J2SECOPS WEEKLY NEWS: This week in the J2 CSC, so many data breaches and we are seeing that cryptomining is the “new” ransomware.

This has been quite a ride we have been on over the past two weeks: many, many data breaches, and many agree cryptomining is becoming the “new” ransomware. I believe the new business model will most likely be: finding all your data online through a subscription service, detecting it, and removing it. I was also really happy to be stuck indoors this past weekend, with the storms here in Cape Town. Two things I am happy to report: one, the rain! And two, I could stay indoors and catch up on much-needed reading and research! A very happy and contented camper indeed.

And with this in mind, enjoy our roundup of stories for this week…


Want to catch-up on some reading too?


Both McAfee and Kaspersky have released research reports. Both are freely available and don't need you to surrender any details to access them. Some good stuff from the research community.
McAfee's report shows that new coin miner malware jumped a huge 1,189% in quarter one, while new ransomware attacks dropped 32%.
The decline of ransomware and the rise of cryptocurrency mining is a trend that Kaspersky has also seen in its recent report, Ransomware and malicious crypto miners in 2016-2018.

McAfee Labs threats report, June 2018 | McAfee 
Ransomware and malicious crypto miners in 2016-2018 | Securelist


Top Security Concerns On The Minds Of Millennials


So do millennials have the right perspective when it comes to cybersecurity? There are clear advantages to prioritizing these outlooks, rather than spending more money on IT or worrying about the potential of a hack. Additionally, millennials seem more aware and knowledgeable about the nature of cybersecurity, and the digital risks that companies face.

The 4 Top Security Concerns On The Minds Of Millennials |  Larry Alton


A SIEM is a SIEM is a USM Right?


Most other SIEMs come with default content and correlation rules, which are useless because they aren’t aware of what data is coming from the environment. Since our product includes our intrusion detection, asset discovery, vulnerability assessment, and behavioural monitoring in one cloud platform, we can make more effective correlation rules that are applicable across our environments. We have the advantage of knowing where the data is coming from, letting us write correlation rules that will work out of the box. USM also eliminates the work of integrating and maintaining multiple point security products.

SIEM Content Engineer - Why Is It a “Thing”? | Kate Brew


J2SECOPS WEEKLY NEWS: This week in the J2 CSC, Lest we forget: the insider threat.

Just before midnight last Sunday evening (June 17, 2018), Elon Musk sent an email to all staff. He was dismayed, he said, to learn about a Tesla employee "making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties." However, in information security terms, an insider stole sensitive documents from Tesla. The motive is not as important as the act. It seems that Tesla does not operate adequate least-privilege measures, and does not have an internal traffic monitoring system capable of detecting and blocking the unsanctioned exfiltration of gigabytes of data. This failure has left Tesla with a PR nightmare that it must now manage, and the incident has also had an impact on the company's share price, which dropped more than 6% in trading at the time of writing.

And with this in mind, enjoy our roundup of stories for this week…


Tesla Breach: Malicious Insider Revenge or Whistleblowing?

Just before midnight last Sunday evening (June 17, 2018), Elon Musk sent an email to all staff. He was dismayed, he said, to learn about a Tesla employee "making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties."

Malicious Insider Revenge or Whistleblowing? |  Kevin Townsend


When Bug Bounty Disclosure goes bad

There are vulnerabilities everywhere. You are a cybersecurity researcher; you follow the bug bounty program process and share your finding responsibly with the vendor, and the vendor fixes the issue. But instead of sending the chopper over to you with a care package, they pretend you don't exist. Now what to do?

Vendors, Disclosure, and a bit of WebUSB Madness |  Markus Vervier


How Edward Snowden made us think about and forget the Insider Threat

Five years ago, the news media went into a frenzy after The Guardian revealed details about National Security Agency (NSA) surveillance activities. The news was based on classified documents that former NSA IT contractor Edward Snowden stole while he had privileged access to NSA systems and data. It provided clarity on exactly how powerful the NSA’s information collecting machine was. It also gave new life to the “insider threat.”

Snowden illuminated how nefarious employees and contractors operate. He also cast a shadow over an additional class of insider threat made up of privileged users, including employees, contractors, partners and executives, who operate with their organizations’ best interests in mind. Since Snowden, this “trusted insider” segment has gone underappreciated with respect to the risk it is driving and the resources it deserves.

