STE WILLIAMS

Google Shines Light On Corporate Gmail Threats

New data highlights the diversity of security threats putting corporate Gmail inboxes at risk.

New research from Google shows how different types of email attacks are more likely to land in corporate inboxes than personal ones.

Each minute, Google prevents more than 10 million unsafe emails from reaching users who could fall victim to phishing attacks or malicious attachments, report Ali Zand and Vijay Eranti of Anti-Abuse Research and Gmail Abuse at Google.

At last week’s RSA Conference, Google shared data on the diversity of security threats to corporate Gmail accounts.

Spam is a common problem, for example, but malware and phishing attacks are more likely to target enterprise users. Attackers send 4.3x more malware, 6.2x more phishing emails, and 0.4x as much spam to corporate inboxes than to personal email accounts.

Cybercriminals pick their victims based on several variables: the size and type of the business, industry, and geographical location. In a landscape where no two corporate entities face the same threats, security managers must adjust their strategies to align with specific attacks.

Looking at business inboxes as a baseline, Google found attackers are 2.3x more likely to target nonprofits with malware, followed by educational institutions (2.1x), and government-related industries (1.3x). Businesses are more likely to be targeted with phishing and spam attacks.

Research also shows entertainment, IT, and housing-related companies are most frequently targeted by spam as of Q1 2017. Financial, arts, and IT-related businesses are most targeted by phishing, and targeted financial phishing has increased. Ransomware is the largest malware threat.

The company also pulled interesting data on how spam varies across geographies. India and Japan have the most spammed inboxes as of Q1 2017. The world’s largest spammers — USA, Germany, and France — target other countries.

Google takes these types of findings and uses them to improve security across its products and services. It employs deep learning to stay ahead of spammers and prevent email abuse, and reports less than 0.1% of email in the average Gmail inbox is spam.

Check out more details on the Google blog.

Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she’s not catching up on the latest in tech, Kelly enjoys …

Article source: http://www.darkreading.com/threat-intelligence/google-shines-light-on-corporate-gmail-threats/d/d-id/1328220?_mc=RSS_DR_EDT

Stolen Health Record Databases Sell For $500,000 In The Deep Web

Electronic health record databases proving to be some of the most lucrative stolen data sets in cybercrime underground.

Medical insurance identification, medical profiles, and even complete electronic health record (EHR) databases have attracted the eyes of enterprising black hats, who increasingly see EHR-related documents as some of the hottest commodities peddled in the criminal underground. A new report today shows that complete EHR databases can fetch as much as $500,000 on the Deep Web, and attackers are also making their money off of smaller caches of farmed medical identities, medical insurance ID card information, and personal medical profiles.

The data comes by way of a report from Trend Micro’s TrendLabs Forward-Looking Threat Research (FTR) Team, which took a comprehensive look at how attackers are taking advantage of healthcare organizations’ weaknesses to devastating effect. Cybercriminals always have their eyes open for new profitable revenue streams, and the poor security around increasingly data-rich EHR systems poses a huge opportunity for the bad guys.

“Monetizing raw data such as PII is nothing new in the underground. What makes EHR in the underground so different is that some of the data can be used to create a whole new list of offerings,” says Mayra Rosario Fuentes, the author of the TrendLabs report. “These wares include fraudulent documents like tax returns or fake IDs, fake driver’s licenses or birth certificates, but also stolen prescriptions with which the buyer can buy drugs. This gives them access to controlled substances such as Ambien, a popular sleep disorder medication known to be abused by many users.”

Fuentes and her FTR team combed through the Deep Web to understand pricing models used by the criminals to sell EHR data. Complete databases may be the most highly coveted items for sale, but other wares based on raw and processed stolen health data were well within the price ranges of even petty crooks.

Medical insurance IDs with valid prescriptions were selling for $0.50 US, and complete profiles of US victims including medical and health insurance data were selling for under $1. Meanwhile, fraudulent tax returns based on stolen medical records were marketed for $13.50 and fake birth certificates based on data stolen from medical records were selling for $500.

Attackers are practically printing money when it comes to this new line of stolen goods, considering how poorly healthcare organizations are protecting their key assets. According to a separate report out today featuring a survey conducted by 451 Research on behalf of Thales, 69% of US healthcare organizations report their biggest spend is on perimeter defenses.

Meanwhile, they’re leaving holes in the network big enough to drive monster trucks through, by way of Internet of Things (IoT) medical devices and other poorly secured systems. The TrendLabs report detailed research conducted through Shodan that showed how many of these systems were left accessible to the public internet with minimal to no access controls. Not only did these systems expose the network to further lateral attacks, but in many instances they provided direct access to the EHR systems themselves, as was the case with exposed interfaces to Polycom conference systems that researchers found in one case.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/attacks-breaches/stolen-health-record-databases-sell-for-$500000-in-the-deep-web/d/d-id/1328225?_mc=RSS_DR_EDT

Survey: 14% Of IT Execs Would Pay $500K To Avoid ‘Shaming’ After A Breach


Bitdefender report shows how negative media headlines following an attack can cause financial damage, ruin business forecasts and severely damage reputations.

Some 14% of IT decision makers from large companies would pay more than $500,000 to avoid public shaming or other devastating consequences after a security breach, according to a survey by Bitdefender of 250 IT decision makers at companies in the US with more than 1,000 PCs.

The survey shows only a third of US companies would refuse to pay attackers if their infrastructure gets compromised while two-thirds would pay an average of $124K. From those who would pay, some 40% would give less than $10K, 26% between $10K and $100K, and 19% between $100K and $500K.

These results confirm that negative media headlines could cause substantial financial damage, ruin business forecasts and severely damage reputations.

In a recent case, officials from Verizon, which agreed to buy Yahoo’s core properties for $4.83B in July, told reporters that the company has “a reasonable basis” to suspect the Yahoo security breach, one of the largest ever, could have a meaningful financial impact on the deal. This further highlights the risk that cyber incidents could alter significant transactions and even destroy whole companies under the enormous pressure from both stakeholders and media. In the minds of board members, IT decision makers in C-level suites are to blame for breaches. Failure to mitigate and act quickly and efficiently in case of a breach can cost CIOs and IT managers their jobs.

Bitdefender’s survey shows 64% of IT decision makers think their company’s IT security budget is sufficient, while 26% say it is adequate but the company is understaffed. Another 7% say they have enough budget but it doesn’t support expansion. Only 3% of IT decision makers surveyed said the IT security budget in their company is insufficient. The IT decision makers, on average, say only 64% of cyberattacks can be stopped, detected or prevented with the current resources.

Bitdefender’s survey also shows that 34% of companies acknowledge that they were breached in the past 12 months, while 74% of respondents don’t know how.

Cybercriminals can spend large amounts of time inside organizations without being detected; Advanced Persistent Threats (APTs) are often defined as threats designed to evade detection. In the virtualization paradigm, since nothing executed in raw memory is encrypted – just scrambled – APTs that try to execute malicious code on a virtual machine will be intercepted by Bitdefender’s hypervisor introspection technology long before they actually compromise the operating system. In fact, as soon as the malicious code, even delivered via a zero-day exploit, tries to execute in the VM’s memory, the introspection engine will immediately “see” the malicious action and the code that it was trying to execute.

This survey was conducted in October 2016 by iSense Solutions for Bitdefender on 250 IT security purchasing professionals from enterprises with 1,000 or more PCs based in the United States. The sample included CIOs/CEOs/CISOs – 26 percent; IT managers/directors – 56 percent; IT system administrators – 10 percent; IT support specialists – 5 percent.


Razvan, a security specialist at Bitdefender, is passionate about supporting SMEs in building communities and exchanging knowledge on entrepreneurship. A former business journalist, he enjoys taking innovative approaches to hot topics and believes that the massive amount of …

Article source: http://www.darkreading.com/partner-perspectives/bitdefender/survey-14--of-it-execs-would-pay-$500k-to-avoid-shaming-after-a-breach/a/d-id/1328221?_mc=RSS_DR_EDT

Speak Up: Ransomware Attack Uses Voice Recognition

New variant of Android ransomware comes with a bizarre twist.

[UPDATED 9:50AM ET with new ESET information]

First there was a ransomware attack that spoke to its victims via a voice message, and now there’s one in the wild that requires the victim read aloud – via voice recognition – the code to free his or her infected mobile device.

Symantec researchers recently spotted a new variant of the so-called Android.Lockdroid.E mobile ransomware that now employs speech recognition APIs for the victim to input the unlock code rather than type it after paying the ransom. This bizarre yet creative twist raises more questions than it answers about the attackers’ intent, given the obvious inefficiency and potential fallibility of the voice-recognition step.

The attack thus far has been targeting Chinese-speaking victims, and a ransom note written in Mandarin appears on the infected device’s window with instructions to contact the attackers via QQ instant messaging to receive payment instructions and the unlock code.

Since the victim’s device is locked up with the ransomware, he or she must use a separate device to contact the attackers, which in and of itself could discourage or preclude payment if the victim doesn’t obtain another mobile device to finish the transaction.

That bulky and inefficient feature of the attack has researchers baffled. The attackers may well just be “live-testing” this as another payment approach, says Kevin Haley, director of Symantec Security Response.

But Haley says it’s likely this new voice recognition feature could backfire on the Lockdroid attackers. “My guess is this isn’t going to work as well,” he says. “If the victim can’t figure out how to pay the ransom, [the campaign] isn’t going to do so well,” Haley says, adding that the researchers were unable to discern how many victims had fallen for the attack.

Android.Lockdroid.E’s new voice-recognition step follows its previous version’s similarly odd step of requiring the victim to scan a barcode in order to log into the QQ messaging app: via a separate, second device. Symantec a year ago first detailed the barcode feature, noting that the malware posed as a porn app and gave the attackers admin rights on the infected device.

The newest version harbors a few implementation bugs, according to Symantec, including improper speech recognition intent-firing and copy/paste flaws. The researchers say the authors likely are experimenting with new features to shake down their victims.

Lockdroid.E is similar but not related to another mobile ransomware variant dubbed Android/LockScreen.Jisut by ESET, whose number of detections doubled in 2016 over the previous year, according to new ESET data. Lukas Stefanko, a malware researcher at ESET, says his firm calls LockDroid.E Android/LockerPin or Android/Locker.

Symantec pointed out similarities between the two Android ransomware variants: “The usage of QQ messenger as the communication platform is common across this wave of ransomware, and almost all of the Lockdroid and LockScreen variants that use Mandarin instructions share similar properties,” says Dinesh Venkatesan, principal threat analysis engineer at Symantec. “In short, we can say that they may be from similar groups, but we don’t have solid proof that the two ransomware variants are related.”

An earlier variant of Android/LockScreen.Jisut actually spoke to the victims via a voice message. “After infecting the device, a female voice speaking Chinese ‘congratulated’ the victim and asked for 40 Yuans (approx. 6 dollars) to unlock it,” ESET said in a mobile ransomware report published this month.

That was likely the handiwork of young Chinese attackers—possibly teenagers, according to ESET. Unlike most ransomware that requires payment via Bitcoin or pre-paid cash vouchers to keep the money and recipient hidden, the LockScreen attackers don’t seem to be trying to hide. “If the information in the QQ profiles is valid, the malware operators are Chinese youths between 17 and 22 years old,” ESET said in its report.

Service With A Fee

Symantec’s Haley notes that other ransomware attackers are providing more “customer service” such as instant messaging assistance to help their victims learn about Bitcoin and how to obtain it, for example. “They’re just out there trying to get their percentage of [victim] customers up,” he says.

Ransomware overall is exploding: new data this week from Check Point found that ransomware attacks doubled around the globe in the second half of 2016, from 5.5% to 10.5% of all attacks. Desktop ransomware families Locky (41%), Cryptowall (27%), and Cerber (23%) are the biggest culprits.

The Hummingbad family of malware rules the mobile ransomware world for now, at 60%, according to Check Point. Meantime, other less pervasive but more bizarre forms of ransomware such as Lockdroid.E are popping up on mobile devices as ransomware authors toy with new ways to shake down their victims.

Lockdroid is going through “an evolution,” Symantec’s Haley notes.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/endpoint/speak-up-ransomware-attack-uses-voice-recognition-/d/d-id/1328235?_mc=RSS_DR_EDT

Yahoo Trims Its Price Tag To Verizon By $350 Million

Announcement of new deal price from the previous $4.8 billion allays fears of deal cancellation or even bigger price cut.

Yahoo’s sale to Verizon Communications has taken a hit as the previously announced price of $4.8 billion has been cut by $350 million in the wake of a series of serious security lapses at Yahoo, reports NBC News.

The concession announced yesterday is still less than an expected $1 billion cut, and has somewhat reduced investor concerns.

There have been worries that the Verizon deal with Yahoo could be shelved or see a much-reduced takeover price after Yahoo announced that more than 1 billion user email accounts had been compromised in what are regarded as the two biggest security breaches in history. The breaches occurred in 2013 and 2014, and Yahoo revealed them last year.

Read details on NBC News.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/attacks-breaches/yahoo-trims-its-price-tag-to-verizon-by-$350-million-/d/d-id/1328232?_mc=RSS_DR_EDT

80% Of Web Applications Contain At Least One Security Bug

Study by Contrast Security finds an average of 45 vulnerabilities per Web application.

A new study on Web application vulnerabilities by security software firm Contrast Security shows that sensitive data exposure affects 69% of these applications and is responsible for 26% of all vulnerabilities.

Some 80% of applications contain at least one flaw, with an average of 45 vulnerabilities per application: 55% are affected by cross-site request forgery and 37% suffered from security misconfiguration.

“All of these vulnerabilities have been documented in the OWASP (Open Web Application Security Project) Top Ten for over a decade, yet they’re obviously still a major problem,” said Jeff Williams, co-founder and CTO of Contrast Security.

On comparing application vulnerabilities across Java and .NET, researchers discovered that cross-site request forgery had a higher occurrence rate in Java applications (69%) as compared to .NET (31%). Additionally, .NET applications suffered from fewer injection flaws (17%) than Java (38%).

“Insecure code has become the leading security risk and, increasingly, the leading business risk as well,” Williams said.

The full survey is here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/vulnerabilities---threats/80--of-web-applications-contain-at-least-one-security-bug/d/d-id/1328233?_mc=RSS_DR_EDT

6 Tips for Preventing Laptop Data Theft

Experts point to stronger passwords, full-disk encryption, and multi-factor authentication as ways to stop data theft in the event a laptop is lost or stolen.

Anybody can have their laptop stolen. It happened to Hillary Clinton’s campaign last fall, when three laptops were stolen from campaign workers in Philadelphia. In that case, the devices were ultimately recovered and no data appeared to have been compromised in what was considered a routine theft.

But laptop thefts can cost money. An Intel study from several years ago found that the average laptop theft costs companies roughly $50,000 – and up to $1 million in some cases.

Such thefts can be very damaging. Last year, Oregon’s Health Co-op, a nonprofit health insurance company, reported that a stolen laptop compromised the personal information of more than 15,000 current and former members.

Al Sargent, senior director of products at OneLogIn, notes that Kaspersky Lab found that the average worker takes more than 24 hours to report a lost or stolen device. That’s plenty of time for criminals to steal data or access the company’s corporate network.

“Gartner reports that one laptop is stolen every 53 seconds,” Sargent says. “What we suggest is that companies look to a single sign-on solution to change the social contract. Basically, it’s the IT department telling the users to come up with one strong password in exchange for better security.”

Frank Dickson, research director for worldwide security products at IDC, says SSO with a strong password only goes so far, however.

“The problem I have with SSO is that it still relies on the password,” Dickson says. “There are other forms of authentication, such as push notification to a cell phone and a YubiKey that companies can use. SSO needs to be paired with strong authentication to add that extra level of protection.”

Alex McSporran, director at Control Risk and International SOS, adds that companies need to spend some time training employees on these issues, especially the ones who travel for business.

“The training will equip them with a better understanding of the nature of the risk, and the measures they can take to better secure their information,” McSporran says. “While technical defenses remain critical, appropriate training, planning, preparedness and vigilance can make a real difference.”

Here are some tips compiled from Sargent, Dickson and McSporran, for reducing laptop and laptop data thefts:

Deploy a single, very strong password. Companies moving to more cloud applications understand that it’s become impossible for users to manage a password for each cloud app. By issuing a single sign-on system with one strong password, they will make life easier for both the IT staff and the rank-and-file users. It’s much tougher to break into a well-thought-out strong password. But SSO still has its single point of failure weaknesses, so experts recommend using multifactor authentication (see next tip).

Employ strong authentication. IDC’s Dickson is a stickler for strong, multi-factor authentication. He especially likes a push notification that gets authenticated on a cell phone. For example, if someone steals an employee’s laptop, they also need to have stolen their cell phone to access the laptop. Plus, people generally know when they’ve lost their cell phones and don’t wait 24 hours to report a loss, and most cell phones require a fingerprint ID or password.

Rotate passwords. Teach people about the credential supply chain. When credentials are stolen they get bundled with other stolen credentials for sale on the black market. Change passwords every 30 days. In the event that a laptop is stolen, there’s a better chance that the password that was stolen will no longer be valid.

Do research on your travel site. Before your remote employees travel, have them research the potential threats to your company’s sensitive commercial information specific to the location they will be visiting. This will help them take effective security measures to help prevent problems during the trip.

Don’t broadcast your trip. Unless it’s your spouse, significant other, or key people at work, don’t advertise a business trip. People are free and easy on Facebook today about their travels and it may not always be a good idea.

Think in terms of BYOD. Companies may decide that it just makes more sense to get out of the business of managing technology. Many companies are just giving people an allowance for a laptop and smartphone and making each person responsible for the device’s maintenance. From a security perspective, this can be scary, so if your company goes this route, know what kind of encryption the devices have. Macs come with FileVault and it’s possible to remote wipe devices via iCloud. For PCs, make sure they have full-disk encryption, experts say.


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: http://www.darkreading.com/endpoint/6-tips-for-preventing-laptop-data-theft--------/d/d-id/1328236?_mc=RSS_DR_EDT

Why We Need To Reinvent How We Catalogue Malware

One obvious trend: crimeware technologies that come with simple user consoles and functionality to create unique binaries at the click of a button.

To understand how the bad guys have become so adept at producing the flood of uniquely hashed malware, we need to look at what our adversaries have been doing the past few years.

Why go back in history? Because software takes years to spread through society according to an “adoption curve.” Despite its unconventional path from programmer to user, malware follows this same multi-year curve before it pops up on our radar. Take today’s ransomware headlines, Mario Vuksan, CEO of ReversingLabs points out, “Ransomware has been around for a long time, and it’s just exploded the last two years.”

No Magic in Building Zero Days
A black hat programmer in possession of malware’s source code always has the option to make slight alterations and build new binaries with unique hash values. The variants created through custom builds are referred to as part of a malware family, because they come from common source code. Many times cybercriminals adept at programming make their living selling these builds in online crime markets.

To really see the decline of file hashing, we need to step back in time to look at tools that have lowered the bar for those lacking source code and programming savvy to create polymorphic malware. A simple example would be packing tools.

Packers allow the insertion of malware into existing binaries, creating a distinct executable with a unique hash that runs malicious code. Anyone who can run a command line utility can pack executables even without owning any source code.

New Malware “Families” Produce Unique Children, Lots of Children
Possibly the most obvious trend leading to the proliferation of zero-day binaries are those crimeware technologies which come with simple user consoles, and include builder functionality that create unique binaries at the click of a button.

Our industry loves to come up with creative names for malware categories. Remote Access Trojans (RATs), or C2 Trojans (Command and Control Trojans) as they’re more commonly called now, caused a lot of trouble for government agencies in 2014 and 2015. The PlugX RAT, for example, led to the historic theft of 18 million classified identities from OPM. To give you a little feel for the C2 Trojan adoption curve, PlugX was first discovered six years prior, in 2008.

While PlugX’s UI is Chinese, the Gh0st RAT console pictured below is another Trojan which caused havoc. It has a UI remarkably similar to PlugX, except in English. Gh0st includes everything a novice needs to own their enemy including a “Create” button that produces unique Trojan files in about a second. Using this console, it’s actually impossible to create a Trojan binary with a known hash; building zero days is the standard workflow within the UI.

With malware this easy to use, why would your adversaries ever reuse malware files with a known fingerprint?  Image Source: Paul Shomo


Why We Should Identify Malware Families
In days past an analyst could look through threat intel to see overlapping intelligence where a given hacking crew hit their organization and other victims using the same malware hashes. Today, how do you track your malware sample back to a crew of bad actors who work off a common code base, or use common builders if they use uniquely hashed malware against all their victims? With all the zero-day malware, URLs and network communications are probably better used for attribution.

Malware reverse-engineers can manually deconstruct binaries back to their source code to identify familial DNA. But while rapid hashing of binary instances has been a mainstay of malware identification, no automated method to classify familial DNA has emerged.

Recognizing Polymorphic Malware
Builds of variants may morph their file hashes with small changes. Yet since a malware family centers around source code which defines common capabilities, sections of binaries holding this functionality remain constant across all their children.

Some vendors are able to recognize malware by noticing sections of binary files implementing functionality rather than hashing the entire file. As Tomislav Pericin, chief software architect at ReversingLabs noted, polymorphic malware can’t be correlated “based on hashing all the bits of the file anymore, that’s why we developed our own algorithms to say these files are functionally similar” and thus part of a malicious family.

We’re seeing examples of companies innovating new ways to detect polymorphic variants with partial hashing algorithms. Maybe in the future vendors will extend these approaches to cataloging families for threat intelligence, and as aides to attribution.
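The contrast between whole-file hashing and section-level matching described above, as an added Python illustration (not the page's code and not ReversingLabs' algorithm): the three "binaries" are constructed byte strings standing in for one family's builds, the builder, config strings and 0x90 padding are made up, and the chunking uses a toy rolling hash of the content-defined kind that similarity digests rely on.

```python
"""Why a new build defeats the whole-file hash but not section-level hashing.

Constructed illustration: the samples are synthetic byte strings, not real
malware, and the rolling hash is a toy, not a vendor's algorithm.
"""
import hashlib
import random

WINDOW = 8        # bytes covered by the rolling hash
MASK = 0x1F       # cut where these 5 bits are all set: about one cut per 32 bytes
MIN_CHUNK = 16
MAX_CHUNK = 128
BASE = 31
BASE_POW_W = pow(BASE, WINDOW, 1 << 32)


def chunk_spans(data: bytes) -> list:
    """Split data into content-defined chunks: cut wherever the rolling hash of
    the last WINDOW bytes matches MASK. A cut depends only on nearby bytes, so
    an insertion shifts the cuts next to it and the chunking resyncs after."""
    spans, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = (h * BASE + b) & 0xFFFFFFFF
        if i >= WINDOW:                       # drop the byte leaving the window
            h = (h - data[i - WINDOW] * BASE_POW_W) & 0xFFFFFFFF
        size = i + 1 - start
        if size >= MAX_CHUNK or (size >= MIN_CHUNK and (h & MASK) == MASK):
            spans.append((start, i + 1))
            start = i + 1
    if start < len(data):
        spans.append((start, len(data)))
    return spans


def chunk_hashes(data: bytes) -> set:
    """Hash each chunk separately; shared code sections yield shared hashes."""
    return {hashlib.sha256(data[s:e]).hexdigest() for s, e in chunk_spans(data)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard overlap of the chunk-hash sets: 1.0 identical, 0.0 disjoint."""
    ha, hb = chunk_hashes(a), chunk_hashes(b)
    return len(ha & hb) / len(ha | hb) if ha | hb else 1.0


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed stand-ins for one family's builds (synthetic bytes) ---------
def _blob(seed: int, n: int) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


HEADER = b"FAKEEXE\x00" + b"\x00" * 8      # made-up 16-byte header
CODE_PERSIST = _blob(1, 600)                # stands in for a shared persistence routine
CODE_C2LOOP = _blob(2, 600)                 # stands in for a shared C2 loop


def build_sample(config: bytes, padding: bytes = b"") -> bytes:
    """Mimic a builder's "Create" button: identical code sections around an
    operator-chosen config blob and optional padding."""
    return HEADER + CODE_PERSIST + config + padding + CODE_C2LOOP


PARENT = build_sample(b"c2=198.51.100.7:443;id=0001;")          # made-up config
VARIANT = build_sample(b"c2=203.0.113.9:8443;id=0002;", b"\x90" * 40)
UNRELATED = HEADER + _blob(3, 1260)                               # same header only


def compare() -> dict:
    """Whole-file hashes differ for every build; chunk overlap still relates them."""
    return {
        "same_file_hash": file_hash(PARENT) == file_hash(VARIANT),
        "variant_similarity": similarity(PARENT, VARIANT),
        "unrelated_similarity": similarity(PARENT, UNRELATED),
    }


if __name__ == "__main__":
    r = compare()
    print("whole-file SHA-256 equal:          ", r["same_file_hash"])
    print(f"chunk similarity parent/variant:    {r['variant_similarity']:.2f}")
    print(f"chunk similarity parent/unrelated:  {r['unrelated_similarity']:.2f}")
```

The variant scores well above the unrelated file even though its whole-file hash is new; a production system would hash functions or sections recovered from the executable's structure rather than raw byte chunks.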


It won’t happen overnight, this task is bigger than just the threat intelligence vendors. We’d have to see the industry as a whole move towards standardized ways to classify malware’s familial DNA.

This is the second in a two-part series on the slow death of malware fingerprinting. You can click on What To Do When All Malware Is Zero-Day? to read the first installment.



Paul Shomo is a senior technical manager at Guidance Software, Inc. He first joined Guidance’s new product research group in 2006, which launched the industry’s first incident response solution. For years Paul managed and architected cybersecurity and forensic products, and …

Article source: http://www.darkreading.com/threat-intelligence/why-we-need-to-reinvent-how-we-catalogue-malware/a/d-id/1328222?_mc=RSS_DR_EDT

Tunneling Through The "Walls" Of IoT In The Enterprise

The movie “Die Hard” has a thing or two to teach us about the pitfalls of the Internet of Things.

Much has already been written about the threat that Internet of Things (IoT) devices pose to the larger Internet. Think about the October 2016 Mirai botnet attacks and the discussions since then. But this column isn’t about that. It’s about the specific threat that Internet-connected devices pose to an enterprise network, and how we can intelligently apply network architecture to achieve security aims.

For an intranet, IoT devices create an overlay network comparable to the vast high-rise Los Angeles commercial building in Die Hard, where most of the 1988 movie takes place. In the film, Bruce Willis plays the role of New York City cop John McClane, who visits his estranged wife at her office Christmas party in Nakatomi Plaza in L.A. The party gets attacked by terrorists, and McClane saves the day with some ingenuity, firepower, and brawn.

L.A.'s Fox Plaza, location for Die Hard's fictional Nakatomi Place  Image Source: Capture Light via Shutterstock


In a recent blog post entitled “Nakatomi Space,” Geoff Manaugh (author of the BLDGBlog architecture blog and the book The Burglar’s Guide to the City, both of which I recommend for any cybersecurity professional) describes the movie as a great study in the unintended effects of architecture. He writes:

Over the course of the film, McClane blows up whole sections of the building; he stops elevators between floors; and he otherwise explores the internal spaces of Nakatomi Plaza in acts of virtuoso navigation that were neither imagined nor physically planned for by the architects.

His is an infrastructure of nearly uninhibited movement within the material structure of the building.

The parallels to cybersecurity are striking: network and security architects typically design networks to meet the obvious business needs of connectivity and speed. But this approach creates unintended consequences. Look around your office now and you’ll probably see network-connected printers (quite common for about two decades), VoIP phones (standard for a decade now), and probably IP-enabled cameras and building controls such as HVAC, and door and building access mechanisms such as proximity card readers (increasingly common in the past decade). In both network security and Nakatomi Space, the infrastructure was created to enable occupants to use and traverse the space, or systems, as the case may be.

Without this out-of-sight support infrastructure, the usability of the main space dramatically drops. An additional challenge is that both types of infrastructures are typically invisible from a defense standpoint. We all tend to overlook the real and digital equivalent to air ducts and windows. The attack surface this creates for enterprises was demonstrated by Ang Cui in his Stepping Pwns talk. He and his team at Red Balloon were able to compromise a network without touching a standard computer. This avoids the bulk of the defenses installed: antivirus, logging, file, and process integrity checks, for example, undermining the majority of an enterprise’s security efforts.

Applying the lessons of physical space security to network defense has been on my mind for many years. Since I first visited Halifax, Nova Scotia, about a decade ago, I’ve been eager to try and apply fortification lessons to network security. The fort at Citadel Hill, for example, “connects” via a network of flags and signals to a network of towers in the harbor waterway leading to the city. This enables defenders to signal the approach of enemy ships, giving the city hours to raise their defenses. However, in the years since I began reading Manaugh, I’ve instead begun to focus my thinking on how intelligent building designers utilize architecture and landscape features to actively defend their inhabitants.

I’m reminded of Major Gen. Sir Ernest Dunlop Swinton’s Defence of Duffer’s Drift, a 1904 novel about lessons learned in the defense of a river crossing during the Boer War. In the story, the protagonist reveals the strengths and weaknesses of various fortification positions. A combination of natural and manufactured structures alerted defenders to attackers as they approached, and forced them to attack from a weaker position. These types of insights have gone largely ignored in network security lessons. When designing networks, the castle wall narrative has been prevalent for too long – at the expense of designs that parallel the security features of well-defended cities.

Network security architecture can, and should, learn a lot from building and city architecture. The lessons can be abstracted to achieve the same goals, namely spotting intruders as they approach, and confusing them should they gain entry, or at least slowing their progress. Historically, we architected networks with a distinct management network and a separate data network. The management network requires combinations of physical and logical controls to limit access to a small set of administrators. With an increasing number of IoT devices, some administrators have advocated building a similar separate network for control devices to keep them away from the data that comprises corporate assets. This would, at the least, prevent the “Stepping Pwns” attack whereby attackers bounce around between computers and data once inside the network.

If the above discussion suggests anything, it’s that corporations shouldn’t be passive in their IoT network security. Instead, admins should ensure that they not only have visibility into what’s going on in the Internet-connected device network, but also guarantee that visibility through the entire structure of the network. Anyone who moves through the infrastructure must leave an indelible trail and be thwarted at every turn, lest they treat it as an unobstructed air duct through Nakatomi Plaza. I urge companies to turn those (virtual) air ducts into a confusing set of passages, perhaps even traps, and prevent thermostats from becoming stepping stones.
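As an added illustration of the separate-segment design and the “indelible trail” argued for above (example code, not part of the original article), the following script audits constructed flow records against a hypothetical segment plan with an IoT overlay, a management network, and a data network, and flags devices that cross into more than one foreign segment. The CIDRs, the allow-list, and the sample flows are all assumptions made for this example.

```python
import ipaddress

# Hypothetical segment plan (constructed for this example): the IoT overlay
# (cameras, HVAC, card readers), the admin-only management network, and the
# data network holding corporate assets.
SEGMENTS = {
    "iot": ipaddress.ip_network("10.30.0.0/16"),
    "mgmt": ipaddress.ip_network("10.10.0.0/24"),
    "data": ipaddress.ip_network("10.20.0.0/16"),
}

# Segment pairs (source, destination) that may talk. Anything else is a
# policy violation that should leave a trail and be investigated.
ALLOWED = {
    ("iot", "iot"),
    ("mgmt", "iot"), ("mgmt", "mgmt"), ("mgmt", "data"),
    ("data", "data"),
}

# Constructed flow records: "src dst dport bytes".
SAMPLE_FLOWS = [
    "10.30.4.21 10.30.4.1 443 2200",    # camera to its controller: allowed
    "10.10.0.5 10.30.4.21 22 900",      # admin host managing a camera: allowed
    "10.30.7.9 10.20.15.3 445 51200",   # thermostat reaching a file server: violation
    "10.30.7.9 10.10.0.5 22 1300",      # same thermostat probing management: violation
    "10.20.15.3 10.20.15.8 3306 800",   # data to data: allowed
]

def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if it fits no plan entry."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def parse_flow(line: str) -> dict:
    src, dst, dport, nbytes = line.split()
    return {"src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}

def audit_flows(lines):
    """Return (violations, stepping_stones): flows outside ALLOWED, and sources
    that initiated flows into more than one foreign segment."""
    violations, foreign = [], {}
    for line in lines:
        f = parse_flow(line)
        pair = (segment_of(f["src"]), segment_of(f["dst"]))
        if pair not in ALLOWED:
            violations.append({**f, "from": pair[0], "to": pair[1]})
        if pair[0] != pair[1]:
            foreign.setdefault(f["src"], set()).add(pair[1])
    stepping = sorted(s for s, segs in foreign.items() if len(segs) > 1)
    return violations, stepping
```

Feeding real flow exports (NetFlow, firewall logs) through `parse_flow` with the plan adjusted to your own address ranges turns the same check into a recurring visibility report for the device network.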


Dr. Jose Nazario is the Director of Security Research at Fastly, and is a recognized expert on cyberthreats to ISPs, network subscribers, and enterprises from cybercrime and malware.
He was previously the Research Director for Malware Analysis at Invincea Labs. Before his …

Article source: http://www.darkreading.com/iot/tunneling-through-the--walls--of-iot-in-the-enterprise/a/d-id/1328201?_mc=RSS_DR_EDT

Fewer Than One-Fourth Of Cybersecurity Job Candidates Are Qualified

ISACA report finds that 55% of security jobs take three to six months to fill, and under 25% of candidates are qualified for the jobs they apply for.

Sobering news on the cybersecurity hiring front: More than 20% of organizations get fewer than five applicants for an open security job and more than half of all positions (55%) take at least three months to fill with a qualified candidate.

Of those who do apply, fewer than 25% are actually qualified for the posted job, according to a new ISACA report released at last week’s RSA Conference in San Francisco.

It won’t surprise anyone in IT management to learn that it’s extremely challenging to fill open jobs in information security. But the ISACA’s report on the state of security hiring quantifies those challenges more starkly.

The source of the problem doesn’t appear to be money, says Eddie Schwartz, an ISACA director and also EVP of cyber services at security vendor DarkMatter. “We continue to see a lack of qualified candidates, even though companies are offering extremely competitive salaries, higher than other IT jobs,” Schwartz says.

The report, generated from an email survey of ISACA members around the world, also homed in on an infosec applicant’s most important qualifications, which are apparently less about their training and more about the hands-on, practical experience they bring to the table.

“What we’re going to see is a continued departure from a bunch of letters after people’s names and verifying that they have the skills needed,” Schwartz says, referring to acronyms like CISSP, and others. So rather than just writing code and answering rudimentary security questions, infosec candidates can expect to be dropped into live-fire scenarios that reflect their levels of experience.

“If you’re an apprentice, they’d be more rudimentary, but if you’re an expert you’re going to be asked to work in more advanced scenarios,” Schwartz says.

In the last 20 years, many employers have taken the approach of bringing on a cybersecurity professional as a generalist, then encouraging him or her to add certifications and climb the ladder as their experience and knowledge grew, Schwartz says. Others tried to draw security talent from their organization’s pool of software coders. But employers typically haven’t done enough “shepherding” of security talent, cultivating skills internally, and training people to replace their bosses, he adds.

More recently, the industry started in the direction of creating apprentices, journeymen, and masters of infosec. He points to ISACA’s own CSX certification program as an example of that hierarchical progression.

But clearly, the security talent-nurturing equation needs a refresh.

ISACA and employers have work to do with educators and their computer engineering and IT management programs, Schwartz adds. And employers need to start embracing how Millennial and Gen Y professionals work and learn.

“They prefer just-in-time training and ratings like the ones in gaming systems,” Schwartz says. “They’re all about how they can continually gain knowledge and how they rank relative to their peers.”

ISACA is starting to see corporations incentivize Millennials to take part in team-based training, for example, with one goal to improve their ratings, he adds.

Other key findings from ISACA’s state of cyber security report:

  • 32% of respondents say it takes six months or more to fill their security positions.
  • Only 13% report receiving 20 or more applications for a security job.
  • 13% of respondents cite referrals or personal endorsements as the most important attribute for candidates; 12%, certifications, followed by formal education (10%), and specific training (9%).


Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain’s New York Business, Red Herring, …

Article source: http://www.darkreading.com/vulnerabilities---threats/fewer-than-one-fourth-of-cybersecurity-job-candidates-are-qualified/d/d-id/1328244?_mc=RSS_DR_EDT