STE WILLIAMS

7 Ways to Protect Against Cryptomining Attacks

Implementing basic security hygiene can go a long way in ensuring your systems and website don’t get hijacked.

Image Source: Ebtikar via Shutterstock


Cybercriminals are increasingly hijacking enterprise systems and websites for cryptocurrency mining.

Crowdstrike and several other security vendors have recently reported incidents where businesses have suffered serious application – and operational – disruptions after attackers took over their systems to mine for Monero, and to a lesser extent, other digital currencies like Ethereum and Zcash.

In many other instances, criminals are surreptitiously installing cryptominers on websites and hijacking systems belonging to people visiting the sites.

Unlike ransomware and other malware, cryptominers are often legitimate software tools that are not always detected by anti-malware products. Since the only thing they do is use a system’s CPU resources to crunch algorithms, cryptomining tools can sometimes run invisibly without anyone detecting them. Many cryptomining tools deliberately throttle CPU and power usage so their presence on a system becomes even more unobtrusive. In fact, performance slowdowns often are the only indication that a computer has been hijacked for cryptocurrency mining.

Like many other unwanted software tools, cryptocurrency-mining software presents a threat mainly to organizations that fail to follow basic and long-prescribed security hygiene. The tools are distributed like any other malware product, and protecting against them requires the same measures.

Here are some of the best practices you should already be following to protect against cryptomining tools – and any malware.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/cloud/7-ways-to-protect-against-cryptomining-attacks/d/d-id/1331301?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

5 Ways to Get Ready for Public Cloud Deployment

Syncing security and product development early is now a “must do.”

For many organizations, the public cloud has become the sole route to market for new product introductions. This cloud infrastructure is owned and managed by a third party, freeing up the organization from the maintenance and cost that comes with a private cloud setup. With that, speed and scale are the main reasons why developers are moving to the public cloud, and now is the best time for security teams to tighten their partnerships with product development and IT teams.

Although native public cloud controls provide basic infrastructure security, enterprises are still responsible for securing the data they put in the cloud. For this reason, it’s important for security teams to get involved with product development early on to make sure that security considerations are baked into the product at all stages — well before the products ever reach the hands of customers.

Here are the top five things security teams should focus on when entering this next phase of public cloud deployment.

1. Demonstrate How Partnering with Security Teams Speeds Up the Product Development Process
A common misconception is that security teams slow down the product development process with seemingly unnecessary requirements and recommendations. However, the real concern should be how any redesign after a launch will slow down business processes and, ultimately, break customers’ trust. Product teams that engage with their security teams early on — beginning with the ideation phase and continuing throughout the product development cycle — will enjoy a more effective process for new product introductions. By sitting side by side with product development and making security a truly integral part of the entire process, security teams can demonstrate the positive impact of identifying appropriate security requirements, understand the overall architecture, and be ready to go into production with confidence.

2. Understand the Development Life Cycle
How teams approach product development can vary from group to group and even from product to product. Security teams that invest in understanding each group’s product development approach will gain a valuable understanding of the security controls that are needed to effectively defend against malicious activities. By making the entire product team aware of what’s needed from a security perspective during product discussions, there’s a better chance for collaboration when it comes time to do threat modeling, building in the right security capabilities, identifying the requirements for security testing, and pinpointing what the security operations team should be monitoring after the product is launched. Having these conversations directly with the product development team solves the significant problem of how to protect your data and your customers’ data downstream.

3. Incorporate Testing Before and After Launch
There are no shortcuts when it comes to continuous testing, and it’s unfortunately an often-overlooked part of the security stack. Before any product is made available to customers, you’ll want to find issues before attackers do. A focus on testing is critical at all stages, and you will want to continue testing even after the product is live and deployed in the cloud. It’s important for security and product development teams to understand that public cloud offers different types of services, from computing and storage to analytics, and each of these services has a unique set of security implications and threat scenarios that must be tested and solved for.

4. Ensure Continued Visibility
Security operations teams need to monitor activity in a way that is prevention-focused to stay one step ahead of adversaries. Many of the threat patterns remain the same for cloud-hosted workloads, but the conventional preventive measures used to thwart such threats don’t easily apply. When moving products to the cloud, security teams need to identify mechanisms to achieve high-fidelity threat detection within the cloud and ensure continued visibility. With visibility, you can prevent attacks and ensure strong capabilities to combat sophisticated tools and tactics. By establishing the right logging and monitoring capabilities from initial design phases, you can leverage automation and other innovative technologies and processes, and set teams up for success.

