
10 Steps to Assess SOC Maturity in SMBs

Facing a system and organization controls audit doesn’t have to be stressful for small and midsize businesses if they follow these guidelines.

Preparing for a system and organization controls (SOC) compliance audit for the first time can be challenging. Many organizations, especially small to midsize businesses (SMBs), underestimate the level of planning and effort that goes into completing a successful SOC audit, adding to their security-related stress.

Without proper preparation, SMBs risk missing milestones and deadlines, which can result in additional fees to complete a SOC audit. Addressing these 10 questions can help an organization prevent delays, determine their level of preparedness to complete an audit, and hopefully limit unnecessary work and effort from process owners and employees critical to the business.

1. Risk assessment: Has a risk assessment been completed?
Risk assessments should be performed annually in order to effectively identify, manage, and mitigate risks. As part of the risk assessment process, the organization should review the effectiveness of their current controls environment as well as consider the implementation of additional controls to further strengthen their internal controls environment.

2. Risk mitigation: Has management identified, selected, and developed risk mitigation activities for the risks identified during the risk assessment?
After identifying and assessing the severity of each risk, management should determine the risk mitigation strategy to be used for each identified risk based on the organization’s risk appetite. Management can use several different strategies including to accept the risk, mitigate the risk through the implementation of controls, transfer the risk to another organization, or avoid the risk by choosing to discontinue the associated process or removing the associated assets.

3. Control activities: Have control activities been identified, documented, and implemented to mitigate risks to an acceptable level that enables the organization to achieve its business objectives?
As part of the risk assessment process, controls within the environment are modified and implemented to mitigate critical vulnerabilities, deviations, and control gaps identified as part of the various evaluations performed (e.g., risk assessments, internal audits, vulnerability scans, etc.). Management should document their internal controls environment including identifying all key controls, who operates those controls, how often they operate, and the type of control each one is (e.g., manual, automated, preventive, detective, or corrective). The implementation of controls should be prioritized based on the organization’s business objectives and goals.

4. Vendor management: Are vendor management and oversight procedures formally defined and documented?
Organizations should formally define and document a third-party vendor management process annually that specifies the steps for evaluating the risks associated with vendors and business partners. Monitoring and oversight procedures include holding periodic discussions and performing site visits with vendors, independently testing vendor controls, reviewing attestation reports over services provided and monitoring external communications, such as customer complaints.

5. Monitoring: Does management have monitoring activities in place to evaluate the effectiveness of the internal control activities?
Management should implement monitoring procedures that require a formally documented management review on the effectiveness of the internal controls environment annually. Control activities to review include internal audits, metric reporting, vulnerability assessments, corrective actions for identified deficiencies or deviations, physical and logical access reviews, vendor management reviews, attestation report reviews and policy, compliance, and control and risk assessment reviews.

6. Control environment: Has management established key responsibilities, oversight structures, organization objectives, and a commitment to ethical values?
In order to effectively establish an organization’s controls environment and motivate employees to follow the defined procedures regarding those controls, management should define and document in the employee handbook the responsibilities of its employees, especially those performing critical functions or tasks relating to the controls environment. If executive management exhibits a strong presence and a positive tone toward meeting the organization’s objectives, and displays good character and morals, its employees likely will too.

7. Defined processes: Have key processes and procedures been formally defined, communicated and distributed?
Regardless of size, an organization should prioritize formally documenting its key processes and procedures relevant to the business operations and objectives. Key process and data flow diagrams should be documented and updated as necessary, and should include processes and procedures relevant to IT, human resourcing, business operations and client services, transaction processing, privacy requirements, and storage and communication. Key policies and procedure documents, as well as process and data flow diagrams, should be easily accessible to employees and any changes should be communicated in a timely manner.

8. System and asset identification: Has management identified key systems and assets required to provide its services to clients?
An asset listing that includes relevant systems, tools, applications, hardware, infrastructure, data and people should be maintained by management with documented owners and criticality levels assigned to each asset. Controls should then be identified and documented to ensure assets are appropriately protected and secured. Key security areas include configuration standards, identity and access management, intrusion-detection systems and intrusion-prevention systems, firewall and router rules, file integrity monitoring (FIM) software, incident response tracking, and data recovery.

9. Sufficiency of change control procedures: Has management defined and formally documented sufficient change control procedures, including addressing risks resulting from developer and promoter access not being segregated between people/teams?
A common struggle for many SMBs is the establishment of change control procedures that include segregating incompatible duties. Because of their size, it can be challenging to enforce a segregation of developer and promoter access. Where possible, separate environments for production, test, and development should be maintained, along with the ability to segregate those who develop code changes from those who implement them. If job roles cannot be appropriately segregated, the organization should consider a detective control such as the implementation of FIM software or a weekly review of change logs for unauthorized changes.
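As an added illustration of the detective control just described (example code written for this article, not any vendor's FIM product or A-LIGN's material), the following minimal file-integrity monitor hashes a directory tree into a baseline and then diffs a later scan against it, reporting files that were added, removed, or modified outside the change process. The directory layout and the "unauthorised" edits in `demo()` are constructed; in practice the baseline file would be stored somewhere the people who can deploy to production cannot write.

```python
"""Minimal file-integrity monitor (FIM): hash a directory tree into a baseline,
then diff a fresh scan against it to surface added, removed and modified files.
Constructed example for this article, not any vendor's FIM product."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file (relative POSIX path) to its hash, mode bits and size."""
    root_path = Path(root)
    baseline = {}
    for entry in sorted(root_path.rglob("*")):
        # Symlinks are skipped: following them lets an attacker point the scan elsewhere.
        if entry.is_symlink() or not entry.is_file():
            continue
        st = entry.stat()
        baseline[entry.relative_to(root_path).as_posix()] = {
            "sha256": hash_file(entry),
            "mode": oct(st.st_mode & 0o7777),
            "size": st.st_size,
        }
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Diff two baselines. A change in content *or* permission bits counts as modified."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(
            key for key in old_keys & new_keys
            if old[key]["sha256"] != new[key]["sha256"] or old[key]["mode"] != new[key]["mode"]
        ),
    }


def save_baseline(baseline: dict, path: str) -> None:
    """Persist the baseline; store it where the deployers cannot write (assumption)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo() -> dict:
    """Constructed scenario: take a baseline, then make changes that bypassed change control."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp, "app")
        app.mkdir()
        (app / "config.yml").write_text("debug: false\n")
        (app / "handler.py").write_text("def handle(req):\n    return 'ok'\n")
        baseline_file = os.path.join(tmp, "baseline.json")
        save_baseline(build_baseline(str(app)), baseline_file)

        # Unauthorised edits: code changed in place, a new file dropped, a config removed.
        (app / "handler.py").write_text("def handle(req):\n    return 'ok'  # hidden change\n")
        (app / "backdoor.py").write_text("print('not from the change queue')\n")
        (app / "config.yml").unlink()

        return compare_baselines(load_baseline(baseline_file), build_baseline(str(app)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the script once after each approved release to record the baseline, then on a schedule (the weekly cadence in the text, or more often) to diff; every entry in the report should map to an approved change ticket, and anything that does not is the unauthorized change the control exists to catch.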

10. Privacy: Has management established privacy policies and notices in accordance with applicable requirements, and are the privacy policies and notices communicated to data subjects?
Where personal information is collected, stored, transmitted, or processed by an organization, it is critical that the organization formally define and document both an internal privacy policy and procedures document, as well as a privacy notice meant for data subjects whose personal information is collected, stored, transmitted, or processed.

When SMBs prioritize preparing for a SOC audit, it increases their likelihood of finishing on time, staying within budget, increasing the efficiency during the testing phase, and decreasing the amount of additional auditor requests.


Andrew Houshian is an Associate Director/Practice Lead of SOC and Attestation Services at A-LIGN. Andrew’s responsibilities include supporting and managing the completion and review of SOC and attestation reports, building out practice content and materials, publishing …

Article source: https://www.darkreading.com/risk/compliance/10-steps-to-assess-soc-maturity-in-smbs/a/d-id/1335934?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A Nord VPN bug, a(nother) bad Microsoft patch, Zynga data farmed out, and more

Roundup Here’s the latest security news in handy digest form of stories you may have missed over the last week.

NordVPN bug causes connection confusion

Reg reader Tony writes in to tell us of an interesting security bug that arises when running NordVPN in tandem with the Cloudflare 1.1.1.1 WARP service on iOS. The end result is a connection that looks to be protected by NordVPN, but in reality is completely exposed.

Here’s how it works:

The user first connects to 1.1.1.1 with WARP, then disables the 1.1.1.1 app without turning WARP off. When the user then connects to a NordVPN server using the IKEv2 protocol, the iOS device reports that it is connected to NordVPN and secured, without the traffic actually going through NordVPN. In other words, you appear connected and protected, but you’re not.

Our man tells us he has already reported this issue to NordVPN, so if they deem it serious enough to patch, expect an update. If you use Nord and 1.1.1.1 in tandem, it might be a good idea to double-check your IP address is indeed being hidden.

ESET sounds alarm over Casabaneiro attack

The research team at ESET has detailed a bank hacking operation that is hitting both fiat and cryptocurrency operations in Mexico and Brazil.

Known as Casabaneiro, the attack uses fake pop-up windows to trick users into entering their account details, which are then sent by the malware to a command and control server.

What is particularly unusual about this attack, says ESET, is the way it runs its command and control system. Infected machines do not go directly to the command server, but rather to a YouTube page where a link to the C&C machine is embedded in the video description. The infected machines access the page and then follow the link, making it appear to admins as if the user is just watching a video.

“What makes this technique dangerous is that it does not raise much suspicion without context,” ESET explains.

“Connecting to YouTube is not considered unusual and even if the video is examined, the link at the end of the video description may easily go unnoticed.”

It’s 2019, and WhatsApp can be pwned by a GIF

If you haven’t updated your copy of WhatsApp in a while, now would be a good time. That’s because Singapore-based bug hunter Awakened has spilled the beans on a remote code execution flaw in the messaging tool.

The vulnerability, designated CVE-2019-11932, is exposed when the user opens (or receives from a friend and automatically opens) a specially crafted GIF image. The file then triggers a double-free vulnerability that could potentially allow for code execution.

To avoid the bug, make sure you are running WhatsApp version 2.19.244 or later.

Microsoft pushes update for an update

Redmond has kicked out a second attempt at its patch for CVE-2019-1367.

The Windows maker had first tried to patch the remote code execution memory corruption bug last month, but had to recall and replace the update following reports that the patch was causing some machines to be unable to properly print. Users and admins will want to get this fix as soon as possible, at least before Tuesday when the October patch dump hits.

Signal breaks up call snooping flaw

The Signal messaging app has patched a logic error that would have potentially left users vulnerable to surveillance.

Google Project Zero’s Natalie Silvanovich said that the Android and iOS versions of the app would allow a user with a modified client to call someone else and then force the recipient’s client to accept the call.

In practice, this means a caller could place a call to their target and listen in on them without the recipient being any the wiser. Updating to the latest versions of Signal for iOS and Android will patch the bug.

But Signal’s cofounder Moxie Marlinspike has pointed out that the flaw is only in the Android build of the secure messaging app, and has said it has now been fixed.

Bug found in NSA’s Ghidra tool

The next time you make a dumb coding error, remember that everyone, even the NSA, goofs up from time to time. The intelligence bod says its experimental Ghidra security research tool contains CVE-2019-16941, a remote code execution bug that could be triggered with a specially-crafted XML file.

The flaw can be fixed by updating to the latest Ghidra build.

Bye-Zynga: mobile games maker loses data on 218 million users

Games company Zynga has been relieved by hackers of the names, email addresses, login IDs, and hashed passwords of more than 200 million players. The pilfered database is also said to contain in some cases phone numbers, password reset tokens, Facebook IDs, and Zynga account IDs.

If you play a Zynga game, it would not be a bad idea to change your password ASAP, and if you re-used the password on other sites (don’t do that) you’ll want to change those too. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/05/security_roundup_october_4/

Iran tried to hack hundreds of politicians, journalists email accounts last month, warns Microsoft

The Iranian government has attempted to hack into hundreds of Office 365 email accounts belonging to politicians, government officials and journalists last month, Microsoft has warned.

“We’ve recently seen significant cyber activity by a threat group we call Phosphorus, which we believe originates from Iran and is linked to the Iranian government,” Microsoft’s vice president of customer security and trust Tom Burt said in a blog post on Friday.

Redmond’s bit wranglers observed more than 2,700 attempts to hack into 241 different accounts, according to the software giant. It noted that those accounts “are associated with a US presidential campaign, current and former US government officials, journalists covering global politics and prominent Iranians living outside Iran.”

Microsoft says that only four of the 241 accounts were compromised and none of them were connected to government officials or presidential campaigns. It says the accounts are now secure and the owners are aware of the activity.

Notably, Microsoft says the hacking efforts were “not technically sophisticated” but used personal information gathered elsewhere to try to prompt password reset or account recovery in an effort to get into the accounts.

“For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account,” Microsoft explained.

It also appears that the hackers attempted to bypass two-factor authentication. “In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets,” the company said. It described the attackers as “highly motivated and willing to invest significant time and resources.”

Instead, Microsoft proposes that people use its Authenticator app, which provides a login code that changes every 30 seconds, to access their accounts.

How come Iran?

The company did not go into any detail over why it believes the Iranian government is behind the hacks beyond noting that those targeted included “prominent Iranians living outside Iran.” Presumably, it was able to identify the same pattern of hacking efforts with other accounts not directly connected with Iran and extrapolated from that.

As to why it released the information publicly, Microsoft said that there were two reasons: first that “we all – governments and private sector – are increasingly transparent about nation-state attacks and efforts to disrupt democratic processes;” and second that “publishing this information should help others be more vigilant and take steps to protect themselves.”

It then flagged its own security features on its email service, noting that all Microsoft customers can see a log of attempts to access their email, and highlighted a special “AccountGuard” service it runs for anyone who is “part of a political campaign, a political party committee or an NGO or think tank working on issues related to democracy.”

Redmond said that 60,000 accounts in 26 countries have the additional protection and that to date it has issued 800 notifications to Office 365 users of attempted nation-state attacks.

Trump World

The announcement comes at an interesting time, with impeachment proceedings under way against President Trump over his soliciting foreign help against a political rival.


Last night, Trump’s insistence that he had not sought a “quid pro quo” in which the Ukrainian government agreed to investigations in return for US security funding and a visit to the White House was directly questioned when text messages between senior diplomats were published in which they explicitly and repeatedly indicated exactly that.

That revelation came just hours after Trump responded to widespread criticism of his actions in repeatedly asking Ukraine’s president to investigate Joe Biden’s son by publicly asking China to do the same in front of TV cameras.

While much of Washington, including the media, seemed caught up in soap operatics, security professionals continue to plead with everyone to take the issue of foreign intervention in US elections more seriously.

Microsoft’s announcement this morning highlights again that hostile nations are investing significant energy and resources into disrupting American elections by stealing and weaponizing private information. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/04/iran_politicians_hacking_microsoft/

Here we go again: US govt tells Facebook to kill end-to-end encryption for the sake of the children

The US government is renewing its efforts to talk tech firms out of using end-to-end encryption methods that would keep police from snooping on conversations.

The Department of Justice on Friday held what it dubbed the “Lawful Access Summit,” a morning-long presentation aimed at convincing people that police must be able to see all conversations on messaging platforms in order to protect the public, specifically children, from predators.

“Outside the digital world, none of us would accept the proposition that grown-ups should be permitted to mingle in closed rooms with children they don’t know in order to groom them for sexual exploitation,” offered US deputy attorney general Jeffrey Rosen.

“Neither would we ever accept the idea that a person should be allowed to keep a hoard of child sexual abuse material from the scrutiny of the justice system when all of society’s traditional procedures for protecting the person’s privacy, like the Fourth Amendment’s warrant requirement, have been satisfied. But in the digital world, that is increasingly the situation in which we find ourselves.”

In particular, the DOJ has zeroed in on Facebook. The social network recently announced its intention to make all of its chat services, not just WhatsApp, end-to-end encrypted platforms that will place keys in the hands of the users themselves.

“We must find a way to balance the need to secure data with public safety and the need for law enforcement to access the information they need to safeguard the public, investigate crimes, and prevent future criminal activity,” the DOJ says to the social network.

“Not doing so hinders our law enforcement agencies’ ability to stop criminals and abusers in their tracks.”

Rather than demand the backdoor ability to decrypt communications on demand, the DOJ is suggesting tech firms instead offer a “front door” to let police present a warrant and receive copies of the conversations they wish to view. Unfortunately, the authorities don’t seem to have any idea what that “front door” would actually look like in the context of an end-to-end encrypted service.

While Facebook did not respond to a request for comment, this discrepancy was noted by critics of the plan, including Senator “Silicon” Ron Wyden, who points out that, in essence, the DOJ is still asking for a backdoor to get at encrypted communications. He warned that such backdoors are likely to be abused, either by unscrupulous law enforcement officers or by hackers who steal the encryption keys and use them for their own ends.

“Nearly every aspect of our lives depends on the defense of strong encryption – our home devices, location tracking, microphones and cameras on our phones, bank accounts, and on and on. If companies succumb to this pressure campaign, then child predators, domestic abusers and internet crooks will have a red carpet to do harm to innocent people,” said Wyden.


“It is no surprise that William Barr, with his long record of calling for government surveillance of innocent Americans, is pushing another bad-faith effort to vastly expand surveillance without addressing the real problems facing our people.”

Wyden also points out that the DOJ’s push can only extend to companies located in the US, which are just a small fraction of those currently offering end-to-end encrypted services.

“American providers of end-to-end encrypted apps like WhatsApp regularly share valuable metadata with law enforcement. This enables the police to locate criminals and identify those they are talking to. In contrast, foreign encrypted messaging services like Telegram will not share any data with the US government,” Wyden offers.

“Mr. Barr’s proposal to have tech companies tap the phones of innocent Americans will do nothing but drive criminals to use foreign encryption services, where they will be even harder for the police to catch.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/04/us_government_encryption/

GPS cyberstalking of girlfriend brings surveillance and indictment for alleged American mobster

Joseph Amato’s attempt to surveil his girlfriend by attaching a hidden GPS device to her car led authorities to surveil the alleged mobster, and ultimately to his indictment by a grand jury.

Amato, said to be a captain in the Colombo organized crime family of La Cosa Nostra, was among 20 defendants charged by the Justice Department with racketeering, extortion and loansharking, among other crimes, including cyberstalking.

The government unsealed three indictments on Thursday in the Eastern District of New York, where the defendants were arraigned. Beyond Amato (60), others named in the indictments include alleged Colombo family members Daniel Capaldo (54, aka “The Wig” and “Shrek”), Thomas Scorcia (52), and Vincent Scura (58, aka “Vinny Linen”), as well as alleged Colombo family associates Joseph Amato, Jr. (26) and Anthony Silvestro (28, aka “Bugz”).

According to court documents, the investigation began three years ago after Amato had been cyberstalking his then girlfriend.

“In November 2016, a GPS tracking device was found on an MTA bus in Staten Island during a routine maintenance inspection: it had been hidden in an oil pan,” the government’s detention memo states. “In fact, Joseph Amato had purchased the device to place a girlfriend, identified herein as Jane Doe, under close surveillance and used the tracking device in an attempt to maintain control over her.”

Amato, the filing says, tried to intimidate the unidentified woman by boasting about his reach in the New York City area, stating in one email, “This is my island. Not yours. I have the eyes all over.”

But government investigators had eyes all over Amato, in the form of court-authorized wiretaps, after Jane Doe discovered the GPS tracker on her car and removed it. The detention memo suggests she placed it on an MTA bus to thwart Amato’s surveillance.


When the bus inspection turned up the tracking device, the FBI and the NYPD began looking into Amato. “The government commenced a larger investigation of Amato following the discovery of the tracking device that had been registered to him,” the detention memo states.

The court documents detail various alleged criminal activities that would have fit right in to HBO’s mafia series The Sopranos, like threatened beatings and attempting to fix an NCAA men’s basketball game by offering to pay thousands of dollars to team members to ensure they lost by a significant amount.

“One of the stunning things revealed in this investigation, it seems members of the mafia families that were once almost romanticized by Hollywood and pop culture, have resorted to acting like playground bullies,” said William Sweeney, assistant director-in-charge of the FBI in a statement.

“As alleged, they are still up to their old extortion and bribery schemes, and terrorizing their victims, but they are also still getting caught.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/04/gps_cyberstalking_indictment/

Google sounds the alarm over Android flaw being exploited in the wild, possibly by NSO

Google is warning owners of some popular Android devices to keep a close eye on their gear following the release of an exploit for an unpatched flaw.

A post from the Chocolate Factory’s in-house Project Zero crew outlines the flaw, a use-after-free bug in the Android Binder driver that could be exploited by a local app to elevate privileges.

In fact, strike the “could” because Google bug-hunters say the flaw is already being targeted in the wild by criminals to compromise some Android devices, including the Pixel 2, Samsung S7-S9, Moto Z3, and Huawei P20, among others.

While the flaw is unpatched in the kernels shipping on the affected devices, the underlying use-after-free issue has been known for years and was fixed upstream. In more recent Android kernels, however, it re-emerged. There is currently no CVE number associated with the flaw.

“This issue was patched in Dec 2017 in the 4.14 LTS kernel, AOSP Android 3.18 kernel, AOSP Android 4.4 kernel, and AOSP Android 4.9 kernel,” notes Project Zero’s Maddie Stone, “but the Pixel 2 with most recent security bulletin is still vulnerable based on source code review.”


Early speculation by the team is that the in-the-wild exploits were the work of NSO Group, the Israeli security software firm known for dealing in malware for government agencies. When contacted by The Register for comment, however, NSO Group firmly denied the allegation.

“NSO did not sell and will never sell exploits or vulnerabilities,” a spokesperson said.

“This exploit has nothing to do with NSO; our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives.”

As the vulnerability must be exploited locally, users and admins will go a long way towards protecting themselves by making sure they do not download any apps from untrusted sources and keep their systems updated to block against other flaws that could be chained with this bug to create remote attacks. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/04/android_alert_google/

Rethinking Cybersecurity Hiring: Dumping Resumes & Other ‘Garbage’

In a market that favors the job seeker, what are some alternatives to resume-sifting that will identify the talent you need?


While on the hunt for cybersecurity talent, Domini Clark is finding that the more things change, the more things stay the same.

“The irony is that as highly technical as the cyber talent pool is, the best way to actually reach the people you need to reach is to go ‘old school,’” says Clark, who leads technical executive search firm Blackmere Consulting, which specializes in recruitment for cybersecurity positions.

In a job seekers’ market, in which infosec positions are red-hot and candidates have their pick of opportunities, Clark has been having more success lately by working more traditional methods of tracking down talent – research, connections, networking, and in-person meetings.

And so she now works to reach candidates face-to-face, through events, meetings, and other real-life opportunities to engage with talent. 

Clark is one of many recruiters looking to diversify strategies for finding security employees in an ongoing skills gap impacting the industry. According to the InfoSec Institute, the shortage of cybersecurity professionals has grown to nearly 3 million globally, with approximately 498,000 openings in North America alone. This is happening in tandem with increased spending and prioritization of security in businesses around the globe. Gartner forecasts worldwide spending on information security products and services will reach more than $124 billion in 2019, an increase of 8.7% from the previous year.

With employers so desperately in need of help with security initiatives and seeking an edge to get workers interested in what they have to offer, what are some creative alternatives to resume-sifting to find the help you need?

Develop and Work Personal Connections
Beyond showing up, Clark believes the power lies in actually getting to know people — even if it starts in a virtual forum — by reaching out and asking for a conversation before even gauging the talent’s interest in a position. Get involved in community and industry groups and start working those relationships, she advises.

“With all of the recruiting tools available to find, screen, and communicate with talent, nothing beats actual connections,” she says. “The days of ‘post-and-pray’ are gone. Not to mention, cyber talent tends to be overwhelmed with surface reach-outs by recruiters [who] don’t understand the industry or their specific skill set in relation to the opportunity. Community involvement, and credible networking may be old school, but human interaction goes a long way in engaging with hard-to-find talent.”

Clark says she relies more frequently on forming those personal connections and relationships versus low-touch keyword searches and cold emails. Her goal, she says, is to create a solid reputation for Blackmere and a trusted network that talent will keep coming back to when looking for work and that employers will want to tap when they need help.

Try Local Colleges and Universities
IBM Security’s Academic Outreach program focuses on partnering with educational and research institutions to develop cybersecurity talent and close the skills gap. It offers training opportunities and scholarships for cybersecurity study, and sponsors hacking contests for teens.

Heather Ricciuto, who leads the program, says the goal is to both identify talent and raise awareness of the various security career paths—an understanding she says is severely lacking among young people.

“The biggest issue in security hiring that I have observed is the general lack of cybersecurity career awareness amongst students of all ages,” Ricciuto says. “In general, students do not know what a cybersecurity professional does. Those who believe they have some understanding typically have a misconception of the profession at large, based on what they see on television and the big screen. Academic outreach plays a big role in building awareness amongst students, faculty, and parents.”

For regional HR recruiters seeking security talent, a local school may also have programs in place or may even be willing to form a partnership to create security education opportunities.

Tap New Recruiting Technology
CyberSN’s Deidre Diamond, founder and CEO, and Mark Aiello, president, think the employer–employee matching process should be more like using a dating site.

CyberSN, a talent acquisition firm focused on cybersecurity professionals, debuted its KnowMore platform at Black Hat in August to sync up what they said is a pool of qualified talent who simply aren’t being matched to the right opportunities.

“In our opinion, the No. 1 fundamental problem is that companies are relying on the old traditional hiring methods: draft a job description, which is usually garbage, post this garbage on a job site, and then complain when all the responses are garbage,” Aiello says.

This is compounded by recruiters who rarely understand cybersecurity well enough to draft a job description that makes sense to the cyber professionals who read it, he adds. KnowMore uses a common language between the talent seeker and the job seeker in order to build both job and talent profiles. CyberSN likens the language to what is used on dating sites like Match.com and eHarmony.

“As Match.com and eHarmony have taught us, quality matching of fewer candidates is the best recipe for success,” Aiello says.

KnowMore also makes matches based on projects and tasks of the job, as well as the professional’s experience, base salary expectations, desired location, educational background, citizenship requirements, and career progression pathways.

Reconsider the Criteria for Hiring
In an ideal world, hiring managers would have their pick of educated and experienced job candidates. But in a pinch, it is time to consider hiring people who simply have a foundation for success in security despite not having the precise education, credentials, and experience the company wants.

In a blog post, information security expert and writer Daniel Miessler said the cybersecurity hiring gap is due to a lack of entry-level positions. And companies are missing out on people with raw talent and a bit of experience that would make them a great hire for a security role simply because they may lack credentials. He advocates instead for hiring managers to focus on practical skills when considering talent instead of a standard checklist of job must-haves.

IBM Security’s Ricciuto echoes Miessler’s sentiments. She says those recruiting and hiring for security roles also need to expand their viewpoints on what makes a qualified candidate for different types of security jobs and reach beyond the normal candidate pools.

“There are many different types of skills and abilities needed in the security industry, so expanding hiring and recruitment efforts to reach a wider variety of talent and removing barriers for getting these candidates through the hiring process is also key,” she says.

Look In-House
Zane Lackey, chief security officer at Signal Sciences and former CISO of Etsy, espouses looking inward to develop new security talent and building a program of “security champions” throughout the organization.

“If you can’t scale security through direct hiring, you’ve got to find another way. Developing your existing employees into security champions can help close that skills gap,” wrote Lackey in a blog post.

One aspect of this strategy is to make an effort to embed security skills within other teams in the organization, such as product and development teams. This creates a more nimble and responsive structure throughout the businesses with a more pervasive understanding of risk.

But the second, even more critical, step in this plan is to find internal candidates who want to develop security skills. Lackey did this at Etsy by offering voluntary security training—a lunch-and-learn on how to attack your own application. The class allowed the organization to pull in a self-selected group of people who found security interesting.

“They came away with both raised consciousness about the risks they might be creating for the company and practical ways to reduce them,” Lackey said. “Instead of trying to train everyone at a low level and not making much of an impact, our security team focused on the people who were naturally interested in security and helping them develop real skills.”

One Size Does Not Fit All
Each organization will have its own differing needs for the security team, and no one strategy will work for finding the talent needed to fill critical infosec roles. But it’s clear organizations need to get creative, put in the time, and try new tactics in order to build out their security program today.


Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Article source: https://www.darkreading.com/edge/theedge/rethinking-cybersecurity-hiring-dumping-resumes-and-other-garbage-/b/d-id/1336000?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FBI Investigates Mobile Voting Intrusion

A group tried to access West Virginia’s mobile voting app in 2018; now, the FBI is looking into what actually happened.

West Virginia’s mobile voting app is the latest target of an FBI investigation into attempts to hack the 2018 midterm elections through Voatz, an experimental app that lets voters who are active military or registered to vote abroad vote from their phone. According to a statement from US attorney Mike Stuart, “…there was no intrusion and the integrity of votes and the election system was not compromised.” He has, however, referred the issue to the FBI for investigation into attempts to compromise the system.

Voatz co-founder and CEO Nimit Sawhney told CNN that a group of individuals tried to illegally access the system. While they were stopped, Sawhney said the company felt required to notify the FBI of the attempt. Stuart wrote that, while the investigation is ongoing, “No legal conclusions whatsoever have been made regarding the conduct of the activity or whether any federal laws were violated.” 

He also noted that any threat to voting will be taken seriously, possibly taking aim at exercises such as the Voting Village at DEF CON. “Whether in the name of an academic exercise, a mere challenge or thrill, or to actually cause harm,” Stuart wrote, “we will treat every risk extremely seriously and as a threat to Critical Infrastructure.”



Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/application-security/fbi-investigates-mobile-voting-intrusion/d/d-id/1336005?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Iran Caught Targeting US Presidential Campaign Accounts

Microsoft detected the so-called Phosphorus nation-state gang attacking 241 user accounts associated with a US presidential campaign, current and former US government officials, journalists, and others.

A well-known Iranian nation-state hacking team has targeted 241 user accounts connected to a US presidential campaign, as well as existing and former government officials, journalists, and Iranian nationals residing outside that nation, according to Microsoft, which discovered the attacks.

Between August and September, Microsoft’s Threat Intelligence Center spotted the so-called Phosphorus hacking group — aka APT 25, Charming Kitten, and Ajax Security Team — going after specific Microsoft customers. The group made more than 2,700 attempts to gain access to those accounts, targeting 241 of them, and ultimately compromised four user accounts, none of which were associated with the US campaign or US government officials.

“Microsoft has notified the customers related to these investigations and threats and has worked as requested with those whose accounts were compromised to secure them,” said Tom Burt, corporate vice president of customer security and trust for Microsoft, in a blog post about the incident today.

The hackers spoofed password reset or account recovery alerts as a way to infiltrate the victim accounts. “For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account. In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets,” Burt explained.
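The recovery-channel abuse Burt describes (reset requests routed through a linked secondary mailbox, then phone-assisted verification) leaves a recognisable footprint in an identity provider's account-recovery logs. The following is an added illustration, not Microsoft's telemetry or any code from the report: it parses a constructed, hypothetical log format and flags two patterns, a burst of reset requests against one account and a reset that starts via the secondary email but completes over a different channel. Account names, IPs and the field names are all invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value log format
# (not a real identity provider's schema). Addresses and IPs are invented.
SAMPLE_EVENTS = """\
2019-09-03T08:01:10Z account=alice@example.org event=reset_requested channel=secondary_email src=198.51.100.7
2019-09-03T08:02:41Z account=alice@example.org event=reset_requested channel=secondary_email src=198.51.100.7
2019-09-03T08:05:03Z account=alice@example.org event=reset_requested channel=sms src=198.51.100.7
2019-09-03T08:06:30Z account=alice@example.org event=reset_completed channel=sms src=198.51.100.7
2019-09-03T09:15:00Z account=bob@example.org event=reset_requested channel=sms src=203.0.113.20
2019-09-03T09:16:12Z account=bob@example.org event=reset_completed channel=sms src=203.0.113.20
2019-09-04T10:00:00Z account=carol@example.org event=reset_requested channel=secondary_email src=192.0.2.9
2019-09-04T10:00:40Z account=carol@example.org event=reset_requested channel=secondary_email src=192.0.2.10
2019-09-04T10:01:15Z account=carol@example.org event=reset_requested channel=secondary_email src=192.0.2.11
2019-09-04T10:02:00Z account=carol@example.org event=reset_requested channel=secondary_email src=192.0.2.12
"""


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def find_recovery_abuse(events, window=timedelta(minutes=10), threshold=3):
    """Return {account: [reasons]} for accounts whose recovery activity looks hostile.

    Heuristics (chosen for this example, not a vendor's rule set):
      - "burst": at least `threshold` reset requests for one account inside `window`
      - "channel_hop": a request via the secondary email followed within `window`
        by a completed reset verified over a different channel (e.g. SMS)
    """
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)

    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []

        # Sliding-window burst detection over reset requests only.
        requests = [e for e in evs if e["event"] == "reset_requested"]
        for i, first in enumerate(requests):
            in_window = sum(1 for later in requests[i:] if later["ts"] - first["ts"] <= window)
            if in_window >= threshold:
                reasons.append("burst")
                break

        # Secondary-email request followed by a completion on another channel.
        secondary_requests = [e for e in requests if e["channel"] == "secondary_email"]
        completions = [e for e in evs if e["event"] == "reset_completed"]
        if any(
            c["channel"] != "secondary_email" and timedelta(0) <= c["ts"] - r["ts"] <= window
            for r in secondary_requests
            for c in completions
        ):
            reasons.append("channel_hop")

        if reasons:
            findings[account] = reasons
    return findings


def audit(log_text):
    """Convenience wrapper: parse a log blob and return the findings."""
    return find_recovery_abuse(parse_events(log_text))


if __name__ == "__main__":
    for account, reasons in audit(SAMPLE_EVENTS).items():
        print(f"{account}: {', '.join(reasons)}")
```

On the constructed sample, alice trips both heuristics (three requests in four minutes, then an SMS-verified completion five minutes after a secondary-email request), carol trips the burst rule from four different source addresses, and bob's single SMS reset is left alone. In a real deployment the window and threshold would be tuned against the provider's baseline, and a "channel_hop" hit is a reason to review the recovery chain rather than a verdict on its own.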

Phosphorus has been a relatively active threat group. Microsoft in March took down 99 phishing and other malicious websites run by Phosphorus, and the group was spotted in December 2018 targeting email accounts of US Treasury members, defenders, detractors, Arab atomic scientists, Iranian civil society figures, DC think-tank employees, and officials charged with enforcing the former US-Iran nuclear deal.



Article source: https://www.darkreading.com/endpoint/iran-caught-targeting-us-presidential-campaign-accounts/d/d-id/1336007?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google brings Incognito mode to Maps

Quite likely in response to all the kerfuffle about location tracking, Google has extended Incognito mode to Maps.

The data gobbler, which has been accused of secretly tracking users’ locations even when the setting is turned off (along with Facebook and mobile apps, et al.) and which has faced allegations of its “deceitful” tracking being against EU law, announced the new Incognito Mode for Maps on Wednesday.

Google noted that this is just one of a slew of privacy goodies it’s been rolling out since earlier this year, including the My Account dashboard it introduced in May, designed to make it easier for users to control the settings related to their privacy and data; sticking Incognito mode into more apps, like Search and YouTube; and auto-delete for location and activity history, also introduced in May.

What Incognito mode in Maps will do

Incognito mode in Maps is going to keep your device from recording your Maps activity on that device.

For example, the places you search for won’t be saved to your Google Account, nor will they be used to personalize your Maps experience. So if you share a device with, say, your partner, they won’t know that you’ve searched Maps for jewelry stores to buy an engagement ring, nor if your route then included a stop at the Golden Banana club before you headed home.

Incognito mode for Maps will start rolling out later this month, first on Android, with the iOS version following soon after, Google said.

It’s easy to turn on and off, Google says: you just select it from the menu that appears when you tap your profile photo, and you can turn it off at any time to return to a “personalized experience with restaurant recommendations, information about your commute, and other features tailored to you.”

What Incognito mode in Maps won’t do

Make no mistake, Incognito mode won’t make you a silent, trackless online ghost. As we’ve noted in the past – when writing about Incognito mode and all the ways that researchers and cash-strapped, ad-dependent websites have detected and defeated it – the problem with private browsing or anonymity modes is that they don’t actually do what you may think they do.

They block web history from being recorded on a device, which is great if you share a device with somebody else and don’t want them to know just exactly what you’re up to online. But they don’t block everybody else who’s watching: ISPs, advertisers, website owners, and all the other snoopers, profilers and marketers.

Most of the things you might think would confuse the bloodhounds, like a VPN or Cloudflare’s new Warp, actually just force you to choose which bloodhounds you’re prepared to trust. If you want to leave everyone guessing, the only game in town is the Tor browser.

YouTube, too

Also, this: Google says that it’s expanding the auto-delete for Location History and Web & App Activity it introduced in May. Now, it’s bringing auto-delete to YouTube history. You’ll be able to set the time period to keep your data – 3 months, 18 months, or until you delete it, the same as with Location History and Web & App Activity – and Google says “we’ll take care of the rest.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KkXzlbi_Sso/