Back-to-School: Balancing Social Media & Mental Health


Wouldn’t it be nice if, along with grades for English, Science, and Algebra this year, our child’s report card included quarterly feedback on their mental health?  

Recently, actor Tom Holland of Spider-Man fame reported on his mental health publicly by deleting several of his social media accounts. The actor stated that his social media accounts had become “detrimental” to his mental state and that he “spirals” when he reads things about himself online. He used words like “overstimulating” and “overwhelming.”  

And parents were likely “overjoyed,” giving cyber high fives all around at Holland’s transparency in talking so publicly about social media’s link to mental health. Because if you are a parent, you know.

As we head into a new school year with high hopes in tow, Holland’s decision also challenges us to pay closer attention to how social media could potentially impact our kids’ mental health.   

A few questions for families to consider: 

Have we (really) talked about the mental health risks connected to social media (cyberbullying, body image issues, digital drama, tech addiction, fake news, and FOMO)?  
What social media safety topics do we need to refresh (based on age)? 
Have we put the right digital safeguards in place to minimize mental health risks? 
How much time online is appropriate for my child’s age and maturity level? 
Are my child’s mood changes age-appropriate, or is it something more? 
Has my child’s appearance, attitude, health, or grades changed?  
Does my child feel supported and know where to turn for help? (Am I sure of that, or am I making assumptions?) 

Every child’s maturity and cognitive ability to handle online challenges will differ, so a one-size-fits-all digital wellbeing plan isn’t likely to work. Here are a few insights and tips that may be helpful as you shape the method that works for your family.  

Explore healthy social media limits. 

Explore time limits. Research continues to find that reducing social media use directly reduces loneliness, depression, and anxiety. Most every child needs help with balance, especially at the start of a new school year when a new routine is in play. Pay attention to your child’s social media use and consider establishing time limits if needed. Be sure to include your child in the conversation. Ask them to define what a healthy digital balance means to them and how to tie (or untie) behaviors to those goals.
Pay attention to friend groups. As a parent, you’ve got a million things to pay attention to, but few things are more important than the people your child consistently spends time with on and offline. This circle of influence is powerful and can change online constantly. 
Make your parent-child relationship a priority. Not all signs of emotional distress will be visible; some will be subtle or intentionally hidden by your child. That’s why it’s so important to take the time to connect, listen, and truly understand how your child is doing.
Practice digital health. Digital, mental, and physical health are intertwined. Show your child what balanced and healthy digital habits look like. These include online health in conflict management, wise posting and commenting, and time limits. Offline, this includes modeling healthy physical habits such as exercising, meditation, and deep breathing, building healthy face-to-face relationships, and getting enough sleep.
Know the signs. Consider looking more closely into how your child’s online activities might impact them emotionally. Be aware of shifts in behavior, grades, and sleeping patterns. Know the signs that they may be experiencing online bullying.   
Layer Up Your Power. Consider technology your parenting partner to help reduce the mental health risks your child may encounter online. Parental controls on family devices can help you monitor their wellbeing and set time limits.
Proceed with care. If you know your child is having challenges online, it’s important not to overreact and restrict device use altogether. Kids need peer connection, and online is where they tend to connect the most (like it or not, agree or not). Consider ways to help them balance their time online. Discuss the pros and cons of their favorite apps before making drastic changes.   
Ask for help. Talk with your kids daily, and if you believe they need additional help beyond your scope of knowledge, be prepared to find resources to help. If you or a family member is in immediate crisis, visit the emergency room or call the National Suicide Prevention Lifeline at (800) 273-8255.

Any way you slice it, many unknowns come with every new school year, especially if you have tweens or teens. Social media adds a layer of complexity to those unknowns. However, with some forethought and follow-through, you can navigate those risks one day at a time.  

The post Back-to-School: Balancing Social Media & Mental Health appeared first on McAfee Blog.


CVE-2021-35113


Possible authentication bypass due to improper order of signature verification and hashing in the signature verification call in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables.


CVE-2021-35108


Improper checking of AP-S lock bit while verifying the secure resource group permissions can lead to non-secure read and write access in Snapdragon Connectivity, Snapdragon Mobile.


CVE-2021-35097


Possible authentication bypass due to improper order of signature verification and hashing in the signature verification call in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.