5. Have Comprehensive Playbooks and an Incident Response Plan
There’s no question that cloud security is now a board-level discussion. As security breaches continue to have outsize financial impact on organizations in all industries, executives and board members understand that cybersecurity threats are material risks that must be mitigated. It’s essential that cybersecurity leadership have an open dialogue with the C-suite about material risks to the business, and form detailed advance response plans to counter and manage the scenarios most likely to occur.

Understand the key stakeholders when it comes to deployment in the public cloud — and how these individuals should be engaged if an incident does happen. With comprehensive playbooks and an incident response plan in place well before any incidents occur, the security team can work with stakeholders to be prepared to address the attack surface in the public cloud environment.


Rinki Sethi is Senior Director of Security Operations and Strategy at Palo Alto Networks. She is responsible for building a world-class security operations center that includes capabilities such as threat management, security monitoring, and threat intelligence. Rinki is also …

Article source: https://www.darkreading.com/cloud/5-ways-to-get-ready-for-public-cloud-deployment/a/d-id/1331313?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US Federal Spending Bill Includes $380 Million for Securing Election Systems

Spending bill includes election technology grants for states to shore up security of their voting systems, reports say.

Congress has included $380 million for election cybersecurity in its new omnibus spending package, marking the legislative branch’s first official move toward improving security of the voting and election systems in the wake of concerns over Russian meddling in the 2016 race, Reuters reports.

The funding would include election technology grants for states to better lock down their election systems, according to a report in The Hill. The bill also is expected to include additional funding for the FBI – $307 million – in its efforts to battle Russian nation-state cyberattackers.

Also in the package is $26 million for the US Department of Homeland Security’s cybersecurity unit for its programs helping states lock down their election systems.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/us-federal-spending-bill-includes-$380-million-for-securing-election-systems/d/d-id/1331340?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Internet Society: Cryptocurrency probably not an identity system

Too many cryptocurrency people are trying to force-fit blockchain technology into identity solutions, when ID needs its own solutions.

That’s the opinion of Steve Wilson of Lockstep Consulting, who this month co-authored a paper on identity for the Internet Society: Do Blockchains Have Anything to Offer Identity? with Steve Olshansky and contributor Robin Wilon, both of the Internet Society.

Speaking to Vulture South, Wilson said while there are plenty of people advocating “put ID on the blockchain” – usually blockchain experts rather than identity specialists – “it’s very rare for people to come up with a fully-elaborated use-case for identity”.

A transaction, he said, is single and self-contained: Bitcoin’s brilliance was allowing a simple transfer of value between people who may not either know each other, or need to know each other.

In a Bitcoin transaction, identity looks simple: a source wallet and a destination wallet, both of them only identified by a number.

It’s never that simple for real humans, Wilson told El Reg: “Identity is not transactional. It’s a means to an end, anyway, not the end – it’s quite rare for someone to go around identifying themselves all day.”

And that’s in spite of a simple truth, that in different circumstances, “Richard Chirgwin” will name not one, but many identities.

“The day in the life of an identity is much more complicated than people think,” he said.

Even “authentication” is multifaceted, he said: “Sometimes you authenticate to register for a service. Other times you authenticate to prove who you are to access the service, or to assert your right to operate a service (for example, the PIN that unlocks a phone)”.

Someone who’s identified themselves to their banking application, and who’s then authenticated themselves to access the application, might have to re-authenticate for a transaction the bank considers high-risk.

“These things are all slightly different when you give them a squeeze, and it’s not clear which of them have a natural fit with the blockchain”, Wilson said.

There’s another way in which the cryptocurrency blockchain model is at odds with identity services, Wilson said: the question of mining.

Mining has a specific purpose in Bitcoin and its cryptocurrency cousins: it’s the incentive that gets people trying to win the lottery of getting another Bitcoin into circulation.

Leaving aside the question of energy, Wilson said, it was a brilliant conception turned into a dystopia by the mining consortia, “bullies” that distort the system with a concentration of power.

