Archive for the News Category

Cybersecurity Pros Aren't Getting the Training They Need, Including in DevOps

Although the cybersecurity skills shortage is a well-known issue, software developers are not receiving the training they need to be successful, including in the realm of DevOps.

According to the 2017 DevSecOps Global Skills Survey, sponsored by Veracode, slightly less than half of respondents said their employers paid for additional training since their entry into the workforce – and nearly seven in 10 developers report that their organizations provide them with inadequate security training. Third-party training, either in the classroom or through e-learning, was identified by one in three surveyed as the most effective way to gain new, relevant skills – but the study confirmed that very few are afforded the opportunity (only 4%).

“WannaCry and Petya are just two recent examples of large-scale cyberattacks that further demonstrate the importance of security in today’s exceedingly digital world,” said Maria Loughlin, vice president of engineering at Veracode. “Despite this apparent need, security practices and secure software development isn’t required to earn a degree in IT or computer science.”

Although nearly 80% of respondents have a bachelor's or master's degree – with 50% reporting that they studied and earned degrees in computer science – there is still a lack of cybersecurity knowledge prior to entering the workforce. The survey found that 70% of respondents said the security education they received is not adequate for what their current positions require, and that they're learning their most relevant professional skills on the job (65%).

Also, as DevOps becomes the prevalent approach to building and operating digital products and services, that gap could have real impact on the security and quality of the software that underpins the digital economy. The report found that while 65% of DevOps professionals believe it is very important to have knowledge of DevOps when entering IT, 70% are not receiving the necessary training through formal education.

In security, DevSecOps refers to the practice of integrating security into the development and testing of software for a “shift left” mentality for faster, better quality outcomes. Yet those surveyed said that their IT workforce is only somewhat prepared (55%) or not prepared (nearly 30%) with the skills necessary to securely deliver software at the speed of DevOps. In fact, nearly 40% of hiring managers surveyed reported that the hardest employees to find are the all-purpose DevOps gurus with sufficient knowledge about security testing. This poses a significant challenge, as more than 50% of organizations said that either the entire organization or some of their teams are currently utilizing DevOps practices.

“Our research with DevOps.com highlights the fact that there are no clear shortcuts to address the skills gap,” Loughlin said. “Higher education and enterprises need to have a more mature expectation around what colleges should teach and where organizations need to supplement education given the ever-changing nature of programming languages and frameworks. The industry will have to come together to ensure the safety of the application economy.”

Source: Information Security Magazine

Web Application Attacks Much More Common Than Ransomware

Beware Joomla, et al: An analysis shows that web applications are the soft underbelly of organizations—the chink in the armor that hackers can use to successfully compromise their operations.

That’s the word from Alert Logic, which conducted an analysis of more than 2 million security incidents that were captured and escalated in its systems during an 18-month evaluation period. The resulting 2017 Cloud Security Report found that web application attacks accounted for 73% of all the incidents flagged. These affected 85% of all Alert Logic customers, with injection-style attacks such as SQL injection leading the pack.

In comparison, server-side ransomware represented only 2% of total incidents.

“While ransomware gets much mindshare in the cybersecurity industry and in media headlines, it accounted for only a small number of observed security incidents in the data set,” the report noted.

“We focused our analysis on incident types and the workloads and environments most at risk,” said Misha Govshteyn, senior vice president of Technical and Product Marketing at Alert Logic. “Cyber-attackers continue to seek the weakest spots in network defenses, and businesses need to understand how they are refocusing to take advantage of the changing attack landscape.”

The Alert Logic customers in the report data set represent a broad range of industries (452 unique SIC codes) and organization sizes, from small-to-medium-sized businesses to large-scale enterprises. About 82% of customer deployments analyzed hosted workloads in the cloud—either on an infrastructure-as-a-service platform or hosted private cloud—and approximately one-third maintained on-premises or cloud hybrid infrastructure.

The report showed that pure public cloud installations experienced the fewest security incidents. On average, customers running applications on public cloud platforms experienced 405 security incidents over the 18-month period, while on-premises customers experienced a 51% higher rate of security incident escalations (612), hosted private cloud 69% higher (684) and hybrid cloud 141% higher (977).

The results also showed that bad actors favor content management systems and e-commerce platforms.

“Vulnerabilities in ubiquitous third-party web application components, insecure coding practices and increases in exploit automation make content management systems and e-commerce platforms rich hunting grounds for hackers targeting web applications,” said the report. “Attacks targeting the Joomla content management system (CMS) accounted for 25% of total web application attacks observed followed by WordPress with 10% and Magento with 7%.”

Source: Information Security Magazine

Uber Agrees to 20 Years of Privacy Audits by the FTC

Long plagued by privacy issues, Uber has agreed to privacy audits for the next 20 years after the FTC found the ride-sharing company at fault for harming consumers.

There are twin transgressions, in the FTC’s eyes. First, the ride-hailing start-up had a system for monitoring employee access to consumer information, but it stopped using it after less than a year. Second, hackers stole more than 100,000 driver names and license numbers in a 2014 data breach, which the FTC said could have been easily averted using multifactor authentication. Combined, these amount to "deceptive privacy and data security claims,” the FTC said.

"Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data," said Maureen Ohlhausen, acting chairman of the FTC. "This case shows that, even if you're a fast-growing company, you can't leave consumers behind: you must honor your privacy and security promises."

In addition to the audits, Uber will be implementing a new privacy program as part of the settlement.

Some noted that the requirements imposed by the US regulator are changes that Uber would have had to make to continue operating in Europe anyway.

"Uber may offer cheap cab fares but underneath the surface is a company plagued by reports of sexism, a massive data breach and an unhealthy interest in the journeys taken by a journalist,” Lee Munson, security researcher for Comparitech.com, said via email. "While such an agreement with the FTC may sound incredibly arduous, [but] executives may be rubbing their hands together, safe in the knowledge that the FTC will point them in the right direction long before any EU nations start handing out fines of up to 4% of an organization’s annual turnover for nightmarish privacy issues."

Trust and privacy go hand in hand, another researcher told us.

“In the age of digital business and increasing cyber-risk, it’s critical for senior executives and boards to put the building of trust at the top of the priorities list,” Malcolm Harkins, chief security and trust officer at Cylance, said via email. “Trust is a function of two things: Competence and character. While I respect the work of Uber’s more recent executive hires, this settlement may be an indication of things that were lacking to deliver that trust earlier in Uber’s history. Not only for security, but for privacy, all organizations should have a set of principles in place to guide the placement of the anchor points for security and privacy to deliver trust. Equally important is the right governance model to oversee the evolution of trust throughout the company.”

Source: Information Security Magazine

Ex-Secret Service Man Admits Laundering More Stolen Bitcoin

A disgraced former Secret Service agent sent to jail for stealing Bitcoin during an investigation into the Silk Road darknet marketplace has pleaded guilty to laundering even more of the digital currency.

Shaun Bridges, 35, of Laurel, Maryland, was sent to jail in December 2015 for six years after hijacking the Silk Road account of a site administrator to steal around $820,000 worth of crypto-currency.

However, before starting that sentence, he was arrested again on new charges relating to the alleged theft of 1606 Bitcoin, valued at the time at $359,000 but now worth a staggering $6.6m.

He has admitted using a private key to access a digital wallet belonging to the US government and transferring the currency to other wallets at other Bitcoin exchanges to which only he had access, according to the Department of Justice.

As part of his investigation into the Silk Road, Bridges is said to have worked with the US attorney’s office in Baltimore to obtain a seizure warrant for Bitcoin held in the Bitstamp digital exchange.

As part of the warrant, the 1606 Bitcoins were sent to a BTC-e digital wallet to which only Bridges had the private key.

BTC-e is a notorious exchange which police believe has been used by cyber-criminals to receive the proceeds of ransomware, dark net drug sales and more.

Its alleged operator, Alexander Vinnik, 37, is accused of laundering $4bn through the exchange and was indicted on 21 counts after being arrested in Greece in July.

Among the Bitstamp accounts seized by Bridges were those of DEA special agent Carl Force, working undercover to crack the Silk Road and its kingpin Ross Ulbricht, aka ‘Dread Pirate Roberts’.

Force was sentenced to six-and-a-half years behind bars for himself stealing Bitcoins from targets of the investigation, after trying to disguise his actions by inventing various online pseudonyms.

Bridges has pleaded guilty to one count of money laundering, with sentencing set for November 7.

A SANS Institute report earlier this month revealed that malicious insiders (40%) are more dangerous than accidental or negligent staff (36%).

Source: Information Security Magazine

IT Insider Helped Alleged $5m Insider Trading Scheme

Five men have been charged with insider trading offenses after an IT consultant pleaded guilty to using his position as a trusted insider at an investment bank to facilitate the scam.

In his role at the unnamed bank, Daniel Rivas is said to have accessed sensitive M&A information from at least August 2014 to around April 2017, sending it to friends on more than 50 occasions for them to buy and sell securities.

His efforts netted them an estimated $5m.

Rivas first sent insider information to the father of his girlfriend, James Moodhe of New York City, who used it to generate profits of $2m over three years.

The two have already pleaded guilty to conspiracy, securities fraud, fraud in connection with a tender offer, wire fraud and making false statements to law enforcement officials.

A separate SEC civil case reveals that Rivas tried to use his IT know-how to his advantage:

“To avoid leaving a trail of their communications, Rivas and Moodhe did not communicate through electronic means such as phone calls, text messages, or emails. Instead, Rivas tipped Moodhe through other methods. For instance, Rivas provided handwritten notes to Moodhe’s daughter.”

Rivas also passed information to Michael Siva, 55, of West Orange, New Jersey, a financial adviser; Roberto Rodriguez, 32, of Miami Gardens; Rodolfo Sablon, 37, of Miami; Jhonatan Zoquier, 33, of Englewood, New Jersey and Jeffrey Rogiers, 33, of Oakland, California.

“As alleged, the defendants took advantage of an insider at an investment bank to make millions in illegal profits, trading over 50 times in advance of confidential corporate information. The defendants allegedly used code words and encrypted messages to try to avoid law enforcement detection,” said acting US attorney, Joon Kim.

“But despite their efforts to hide their crimes, the defendants’ insider trading schemes have been exposed, and two have already pled guilty to federal crimes. Those who seek to cheat the markets by trading on stolen inside information corrupt the integrity of our nation’s securities markets, and we are committed to stopping them and holding them accountable.”

New research from Dtex out this week revealed that IT pros overwhelmingly believe insider threats are more difficult to spot than attacks from third parties, and over half (51%) think such incidents are on the rise.

Source: Information Security Magazine

Exploit Packages Lead to Five Million Attacks in Q2

Exploit leaks from the likes of the Shadow Brokers dominated the threat landscape in the second quarter, according to new stats from Kaspersky Lab.

The Russian AV firm detected over 342 million attacks in 191 countries in the period April-June this year, a fairly significant reduction from the 479m attacks seen in Q1.

However, over five million such threats spotted by the vendor came from leaked exploits; that is, malware designed to utilize software vulnerabilities to infect victim machines.

Such attacks are particularly dangerous as they typically don’t require user interaction to deliver malicious code.

The Kremlin-linked Shadow Brokers leak was particularly damaging, making public exploits thought to have been developed by the NSA.

These led to the notable WannaCry and NotPetya outbreaks which caused chaos and destruction across the globe, even at big-name organizations including international law firm DLA Piper, Danish shipper Maersk, German drug company Merck, and ad giant WPP.

Although many of the bugs exploited by such threats were not zero-day vulnerabilities, poor patch management on the part of many organizations appeared to leave them exposed to attack.

Office vulnerability CVE-2017-0199, for example, was first discovered and patched in April but 1.5m users were subsequently attacked, according to Kaspersky Lab.

The average number of exploit-based attacks seen each day is also growing, with 82% of all attacks detected in the last month of the quarter.

“The threat landscape of Q2 provides yet another reminder that a lack of vigilance is one of the most significant cyber-dangers,” warned Kaspersky Lab security expert, Alexander Liskin. “While vendors patch vulnerabilities on a regular basis, many users don’t pay attention to this, which results in massive-scale attacks once the vulnerabilities are exposed to the broad cyber-criminal community.”

Elsewhere in the report, crypto-ransomware attacks increased, with the vendor blocking these threats on 246,675 computers during Q2, versus 240,799 in Q1.

Source: Information Security Magazine

Scottish Parliament Accounts Under Brute Force Attack

The Scottish Parliament has been hit by a brute force attack designed to crack MSP and staff passwords, it has emerged.

The external attack appears to be targeting online accounts, much like the one parliament suffered in June.

Although there’s no official info on the Scottish Parliament website, MSPs and staff have been informed by email by CEO Paul Grice, according to the BBC.

"Symptoms of the attack include account lockouts or failed logins,” the missive reportedly notes.

"The parliament's robust cybersecurity measures identified this attack at an early stage and the additional security measures which we have in readiness for such situations have already been invoked. Our IT systems remain fully operational."

The additional security measures in question appear to involve forcing a change to weak passwords, which raises the question of why they were allowed in the first place.
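The email quoted above names the two symptoms defenders typically see during an attack like this: failed logins and account lockouts. The following Python block is an added example, not part of the original article or any Scottish Parliament tooling, showing how a detection script can separate the two common shapes of such an attack in authentication logs: many failures against one account (classic brute force) and a few failures against many accounts from one source (a password spray). The log format, the sample lines and the five-attempts-in-five-minutes thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified syslog-like format (not real
# parliamentary data): timestamp, outcome, account, source IP.
SAMPLE_LOG = """\
2017-08-15T09:00:01Z auth FAILED user=jsmith src=203.0.113.7
2017-08-15T09:00:02Z auth FAILED user=abrown src=203.0.113.7
2017-08-15T09:00:03Z auth FAILED user=cwhite src=203.0.113.7
2017-08-15T09:00:04Z auth FAILED user=dgreen src=203.0.113.7
2017-08-15T09:00:05Z auth FAILED user=eblack src=203.0.113.7
2017-08-15T09:00:06Z auth FAILED user=fgrey src=203.0.113.7
2017-08-15T09:00:10Z auth FAILED user=jsmith src=198.51.100.4
2017-08-15T09:00:11Z auth FAILED user=jsmith src=198.51.100.4
2017-08-15T09:00:12Z auth FAILED user=jsmith src=198.51.100.4
2017-08-15T09:00:13Z auth FAILED user=jsmith src=198.51.100.4
2017-08-15T09:00:14Z auth FAILED user=jsmith src=198.51.100.4
2017-08-15T09:00:15Z auth LOCKOUT user=jsmith src=198.51.100.4
2017-08-15T09:01:00Z auth FAILED user=mscott src=192.0.2.10
2017-08-15T09:01:30Z auth SUCCESS user=mscott src=192.0.2.10
"""

# Assumed line layout; a real deployment would use the format of its own IdP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<outcome>FAILED|SUCCESS|LOCKOUT) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log text into (timestamp, outcome, user, src) tuples, skipping
    lines that do not match the expected format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["outcome"], m["user"], m["src"]))
    return events


def detect_brute_force(events, window=timedelta(minutes=5),
                       per_account_threshold=5, spray_threshold=5):
    """Sliding-window detection over authentication events.

    - brute_force_accounts: accounts with >= per_account_threshold failures
      inside `window`, regardless of source.
    - spray_sources: sources that failed against >= spray_threshold distinct
      accounts inside `window` (the password-spray pattern, which a
      per-account lockout policy alone does not catch).
    - lockouts: (user, src) pairs where the IdP reported a lockout.
    Thresholds are illustrative assumptions, not recommended values.
    """
    events = sorted(events, key=lambda e: e[0])
    fails_by_user = defaultdict(deque)   # user -> deque of failure timestamps
    fails_by_src = defaultdict(deque)    # src  -> deque of (timestamp, user)
    findings = {"brute_force_accounts": set(),
                "spray_sources": set(),
                "lockouts": []}

    for ts, outcome, user, src in events:
        if outcome == "LOCKOUT":
            findings["lockouts"].append((user, src))
            continue
        if outcome != "FAILED":
            continue

        # Per-account view: drop failures older than the window, then count.
        q = fails_by_user[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= per_account_threshold:
            findings["brute_force_accounts"].add(user)

        # Per-source view: count distinct accounts failed within the window.
        s = fails_by_src[src]
        s.append((ts, user))
        while s and ts - s[0][0] > window:
            s.popleft()
        if len({u for _, u in s}) >= spray_threshold:
            findings["spray_sources"].add(src)

    return findings


if __name__ == "__main__":
    result = detect_brute_force(parse_events(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {sorted(value)}")
```

On the constructed sample, the script flags `jsmith` as a brute-forced account (six failures from two sources within the window), `203.0.113.7` as a spraying source (one failure each against six accounts), and records the lockout the IdP emitted. The two views matter because they fail differently: a per-account lockout policy stops the first pattern but is exactly what a spray is designed to stay under, so the per-source count is the check that catches it.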

Bitglass CEO Rich Campagna argued that passphrases are a better bet than long and strong passwords.

“These will still be lengthy, but made up of real words, so easier to remember,” he added. “It might seem simple, but the truth is, if a password takes too long to crack, hackers will simply move onto the next batch."

Jamie Graves, CEO of Edinburgh-based ZoneFox, argued that the Scottish Parliament is institutionally well prepared to cope with cyber-attacks.

“What the Scottish Parliament has in its favor is a transparent, open culture and so unquestionably all staff will heed Sir Paul Grice's request to remain vigilant,” he explained. “A united, digitally alert team is one of the greatest tools organizations can deploy in their fight against hackers."

However, the use of password-based systems is still troubling given the high stakes at play here.

Security expert Graham Cluley recommended a switch to two-factor authentication, a simple step which would confound hackers, crackers and phishers.

“If it's good enough for the cast of Game of Thrones it should be good enough for you,” he explained, referencing a move designed to tighten up security on the hit TV show.

Back in June, less than 1% of 9000 parliamentary accounts were compromised in a similar attack, also prompting calls for 2FA to be introduced across the board.

Source: Information Security Magazine

UK Retail Data Breach Incidents Double in a Year

The number of UK retailers experiencing data breaches has doubled over the past year, according to new stats shared by law firm RPC.

The City-based firm claimed that the number of breaches reported to data protection watchdog the Information Commissioner’s Office (ICO) increased from just 19 in 2015/16 to 38 in 2016/17.

Contrary to some headlines making the news, this doesn’t necessarily mean an uptick in malicious activity by third parties; breaches can commonly be caused by employee error, negligence or deliberate actions.

Nevertheless, the stats highlight a growing problem for the UK’s retailers, and the need for further investments in cybersecurity, according to RPC.

Partner Jeremy Drew argued that cost pressures, including rates and minimum wage increases and the declining pound, can often take precedence.

“Retailers are a goldmine of personal data but their high-profile nature and sometimes aging complex systems make them a popular target for hackers,” he added.

“As the GDPR threatens a massive increase in fines for companies that fail to deal with data security, we do expect investment to increase both in stopping breaches occurring in the first place and ensuring that if they do happen they are found quickly and contained.”

David Kennerley, director of threat research at Webroot, argued that retailers need to focus both on their internal security and on ensuring customers stay safe online.

“Retailers need to keep PoS software up-to-date and deploy threat protection and detection on these devices, while not forgetting the importance of the physical security of PoS systems. Where possible, two-factor authentication should be used internally and by their customers. Online transactions should always require that the CVV number is entered by the customer for every transaction,” he said.

“Retailers need to make sure all data that they store and transmit is encrypted, access is only given to those within the organization that need it to perform their job and at the same time ensure any third-party entities are maintaining the same high standards.”

Sports Direct and Debenhams Flowers are just two well-known brands breached over the past year.

Source: Information Security Magazine

Unskilled Nigerian Behind Phishing Offensive Targeting World's Biggest Companies

A relatively unskilled man in his mid-20s, operating from a location near the capital of Nigeria, is the kingpin behind a four-month cyber-offensive that has affected 4,000 organizations globally.

According to an investigation by Check Point, a range of companies have been targeted by cyberattacks which aim to infect their networks, steal data and commit fraud. The victims include a marine and energy solutions company in Croatia, a transportation company in Abu Dhabi, a mining company in Egypt, a construction organization in Germany, and so on—leading international names in industries such as oil & gas, manufacturing, banking and construction.

“Successful attacks on this scale are usually attributed to expert gangs of cybercriminals—often backed by a nation-state, with the aim of destabilizing economies,” Check Point researchers said. “[Instead], he is a Nigerian national, working on his own. On his social media accounts, he uses the motto ‘get rich or die trying’.”

His attack campaign uses fraudulent emails which appear to originate from oil and gas giant Saudi Aramco, the world’s second largest daily oil producer, targeting financial staff within companies to trick them into revealing company bank details or opening the email’s malware-infected attachment.

“It’s particularly striking that his techniques display a low level of cyber-skills,” the researchers said. “His fraudulent emails are crude and unsophisticated; there is almost no research or social engineering involved in creating them. The titles of the emails are generic, and phrased as “Dear Sir/Ms.”  The same mail is sent to numerous targets, all in blind carbon copy, urging victims to send back banking details, perhaps for future scams.”

The malware used is NetWire, a remote access Trojan which allows full control over infected machines, and Hawkeye, a keylogging program. Both are old, generic and readily available online. He also uses freeware to ‘scrape’ email addresses from corporate websites, which he then uses as targets for his campaigns, Check Point said.

The ramifications are myriad: both the financial losses and the opportunity for follow-on attacks should be concerns, the firm cautioned.

“In addition to the financial losses resulting from the attack, the malware used by the criminal to infect organizations gives remote control over infected machines, and can perform keylogging functions,” researchers explained. “This enables harvesting of a variety of information from infected machines, such as details on the companies’ operations, assets and intellectual property. These can have a value far greater than the thousands of dollars obtained by fraud. What happens when the hackers realize the real value of these assets and start to exploit them?”

Check Point’s research team has notified law enforcement authorities in Nigeria and internationally, it said.

Source: Information Security Magazine

Poll: Young Women Worry They Don't Have the Skills for Tech

Against the backdrop of a (now-fired) Google engineer’s screed against women in tech, a survey of more than 1,000 university students has identified a worrying crisis in confidence among young women with regards to their digital skills.

Conducted by KPMG and independent market research company High Fliers, the poll found that only 37% of young women are confident they have the tech skills needed by today’s employers, compared with 57% of young men. This is despite scoring on a par with their male counterparts when assessed on digital skills such as data manipulation and use of social media.

There is evidence that this lack of confidence could be putting many young women off applying for jobs: Almost three-quarters (73%) of female respondents said they have not considered a graduate job in technology.

“The issue here isn’t around competency—far from it—but rather how businesses understand the underlying capability of an individual and how to unlock it,” said Aidan Brennan, KPMG head of digital transformation. “I think this research highlights the work that needs to be done to show the next generation that when it comes to a career in tech, gender isn’t part of the equation.”

He added, “Competition for jobs is tough, and we know that female job seekers can be less likely to apply for a role than their male counterparts if they don’t feel they already possess every pre-requisite the job demands. Businesses committed to building a truly diverse workforce need to adapt their recruitment processes to reflect this, and ensure they don’t fall into the trap of listening only to those who shout about their capability loudest.”

The news comes on the heels of a memo penned by 28-year-old former Google engineer James Damore, whose assertions that “genetic differences” may explain “why we don’t see equal representation of women in tech and leadership” stirred a rousing debate over diversity in the workplace earlier in the month.

Google CEO Sundar Pichai himself sent an employee memo, saying, "To suggest a group of our colleagues have traits that make them less biologically suited to that work is offensive and not OK.”

The controversy has underscored ongoing initiatives on the part of some companies to encourage more gender diversity.

Anna Purchas, interim head of people at KPMG in the UK, said that the firm is already taking action to target women who are digitally capable, but may not yet be confident in their skills.

“We recruit around 1,000 graduates each year through our graduate recruitment process, Launch Pad, and we are proud to have reached a 50/50 gender split amongst our graduate intake,” she said. “However, to maintain this level of equality in an increasingly digital world, it’s vital that more women … have the confidence that their tech skills will be applicable for a role at a professional services firm like ours.”

Earlier this year KPMG launched ITs Her Future, an initiative aimed at encouraging more women to consider a career in tech, as well as Future Ready, an online tool designed to help young people who may not yet have experienced working in an office understand how the skills they do possess could be applicable in the workplace.

Source: Information Security Magazine
