{"id":25099,"date":"2022-07-08T15:10:36","date_gmt":"2022-07-08T19:10:36","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=491878"},"modified":"2022-07-18T11:03:04","modified_gmt":"2022-07-18T15:03:04","slug":"cyber-security-today-week-in-review-for-friday-july-8-2022","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-week-in-review-for-friday-july-8-2022\/","title":{"rendered":"Cyber Security Today, Week In Review For Friday July 8, 2022"},"content":{"rendered":"<p data-ar-index=\"0\">Welcome to Cyber Security Today. From Toronto, this is the Week in Review edition for the week ending Friday July 8th, 2022. I\u2019m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.<\/p>\n<p data-ar-index=\"3\">In a few minutes I\u2019ll be joined by Terry Cutler, head of Montreal\u2019s Cyology Labs. But first a look back at some of the bigger news that happened in the past seven days:<\/p>\n<p data-ar-index=\"4\">A report from a big insurance broker says the rate of increase in cyber insurance costs is slowing. Terry and I will look at that. We\u2019ll also examine a report that small and medium-sized businesses are still slow to adopt multifactor authentication. And we\u2019ll discuss whether people who want to start a career in cybersecurity should get a university degree or IT certifications \u2014 or both.<\/p>\n<p data-ar-index=\"5\">Someone <a href=\"https:\/\/www.itworldcanada.com\/article\/no-confirmation-yet-on-claim-that-data-on-1-billion-chinese-are-in-stolen-police-databases\/491761\" rel=\"noopener\">is selling what they say is stolen data on 1 billion Chinese residents<\/a> held by the Shanghai police department. If true, that would be data on almost everyone in the country. No one has yet verified the volume of the claimed stolen data. As of the recording of this podcast Shanghai police hadn\u2019t commented.<\/p>\n<p data-ar-index=\"6\">A Marriott hotel staffer in Baltimore was tricked last month into giving a threat actor access to their computer. The attacker then copied personal and corporate data on that machine. 
That\u2019s what the international hotel chain <a href=\"https:\/\/www.databreaches.net\/exclusive-marriott-hacked-again-yes-heres-what-we-know\/\" rel=\"noopener\">told DataBreaches.net this week<\/a>. The news service quotes Marriott as saying there\u2019s no evidence the attacker got into any other computer. Marriott said it will be notifying more than 300 people about the theft of their information.<\/p>\n<p data-ar-index=\"7\">More malicious JavaScript code has been found in downloadable packages on the open-source NPM repository, <a href=\"https:\/\/blog.reversinglabs.com\/blog\/iconburst-npm-software-supply-chain-attack-grabs-data-from-apps-websites\" rel=\"noopener\">say researchers at ReversingLabs.<\/a> As is common, the packages impersonate the names of legitimate modules. But when included in software they lead to the copying and exfiltration of sensitive data.<\/p>\n<p data-ar-index=\"8\">Security teams used to looking for signs of the Cobalt Strike beacon in their IT environment as evidence of compromise have another indicator to look for. <a href=\"https:\/\/www.itworldcanada.com\/article\/attackers-abusing-another-threat-simulation-tool-report-warns\/491680\" rel=\"noopener\">It\u2019s called Brute Ratel<\/a>. Like Cobalt Strike, Brute Ratel is a tool used by penetration testers. But Palo Alto Networks warns that threat actors are copying it to help further their cyber attacks.<\/p>\n<p data-ar-index=\"9\">Finally, <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-187a\" rel=\"noopener\">American cyber agencies are warning<\/a> that North Korean-sponsored hackers are using the Maui strain of ransomware to go after hospitals and research institutions in the healthcare sector.<\/p>\n<p data-ar-index=\"10\"><i>(The following transcript has been edited for clarity. 
