CISA, NSA, FBI, and similar organizations in the other Five Eyes countries are warning that attacks on MSPs — as a vector to their customers — are likely to increase. No details about what this prediction is based on. Makes sense, though. The SolarWinds attack was incredibly successful for the Russian SVR, and a blueprint for future attacks.
Daily Archives: May 17, 2022
(ISC)2 Offers 100,000 Free Entry-Level Certification Places
The 100K in the UK scheme is aimed at recent graduates and career changers seeking to work in cyber
Rezilion launches Dynamic SBOM for software supply chain devsecops
Aiming to help organizations manage security across the software development life cycle (SDLC), devsecops platform developer Rezilion is launching Dynamic SBOM (software bill of materials), an application designed to plug into an organization’s software environment to examine how multiple components are being executed in runtime, and reveal bugs and vulnerabilities.
Challenges that impact the Cybersecurity talent pipeline
Cyberattacks are alarming, and establishments must increase protections, embrace a layered attitude, and cultivate security-conscious users to combat growing concerns.
Cybersecurity leaders are being inundated with talent development resources offered, encompassing hiring, recruitment, and retention of the talent pipeline. Fifty percent of hiring managers typically deem that their candidates aren’t highly qualified. Globally, the cybersecurity professional shortage is estimated to be 2.72 million based on findings in the 2021 (ISC)2 Cybersecurity Workforce Study & ISACA State of Cybersecurity 2021 Survey.
The cybersecurity workforce demand is a standing boardroom agenda for CISOs and senior executive constituents. CISOs must work collaboratively alongside human resources to solve talent pipeline challenges.
A Cyber Seek 2021 assessment indicates 597,767 national cybersecurity job openings; thus, organizations must address this immediate disparity through consensus-building, diversity of thought, and out-of-the-box thinking. CISOs must evaluate their current hiring practices, transform ideal-to-actual job descriptions, and scrutinize their HR/organizational culture to remove aggressive tendencies and embrace a more forward-leaning, authentic, and autonomous culture.
Talent development is considered the cornerstone to increasing diversity-infused candidates into the cybersecurity pipeline. Based on my experience, I have adopted a three-prong attack strategy to cultivate a unique palette of experience and knowledge to ascertain a solid talent-rich team.
This goes beyond the outdated mentality of third-party partnerships to lean on certificates, degrees, professional associations, and internship/fellowship programming to acquire unique talent. This approach, combined with interview preparation and stretch assignments, creates real-time, mutually beneficial skills for current team members.
Lastly, providing opportunities to showcase my employees’ newfound skills through conferences (internal/external), community engagements, and immersive responsibilities provides hands-on experiences and shadowing opportunities. This helps to level up knowledge transfer and strengthen mentorship/sponsorship programs that create a more synergistic, follow-then-lead approach to building the talent pipeline.
As a transformational leader, it is paramount to change current hiring practices to further reach untapped talent inside and outside the organization using my three-prong attack strategy:
1. Go where the talent is located. Seek talent that has the drive, ambition, and tenacity to level themselves up through self-driven, multipronged vectors and consequently are thirsty and self-motivated.
2. Survey current hiring practices to identify the talent gaps. (Who? Where? Why? When? What? & How?). Build a diverse talent pipeline and create new partnerships that are currently serving the population previously identified in the gap analysis.
3. “Try before you buy” mentality. Increase credibility and employee confidence through stretch assignments, mentorships/sponsorships, and leadership development tasks to align employees with exposure and insight before leaping to a new role.
My guiding principles lead me to ignite my employees’ inner authenticity and emotional intelligence to provide a team-oriented, future-oriented culture. This culture relies heavily on an in-group collectivism mindset to tap into “their inner leader.” Deeply coupled partnerships operate from a customized driver/navigator paradigm to provide an inclusive, autonomous environment.
In my experience, cybersecurity job descriptions tend to be too inelastic. Panic-stricken job descriptions can turn away competent, qualified, and dedicated applicants. Plus, many individuals who would be excellent security candidates do not have college degrees, have not attended boot camps, and have not completed traditional security training.
Moreover, career changers are a large part of the untapped real estate that possess lucrative, diverse skillsets (i.e., lawyers, teachers, and librarians). Hiring candidates with the desire, passion, and willingness to learn or self-hone their skills should be treasured and respected. Pioneering thought leadership is vital to building an above-board Diversity, Equity, and Inclusion (DEI) focused organization to complement current best practices interlaced with a meet-them-where-they-are mentality to cultivate good results.
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution.
Safari is a graphical web browser developed by Apple.
iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.
iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.
macOS Monterey is the 18th and current major release of macOS.
macOS Big Sur is the 17th release of macOS.
macOS Catalina is the 16th major release of macOS.
watchOS is the mobile operating system for Apple Watch and is based on the iOS operating system.
tvOS is the operating system for the fourth-generation Apple TV digital media player.
Xcode is Apple’s integrated development environment for macOS.
Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the permissions associated with the application running the exploit, an attacker could then install programs or view, change, or delete data.
MITRE ATT&CK v11 adds ICS matrix, sub-techniques for mobile threats
The MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) Framework has become a mainstay of the cybersecurity industry. The framework represents relevant adversary behavior, and organizations can leverage it to bolster their cybersecurity defenses and improve their ability to detect common adversary behavior. It details adversary behavior across the attack lifecycle.
The framework has been around since 2013 and continues to get better. The framework and associated matrices have evolved to address emerging technology areas that organizations are increasingly adopting, such as infrastructure as a service (IaaS), software as a service (SaaS), and containers. The latest release, MITRE ATT&CK v11, adds sub-techniques for mobile and introduces an industrial control systems (ICS) matrix. Those v11 updates are explained below, along with insights you can use to help meet recent government requirements as well.
China’s cyber espionage focus: intellectual property theft
China’s focus on the acquisition of intellectual property is a recurring topic that keeps percolating to the forefront, the most recent instance being Operation CuckooBees, which has been detailed in a comprehensive Cybereason report. The report noted that the Chinese advanced persistent threat (APT) group behind it has had many labels, including Winnti and APT41, and is credited with being operational from at least 2019. Over the course of the past few years, the group siphoned off, according to Cybereason, hundreds of gigabytes of data from its targets.
CISOs worried about material attacks, boardroom backing
The threat of substantial material attacks and getting board support for their efforts are top-of-mind issues among the world’s CISOs, according to a new report released by Proofpoint Tuesday. Nearly half of the 1,400 CISOs surveyed for the annual Voice of the CISO report (48%) say their organization is at risk of suffering a material cyberattack in the next 12 months. That’s substantially lower than 2021, when nearly two-thirds of the CISOs (64%) expressed similar sentiments.
“That drop was a bit surprising,” Proofpoint Global Resident CISO Lucia Milica, who supervised the survey, tells CSO Online. When the pandemic hit, CISOs were scrambling to put temporary controls in place to deal with the explosion of remote workers and enable a business to operate securely, she explains. “Over the last two years, CISOs have had time to bring in more permanent controls to support hybrid work. That’s put more CISOs at ease in terms of feeling that they can protect their organizations.”