Five Years Later: Never forget the insider threat | Dtex Systems


J2SECOPS WEEKLY NEWS: This week in the J2 CSC, I’ll take the win, especially considering how few and far between victories can be; as we look at collaboration and its positive inroads into global Cybersecurity ills.

I received an Email this morning from a long-time customer, you know the one, the potentially dreaded: “We have been compromised!”, which quickly took a really unexpected turn. I don’t think we as Cybersecurity professionals spend enough time discussing the wins; I think we spend way too much time on the losses.

The email had the Subject Line: “Thank You” and ominously started with: “Gentlemen,”

It then continued: “As you know, we successfully (and highly so) thwarted a potential Ransomware attack. The succinct and active automated response from our technology platforms along with J2, promptly followed by mails and calls from your team”.

“This in itself is a testament to the phenomenal service and response time of j2, but upon further inspection, it would appear that the Ransomware in question had its latest update on the same day as the detection date, which means not only did we as Security Team respond and stop a potential catastrophe, it was with a zero-day attack!”

It finally concluded: “Hats off to your team, it has been, is and will be for a long time to come, an absolute pleasure to partner with you on our digital security adventure.”

My first thought was back to the conversation when this incident occurred, and my first instinct, at the time, was to think about all the things that could have gone wrong, to better understand the attack vectors, what could have been done differently, and what we could have done better. Then I had a moment of enlightenment: this was a win! Through a combination of Technology, People and specifically collaboration, Automation or AI, we were collectively able to thwart the attack, so we should take a moment to enjoy this brief moment in time.

So this one goes out to all the crazy ones, the misfits, the rebels, the troublemakers and the customers that have to put up with this mad lot, who get up each and every day and fight the good fight.

I think the quote by Rob Siltanen is quite appropriate to celebrate this one small step:
“Here's to the crazy ones. The misfits. The rebels. The troublemakers. The round pegs in the square holes. The ones who see things differently.
They're not fond of rules. And they have no respect for the status quo. You can quote them, disagree with them, glorify or vilify them.
About the only thing you can't do is ignore them. Because they change things. They push the human race forward. And while some may see them as the crazy ones, we see genius.
Because the people who are crazy enough to think they can change the world, are the ones who do.”

I’ll take the win!

And with this in mind, enjoy our roundup of stories for this week…

When Data-Centric Security is the “Secret Sauce” of Cybersecurity

As the name implies, data-centric security protects information at the data level instead of just protecting devices, applications and the perimeter. Data-centric security allows companies to automatically enforce adaptive usage controls on sensitive information, and critical systems; not only controlling who can access information, but what actions (view, edit, copy, print, share or screen share) are allowed once access is given and from which device or geo.

Collaboration is essential - from working with vendors to third-party contractors, it is key to getting the job done and staying competitive.
While data security may not be equally top of mind for companies across all industries, the proof is in the numbers - companies in every industry must be prepared.

Protecting Your ‘Secret Sauce’ - Why Data-Centric Security Is Key | Vishal Gupta


Cybersecurity collaboration is key to dark web deterrent

Vigilance remains high as cyber intelligence experts anticipate the next big ransomware threat.
As well as adding more patches, experts say companies and public bodies need to collaborate more to tackle the threat from leaked cyber weapons.
It is estimated that at least a dozen NSA tools are being discussed and worked on by hacking forums on the dark web.

Cyber security collaboration is key to dark web deterrent |  The Financial Times


Cyber security demands change in approach

We are already witnessing a coming together of sorts of technologies such as AI with people, where systems and people act together and provide analytic data that indicates ransomware attacks and whether they are successfully exploiting weaknesses within the organisation at this very moment.

Already we are seeing a paradigm shift in incident response which fundamentally differs from our prejudiced understanding. Incidents are already becoming the mere possibility of a breach. Incidents are the proactive insights and remediation through active collaboration between technology, people and AI.

Cyber security demands change in approach | Warwick Ashford


J2SECOPS WEEKLY NEWS: This week in the J2 CSC, The Birds and the Bees of Cybersecurity, Security by Design and a compendium of Funny Memes.

I am a massive fan of Jennifer Leggio, who has been in the security industry for 17 years as a marketer, advisor, and writer. Her focus is on security culture, including disclosure, community issues, equality in security, disruptive trends, and even marketing best practices, all subjects very close to my own heart. In a recent write-up she focuses on the key points from her Hack in the Box (HITB) Amsterdam keynote from a few weeks ago and covers some of the marketing fails in information security, including logos and branded vulnerabilities.