To hear the full discussion, play the podcast.)<\/i><\/p>\n<p data-ar-index=\"11\"><strong>Howard:<\/strong> I want to start with an issue that wasn\u2019t in the headlines this week but is on the minds of cybersecurity leaders, and that\u2019s the shortage of IT staff with cybersecurity skills to fill the needs of organizations.<\/p>\n<p data-ar-index=\"12\">I thought of this because on Tuesday I came across a Twitter thread started by cybersecurity podcaster Jack Rhysider, who recalled that he graduated with a computer science degree from a major university but couldn\u2019t find a job in the field for 10 years. It was only after he earned a certification for a network product from a particular manufacturer that he got a job and his career took off.<\/p>\n<p data-ar-index=\"13\">Which raises the question: If I want to start a career in cybersecurity, where should I begin? Is a university or college IT or cybersecurity degree enough? Should I also get a certification from Cisco\/Microsoft\/CompTIA or another source?<\/p>\n<p class=\"western\" data-ar-index=\"14\"><strong>Terry Cutler:<\/strong> Here\u2019s my personal experience: A year or two ago I hired an intern. They were doing a three-year program in cybersecurity. But they didn\u2019t have the proper skill set to even be employable on day one. And it was very frustrating because when I dug deeper [I found out] they learned from PowerPoint slides for almost three years. How is this possible? They had never even installed Windows 10 or Kali [Linux]. Then we found out things like the teacher is just one chapter ahead of the students. They\u2019re not even in the field. When universities reach out to senior cyber security guys \u2014 and I\u2019ve had the privilege of being one of them \u2014 a lot of times they don\u2019t have the time to teach because it\u2019s just too time-consuming. That\u2019s exactly why we teach online, because we can update the curriculum whenever we want. 
Here\u2019s the other challenge: People say they want to go into cyber security, but cyber security is an umbrella term. It\u2019s so huge. Do you want to become a pen tester, an incident responder, a reverse malware engineer, a security architect or a product designer? One of the questions that I often get is, where do I even start?<\/p>\n<p class=\"western\" data-ar-index=\"15\">Here\u2019s another thing: If you are not passionate about computers and cybersecurity, this field will destroy you. You will burn out if you\u2019re just in it for the money.<\/p>\n<p class=\"western\" data-ar-index=\"16\">If you want to transition from regular IT and want to come into cyber security, look for courses like the <a href=\"https:\/\/www.comptia.org\/certifications\/a\" rel=\"noopener\">CompTIA A+<\/a>, <a href=\"https:\/\/www.comptia.org\/certifications\/network\" rel=\"noopener\">CompTIA Network+<\/a> and the <a href=\"https:\/\/www.isc2.org\/Certifications\/CISSP\" rel=\"noopener\">ISC2 CISSP<\/a> program. Those will get you well-rounded. From there you can decide what [or if] you want to specialize in. And if you\u2019re a junior, or if you\u2019re not even in this field yet, definitely apply for internships [while studying]. Your goal here is to try to prove your worth.<\/p>\n<p class=\"western\" data-ar-index=\"17\">One problem is that students are promised hundred-thousand-dollar salaries when they come out of school, which is not true \u2026 The demand is there, but you need to prove yourself.<\/p>\n<p class=\"western\" data-ar-index=\"18\"><strong>Howard:<\/strong> I imagine it\u2019s really hard for an IT leader who wants to hire \u2014 or is being forced to hire \u2014 a beginner to work solely or mainly on cyber security. I suspect everyone wants a staffer with at least five years of experience, and perhaps justifiably so because this is cybersecurity. Sometimes the fate of the company is on your shoulders. 
Are those doing the hiring for younger staff too demanding? Or let me put it in a different way: Is there a difference between an entry-level job in IT and an entry-level job in cyber security?<\/p>\n<p class=\"western\" data-ar-index=\"19\"><strong>Terry:<\/strong> I\u2019ve seen postings looking for the unicorn cyber security expert, and it just makes no sense at all. Going back to the students being promised $100,000 when they come out of school, that number is far from the amount they\u2019ll get. And that\u2019s why they need to follow senior cyber security experts online, take their free courses, and watch their YouTube videos. Because in our videos we share real-life experiences. So if you\u2019re able to assimilate that information you\u2019ll be able to help protect the company you work for right now. The other thing is students should volunteer their time to earn an employer\u2019s trust. It\u2019s really great for folks like us. As an employer, we get solicited all the time and what makes you better than the next guy is gonna be drive and passion. And if you\u2019re able to understand [device and application] auditing and all that kind of stuff then you have a leg up on the other guy. I get a lot of backlash online from students who say they\u2019re never working for free: \u2018Pay me the big bucks because cyber security is in demand.\u2019 But if you\u2019ve got no experience, you\u2019ve got to prove yourself. So I think sharing your knowledge and applying at places where you can show your value is really going to help.<\/p>\n<p class=\"western\" data-ar-index=\"20\"><strong>Howard:<\/strong> How did you start in IT, and what got you into cybersecurity?<\/p>\n<p class=\"western\" data-ar-index=\"21\"><strong>Terry:<\/strong> I had a different track. When I graduated from high school I tried to take some college programming courses and hated it. 