Creating a new identity entry on (say) Bitcoin would incur a mining cost, but that’s not the only model available. Wilson mentioned more recent initiatives like Hedera (based on the Hashgraph algorithm, with participants maintaining the ledger for small payments), Vera One (a fee-for-service blockchain that charges a few cents per transaction), and others.

Those models are far more transparent than Bitcoin, he said, another important consideration for identity services.

Any identity service needs to handle a few identity primitives at a minimum: adaptability to different types of transactions involving identity, a proof of identity sufficient for registration, access (that is, “it’s me again”), and a permanent (probably PKI-based) signature.

As the paper said, these kinds of requirements are “fundamentally different from that of enterprise IAM [identity and access management], which typically requires much more rigorous key lifecycle management and access controls than public blockchains offer.” ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/22/internet_society_blockchain_identity/

Holy sweat! Wearables have THREE attack surfaces

Black Hat Asia Wearable devices – and anything that relies on an app to help with configuration – have at least three attack surfaces, and your existing secure development lifecycle probably isn’t going to cope with the complexity that creates.

So said Kavya Racharla, a security research manager for Intel’s Sports Group, and Deep Armor founder and CEO Sumanth Naropanth at the Black Hat Asia conference in Singapore today.

The pair explained that a typical wearable is developed in a hurry – often six months from conception to shipping – which doesn’t leave much time to consider all the possible security SNAFUs.

Wearables themselves have predictable security requirements: they’re computers with storage and a networking connection. But because wearables are for personal use, they can also leak personal data. Racharla said her research has revealed wearables that store the text used for voice prompts in plaintext. If that same file also stores a user’s name, that’s in plaintext too.


Matters are further complicated by the fact that a wearable will often share data with several smartphone apps. One might record data, another control music, while a third sends TXT messages to the app. But the pair explained that Bluetooth shares its signal with all apps on a mobile device, creating potential leakage of personal information intended for consumption by an exercise-tracker into other apps or for malware dedicated to slurping the Bluetooth feed from a wearable device. Such concerns also assume that developers applied proper encryption to the wearable-to-smartphone link and implemented Bluetooth correctly. One slip and … you get the rest.

And then there’s the cloud, where many wearables store data and analyse it so that users [wearers – Ed] can get a picture of their performance. Mistakes as simple as a misconfigured AWS S3 bucket can cause trouble, while a simple XSS attack could expose personal data and even identify an individual wearable device.

To make life even more complicated Naropanth said he knows of circumstances in which a single wearable device has been rebranded by multiple companies, but all data resides in a single database. Under such conditions, developers need to exercise caution so that Nike customers remain separated from Adidas customers, to use Naropanth’s hypothetical example of the risks in play.

Racharla and Naropanth therefore advanced the idea of extensions to common secure development lifecycles to take into account the fast development cycles wearables demand. The pair recommended a development methodology that adds distinct lifecycles for security and privacy, plus the creation of an incident response plan should a wearable be found to be leaking data. That plan means that legal teams will need to be deeply involved in wearable product development.

The pair added that the issues they’ve described aren’t unique to wearables: plenty of industrial devices are now provisioned with a smartphone app, then talk to a local gateway or directly to a multi-tenanted cloud service. Those devices have three attack surfaces, too. And as we all saw when the Mirai botnet sprang up in video cameras, all an attacker needs is one to do bad work. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/22/holy_sweat_wearables_have_three_attack_surfaces/

F-35B Block 4 software upgrades will cost Britain £345m

Britain will spend £345m ($486m) upgrading its F-35B fighter jets to the most recent, combat-ready, version of the aircraft’s operating system.

The figure was indirectly revealed by defence procurement minister Guto Bebb, in response to a Parliamentary question.

“The UK’s contribution will be around 4.5 per cent of F-35 Program common upgrade costs, from which the UK gains 100 per cent of the benefit,” said Bebb in his answer to Plaid Cymru MP Jonathan Edwards.

Figures reported by The Times newspaper pegged US estimates for upgrades to the supersonic stealth fighter at £7.67bn ($10.8bn) for software development and £3.84bn ($5.4bn) for deploying those upgrades across all F-35s ever built.


The sum payable by the UK is for deploying Block 4 of the F-35’s core software to the UK’s jets, which number 15 airframes at the time of writing. As we reported in January, the mishmash of OS versions currently running on the global F-35 fleet has hampered flight testing as ever more bug reports pile up from pilots and maintenance crews.

