How CIS Can Help You Enact Defense-in-Depth in the Cloud

In a previous post, we introduced the concept of defense-in-depth and explained how it strengthens an enterprise’s security program against a

Cybersecurity hiring and retention challenges in 2023

Scott Scheppers, chief experience officer for AT&T Cybersecurity, weighs in on how his team is addressing the cybersecurity talent shortage. This is part one of a two-part blog.

The boundaries between the physical and digital worlds are decreasing. The Internet of things (IoT), artificial intelligence, blockchain technology, and virtual reality are buzzwords that have already made their way into everyday language. Services that were traditionally hardwired, such as copper landlines and traditional PBX systems, are being brought online through cloud computing and Voice over Internet Protocol services. For many businesses, the chosen catchphrase to describe this movement is ‘digital transformation’. According to Forbes, this transformation is not only growing at an exponential pace but is also one of the most impactful business trends in 2023. 

While this shift promises increased efficiency and growth, it also opens more opportunities for cybersecurity attacks and, consequently, an accelerated need for cybersecurity experts. Unfortunately, the latter part is where the industry is facing a challenge.

The (ISC)2 2022 workforce study revealed there is a shortage of 3.4 million cybersecurity specialists, an increase of 26% from the previous year. On the other hand, the Bureau of Labor Statistics reported that the field is expected to expand by more than 33% from 2020 to 2030. The industry’s need for skilled cybersecurity practitioners is, in fact, growing faster than the number of people entering the field.

To address some of these pressing issues, Scott Scheppers, chief experience officer (CXO) at AT&T Cybersecurity, lends insight on how his team is meeting the challenge of hiring and retention. Scheppers has more than 30 years of experience in security, and his team staffs nine global network and security operations centers that run 24/7/365. Throughout his career, Scheppers has witnessed the industry’s explosive growth firsthand. He was on the front lines of national defense before cybersecurity was even a fully developed concept.

“When the cyber domain began growing in the late ’90s,” says Scheppers, “it wasn’t even called cybersecurity. There was just a bunch of IT professionals worried about keeping the IT department running. They didn’t think operationally. They just had to service desks, close tickets, and make emails work. Then, in the late ’90s and early 2000s, we had demonstrations of how easy it was to hack someone’s email. That was just the beginning.”

He continues, “When I first started in the Air Force, I was an intelligence officer. In intelligence, you focus on what the adversary is doing, collect information, and analyze it. This is different from the IT department, which is mainly focused on keeping things running.”

“In the intelligence team, our focus is the adversary. We needed to be constantly thinking strategically about how to combat the rise in cybercrime. And so, our team was perfectly positioned to transition into cybersecurity. I entered the Air Force as an intelligence officer and was the head of cybersecurity by the time I left. During this time, I watched the transformation of cyber into a critical warfighting domain. It was a crazy time of sink or swim. I am grateful to have been part of teams that led our national response to key cybersecurity events.”

After Scheppers’ time of service in the government, he accepted a position in AT&T’s Cybersecurity department. Today, he oversees the operations team that runs all of AT&T’s managed security services. AT&T is, in fact, among the top cybersecurity services companies in the world, providing cybersecurity consulting and managed network and security operations for small to large enterprises, as well as mid-size business and government organizations.

Scheppers saw a difference in leadership style in his transition from government to civilian organizations. “In the Air Force, leaders essentially ‘own’ every aspect of their airmen’s lives; when you want to move someone for vitality or the betterment of the unit, they don’t get a vote. In civilian organizations, people do get a vote on who their boss is. In fact, people often follow a boss from job to job. This adds a wrinkle to leading the organization. You must win the hearts and minds of your team daily by growing and delivering for them.”

He describes his current position of leadership. “Today, I have great people that are doing great things in my organization. If I set the table correctly, I hope for a relatively boring day where I can focus on touchpoints or strategize on higher levels to plan the next steps of the organization.”

What are the biggest misconceptions about hiring in Cybersecurity?

According to Scheppers, one of the biggest misconceptions in entry-level Cybersecurity recruitment is that certifications equate to potential and capability. “People often think they need to hire someone with a bunch of certifications to be successful,” Scheppers states, “But I don’t think entry-level workers need to come in with piles of certifications. If they have them, that’s great, but these certifications alone don’t translate to a great hire.”

“In my organization, we look for people with inquisitive mindsets who like to solve problems – like the detectives in CSI,” Scheppers adds with a chuckle. “Of course, you can’t loathe IT-related things, but the truth is, you don’t need a cybersecurity degree to get started. If you have basic computer skills and an inquisitive mindset, you are off to a great start.”

Scheppers believes this common misconception is one of the reasons companies struggle with hiring cyber professionals. “Right now, there is a shortage of people in the field and it’s highly competitive to hire existing professionals. If companies only accept entry-level people with all the right certifications, they’re going to end up paying a high price. The key is to train your people. Then, you can also build your own culture in the process.”

“A few of the characteristics I look for are from Patrick Lencioni’s definition of an ‘ideal team player’,” Scheppers adds. “Ideal team players are people who are hungry to learn, humble, and people smart. These qualities are foundational to healthy organizational cultures.”

When recounting previously successful hires, he shares that they have hired people who came from selling entertainment packages door-to-door or pulling fiber lines in the attics. “Although they weren’t your typical cybersecurity hires, they had the qualities we look for. So, you bet we brought them onboard. Not only have they been outstanding performers, but they have also grown into key leaders of our operation.”

While this hiring mindset may apply to entry-level hires, Scheppers clarifies that this is not a rule across the board. “If I need someone with specific experience who can hit the ground running from day one, I’ll have to find someone more experienced.” In such cases, those specialized, verifiable skills and training are important.

