STE WILLIAMS

I was authorized to trash my employer’s system, sysadmin tells court

Back in December 2011, Michael Thomas did what many sysadmins secretly dream of doing: he trashed his employer’s network and left a note saying he quit.

As well as deleting ClickMotive’s backups and notification systems for network problems, he cut off people’s VPN access and “tinkered” with the Texas company’s email servers. He deleted tech support wiki pages and removed contact details for the organization’s outside tech support, leaving the automotive software developer scrambling.

The real-life BOFH then left his keys, laptop, and entry badge behind with a letter of resignation and an offer to stay on as a consultant.

What Thomas didn’t consider while leaving his elaborate “screw you” was that he might be breaking the law. Just under two years later, he was charged with a single felony count of “intentionally causing damage without authorization, to a protected computer.”

He was found guilty by a jury in June last year, and in August was sentenced to time served plus three years of supervised release. He was also ordered to pay $130,000.

Now, however, Thomas is appealing [PDF] that conviction in the Fifth Circuit Court of Appeals in New Orleans using a legal defense that may have enormous implications for sysadmins across the entire United States.

In essence, Thomas is arguing that, yes, while he did intentionally cause damage it wasn’t “without authorization.” In fact, he was expressly authorized to access all the systems he accessed, and he was expressly authorized to carry out the deletions he did – every sysadmin in the world deletes backups, edits notification systems and adjusts email systems. In fact, it’s fair to say that is a big part of the job they are paid to carry out.

His legal filing to the Fifth Circuit also points out that none of his actions were forbidden by the company’s own policies.

Thomas is telling the court: sure, I trashed their systems but I did nothing illegal. And he has a point. It’s just that every company in America is terrified that he might win the argument.

Run-up

Of course, there is a back story.

Thomas was hired by a friend of his, Andrew Cain, who was the company’s first employee and its only IT staffer. As the company – which sets up and runs car dealership websites – grew, it needed a second full-time IT employee to handle demand.

Things went well for two years until, out of the blue, the company’s founders fired Cain. Cain suspected he was fired because the founders were looking to sell the company – something they had done repeatedly in the past as serial entrepreneurs – and didn’t want to give him his cut as the first employee. On the same day they fired Cain – a Thursday – Thomas was offered a bonus to stay on and take over his friend’s job.

It’s fair to say that Cain was just a tad irritated. And he called Thomas to tell him the news and that he would be suing for wrongful dismissal. And that’s when ClickMotive started having trouble with its IT systems.

Thomas’ appeal filing admits many of the things that came out during the investigation and trial: he obtained emails from ClickMotive’s system and forwarded them to Cain’s wife to help his lawsuit.

The day after Cain was fired, a Friday, the entire ClickMotive network went down from a power outage. Thomas got it back up and was still working remotely on Saturday, mopping up problems. Then, on the Sunday, the network was hit with a denial-of-service attack, taking it down again.

And so Thomas drove to the office on Sunday evening and started working on getting it back up. While there, however, he also carried out a whole range of other activities before departing a few hours later, leaving behind his keys, laptop, badge and a resignation letter, which were discovered the next morning.

That Sunday, Thomas deleted remotely stored backups and turned off the automated backup system. He made some changes to VPN authentication that basically locked everybody out, and turned off the automatic restart. He deleted internal IT wiki pages, removed users from a mailing list, deactivated the company’s pager notification system, and a number of other things that basically created a huge mess that the company spent the whole of Monday sorting out (it turned out there were local copies of the deleted backups).

Authorized

While the company’s actions don’t exactly cover it in glory, using your admin privileges to delete backups and mess up your employer’s system is not a great idea (no matter how appealing it might be). The question is: is it illegal?

“Michael Thomas had unlimited authorization to access, manage, and use ClickMotive’s computer systems,” argue his lawyers at Tor Ekeland, “and was given broad discretion in his exercise of that authority.”

Unsurprisingly, as one of only two IT people in the company, Thomas had free rein over its computer systems. He could manage users and their privileges without seeking specific authorization, and part of his job was to delete unnecessary data.

As the filing argues: “The central issue in this case is whether Thomas acted ‘without authorization’ if he performed these same actions in a manner that was contrary to the company’s interests.”

And it argues that he didn’t. He had the right to make changes to all the systems he touched; the term “without authorization” is ambiguous and was interpreted too broadly in his case; and the court didn’t identify exactly what he did that was prohibited.

Because the appeal focuses on the specific statutory language used to convict Thomas, it could have far-reaching implications either way.

If he is found to have acted without authorization, the question then becomes: does that make other sysadmins criminally liable for mistakes they might make unless they get explicit permission beforehand? That would create a hell of a problem.

If Thomas is found to have acted with authorization, every company will wonder if that gives their sysadmins carte blanche to ruin their systems with no legal comeback. That’s not going to sit very well in boardrooms.

Of course, one solution would be to have explicit, commonsense company policies about what sysadmins are allowed to do and what they are not allowed without additional permission.

Or perhaps the better solution is to follow an age-old piece of advice that company bosses never seem to grasp: don’t treat your employees like shit. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/23/michael_thomas_appeals_conviction/

Hackers spam Counter-Strike: Global Offensive to spotlight security flaws

Gamers logging on to Valve’s popular first-person shooter, Counter-Strike: Global Offensive (CS:GO), earlier this week found themselves confronted by a rather aggrieved and aggressive wall of text spammed in the game lobbies.

According to screenshots posted by CS:GO players, the text complained that in-game security issues were going unnoticed and unmitigated by Valve, which, the message claimed, was more interested in taking money from players than in fixing security issues, as “in its current state it is unplayable”.

Within a day of this hack going live, a Valve staff member commented on the complaint thread that the exploit had been mitigated via a “temporary solution,” with a more permanent fix coming within a week or so.

Ironically, the spammed text says that “we are customers that are willing to pay for a good game without hackers and bugs”, yet the tactic the spammers used exploited an in-game vulnerability that let them post the message to multiple game lobbies – apparently including private lobbies – over and over for hours, if not days, according to the Reddit thread where the issue was first reported. In essence, they hacked the game to prove that the game is hackable.

Whoever is responsible for the lobby hack also appears to have posted numerous videos showing other in-game exploits at work, often using a combination of bots and JavaScript either to infiltrate CS:GO lobbies or to change a player’s displayed rank to “Global Elite”, the highest and hardest-to-reach rank in the game.

The hackers behind the text spam also published their lobby-hacking script, so anyone so inclined could copy the attack until the hotfix was deployed.

The volume of the lobby text-spam and the infiltration of private rooms certainly annoyed and spooked a number of players, judging by the comments in the Reddit thread. Opinions are mixed on whether the hackers made their case: in-game cheating has been a problem in highly competitive games like Counter-Strike for a very long time, and almost anyone who plays them runs into bots or cheats at some point.

Game companies are often in an arms race to deploy more sophisticated countermeasures to clamp down on the practice. But while spamming game lobbies and making the game more difficult to play may have grabbed attention from players and Valve alike, it’s questionable if the hackers’ tactics really helped their cause.

While there are many approaches to disclosure recommended in the field, the approach the hackers took here is akin to dropping a zero-day with no coordination with the vendor. We would have recommended a more coordinated disclosure approach, giving Valve specific details on an exploit used by cheaters, and then allowing them a chance to investigate and respond before making the details public.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JDkvvzsliIw/

Lawmakers set to overturn broadband privacy rules, as ISPs requested

Congress is looking to undo recently passed broadband privacy rules that industry groups have called “dysfunctional” and that consumer groups call important to ensuring that ISPs can’t sell customers’ data without their consent.

A week ago, Republican senator Jeff Flake of Arizona confirmed to Politico that he’s planning to use the Congressional Review Act (CRA) to get rid of the Federal Communications Commission’s (FCC’s) broadband privacy rules.

The CRA is an obscure, rarely used law that’s now being wielded against an array of Obama-era regulations, including one that limits the venting of the greenhouse gas methane from oil- and gas-drilling facilities and one that requires federal contractors to report previous labor law violations.

A consortium of 19 privacy and consumer-rights groups on January 27 urged Congress to let the FCC rules stand. The rules require consumers to opt in before a broadband provider can sell their web-browsing and other information to advertisers and other third parties, and they require that users be notified when user data is breached by hackers.

The rules in question were passed in October.

The ISPs – including AT&T and Verizon – have lobbied hard against the privacy rules, which impose tougher privacy standards on them than on sites such as Google and Facebook; such internet giants are governed instead by Federal Trade Commission (FTC) rules.

One industry voice – Scott Cleland, chairman of NetCompetition, a pro-competition e-forum supported by broadband interests – described the privacy rules as the outcome of a turf war between the two federal agencies:

President Obama’s Federal Communications Commission took a federal consumer privacy regulation situation that wasn’t broken, self-servingly broke it with Title II, and left it broken for over a year. Two weeks before the election, the agency finally advanced a “fix” that made most everything worse for everyone but the FCC.

The weapon Republicans plan to wield against the privacy rules – the CRA – lets Congress eliminate an agency rule with a simple majority vote. It also bars the agency from reissuing a rule in substantially the same form unless Congress later authorizes it.

Sources told Politico that Senator Flake had about 12 co-sponsors lined up as of two weeks ago. Marsha Blackburn (R-Tenn.), who chairs the House Energy and Commerce’s technology subcommittee, has said that she was speaking with colleagues in the Senate “daily” about how to best use the CRA to undo the broadband privacy rules.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RGScZCZwTOo/

How much does Facebook really know about you – and is it right?

There’s an old expression: if you’re not paying for the product, you are the product. This is broadly understood by many people to apply to social media and they’re right. If you’re enjoying Facebook’s service, great. If you think you’re getting it for nothing, you’re kidding yourself. Facebook is tracking what you do on its site and when you hit a “like” button on someone else’s site.

A number of online facilities are starting to become available not so much to fight this as to help people understand what they’re handing over. One such is Data Selfie, and I tried it. It’s a Chrome extension and it simply tracks what you’re doing on Facebook. It only tracks sessions during which you have the extension open at your desktop, so mine looked like this:

[Screenshot: Data Selfie’s log of the author’s Facebook session]

It’s a world of dull that masks the fact that I was also on Facebook on the tablet, on the phone – it’s fine if you’re on the desktop the whole day. Tellingly, it suggests I’d been on several pages that I hadn’t. If Horizn Studios is reading and Facebook is selling me as an ad click then ask for your money back. I may have had a page served up as a sidebar thing but I’ve never consciously clicked your links.

Of more practical use is Stalkscan. Feed the homepage of any Facebook user into this and it will start to tell you not only what they’ve made public but, crucially, the links Facebook can make with its aggregated data. So I put my profile in and tried clicking on “Schoolmates”:

[Screenshot: Stalkscan’s “Schoolmates” results for the author’s profile]

It produced plenty of errors (and don’t even bother hitting “colleagues” when someone’s job title is “freelance”, honestly, we don’t always know each other). However, within seconds it had linked me (correctly) with someone with whom I’d lost touch but who was in the same class as me some 40 years ago; it had also found some of my brother’s friends (no picture of that page in order to respect their privacy). It could tell me which (pretty random) posts I’d liked, also if I’d been assiduous in checking in to restaurants it could have told me where I’d eaten. Thanks to my lackadaisical approach to keeping Facebook up to date, it is convinced I have read four books in the last five years.

The curious thing there is that it could track who I knew but didn’t know was on Facebook; it had an idea of my likes and dislikes and, unlike me, could interrelate them with the likes and dislikes of other people. It’s not perfect; other than the “freelance” glitch it didn’t have anything for events, while in real life my book group is arranged through Facebook and takes place only a week from now.

It knew, however, a lot and was able to work out even more. Pictures in which I’d been tagged. People I probably knew (although the idea that I never visit bars was pretty wide of the mark). The good news is that you can use the same facility to check what they might know, or imagine they know, about you.

The principle of alerting people to how they’re being tracked has been welcomed. Jim Killock, executive director of Open Rights Group, welcomed the moves:

Facebook’s business model is to gather as much information as possible about its users so that it can monetise that data. It’s not in Facebook’s interests to make its users aware of this so initiatives to help people to understand how much data they are giving away are welcome.

We just wonder in turn how those initiatives are funded…


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tJVLRGfa5Mw/

Deutsche Telekom hack suspect arrested at London airport

UK police have arrested a suspect in connection with an attack that infected nearly 1 million Deutsche Telekom routers last November.

The as-yet-unnamed 29-year-old British suspect was arrested at a London airport by officers from the UK’s National Crime Agency (NCA) on Wednesday, Reuters reports.

The attack on Germany’s largest telco disrupted service for 900,000 customers. A modified version of the infamous Mirai worm – which hijacks CCTV cameras, PVRs and other Internet-of-Things kit – was blamed for the outage.

German police have issued a statement (in German). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/23/deutsche_telekom_hack_suspect_arrested/

End-Of-Life Software Alive And Well On US PCs

7.5% of US users ran unpatched Windows operating systems in Q4 2016, up from 6.1% in Q3 2016, a new study shows.

The average PC user in the United States has 75 programs installed, and 7.4% of those are end-of-life software that no longer receives regular vendor security updates.

This finding comes from a new report published this week by Secunia Research at Flexera Software, which studied vulnerable software on private PCs in 12 countries.

Unpatched software vulnerabilities are popular and obvious attack vectors, and unpatched private devices can ultimately affect businesses whose users work from home devices.

The annual rise in the number of vulnerabilities is making it harder for businesses to manage the risk of unpatched software, explains Kasper Lindgaard, director of Secunia Research at Flexera Software. The firm’s report lists the vulnerable applications found on those PCs and ranks them by how much they expose the machines to attack.

“Once hackers successfully exploit a vulnerability, they have the ability to start moving around in the businesses and start to gain access to data of all kinds,” he says. “It is then down to the imagination of the hacker what data will be stolen, if it will be leaked, if direct or indirect financial impacts will happen.”

In Q4 2016, some 7.5% of private PC users in the US had unpatched Windows operating systems (Win7, Win8, Win10, Windows Vista). This marks a decrease from 9.9% in Q4 2015, but an increase from 6.1% in Q3 2016. Of the 75 programs installed on each device, 42% are Microsoft programs and 58% come from other vendors.

Lindgaard says he wouldn’t call it “easy” for attackers to exploit Windows machines, but notes that the longer a security patch goes uninstalled, the more time attackers have to develop a working exploit. For most popular apps, patches are available the same day vulnerabilities are disclosed, so businesses and private users can mitigate the risk quickly.

“The fact that this is not happening every time shows that there is work to be done with the software supply chain,” he notes. “The gap between vendors and users, when it comes to users knowing about the vulnerabilities affecting products to applying security patches, is still too wide.”

Fourteen percent of users had unpatched non-Microsoft programs in Q4 2016, an increase from 13.8% in Q3 2016 and 12.2% in Q4 2015. Forty-two percent of vulnerabilities originated from non-Microsoft programs between January and December 2016, according to the Secunia report.

iTunes For the ‘Win’

Secunia ranks the top most exposed programs based on two parameters: percentage of market share, multiplied by how many users neglect to patch them when a patch is available.

The most exposed programs in Q4 2016 were Apple iTunes 12.x. (55% unpatched); Oracle Java JRE 1.8.x/8.x, (50% unpatched); VLC Media Player 2.x (44% unpatched); Adobe Reader XI 11.x (48% unpatched); and Google Picasa 3.x (48% unpatched).

Lindgaard says he’s surprised to see this trend, which is consistent quarter after quarter. “Security updates for each of these products are straightforward to download and apply, if the users are aware of the patches,” he notes.

Awareness is part of the problem. Many products and systems go unpatched because of dysfunction in the software supply chain, he continues: too few users and businesses are aware of the problem, or willing to invest in the resources needed to get an overview of what they run and fix it, so patching slows down.

Attackers know that most private PC users don’t want to put in the effort for regular security maintenance, and the burden is real: researchers found the average device requires 26 different update mechanisms to patch its 75 programs.

Users who keep running unsupported, end-of-life programs with known vulnerabilities remain at risk, since no patch will ever arrive for them.

“Patch, patch, patch,” says Lindgaard to private users and security pros. “But before you do, make sure you know which products you are running. Second, ensure you have the required vulnerability intelligence, so you actually know when — and what — you need to patch.”

Private users, he explains, should regularly scan their devices and wipe end-of-life programs from their systems. Enterprise security teams should work with software management teams to find and inventory their apps, and remove unsupported programs from the mix.
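A minimal version of the inventory-first approach Lindgaard describes, as an added example rather than anything from Secunia’s or Flexera’s tooling: an installed-software list is checked against a lifecycle table to separate current, unpatched, end-of-life and unknown programs, and the distinct update channels are counted. The product names, versions and lifecycle table are constructed for the illustration; a real audit would read the inventory from the OS package list or registry and the lifecycle data from vendor notices. Note the version comparison: versions must be compared numerically, because as strings “9.2” sorts above “10.0.1” and a stale install would be reported as current.

```python
"""Flag end-of-life and unpatched programs in a PC software inventory.

Added illustration; not Secunia's or Flexera's code. The inventory and the
lifecycle table are constructed for the example.
"""
import re


def parse_version(text: str) -> tuple:
    """'11.0.19' -> (11, 0, 19), '8u121' -> (8, 121).
    Tuples of ints compare correctly; as strings '9.2' > '10.0.1'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def classify(name: str, installed: str, lifecycle: dict) -> str:
    entry = lifecycle.get(name)
    if entry is None:
        return "unknown"          # no lifecycle data: needs a human decision
    if entry["eol"]:
        return "end-of-life"      # vendor ships no fixes, whatever the version
    if parse_version(installed) < parse_version(entry["latest"]):
        return "unpatched"        # a newer, fixed build exists
    return "current"


def audit(inventory: list, lifecycle: dict) -> dict:
    """Group installed programs by status and count distinct update channels
    (each one is a separate thing the user has to keep an eye on)."""
    report = {"current": [], "unpatched": [], "end-of-life": [], "unknown": []}
    channels = set()
    for item in inventory:
        report[classify(item["name"], item["version"], lifecycle)].append(item["name"])
        channels.add(lifecycle.get(item["name"], {}).get("updater", "manual"))
    report["update_mechanisms"] = len(channels)
    return report


# Constructed lifecycle table: newest fixed version, EOL flag, update channel.
LIFECYCLE = {
    "MediaPlayer": {"latest": "2.2.4", "eol": False, "updater": "in-app"},
    "Runtime":     {"latest": "8u121", "eol": False, "updater": "vendor-tray"},
    "Browser":     {"latest": "10.0.1", "eol": False, "updater": "self-update"},
    "PdfViewer":   {"latest": "11.0.19", "eol": False, "updater": "vendor-tray"},
    "PhotoTool":   {"latest": "3.9.141", "eol": True, "updater": "none"},
}

# Constructed inventory of one machine.
INVENTORY = [
    {"name": "MediaPlayer", "version": "2.2.4"},
    {"name": "Runtime", "version": "8u101"},      # behind 8u121
    {"name": "Browser", "version": "9.2"},        # behind 10.0.1; a string compare would miss it
    {"name": "PhotoTool", "version": "3.9.141"},  # latest build, but the product is EOL
    {"name": "PdfViewer", "version": "11.0.19"},
    {"name": "OldUtility", "version": "1.0"},     # no lifecycle data at all
]


def run() -> dict:
    return audit(INVENTORY, LIFECYCLE)


if __name__ == "__main__":
    for status, names in run().items():
        print(f"{status}: {names}")
```

The “unknown” bucket is deliberately kept separate from “current”: a program the lifecycle feed knows nothing about is exactly the one Lindgaard’s first step (know what you are running) is meant to surface, and silently treating it as fine would hide it again.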

Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance Technology, before which she was a staff writer for InformationWeek and InformationWeek Education.

Article source: http://www.darkreading.com/vulnerabilities---threats/end-of-life-software-alive-and-well-on-us-pcs/d/d-id/1328247?_mc=RSS_DR_EDT

How to Secure Hyperconverged Infrastructures & Why It Is Different

What’s This?

The next-generation datacenter requires new security practices, but that doesn’t mean everything we learned about datacenter security becomes obsolete.

Securing traditional datacenters used to be all about perimeter defenses, such as firewalls, that kept threats away from internal networks. That was enough a decade ago; today’s next-generation datacenters face advanced attacks from malware and intruders aiming to get in and remain undetected for as long as possible.

Network segmentation using firewalls to protect data and users from cross-contamination can be extremely complicated in large environments. Any form of micro-segmentation grows more complex as endpoints are added to the network, and doing it with hardware that is not application-aware eventually creates bottlenecks and performance problems as the network grows.

Hyperconverged infrastructures (HCI), the building blocks of the software-defined datacenter (SDDC), cannot rely on legacy security methods. They need a security model that is just as flexible as the infrastructure it runs on. The difference between securing traditional multi-tier infrastructures and converged architectures is that the latter needs a more policy-based approach, tying security to the applications themselves. Instead of a network-based security model, hyperconverged infrastructures require application-based security policies that decide which computing instances may communicate with each other, regardless of network segment.
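What an application-based policy looks like in practice, as an added example rather than code from the article or from any HCI product: workloads carry labels, rules select source and destination by label, and the decision never consults an IP address or network segment, so a workload keeps the same verdict when it is migrated to another node. The label names, workloads and flows are constructed for the illustration.

```python
"""Application-based (label-selected) flow policy for an HCI cluster.

Added illustration; not code from the article or from any HCI vendor.
The labels, workloads and flows below are constructed for the example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Workload:
    name: str
    labels: frozenset       # identity, e.g. {"app=shop", "tier=web"}
    node: str = "node-1"    # placement; deliberately NOT a policy input


@dataclass(frozen=True)
class Rule:
    src: frozenset          # every label here must be on the source
    dst: frozenset          # every label here must be on the destination
    port: int
    proto: str = "tcp"


def selects(selector: frozenset, workload: Workload) -> bool:
    """A selector matches when all of its labels are carried by the workload."""
    return selector <= workload.labels


def allowed(policy: list, src: Workload, dst: Workload, port: int, proto: str = "tcp") -> bool:
    """Default deny: permit the flow only if some rule selects both endpoints
    and names the port/protocol. Direction matters (src and dst are distinct)."""
    return any(
        r.port == port and r.proto == proto
        and selects(r.src, src) and selects(r.dst, dst)
        for r in policy
    )


def labels(*items: str) -> frozenset:
    return frozenset(items)


POLICY = [
    Rule(src=labels("tier=web"), dst=labels("tier=app"), port=8080),
    Rule(src=labels("tier=app"), dst=labels("tier=db"), port=5432),
    Rule(src=labels("role=backup"), dst=labels("tier=db"), port=5432),
]

WEB = Workload("web-01", labels("app=shop", "tier=web"), node="node-1")
APP = Workload("app-07", labels("app=shop", "tier=app"), node="node-2")
DB = Workload("db-02", labels("app=shop", "tier=db"), node="node-3")
BACKUP = Workload("bkp-01", labels("role=backup"), node="node-3")


def evaluate_sample_flows() -> dict:
    """Decide a handful of constructed flows; returns {flow: permitted?}."""
    return {
        "web->app:8080": allowed(POLICY, WEB, APP, 8080),        # True
        "app->db:5432": allowed(POLICY, APP, DB, 5432),          # True
        "backup->db:5432": allowed(POLICY, BACKUP, DB, 5432),    # True
        "web->db:5432": allowed(POLICY, WEB, DB, 5432),          # no rule -> False
        "db->app:8080": allowed(POLICY, DB, APP, 8080),          # wrong direction -> False
        "app->db:22": allowed(POLICY, APP, DB, 22),              # wrong port -> False
    }


def same_verdict_after_migration() -> bool:
    """Moving APP to another node changes nothing: the policy follows the
    workload, which is the point of not keying rules on addresses or segments."""
    moved = replace(APP, node="node-1")
    return allowed(POLICY, WEB, moved, 8080) == allowed(POLICY, WEB, APP, 8080)


if __name__ == "__main__":
    for flow, ok in evaluate_sample_flows().items():
        print(f"{flow:18} {'ALLOW' if ok else 'DENY'}")
    print("verdict unchanged after migration:", same_verdict_after_migration())
```

Compare this with a port-and-address ACL: moving APP from node-2 to node-1 would change its address and typically its segment, and the ACL would need to be rewritten; here nothing changes because the policy was never about where the workload sits.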

Application-based policies in hyperconverged infrastructures reduce complexity and let security focus on workloads instead of managing ports, virtual networks and access control lists. Individual computing instances, such as servers, users and workloads, can carry security policies that describe their expected behaviour throughout their entire lifecycle. And because the same software stack for networking, storage and compute runs uniformly across the whole cluster, it is vital to always know the system’s state and to alert when it changes.
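The “know your state and alert when it changes” advice above, as an added example that is not from the article or from any vendor’s tooling: each node’s configuration is reduced to a canonical hash and compared with a golden baseline, and a drifted node gets a human-readable list of what changed. The baseline and node snapshots are constructed; in a real deployment they would come from the cluster’s management API.

```python
"""Cluster configuration baseline with drift alerting.

Added illustration; not code from the article or from any HCI vendor.
The golden config and node snapshots are constructed; a real collector
would pull them from the cluster's management API.
"""
import hashlib
import json


def fingerprint(config: dict) -> str:
    """Hash of canonical JSON (sorted keys, no whitespace), so that key order
    and formatting differences do not masquerade as drift."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff(baseline: dict, current: dict, prefix: str = "") -> list:
    """Dotted paths whose values were added, removed or changed."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        path = f"{prefix}{key}"
        if key not in baseline:
            changes.append(f"{path}: added {current[key]!r}")
        elif key not in current:
            changes.append(f"{path}: removed (was {baseline[key]!r})")
        elif isinstance(baseline[key], dict) and isinstance(current[key], dict):
            changes.extend(diff(baseline[key], current[key], path + "."))
        elif baseline[key] != current[key]:
            changes.append(f"{path}: {baseline[key]!r} -> {current[key]!r}")
    return changes


def check_cluster(baseline: dict, nodes: dict) -> dict:
    """Return {node: [changes]} for every node whose config no longer matches
    the golden baseline. The hash comparison is the cheap first pass; the
    diff tells an operator what to look at."""
    golden = fingerprint(baseline)
    return {name: diff(baseline, cfg) for name, cfg in nodes.items()
            if fingerprint(cfg) != golden}


# Constructed golden configuration for a three-node cluster.
BASELINE = {
    "ssh": {"password_auth": False, "allowed_groups": ["hci-admins"]},
    "mgmt_api": {"bind": "10.0.0.0/24", "tls_min": "1.2"},
    "storage": {"encryption_at_rest": True},
}

# Constructed snapshots: node-2 has had its management API opened to the
# world and password SSH turned back on; node-3 gained a debug flag.
NODES = {
    "node-1": json.loads(json.dumps(BASELINE)),
    "node-2": {
        "ssh": {"password_auth": True, "allowed_groups": ["hci-admins"]},
        "mgmt_api": {"bind": "0.0.0.0/0", "tls_min": "1.2"},
        "storage": {"encryption_at_rest": True},
    },
    "node-3": {
        "ssh": {"password_auth": False, "allowed_groups": ["hci-admins"]},
        "mgmt_api": {"bind": "10.0.0.0/24", "tls_min": "1.2", "debug": True},
        "storage": {"encryption_at_rest": True},
    },
}


def run() -> dict:
    return check_cluster(BASELINE, NODES)


if __name__ == "__main__":
    for node, changes in run().items():
        print(f"ALERT {node}")
        for change in changes:
            print("   ", change)
```

The same check covers the control-plane exposure the article goes on to mention: a management API bound to 0.0.0.0/0 on a single node is exactly the kind of drift that turns one weak node into access to every cluster, and it is caught here within one polling interval rather than at the next manual review.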

Using more than one hyperconverged vendor reduces the risk that a single zero-day leaves the entire infrastructure vulnerable. Limiting access to the control plane of the hyperconverged infrastructure is also mandatory, since that is what would otherwise hand an attacker full control of every HCI cluster.

Firewalls are still great for securing a datacenter’s network perimeter, and network segregation is still recommended; not everything we learned about datacenter security is obsolete. However, these new hyperconverged infrastructures require much more than that, as collapsing compute, storage and networking into a single layer brings security challenges of its own that need to be addressed.

Liviu Arsene is a senior e-threat analyst for Bitdefender, with a strong background in security and technology.

Article source: http://www.darkreading.com/partner-perspectives/bitdefender/how-to-secure-hyperconverged-infrastructures-and-why-it-is-different/a/d-id/1328237?_mc=RSS_DR_EDT

Exploit Kit-Based Attacks Decline Dramatically

But it’s too soon to call this downward trend a permanent shift, experts say.

Law enforcement actions and a relative dearth of zero-day bugs appear to have contributed to a sharp decline in exploit kit activity in recent months.

It’s too soon, however, to say whether the decline represents a permanent or temporary shift away from the use of exploit kits to drop malicious payloads.

A recent report from Trend Micro showed that attacks involving exploit kits fell from 27 million in 2015 to a mere 8.8 million in 2016. The decline was especially noticeable in the second half of last year when attacks against Trend Micro customers involving the use of the notorious Angler exploit kit dropped to near zero from 3.4 million separate attacks in the first quarter of 2016.

Much of the sudden decline in exploit kit activity, according to Trend Micro, appears related to last year’s arrest of 50 individuals in Russia believed to be associated with the Angler exploit kit. The arrests resulted in an almost immediate and significant drop in exploit kit activity. For perspective, Angler accounted for more than 57% of all recorded exploit kit incidents in 2015.

In addition, Neutrino and Nuclear, two other popular exploit kits, also ceased active use in 2016. It is not clear what prompted their demise, but a lack of zero-day vulnerabilities likely played a part: there were fewer zero-days in 2016 than in previous years, making exploit kits less potent than usual.

“The shelf life of exploitable vulnerabilities and zero-days is decreasing rapidly,” says Patrick Wheeler, director of threat intelligence at Proofpoint, another vendor that has recently reported a sharp decline in exploit kit activity. Total exploit kit activity fell by 93% between January and September last year, according to Proofpoint.

Angler itself has been replaced by another exploit kit dubbed RIG, but overall attack traffic associated with exploit kits is nowhere near its 2015 highs.

“Essentially, software developers, security vendors, and organizations are patching vulnerabilities so rapidly now that exploit kits are simply much less effective than they used to be,” he says. This has made it hard for threat actors to achieve reasonable returns on their investments in exploit kits.

“Malicious email volumes have increased dramatically while mobile attack kits and [exploit kits] for IoT devices and routers have all emerged to fill the void,” he says.

Enterprises should not be lulled into a sense of false security by the drop off in exploit kit activity, says Jon Clay, director of global threat communications at Trend Micro. The decline does not necessarily mean exploit kits will not continue to be used in attacks, he says.

Unpatched systems are still a viable way to compromise a machine and gain a foothold in an organization, and enterprises should not use the trend as an excuse to skip proper patching, he says.

“We have started to see private exploit kits being developed and used by cyber gangs,” with the resources to develop such kits on their own, he says. The operators of Lurk and Pawn Storm espionage campaigns are two examples of threat groups that have used their own exploit kits to attack targets, he says.

“So we could be seeing a trend where exploit kits go private versus public,” he cautions.

Michael Marriott, a research analyst at Digital Shadows, says there’s been a great deal of change in the exploit kit landscape over the past year. But it would be a mistake to overestimate the impact of the demise of Angler and Nuclear exploit kit activity.

He points to the recent public release of source code for an exploit kit dubbed Sundown as one example of the continued threat actor interest in exploit kits. “Following the release of this source code, it’s likely we will see more exploit kits being sold across criminal forums,” he says.

“By understanding the most popular exploit kits, as well as the vulnerabilities they most commonly exploit and their favored attack vectors, organizations can learn which vulnerabilities to patch as a priority,” Marriott says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: http://www.darkreading.com/attacks-breaches/exploit-kit-based-attacks-decline-dramatically/d/d-id/1328246?_mc=RSS_DR_EDT

Microsoft Releases Security Updates For Some, Not All, Flaws

February 21 release addresses Adobe Flash Player bugs for Internet Explorer on Windows 8.1 and Edge for Windows 10.

After delaying its Patch Tuesday release slated for February 14, reportedly owing to a last-minute hitch, Microsoft this week issued security patches, but only for some vulnerabilities: two known zero-day vulnerabilities were not addressed in the release, notes security expert Graham Cluley.

The February 21 release covers vulnerabilities in Adobe Flash Player for Internet Explorer on Windows 8.1 and for Edge on Windows 10. Missing, however, were fixes for a flaw in Windows’ handling of SMB traffic and for another bug made public by Google last week.

Both flaws are exploitable until they are fixed: exploit code for the SMB memory-corruption bug, for example, has been published on GitHub and can be used to knock a vulnerable machine over in a denial-of-service attack.



Article source: http://www.darkreading.com/vulnerabilities---threats/microsoft-releases-security-updates-for-some-not-all-flaws/d/d-id/1328248?_mc=RSS_DR_EDT

Road Map To A $200,000 Cybersecurity Job

Looking to get ahead in cybersecurity? Here are four areas to keep in mind as you make a five-year career plan.

The economics of supply and demand shape today’s cybersecurity job market. Each year, US employers post more than 120,000 openings for information security analysts and roughly one-third go unfilled. Hiring managers are bracing for a continuation of this trend, with demand for cybersecurity professionals expected to grow steadily through 2018.

Unsurprisingly, cybersecurity salaries reflect this severe talent scarcity. The median annual wage for information security analysts is more than 10% higher than that for all computer occupations, and almost 150% higher than that for all US occupations, according to the Bureau of Labor Statistics. And as high-ranking roles including chief security officers begin reporting directly to CEOs and corporate boards, compensation is likely to jump further.


For those with the right skills and experience, it’s a job-seeker’s market. But universal demand and negligible supply don’t change the fact that cybersecurity is an evolving field. Strategies, threats, and the skills to combat them can and will pivot over the coming months, making it more difficult for candidates to qualify — and stay relevant — for these lucrative opportunities.

Landing the Job, and Rising through the Ranks
Faced with boundless opportunity and constant change, IT professionals need to make strategic choices about their own development to build a long-term cybersecurity career. Here are four areas to keep in mind as you map out your five-year plan:

  1. Progressive certifications: Technical certifications are valuable for any IT professional hoping to stand out in an applicant pool, and the same rules apply to cybersecurity jobs. For entry-level, midcareer, and executive positions alike, employers increasingly want verification of job-seekers' security chops. Foundational certifications such as CompTIA's Security+ are becoming a prerequisite for anyone starting a cybersecurity career, demonstrating a solid grasp of IT threats, compliance, and identity management, but by no means should your education end there. From the International Information System Security Certification Consortium's Certified Information Systems Security Professional (CISSP) and CompTIA's Cybersecurity Analyst (CSA+) and Advanced Security Practitioner to ethical hacking certifications, there are ample opportunities for training and specialization targeted at more experienced professionals looking to move up the ladder.
  2. Strategic communication skills: Cybersecurity does not fall only under a CISO or IT department’s purview. Responsibility (and accountability) for defending corporate data and devices lies, in part, with end users, C-suites, and boards of directors as well. Cybersecurity experts must be able to communicate effectively with each audience, whether to educate employees about the dangers or secure buy-in for new security investments. To graduate into senior leadership roles, cybersecurity professionals need to demonstrate communication mastery with external audiences. As more organizations become embroiled in data breaches and legal matters (over issues such as encryption), they’ll need experts with not only technical smarts but the capacity to navigate crisis communications and public sector partnerships. 
  3. Government clearances: Almost all industries are in need of more cybersecurity manpower, but the public sector is one vertical playing a fervent game of catch-up. Per the Federal Cybersecurity Workforce Strategy released last July, the government is on the hook to more proactively identify internal cybersecurity gaps, better recruit security experts, and develop career paths to retain top talent. Beyond technical certifications, public administration cybersecurity jobs are almost three times as likely to require security clearances as cybersecurity openings in general. Obtaining the appropriate clearances in advance can set a resume apart and expedite the hiring process.
  4. Digital forensics: As organizations and governments around the world accept the inevitability of cyberattacks (or, at least, attempts), greater attention and resources must be paid to what happens in their wake. The field of digital forensics — extracting “evidence” from devices and other IT systems to understand, potentially prosecute, and later prevent, cybercrimes — is in need of more than a few good recruits. As threats from state-sponsored actors, organized crime groups and hacktivists rise, the public and private sectors need experts who specialize in reverse-engineering attacks and threat hunting. Professionals who concentrate their training around digital forensics now will be invaluable as the cybersecurity landscape becomes more globalized and litigious.

Despite employers' pressing need for cybersecurity talent, job and promotion-seekers need to take a calculated approach to developing their careers. Tremendous responsibility and generous salaries aren't simply up for grabs; they're the reward for professionals with the most comprehensive, future-proof expertise.


Todd Thibodeaux is the president and chief executive officer of the Computing Technology Industry Association, the leading trade association representing the business interests of the global information technology industry. He is responsible for leading strategy, development …

Article source: http://www.darkreading.com/careers-and-people/road-map-to-a-$200000-cybersecurity-job/a/d-id/1328218?_mc=RSS_DR_EDT