So far all of the core OS versions developed for the F-35 have been written to get the aircraft through the key tests it has to meet for its formal declaration of Initial Operating Capability (IOC), which is the point where the aircraft, its main sensors and its main weapons can all be used together in a warlike situation. The UK expects to declare IOC for the F-35B in December this year.

Block 4 of the F-35’s core OS is intended to be the final combat-ready version, though, judging by its comments on the previous version, Block 3F, the US Department of Operational Test and Evaluation appear to think this may not be the case.

IOC can be compared to Full Operating Capability (FOC). Think of IOC as similar to Windows’ Safe Mode – it’ll do a handful of core tasks OK but you haven’t got full functionality – and FOC as the whole shebang.

Cost has been an ever-present factor in public discussions about the F-35 project as a whole. The fighter is already expected to be the most expensive military aircraft ever produced, even before any fully operational versions are deployed.

Of public concern in Britain is the Ministry of Defence’s extreme reluctance to confirm simple details such as “are we still buying 138 F-35Bs?”, “how much are we paying for each aircraft?” and “have we accounted for spares and upgrades?”

The answer to the latter question would appear to be “no”, judging by the ominous silence of the MoD.

While Lockheed Martin, the aircraft’s builders, have previously told The Register that they want to get the cost per jet down by 14 per cent, the current price of an F-35B is $121m (i.e. 75 per cent of the 2012 price of $161m, as quoted by the defence procurement minister in February, at the link), which is £85m at current exchange rates.

617 Squadron RAF, the first frontline British F-35B squadron, is scheduled to form up in the UK this summer. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/22/f_35b_block_4_upgrades_cost_uk_345m/

What ends with X and won’t sue security researchers?

If you listen carefully, you’ll hear the sound of a very small ship coming in: Netflix has joined Bugcrowd, offering bounties of up to US$15,000 for vulnerabilities.

The bounty program covers a host of apps and platforms. Netflix Android and iOS mobile apps are included, the various APIs at netflix.com, nine other domains on netflix.com, its *.nflximg.net, nflxext.com, and nflximg.net domains.

Netflix’s announcement explained that the Bugcrowd public launch follows a private program initiated in September 2016, which grew from 100 researchers at the start to more than 700 today.

Since the private launch, Netflix has “attempted to fine tune things like triage quality, response time and researcher interactions to build a quality program that researchers like to participate in”, the post said.

Behave, white hats: Netflix’s rules state that if you access customer information, you have to stop testing and submit the bug. Researchers should also only launch attacks at their own accounts, and (naturally enough) not hose the Netflix servers.

Stay within the bounty’s rules, and Netflix promises not to sue, which is an important consideration in a world where litigation is increasingly deployed to try and silence research rather than fix vulnerabilities.

The company’s full vulnerability disclosure terms are here.

Dropbox also on the ‘we won’t sue’ list

Dropbox has also promised it won’t sue researchers that play nice. The company today published guidelines to give researchers safe harbour.

Dropbox’s Chris Evans wrote that vulnerability researchers have “faced decades of abuse, threats, and bullying”.

Evans has seen it all, apparently, from legal threats, referrals to authorities, attacks on character, abuse of process to gag researchers, and more.

He says Dropbox realised its own disclosure program (at HackerOne) didn’t offer enough protection, so it’s been updated.

Particularly welcome are promises that America’s Computer Fraud and Abuse Act and Digital Millennium Copyright Act won’t be deployed against good-faith security research; and if a third party tries to intervene to block research under the Dropbox project, the company “will make it clear when a researcher was acting in compliance with the policy (and therefore authorised by us)”.

Researchers are instructed that Dropbox won’t negotiate bounties under any kind of duress, and asked to give the company reasonable time to roll out fixes. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/22/netflix_bounty_dropbox_promise/

GandCrab Ransomware Goes ‘Agile’

GandCrab ransomware’s developers have iterated the code rapidly, researchers found.

The relative quiet in ransomware attacks so far in 2018 may be a bit misleading, as ransomware developers have been busy and in some cases moving their craft forward with techniques used in enterprise software development.

According to researchers at Check Point, that’s just what the creators of ransomware variant GandCrab are doing. GandCrab, a fairly recent entrant to the ransomware scene, infected over 50,000 victims and reaped more than $600,000 for attackers in the first two months of this year.

