Daily Tech Digest - March 29, 2017

5 reasons your company can't hire a cybersecurity professional

The shortage in skilled cybersecurity professionals is only growing worse, with the projected talent gap reaching 1.8 million jobs by 2022. "It's definitely a seller's market," said Forrester analyst Jeff Pollard. "If you have security skills, there are plenty of opportunities available for you. If you have an interest in security and perhaps have a nontraditional background but are willing to learn, opportunities are certainly open from that perspective as well." However, the shortage has left many companies stuck: A recent report from ISACA found that 55% of organizations reported that open cyber positions take at least three months to fill, while 32% said they take six months or more. And, 27% of US companies said they are unable to fill cybersecurity positions at all.


6 Soft Skills Employers Should Be Looking For In Tech Talent


Forget experience and hard skills -- tomorrow's best talent will need soft skills, and it's a fact that sourcing and recruiting pros need to be prepared to address. "From our own LinkedIn research last May, we know that, of 291 hiring managers we surveyed, their employers struggle to find candidates with the right soft skills for 59 percent of their open jobs, and 58 percent said the lack of soft skills among candidates was 'limiting their company's productivity,'" said Jennifer Shappley, senior director of talent acquisition at LinkedIn, at a presentation at SourceCon, held earlier this month in Anaheim, Calif. ... The differentiator will be soft skills like adaptability, leadership, communication and others, she says. Here, Shappley shares six of the top soft skills she's looking for at LinkedIn and how to go about finding them.


Android VPN apps: How to address privacy and security issues

Armed with knowledge regarding these Android VPN apps, what can IT security professionals do about the situation? Whether this falls under your company's BYOD strategy, acceptable usage policies or some other aspect of its security program, such as security information and event management or malware protection, it needs to be addressed starting today. Obviously, you want to steer clear of any of the apps researched for the paper that might create risks in your particular environment. You might need to do your own vetting of these mobile apps, and may need to standardize on a handful of them. Tools by vendors such as NowSecure and Checkmarx, combined with network analyzers and other tools, can provide good insight to complement and even validate these new mobile VPN app research findings.


Why the internet of things isn't as vulnerable as it looks

Use of connected devices has exploded across critical infrastructure industries, present in everything from industrial controls to financial systems, where the devices generate loads of data. That data, said Robert Griffin, lures attackers but also serves to boost security for infrastructure protectors. "For homeland security operators, IoT is now a component of critical infrastructure, where security is viewed as a common good for protecting each of our different 16 critical infrastructure sectors," said Griffin in a March 20 blog post, one of his first as acting undersecretary at S&T. He assumed that position in January, after Reginald Brothers moved to the private sector. Griffin said connected sensors provide data analytics that can be shared among security operators, helping improve performance, reduce costs and enhance security measures.


Automate DevOps so you can focus on a security-first culture

Organisations commonly feel like they have to trade off between security and productivity. That’s absolutely not the case, but it needs the people shipping code and the security specialists to do some collaborative work up front. Sadly, research by Gartner last year found that only 20% of enterprise security architects had properly engaged with DevOps initiatives, and the majority of IT professionals felt information security was slowing down the ability of the IT department to respond to the needs of the business. While working at HM Revenue & Customs I saw first-hand how a great security team, willing to help redesign processes up front, could help us to ship services which conformed to a common pattern quickly without putting users at risk. By putting a platform and tooling in place, we saw HM Revenue & Customs take projects which would have taken 18 to 24 months and deliver them in under six weeks.


Kaspersky: Criminals Make 95% Profit on DDoS

Kaspersky did a review of the Dark Web to find out the going rate for DDoS-as-a-service, and found the average to be slightly higher than the example above—attacks typically cost $25 per hour, with the cyber-criminals making a profit of about $18 for every hour of an attack. The security specialist also found that organizers of DDoS services generally offer customers a tariff plan in which the buyer pays a per-second rental price for botnet capacity. For example, a DDoS attack of 300 seconds using a botnet with a total bandwidth of 125Gbps will cost between about $5 and $6. As for profitability, it should be noted that DDoS attacks and, in particular, ransomware DDoS have already turned into a high-margin business. “The profitability of one attack can exceed 95%,” the firm noted.


Intel digs in to keep Moore's Law alive

"Moore's Law is not dead, at least not for us," said Stacy Smith, Intel's executive vice president leading manufacturing, operations and sales, during an event to talk about manufacturing in San Francisco on Tuesday. At its heart, Moore's Law states that the cost of making chips goes down while the capabilities go up. Intel's interpretation of Moore's Law has changed multiple times. Initially, Intel was doubling transistors every 18 months, which then expanded to two years. On its most recent 14-nanometer process, that timeline expanded to three years. With the new measurements, Intel will be able to boast that its manufacturing improvements are surpassing Moore's Law. The company also said it would cut the manufacturing cost per transistor by half with each new manufacturing process, which is in line with Moore's Law.


Why Siemens put $10 billion into digital transformation

Making use of the data collected by devices is key for industries wanting to move forward in the digital age. Half of all the data that exists in the world was created in 2016. And less than 0.5% of all the data collected last year was analyzed and used, according to Judy Marks, CEO of Siemens, who explained that she believes MindSphere will help industrial companies in particular make better use of their data and take them to the next level of competitiveness in manufacturing. Next47 is Siemens' innovation startup unit, and as part of Siemens' focus on startups, it will invest $1 billion over the next five years in startups, Busch said. ... Artificial intelligence was key for one customer, where an AI brain was inserted into a turbine, resulting in a 15-20% reduction in nitrogen oxide emissions. "This is how powerful artificial intelligence can be," Busch said.


Insecure Security Cameras Sound Like A Joke But Aren't

To be fair, these attacks do require the burglar (or, for that matter, murderer or rapist) to engage in a bit of physical gymnastics. The attacker first needs to get close enough to the camera to access Bluetooth — distances vary based on device and environment, and it can even vary from initially making the handshake to maintaining the connection. But these are security cameras, so the attacker must achieve this potentially very short distance while also staying out of the camera’s view. After all, if the attacker is filmed before initiating the connection, the point of this exercise may be lost.

This problem is hardly insurmountable. But it involves studying the camera beforehand to learn the proper angle and positioning needed to access Bluetooth without being seen.


How do identity governance and access management systems differ?

Identity governance relies on policies to determine if updated access is too risky for a particular user based on that user's previous access and behavior. These governance policies can be put into an automated workflow when a change is deemed a risk, allowing the owners of the application or the data to sign off on the update. This fixes the issue of having to recertify users annually, and takes more of an incremental approach to auditing access. If someone accesses a system they don't have permissions for, the identity governance system can flag the access as suspicious. Those owners can even be notified if a user is attempting to access a resource they don't have access to, or one that no one else in their role is accessing.
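As an added example (not from the article or any vendor's product), the following script applies the two governance checks just described to a constructed access log: an access outside the user's role entitlements, and an allowed access to a resource that no one else in the same role touches. All user names, roles, resources and log entries are made up.

```python
from collections import defaultdict

# Constructed data (not from the article): who holds which role, and which
# resources each role is entitled to.
USER_ROLE = {"alice": "finance", "bob": "finance", "erin": "finance",
             "carol": "engineering", "dave": "engineering"}
ROLE_ENTITLEMENTS = {"finance": {"ledger", "payroll", "expense"},
                     "engineering": {"git", "ci"}}

# Constructed access log as (user, resource, outcome) tuples. "denied" means
# the target system refused the request; "allowed" means it went through.
ACCESS_LOG = [
    ("alice", "ledger", "allowed"),
    ("bob", "ledger", "allowed"),
    ("erin", "ledger", "allowed"),
    ("alice", "payroll", "allowed"),
    ("bob", "payroll", "allowed"),
    ("carol", "git", "allowed"),
    ("dave", "git", "allowed"),
    ("erin", "expense", "allowed"),  # entitled, but no other finance user uses it
    ("carol", "payroll", "denied"),  # engineering has no payroll entitlement
    ("alice", "hr-db", "allowed"),   # allowed by the system, but not an entitlement
    ("mallory", "git", "allowed"),   # actor with no role on record
]

def flag_access(log, user_role, role_entitlements):
    """Return (user, resource, reason) findings, in log order.

    unknown-user: the actor has no role on record at all.
    unentitled:   the role is not entitled to the resource (denied or not).
    peer-anomaly: allowed and entitled, but nobody else in the same role
                  accesses that resource anywhere in the log.
    """
    # role -> resource -> set of users in that role who accessed it
    seen = defaultdict(lambda: defaultdict(set))
    for user, resource, _ in log:
        if user in user_role:
            seen[user_role[user]][resource].add(user)
    findings = []
    for user, resource, outcome in log:
        role = user_role.get(user)
        if role is None:
            findings.append((user, resource, "unknown-user"))
        elif resource not in role_entitlements.get(role, set()):
            findings.append((user, resource, "unentitled"))
        elif outcome == "allowed" and seen[role][resource] == {user}:
            findings.append((user, resource, "peer-anomaly"))
    return findings
```

The "unentitled" finding for alice's allowed access to hr-db is the case the article's workflow is meant to catch: the system granted something the governance policy never did, so an owner needs to review it.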


Quote for the day:

"Failure is a friend of success; it's not trying that is its enemy." -- Gordon Tredgold