InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
“Through this crowdsourcing platform, Federal Civilian Executive Branch (FCEB) agencies will now be able to coordinate with the security research community in a streamlined fashion and those reporting incidents enjoy a single, usable website to facilitate submission of findings. The platform encourages collaboration and information sharing between the public and private sectors by allowing uniquely skilled researchers to submit vulnerability reports, which agencies will use to understand and address vulnerabilities that were previously unidentified,” Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA, explained.
At the moment, this newly established VDP platform collects eleven vulnerability disclosure programs, published by the:
Federal Communications Commission (FCC)
Department of Homeland Security (DHS)
National Labor Relations Board (NLRB)
Federal Retirement Thrift Investment Board (FRTIB)
Millennium Challenge Corporation (MCC)
Department of Agriculture (USDA)
Department of Labor (DOL)
Privacy and Civil Liberties Oversight Board (PCLOB)
Equal Employment Opportunity Commission (EEOC)
Occupational Safety and Health Review Commission (OSHRC)
Court Services and Offender Supervision Agency (CSOSA)
This newly established VDP platform is run by Bugcrowd, a bug bounty and vulnerability disclosure company, and EnDyna, a government contractor that provides science and technology-based solutions to several US federal agencies.
What skills should aspiring information security workers possess and work on? What certifications can come in handy more than others? What strategies should organizations employ to develop a well-staffed cybersecurity team? Where should they look for talent? What advice do those already working in the field have for those who want to enter it?
(ISC)² wanted to know the answer to these and other questions, so they asked 1,024 infosec professionals and 1,010 cybersecurity job pursuers in the U.S. and Canada.
When Pindrop surveyed security and fraud professionals across vital sectors including banking and healthcare, we discovered hundreds of teams that had made heroic efforts to continue operating in the face of huge obstacles. We were also reminded of the many ways that fraud threatens businesses and individuals facing turmoil.
Spikes in call volume left contact center agents overextended while lockdown protocols forced reorganizations and remote work; well-intentioned and generally beneficial programs like PPP loans provided new avenues for fraud; and fraud attempts shifted to new venues, like banks’ prepaid card divisions.
Today, we live our lives, and conduct our business, online. Our data is in the cloud and in our pockets on our smartphones, shuttled over public Wi-Fi and company networks. To keep it safe, we rely on passwords and encryption and private servers, IT departments and best practices. But as you read this, there is a 70 percent chance that your data is compromised . . . you just don’t know it yet.
Cybersecurity attacks have increased exponentially, but because they’re stealthy and often invisible, many underplay, ignore, or simply don’t realize the danger. By the time they discover a breach, most individuals and businesses have been compromised for over three years. Instead of waiting until a problem surfaces, avoiding a data disaster means acting now to prevent one.
No matter who you are or where you work, cybersecurity should be a top priority. The information infrastructure we rely on in every sector of our lives (in healthcare and finance, for governments and private citizens) is both critical and vulnerable, and sooner or later, you or your company will be a target. This book is your guide to understanding the threat and putting together a proactive plan to minimize exposure and damage, and ensure the security of your business, your family, and your future.
Many thought leaders have approached the skills shortage from a cumulative perspective. They ask “How on Earth can companies afford to keep re-training their teams for the latest cyber-threats?” The challenge, to them, emanates from the impracticalities of entry level training becoming obsolete as new challenges emerge.
Of course, the question of ongoing training is very important, but I believe it has misled us in our evaluation of the growing disparity between the supply and demand of cyber-professionals. What we should be asking is “How can we create a generation of cyber-professionals with improved digital skills and resilience to tackle an enemy that continually mutates?”
Defining the relationship between people and technology is of the utmost importance here. Cybersecurity is not merely a technical problem; it is a human problem, and that intersection is critical. People are not the weakest link in an effective cybersecurity defense strategy but the most crucial one, and technology is the apparatus that can properly arm them with the skills to defend against attacks.
The silver bullet
The only thing we can be certain of is that cyberattacks are taking place right now and will continue to take place for the foreseeable future. As a result, cybersecurity will remain one of the most critical elements for maintaining operations in any organization.
In addition, COVID-19 has been a significant catalyst in increasing uptake of and emphasis on cyber skills, since the steep rise in the use of digital platforms in both our work and personal lives has expanded the attack surface and created more vulnerabilities.
Overall, though, young people remain our best hope for tackling the global cyber skills gap, and only by presenting cybersecurity to them as a viable career option can we start to address it. This is the critical starting point. Once we do this, the next important step is to give universities and schools the facilities to offer sophisticated cyber training.
Our community (that is, technologists, mathematicians and information assurance professionals) has generally adapted well to changes in the technology landscape.
At the start of the Cold War, the western security apparatus sought to understand the actions of their adversaries by intercepting radio signals bouncing off the ionosphere and analyzing the messages they carried. Later, when the Soviets moved to microwave transmissions, that same security apparatus deployed cutting-edge line-of-sight interception techniques.
Then, in 1977, after the Soviets began to successfully encrypt their communications, the NSA launched the Bauded Signals Upgrade program, delivering a supercomputer designed to compare encrypted messages with elements of plain text transmitted by mistake, allowing the agency to break many of the Soviets’ high-level codes. Time and time again, our innovation has kept us safe, but only when we have prepared to meet the threat.
Quantum information theory, which builds on the quantum mechanics developed in the early 20th century, has led to an exciting yet dangerous new prospect: quantum algorithms that solve computational problems which have so far proven intractable, or at least unachievable within a useful period, on classical computers. The best-known example is Shor's algorithm for integer factorization and discrete logarithms, the hard problems that underpin RSA and elliptic-curve public-key cryptography, a key pillar of modern data encryption. (Symmetric ciphers such as the Advanced Encryption Standard are only weakened, not broken: Grover's algorithm roughly halves their effective key length, which is why AES-256 rather than AES-128 is generally recommended where quantum adversaries are a concern.)
A joint research team from Google and the KTH Royal Institute of Technology in Sweden (Gidney and Ekerå, 2019) published a study estimating that a 2048-bit RSA key could be factored in about 8 hours, a computation that would take today’s classical computers over 300 trillion years. The catch? That estimate assumes a quantum computer with roughly 20 million noisy qubits, and the largest quantum computer in existence at the time of writing has only 65.
Their study, alongside many like it, tells us that quantum technology will present the greatest threat to the security of our critical systems in the history of computing. It may even be useful to us in future conflicts. However, quantum computers will need considerably more processing power than is available today and will require a significantly lower error rate if they are to be utilized for cyberspace operations.
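To make concrete what "breaking a 2048-bit key" means, here is an added illustration (not code from the article or from the Google/KTH paper) of the classical skeleton of Shor's algorithm on a toy RSA modulus. The one step a quantum computer accelerates is finding the multiplicative order r of a random base a modulo N; below, that step is a brute-force loop, which is precisely what does not scale to RSA-2048. The rest, turning r into a factor with gcd, is cheap classical arithmetic. The fixed random seed and the `max_tries` budget are this example's own choices.

```python
"""Classical skeleton of Shor's algorithm on a toy RSA modulus.

Added illustration, not from the original article. The only step a
quantum computer speeds up is finding the order r of a random base a
modulo N; here that step is brute force, which is exactly what does not
scale to 2048-bit moduli. Everything else (the gcd post-processing that
turns r into a factor) is cheap classical math.
"""
from math import gcd
from typing import Optional
import random


def find_order_classically(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n), found by stepping through
    powers of a. This O(n) loop is the subroutine Shor replaces with
    quantum period finding. Caller guarantees gcd(a, n) == 1."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, rng: Optional[random.Random] = None,
                max_tries: int = 50) -> Optional[int]:
    """Return a non-trivial factor of n, or None if every trial failed.
    Assumes n is odd and composite with at least two distinct prime
    factors (the RSA case)."""
    rng = rng or random.Random(1)  # fixed seed keeps the example reproducible
    for _ in range(max_tries):
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g > 1:
            return g              # lucky: a already shares a factor with n
        r = find_order_classically(a, n)
        if r % 2:
            continue              # odd order: a^(r/2) is not an integer, retry
        y = pow(a, r // 2, n)
        if y == n - 1:
            continue              # a^(r/2) == -1 (mod n): only trivial roots
        # y^2 == 1 (mod n) with y != +-1, so n divides (y-1)(y+1) but
        # neither factor alone: gcd splits n.
        for f in (gcd(y - 1, n), gcd(y + 1, n)):
            if 1 < f < n:
                return f
    return None


if __name__ == "__main__":
    n = 3233  # 53 * 61, a textbook toy RSA modulus
    f = shor_factor(n)
    print(f"{n} = {f} * {n // f}")
```

Every base a whose order is even and whose half-power is not -1 yields a factor, and for a semiprime at least half of all bases qualify, so a handful of tries suffices. The quantum advantage is entirely inside `find_order_classically`: on a 2048-bit modulus that loop would run for a time comparable to the age of the universe, while Shor's period-finding circuit does it in polynomially many operations, which is what the 8-hour estimate counts.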
To meet this challenge, institutions across the world are rushing to develop quantum computers that are capable of delivering on the promising theory.
The U.S. National Institute of Standards and Technology is running a multi-round standardization process for post-quantum cryptography: public-key encryption, key-establishment and digital-signature algorithms designed to resist attack by quantum computers. It accepted 69 complete submissions in 2017 and had narrowed the field to 15 candidates in the third round by 2020. Early indications are that quantum technology will provide an ability to detect, defend, and even retaliate against all manner of future threats.
Away from security, most people understand that quantum computing has immense potential for good â with applications in the scientific and medical research fields easy to imagine. However, this vast computing power could also be used to undermine the classical computer systems that our nation relies upon so heavily.
In a climate where remote work became more prevalent (and in some cases mandatory), those citing “limited remote work possibilities” as a reason for leaving their cybersecurity role saw a six-percentage point decline (45%) compared to the year before.
Though the cybersecurity workforce was mainly spared the pandemic devastation experienced by other sectors, the survey found that longstanding issues persist, including:
61 percent of respondents indicate that their cybersecurity teams are understaffed.
55 percent say they have unfilled cybersecurity positions.
50 percent say their cybersecurity applicants are not well qualified.
Only 31 percent say HR regularly understands their cybersecurity hiring needs.
If cybersecurity is a new concept for the business, first take the necessary steps to follow best practice, as set out by the NIST Cybersecurity Framework, as a minimum. Furthermore, to enhance the organisation’s overall security maturity, there are four key categories that need to be addressed: cyber strategy and risk, network security, endpoint security, and threat detection and response capabilities.
What is the current level of the cyber strategy and risk?
Small business owners are focussed on running their business, with cybersecurity often a secondary concern. To begin with, businesses should seek consultation from industry experts to provide an assessment of the infrastructure to determine areas of concern. This will help the business plan, adapt and grow to stay competitive. It also will provide insight into how the business’ security measures stack up to the needs of the business currently and for the future.
An assessment by an external consultant can also examine whether the business is meeting compliance and regulatory requirements, which can be woven into the security strategy. This guidance not only helps to improve the overall security posture, but also saves costs in the long run.
“One of the biggest challenges we have in cybersecurity is an acute lack of market awareness about what cybersecurity jobs entail,” said Clar Rosso, CEO of (ISC)². “There are wide variations in the kinds of tasks entry-level and junior staff can expect. Hiring organizations and their cybersecurity leadership need to adopt more mature strategies for building teams.
“Many organizations still default to job descriptions that rely on cybersecurity ‘all stars’ who can do it all. The reality is that there are not enough of those individuals to go around, and the smart bet is to hire and invest in people with an ability to learn, who fit your culture and who can be a catalyst for robust, resilient teams for years to come.”
The year 2020 broke all records when it came to data lost in breaches and the sheer number of cyber-attacks on companies, governments, and individuals. In addition, the sophistication of threats increased from the application of emerging technologies such as machine learning, artificial intelligence, and 5G, and especially from greater tactical cooperation among hacker groups and state actors. The recent SolarWinds attack, among others, highlighted both the threat and the sophistication of those realities.
The following informational links are compiled from recent statistics pulled from a variety of articles and blogs. As we head deeper into 2021, it is worth exploring these statistics and their potential cybersecurity implications in our changing digital landscape.
To make the information more useable, I have broken down the cybersecurity statistics in several categories, including Top Resources for Cybersecurity Stats, The State of Cybersecurity Readiness, Types of Cyber-threats, The Economics of Cybersecurity, and Data at Risk.
There are many other categories of cybersecurity that do need a deeper dive, including perspectives on The Cloud, Internet of Things, Open Source, Deep Fakes, the lack of qualified Cyber workers, and stats on many other types of cyber-attacks. The resources below help cover those various categories.
Top Resources for Cybersecurity Stats:
If you are interested in seeing comprehensive and timely updates on cybersecurity statistics, I highly recommend you bookmark these aggregation sites:
Consumers seem somehow unable or unwilling to protect themselves. But our research reveals an interesting knock-on effect from this: consumers welcome organizations who take the security initiative, and actively move their business to them.
Good security is good for business
This situation is a huge opportunity for organizations to make security a differentiator. Our research reveals that consumers value companies they perceive as more secure, with 64% saying they would recommend a large organization that they think makes a big effort to keep their data secure. A business with clearly visible cybersecurity will reassure consumers and create confidence in its digital products and services, carving itself a competitive advantage.
Regular Naked Security readers will know we’re huge fans of Alan Turing OBE FRS.
He was chosen in 2019 to be the scientist featured on the next issue of the Bank of England’s biggest publicly available banknote, the bullseye, more properly Fifty Pounds Sterling.
(It’s called a bullseye because that’s the tiny, innermost circle on a dartboard, also known as double-25, that’s worth 2×25 = 50 points if you hit it.)
Turing beat out an impressive list of competitors, including STEM visionaries and pioneers such as Mary Anning (first to unravel the paleontological mysteries of what is now known as Dorset’s Jurassic Coast), Rosalind Franklin (who unlocked the structure of DNA before dying young and largely unrecognised), and the nineteenth-century computer hacking duo of Ada Lovelace and Charles Babbage.
The Universal Computing Machine
Turing was the groundbreaking computer scientist who first codified the concept of a “universal computing machine”, way back in 1936.
At that time, and indeed for many years afterwards, all computing devices then in existence could typically solve only one specific variant of one specific problem.
They would need rebuilding, not merely “reinstructing” or “reprogramming”, to take on other problems.
Turing showed, if you will pardon our sweeping simplification, that if you could build a computing device (what we now call a Turing machine) that could perform a certain specific but simple set of fundamental operations, then you could, in theory, program that device to do any sort of computation you wanted.
The device would remain the same; only the input to the device, which Turing called the “tape”, which started off with what we’d now call a “program” encoded onto it, would need to be changed.
So you could program the same device to be an adding machine, a subtracting machine, or a multiplying machine.
You could compute numerical sequences such as mathematical tables to any desired precision or length.
You could even, given enough time, enough space, enough tape and a suitably agreed system of encoding, produce all possible alphabetic sequences of any length…
…and therefore ultimately, like the proverbially infinite number of monkeys working at an infinite number of typewriters, reproduce the complete works of William Shakespeare.
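As an added illustration (not code from the Naked Security article), here is a minimal Turing-machine interpreter in Python. The interpreter never changes; only the transition table and the tape do. The same `run` function executes a binary-increment program and a unary-addition program, which is the "reprogram rather than rebuild" property the passage describes. The move symbols R/L/S, the state names and the blank symbol `_` are this example's own conventions, and the rule table lives in a Python dict rather than on the tape itself, a simplification of Turing's construction.

```python
"""A tiny Turing-machine interpreter, added as an illustration (not code
from the original article). The machine is fixed; only the rules and the
tape change, which is the point of Turing's 1936 construction."""
from typing import Dict, Tuple

# A rule maps (state, symbol read) -> (symbol to write, head move, next state).
Rules = Dict[Tuple[str, str], Tuple[str, str, str]]


def run(rules: Rules, tape: str, start: str = "q0", halt: str = "halt",
        blank: str = "_", max_steps: int = 10_000) -> str:
    """Execute `rules` on `tape` until the halt state is reached and return
    the tape with leading/trailing blanks trimmed. The tape is unbounded in
    both directions (a dict keyed by cell index). Raises if no rule applies
    (a stuck machine) or if the step budget is exhausted (a possible
    non-halting program, which no interpreter can detect in general)."""
    cells = dict(enumerate(tape))
    head, state = 0, start
    for _ in range(max_steps):
        if state == halt:
            lo, hi = min(cells), max(cells)
            return "".join(cells.get(i, blank) for i in range(lo, hi + 1)).strip(blank)
        sym = cells.get(head, blank)
        if (state, sym) not in rules:
            raise ValueError(f"no rule for state {state!r} reading {sym!r}")
        write, move, state = rules[(state, sym)]
        cells[head] = write
        head += {"R": 1, "L": -1, "S": 0}[move]
    raise RuntimeError("step budget exhausted")


# Program 1: binary increment. Walk right to the end of the number, then
# add one from the least significant bit, carrying leftwards over 1s.
INCREMENT: Rules = {
    ("q0", "0"): ("0", "R", "q0"),
    ("q0", "1"): ("1", "R", "q0"),
    ("q0", "_"): ("_", "L", "carry"),
    ("carry", "1"): ("0", "L", "carry"),
    ("carry", "0"): ("1", "S", "halt"),
    ("carry", "_"): ("1", "S", "halt"),   # ran off the left: new top bit
}

# Program 2: unary addition. "111+11" -> "11111": overwrite the '+' with a
# '1', walk to the end, then erase the final '1' to restore the count.
UNARY_ADD: Rules = {
    ("q0", "1"): ("1", "R", "q0"),
    ("q0", "+"): ("1", "R", "q1"),
    ("q1", "1"): ("1", "R", "q1"),
    ("q1", "_"): ("_", "L", "q2"),
    ("q2", "1"): ("_", "S", "halt"),
}


def increment_binary(bits: str) -> str:
    """Same machine, first program: e.g. '1011' -> '1100'."""
    return run(INCREMENT, bits)


def add_unary(a: int, b: int) -> int:
    """Same machine, second program: the tape encodes a+b in tally marks."""
    return len(run(UNARY_ADD, "1" * a + "+" + "1" * b))


if __name__ == "__main__":
    print(increment_binary("1011"), add_unary(3, 2))
```

Nothing in `run` knows about addition or incrementing: swap the rule table and the same interpreter computes something else, exactly as the passage says the device stays fixed while the tape (program plus data) changes. The `max_steps` budget is the practical concession to the halting problem, which Turing proved undecidable in the same 1936 paper.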
The Federal Communications Commission’s (FCC) Public Safety and Homeland Security Bureau on March 12 identified five Chinese companies it said posed a threat to U.S. national security. These companies are: Huawei Technologies Co., ZTE Corp., Hytera Communications Corp., Hangzhou Hikvision Digital Technology Co. and Dahua Technology Co.
The declaration, according to the FCC, is in accordance with the requirements of the Secure and Trusted Communications Networks Act of 2019, which requires the FCC to “publish and maintain a list of communications equipment and services that pose an unacceptable risk to national security or the security and safety of U.S. persons.”
In June 2020, the FCC designated both ZTE and Huawei as national security threats. “… [B]ased on the overwhelming weight of evidence, the Bureau has designated Huawei and ZTE as national security risks to America’s communications networks, and to our 5G future,” said then-FCC chairman Ajit Pai. Pai continued, “Both companies have close ties to the Chinese Communist Party and China’s military apparatus, and both companies are broadly subject to Chinese law obligating them to cooperate with the country’s intelligence services. The Bureau also took into account the findings and actions of congress, the executive branch, the intelligence community, our allies, and communications service providers in other countries. We cannot and will not allow the Chinese Communist Party to exploit network vulnerabilities and compromise our critical communications infrastructure. Today’s action will also protect the FCC’s Universal Service Fund (money that comes from fees paid by American consumers and businesses on their phone bills) from being used to underwrite these suppliers, which threaten our national security.”
ZTE’s petition for reconsideration in November 2020 was immediately rejected. Huawei also petitioned for reconsideration, and its appeal was rejected in December 2020, after a few weeks of deliberation.
Today’s world uses information for a wide variety of purposes: city officials time traffic signals with traffic-flow data, and accounting professionals use revenue and expenditure figures to calculate annual earnings. To protect that information, experts have established distinct but overlapping domains: information security, cybersecurity, and ethical hacking.
Organisations have had to overcome countless challenges during the pandemic, but one that has continued to cause headaches is IT security for home workers.
A remote workforce comes with myriad dangers, with employees relying on their home networks, and sometimes their own devices, without the assurance of a member of your IT team on hand if anything goes wrong.
But unlike many COVID-19 risks, these issues won’t go away when life eventually goes back to normal. Home working will remain prominent even when employees have the choice to return to the office, with a Gartner survey finding that 47% of organizations will give employees the choice of working remotely on a full-time basis.
Meanwhile, 82% said that employees would be able to work from home at least one day a week.
As such, organisations should reconsider if they’re under the assumption that the defences they’ve implemented to protect remote workers are temporary.
Robust, permanent defences are required to tackle the array of threats they face. We explain how you can get started, including our remote working security tips, in this blog.
Online work increases cyber security risks
Without the security protections that office systems afford us, such as firewalls and blacklisted IP addresses, and with an increased reliance on technology, we are far more vulnerable to cyber attacks.
The most obvious risk is that most of our tasks are conducted online. After all, if something’s on the Internet, then there’s always the possibility of a cyber criminal compromising it.
They might attempt to do this by cracking your password. This is easier than ever if you’re reusing login credentials across the various online apps you need to stay in touch with your team: a password leaked from one service can simply be tried against all the others.
Meanwhile, according to Cisco’s CISO Benchmark Report 2020, organisations are struggling to manage remote workers’ use of phones and other mobile devices: 52% of respondents said that mobile devices are now challenging to protect from cyber threats.
Alternatively, attackers could send phishing emails intended to trick you into either handing over your details or downloading a malicious attachment containing a keylogger.
The dangers of phishing should already be a top concern, but things are especially perilous during the coronavirus crisis.
Organisations should also be concerned about remote employees using their own devices.
This might have been unavoidable given how quickly the pandemic spiralled and the suddenness of the government’s decision to implement lockdown measures.
Still, where possible, all work should be done on a corporate laptop subject to remote access security controls. This should include, at the very least, 2FA (two-factor authentication), which will mitigate the risk of a crook gaining access to an employee’s account.
This ensures that the necessary tools are in place to defend against potential risks, such as anti-malware software and up-to-date applications.
It also gives your IT team oversight of the organisation’s IT infrastructure and allows it to monitor for malicious activity, such as malware and unauthorised logins.
Control the risk
Any organisation with employees working from home must create a remote working policy to manage the risks.
If you don’t know what this should contain, our Remote Working Policy Template provides everything you need to know.
It includes guidance on storing devices securely, creating and maintaining strong passwords, and an acceptable use policy for visiting websites that aren’t work-related.
Organisations should also explain the technical solutions they’ve implemented to protect sensitive data and how employees can comply. For example, we recommend applying two-factor authentication to any third-party service that you use.
Although it shouldn’t be a concern during the lockdown, your remote working policy should also address the risks that come with employees handling sensitive information in public places.
Security incidents are just as likely to occur even if there isn’t a malicious actor. Consider how often you hear about employees losing their laptop, USB stick or paperwork.
Coronavirus: your biggest challenge yet
Disruption caused by COVID-19 is inevitable, and you have enough to worry about without contending with things like cyber security and compliance issues.
Unfortunately, cyber criminals have sensed an opportunity amid the pandemic, launching a spate of attacks that exploit people’s fear and uncertainty.
Therefore, it’s more important than ever to make sure your organisation is capable of fending off attacks and preventing data breaches.
To help you meet these challenges, we’ve put together a series of packaged solutions. Meanwhile, most of our products and services are available remotely, so we don’t need to be on-site to carry out things like security testing.
One virus is enough to worry about. Take action now to protect your business. Implement cyber security measures that help you respond to cyber attacks.
When Rinki Sethi heard that her 7th grade daughter applied to take a technology innovation class as an elective, she was thrilled. Sethi, who joined Twitter in September as its chief information security officer, said one of her passions is getting more young women interested in technology.
But when her daughter found out that she didn’t get into the class, Sethi discovered a troubling statistic: 18 slots for the class went to boys, while only 9 were filled by girls. “I went and sat down with the principal and asked: ‘Why are we turning down girls if that’s what the ratio looks like?’” Sethi recounted Monday at a virtual panel centered around women in cybersecurity. “We need more women to enter this field, and I think that’s the biggest problem: how do we get more women and girls interested.”
After learning that only 9 out of 27 kids in a #STEM elective @KMSCupertino are girls, I met with the principal to discuss how we can make this ratio more equal. After my meeting, I am happy to announce the principal has agreed to balance this out. @CUSDK8 @CityofCupertino
However, Espinosa’s hard-earned experience is not limited to the boardroom. In his latest book, “The Smartest Person in the Room: The Root Cause and New Solution for Cybersecurity”, Espinosa shares his decades of experience in the fast-paced world of IT security. That experience can practically be felt dripping through the pages as the chapters outline the essential steps to overcome the biggest adversary in cybersecurity: not the cybercriminals, but the toxic culture that many cybersecurity professionals find themselves in. The book takes a holistic approach to self-betterment, discussing the importance of so-called “soft skills” in the world of cybersecurity.