That’s a notable return to the criminals, but it’s not the most significant thing about GandCrab: “The most interesting point, and what makes it different is that the way the ransomware is developed and maintained – the whole approach,” says Michael Kajiloti, team leader of malware research at Check Point.

The way that it’s developed and maintained looks very much like the Agile development discipline used in many enterprise development shops today.

Rather than releasing malware that had been developed and tested for reliability before going public, Kajiloti says that GandCrab’s developers released software with significant flaws – one made it easy to decrypt GandCrab’s encrypted files without paying the ransom – but then rapidly iterated new versions to solve the problems and evade new techniques for detecting the malware.

Jon Clay, director of global threat communications at Trend Micro, says his firm has seen the same sort of behavior in their research of GandCrab. “They’re doing a number of iterations pretty quickly,” he says, noting that, while frequent iteration isn’t completely unheard of, it is unusual in the malware business.

Clay also says that the ransomware’s developers have been improving more than just the encryption and decryption routines. “They improved the persistence of the malware. They’re being more rigorous in their attempts to keep the software on the system,” he explains.

In the beginning, Crab was an under-engineered ransomware that managed to still be effective, according to Check Point. Now, Kajiloti says, “We’ve seen it evolve from simple and messed-up ransomware to something that’s a real threat because it’s becoming harder and harder to find flaws.” And in fixing those flaws, the malware writers acknowledge the “help” of researchers in finding errors and creating new defenses.

Ben Herzog, a malware researcher at Check Point, says, “If you look through their [GandCrab’s developers] logs they are full of the names of researchers so they’re in a constant dialogue with the people researching them. They’ll include the names of researchers in domain names as a way of ‘honoring’ successful takedowns.”

And, in Herzog’s view, that dialogue is part of what makes the GandCrab developers different. “What’s novel is the whole picture,” he says. “We’ve seen them take less than a week to fix decryption flaws and proactively fix flaws that weren’t yet in the wild, so the guys have the capability to release a good product but they chose to go in this method.”

A Criminal Network

One of the other unusual aspects of GandCrab is the way it’s delivered or, in this case, the ways in which it’s delivered. “While they use mal-spam (spam email carrying a malware payload) there are two exploit kits where they’ve added [GandCrab] as a dropper,” Clay says. “They also use a drive-by download campaign and a pirated software bundle that features this. There are four or five arrival vectors. Usually something will use one or two but not all of these in the same campaign.”

A variety of distribution methods is an artifact of the financial model the developers have used, one based on the affiliate model seen in legitimate businesses. Kajiloti says the affiliate model isn’t unique but has been successful. “The authors themselves aren’t the only ones spreading the ransomware – they have affiliates who can buy the ransomware and spread it themselves,” he says.

“Law enforcement tends to go after the attackers, so the back office is less vulnerable. I think this group is using it both for profitability and to obfuscate their existence,” says Clay.

New Old Defense?

Does this new ransomware mean that businesses should look to new defense methods? Check Point has stated that GandCrab is a fifth-generation attack: one that involves multi-vector attacks driving a need for threat prevention rather than simple threat detection. “If you’re asking what to do about ransomware, you’re ahead of the game already. The game is played on the field of being blindsided,” says Herzog.

“Organizations need to continue to do what they need to. Layered security is important,” says Clay, who points out that smaller organizations should be especially diligent. “When they scan the system to encrypt, they look for removable drives, RAM drives, network drives – any and all drives attached to the system. In a small business, all systems tend to be attached to the central server and that could cause real problems,” he explains.

Ultimately, it’s the effectiveness of protection, Clay says. “Organizations need to protect themselves and have a very good layered protection plan in place. Block things at the source versus just focusing on the endpoint: that’s the worst place to detect ransomware,” he says.


Curtis Franklin Jr. is executive editor for technical content at InformationWeek. In this role he oversees product and technology coverage for the publication. In addition he acts as executive producer for InformationWeek Radio and Interop Radio where he works with …

Article source: https://www.darkreading.com/attacks-breaches/gandcrab-ransomware-goes-agile/d/d-id/1331336?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US mulls drafting gray-haired hackers during times of crisis

A US government commission has asked the public for its thoughts on possible changes to the military’s selective service rules to allow the conscription of technical talent, including those with computer-oriented skills, regardless of sex or age.

