J2SECOPS WEEKLY NEWS: This week in the J2 CSC, Lest we forget: the insider threat.

Just before midnight last Sunday evening (June 17, 2018), Elon Musk sent an email to all staff. He was dismayed, he said, to learn about a Tesla employee "making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties." However, in information security terms, an insider stole sensitive documents from Tesla. The motive is not as important as the act. It seems that Tesla does not operate adequate least-privilege measures, and does not have an internal traffic monitoring system capable of detecting and blocking the unsanctioned exfiltration of gigabytes of data. This failure has left Tesla with a PR nightmare that it must now manage, and the incident has also had an impact on the company's share price, which dropped more than 6% in trading at the time of writing this.

And with this in mind, enjoy our roundup of stories for this week…


Tesla Breach: Malicious Insider Revenge or Whistleblowing?

Just before midnight last Sunday evening (June 17, 2018), Elon Musk sent an email to all staff. He was dismayed, he said, to learn about a Tesla employee "making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties."

Malicious Insider Revenge or Whistleblowing? |  Kevin Townsend


When Bug Bounty Disclosure goes bad

There are vulnerabilities everywhere. You are a cybersecurity researcher, you follow the bug bounty program process and share your finding responsibly with the vendor, and the vendor fixes the issue - but instead of sending the chopper over to you with a care package, they pretend like you didn't exist. Now what to do?

Vendors, Disclosure, and a bit of WebUSB Madness |  Markus Vervier


How Edward Snowden made us think about and forget the Insider Threat

Five years ago, the news media went into a frenzy after The Guardian revealed details about National Security Agency (NSA) surveillance activities. The news was based on classified documents that former NSA IT contractor Edward Snowden stole while he had privileged access to NSA systems and data. It provided clarity on exactly how powerful the NSA’s information collecting machine was. It also gave new life to the “insider threat.”

Snowden illuminated how nefarious employees and contractors operate. He also cast a shadow over an additional class of insider threat made up of privileged users that includes employees, contractors, partners and executives who operate with their organizations’ best interests in mind. Since Snowden, this “trusted insider” segment has gone underappreciated with respect to the risk it is driving and the resources it deserves.

Five Years Later: Never forget the insider threat | Dtex Systems


J2SECOPS WEEKLY NEWS: This week in the J2 CSC, The Birds and the Bees of Cybersecurity, Security by Design and a compendium of Funny Memes.

I am a massive fan of Jennifer Leggio, who has been in the security industry for 17 years as a marketer, advisor, and writer. Her focus is on security culture, including disclosure, community issues, equality in security, disruptive trends, and even marketing best practices, all subjects very close to my own heart. In a recent write-up she focuses on the key points from her Hack in the Box (HITB) Amsterdam keynote from a few weeks ago and covers some of the marketing fails in information security - including logos and branded vulnerabilities.

What are these, you may ask? Well, basically there are people who work towards reducing harm and those who contribute to harmful outcomes, and the latter tend to lend to all the confusion, fear, uncertainty, and doubt that distracts or disrupts a security practitioner's ability to do his or her job.

Some key points that stand out for me – again Jennifer, this is some great stuff!

  • Speak with your management about creating an ethics or standards board.
  • Express the end state you want is more truth and better security.
  • Share that you are willing to support on a committee to provide guidelines.
  • Company doesn't have a coordinated disclosure policy? Build one.
  • Require credit for your work.
  • Call out marketers, but focus on sharing how to do better vs. focusing just on what sucks.

It needs to be an inclusive and interactive dialogue between technical and non-technical folks, with next steps and outcomes. If we build it, will you come?

And with this in mind, enjoy our roundup of stories for this week…


Where Do Cybersecurity Professionals Come From?

When a Mommy cybersecurity professional and a Daddy cybersecurity professional love each other very much they hug each other in a special way to help each other make little cybersecurity professionals.

If only it were so easy! If it were, we wouldn’t have nearly 2.2 million unfilled cybersecurity jobs on the horizon.

We wouldn’t have millions of kids struggling with online and social media addictions on one end of the spectrum and kids with no access to the Internet on the other. So while the straight answer is, we make them, the less straight answer is how?

Where Do Cybersecurity Professionals Come From? |  Pete Herzog


Security by Design: The Network

Security by design is about designing secure environments with clear goals underpinned by real-world constraints. Realistic assumptions and constraints in terms of the business, personnel, the staffing complement and their abilities, the IT environment and the entire ecosystem are all critical steps in the security by design process.
I really enjoyed this detailed take on the logic behind this very misunderstood concept.

Secure by Design: The Network |  Devon Taylor


The Best and Funniest Security Memes

AlienVault recently ran a contest on Twitter to collect the best InfoSec memes from the community. I really had to chuckle at some of these with the compendium blog on these funny as well as educational security memes. Since her blog on IT jokes from 2015 was so well received, maybe this meme thing will catch on too!

The Best and Funniest Security Memes | Kate Brew


J2SECOPS WEEKLY NEWS: This week in the J2 CSC, CISO job hopping, the Cybersecurity talent shortage how to fix and Cybersecurity Now!

Recent visits and prospective customer engagements have raised a few alarm bells in terms of the actual state of Information Security (Cybersecurity) across industry within South Africa. While conducting CSC 20 Controls reviews, the conversation invariably turns to what has been done to date and why things are taking so long. What needs to be done to fix the identified gaps? This engagement is often a massively enlightening experience for all parties, with the cordial handshakes and nodding of heads in varying degrees of common reference.

Where the wheels tend to come off is when the rubber starts to meet the road; this is where the troubles start. All engagements without exception agree that something has to be done and that it needs to be prioritised, usually according to a set of controls, and then sometime down the line don’t understand why there is no management support and still not enough resources to support the agreed initiatives.

Security is so much more than just a control framework with a set of best practices and activities to address gaps that need to be plugged; security is so much more than compliance or an endless tick and bash exercise. Of course, an organization's Information Security (Cybersecurity) success is a direct result of the CISO (Chief Information Security Officer). An effective CISO can mean the difference between a valuable business function and a state of perpetual firefighting.

Every organization today has to be prepared for the threat of cybersecurity attacks and their crippling effects and destruction from both the inside out and the outside in. Just look at the news stories that regularly arise from the most current breach or the loss of operations due to a breach and service disruption, like shadow IT, poor IT hygiene, account take over, end user negligence, password reuse and ransomware, or malware attack. As a result, organizations are sharing more of their operational budgets on cybersecurity in extremely reactive ways to fight these growing incidents. Many organizations face these challenges in developing their cybersecurity program: establishing a full security program is expensive and the talent to execute the program is hard to find and retain.

Unfortunately, many CISOs, myself included, have a relatively short shelf life and, based on recent industry research, the average CISO organizational lifespan is anything from 24 to 48 months, with many, not myself included, leaving much sooner. This begs the question: why are CISOs always on the lookout for new opportunities so often? Let’s explore this in this week’s blog; and with this in mind, enjoy our roundup of stories for this week…


Why do CISOs job hop?

Aside from earning more money, CISOs pursue other opportunities when current employers minimize cybersecurity commitments and efforts.
ESG and the Information Systems Security Association (ISSA) sought to answer this question in a recent survey of 343 cybersecurity professionals and ISSA members.
Top 4 reasons why CISOs change jobs frequently

  • 38% of respondents say CISOs change jobs when they are offered higher compensation packages from other organizations. No surprise here, as CISOs are in high demand while the cybersecurity skills shortage has led to continuous salary inflation. Many CISOs are willing to jump ship when presented with an offer they can’t refuse.
  • 36% of respondents say CISOs change jobs when their current employer does not have a corporate culture that emphasizes cybersecurity. Given the job market for CISOs, don’t expect cybersecurity leaders to simply go through the motions if the corporation isn’t committed to the cause.
  • 34% of respondents say CISOs change jobs when they are not active participants with executive management and the board of directors. CISOs are business managers who oversee a technology discipline. The data indicates that they will quickly fly the coop when they are treated as glorified system administrators.
  • 31% of respondents say CISOs change jobs when cybersecurity budgets are not commensurate with the organization’s size or industry. As hard as it is to believe in 2018, there are still plenty of organizations willing to nickel and dime the CISO and settle for “good enough” security. This isn’t a strategy for long-term CISO retention or strong cybersecurity for that matter.

Why do CISOs change jobs so frequently? |  Jon Oltsik


Cybersecurity Has a Serious Talent Shortage. How to Fix It

Businesses tend to look for people with traditional technology credentials — degrees in tech fields, for example. Security is truly everyone’s issue; with every aspect of personal and professional data at risk all the time. So why limit security positions to people with BTech and four-year computer science degrees, when we desperately need varied skills across so many different industries? Businesses should open up to applicants whose non-traditional backgrounds mean they could bring new ideas to the position and the challenge of improving cybersecurity.

Cybersecurity Has a Serious Talent Shortage. |  Marc van Zadelhoff


4 places to find cybersecurity talent in your own organization

Organizations are missing opportunities to cultivate inside talent who may lack experience but already know the business and have the fundamental skills to succeed in cybersecurity.

Companies are scrambling to fill cybersecurity positions. Some 41 percent of CIOs surveyed by recruiting firm Robert Half Technology say that cybersecurity skills are in the greatest demand in their organizations. The non-profit organization (ISC)2, which provides information security education and certifications, predicts a worldwide shortfall of 1.8 million cybersecurity workers by 2022, 20 percent more than was predicted in 2015.

  • First, lower expectations
    Organizations have become overly ambitious in their job descriptions that profile the ideal candidate. Companies must open up their demands, engage the HR department and unplug some of the more strict requirements, such as [requiring] a degree in computer science or x number of years of information security experience, which tend to overlook people in the process of achieving qualifications.
  • Mid- and late-career employees
    Research firm Forrester sees a trend where large organizations are creating their own contingent labour pools using alumni or company retirees. Nike, for instance, has already adopted a self-sourcing model for temporary IT workers.
  • Women
    Women represent only 11 percent of the global information security workforce today, according to a global study by (ISC)2, and they represent a large and talented labour pool for cybersecurity positions. Women in cybersecurity today enter the profession with higher education levels than men. Half of women in the profession have a master’s degree or higher, compared to 45 percent of men. Globally, 42 percent of the women have undergraduate degrees in computer and information sciences compared to 48 percent of men. Among Millennials, 52 percent of women younger than 29 have computer science undergraduate degrees. The study recommends that more professional support, sponsorships and mentorships are needed for women in security and risk management.
  • IT internships
    Most companies offer IT internships for soon-to-be university or college graduates, but interns with an interest in or aptitude for cybersecurity skills should be sought out early and courted. If a year down the road they’re not happy, you’re going to lose them.

4 places to find cybersecurity talent in your own organization | Stacy Collett


Why you need to focus on Cybersecurity Now!

Cyber security is the technologies and processes designed to protect networks, computers, programmes and data from attack, theft or damage. Personal information, intellectual property, big data and mergers & acquisitions information are common targets for cyber criminals.
Companies are strengthening their cyber security teams to enhance their capability to respond to the General Data Protection Regulations (GDPR). Companies are liable for any security breaches. Fines through the new regulation can be up to 4% of their annual turnover, if a company is found to not have sufficient active information security risk and contingency plans in place to protect the personal data with which they have been entrusted.

Cyber security a big focus for companies | Robert Walters

Or you could outsource – Talk to us!


J2SECOPS WEEKLY NEWS: This week in the J2 CSC, I’ll take the win, especially considering how few and far between victories can be; as we look at collaboration and its positive inroads into global Cybersecurity ills.

I received an Email this morning from a long-time customer, you know the one, the potentially dreaded: “We have been compromised!”, which quickly took a really unexpected turn. I don’t think we as Cybersecurity professionals spend enough time discussing the wins; I think we spend way too much time on the losses.

The email had the Subject Line: “Thank You” and ominously started with: “Gentlemen,”

It then continued: “As you know, we successfully (and highly so) thwarted a potential Ransomware attack. The succinct and active automated response from our technology platforms along with J2, promptly followed by mails and calls from your team”.

“This in itself is a testament to the phenomenal service and response time of j2, but upon further inspection, it would appear that the Ransomware in question had its latest update on the same day as the detection date, which means not only did we as Security Team respond and stop a potential catastrophe, it was with a zero-day attack!”

It finally concluded: “Hats off to your team, it has been, is and will be for a long time to come, an absolute pleasure to partner with you on our digital security adventure.”

My first thought was back to the conversation when this incident occurred, and that my first instinct at the time was to think about all the things that could have gone wrong, to better understand the attack vectors, what could have been done differently and what we could have done better. Then I had a moment of enlightenment: this was a win! Through a combination of technology, people and specifically collaboration, automation or AI, we were collectively able to thwart the attack, so we should take a moment to enjoy this brief moment in time.

So this one goes out to all the crazy ones, the misfits, the rebels, the troublemakers and customers that have to put up with this mad lot and that get up each and every day and fight the good fight.

I think the quote by Rob Siltanen is quite appropriate to celebrate this one small step:
“Here's to the crazy ones. The misfits. The rebels. The troublemakers. The round pegs in the square holes. The ones who see things differently.
They're not fond of rules. And they have no respect for the status quo. You can quote them, disagree with them, glorify or vilify them.
About the only thing you can't do is ignore them. Because they change things. They push the human race forward. And while some may see them as the crazy ones, we see genius.
Because the people who are crazy enough to think they can change the world, are the ones who do.”

I’ll take the win!

And with this in mind, enjoy our roundup of stories for this week…

When Data-Centric Security is the “Secret Sauce” of Cybersecurity

As the name implies, data-centric security protects information at the data level instead of just protecting devices, applications and the perimeter. Data-centric security allows companies to automatically enforce adaptive usage controls on sensitive information, and critical systems; not only controlling who can access information, but what actions (view, edit, copy, print, share or screen share) are allowed once access is given and from which device or geo.

Collaboration is essential - from working with vendors to third-party contractors, it is key to getting the job done and staying competitive.
While data security may not be equally top of mind for companies across all industries, the proof is in the numbers - companies in every industry must be prepared.

Protecting Your ‘Secret Sauce’ - Why Data-Centric Security Is Key | Vishal Gupta


Cybersecurity collaboration is key to dark web deterrent

Vigilance remains high as cyber intelligence experts anticipate the next big ransomware threat.
As well as adding more patches, experts say companies and public bodies need to collaborate more to tackle the threat from leaked cyber weapons.
It is estimated that at least a dozen NSA tools are being discussed and worked on by hacking forums on the dark web.

Cyber security collaboration is key to dark web deterrent |  The Financial Times


Cyber security demands change in approach

We are already witnessing a coming together of technologies and their application, such as AI and people, where systems together with people are acting and providing analytic data that indicates ransomware attacks and whether they are successfully exploiting weaknesses within the organisation at this very moment.

Already we are seeing a paradigm shift in incident response which fundamentally differs from our prejudiced understanding. Incidents are already becoming the mere possibility of a breach. Incidents are the proactive insights and remediation through active collaboration between technology, people and AI.

Cyber security demands change in approach | Warwick Ashford


J2SECOPS WEEKLY NEWS: This week in the J2 CSC, Data is breached again, now what? Your legal rights when your personal data gets leaked in South Africa, We can dream can’t we? and what we do in the shadows...

Every moment of every day, we remain connected to the digital world through multiple devices and the sharing of our transactional and personal information across multitudes of applications, connected networks, online businesses and all manner of service providers. Please take a moment and let that sink in. Take a moment to think about the sheer volume of your personally identifiable information that is actually outside of your control, and where and how much of it might be analysed continuously by hordes of bots, AI and good and evil research analyst types. What is known about you and your activities, and what safeguards are followed throughout? Like your daily tracking of your banking payments and incomes, no-one I know is completely aware of or recalls every time their digital persona, such as current address, physical location, username, e-mail and associated passwords, ID numbers or payment mechanisms like PayPal, bitcoin or credit card details, is accessed or used in order to secure a payment or verify access or authorisation to one of their many accounts. In the world that we find ourselves in, we are the subject of much digital footprinting and leave a digital trail in every activity we do. As we are the owners of this digital fingerprint, the questions are: for what purpose is this data collected, shared and used, do we have a solid understanding of this usage and, most importantly, have we provided ongoing consent based on this ongoing usage? Do you know what your recourse is if you feel violated or, “knock on wood”, you are a victim or source of another massive data breach?

Insider threat visibility and detailed linkage to external threat detection and response is key – chat to us we can help; with this in mind, enjoy our roundup of stories for this week…


Your legal rights when your personal data gets leaked in South Africa

In a developing story, iAfrikan.com will be updating us as new information and responses become available. They have already alerted South Africa's Hawks (cybercrime unit) as well as South Africa's Information Regulator on your behalf, if you are part of the breach.

According to a recent article published on iAfrikan.com, another breach has occurred, this time at the South African traffic fines online payments website, ViewFines. In this breach, the personal records of 934,000 South African licensed drivers have been disclosed. Enter Troy Hunt, an Australian security consultant and founder of haveibeenpwned, who worked with iAfrikan.com in researching the data leak and has also been able to positively identify the leaked database as belonging to ViewFines.

Your legal rights when your personal data gets leaked in South Africa |  BusinessTech
South Africa's ViewFines suffered major data leak |  Tefo Mohapi


The Dream of A More Secure Organization

There’s no way of completely ridding your enterprise of all risk. This realization can be an effective motivation to take appropriate measures to dramatically reduce your chances of a leak.
Use this motivation to provide focus and direction, and address your risky behaviours and areas of current incidents as a priority; that may buy you valuable credibility and organisational currency. By integrating these recommendations into your security strategy, you just might be able to add a few more hours of peaceful sleep to your nightly routine. The key is to take proactive steps before it’s too late. Sleep Well.

  • Assume the Worst
    When it comes to storing credentials, assume that your user database will be accessed and copied by criminals. It’s better to go into this with your eyes wide open.
  • Store Credentials the Right Way
    Recommend that all credentials be stored by your corporate and customer-facing applications using a strong password hashing algorithm like bcrypt, Argon2 or scrypt. If you mandate this across the board, you will make potentially leaked credentials nearly useless to criminals. The computational requirements make it infeasible to crack these algorithms (today), therefore any of these hashed passwords that are stolen cannot easily be cracked and used against your customers, limiting your overall liability.
  • Don’t Store Credentials the Wrong Way
    The worst way to store credentials is to use SHA1 or MD5, even with salts. Don’t be fooled by their commonality. They are easily cracked and your customers’ passwords will be revealed in plaintext. Once in plaintext, the criminals have free rein to use and sell them at will, opening up risk to both your organization and your customers.
  • Transform Bad to Good
    Do a thorough scan of your credential stores. If you find any that use SHA1 or MD5, begin to migrate users to one of the stronger hashing algorithms we mentioned earlier. It’s worth the exercise to ensure all of your organization’s credentials are being stored securely and cannot be cracked.
  • Enable Multi-Factor Authentication
    Multi-factor Authentication (MFA) adds another layer of security between your customers’ credentials and the criminals, often squeezing out the less sophisticated and more numerous criminals. While this extra step boosts protection, it could also be perceived as friction for users to log in. Therefore, incentivize customers to implement MFA.
  • Use An Exact Match Solution
    The majority of criminals looking to find vulnerable accounts are relatively inexperienced and make use of simple account takeover (ATO) techniques that can be easily recognized by a variety of solutions. The more sophisticated criminals, however, know how to bypass MFA and other detection solutions. To block both kinds of criminals, use an exact match solution that compares your customers’ passwords to a comprehensive and current database of compromised accounts to see if there’s a match. When there is a match, a password reset is automatically enforced.
  • Promote The Use of a Password Manager
    Take the hassle out of remembering multiple passwords by championing password managers. Password Managers are effective tools to reduce the threat of employees or customers reusing passwords. They make it much easier to select unique strong passwords for every account. While password managers greatly reduce the potential for ATO via password reuse, they should be implemented in conjunction with the other recommendations above.
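
The "Transform Bad to Good" step can be done without forcing resets: scan the store for salted MD5/SHA1 records, then re-hash each user with scrypt at their next successful login, the only moment the plaintext is available. This is an added example, not code from the original article; the `scheme$...` record format and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt work factors for this example; tune them for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
LEGACY = {"md5": hashlib.md5, "sha1": hashlib.sha1}  # schemes to migrate away from


def scrypt_record(password: str) -> str:
    """Build a new record: scrypt$N$r$p$salt_hex$hash_hex with a fresh random salt."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                        p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def legacy_record(scheme: str, password: str, salt: bytes) -> str:
    """Build an old-style record: scheme$salt_hex$hash_hex (salted MD5 or SHA1)."""
    digest = LEGACY[scheme](salt + password.encode()).hexdigest()
    return f"{scheme}${salt.hex()}${digest}"


def verify(record: str, password: str) -> bool:
    """Check a password against either record format, in constant time."""
    fields = record.split("$")
    scheme = fields[0]
    if scheme == "scrypt":
        n, r, p = (int(x) for x in fields[1:4])
        salt, expected = bytes.fromhex(fields[4]), bytes.fromhex(fields[5])
        actual = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                                maxmem=SCRYPT_MAXMEM, dklen=len(expected))
    elif scheme in LEGACY:
        salt, expected = bytes.fromhex(fields[1]), bytes.fromhex(fields[2])
        actual = LEGACY[scheme](salt + password.encode()).digest()
    else:
        return False  # unknown scheme: fail closed
    return hmac.compare_digest(actual, expected)


def weak_accounts(store: dict) -> list:
    """The scan step: list users whose stored record still uses MD5 or SHA1."""
    return sorted(u for u, rec in store.items() if rec.split("$")[0] in LEGACY)


def login(store: dict, user: str, password: str) -> bool:
    """Verify the password; on success, upgrade a legacy record to scrypt in place."""
    record = store.get(user)
    if record is None or not verify(record, password):
        return False
    if record.split("$")[0] in LEGACY:
        store[user] = scrypt_record(password)  # plaintext is only known here
    return True


def constructed_store() -> dict:
    """Constructed sample data: two legacy accounts and one already on scrypt."""
    return {
        "alice": legacy_record("sha1", "correct horse", b"constructed-salt"),
        "bob": legacy_record("md5", "hunter2", b"constructed-salt"),
        "carol": scrypt_record("already-strong"),
    }


if __name__ == "__main__":
    store = constructed_store()
    print("weak before:", weak_accounts(store))
    print("alice login:", login(store, "alice", "correct horse"))
    print("weak after: ", weak_accounts(store))
```

Accounts that never log in again keep their weak record, so the scan result doubles as the list of users who still need a forced reset.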

What we do in the shadows - Dark Networks?

Not all dark web data is the same. There are three distinct communities of actors and special-access sites: low-tier underground forums, higher-tier dark web forums, and dark web markets. These three clusters line up with expert intuition of the dark web, appearing almost as if no other sensible organisation is feasible. Notable discovery of cross-posting between low-tier and higher-tier forums and the results of this Recorded Future research are directly reflected in their product and ontology. This new approach to categorization assists security teams in obtaining targeted, relevant dark web intelligence, facilitates their understanding of threats, and opens a window into the methods, tactics, and motivations of threat actors.

Dark networks: Social network analysis of dark web communities | Adrian Tirados

Copyright © 2018 J2 Software