What are these, you may ask? Well, basically there are people who work towards reducing harm and those who contribute to harmful outcomes, and the latter tend to add to all the confusion, fear, uncertainty, and doubt that distracts or disrupts a security practitioner's ability to do his or her job.

Some key points that stand out for me – again Jennifer, this is some great stuff!

  • Speak with your management about creating an ethics or standards board.
  • Express the end state you want is more truth and better security.
  • Share that you are willing to support on a committee to provide guidelines.
  • Company doesn't have a coordinated disclosure policy? Build one.
  • Require credit for your work.
  • Call out marketers, but focus on sharing how to do better vs. focusing just on what sucks.

It needs to be an inclusive and interactive dialogue between technical and non-technical folks, with next steps and outcomes. If we build it, will you come?

And with this in mind, enjoy our roundup of stories for this week…


Where Do Cybersecurity Professionals Come From?

When a Mommy cybersecurity professional and a Daddy cybersecurity professional love each other very much they hug each other in a special way to help each other make little cybersecurity professionals.

If only it were so easy! If it were, we wouldn’t have nearly 2.2 million unfilled cybersecurity jobs on the horizon.

We wouldn’t have millions of kids struggling with online and social media addictions on one end of the spectrum and kids with no access to the Internet on the other. So while the straight answer is, we make them, the less straight answer is how?

Where Do Cybersecurity Professionals Come From? |  Pete Herzog


Security by Design: The Network

Security by design is about designing secure environments with clear goals underpinned by real-world constraints. Realistic assumptions and constraints in terms of business, personnel, staffing complement and abilities, the IT environment and the entire ecosystem are all critical steps in the security by design process.
I really enjoyed this detailed take on the logic behind this very misunderstood concept.

Secure by Design: The Network |  Devon Taylor


The Best and Funniest Security Memes

AlienVault recently ran a contest on Twitter to collect the best InfoSec memes from the community. I really had to chuckle at some of these in the compendium blog of funny as well as educational security memes. Since her blog on IT jokes from 2015 was so well received, maybe this meme thing will catch on too!

The Best and Funniest Security Memes | Kate Brew


J2SECOPS WEEKLY NEWS: This week in the J2 CSC, CISO job hopping, the Cybersecurity talent shortage and how to fix it, and Cybersecurity Now!

Recent visits and prospective customer engagements have raised a few alarm bells in terms of the actual state of Information Security (Cybersecurity) across industry within South Africa. While conducting CSC 20 Controls reviews, the conversation invariably turns to what has been done to date and why things are taking so long. What needs to be done to fix the identified gaps? This engagement is often a massively enlightening experience for all parties, with the cordial handshakes and nodding of heads in varying degrees of common reference.

Where the wheels tend to come off is when the rubber starts to meet the road; this is where the troubles start. All engagements without exception agree that something has to be done and that it needs to be prioritised, usually according to a set of controls. Then, some time down the line, the parties don’t understand why there is no management support and still not enough resources to support the agreed initiatives.

Security is so much more than just a control framework with a set of best practices and activities to address gaps that need to be plugged. Security is so much more than compliance or an endless tick and bash exercise. Of course, an organization's Information Security (Cybersecurity) success is a direct result of the CISO (Chief Information Security Officer). An effective CISO can mean the difference between a valuable business function and a state of perpetual firefighting.

Every organization today has to be prepared for the threat of cybersecurity attacks and their crippling effects and destruction from both the inside out and the outside in. Just look at the news stories that regularly arise from the most current breach or the loss of operations due to a breach and service disruption, with causes like shadow IT, poor IT hygiene, account takeover, end user negligence, password reuse and ransomware or malware attacks. As a result, organizations are spending more of their operational budgets on cybersecurity in extremely reactive ways to fight these growing incidents. Many organizations face these challenges in developing their cybersecurity program: establishing a full security program is expensive, and the talent to execute the program is hard to find and retain.

Unfortunately, many CISOs, myself included, have a relatively short shelf life and, based on recent industry research, the average CISO organizational lifespan is anything from 24 to 48 months, with many, not myself included, leaving much sooner. This begs the question: why are CISOs always on the lookout for new opportunities so often? Let’s explore this in this week’s blog; and with this in mind, enjoy our roundup of stories for this week…


Why do CISOs job hop?

Aside from earning more money, CISOs pursue other opportunities when current employers minimize cybersecurity commitments and efforts.
ESG and the Information Systems Security Association (ISSA) sought to answer this question in a recent survey of 343 cybersecurity professionals and ISSA members.