It got to a point where I knew more than a teacher because I\u2019d been passionate about computers since the age of 10. So I dropped out and started going into specialized courses. At the time I wanted to specialize in Novell technology \u2014 NetWare and all these things. So I took courses on Novell networks and seven or eight years later I actually worked for Novell as a support engineer. But in 2005 or 2004 I started getting inspired by watching television shows like CSI and Jack Bauer [in <em>24<\/em>], and I wondered, \u2018How does Chloe O\u2019Brian break all those IT systems so fast?\u2019 And that\u2019s when I found a course called the Certified Ethical Hacker, where they teach you the same techniques that the bad guys use to break in \u2014 except using these skills for good. I was able to convince my boss to send me to Washington to take this course, where I had the privilege of training with the FBI, the NSA and the Navy SEALs who were students in my class. And from there I saw the opportunity to share my knowledge with the world. Companies need to know how they\u2019re being hacked into, and individuals need to know how to protect themselves online. Pushing out a lot of content, doing a lot of volunteer work, not charging for things, getting testimonials and building up a personal brand is how I\u2019ve been making influential lists around the world.<\/p>\n<p class=\"western\" data-ar-index=\"22\"><strong>Howard:<\/strong> It\u2019s certainly different than when you and I were in high school. Today throughout Canada and the U.S. 
there are a number of high schools where you can take IT courses. They include a cyber security component, or after school there\u2019s cyber security training that you can take. Governments in both countries support the <a href=\"https:\/\/www.itworldcanada.com\/article\/toronto-high-school-team-wins-2022-cybertitan-cybersecurity-competition\/484871\" rel=\"noopener\">CyberTitan<\/a> [in Canada] and CyberPatriot [in the U.S.] high school competitions, so it\u2019s easier for a high school student to gain some IT and cyber security knowledge before they go into college.<\/p>\n<p class=\"western\" data-ar-index=\"23\"><strong>Terry:<\/strong> The more you know [the better]. What\u2019s interesting, though, is that because I don\u2019t have a bachelor\u2019s degree in IT or whatever, for some employers I can\u2019t be hired [full time] \u2014 but I can work as a senior consultant. It\u2019s crazy.<\/p>\n<p class=\"western\" data-ar-index=\"24\"><strong>Howard:<\/strong> When you talk to your colleagues about hiring young talent, what do they say?<\/p>\n<p class=\"western\" data-ar-index=\"25\"><strong>Terry:<\/strong> They think it\u2019s extremely difficult. There are a couple of factors. Obviously the students lack skills. They expect very high pay. But the biggest challenge is [employers know] that there\u2019s absolutely no loyalty, which means the moment you train them up they will jump to the next high-paying job.<\/p>\n<p class=\"western\" data-ar-index=\"26\"><strong>Howard:<\/strong> Hey, that\u2019s capitalism. Some experts say in addition to hoping for and wanting some people with IT experience you should look inside your organization for talent. For example, the IT support staff, marketing or communications staff. You can find people who have a number of skills, including communication skills, which are very important. 