He adds, “Certifications and courses are valuable, and they matter in this industry. They help provide credibility and sharpen skills. For those who come in and don’t have the education needed to succeed, we provide them with opportunities to grow here! Just note that certifications are not the only metric for bringing an entry-level hire onto the team.”

Multiple Vulnerabilities in Google Android OS Could Allow for Privilege Escalation

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for privilege escalation. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for privilege escalation. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights.

Two-Factor vs. Multi-Factor Authentication: What’s the Difference?

In recent times, the humble password’s efficacy as a security measure has come under scrutiny. With tendencies to be easily guessed, stolen, or bypassed, passwords have been deemed inadequate for securing sensitive information. Thankfully, more secure alternatives have emerged, with terms such as “two-factor” and “multi-factor” authentication gaining traction.

However, these terms may seem abstract to those unfamiliar with them, potentially leading to confusion about their functions and differences. This article aims to break down these forms of authentication, explaining how they work and how they can enhance online information security.

Single-Factor Authentication

Before diving into the intricacies of multi-factor and two-factor authentication, it is pertinent to understand their predecessor: single-factor authentication. The simplest form of authentication, single-factor authentication, requires only one factor to verify a user’s identity. Typically, this involves matching a password with a corresponding username, a method used universally for online account logins.

While convenient in its simplicity, single-factor authentication carries glaring security flaws. Easy-to-guess passwords or stolen credentials can lead to unauthorized access, compromising the security of user accounts and confidential information. Hence, it became necessary to introduce additional layers of security to the authentication process, giving rise to two-factor and multi-factor authentication.

Two-Factor Authentication

Two-factor authentication augments the simplicity of single-factor authentication with an extra layer of security. Besides providing a password, users are also required to verify their identity with an additional factor that only they possess. This additional factor often takes the form of a unique code sent to the user’s mobile phone.

The rationale behind this method is straightforward: even if a hacker manages to secure a user’s password, they would still require the unique code to gain access. However, it is important to note that this method is not completely foolproof. Crafty hackers able to intercept the unique code or create duplicate websites to steal credentials can still bypass this security measure. Despite these vulnerabilities, the complexities involved in these hacking methods make two-factor authentication considerably safer than its single-factor counterpart.

Also worth mentioning is “true” two-factor authentication, which involves giving users a unique device, such as a security token, that generates a unique code for the user. This code, which changes at set intervals, is matched with a profile in a database, making guessing impossible.

Multi-Factor Authentication

Building upon the concepts of two-factor authentication, multi-factor authentication introduces even more factors for user verification. These factors usually include something that the user possesses and something unique to their physical being, such as a retina or fingerprint scan. Location and time of day can also serve as additional authentication factors.

While the notion of multi-factor authentication may seem like a concept from a science fiction movie, it is already being used extensively, especially by financial institutions. Advancements in camera technology have enabled the implementation of facial recognition as a secure method of recognition, adding another factor to the multi-factor authentication process.

Implementing Two-factor and Multi-factor Authentication

With the potential vulnerabilities associated with single-factor authentication, implementing two-factor or multi-factor authentication for sensitive online accounts becomes a necessity. These added layers of security help to safeguard your digital information from unscrupulous elements. Two-factor authentication utilizes a password and an extra verification layer, such as a unique code sent to your mobile device, to ensure that you’re indeed the account holder. With multi-factor authentication, additional verification elements are added, such as biometric data or your physical location.

So how do you implement these forms of authentication? Most online service providers now offer two-factor authentication as an option in their security settings. Once you’ve opted for this extra level of security, you’ll be required to input a unique code sent to your mobile device each time you attempt to log in. For multi-factor authentication, the process might require additional steps, such as providing biometric data like facial recognition or fingerprints. However, these extra steps are a small inconvenience compared to the potential risk of your sensitive information being compromised.

Understanding Biometric Authentication

Biometric authentication is a subset of multi-factor authentication that relies on unique physical or behavioral traits for verification. Biometric authentication methods include facial recognition, fingerprints, iris scans, voice recognition, and even your typing pattern. These methods are gradually becoming mainstream, with smartphone manufacturers leading the way in implementing fingerprint scanners and facial recognition technology into their devices. Biometric authentication’s edge over traditional passwords lies in its uniqueness; while passwords can be guessed or stolen, biometric traits are unique to each individual.

As with all forms of technology, biometric authentication also has its drawbacks. For instance, it may not always be accurate, as facial features or fingerprints may change over time due to aging or injury. Also, there are valid concerns about privacy and the potential misuse of biometric data if it falls into the wrong hands. However, with proper safeguards and data encryption in place, biometric authentication can be a secure and efficient way to protect online accounts from unauthorized access.

McAfee Pro Tip: Biometric authentication definitely has its strengths and weaknesses, so it’s important to choose the best combination of authentication and security software for your devices and accounts. Learn more about the opportunities and vulnerabilities of biometric authentication.

Final Thoughts

As our digital footprint grows, so does the need for secure authentication methods. Single-factor authentication, although simple and convenient, is no longer sufficient to protect sensitive online information. Two-factor and multi-factor authentication provide an additional layer of security, significantly reducing the risk of unauthorized access.

Additionally, advancements in biometric technology have introduced a new realm of secure verification methods unique to each individual. Remember, the goal is not to eliminate all risks but to reduce them to a level that’s acceptable and manageable. When setting up your online accounts, always opt for the highest level of security available, whether it’s two-factor, multi-factor, or biometric authentication. Take full advantage of these methods, and ensure you’re doing everything you can to safeguard your digital information.

The post Two-Factor vs. Multi-Factor Authentication: What’s the Difference? appeared first on McAfee Blog.
