Almost a third of chief information security officers (CISOs) and IT security managers in the UK and US are considering leaving their current organization, according to new research. Not only that, but a third are planning to quit their jobs within the next six months. ... many IT security leaders are struggling to keep up with evolving threats and new cybersecurity practices, while also reporting issues around recruitment, retention and work-life balance that are prompting many to turn away from the industry. When asked about the aspect of their role that they disliked most, 30% cited the lack of a work-life balance, with 27% saying that too much time was spent on 'firefighting' rather than addressing strategic business issues. On top of the 32% of CISOs planning a departure due to the stresses of the job, 52% admitted that they are struggling to keep up to date with new frameworks and models such as Zero Trust, while a further 20% felt that having the right skills on their team was "a serious challenge".
There’s a different way to think about the practice of security: as a vision- and mission-based endeavor. When security practitioners log in each day to start work, they are protecting people they care about: their colleagues, partners and customers. They’re also safeguarding their organizations’ ability to do business in a complex world by delivering vital products and services that others need and ensuring society functions as intended. As a result, security teams are creating a better world for everyone. For employees in organizations, these connections may either be explicit or implied. Security professionals who protect national infrastructure for a government agency, a nonprofit’s ability to deliver aid or an e-commerce firm’s ability to deliver goods will likely see the value in safeguarding their organizations’ business and operations. Yet, countless others provide processes or services that enable the effective functioning of businesses and community life. These professionals, too, should take pride in fulfilling their organization’s vision and mission.
Carrie Goetz, D.MCO and Principal/CTO at StrategITcom, LLC, and a frequent speaker at Network Computing events, offered up some spooky incidents she has encountered over the years. “There was the case of cleaning people plugging vacuum cleaners into UPS outlets when cleaning the data center and shutting them down. Happened every night sometime between 2 and 4 AM. The only way we caught it was to sit up there at that time.” “Or how about doing an audit of the gear in a data center? The customer thought they had about 2,600 servers, and we found over 3,000 physical machines. Some had not passed a bit of traffic in years.” Talk about a nightmare. She noted, “decommissioning was not in their vocabulary until after the audit.” Another example should send chills down any IT manager’s spine. “We took over a contract for a prison health care provider. They had previously hired another company. When all of the deliveries were late, the customer started investigating and found out that the company was staging their servers in a shed with a dirt floor and no AC running. They kept going up and down, and two failed for dirt and moisture.”
When I joined the business 33 years ago, nobody ever talked about cybersecurity. I don’t recall the word. Everything was physical: what if somebody’s gotten into my flat or I’m afraid someone’s going to take my car, attack me in the street to take my watch or my wallet or whatever. Obviously, the world has become much more digital. All these fears and threats became digital. What I would say over the past few years is that we’ve seen a massive amplification of risk. Large companies have a board and an IT group under the board looking at cybersecurity. They take it very seriously. They are scared to death of any brand damage. They are relatively focused, which is not the same as being well equipped. What I’ve found out over the last six months is that more and more small and mid-sized businesses are paying a lot more attention to cyber. When I open the newspaper, there’s not a day without a small story about a major cyber negative impact on a business. There was a recent cyberattack on a French hospital that sent them back to the Middle Ages – it lasted for months. Of course, SMBs taking cybersecurity seriously is an opportunity for us to help them with this threat.
The Digital Shadows Photon research team have been tracking cyber threats coalescing around the World Cup over the past 90 days using a specially created alert system. They have found that broadly, threats to the event can be arranged into four categories – brand protection, cyber threat, physical protection and data leakages. Of these, most of the observed activity relates to the cyber threat category. “Scams could present themselves in many forms,” the Photon team wrote in a newly published online advisory. “For instance, financially motivated threat actors often plant in malicious URLs spoofing these events to fraudulent sites, hoping to maximise their chances of scamming naive internet users for a quick, illicit, profit. “At the same time, hacktivist groups may exploit the public attention given to such events to exponentially increase the reach of their message. State-sponsored advanced persistent threat (APT) groups may also decide to target global sporting events to achieve state goals to the hosting country or the broader event community.”
The agile model is known for its flexibility and responsiveness to change, which makes it well suited to projects whose requirements keep evolving or that need quick turnarounds. That same flexibility can be a weakness: without discipline it invites scope creep and unrealistic expectations. The V-shaped model is more rigid and structured, and that rigidity can be a strength. By clearly defining the deliverables at each stage of the project (each development phase paired with the verification activity that checks it), it limits scope creep and gives stakeholders the structure and transparency that keep them informed and on track. Its downside is that it is inflexible and resistant to change once a stage has been signed off. Which model is best depends on the project's needs and objectives. Agile is a strong choice for small to medium-sized projects that need a flexible, responsive approach; the V-shaped model suits projects whose deliverables can be fixed up front and where change is expected to be rare.
It’s a different role as you shift from manager to director. It’s realizing your entire organization is essentially run by someone else tactically, so really backing off and letting them fail or succeed on their own. And then you have to figure out how to focus very differently on alignment, making sure all the leaders are on the same page, because now you have really good leaders and they’re all running in different paths. In IT especially, managers tend to want to hang on to some of the hands-on work after they become directors, and that’s often because they’re promoted due to skill, not leadership. So suddenly they find themselves at a director level and they’re just a really good engineer. They don’t have any other tool in their toolkit except doing it themselves. So it’s hard for them to let others own things completely. It’s really important to get a good mentor or someone in place to help them. Usually what you hear is the horror stories, where someone fails miserably and then they learn and pick themselves up and go again. We’ve got to find a way to prevent that.
Failing to audit access policies regularly, so that external groups can reach only the systems they actually need, leaves another avenue that attackers can easily exploit. It is also essential to cut off access immediately after parting ways with a consultant and to periodically confirm that former contractors no longer have any access. Set an established timeline for auditing access policies and never allow it to slip. Password hygiene is another critical consideration. According to the most recent Verizon Data Breach Investigations Report, over 80 percent of hacking incidents involved stolen credentials, and studies have repeatedly shown that at least 71 percent of people reuse passwords. If just one of the sites associated with a reused password has been breached, every other account protected by that password is at risk as well. With workforce management challenges on the horizon for 2023, it is essential to implement policies and procedures that address the security exposure the Great Resignation creates.
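The access review described above can be scripted rather than left to memory. The following is an added example, not code from the article: it reconciles a constructed identity-provider export of external accounts against a constructed vendor roster and a documented group-to-system allow-list, and reports the three findings the text calls for (contractors whose engagement has ended but whose account is still enabled, enabled accounts that have gone unused, and external groups granted systems beyond their stated need). All names, dates and systems are hypothetical.

```python
"""Periodic access review for external (contractor/vendor) accounts.

Added example; the IdP export, roster and group grants are constructed
data standing in for what an admin would pull from the identity provider
and from procurement/HR.
"""
from datetime import date

# Constructed IdP export: one row per external account.
IDP_ACCOUNTS = [
    {"user": "acme.jdoe",  "group": "vendor-acme", "enabled": True,  "last_login": date(2022, 12, 1)},
    {"user": "acme.rlee",  "group": "vendor-acme", "enabled": True,  "last_login": date(2022, 7, 3)},
    {"user": "acme.sgup",  "group": "vendor-acme", "enabled": True,  "last_login": date(2022, 8, 1)},
    {"user": "acme.ghost", "group": "vendor-acme", "enabled": True,  "last_login": date(2022, 12, 10)},
    {"user": "blue.mkim",  "group": "vendor-blue", "enabled": True,  "last_login": date(2022, 11, 28)},
    {"user": "blue.tpat",  "group": "vendor-blue", "enabled": False, "last_login": date(2022, 2, 14)},
]

# Constructed vendor roster from procurement: contract end date per person.
# "acme.ghost" is deliberately missing: nobody owns that account.
ROSTER = {
    "acme.jdoe": date(2023, 6, 30),
    "acme.rlee": date(2022, 9, 30),   # engagement ended, account still enabled
    "acme.sgup": date(2023, 12, 31),
    "blue.mkim": date(2023, 3, 31),
    "blue.tpat": date(2022, 3, 31),
}

# Constructed: what each external group is documented as needing ...
GROUP_NEED = {
    "vendor-acme": {"ticketing", "staging-db"},
    "vendor-blue": {"ticketing"},
}
# ... versus what it can actually reach today.
GROUP_GRANTS = {
    "vendor-acme": {"ticketing", "staging-db"},
    "vendor-blue": {"ticketing", "prod-db"},   # over-privileged
}


def stale_contractors(accounts, roster, today):
    """Enabled accounts whose contract has ended or who are not on the roster at all."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        end = roster.get(acct["user"])
        if end is None or end < today:
            findings.append(acct["user"])
    return sorted(findings)


def dormant_accounts(accounts, today, max_idle_days=90):
    """Enabled accounts not used within max_idle_days; candidates for removal."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and (today - a["last_login"]).days > max_idle_days)


def excess_grants(need, grants):
    """Per group, the systems it can reach beyond what it is documented as needing."""
    result = {}
    for group, systems in grants.items():
        extra = systems - need.get(group, set())
        if extra:
            result[group] = sorted(extra)
    return result


def access_review(accounts=IDP_ACCOUNTS, roster=ROSTER, need=GROUP_NEED,
                  grants=GROUP_GRANTS, today=date(2022, 12, 15)):
    """Run all three checks and return the findings as one report."""
    return {
        "stale": stale_contractors(accounts, roster, today),
        "dormant": dormant_accounts(accounts, today),
        "excess": excess_grants(need, grants),
    }


if __name__ == "__main__":
    for kind, findings in access_review().items():
        print(f"{kind}: {findings}")
```

Each finding maps to an action: stale accounts are disabled the same day, dormant ones are confirmed with the vendor before removal, and excess grants are removed from the group rather than from individual members so the fix survives the next onboarding. Running this on a fixed schedule is what turns "periodically confirm" into a timeline that cannot slip.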
Stealing session cookies has become one of the most common ways that attackers circumvent multifactor authentication. The Emotet malware, the Raccoon Stealer malware-as-a-service, and the RedLine Stealer keylogger all have functionality for stealing session tokens from the browsers installed on a victim's system. In August, security software firm Sophos noted that the popular red-teaming and attack tools Mimikatz, Metasploit Meterpreter, and Cobalt Strike all could be used to harvest cookies from the browsers' caches as well, which the firm called "the new perimeter bypass." "Cookies associated with authentication to Web services can be used by attackers in 'pass the cookie' attacks, attempting to masquerade as the legitimate user to whom the cookie was originally issued and gain access to Web services without a login challenge," Sean Gallagher, a threat researcher with Sophos, stated in the August blog post. "This is similar to 'pass the hash' attacks, which use locally stored authentication hashes to gain access to network resources without having to crack the passwords."
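To make the "pass the cookie" mechanics concrete, here is an added example (not code from Sophos or from the article) using a toy session store and a constructed access log. It shows why a lifted cookie is enough against a server that checks only the session id, how binding the session to the client context it was issued in defeats the replay, and how a log review catches a session id that appears from two different clients. The session store, the victim/attacker clients and the log lines are all hypothetical.

```python
"""Pass-the-cookie: replay, one server-side defence, one detection.

Added example with constructed data. The session store is a stand-in for a
real web framework's session layer; the access log is hand-written.
"""
import hashlib
import secrets
from collections import defaultdict


def client_context(ip, user_agent):
    """Coarse fingerprint of where a request comes from: source /24 plus User-Agent."""
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()[:16]


class SessionStore:
    """Minimal server-side session table; bind_to_client toggles the defence."""

    def __init__(self, bind_to_client):
        self.bind = bind_to_client
        self.sessions = {}  # sid -> {"user": ..., "ctx": ...}

    def login(self, user, ip, ua):
        # Happens once, after password + MFA. The sid is what the browser stores.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "ctx": client_context(ip, ua)}
        return sid

    def authenticate(self, sid, ip, ua):
        """Return the user for a request, or None if it must log in again."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if self.bind and sess["ctx"] != client_context(ip, ua):
            return None  # valid cookie, but presented from a different client
        return sess["user"]


# Hypothetical clients: the victim's browser and the attacker's replay tool.
VICTIM = ("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/108")
ATTACKER = ("198.51.100.7", "python-requests/2.28")


def replay_demo(bind_to_client):
    """Victim logs in, attacker replays the stolen sid. Returns (victim_ok, attacker_ok)."""
    store = SessionStore(bind_to_client)
    sid = store.login("alice", *VICTIM)  # cookie lands in the victim's browser
    stolen = sid                         # an infostealer exfiltrates the cookie jar
    return (
        store.authenticate(sid, *VICTIM) == "alice",
        store.authenticate(stolen, *ATTACKER) == "alice",
    )


# Constructed access log: "time ip session_id user_agent" per line.
ACCESS_LOG = """\
12:00:01 203.0.113.10 a1b2c3 Mozilla/5.0 (Windows NT 10.0) Chrome/108
12:00:09 203.0.113.10 a1b2c3 Mozilla/5.0 (Windows NT 10.0) Chrome/108
12:03:40 198.51.100.7 a1b2c3 python-requests/2.28
12:04:02 203.0.113.22 d4e5f6 Mozilla/5.0 (X11; Linux) Firefox/107
12:04:30 203.0.113.22 d4e5f6 Mozilla/5.0 (X11; Linux) Firefox/107
"""


def detect_shared_sessions(log_text):
    """Session ids used from more than one client context, i.e. a likely passed cookie."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        _ts, ip, sid, ua = line.split(" ", 3)
        seen[sid].add(client_context(ip, ua))
    return sorted(sid for sid, ctxs in seen.items() if len(ctxs) > 1)


if __name__ == "__main__":
    print("naive store  (victim_ok, attacker_ok):", replay_demo(False))
    print("bound store  (victim_ok, attacker_ok):", replay_demo(True))
    print("sessions seen from multiple clients:", detect_shared_sessions(ACCESS_LOG))
```

The binding shown here is deliberately coarse (a /24 plus User-Agent) because a strict IP match logs out every mobile user who changes networks; treat a context mismatch as a trigger for re-authentication rather than as proof of theft. The detection rule is the one worth running over real logs: a single session id arriving from two client contexts within minutes is exactly what an infostealer's replay looks like, and short session lifetimes plus re-authentication for sensitive actions limit how much a stolen cookie is worth in the first place.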
To combat the lack of internal knowledge around how AI systems are developed, the auditing experts agreed on the pressing need for a standardised methodology for how to conduct a socio-technical audit. They added that while a standardised methodology currently does not exist, it should include practical steps to take at each stage of the auditing process, but not be so prescriptive that it fails to account for the highly contextual nature of AI. However, digital rights academic Michael Veale said standardisation is a tricky process when it comes to answering inherently social questions. “A very worrying trend right now is that legislators such as the European Commission are pushing value-laden choices around fundamental rights into SDOs [standards development organisations],” he said ... Another risk of prescriptive standardisation, according to Brown, is that the process descends into a glorified box-ticking exercise. “There’s a danger that interrogation stops and that we lose the ability to really get at the harms if they just become standardised,” he said.
Quote for the day:
"What I've really learned over time is that optimism is a very, very important part of leadership." -- Bob Iger