And they\u2019re willing to learn \u2014 but the organization has to be willing to put up some resources for training.<\/p>\n<p class=\"western\" data-ar-index=\"27\"><strong>Terry:<\/strong> I totally agree with you. But what\u2019s going to happen is once they get trained they typically leave. And that\u2019s why I love to work with consultants, who most of the time run their own businesses. I can switch them up whenever I want, and if I want to can them I just don\u2019t have to call them back.<\/p>\n<p class=\"western\" data-ar-index=\"28\"><strong>Howard:<\/strong> Internal training may not cost as much as IT leaders think. Last month the ISC2, which runs the Certified Information Systems Security Professional certification, issued the results <a href=\"https:\/\/www.isc2.org\/News-and-Events\/Press-Room\/Posts\/2022\/06\/16\/ISC2-Research-Finds-Employer-Hiring-Practices-Must-Evolve-to-Overcome-the-Workforce-Gap\" rel=\"noopener\">of a survey of members<\/a>. Forty-two per cent said that training an entry-level staffer to the point where they can handle assignments independently would cost less than US$1,000. That\u2019s not very much.<\/p>\n<p class=\"western\" data-ar-index=\"29\"><strong>Terry:<\/strong> There\u2019s a double-edged sword here. Okay, because you can go on training sites like Cybrary and Udacity and there are really decent courses for under $100. But a lot of these courses teach you how to pass an exam. So you can end up with a candidate that has like nine recent certifications but he\u2019s never run a vulnerability scan against a customer\u2019s network. That\u2019s why I love courses like Offensive Security, where a candidate is put in a simulator and they have to hack into a system within 24 hours in order to pass the exam. 
If you have certifications like that you\u2019re employable and usable on day one.<\/p>\n<p class=\"western\" data-ar-index=\"30\"><strong>Howard:<\/strong> But I think that part of the survey was trying to say it\u2019s not only a matter of paying for your employee to take a course but it\u2019s also the cost of internal training, to be beside someone and to initially help them get on their way. The point is the cost of that sort of training \u2014 the time that a manager may take with a young staffer \u2014 is not all that much.<\/p>\n<p class=\"western\" data-ar-index=\"31\"><strong>Terry:<\/strong> There\u2019s a hidden cost, too. Let\u2019s say this course is five days long. You still have to pay the employee\u2019s salary. So he\u2019s not available to work. He\u2019s in training all week. And a lot of courses happen outside of Canada. There are travel and lodging costs. It could be a $5,000 course at the end.<\/p>\n<p class=\"western\" data-ar-index=\"32\"><strong>Howard:<\/strong> This survey said that certifications are considered by IT pros the most effective method of talent development for entry- and junior-level practitioners. That was followed by in-house training, conferences, external training and mentoring.<\/p>\n<p class=\"western\" data-ar-index=\"33\"><strong>Terry:<\/strong> I believe it, and the reason is that the experts in the field are the ones building and updating the curriculum on a regular basis. That\u2019s the biggest difference between a certification course and a college or university degree.<\/p>\n<p class=\"western\" data-ar-index=\"34\">\u2026<\/p>\n<p class=\"western\" data-ar-index=\"35\"><strong>Howard:<\/strong> There\u2019s also the fact that those seeking entry-level jobs have to be able to sell themselves to a potential employer.<\/p>\n<p class=\"western\" data-ar-index=\"36\"><strong>Terry:<\/strong> This is why building a personal brand comes in very handy. 
You should be doing this because if you\u2019re able to master communication skills and share your knowledge of what you know in cybersecurity via YouTube or blogs or writing content it\u2019s going to really give you a leg up against the next candidate.<\/p>\n<p class=\"western\" data-ar-index=\"37\"><strong>Howard:<\/strong> Let\u2019s talk now about cyber insurance. The cost of coverage has gone up significantly in the past three years, but a report last week from a big insurance broker called Marsh thinks that maybe the rate of increase is slowing. What are you hearing from people you talk to?<\/p>\n<p class=\"western\" data-ar-index=\"38\"><strong>Terry:<\/strong> I\u2019m hearing similar, and that\u2019s because so many firms are failing to even qualify for the insurer\u2019s minimum threshold to protect themselves from a cyber attack. They don\u2019t even have the basics in place.<\/p>\n<p class=\"western\" data-ar-index=\"39\"><strong>Howard:<\/strong> But it certainly makes sense for insurance companies to be demanding. You want to get cyber insurance. The insurance company wants to lower the odds that it has to pay out claims. So it\u2019s going to be demanding proof that your firm is doing the right things to lower risk.<\/p>\n<p class=\"western\" data-ar-index=\"40\"><strong>Terry:<\/strong> Absolutely. There are a couple of things that they\u2019re looking for right away. They want to know if you\u2019ve got antivirus in place, data loss protection technology, DNS filtering, endpoint protection, email security, a firewall, intrusion detection technology in place, event logging, and an incident response plan. For just those pieces alone you\u2019re looking at several full-time employees working in cybersecurity. 
