
Remote Islands to Enter Cybersecurity Industry in 2020

The US Commonwealth of the Northern Mariana Islands (CNMI) is to welcome its first ever cybersecurity business next year.

In a statement released today and published in the Marianas Variety, the CNMI Departments of Commerce and Labor announced that an unnamed US-based cybersecurity firm will open its newest Security Operations Center on CNMI's largest island, Saipan, in January 2020.

In addition to placing the CNMI on the cybersecurity industry's map, the new center is expected to create new jobs on the remote Pacific Ocean island. Recruitment is currently underway for 15 information security analysts. 

Applicants must be at least 18 and need to have attained a CompTIA certification through local nonprofit organization The Latte Training Academy (LTA). 

The US firm will be hiring qualified candidates on a full-time basis and will offer career progression, which may require relocation to various client locations throughout the United States and Europe.

"The firm reached out to the Latte Training Academy through its affiliation with CompTIA and began discussions on the ability to support its need for entry level Information Security Analysts. These positions are intended to serve as front line network analysts for the firm’s clients," said the LTA's director, Ed Arriola Jr.

"Given the security concerns of their customer base, the organization has opted to open a CNMI location rather than outsource the work. The need to source a US labor market was a key component to their interest in the CNMI, but our geographic location on the opposite side of the international date line was beneficial as it allows them to provide coverage to supplement their US offices."

Secretary of Labor Vicky Benavente said the arrival of the US firm aligned well with the CNMI's plans to create an apprenticeship program. 

"The Department of Labor Workforce Investment Agency director David Attao has been a key advocate in establishing our apprenticeship strategy and work experience programs. 

"Given the course of the discussion with the firm, he recognized that their training and on-boarding plan was directly in-line with the mission of DOL WIA and the USDOL Apprenticeship State Expansion program. 

"We will continue to work with our partners at the Latte Training Academy to bring this tremendous opportunity to fruition. This effort is exactly the push that this administration has worked so diligently to produce. While we are still in beginning phases, to be able to generate the interest within this industry is extraordinary."

Source: Information Security Magazine

Dutch Company Launches Private Unprofiled News Tab

Startpage.com has created a private News tab that allows users to search the internet without logging in or sharing any personal information. 

The Dutch company launched the News tab today as an additional feature of its existing private browsing extension. 

The tab allows users to keep up with the latest news stories in complete anonymity, and prevents users from becoming trapped in a limited bubble of search results tailored to their own preferences. 

Anyone using the news tab will receive identical unprofiled search results for their particular query, regardless of their browsing history or demographic profile. 

The News tab is an extension of Startpage’s existing private search engine options of “Web,” “Images,” and “Anonymous View.”

A spokesperson for Startpage.com said: "With the rise of content creation and dispersion of news sources, there’s been a tidal wave of news coverage flowing across the web on a daily basis. Some of this news becomes wide-reaching, being read by millions, while other news goes entirely unnoticed. 

"Furthermore, news outlets’ viewpoints are becoming more extreme to serve niche audiences with divisive opinions versus unbiased reporting." 

Algorithms developed to display curated news and articles based on a reader's individual digital profile result in users' receiving only a narrow slice of information about what's really going on in the world.

Startpage.com was inspired to create the News tab after several months of receiving multiple requests from their users for a "fair, un-personalized, anonymous way to receive their news."

A company spokesperson said: "Most search engines keep an archive of your prior search and browsing history, resulting in a 'filter bubble'—a tailored internet experience based on your collected data, which traps you in a search bubble built by your own preferences. Startpage’s News tab empowers users to see comprehensive search results beyond the bubble." 

The News tab will showcase the most relevant search results—which can be filtered by date—while guaranteeing a completely unprofiled browsing experience, allowing users to peruse the news free of any search history tracking.

Startpage.com won praise from the Dutch legal protection minister Sander Dekker, who cited the company in a June letter to the House of Representatives regarding privacy. 

Dekker wrote: "It is important that people become more aware of the consequences of sharing personal data. Dutch initiatives such as the search engine Startpage.com, where no personal data is stored, contribute to the protection of the privacy of citizens."

Source: Information Security Magazine

Cybersecurity Protocol for International Arbitration Published

A detailed set of guidelines on what cybersecurity measures to take when handling arbitration was released today as part of New York Arbitration Week.

The Cybersecurity Protocol for International Arbitration (2020) is the culmination of two years of work by a working group on cybersecurity consisting of representatives of the International Council for Commercial Arbitration (ICCA), the New York City Bar Association (City Bar), and the International Institute for Conflict Prevention & Resolution (CPR). 

The protocol was published with the twin goals of providing a framework for determining reasonable information-security measures for individual arbitration matters and increasing awareness about information security in international arbitration.

Cybersecurity is crucial in arbitration, since the credibility and integrity of any dispute-resolution process depends on maintaining a reasonable degree of protection over the data exchanged during the process.

A City Bar representative said: "We are proud that this important work has had its launch during New York Arbitration Week and at the New York International Arbitration Center. New York is one of the most frequently selected locations for international arbitration in the world and the most popular city for arbitration in the United States."

The protocol reviews the importance of cybersecurity in high-stakes international arbitration, which often involves extensive travel and the use of multiple networks. Recommendations include identifying and classifying all information and controlling access to it as appropriate. 

Suggested information security measures for hearings and conferences include implementing procedures for the handling of any transcripts, recordings, or videos that are made and restricting what technology attendees may bring to and use at hearings. 

"The Protocol provides a pathway for the arbitration community to maintain a culture of awareness and effective security so that arbitration will continue to meet users’ expectations," said a City Bar representative. 

The working group published an initial Consultation Draft in April 2018, together with a request for comments that was sent to more than 240 individual consultees representing arbitral institutions, law firm arbitration practice groups, expert witnesses in arbitration proceedings, and non-governmental organizations such as bar associations. 

In the expectation that the protocol will necessarily evolve over time, the working group has appended "2020" to this first edition. Feedback on the Cybersecurity Protocol may be sent to cybersecurity@arbitration-icca.org.

Source: Information Security Magazine

#InfosecNA: How to Communicate Risk and Security to Executives

Speaking at Infosecurity ISACA North America Expo and Conference in New York, Tony Rock, chief operating officer at Lockpath, discussed the challenges many security departments face in building a business case to communicate their risk management and security programs.

“Our [infosec pros] jobs are hard, when you think about the world that we live in: no resources, changing priorities, no funding, compliance [etc.],” Rock said.

“We need to find a way to communicate the issues we are having within the organization and how we can use those to minimize risk and deliver value.”

Fundamentally, security leaders can become frustrated, Rock admitted, “but at the same time, our business executives are frustrated too,” and they do not view or understand security and risk in the same way as security professionals. 

Security leaders must understand the business use cases of security strategies to drive more value, he added. “Not being able to communicate effectively is a significant problem, and at the end of the day, the people on the business side control the check books, but they normally don’t quite understand what we do and how we deliver value.”

It’s therefore down to security leaders to align and articulate their needs with the needs of the wider business stakeholders, including:

  • Linking needs to performance metrics
  • Funding business cases
  • Reporting status for action

Security leaders must understand the cost and benefit of their objectives, and frame reporting of results or requests for resources in the context of business executives, Rock continued. He then shared an ‘alignment to value’ diagram (below) that can aid security leaders in achieving this.

“At the end of the day, there are business benefits to [doing] this, because this is what essentially allows us to fund the things that we need to deliver to the organization.”

Source: Information Security Magazine

#InfosecNA: The Benefits of Training Employees to Hack

For most corporate denizens, security training is an unpleasant but necessary evil, but does it have to be? Not according to Kris Martel, CISO of Imagine IT, who uses a highly interactive approach to create an engaging, entertaining learning environment that makes security meaningful and interesting to the average employee.

Speaking at Infosecurity ISACA North America Expo and Conference in New York, Martel shared some of the things he uses in his trainings to help improve security awareness and compliance, and have employees eagerly awaiting their next session.

“Cyber awareness training must change audience perception by making it [security] relevant to the organization or the individuals you’re teaching,” said Martel. “The way to do that is to make it engaging, interactive and fun – and unpredictable,” he added. One of the ways he engages employees is to teach them real-world hacking skills, including how to craft effective phishing attacks, helping them learn who has their Facebook login and taking them on guided tours of the Dark Web. Whenever possible, Martel finds ways to reward participation with small but popular tokens such as preferred parking spots, movie tickets and, in some cases, internal cryptocurrency.

Martel has developed a fun and effective way to deal with experienced cyber-workers who don’t take the training seriously because they believe they are too smart to be hacked: he offers them a friendly challenge. After a co-worker accepts the challenge, he begins a surveillance phase which, depending on how good his opponent is, can last anywhere from a few days to a few months. In one case, with an especially cyber-savvy individual, his usual hunt within social media, inquiries with co-workers, and other tactics failed to produce anything. Even though they had effectively ghosted themselves, including paying a service to erase their profile from the internet, he did find evidence of their activity on Amazon which enabled him to craft a phishing attack that eventually proved effective in gaining his ‘victim’s’ credentials. Although it took four months to execute, Martel felt it was worth it after the employee agreed to go to training and he got a good story out of it to share with his colleagues.

Here are a few of Martel’s key takeaways:

  • Interactive training keeps people engaged
  • If possible, teach the class to hack as part of the training to make what they are learning meaningful
  • Incentivize employees to report phishing with contests and recognition
  • Make monthly training fun. One way to do this is to fill part of the session with short presentations developed by your students

Applying these tactics helped Martel stimulate a 70% increase in reporting of phishing attacks, a 45% reduction in the success rate of phishing attacks, and a 94% positive rating on his course feedback surveys. “I knew things had changed when people started asking me when the next security training session was going to be held,” he concluded.

Source: Information Security Magazine

#InfosecNA: How IoT Gadgets Can Spy on Your Children

At Infosecurity ISACA North America Expo and Conference in New York this week, Ken Munro, CEO of Pen Test Partners, took visitors on what he referred to as a “scary, creepy tour” of IoT-related security issues. Munro explained that a child's doll, marketed as ‘My Friend Cayla,’ is just one example of the growing number of IoT-enabled consumer and commercial products on the market, and of the lack of proper security in their designs that leaves many of them vulnerable to attack.

Cayla, for example, is a children’s doll endowed with speech recognition technology that enables it to have a conversation with a child. The big selling point for parents, however, is Cayla's GPS receiver and wireless module, which allows them to track and listen in on their child. Although Cayla was supposed to be ‘kid-friendly’ and ‘cyber-safe,’ Munro’s long experience with exploring the vulnerabilities of embedded systems made him suspect otherwise. It wasn't very long before he discovered what he described as “a huge attack surface” that allowed him and his team to bring out another, more sinister, side of Cayla.

Using a simple program that mimicked Cayla's phone app, the Pen Test Partners team were able to access the doll’s web-based portal and change their user status code from 1 to 0, giving them complete administrative access to the doll's features as well as the user information of all the other dolls’ owners. From there, they were able to modify the table that prevented Cayla from using 1500 words deemed to be “naughty” which, in Munro's words, “allowed her to swear like a sailor.” Had they chosen to do so, this access would have also allowed them to access other owners’ dolls and listen to or even converse with their children.
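The flaw the article describes is a backend that trusts a privilege field sent by the client: flipping a status code in the request is enough to become an administrator and read every other owner's record. The following is an added illustration written for this page, not code from Pen Test Partners or from the doll vendor's portal, and the account names, e-mail addresses, session tokens and the 0/1 role codes are constructed. It places the vulnerable handler (identity and role read from request fields) beside a hardened one (identity from a server-side session, role from the stored account, and a per-object ownership check before the word filter can be edited), and is written in Python because the real portal's code is not on the page.

```python
from __future__ import annotations
from dataclasses import dataclass, field

ADMIN, OWNER = 0, 1   # constructed role codes; mirror the article's "status code 1 -> 0"


class Forbidden(Exception):
    """Raised by the hardened handlers when the caller lacks the right."""


@dataclass
class Account:
    user_id: str
    email: str
    status: int                                       # role kept server-side only
    banned_words: set = field(default_factory=set)    # the doll's "naughty word" filter


def make_state() -> tuple[dict, dict]:
    """Constructed sample backend: three doll owners, one operator, one session each."""
    accounts = {
        "alice": Account("alice", "alice@example.invalid", OWNER, {"naughty"}),
        "bob":   Account("bob",   "bob@example.invalid",   OWNER, {"naughty"}),
        "ops":   Account("ops",   "ops@example.invalid",   ADMIN),
    }
    sessions = {"tok-alice": "alice", "tok-bob": "bob", "tok-ops": "ops"}
    return accounts, sessions


# --- Vulnerable pattern: privilege and identity come from fields the client sends ---

def vulnerable_list_users(accounts: dict, request: dict) -> list[str]:
    # The client picks its own status code, so sending 0 returns every owner's record.
    if request.get("status") == ADMIN:
        return sorted(a.email for a in accounts.values())
    return [accounts[request["user_id"]].email]


def vulnerable_clear_word_filter(accounts: dict, request: dict) -> set:
    # The target is client-chosen and never compared with who is logged in,
    # so any caller can empty any doll's filter.
    target = accounts[request["target"]]
    target.banned_words.clear()
    return target.banned_words


# --- Hardened pattern: identity from the session, role from the stored record ---

def _caller(accounts: dict, sessions: dict, request: dict) -> Account:
    user_id = sessions.get(request.get("session"))
    if user_id is None:
        raise Forbidden("no valid session")
    return accounts[user_id]


def hardened_list_users(accounts: dict, sessions: dict, request: dict) -> list[str]:
    caller = _caller(accounts, sessions, request)
    if caller.status == ADMIN:        # any "status" field in the request is ignored
        return sorted(a.email for a in accounts.values())
    return [caller.email]             # an owner only ever sees their own record


def hardened_clear_word_filter(accounts: dict, sessions: dict, request: dict) -> set:
    caller = _caller(accounts, sessions, request)
    target = accounts[request["target"]]
    if caller.status != ADMIN and caller.user_id != target.user_id:
        raise Forbidden("caller does not own this doll")   # object-level check
    target.banned_words.clear()
    return target.banned_words


if __name__ == "__main__":
    accounts, sessions = make_state()
    print("vulnerable, status forged to 0:",
          vulnerable_list_users(accounts, {"user_id": "alice", "status": 0}))
    print("hardened, same forged field:   ",
          hardened_list_users(accounts, sessions, {"session": "tok-alice", "status": 0}))
    try:
        hardened_clear_word_filter(accounts, sessions, {"session": "tok-alice", "target": "bob"})
    except Forbidden as exc:
        print("hardened filter edit refused:", exc)
```

The point to check in a real review is that no handler reads a role, user id or ownership claim from the request body or query string; the session token is the only client-supplied input, and everything else is looked up on the server.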

Munro noted that the attack he used was only one of Cayla's numerous vulnerabilities, such as poorly-secured wireless links, easily hackable cellular modems, and non-encrypted SIM cards, virtually all of which could be found in a frightening number of “smart” consumer goods, such as thermostats and child tracking devices. There are similar issues with many commercial and industrial products – including web cameras, smart building controllers and other security appliances.

Research conducted by Pen Test Partners has shown that the majority of these problems arise from a handful of highly preventable sources which include:

  • Cut-and-paste use of vendor-provided software and hardware reference designs with little or no review for security issues
  • Extensive use of third-party web-based services without any evaluation of how secure they are or how exposed they are to compromise through other vectors
  • Extensive use of offshore vendors throughout the supply chain for engineering, materials, and assembly, without any assessment of their security or integrity

Since we will most likely live in an even more connected future, concluded Munro, manufacturers cannot afford to ignore the need to make their products more resistant to the potential cyber-muggings awaiting them in the IoT.

Source: Information Security Magazine

Midwest Gets First Cybercrime-Fighting Dog

Police in Nebraska have recruited a highly trained dog to assist them in the fight against cybercrime.

Two-year-old black Labrador Quinn has joined the Bellevue Police Department as the Midwest's first-ever electronic storage device K-9 officer.

Unlike most sniffer dogs, who are taught to detect drugs, Officer Quinn has been specially trained to sniff out a particular chemical used in electronic devices like SIM cards, cell phones, and micro SD cards. 

"Her sole purpose is electronics detection," said Quinn's partner, cybercrimes detective Roy Howell. 

"We’ve had a couple of cases where I believe we as law enforcement officers may have missed something. A dog who can pick up an odor would be able to say 'hey, there’s something here. You need to look here.'"  

Following a two-week familiarization period in Indianapolis, Indiana, Howell has been working with the highly trained Quinn since November 3. The detective has great expectations regarding the contribution Quinn will make to local law enforcement. 

"After a night with her I thought 'this dog’s unbelievable,'" said Howell. "I want to get her to be that dog that can find something 18 inches under a wall or 18 inches underwater, or something behind a wall, or under the carpet. I’m hoping that she will make a big difference in the state."

When she isn't nosing out electronic storage devices crammed with incriminating evidence and all manner of illegal content, Officer Quinn may be called on to use her affectionate nature to offer emotional support. 

"She’s a very friendly dog. She gets along around other people very well," said Howell. "If we go inside a house and there are families and kids that are upset, we can take her to the kids and they can pet her, which will calm them down."

Quinn is the thirtieth electronic storage device K-9 officer to find employment in the United States. A position was found for her on the Bellevue force as the result of an anonymous donation, which was made through the Bellevue Public Safety Foundation. 

Another electronic storage device K-9 officer named Bear, who was trained at the same facility that put Quinn through her paces, was used in the investigation into ex-Subway spokesman, Jared Fogle.

Bear, who is also a Labrador, found a thumb drive that authorities were unable to locate during an FBI raid at Fogle's Indiana home in 2015. The drive subsequently played a key role in Fogle's arrest.

Source: Information Security Magazine

100K People Targeted by Spoof IRS Websites

Over 100,000 people were targeted by a large-scale summer threat campaign using fake IRS websites. 

The extensive phishing campaign was discovered by researchers at cloud security solutions provider Akamai.

Akamai's research team recorded threat actors using hundreds of different domains and URLs to impersonate the Internal Revenue Service of the United States over a two-month period beginning in mid-August 2019. 

Users were all directed to the same fake IRS login page, where they were asked to enter sensitive information, including their email address and password. 

In total, the campaign used at least 289 different domains and 832 URLs to target people all over the world. Most remained active for fewer than 20 days.

Most of the activity took place in the second half of August; however, researchers observed new websites being activated periodically over the course of a 47-day period.  

Threat actors appear to have targeted legacy websites, perhaps in an effort to delay detection.

Or Katz, principal lead security researcher at Akamai, told Infosecurity Magazine: "According to our analysis, we suspect that many of the websites that hosted the IRS phishing page are compromised (meaning that they are legit websites that have been taken over or hijacked by criminals). 

"In many cases these are legacy websites with minimal/no maintenance involved. This is what makes them vulnerable in the first place. Moreover, once compromised, it might also take more time to execute remediation of the vulnerability and cleaning of the website content." 

Katz suspects that opting for an August launch date was a calculated decision by the threat actors.

He said: "According to past phishing research I was doing, August is a good time to get more engagement from victims. It might be related to being on vacations and having more time to read personal emails, browse, and use social networks. But scams like this can show up at any time of the year because it is a topic that gets attention and, in some cases, causes fear, leading the victim to take an action such as providing sensitive information, downloading a file, or clicking a malicious link."

Asked why he thought attackers had chosen to impersonate America's Internal Revenue Service, Katz replied: "I haven’t seen many IRS attacks in the past year, and it might be associated with that, as it wouldn't be in victims' attention to be aware of campaigns associated with IRS. 

"The second reason is related to the IRS being trustworthy and an official brand; that can create more engagement from victims."

Source: Information Security Magazine

Vishing Attacks to Become Commonplace in 2020

Cybersecurity experts predict that voicemail phishing attacks, otherwise known as vishing, could become a daily occurrence in 2020. 

Threat research conducted by Mimecast found that malicious voicemail messages were not just on the rise, but were "evolving and more nuanced than ever before." 

In the "Quarterly Threat Intelligence Report: Risk and Resilience Insights" report released by Mimecast today, researchers warned that in 2020, "voicemail will feature more prominently." 

Researchers wrote: "The potential for the addition of complexity and malicious payloads, as well as simple phishing, cannot be overlooked. In addition, because the processes and technology to automate voicemail attacks are already ubiquitous, these forms of voicemail phishing will become commonplace in 2020."

Asked with what regularity vishing attacks might strike next year, Carl Wearn, head of E-Crime at Mimecast, told Infosecurity Magazine: "Potentially daily; this is already being seen in our data."

Wearn predicted a rise in the number of private individuals who will fall victim to vishing in the year ahead. 

"It’s potentially a simple vector, and in its most prevalent and simplistic form, these attacks will be phishing emails that claim a missed message and merely attempt to entice you to click on a link to cause infection or compromise," said Wearn.

According to Wearn, the growth in vishing could result in some significant financial losses.

Wearn said: "The impact will increase as more people are fooled by it. Losses will depend on the sophistication deployed. In the main, attacks will be low-sophistication URL link lures, but it is highly likely that specific targeted attacks employing ML (Machine Learning) will cause some high-value losses."

Vishing is believed to have already reached a high level of complexity following reports earlier this year of a manager at a UK energy company being duped out of £200,000 by cyber-criminals who used artificial intelligence to make a spoof voicemail that sounded like it had been left by the manager's boss. 

Predicting how vishing scams are likely to evolve, Wearn said: "The majority of attacks will be low effort and similar to phishing, but, increasingly, ML and artificial intelligence (AI) will be utilized as these technologies mature, and they will be very difficult to detect without similar ML/AI defense mechanisms."

When asked what makes vishing seem so inherently sinister, Wearn painted a chilling picture of the form these attacks may soon take. 

"I think the real sinister aspect pertains to the potential for AI/ML to aggregate speech into wholly electronically constructed fake conversations. The idea that a soulless machine can fool you into thinking you are talking to a real person is inherently disconcerting to anyone and no doubt embarrassing if you fall victim to it."

Source: Information Security Magazine

#InfosecNA: How to Know If You’ve Been Compromised

Speaking at Infosecurity ISACA North America Expo and Conference in New York, Marc Keating, senior sales engineer at Arctic Wolf Networks, outlined steps organizations can take to gauge whether or not they have suffered a data compromise.

Keating said that cyber-threats are evolving quickly: “What we are up against today in this world are people who go to work to break into your company,” he said. “They are being funded by nation states. The most important thing to understand is that cyber-attackers are very organized.”

Therefore, it has never been more important for companies to be able to quickly and accurately detect breaches if they occur.

The first step in successful prevention and detection is understanding the attack vectors cyber-criminals use, Keating added. He cited an ‘attack chain’ of reconnaissance, weaponization, delivery, exploit and install, command and control, and action.

It’s then important to design your defense strategies around a framework. “Start with a framework that will help you understand where you need to go and where your holes are.”

It’s also vital to monitor and scan for threats everywhere in the environment, all the time. “If you monitor everything, you also want to monitor 24/7, 365 days per year.”

What’s more, logging threat information is not enough, Keating explained – the data must be taken and proactively used.

“If you’re going to go that far [monitor and scan environment], please take action on what you find,” Keating concluded.

Source: Information Security Magazine