Cybersecurity Snapshot: 6 Things That Matter Right Now


Topics that are top of mind for the week ending Sept. 2 | Shift-left efforts falling short. What CISOs earn and what stresses them out. The quantum computing risk for critical infrastructure. Securing machine learning systems. And much more!

1 – Shift left: Still a work in progress

Shifting security left – meaning, starting security checks earlier in the software development process – has been widely hailed. But, as a new study shows, adoption of “shift left” practices is falling short.

In the study “Software Security During Modern Code Review: The Developer’s Perspective,” University of Zurich researchers interviewed 10 developers and polled another 182 online, and found:

Developers acknowledge the importance of security code reviews, and view it as their responsibility, but it’s not top of mind for them.
Most companies expect developers to do security code reviews, but many don’t provide them with security training.
Developers rank a lack of security training and knowledge as their main security-related challenge.
Developers are often unclear on who’s responsible for what regarding application security, and thus they may neglect doing their part.
They report struggling with assessing the security of third-party software libraries and the security of the interaction between app code components.

Challenges developers face concerning security during code reviews

(Source: “Software Security during Modern Code Review: The Developer’s Perspective” study, University of Zurich, Aug. 2022)

The researchers recommend that companies do a better job of educating developers about security and of motivating them to review code by providing incentives and recognition.

More information:

A Practical Approach for Shifting Left (Tenable)
What is shift left testing? (TechTarget)
Shift Left: Where Cloud Native Computing Security Is Going (The New Stack)
Shifting security left requires a GitOps approach (TechTarget)
OpenSSF director warns over secure development (The Stack)

2 – All you ever wanted to know about CISOs in 2022

How much do CISOs earn? Which career paths do they take to become a CISO? How long do they stay at their jobs? What keeps them up at night?

You can find answers to those – and many more – questions in the “2022 Global Chief Information Security Officer (CISO) Survey” from executive search firm Heidrick & Struggles.

Key findings from the survey, which polled 327 CISOs from the U.S., Europe and Asia-Pacific:

Regarding the most significant threats facing their organizations, most respondents included ransomware (67%), followed by insider threats (32%), nation/state attacks (31%) and malware attacks (21%).
CISOs’ team size grew compared with last year, reflecting the increasing investment in cybersecurity by organizations.
CISOs have broad visibility with their board of directors, with 88% saying they present to either the full board or to a board committee.
Median cash compensation for CISOs in the U.S. rose to $584,000 from $509,000 in 2021. Total compensation, including equity grants and other incentives, increased to $971,000 from $936,000.
Regarding tenure length, 77% of respondents have been at their current job for at least three years, up from 56% of respondents in 2021’s survey.
When asked about “personal risks,” CISOs ranked stress at the top (59%), followed by burnout and by higher-than-usual staff turnover.

(Source: “2022 Global Chief Information Security Officer (CISO) Survey” from Heidrick & Struggles, August 2022.)

More information:

Cybersecurity on the board: How the CISO role is evolving for a new era (TechMonitor)
7 best reasons to be a CISO (CSO)
Effective Board Communication for CISOs (CISO Street)
7 mistakes CISOs make when presenting to the board (CSO)

3 – Guidance for securing ML and AI systems

Machine learning (ML) and artificial intelligence (AI) have become ubiquitous across all types of applications, which makes them an attractive target for cybercriminals – and creates a need for security teams to protect these systems.

The latest guidance for combatting “adversarial machine learning” attacks comes from the U.K.’s National Cyber Security Centre (NCSC), which has just published a set of security principles for systems that have ML technology.

As an NCSC data science researcher explains in a blog post, to test software for vulnerabilities and weaknesses, one must understand how it works, but this is often difficult with ML, for a variety of reasons. 

In its guidance, the NCSC addresses critical ML weaknesses and challenges; the differences between ML security and standard cybersecurity; and its development of specific security principles.

More information:

What is Adversarial Machine Learning? (Towards Data Science)
Adversarial machine learning explained (CSO)
5G networks vulnerable to adversarial ML attacks (TechTarget)
Data-tampering attacks are hard to detect (Protocol)
How to protect your ML models against adversarial attacks (The Next Web)

4 – Struggling to fill IT, cybersecurity jobs? Look for non-tech candidates

The shortage of IT workers remains a global problem, and is particularly pronounced in cybersecurity, so what’s a hiring manager to do? A popular suggestion is to consider candidates without tech experience. A new article from McKinsey & Co. backs it up as a good idea.