Top 4 reasons why CISOs change jobs frequently:

  • 38% of respondents say CISOs change jobs when they are offered higher compensation packages from other organizations. No surprise here, as CISOs are in high demand while the cybersecurity skills shortage has led to continuous salary inflation. Many CISOs are willing to jump ship when presented with an offer they can’t refuse.
  • 36% of respondents say CISOs change jobs when their current employer does not have a corporate culture that emphasizes cybersecurity. Given the job market for CISOs, don’t expect cybersecurity leaders to simply go through the motions if the corporation isn’t committed to the cause.
  • 34% of respondents say CISOs change jobs when they are not active participants with executive management and the board of directors. CISOs are business managers who oversee a technology discipline. The data indicates that they will quickly fly the coop when they are treated as glorified system administrators.
  • 31% of respondents say CISOs change jobs when cybersecurity budgets are not commensurate with the organization’s size or industry. As hard as it is to believe in 2018, there are still plenty of organizations willing to nickel and dime the CISO and settle for “good enough” security. This isn’t a strategy for long-term CISO retention or strong cybersecurity for that matter.

Why do CISOs change jobs so frequently? |  Jon Oltsik


Cybersecurity Has a Serious Talent Shortage. How to Fix It

Businesses tend to look for people with traditional technology credentials — degrees in tech fields, for example. Security is truly everyone’s issue; with every aspect of personal and professional data at risk all the time. So why limit security positions to people with BTech and four-year computer science degrees, when we desperately need varied skills across so many different industries? Businesses should open up to applicants whose non-traditional backgrounds mean they could bring new ideas to the position and the challenge of improving cybersecurity.

Cybersecurity Has a Serious Talent Shortage. |  Marc van Zadelhoff


4 places to find cybersecurity talent in your own organization

Organizations are missing opportunities to cultivate inside talent who may lack experience but already know the business and have the fundamental skills to succeed in cybersecurity.

Companies are scrambling to fill cybersecurity positions. Some 41 percent of CIOs surveyed by recruiting firm Robert Half Technology say that cybersecurity skills are in the greatest demand in their organizations. The non-profit organization (ISC)2, which provides information security education and certifications, predicts a worldwide shortfall of 1.8 million cybersecurity workers by 2022, 20 percent more than was predicted in 2015.

  • First, lower expectations
    Organizations have become overly ambitious in the job descriptions that profile the ideal candidate, and tend to overlook people in the process of achieving qualifications. Companies must open up their demands, engage the HR department and unplug some of the stricter requirements, such as [requiring] a degree in computer science or x number of years of information security experience.
  • Mid- and late- career employees
    Research firm Forrester sees a trend where large organizations are creating their own contingent labour pools using alumni or company retirees. Nike, for instance, has already adopted a self-sourcing model for temporary IT workers.
  • Women
    Women represent only 11 percent of the global information security workforce today, according to a global study by (ISC)2, and they represent a large and talented labour pool for cybersecurity positions. Women in cybersecurity today enter the profession with higher education levels than men. Half of women in the profession have a master’s degree or higher, compared to 45 percent of men. Globally, 42 percent of the women have undergraduate degrees in computer and information sciences compared to 48 percent of men. Among Millennials, 52 percent of women younger than 29 have computer science undergraduate degrees. The study recommends that more professional support, sponsorships and mentorships are needed for women in security and risk management.
  • IT internships
    Most companies offer IT internships for soon-to-be university or college graduates, but interns with an interest in or aptitude for cybersecurity skills should be sought out early and courted. If a year down the road they’re not happy, you’re going to lose them.

4 places to find cybersecurity talent in your own organization | Stacy Collett


Why you need to focus on Cybersecurity Now!

Cyber security comprises the technologies and processes designed to protect networks, computers, programmes and data from attack, theft or damage. Personal information, intellectual property, big data and mergers & acquisitions information are common targets for cyber criminals.
Companies are strengthening their cyber security teams to enhance their capability to respond to the General Data Protection Regulation (GDPR). Companies are liable for any security breaches. Fines under the new regulation can be up to 4% of a company's annual turnover if it is found not to have sufficient active information security risk and contingency plans in place to protect the personal data with which it has been entrusted.

Cyber security a big focus for companies | Robert Walters

Or you could outsource – Talk to us!


Copyright © 2019 J2 Software