Otherwise you need automation technologies in place that can help detect things.<\/p>\n<p class=\"western\" data-ar-index=\"41\"><strong>Howard:<\/strong> And one of the biggest things cyber insurance companies want to know is if you have multifactor authentication, because it\u2019s been proven that good multifactor authentication is a great way to lower the odds of you being successfully attacked. I raise this because there was a report out this week by the Cyber Readiness Institute, which did a survey of the adoption of multifactor authentication among small and medium businesses. They found that only 46 per cent of small businesses around the world that they surveyed have implemented multifactor authentication. And of them, only 13 per cent require multifactor authentication for employees for most account or application access. What\u2019s going on here?<\/p>\n<p class=\"western\" data-ar-index=\"42\"><strong>Terry:<\/strong> What I\u2019m hearing from customers is that it\u2019s just too complex to set up. Having this multifactor authentication hinders their workload. They don\u2019t want to log in every couple of minutes or every couple of hours. So a lot of times employees find ways to try and bypass it. The other issue I\u2019m seeing is they don\u2019t have enough help desk staff to handle the number of calls they\u2019re getting from users having problems.<\/p>\n<p class=\"western\" data-ar-index=\"43\"><strong>Howard:<\/strong> But with multifactor authentication you shouldn\u2019t have to log in [with an extra step] every time. And if you\u2019re an ordinary user your browser is going to store the [multifactor] credentials. I can understand where things are stricter for IT departments where the type of multifactor authentication used may be with a YubiKey or an RSA key and you\u2019ve got to have it plugged in. Employees who have broad access across the enterprise may have to log in more than others. 
But generally speaking for most employees you shouldn\u2019t have to log in multiple times a day with MFA.<\/p>\n<p class=\"western\" data-ar-index=\"44\"><strong>Terry:<\/strong> But in some of the cases that we\u2019ve done, especially in healthcare, they change the token key frequently so they\u2019ve got to log in at least once a day with the two-step, especially if they\u2019re using a VPN. So that\u2019s where the challenge comes in. They don\u2019t understand that passwords are leaking on the dark web and there are more than 10 ways to bypass one-step verification. They don\u2019t realize the importance of multifactor authentication until it\u2019s too late.<\/p>\n<p class=\"western\" data-ar-index=\"45\"><strong>Howard:<\/strong> So what\u2019s it going to take to get small and medium-sized businesses to take multifactor authentication more seriously \u2014 other than the fact that they\u2019re going to get hit over the head if they want to get cyber insurance?<\/p>\n<p class=\"western\" data-ar-index=\"46\"><strong>Terry:<\/strong> There might be regulatory fines at some point [for not having MFA]. But understand there\u2019s no easy button for cyber security. We\u2019re trying to not make it complex. But there\u2019s no easy way. 
So it\u2019s a difficult balance between not hindering productivity of the employee and security.<\/p>\n<p data-ar-index=\"47\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-friday-july-8-2022\/491878\">Cyber Security Today, Week in Review for Friday July 8, 2022<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode features a discussion about what qualifications people need to start a career in cyb<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[389],"class_list":["post-25099","post","type-post","status-publish","format-standard","hentry","category-podcasts","category-security","tag-cyber-security-today"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/25099","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=25099"}],"version-history":[{"count":5,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/25099\/revisions"}],"predecessor-version":[{"id":25592,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/25099\/revisions\/25592"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=25099"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=25099"},{"taxonomy":"post_tag","embeddable
":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=25099"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}