STE WILLIAMS

Lockpath Advocates Benefits of Continuous Security Management

Risk management and compliance technologies emerge from the intersection of technology, security, and regulation; continuous security management helps professionals from multiple departments and disciplines access the info they need, when they need it, according to Sam Abadir of Lockpath.

Article source: https://www.darkreading.com/lockpath-advocates-benefits-of-continuous-security-management/v/d-id/1334086?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

From Silicon to Security: Synopsys Bolsters App Security with New Platform

Application security is always important to infosec professionals, and as Ravi Iyer of Synopsys points out, software development trends like Agile, DevOps and CI/CD push app security to the forefront. Polaris, the new software integrity platform from Synopsys, can help with early detection of software vulnerabilities.

Article source: https://www.darkreading.com/from-silicon-to-security-synopsys-bolsters-app-security-with-new-platform/v/d-id/1334080?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Gemalto Helps Navigate Security in the Cloud Era

With digital transformation in full swing and Big Data accumulating, end-user organizations have their hands full managing, storing and protecting all their data, according to Todd Moore of Gemalto. While end-users have access to cloud-based encryption and other security services, Moore warns that the bad guys have access to them too.

Article source: https://www.darkreading.com/gemalto-helps-navigate-security-in-the-cloud-era/v/d-id/1334081?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

To Improve Security, We Must Focus on Its People

New technology can help cybersecurity bridge the talent gap, but tech won’t do much without people to operate it.

RSA CONFERENCE 2019 – San Francisco – It’s no secret cybersecurity has a people problem. Businesses struggle to find and retain talent, and they’re competing to hire the most skilled professionals. Still, burnout puts them at risk of losing those valuable employees.

The industry will be short an estimated 3 million people within the next two years, said Ann Johnson, Microsoft corporate vice president of cybersecurity, in her RSA Conference keynote. Seventy percent of IT employers say they face a moderate to extreme shortage in IT experts.

What’s more, she continued, work-related stress is causing 66% of IT professionals to seek employment elsewhere. Of those, 51% would take a pay cut in exchange for less stressful work. Technology can help solve these problems, but not if we don’t improve the focus on people.

“We must come together as an industry to address the major gaps we have,” said Johnson, noting how in addition to growing its talent pool, cybersecurity is challenged to diversify it as well. “If we do nothing to address these gaps, it will impact every single one of us in our everyday lives. We have the skills, we have the technology … we must have the will.”

Diversity and inclusivity go beyond gender, ethnicity, and race, she added, and security will benefit if we encourage additional ideas, capabilities, and backgrounds to help solve industrywide problems. “Educational background, social background, there’s a lot of things that make up diversity,” Johnson explained in an interview with Dark Reading.

We must focus on the power of people to improve security, she continued, pointing to initiatives inside and outside Microsoft to bring more people and skills into the industry. As part of the Security Advisor Alliance, for example, the company partners with junior-high and high-school students to educate them on security principles, capture-the-flag exercises, and employment.

Another example is the Microsoft Cybersecurity Professional Program, which teaches students 10 skills over 10 courses ranging from Enterprise Security Fundamentals, to PowerShell Security, to Microsoft Azure Security Services. Johnson also spoke about the Microsoft Academy for College Hires (MACH), which pairs undergrad and MBA students with employees to train them in various disciplines; Johnson noted some worked with her incident response team.

Working with students has taught valuable lessons in how future generations will learn, she said. In working with middle- and high-schoolers, for instance, experts found games helped engage students. “Gamification is important; making it fun is important,” she added. Gen Z is “truly digital native” and prefers instant communication.

Johnson also emphasized the importance of bringing new skills into the industry. “Businesses have a fixed mindset around the type of people they want enrolled,” she noted. Cybersecurity job descriptions demand a STEM degree, three years of coding, and other technical qualities.

“We’re not going to solve for our talent shortage if we only hire the person who fits this tiny, tiny little profile,” she said. “Businesses have to think differently about how they bring people in cyber.”

Mental Health: It’s Time to Talk About It
If security jobs remain unfilled, defenders will burn out, Johnson warned. “These folks are first responders, but we don’t treat them like that.” Security pros in different parts of an organization may be working around the clock when an event strikes or have to fly somewhere with little notice to help with incident response.

For CISOs and their teams, the stress level is always high, she added. If we want to empower people and amplify human capacity, we must consider the mental health of first-line defenders, she said. Mounting stress on defenders leads to more mistakes the longer an attack goes on.

Microsoft recently conducted its first “personal resilience training,” a program designed to train people on how to handle stressful environments, which received a positive response among participants, she added. “We must protect the mental health of our cyber defenders,” Johnson said.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/to-improve-security-we-must-focus-on-its-people/d/d-id/1334093?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Anomali: Integration of Disparate Security Systems is Essential

With a record number of cyber-attacks recorded in 2018 and even more expected this year, integrating multiple security sub-systems is essential for enterprises, says Anomali’s Hugh Njemanze. He also encourages companies to operationalize their threat intelligence and to get better at sharing threat intel data.

Article source: https://www.darkreading.com/anomali-integration-of-disparate-security-systems-is-essential/v/d-id/1334082?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Endgame Encourages Users to Balance Detection and Response Vs. Prevention

Not all security data that’s publicly shared gets analyzed or vetted, but Forrester’s recent independent analysis of the MITRE ATT&CK evaluation offers up useful insights to infosec pros and can guide their procurement and security strategy, according to Mike Nichols of Endgame. These reports can help with intelligent evaluation of detection and response versus prevention approaches.

Article source: https://www.darkreading.com/endgame-encourages-users-to-balance-detection-and-response-vs-prevention/v/d-id/1334083?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Deep Instinct Touts Predictive Aspects of Deep Learning

Deep learning, as a subset of machine learning (which is itself a subset of artificial intelligence), can help transform a company’s security posture, says Deep Instinct’s Guy Caspi. Deep learning’s predictive capabilities also change the security management equation from reactive to proactive, an important breakthrough in forecasting and risk management.

Article source: https://www.darkreading.com/deep-instinct-touts-predictive-aspects-of-deep-learning/v/d-id/1334085?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Artificial Intelligence: The Terminator of Malware

Is it possible that the combination of AI, facial recognition, and the coalescence of global mass-hack data could lead us toward a Skynet-like future?

For many of us, The Terminator series introduced us to the potential dangers of artificial intelligence (AI). As Skynet’s advanced AI became self-aware, it concluded that humanity was a threat to its existence and sprang into self-preservation mode, ultimately triggering a nuclear holocaust and deploying an army of Terminators to battle the resistance.

While this was purely fictional back in 1984, 35 years later, AI-powered threats are the new reality and raise the question: Are we headed for a Skynet-like future in which AI takes over the world? Perhaps we’re not quite there yet, but the ingredients are all there, and it could be a potential recipe for disaster.

As our understanding of AI progresses and evolves, AI attacks will get more sophisticated and continue to improve. Maturing open source machine learning tools like TensorFlow from Google and others will be used in malcode, distributing even more damaging botnets, viruses, worms, trojans, targeted phishing expeditions, and so on. Of particular concern is the combination of machine learning, automated facial recognition and the huge amounts of data in recent dumps. This puts billions of people at risk of being compromised more than ever before.

One recent data dump is now raising alarm flags because it has the potential to affect millions of people. In the dump known as Collections #1–5, well over 2 billion usernames and passwords were posted to the Dark Web. With data the foundation of AI, hackers can now carry out machine learning-based operations that leverage automated facial recognition and the information in Collections #1–5 to traverse social media networks and other sites to carry out automated spearphishing campaigns and a variety of other villainous exploits.

An AI populated with billions of email/password pairs has a huge head start on leveraging evasive and powerful attack tools such as DeepLocker and Social Mapper. Consider the kill chain of shared credentials between corporate and personal emails. That’s a very soft target for the Terminator of malware. Even if only 1% of the passwords in the “Collections” are still accurate and shared across accounts, that is well over 20 million vulnerable victims. From statistical analysis, we know the rate is far higher than that.

So, how bad could it get? Realistically, a mass collective hive of botnets with knowledge of credentials, email, facial recognition, and social networks could make AI phishing lures that will make email unusable. Theoretically, with Collections #1–5 at its disposal, Skynet could now take over the world.

Which leads us to the need for a Resistance. Fortunately, Skynet does not exist… at least, not that we know of. But it will take a lot more than John Connor to win the AI war with cybercriminals. It will take a global coalition of brilliant minds and organizations from the private and public sectors fighting fire with fire, deploying AI-based security solutions that can keep pace, outmaneuver, and outthink these AI-powered attacks. The US Department of Defense echoed this sentiment in a recently unveiled summary of its official artificial intelligence strategy:

We cannot succeed alone; this undertaking requires the skill and commitment of those in government, close collaboration with academia and non-traditional centers of innovation in the commercial sector, and strong cohesion among international allies and partners. We must learn from others to help us achieve the fullest understanding of the potential of AI, and we must lead in responsibly developing and using these powerful technologies, in accordance with the law and our values.

Perhaps the late Stephen Hawking said it best: “Unless we learn how to prepare for, and avoid, the potential risks, AI could be the worst event in the history of our civilization.”

Or as the Terminator might say: “Hasta la vista, baby.”


Chris Rouland is Co-Founder and Chief Executive Officer of Phosphorus Cybersecurity, Inc. A 25-year veteran of the information security industry, Chris is a renowned leader in cybersecurity innovation and disruption. In his career, Chris has founded and led several …

Article source: https://www.darkreading.com/threat-intelligence/artificial-intelligence-the-terminator-of-malware/a/d-id/1333976?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

It’s Time to Rethink Your Vendor Questionnaire

To get the most from a vendor management program you must trust, then verify. These six best practices are a good place to begin.

Questionnaires are a vital part of understanding how your vendors manage cybersecurity risk; they’ll help you understand the investments your vendors have made for positive risk outcomes across people, processes, and technology. They’re especially useful because, frankly, there are some questions you can’t get answers to unless you ask.

Yet as valuable as questionnaires are for assessing third-party risk, they have shortcomings. Here are best practices that can enhance your third-party risk program and get the most value from your vendor questionnaire process.

Challenge #1: Longer questionnaires mean greater costs.
The length of a questionnaire has financial implications. For example, according to a study by RiskRecon, each additional security assessment question can cost anywhere from $11.62 to $34 — that’s a huge range. (The range is due to economies of scale related to asking questions. The more questions you ask, the lower the cost to add an additional question to the questionnaire.) Add another $10,000 if you conduct an on-site visit. Long questionnaires can also take a long time for the vendor to answer, which can slow down your business.

Best Practices: 
Know the scope of what you’re asking.

  • Only ask questions you need answered. Don’t ask questions that are irrelevant to the relationship you have with your vendor.
  • Understand whether a standards-based questionnaire is right for your organization or whether you need to develop a custom one.

Challenge #2: Questionnaires don’t always show you reality.
Your vendors don’t know what they don’t know, and neither do you! That’s a problem because you trust your vendors to give accurate answers — not just best guesses. Questionnaires are inherently biased because they’re answered by the enterprise being assessed, so you’ll never receive fully objective answers.

Best Practices: 
Trust, but verify.

  • Require your vendors to provide objective evidence of information security performance. This can include reports of independent network and web application security assessments.
  • Leverage cybersecurity risk ratings data to gain objective verification of a large swath of the assessment criteria. In our experience, risk ratings data can objectively verify between 25% and 55% of assessment questions. For example, a common assessment question is “Do you encrypt email communications?” Cybersecurity risk rating providers can discover the vendor’s email servers and check to see if it implements email encryption through STARTTLS.
  • Use open source intelligence — providers can describe the quality of your vendors’ cybersecurity based on passive observation.
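The STARTTLS check mentioned above is the kind of objective verification a rating provider performs. As an added example, not code from the article or from RiskRecon, here is a small Python script that parses an SMTP EHLO reply for the STARTTLS extension; the EHLO transcripts are constructed samples, and the optional live probe assumes you are authorised to assess the host and uses only the standard-library smtplib.

```python
"""Check whether an SMTP server advertises STARTTLS in its EHLO reply.

Constructed sample transcripts are embedded so the parser runs offline;
the live probe is a convenience wrapper around smtplib (assumed usage,
not the article's own tooling).
"""
import smtplib
from typing import Dict, List

# Constructed sample EHLO replies (not captured from any real vendor).
EHLO_WITH_STARTTLS = """250-mail.example-vendor.test Hello probe.example.test
250-SIZE 52428800
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 PIPELINING
"""

EHLO_WITHOUT_STARTTLS = """250-mail.example-vendor.test Hello probe.example.test
250-SIZE 52428800
250 8BITMIME
"""


def parse_ehlo_capabilities(reply: str) -> Dict[str, List[str]]:
    """Parse the multi-line 250 reply to EHLO (RFC 5321, section 4.1.1.1).

    Intermediate lines are '250-KEYWORD [params]', the final line is
    '250 KEYWORD [params]'. The first line carries the server greeting,
    not a capability, so it is skipped. Keywords are case-insensitive
    and are returned upper-cased, mapped to their parameter list.
    """
    caps: Dict[str, List[str]] = {}
    lines = [ln.rstrip("\r") for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:  # skip the greeting line
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"malformed EHLO reply line: {line!r}")
        body = line[4:].strip()
        if not body:
            continue
        keyword, *params = body.split()
        caps[keyword.upper()] = params
    return caps


def advertises_starttls(reply: str) -> bool:
    """True if the EHLO reply lists the STARTTLS extension (RFC 3207)."""
    return "STARTTLS" in parse_ehlo_capabilities(reply)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live variant for a mail host you are authorised to assess.

    Opens a plain SMTP session, sends EHLO, and reports whether the server
    offers STARTTLS. No mail is sent and no TLS handshake is attempted.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected by {host}: {code}")
        return smtp.has_extn("starttls")


if __name__ == "__main__":
    for label, reply in (("with", EHLO_WITH_STARTTLS), ("without", EHLO_WITHOUT_STARTTLS)):
        print(f"{label}: STARTTLS advertised = {advertises_starttls(reply)}")
```

Advertising STARTTLS only shows the server offers opportunistic TLS; it says nothing about certificate validity or whether the vendor enforces encryption with MTA-STS or DANE, so treat a positive result as partial evidence for the questionnaire answer rather than proof.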

Challenge #3: Questionnaires are typically administered at a fixed frequency.
The classic approach to assessing third parties is to divide vendors into inherent risk tiers (high, medium, low, etc.) and then establish a fixed frequency administration schedule. The problem here is that you’re allocating risk resources without regard to risk: Vendors managing risk well are allocated the same assessment resources as vendors that are managing poorly.

The frequency of questionnaires should instead be based on known vendor performance.

Best Practices:
Instead of assessing vendors at the same frequency (for example, all high-risk vendors annually), make the assessment frequency part of your assessment strategy.

  • Determine assessment frequency based on residual risk rather than inherent risk.
  • Continually monitor your vendors’ ratings and adjust your assessment schedules accordingly.
  • Establish the best frequency for your objectives.

Challenge #4: Questionnaires are generic, but your vendors aren’t.
If you want to get the most out of a questionnaire, make sure you ask the right questions based on your relationship with the vendor. The idea is to shape the questionnaire to the risk context that you’re analyzing. Not every question will apply to every vendor; more importantly, you’ll want to ask some vendors additional questions that won’t apply to others.

Best Practices:
Know your vendor, then shape the questionnaire accordingly.

  • Use the questionnaire to target the data you’re most interested in; don’t waste time gathering information you already have.

Challenge #5: Questionnaire-based assessments are infrequent.
Because questionnaires have to be administered by a person in your company and responded to by a person in the other company, it takes time to complete the entire process. In the meantime, entire digital ecosystems can emerge and change. New vulnerabilities can arise.

Best Practices:
Use cyber-risk ratings — they’ll tell you if vulnerability management performance is degrading, if your vendor has systems behaving maliciously on the Internet, and reveal a host of other issues.

  • Don’t only rely on a vendor questionnaire; make a cybersecurity risk rating platform an integral part of your third-party vendor security investigation.

Challenge #6: Know which questions to ask.
Even if the vendor knows everything there is to know about its security (which never happens), the onus is on you to ask the correct questions. Let’s say you want to know if your vendor is managing all of your assets. Consider two questions: “Do you track systems in a configuration management database?” and “How do you ensure that you have a complete inventory of all of your systems?” The first question will tell you that it bought some software that’s helpful for managing assets but shows nothing about whether or not it’s tracking all of its assets. The second question, however, forces the vendor to reveal its strategy.

Best Practices:
Craft the question after determining what you want to discover in the answer.

  • Never ask yes/no questions unless they’re very specific. (For instance, “Do you have a CISO responsible for all security aspects of protecting my relationship with you as a critical vendor?”)
  • Ask for details on processes, not just software purchases.

Questionnaires are useful in finding out what vendors have invested in across people, processes, and technology. Still, using questionnaires effectively can be challenging. With some strategic thought and planning, you can get the data you need for good risk outcomes.

  • Know the scope of what you’re asking.
  • Trust, but verify.
  • Instead of assessing vendors at the same frequency (such as all high-risk vendors assessed annually), make the assessment frequency part of your assessment strategy.
  • Know your vendor, then shape the questionnaire accordingly.
  • Craft the question after determining what you want to discover in the answer.


Kelly White is the CEO and co-founder of RiskRecon where he is transforming third-party cyber risk management. Kelly has held various enterprise security roles, including CISO and Director of Information Security for financial services companies. Kelly was also a practice …

Article source: https://www.darkreading.com/threat-intelligence/its-time-to-rethink-your-vendor-questionnaire/a/d-id/1334011?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Meet the New ‘Public-Interest Cybersecurity Technologist’

A grassroots movement is emerging to train high-risk groups and underrepresented communities in cybersecurity protection and skills – all for the public good.

RSA CONFERENCE 2019 – San Francisco – Matt Mitchell was working as a data journalist at The New York Times during the 2013 trial of George Zimmerman, who shot and killed unarmed teenager Trayvon Martin. The case, in which Zimmerman was ultimately acquitted after claiming self-defense, hit Mitchell, who lives in Harlem, close to home. “I needed to do something to help my community,” he says.

Martin’s death represented a tragic escalation in what Mitchell had seen over the years with racial profiling. He had witnessed law enforcement targeting minorities in Harlem using electronic surveillance – automatic license-plate readers, CCTV cameras, and social media activity monitoring. He also knew underrepresented groups who lacked the technology resources needed to know how to secure themselves from online scams and other threats.

So Mitchell created CryptoHarlem, an organization that offers free workshops and training in basic cryptography tools in the mostly African-American community. It also inspired him to build a new, full-time career as a public interest cybersecurity expert. Like many pioneers in security, he had honed some white-hat hacking skills on his own as a teenager. “I was a hacker since I was a kid in the late ’80s. There were no jobs in cyber then: Cybercrime was the only ‘job,’” he recalls.

Mitchell describes himself as “a hacker and a civil rights advocate.” At his day job for a Berlin, Germany-based nonprofit called Tactical Tech, he assists and trains nonprofits, NGOs, and civil society groups in cybersecurity defenses, practices, and skills. “At the end of the day, whether you’re underrepresented or marginalized because of your identity, you’re going to face a lot of threats … and digital threats,” Mitchell says.

Some cybersecurity experts such as Mitchell are answering this new call in their careers to use their hacking and security skills and technology for the public-interest sector. Their work inspired a mini-track here at the RSA Conference this week on public-interest technologists, led by renowned security expert Bruce Schneier, who convinced the conference organizers to host the all-day event.

Schneier, who set up the program in conjunction with the Ford Foundation, points to the legal sector’s tradition of offering pro bono work as a parallel to what cybersecurity potentially could do. “In a major law firm, you are expected to do some percentage of pro bono work. I’d love to have the same thing happen in technology,” he says. “What I want to do … is tell the security community, ‘Look, there is a need. We’re really trying to jump-start this movement.’”

Schneier says this growing public interest tech field currently includes tech policy work for Congress and the Electronic Frontier Foundation, projects such as Tor and Signal for privacy, as well as experts who provide security for nonprofits, such as Human Rights Watch. Johnny Long, a veteran security researcher best known for his pioneering work in Google hacking, also runs a group called Hackers for Charity that donates computers and other technology equipment to underdeveloped nations. It has been in operation for several years now.

Mitchell holds his free workshops in a Harlem community center, where he also helps citizens who have fallen for phishing scams, or want to “protect my grandma” or help their friends organize without risking online harassment or surveillance. He sees his work at CryptoHarlem, funded by the nonprofit Calyx Institute, both as a way to help those most in need of online protection as well as a way to bring diversity to the traditionally white- and male-dominated cybersecurity sector: He also educates and exposes the Harlem community to cybersecurity best practices and helps budding hackers acquire the skills and key certifications for employment.

“It’s not learning to code anymore; it’s learning to hack,” he explains. “I’m part of a community of hundreds of black hackers. You [typically] don’t see them speaking at conferences or employed at corporations. Many are in nonprofits, civil service. I’m serving my community.”

Mitchell, who will speak on the public-interest track this week, admits that a full-time public-interest cybersecurity expert doesn’t command the same salary as a commercial position with a private-sector company or security vendor. Even so, you can make a living at it: “You can make money, but not crazy money,” he says.

‘Canary in a Coal Mine’
There’s also the renowned Citizen Lab, based at the University of Toronto, a research operation that focuses on development, policy, and legal aspects of technology, human rights, and security. There, senior researcher John Scott-Railton studies targeted malware operations, cyber militias, and online disinformation threats to civil society. He says the cybersecurity industry’s traditional approach to protecting end users in high-risk groups has been all about training and individual responsibility rather than offering platforms that better protect them.

But, he says, that’s starting to shift: “[In] a decade we’ve come away with [what] is a strong sense that we really do need to do more to provide security to these high-risk groups,” he says. It’s about “the security of all users,” he adds.

Scott-Railton, who with colleague Bill Marczak discovered how some nations including the United Arab Emirates and Mexico were employing the Pegasus spyware program to target their citizens, says high-risk groups often serve as a “canary in a coal mine” for the next big threats. “What happens to them is often a couple of years before the general population,” he notes.

Help for these communities means providing them with security and privacy training, and investigating cases of online spying and hacking, Scott-Railton says.

Phishing, the most common first step of a cyberattack, could be thwarted with one move by the security industry, he says. “This is something that tech companies could stop tomorrow if they wanted to push out mandatory two-factor authentication at the time of creation and made it as easy to do,” he says. Instead, companies steer clear of adding “friction” to the user experience or degrading performance, he says.

“So, instead, they teach them to spot bad things,” like phishes, and that’s a human error-prone solution, he says.

Security Vendors Get Religion
Some security vendors already offer free products and services to the public. Cisco’s Duo Security provides a free version of its multifactor authentication application, for example. Yubikey donates its encryption keys to CryptoHarlem. Cybersecurity training platform Cybrary offers Mitchell’s group access to free security courses.

[CONTINUED ON PAGE 2]

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/cloud/meet-the-new-public-interest-cybersecurity-technologist/d/d-id/1334073?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple