STE WILLIAMS

FBI issues VPNFilter malware warning, says “REBOOT NOW” [PODCAST]

The FBI just issued a VPNFilter malware warning saying, “Reboot your routers now!”

But why? And will it help?

Kimberly Truong and Paul Ducklin of Sophos investigate in a Sophos Security SOS podcast.

If you enjoy our podcasts, please share them with other people interested in security and privacy, and give us a vote on iTunes and other podcasting directories.

Further reading

Listen and rate via iTunes...
Sophos podcasts on Soundcloud...
RSS feed of Sophos podcasts...

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QbOqGxABeHI/

Epyc fail? We can defeat AMD’s virtual machine encryption, say boffins

German researchers reckon they have devised a method to thwart the security mechanisms AMD’s Epyc server chips use to automatically encrypt virtual machines in memory.

So much so, they said they can exfiltrate plaintext data from an encrypted guest via a hijacked hypervisor and simple HTTP requests to a web server running in a second guest on the same machine.

AMD’s data-center processors, as well as its Ryzen Pro line, support what’s called Secure Encrypted Virtualization. This decrypts and encrypts virtual machines on the fly while stored in RAM so that the host operating system, hypervisor, and any malware on the host computer, cannot snoop on protected VMs. Each virtual machine is assigned an address space ID which is linked to a cryptographic key to cipher and decipher data as it moves between memory and the CPU cores. The key never leaves the system-on-chip, and each VM gets its own key.

That means, in theory, not even a malicious or hijacked hypervisor, kernel, driver, or other privileged code, should be able to inspect the contents of a protected virtual machine, which is a good safety feature for multi-tenant cloud platforms. Now you can be sure that a BOFH isn’t peeking into your guest instance.

However, a technique dubbed SEVered can, it is claimed, be used by a rogue host-level administrator, or malware within a hypervisor, or similar, to bypass SEV protections and copy information out of a customer or user’s virtual machine.

The problem, said Fraunhofer AISEC researchers Mathias Morbitzer, Manuel Huber, Julian Horsch and Sascha Wessel, is that miscreants at the host level can alter a guest’s physical memory mappings, using standard page tables, so that the SEV mechanism fails to properly isolate and scramble parts of the VM in RAM. Here’s the team’s outline of the attack:

With SEVered, we demonstrate that it is nevertheless possible for a malicious HV [hypervisor] to extract all memory of an SEV-encrypted VM [virtual machine] in plaintext. We base SEVered on the observation that the page-wise encryption of main memory lacks integrity protection.

While the VM’s Guest Virtual Address (GVA) to Guest Physical Address (GPA) translation is controlled by the VM itself and opaque to the HV, the HV remains responsible for the Second Level Address Translation (SLAT), meaning that it maintains the VM’s GPA to Host Physical Address (HPA) mapping in main memory. This enables us to change the memory layout of the VM in the HV. We use this capability to trick a service in the VM, such as a web server, into returning arbitrary pages of the VM in plaintext upon the request of a resource from outside.


This is not the first time eggheads have uncovered shortcomings in SEV’s ability to lock down VMs: previous studies have examined how the memory management system can be exploited by hackers to poke inside encrypted guests. Fraunhofer AISEC’s study, emitted on Thursday this week, takes this a step further, demonstrating that, indeed, the entire memory contents of a virtual machine could be pulled by a hypervisor even when SEV is active.

To show this, the researchers set up a test system powered by an AMD Epyc 7251 processor with SEV enabled and Debian GNU/Linux installed, running two services – the Apache web server, and OpenSSH – in separate virtual machines. They then modified the system’s KVM hypervisor to observe when software within a guest accessed physical RAM.

By firing lots of requests at one of the services, such as fetching an HTML webpage from Apache, the hypervisor can see which pages of physical memory are being used to hold the file. It then switches the page mappings so that an encrypted page in another virtual machine is used by Apache to send the requested webpage, and therefore sends the automatically decrypted memory page of the other VM instead.

That means Apache leaks data from another guest. Over time, the team was able to lift a full 2GB of memory from a targeted VM.

“Our evaluation shows that SEVered is feasible in practice and that it can be used to extract the entire memory from a SEV-protected VM within reasonable time,” the researchers wrote. “The results specifically show that critical aspects, such as noise during the identification and the resource stickiness are managed well by SEVered.”

A spokesperson for AMD was not available for comment. The team noted there are a few steps the chipmaker could take, though, to protect the guest-physical to host-physical address translation and so mitigate the described attack.

“The best solution seems to be to provide a full-featured integrity and freshness protection of guest-pages additional to the encryption, as realized in Intel SGX. However, this likely comes with a high silicon cost to protect full VMs compared to SGX enclaves,” they explained.

“A low-cost efficient solution could be to securely combine the hash of the page’s content with the guest-assigned GPA.” ®
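To make the mechanism in the researchers' outline and their proposed fix concrete, here is an added toy model (constructed for this page; it is neither AMD's hardware design nor the Fraunhofer AISEC code). A memory controller encrypts each page under the VM key with the host physical address as tweak, the hypervisor alone owns the GPA-to-HPA table, and a guest web server returns whatever page its GPA currently maps to. With plain encryption the remapped page decrypts transparently; with a tag bound to the guest-assigned GPA, the remap surfaces as an integrity failure. The hash-based cipher and the HMAC tag are stand-ins, not the real AES or any AMD tag format.

```python
"""Toy model of SEV-style page encryption and GPA-bound integrity (constructed example)."""
import hashlib
import hmac
import os
from typing import Optional

PAGE_SIZE = 64  # toy page size in bytes; real pages are 4 KiB


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, hpa: int) -> bytes:
    """Per-page keystream from the VM key and the HPA tweak (stand-in for the real AES)."""
    out = b""
    for block in range(PAGE_SIZE // 32):
        out += hashlib.sha256(key + hpa.to_bytes(8, "big") + bytes([block])).digest()
    return out


class MemoryController:
    """SoC side: the VM key never leaves it. With gpa_bound_integrity=True every page
    also carries a tag over (guest-assigned GPA, ciphertext), the low-cost fix the
    researchers suggest; with False it models encryption without integrity."""

    def __init__(self, gpa_bound_integrity: bool) -> None:
        self.vm_key = os.urandom(32)
        self.tag_key = os.urandom(32)
        self.ram = {}   # HPA -> ciphertext
        self.tags = {}  # HPA -> tag, only maintained when integrity is on
        self.integrity = gpa_bound_integrity

    def _tag(self, gpa: int, ciphertext: bytes) -> bytes:
        return hmac.new(self.tag_key, gpa.to_bytes(8, "big") + ciphertext, hashlib.sha256).digest()

    def guest_write(self, gpa: int, hpa: int, plaintext: bytes) -> None:
        assert len(plaintext) == PAGE_SIZE
        ciphertext = _xor(plaintext, _keystream(self.vm_key, hpa))
        self.ram[hpa] = ciphertext
        if self.integrity:
            self.tags[hpa] = self._tag(gpa, ciphertext)

    def guest_read(self, gpa: int, hpa: int) -> bytes:
        """Transparent decryption on a guest access: the HPA comes from the SLAT entry
        the hypervisor maintains, the GPA from the guest's own page tables."""
        ciphertext = self.ram[hpa]
        if self.integrity and not hmac.compare_digest(self.tags[hpa], self._tag(gpa, ciphertext)):
            raise MemoryError(f"GPA {gpa:#x} is mapped to a page that was not written under it")
        return _xor(ciphertext, _keystream(self.vm_key, hpa))


class Hypervisor:
    """Owns the second-level address translation (GPA -> HPA), which the guest cannot see."""

    def __init__(self) -> None:
        self.slat = {}  # GPA -> HPA


def web_server(ctl: MemoryController, hv: Hypervisor, resource_gpa: int) -> bytes:
    """A guest service that returns the page holding a requested resource."""
    return ctl.guest_read(resource_gpa, hv.slat[resource_gpa])


PUBLIC_GPA, SECRET_GPA = 0x1000, 0x2000
PUBLIC_PAGE = b"<html>index.html: public content</html>".ljust(PAGE_SIZE, b"\0")
SECRET_PAGE = b"private page of the same VM (constructed)".ljust(PAGE_SIZE, b"\0")


def run_scenario(gpa_bound_integrity: bool) -> Optional[bytes]:
    """Returns what the web server hands out after the hypervisor silently points the
    public resource's GPA at the private page's HPA, or None if the SoC refused the read."""
    ctl = MemoryController(gpa_bound_integrity)
    hv = Hypervisor()
    hv.slat[PUBLIC_GPA], hv.slat[SECRET_GPA] = 0x10, 0x20  # legitimate initial mapping
    ctl.guest_write(PUBLIC_GPA, hv.slat[PUBLIC_GPA], PUBLIC_PAGE)
    ctl.guest_write(SECRET_GPA, hv.slat[SECRET_GPA], SECRET_PAGE)
    assert web_server(ctl, hv, PUBLIC_GPA) == PUBLIC_PAGE  # normal service works either way
    hv.slat[PUBLIC_GPA] = hv.slat[SECRET_GPA]  # the SLAT change only the hypervisor can make
    try:
        return web_server(ctl, hv, PUBLIC_GPA)
    except MemoryError:
        return None


if __name__ == "__main__":
    print("plain encryption hands out the other page:", run_scenario(False) == SECRET_PAGE)
    print("GPA-bound tag turns the remap into a fault:", run_scenario(True) is None)
```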


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/25/amd_epyc_sev_vm_encryption_bypass/

Facebook 2FA no longer needs a phone number: here’s how to set it up

We’re big believers in two-factor authentication (2FA) here at Naked Security. With all the account hijackings that have caused so much heartache, headache, stalking and tormenting, we think it’s particularly crucial for services such as Twitter and Facebook – services that have, for better and for worse, fastened themselves to our online lives as tightly as facehuggers in an Alien movie.

We’ve provided guides on how to set up 2FA before, but they came garnished with a big caveat: you’ve had to be comfortable with handing over your phone number to a service that has proved to be a bit butterfingery with users’ personal data.

We 2FA fans have had to live with the trade-off, given that Facebook has required users to have a mobile phone in order to get that second factor via SMS. Because that’s what 2FA is: it’s technology that requires you to prove you are who you say you are to a website or service by using two out of these three things:

  • Something you know – like a password.
  • Something you have – like a numerical key code.
  • Something you are – like a fingerprint.

(For an in-depth, technical discussion of how 2FA works, check out Chester Wisniewski’s 2FA article here.)

But all that required-SMS stuff is now no more. On Wednesday, Facebook announced that it’s made 2FA easier to set up, with a streamlined setup flow that guides you through the process. It’s also now offering other ways to get your second factor besides handing over your phone number.

Facebook’s redesign now makes it easier to use third-party authentication apps – such as, for example, Google Authenticator, Authy, Duo Security, or Sophos Authenticator (here are the links for the iOS and the Android version).

How to set up 2FA on your Facebook account

1) On your computer, log in to your Facebook account. You can click here for Settings, or click the drop down arrow at the top right of the page on the blue notification bar. It’s to the right of the question mark:

2) At the bottom of the menu, click “Settings.” On the next screen, hit “Security and Login” on the menu on the left:

3) Scroll down to Two-Factor Authentication.

4) As you can see in the image above, you now have three choices for 2FA: you can go old-school and use your passcode plus a code from your phone, review a list of devices where you won’t need to use a login code, or get into your apps with special passcodes instead of using your Facebook passcode or login codes.

5) Next, select whether you’d like to use your phone number or an authentication app to add an extra layer of security.

You should choose to use an authenticator app: it’s a safer option.

As we’ve written about before, there are pluses and minuses to either SMS or authenticator apps when it comes to 2FA, but The National Institute of Standards and Technology (NIST) has declared that the age of SMS-based 2FA is over.

A crook can hijack your SMSes with a SIM swap scam. If a crook can convince a mobile phone shop that they’re you, they can get the shop to issue a replacement SIM encoded with your phone number. Your phone will go dead, and theirs will start receiving your calls and messages, including 2FA codes.

We’ve seen SMS at the center of many two-factor hacks, including an incident in August 2016 in which the Telegram accounts of more than a dozen activists, journalists and other people in sensitive positions in Iran were targeted by hackers who intercepted the app’s SMS activation messages.

Facebook hasn’t out and out stuck a fork in SMS-based 2FA just yet, but we will. Say hello to the authenticators instead – it will be easier to do, now that Facebook’s laid out the welcome mat.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WXzB-J9PnDU/

Bridging the Cybersecurity Talent Gap

There’s no one surefire way of fixing the problem, which endangers everyone’s security. There are, however, several options we should try.

Three and a half million. That’s how many unfilled cybersecurity jobs there are expected to be by 2021 — more than the entire population of Iowa — according to Cybersecurity Ventures. It’s also up from 1 million in 2016, a 250% increase in five years, at a time when cybersecurity is becoming even more vital to protecting our way of life.

The industry has been talking about this talent gap for some time, but the speed at which the problem is growing is startling. And unless we do something to address the issue, things will keep getting worse, putting not only the future of the cybersecurity industry at risk but jeopardizing the safety of millions of individuals, businesses, and institutions worldwide.

To cure the problem, we must first understand the root cause. Visibility isn’t the issue — from data protection at Facebook to growing concerns about a new cyber Cold War with Russia, the cybersecurity field has never had a higher profile. And salary can’t be the issue, either — after all, this is an industry where the average annual paycheck is $116,000, roughly three times the national median income for full-time workers and around double what a high school teacher might expect to take home each year.

So, now is the time for us to think outside the box and inspire a new, unprecedented generation of cybersecurity professionals to step forward. And while there is no one sure way of doing so, the good news is that there are plenty of options.

A great place to start is with educating teachers and career guidance counselors about careers in cybersecurity. After all, for many of them, the field simply didn’t exist when they were in school. And if they don’t know what the job entails, how can they inspire young people to consider it? Government initiatives like the Department of Homeland Security’s free cybersecurity lesson plans for teachers can make a big difference, especially if replicated and scaled up with the help of private sector partners.

There’s also some work to do on our industry’s image problem. Far from its reputation as a geeky, siloed, and solely quantitative field, cybersecurity is an interesting, diverse, and — dare I say — sexy career. Highlighting the excitement that comes with a cybersecurity career can help attract people to the industry and reinvent the archetypal image of someone who is a “fit” for it. Cybersecurity requires creativity and collaboration skills as much as coding capabilities. Highlighting the wide range of skills needed could spark a new wave of college graduates from multiple degree disciplines to get into the field. And not just graduates but people currently working in different fields — including sales, client services, and marketing — all of whom possess valuable, transferable skills.

But if a major part of the solution to the talent gap lies with looking beyond traditional recruitment demographics, there is one group deserving particular attention: women. Right now, women represent more than 50% of college graduates in the US but only 10% of cybersecurity professionals. I have lost count of the number of industry conferences and events I’ve attended as an almost-lone female face.

As an industry, we could undoubtedly be doing a lot more to encourage women to join us. From challenging unconscious bias in recruitment to sponsoring cybersecurity-related events for girls in middle school, we need a system that educates and encourages women to consider careers in cybersecurity from an early age and supports them in pursuing it during adulthood.

Of course, I recognize my own role in this, too. Like my female peers across the industry, it’s my duty to be a vocal and active role model in inspiring young women and their parents about the opportunities and benefits of the job I love. I’d like to see more companies follow the example of the place where I work, EY, which sponsors the US Entrepreneur of the Year Awards. Like 2017’s technology category winner, Phyllis Newhouse, CEO of cybersecurity firm Xtreme Solutions, programs like this one can help unlock the talent we need to steer our industry — and others — into the future.

Closing the talent gap is, after all, about the future. As this transformative age continues to digitize the world and move life more online, we need an increasingly eclectic mix of the brightest and best minds, like Newhouse, to stay one step ahead of hackers and cybercriminals who are getting smarter, more determined, and more diverse all the time. 

The current — and growing — talent gap in cybersecurity puts all of us, along with our information, at risk. Unless we act now to close it, the gap itself may well be the least of our worries.

Shelley Westman is currently a Principal/Partner at EY in its Cybersecurity practice, where she has been since joining EY in September 2017. Prior to EY, Shelley served as Senior Vice President, Alliances Field Operations at Protegrity, where she stayed for about a year. … View Full Bio

Article source: https://www.darkreading.com/careers-and-people/bridging-the-cybersecurity-talent-gap/a/d-id/1331858?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

10 Free DevOps-Friendly Security Tools Developers Will Love

Start building an affordable DevSecOps automation toolchain with these free application security tools.

Image Source: Adobe Stock (iQoncept)

One of the key ways to get developers to jump wholeheartedly onto the application security (appsec) bandwagon is to stop making it so darned difficult for them to shoehorn security processes into their daily workflows. A big ingredient to DevSecOps success is an organization’s ability to implement security tools that developers don’t hate.

To do that, organizations need to improve the integration between the security testing suite and all of the rest of the tools developers use to deliver software. The good news is that this kind of integration doesn’t have to break the bank. While it’s probably not possible to do this completely for free, the fact is that some of the most DevOps friendly security tools that integrate well into the continuous integration/continuous delivery (CI/CD) stack also happen to be free.

Here are some promising possibilities.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio

Article source: https://www.darkreading.com/application-security/10-free-devops-friendly-security-tools-developers-will-love/d/d-id/1331876?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Wicked Mirai Brings New Exploits to IoT Botnets

The latest variant of the venerable Mirai botnet malware combines approaches and brings new exploits to the world of IoT security challenges.

It’s hard to keep a bad bot down. That’s just one of the lessons that comes with Wicked Mirai, the latest variation on the Mirai Internet of Things botnet software. In the newest version, multiple payloads are available for delivery in a package that includes at least three new exploits that demonstrate how its developers are continuing to expand its reach.

Researchers at Fortinet recently found this new variation, which they dubbed Wicked Mirai, named for a string within the code that seems to point back to the hacker responsible for the new variant. In looking at the code, they found malware that scans multiple ports on network devices, using open ports to download copies of different payloads depending on which ports are available.

The researchers note that the attack module shows evolution from the original Mirai code. The original relied on brute force attacks, using a theme and variation on “guessing” as a tactic, while the new version relies on a variety of port-related vulnerability exploits, some new and some very old, to gain access to a device.

Once on a system, Wicked Mirai contacts a C&C (command-and-control) server from which it downloads a payload. The payload seems to include something from the Sora, Owari, and Omni Mirai variant families — the specific download appears to have shifted between the three during the time that the researchers have been monitoring the server.

“The Mirai botnet variants we have grown accustomed to seeing are typically used as a ‘land and expand’ exploit kit,” says Dean Weber, CTO of Mocana, explaining that the code would hit a system and then pivot to infecting other devices on the network rather than immediately download malware payloads.

Wicked looks for specific vulnerabilities on a platform that the botnet can exploit. The reason for this tactical evolution is simple. “The bottom line is that this allows the botnet controllers to have a faster compromise time, which in the end, allows for the botnet to come online faster,” Weber says.

Wicked has also added IoT persistence to its toolkit, making the malware part of the IoT devices it infects beyond the occasional reboot seen in IoT networks. “The ability to achieve this level of persistence, combined with the ease of infection in the first place, is another example of why DDoS attacks continue to be on the rise,” says Sean Newman, director of product management at Fortinet.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/iot/wicked-mirai-brings-new-exploits-to-iot-botnets/d/d-id/1331903?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Privacy Group: Facebook, Google Policies Break GDPR Laws

Nonprofit ‘None of Your Business’ files complaints against Facebook, Google, WhatsApp, and Instagram.

Privacy activists are taking aim at major tech companies they argue are noncompliant with Europe’s new General Data Privacy Regulation (GDPR), which came into effect today.

Nonprofit organization None of Your Business (NYOB), founded by Austrian Facebook litigant Max Schrems, has filed official data protection complaints against Google, Facebook, WhatsApp, and Instagram. Schrems created NYOB to fight back against companies that break GDPR rules, which state companies can only process users’ data with legal justification.

There are multiple justifications for processing users’ data, including consent, the GDPR states. However, users can’t be forced into submitting their data in order to use a service.

NYOB says Facebook and Google violate GDPR by compelling users to agree to their privacy policies. The regulation is intended to give users a choice about whether to share their data, but the sense of freedom is eliminated when sites prompt people with “consent boxes,” which state a service can no longer be used if the visitor doesn’t consent to their data being processed.

“Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the ‘agree’ button–that’s not a free choice; it more reminds of a North Korean election process,” said Schrems in a statement.

The primary Facebook complaint was filed in Austria; those for Instagram and WhatsApp were filed in Belgium and Germany, respectively. Another case against Google, which argues Android’s consent requirements go against GDPR, has been filed in France.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/endpoint/privacy-group-facebook-google-policies-break-gdpr-laws/d/d-id/1331907?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

GDPR Oddsmakers: Who, Where, When Will Enforcement Hit First?

The GDPR grace period ends today. Experts take their best guesses on when data protection authorities will strike – and what kind of organizations will be first to feel the sting of the EU privacy law.

Alarm bells are ringing. The grace period is over. As of today, supervisory authorities are officially free to lay down enforcement action for the European Union’s General Data Protection Regulation (GDPR). Now come the real questions: who gets hit first, for what, how hard, and when does the hammer drop?

There are probably as many answers to those questions as there are supervisory authorities (SAs), and there are many, notes Omer Tene, vice president and chief knowledge officer of the International Association of Privacy Professionals. Tene points out that there are 28 different EU member states, and not only might they have individual federal authorities, but they may also have a dozen more for individual states – similar to the US system. Different authorities have different priorities and different “appetites” for litigation or punitive action, he says.

They also vary in their staffing and resources. As Michelle Dennedy, chief privacy officer of Cisco, puts it, the privacy field is small enough that almost everyone knows each other by name. While Tene doesn’t think there has been a connection between the size of authorities’ resources and the size of their appetites – some of the smaller ones going after the biggest companies in the past – Dennedy maintains it could affect the number of organizations they investigate.

GDPR sets down new rules about consent, requiring organizations to obtain individuals’ consent to collect, store, use, share, transmit, or sell their personal information for any reason – and an individual can withdraw that consent at any time, meaning that the organization must retrieve and destroy information as necessary. It includes rules about information security, including pseudonymization, encryption, and multi-factor authentication.

The law applies to the data of EU citizens, regardless of where the data resides, so it affects organizations across the globe.   

If you’ve started your compliance process but aren’t finished, you might not need to lose sleep. Yet. 

“I don’t think regulators are necessarily trying to play ‘gotcha,'” says Greg Sparrow, senior vice president and general manager of CompliancePoint. Rather than trying to stick it to the organizations that don’t have every control for every article in place yet, he says they’re looking for “willful neglect” and “blatant disregard” for the law and its intent.

Dennedy agrees. “A good will effort [to comply] is worth a lot. … You’re definitely going to help limit your risk [of punitive action], and more importantly you’re going to go a long way with your customers,” she says.

Don’t get too comfortable, though. The experts agree the enforcement actions – at least investigations – will come and come quickly. How quickly, and to whom? Here are the experts’ best guesses: 

1. Individual Citizens (and ‘Trolls’) Press the Issue 

Individual citizens can also bring their civil cases against companies under GDPR, without waiting for the nation-state supervisory authorities to take the lead. Tene says that is another question mark for GDPR: what will individual complaints look like, and what impact will they have. 

The first volley has already been launched. Privacy group noyb.eu, led by activist Max Schrems, filed complaints against Facebook, Google, Instagram, and WhatsApp today. The companies are accused of forcing users to consent to targeted advertising to use the services, without being given a genuinely free choice.

“We are hearing from our advisors and customers, of increased occurrences of ‘trolls’ that are testing out GDPR readiness with customers,” says 1touch.io CEO and co-founder Zak Rubinstein. “The first cases are likely to be the easiest to prove and will evolve around Data Subject Access Rights. This could take place as early as Q3 this year.”

2. ‘Shadier’ Company Investigated Within a Week, or Sooner 

GDPR gets lots of attention for how it can bloody an organization with fines of 200 million Euro or 4% of global annual revenue. However, like a shark, GDPR has other rows of teeth it can sink into an organization – like orders to stop data processing activity, for example – which could be even more devastating.

It’s these other powers that IAPP’s Tene thinks will be put to most use, particularly against “shadier” companies doing “unwholesome” things with individuals’ private data. He gives Cambridge Analytica as an example as such an organization.

By issuing orders to stop data processing rather than simply leveling fines, Tene says, GDPR can “clear the ecosystem” of organizations that violate individuals’ privacy. Fines may not accomplish the same. “Anti-trust enforcers have had powers to issue fines for years and we still scarcely see those,” he notes. 

Tene says to expect a data protection authority to issue a complaint or begin an investigation against this sort of company within a week or two, maybe even within an hour of when GDPR enforcement goes into effect.

Michael Feiertag, CEO of tCell and former head of products at Okta, notes the same thing. Because there is so much abuse to choose from, the first companies to feel enforcement action will be “smaller EU-based phone and email marketing firms using deceptive techniques to collect personal info from Germans and using it to peddle junk ‘Free pretzel with your Viagra’ offers,” says Feiertag.

He expects authorities to “spend their first years racking up popular wins to build confidence in the new regulatory regime. They will pick a number of truly bad actors and put them out of business with crushing audits, legal proceedings and fines.”

“The interesting wild card is whether the next Cambridge Analytica is discovered soon,” says Feiertag. “If so, I expect an ambitious [supervisory authority] to use its audit powers to disrupt that company’s ability to do business.”

3. Local Precedent-Setters Ready Way for Multinational Giant 

“If I was a regulator, I’d be thinking ‘well my staff hasn’t quadrupled, but we have to have an impact,'” says Cisco’s Dennedy. “So what I wouldn’t do is … have all of them go after an Amazon or a Google on Day One.”

She expects that an authority might choose one multinational “headliner” to investigate and then a cluster of local organizations – focusing on those that handle children’s data or pose public health/security risks, for example. 

CompliancePoint’s Sparrow anticipates the same pattern, for another reason. Enforcing the regulations upon a local entity, where there are “clear uncomplicated lines of jurisdiction,” he says, makes it easier to establish legal precedent.

“That sounds like perfect logic to me,” says Tene. “Maybe a nice halibut before your Moby Dick.” He notes, though, that these “halibuts” might actually be pretty big fish, locally. They might be household names in the region – major banks, healthcare facilities, or telecoms – but unknown internationally. 

4. A Tech Giant (Ahem, Facebook) Gets Audited Right Away

Experts do not think it will be too long before Moby Dick does get a call from the investigators, though.

“Within the next six months,” an investigation will launch, if not an enforcement action, says Sparrow. “They’re going to hit while they’ve got momentum. Facebook would likely be the top of the list.”

“Facebook and Google will get the call,” says tCell’s Feiertag.

Feiertag expects that major marketing or technology companies will be given “spot checks” on their compliance efforts soon, but not in anticipation of large enforcement actions. 

“The vast majority of these organizations are attempting to comply with the law” as they understand its meaning, he says. “The audits won’t find much, but will begin to establish accepted practices and to ensure that the law continues to be followed.”

Sparrow, however, says, “I do think Facebook is a little at risk.”

He noted that European regulators are “not afraid at all” to go after Silicon Valley tech giants, and that just this week Mark Zuckerberg told European Parliament in Brussels “We do expect [Facebook] to be fully compliant [with GDPR] on May 25th.” Not just “materially compliant” but “fully compliant” (and just two months after the Cambridge Analytica revelations, too).

“That’s a big assertion by Mark,” says Sparrow, “and you could easily poke holes in that.” 

5. Those With Lax Payment Card Security Will Be Given Just Enough Rope to Hang Themselves With

Payment card data continues to be a popular target with attackers – so companies that are reckless with payment card data will be high on GDPR enforcement authorities’ priority lists, predicts Michael Aminzade, vice president of global compliance and risk services at Trustwave.

“I expect the first enforcement to come from an industry where payment card data is prevalent such as retail, hospitality, or online storefronts in a country where secure code development practices and technologies like EMV chip use is less mature,” says Aminzade.

Aminzade doesn’t expect the authorities to be quick on the draw, however. His guess is that the first action won’t happen for 12 to 24 months. “The European Union along with major industries and other stakeholders knows full well that not everyone is quite ready, so to hammer an organization early on would make less of an impact.”

“The first monetary penalty is sure to sting to make a point, but unlikely to be the maximum – that will come further down the road,” he predicts. 

6. Changing the Way You Use Data

The first hits will come for the most obvious, most tangible offenses: passwords only where there’s supposed to be multi-factor authentication, or an outdated privacy policy that doesn’t pass muster. Eventually, though, GDPR will force fundamental changes to business models, experts say.

“There has been an inordinate amount of focus on the potential fines,” says Dave Lewis, global security advocate at Akamai Technologies. “The reality is that GDPR is very much a push towards ensuring the accountability of the data for which [companies] are stewards.”

Cisco’s Dennedy says that many businesses have more data than they can safely secure, and are coming around to the idea that they just won’t collect it in the first place. Business models were encouraged by the tenet that storage is cheap, but, she says, cheap storage isn’t ultimately a good thing, because it enabled more waste and created uncurated, unstructured data. 

“It’s kind of like that show ‘Hoarders,’” she says. “It’s smelly in there.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/risk/compliance/gdpr-oddsmakers-who-where-when-will-enforcement-hit-first-/d/d-id/1331898?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Android Malware Comes Baked into Some New Tablets, Phones

Ad-loading malware is being built into the firmware and operating system of some new tablets and phones from three major manufacturers.

Malware could be one of the features of your fancy new Android tablet. According to researchers at Avast, this malware isn’t just pre-loaded: it’s fully baked in.

Some phones and tablets from ZTE, Archos, and myPhone are coming with malware called Cosiloon pre-installed. It’s an ad loader, and while it loads ads rather than steals information, it’s also impossible to fully eradicate since it’s built into the firmware of the infected devices.

There are two “dropper” apps that load ads over Web pages or games. One of the droppers is built into the firmware of the devices while the other is completely integrated into the operating system. Once active, they download ad presentation software that is highly sophisticated and thoroughly obfuscated, making the entire operation impossible to eradicate and very difficult to mitigate.

Avast found the malware on more than 18,000 devices in more than 100 countries. Most of the devices affected are not certified by Google, which is looking into remedies. Google said that as long as the malware is built into the firmware, there’s really very little it can do.

For more, read here and here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/mobile/android-malware-comes-baked-into-some-new-tablets-phones/d/d-id/1331910?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Trump’s blocking of Twitter users declared unconstitutional

A New York judge has banned US President Donald Trump from blocking Twitter users on the grounds that it’s a violation of free-speech rights.

In July, Trump was sued by seven blocked Twitter users who were backed up by the Knight First Amendment Institute at Columbia University. They claimed that the president’s personal Twitter handle, @realDonaldTrump, “is a kind of digital town hall in which the president and his aides use the tweet function to communicate news and information to the public, and members of the public use the reply function to respond to the president and his aides and exchange views with one another”.

The lawsuit, which was filed in the Southern District of New York in July 2017, came a month after the Knight Institute sent a letter threatening legal action on behalf of the seven Twitter users, whom Trump had blocked after they disagreed with, criticized or mocked him or his actions as president.

In the letter, the institute had said that being blocked by the president “suppresses speech in a number of ways”.

From the letter:

This Twitter account operates as a ‘designated public forum’ for First Amendment purposes, and accordingly the viewpoint-based blocking of our clients is unconstitutional. We ask that you unblock them and any others who have been blocked for similar reasons.

On Wednesday, the BBC reported that Manhattan District Judge Naomi Reice Buchwald agreed with the plaintiffs. She said that Trump’s blocking access to his @realDonaldTrump account constitutes a violation of the right to free speech.

From the judge’s decision:

This case requires us to consider whether a public official may, consistent with the First Amendment, ‘block’ a person from his Twitter account in response to the political views that person has expressed, and whether the analysis differs because that public official is the President of the United States.

The answer to both questions is no.

At this point, the @realDonaldTrump account, which Trump created in March 2009, has 52.2m followers. He often uses this personal account to make official announcements, rather than the official US presidential Twitter account, @POTUS.

One of the plaintiffs named in the suit was Holly O’Reilly. Trump blocked her @AynRandPaulRyan account in May 2017 after she posted a GIF captioned “This is pretty much how the whole world sees you.” In the GIF, Pope Francis appears uncomfortable during a meeting with Trump.

A few weeks after the block, O’Reilly wrote a piece for The Washington Post regarding how the block violated her constitutional rights. From her article:

Did I make death threats against him? Did I use foul language or threaten his family?

Of course not.

I told him that the pope looked at him funny – using an animated GIF with some precision papal side eye.

The BBC reports that during the trial, Judge Buchwald had suggested that if the president didn’t like a given post, he could simply mute it. A block is more extreme than a mute: rather than just putting a cone of silence on accounts you don’t like, blocking an account means that the blockee can’t see or respond to the blocker’s tweets.

By muting an account, the president wouldn’t be able to see that user’s tweets, but the user could still see and respond to Trump’s tweets.

Trump wasn’t in court at the time that the judge recommended the mute option.

Now the ball is in the president’s court: will he unblock accounts he’s unconstitutionally blocked?

By June 2017, a running list of such accounts kept by Wired included some high-profile individuals and organisations: for example, on 13 June, 2017, the president blocked the account for VoteVets.org, a group representing over 500,000 veterans, family members and civilian supporters. Shortly thereafter, Trump also blocked the novelist Stephen King.

The judge suggested that the president could face legal action if he doesn’t lift his blocks. She wrote:

Because all government officials are presumed to follow the law once the judiciary has said what the law is, we must assume that the President [and his social media director] will remedy the blocking we have held to be unconstitutional.
Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2Bbz9Lc_dxU/