Titled “Overcoming the fear factor in hiring tech talent,” it’s based on an analysis of anonymized online work histories of about 280,000 tech pros. Here’s a stat that jumps out: 44% transitioned to IT from non-IT occupations. And almost three in five U.S. IT managers started in non-IT roles.

Other interesting findings about these IT pros:

70% started in professional services, healthcare or other science, technology, engineering and mathematics (STEM) fields.
Common first IT roles included app developer, IT support and document manager.
They show a stronger ability to acquire new IT skills than their IT “lifer” counterparts.
They tend to move quickly up the ladder to more specialized, sophisticated roles in areas like cybersecurity.

Recommendations for finding good candidates include:

Look for motivated candidates within your own organization.
Make bold hiring decisions and consider “soft skills” like:

Analytical mind
Attention to detail
Problem solving ability
Adaptability
Communication skills

Don’t rule out mid-career workers who are eager for a change.
Once they’re in IT, provide them with plenty of training and education.

More information:

Companies are desperate for cybersecurity workers (Fortune)
Cybersecurity skills gap: Why it exists and how to address it (TechTarget)
Cybersecurity teams need to fill jobs. They’ll need entry-level roles. (Protocol)
What Can Be Done to Overcome Cybersecurity Staff Shortage? (Bank Infosecurity)
Hiring entry-level and junior candidates can alleviate the cybersecurity skills shortage (TechRepublic)

5 – CISA: Critical infrastructure must prep for quantum computing threat 

Here’s a heads up for critical infrastructure organizations: Quantum computing is coming and you should start preparing for its cybersecurity risk now.

What’s the problem? When they become available, possibly around 2030, powerful quantum computers will break existing public-key cryptographic algorithms, which would create a global data-privacy and security disaster.

Consequently, the U.S. government is trying to get the country ready. For example, “quantum resistant” cryptographic algorithms are being developed, an effort slated for completion in 2024 with the release of a new standard.

The government is also providing guidance to cybersecurity teams, as we’ve explained in this blog. However, critical infrastructure faces particularly complex challenges, so the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a guide for this sector.

Here are some key takeaways:

Among the 55 national critical infrastructure functions provided by government and businesses, these four will offer foundational support via products, patches and software:

Providers of online content and communication services
Providers of identity management services
IT providers
Protectors of sensitive information

Because their hardware is geographically dispersed and has a long replacement lifecycle, organizations with industrial control systems (ICS) should factor quantum-computing risks into new hardware purchases.
NCF providers that store confidential data long-term must prevent “catch and exploit” attacks, in which hackers try to steal this data and decrypt it once quantum computers are available. 

CISA also reiterated the importance of taking steps now, like inventorying the systems and applications that use public-key cryptography, as well as the most critical data to be secured long-term. 

More information:

Quantum apocalypse: Experts warn of ‘store now, decrypt later’ hacks (Silicon Republic)
CISA Warns Critical Infrastructure to Prepare for Mass Post-Quantum Systems Migration (NextGov)
A Peek Into CISA’s Post-Quantum Cryptography Roadmap (Dark Reading)
CISA Releases Guidelines to Aid Companies Transition to Post-quantum Cryptography (Infosecurity Magazine)

6 – Quick takes

Here’s a roundup of vulnerabilities, trends, news and incidents to put on your radar screen.

Microsoft is warning about a malware called MagicWeb, “a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services (AD FS) server.” MagicWeb is being used by the Nobelium APT – of SolarWinds fame – to maintain persistent access to compromised environments. More information and analysis from Redmond Magazine, ZDNet and Dark Reading.

Ransomware attacks surged 47% in July compared with June, with the new Lockbit 3.0 variant accounting for most of the attacks (52), according to NCC Group.

LastPass, provider of a popular password manager app, disclosed that an intruder accessed parts of its dev environment and stole portions of source code, but said no customer data was compromised.

Google has disclosed multiple vulnerabilities in Chrome, and the most severe could lead to arbitrary code execution.

WordPress is recommending users update to the latest version because it patches three security issues, including a SQL injection bug.

Google has launched a bug bounty program specifically for vulnerabilities found in any of its open source projects.

Atlassian warned about a critical severity vulnerability in Bitbucket Server and Data Center 7.0.
