Additional security settings, such a multifactor authentication, were also considered in the overall score.

Source: Information Security Magazine

Tesco Bank Fined £16m After 2016 Cyber Heist

Tesco Bank Fined £16m After 2016 Cyber Heist

Tesco Bank has been fined £16.4m by the UK’s financial regulator for deficiencies which allowed hackers to steal millions from its customers in 2016.

Online attackers bagged £2.24m in the November raid two years ago, in what the lender described as “sophisticated criminal fraud.”

Although the actual MO of the attackers is still unknown, the Financial Conduct Authority (FCA) has seen the details and decided to slap a major fine on Tesco Bank for “failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber-attack.”

Specifically, the bank failed the regulator’s Principle 2, due to deficiencies in the “design of its debit card,” and its configuration of fraud detection and authentication rules.

The bank was also criticized for failing to respond to the incident with “sufficient rigor, skill and urgency.”

“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all,” explained FCA executive director of enforcement and market oversight, Mark Steward.

“Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber-attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”

The fine would have been an even bigger £33.5m had Tesco Bank not provided high-level co-operation which helped to protect more customers and quickly compensate those affected. It also received a 30% discount for early settlement, the FCA said.

Source: Information Security Magazine

Torii IoT Botnet Takes Mirai to the Next Level

Torii IoT Botnet Takes Mirai to the Next Level

Security experts are warning of a new IoT botnet far more stealthy, persistent and advanced than Mirai and designed to compromise a wide range of device architectures.

Researcher @VessOnSecurity first tweeted about his discovery last week after detecting the threat via a honeypot. Although it spreads via Telnet and targets weak credentials on devices, “it’s not your run-of-the-mill Mirai variant or Monero miner,” he warned.

“It does not (yet) do the usual stuff a botnet does like DDOS, attacking all the devices connected to the internet, or, of course, mining cryptocurrencies,” explained Avast in a follow-up analysis.

“Instead, it comes with a quite rich set of features for exfiltration of (sensitive) information, modular architecture capable of fetching and executing other commands and executables and all of it via multiple layers of encrypted communication.”

Dubbed “Torii” by the firm, the threat first finds out the architecture of the targeted device, and downloads an appropriate payload — with MIPS, ARM, x86, x64, PowerPC, SuperH and more supported.

This payload is a dropped for the second stage. Meanwhile, Torii uses at least six methods to make sure the file remains on the device and always runs.

“The second stage payload is a full-fledged bot capable of executing commands from its master (CnC),” said Avast. “It also contains other features such as simple anti-debugging techniques, data exfiltration, multi-level encryption of communication, etc.”

Sean Newman, director at Corero Network Security, said Torii is “cashing in on the rapidly expanding global pool of IoT devices.”

“Its secret could be the large number of different platforms the code can support, which gives it the diversity needed to find enough devices that still use simple default username/password pairs,” he added. “Until IoT manufacturers solve the issue of shipping devices with the same default administrator credentials, it’s going to remain child’s play for cyber-criminals to leverage them for nefarious purposes.”

Source: Information Security Magazine