The National Commission on Military, National, and Public Service, in accordance with the Congress in the 2017 National Defense Authorization Act, has been directed to consider how to encourage more people to participate in military, national and public service, in order to assure national security.

At the behest of Congress, the commission has been directed to solicit public input on possible rule changes. The commission did so in February through a notice published to the Federal Register, the official record of US government actions.

Among the various aspects of the US Selective Service System being re-evaluated is whether it might make sense to change the process to ensure that individuals with technical skills needed for national defense – medical, language, cyber, and science, technology, engineering and mathematics (STEM) skills – are required to register for a possible draft “without regard to age or sex.”

The US Selective Service presently requires men, ages 18 through 25, to register. Bills have been introduced in Congress to require women to register but have not become law.

Any Selective Service changes won’t happen soon – the commission isn’t required to submit its recommendations to the President and Congress until March 2020. But the commission wants to hear from the public by April 19, 2018, via email, web submission form (3,000 characters at most), or postal mail.

Government agencies and the military have had a difficult time attracting individuals with computer skills. In 2014, former FBI director James Comey, for example, suggested the FBI would have to loosen its drug rules to hire pot-smoking hackers, before insisting he was only joking in the wake of criticism.

In any event, the tech talent shortage is said to be serious. The US Department of Homeland Security, for example, supports the US Cyber Challenge, a program “to significantly reduce the shortage in today’s cyber workforce,” by replacing them with semi-smart computer software.

“There is a radical shortage of people with the technical skills that are needed in time of conflict,” Alan Paller, director of research for The SANS Institute, told The Register.

But Paller suggests just changing the rules to cover a broader set of people with cyber skills won’t achieve the desired results.

There’s a very small set of people with the right skills and just calling them up from the private sector then could leave businesses vulnerable, he suggested.

Paller, however, expressed optimism that the cyber talent shortage can be addressed in a few years through the development of programs to identify those with aptitude for cybersecurity.

“The problem has never been the development of the people,” he said. “It has been finding the 10 or 15 per cent of people who are naturals at it.”

Paller pointed to programs like Cyber Discovery in the UK and Girls Go Cyber Start in the US, initiatives that encourage the exploration of cyber security as a career possibility. The latter program, he said, nearly doubled the number of high school girls considering cyber security careers, from 36 per cent before to 70 per cent afterwards.

In a phone interview, Katie Moussouris, the CEO of Luta Security, said the military faces a variety of cyber talent challenges related to both intake of personnel and retention.

“You can’t simply enlist in the military and say I want to focus on cybersecurity,” she said. “Where you end up is not based on willingness or aptitude.”

And then once military personnel gain computer skills, the desire for family life, better pay, and not moving around makes the private sector more attractive, she said.

Moussouris suggests that simply lifting gender and age restrictions for the Selective Service won’t work without cultural and organizational adaptation in the military. “The quarters, the accommodations, and the culture need a transition,” she said, if the military is to achieve greater gender balance.

As for the age limits, Moussouris said it’s an issue because many cyber operations happen in dangerous environments and the military does not want people with physical limitations endangering other team members.

“If there can be more remote advisory positions where you’re given a task and can do it from a non-war zone, the age restrictions can be lifted,” she said. “That would be a way to get the older folks like me who might want to serve involved.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/21/uncle_sam_mulls_drafting_grayhaired_hackers_during_times_of_crisis/

DHS Chief: Election Security Now Top Priority Among Critical Systems

Homeland Security Secretary Kirstjen Nielsen told Congress today that her department is working to assist states with their election systems’ security.

US Department of Homeland Security Secretary Kirstjen Nielsen told the Senate Intelligence Committee today that the agency is “prioritizing election efforts … over all other critical infrastructure sectors” including finance, energy, and communication critical infrastructure.

Nielsen was testifying before the committee in a hearing on election security. The committee yesterday announced recommendations for bolstering the cybersecurity of US election systems, and Reuters reports that Congress is expected to roll out a bill today that earmarks $400 million for election security.

DHS is assisting states in shoring up their cybersecurity, Nielsen told the committee, and more than half of all states already have signed up for DHS’s vulnerability scanning services that pinpoint flaws and security holes in the systems.

Article source: https://www.darkreading.com/cloud/dhs-chief-election-security-now-top-priority-among-critical-systems/d/d-id/1331331?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple