InfoSec Recruiting – Is the Industry Creating its own Drought?

InfoSec Recruiting – Is the Industry Creating its own Drought?:

The InfoSec industry has a crippling skills shortage, or so we’re told. There’s a constant stream of articles, keynotes, research and initiatives all telling us of the difficulty companies have in finding new talent. I’ve been in the industry for over 30 years now and through my role as one of the directors of Security BSides London, I often help companies who are struggling to grow their teams. More recently, my own circumstances have led me to once again join the infosec candidate pool and go through the job hunt and interview process.

I have been in the position of hiring resources in the past and understand that it is not easy and takes time. But having sat through a few interviews of my own now, I am beginning to wonder if we have not brought this situation upon ourselves. Are the expectations of recruiters out of proportion?

Yes.

Are they expecting to uncover a hidden gem that ticks every single box?

Yes.

Is it really true that the infosec talent pool is running empty, or is it that the hiring process in the industry is creating its own drought?

Maybe?

Part of this situation may be coming from the way hiring managers are questioning candidates. There is no perfect questioning methodology, but today, focusing purely on technical questions cannot be a good solution because – LMGTFY – even fairly lazy candidates can study and prepare for any technical questions beforehand. It might seem obvious that a hiring manager needs to look at a wider scope, evaluating the candidate’s ability to learn, adapt, and demonstrate their analytic or creative capabilities, but this is the part that seems to be missed.

I’ve always taught and been taught that asking questions is a good thing because it demonstrates logical and analytical thinking and shows that you are trying to better understand the situation and audience and react with the most appropriate response. If a hiring manager simply pursues a vague line of questioning they’ll only ever be able to evaluate a candidate by taking a subjective decision. I’ve even heard reports that hiring managers have rejected a candidate on the basis that they felt the person would outshine them.

In people management, one of the rules that you learn is that you need to evaluate performance based on attainable and measurable indicators. I propose this needs to be the same for the hiring process so that the hiring manager can make a meaningful decision.

Ultimately, interviewing a candidate on the principles of discussion, exchange and analytic capabilities will help the hiring manager identify the right person. It’s important to assess whether the person has a good foundational skill set that allows them to analyse and understand the work that needs to be performed. A good candidate not only needs the technical competencies but also the softer skills that help them adapt, learn and acquire the broader capabilities needed to successfully integrate a team. Onboarding and probationary periods are there to allow a team to conduct a final check of the candidate’s technical and soft skills.

So what needs to change? I believe hiring managers need to ask themselves whether searching for that golden needle in the haystack is the most effective way to identify and recruit talent. By changing the perspective that the interview process should be more of a constructive discussion instead of vague and rigid Q&A, companies will get a better view of how that candidate might actually work on the ground. And by adapting questions to the level of experience in front of them, they are likely to see much more potential from every candidate that they engage with. Sure, the infosec talent pool might not be overflowing, but maybe our skills shortage isn’t quite as terrible as we might think.

(Via Liquidmatrix Security Digest)

A friend and former employee of mine has been in the job hunt. Recently we caught up over lunch. The stories he told of the interviews and the overall process gave me flashbacks in my own job hunt over five years ago.

Our industry likes to not learn easy lessons, and it fails to learn these lessons over and over again.

The approach I continue to advocate is to find the right fit for the position and team. And having some diversity in staff — in skills, abilities, and personalities as well as the traditional factors — makes for a stronger, more resilient team.

The story of Mary

The story of Mary:

Mary spent a lot of time on the phone speaking with her CEO, general counsel, CFO and other business leaders in her company and at those she was evaluating for purchase. “A good deal doesn’t get done on email” she was fond of telling her co-workers. And it was true. So as Mary was waiting on her delayed flight to board at Newark International Airport one day, she decided to squeeze in one more call to try and finalize the terms of a merger that was coming together between her company and a competitor.  What Mary didn’t consider, as she was singularly focused on that conversation, was that she wasn’t alone in her conversation. Sitting near her, and listening to every word she said, was a financial reporter from a well-known business website. He put two and two together pretty easily. The pending merger would not be a secret for long.

You can use your imagination to guess what happened next. Story of the pending merger, which Mary had finalized on the call that day, broke online within 24 hours. Investors and speculators climbed all over the stocks of both companies and the fallout drastically changed the financial dynamics, effectively killing the deal. In the end, Mary’s company calculated that the failed merger attempt cost them $12 million, not to mention the lost market opportunity and value that the merger would have created. No one was ever able to tie the leak directly to Mary, but since there were so few people involved in the negotiations there were assumptions made. Mary’s career stalled after that.

(Via CSO Online)

I’ve talked before about my role in defending against outsiders learning about potential Mergers & Acquisition targets of a former employer. So much around this is old-school physical security and OpSec. It is challenging but fun work – very cloak and dagger.

The article is a nice reminder that all of your security budget going toward shiny boxes and cool services doesn’t protect against this very real risk scenario.

Washington Needs a New Solarium Project To Counter Cyberthreats

Washington Needs a New Solarium Project To Counter Cyberthreats:

Sometimes the most significant legislative measures get the least attention at the time of passage. That may be the case with the Cyberspace Solarium Commission mentioned in the National Defense Authorization Act that was passed on June 18 by the U.S. Senate. Tucked into the bill crafted and sponsored by Sen. Ben Sasse (R-Neb.), the commission may not garner many headlines, but it could galvanize a strategic paradigm shift.

If the idea survives the House-Senate conference process and gets signed into law — and we very much hope it does — it could lead to the creation of the institutions, doctrines, resources, and strategy that the United States needs desperately in the realm of cybersecurity. As New York Times national security correspondent David Sanger argued in a recent essay, the United States is woefully unprepared for the age of cyberconflict.

… If properly led and implemented, the Sasse proposal for a Cybersecurity Solarium Commission could make a similarly timely and consequential contribution to national security. The NDAA provision self-consciously draws inspiration from President Dwight D. Eisenhower’s iconic Project Solarium exercise in 1953.

… Today, it seems like everyone is using cyberweapons, but not enough policymakers are thinking about them.

To be sure, there is a fair degree of strategic analysis and thinking in academia, in think tanks, and in the relevant Cabinet departments and agencies. But this thinking has not accumulated into definable strategies that have buy-in from the White House or that have aligned roles and responsibilities across department and agency lines.

… Neither the Obama nor the Trump administration has gone so far down the decision path, and so this commission may prove to be an enabling and action-forcing exercise, as Congress reasserts its Article 1 constitutional responsibility to “provide for the common defense.”

The United States cannot afford to wait. It is already clear that U.S. adversaries are willing to stage attacks in the cyber domain and believe they can do so with impunity: Witness Russia’s successful deterrence of the Obama administration from retaliating in 2016.

Advanced cyber capabilities and a willingness to run risks to use them are the common features of every major national security challenge facing the United States today, whether it is Iran, North Korea, Russia, or China. As a result, cyberthreats cast a long shadow over the full range of national security and foreign-policy issues, including trade, regional conflict, terrorism, and new great power rivalries.

Americans struggled to understand the nuclear threat from the Soviet Union. In an effort to overcome bureaucratic stovepipes and to catalyze fresh thinking, Eisenhower convened the Solarium exercise to help him assess and respond to an unprecedented national security challenge. With this new provision in the Senate version of the fiscal 2019 NDAA, Sasse has given the U.S. government the opportunity to make a similar landmark assessment and response.

(Via Foreign Policy)

Peter Feaver’s and Will Inboden’s article is an eye opener for me. I totally missed this somehow when I was learning about the NDAA. Based on recent actions in the Executive Branch of the US government, this looks like reasonable and better-late-than-never action by the Legislature. That is assuming it makes it into the final NDAA language, of course.

Read the whole article for the historical parallels and context.

What do you think?

Holes punched in hull of maritime security

Crappy IoT on the high seas: Holes punched in hull of maritime security:

Years-old security issues mostly stamped out in enterprise technology remain in maritime environments, leaving ships vulnerable to hacking, tracking and worse.

A demo at the Infosecurity Europe conference in London by Ken Munro and Iian Lewis of Pen Test Partners (PTP) demonstrated multiple methods to interrupt the shipping industry. Weak default passwords, failure to apply software updates and a lack of encryption enable a variety of attacks.

(Via The Register – Security)

Vulnerable ship systems: Many left exposed to hacking:

“Ship security is in its infancy – most of these types of issues were fixed years ago in mainstream IT systems,” Pen Test Partners’ Ken Munro says, and points out that the advent of always-on satellite connections has exposed shipping to hacking attacks.

(Via Help Net Security)

Maritime navigation hack has potential to wreak havoc in English channel:

As reported by the BBC, security researcher Ken Munro from Pen Test Partners has discovered that a ship navigation system called the Electronic Chart Display (Ecdis) can be compromised, potentially to disastrous effect.

Ecdis is a system commonly used in the shipping industry by crews to pinpoint their locations through GPS, to set directions, and as a replacement to pen-and-paper charts.

The system is also touted as a means to reduce the workload on navigators by automatically dealing with route planning, monitoring, and location updates.

However, Munro suggests that a vulnerability in the Ecdis navigation system could cause utter chaos in the English channel should threat actors choose to exploit it.

The vulnerability, when exploited, allows attackers to reconfigure the software to shift the recorded location of a ship’s GPS receiver by up to 300 meters.

(Via Latest Topic for ZDNet in security)

I’ve been talking with companies in this space about these types of issues. While Munro’s research is telling, this is not shocking.

It does very nicely illustrate the real value of good penetration testing: challenging assumptions, taking nothing for granted, and divorcing motive from threat.

For example, the 300 meter location discrepancy could have nothing to do with the shipping company or the ship itself. It could be used by a crypto mining concern looking to delay the arrival of new GPUs for a rival firm. This type of attack could be part of a larger series of attacks, subtle enough that further investigation would be unlikely (as opposed to the English Channel scenario in the ZDNet article), and could reap substantial benefits for the crypto mining concern.

I believe it to be a war of pretexts, a war in which the true motive is not distinctly avowed, but in which pretenses, after-thoughts, evasions and other methods are employed to put a case before the community which is not the true case.

Daniel Webster: Speech in Springfield, Mass., Sept. 29, 1847

An Example of Deterrence in Cyberspace

An Example of Deterrence in Cyberspace:

In 2016, the US was successfully deterred from attacking Russia in cyberspace because of fears of Russian capabilities against the US.

I have two citations for this. The first is from the book Russian Roulette: The Inside Story of Putin’s War on America and the Election of Donald Trump, by Michael Isikoff and David Corn. Here’s the quote:

The principals did discuss cyber responses. The prospect of hitting back with cyber caused trepidation within the deputies and principals meetings. The United States was telling Russia this sort of meddling was unacceptable. If Washington engaged in the same type of covert combat, some of the principals believed, Washington’s demand would mean nothing, and there could be an escalation in cyber warfare. There were concerns that the United States would have more to lose in all-out cyberwar.

“If we got into a tit-for-tat on cyber with the Russians, it would not be to our advantage,” a participant later remarked. “They could do more to damage us in a cyber war or have a greater impact.” In one of the meetings, Clapper said he was worried that Russia might respond with cyberattacks against America’s critical infrastructure — and possibly shut down the electrical grid.

The second is from the book The World as It Is, by President Obama’s deputy national security advisor Ben Rhodes. Here’s the New York Times writing about the book.

Mr. Rhodes writes he did not learn about the F.B.I. investigation until after leaving office, and then from the news media. Mr. Obama did not impose sanctions on Russia in retaliation for the meddling before the election because he believed it might prompt Moscow into hacking into Election Day vote tabulations. Mr. Obama did impose sanctions after the election but Mr. Rhodes’s suggestion that the targets include President Vladimir V. Putin was rebuffed on the theory that such a move would go too far.

When people try to claim that there’s no such thing as deterrence in cyberspace, this serves as a counterexample.

(Via Schneier on Security)

Well said and cited.

Is Your SOC Flying Blind?, (Sun, Jun 3rd)

Is Your SOC Flying Blind?, (Sun, Jun 3rd):

After you have finished impressing your VIPs, what actionable information should be displayed in your SOC to help them respond to threats in your environment?

Consider spending time this week ensuring your SOC wall is populated with meaningful screens that add value to your SOC by asking these questions.

  • Which security controls are not sending data to your SOC?
  • Would your SOC know when your most critical systems stopped sending their logs?
  • What is the baseline of traffic volume in and out of your sensitive network zones?
  • What is the health status of your security agents?

Share what you find valuable on your SOC wall!

(Via SANS Internet Storm Center, InfoCON: green)

Typical mistakes of SOCs: forgetting the audience, not accommodating multiple audiences, and not providing content tailored to each audience. Metrics, analytics, dashboards, and reporting are every bit as important as any other SOC function.
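The second and first questions on the ISC list (would the SOC notice when a critical system or a security control stops sending logs?) are the easiest to automate and the most often skipped. The following is an added example, not code from the ISC diary or this blog: it takes the list of log sources a SOC expects to hear from, each with its tolerated silence, parses a constructed syslog-style feed, and reports sources that never reported or have gone stale. The source names, gaps and log lines are all hypothetical.

```python
"""Detect security log sources that have gone quiet.

Added example (not from the SANS ISC diary or the blog author): given the
list of log sources a SOC expects to hear from and a stream of syslog-style
lines, report which sources never reported at all and which have been silent
for longer than their allowed gap. Source names and log lines are constructed.
"""
from datetime import datetime, timedelta
import re

# Expected sources: name -> maximum tolerated silence. Hypothetical names;
# a real SOC would generate this table from its asset inventory.
EXPECTED_SOURCES = {
    "fw-edge-01": timedelta(minutes=5),      # perimeter firewall, chatty
    "dc-01": timedelta(minutes=15),          # domain controller
    "edr-mgmt": timedelta(minutes=30),       # EDR management console
    "ids-dmz": timedelta(minutes=10),        # DMZ network sensor
    "db-payments": timedelta(minutes=60),    # critical database host
}

# Constructed sample feed. Format: "<ISO timestamp> <source> <message>".
SAMPLE_LOG = """\
2018-06-03T12:00:05 fw-edge-01 ACCEPT tcp 10.0.1.5:51234 -> 203.0.113.9:443
2018-06-03T12:00:09 dc-01 4624 logon succeeded for user alice
2018-06-03T12:01:12 ids-dmz alert: signature 2019401 from 198.51.100.7
2018-06-03T12:02:30 fw-edge-01 DROP udp 10.0.2.8:137 -> 10.0.0.255:137
this line is garbage and must not break the check
2018-06-03T12:05:41 edr-mgmt agent check-in 142/150 hosts healthy
2018-06-03T12:28:00 fw-edge-01 ACCEPT tcp 10.0.1.9:50122 -> 203.0.113.22:443
2018-06-03T12:29:50 dc-01 4634 logoff for user alice
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def last_seen_per_source(log_text):
    """Return {source: latest timestamp} parsed from the feed.

    Malformed lines are skipped rather than crashing the check: a feed full
    of garbage should surface as 'nothing seen' for the affected sources.
    """
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue                      # first token was not a timestamp
        src = m.group(2)
        if src not in seen or ts > seen[src]:
            seen[src] = ts
    return seen


def silent_sources(log_text, expected, now):
    """Classify expected sources as 'missing' (never seen) or 'stale'.

    'stale' maps source -> whole minutes since its last event, only for
    sources whose silence as of `now` exceeds their tolerated gap.
    """
    seen = last_seen_per_source(log_text)
    missing = sorted(src for src in expected if src not in seen)
    stale = {}
    for src, max_gap in expected.items():
        if src in seen and now - seen[src] > max_gap:
            stale[src] = int((now - seen[src]).total_seconds() // 60)
    return {"missing": missing, "stale": stale}


def run_sample():
    """Evaluate the constructed feed as of 12:30 on the sample day."""
    return silent_sources(SAMPLE_LOG, EXPECTED_SOURCES,
                          datetime(2018, 6, 3, 12, 30, 0))


if __name__ == "__main__":
    print(run_sample())
```

Run on a schedule against the live feed, the `missing` and `stale` lists are exactly what belongs on the SOC wall next to the pretty traffic graphs.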

Cyber security: We need a better plan to deter hacker attacks says US

Cyber security: We need a better plan to deter hacker attacks says US:

The US needs to fundamentally rethink its strategies for stopping cyber attacks and should develop a tailored approach to deterring each of its key adversaries, according to a new government report.

The report published by the US State Department — like a recent paper on botnets — comes in response to an executive order signed by President Donald Trump last year, which called for a report “on the nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.”

The report said that while the US has become dependent upon sophisticated networked information systems, its rivals have been learning to exploit that dependence to “steal from Americans, disrupt their lives, and create insecurity domestically and instability internationally.”

The cyber threat posed by rival states — and by Russia, China, Iran and North Korea in particular — is often alluded to by intelligence agencies, but the US and its allies have struggled to find a way to deter these cyber intrusions.

The unclassified cyber-deterrence overview published by the State Department doesn’t mention particular countries, but said that strategies for deterring malicious cyber activities “require a fundamental rethinking”. The report said that the US has made efforts to promote a framework for “responsible state behaviour in cyberspace”, but noted that this has not stopped state-sponsored cyber incidents.

“The United States and its likeminded partners must be able to deter destabilizing state conduct in cyberspace,” the State Department warned.

Of course, the US has plenty of military muscle should it come to full-on cyberwarfare, but it’s much harder to tackle cyber attacks that don’t necessarily deserve an armed response — which make up the majority of attacks.

The report said the US should develop a broader menu of consequences that it can impose following a significant cyber incident. The US should also take steps to make it easier to prove who is behind cyber attacks, it said.

Another big problem is the poor state of cyber security. “Efforts to deter state and non-state actors alike are also hindered by the fact that, despite significant public and private investments in cybersecurity, finding and exploiting cyber vulnerabilities remains relatively easy,” the report said.

“Credibly demonstrating that the United States is capable of imposing significant costs on those who carry out such activities is indispensable to maintaining and strengthening deterrence,” the report added.

According to the State Department, the three key elements of cyber deterrence should include:

  • Creating a policy for when the United States will impose consequences: The policy should provide criteria for the types of malicious cyber activities that the US government will seek to deter. The outlines of this policy must be communicated publicly and privately in order for it to have a deterrent effect.
  • Developing a range of consequences: There should be “swift, costly, and transparent consequences” that the US can impose in response to attacks below the threshold of the use of force.
  • Building partnerships: Other states should work in partnership with the US through intelligence sharing or supporting claims of attribution.

(Via Latest Topic for ZDNet in security)

Curious what your take is on this, Dear Friends.

I’m not sure how the State Department, the U.S. government’s diplomats, think that this kind of response is workable diplomatically. Maybe it is in the report, which I have yet to read. But who needs context to respond?

All Women on Deck at RESET Cyber Conference

All Women on Deck at RESET Cyber Conference

With more than 15 female experts in cybersecurity scheduled to speak on the evolving cyber threat landscape, RESET, hosted by BAE Systems, claims to be challenging the status quo with its all-female speaker lineup.

Scheduled for 14 June at the Kennedy Lecture Theatre, University College London (UCL), the conference is open to all security professionals and will “provide in-depth knowledge of destructive cyber-attacks and criminal operations, threat hunting and strategy, and human centric security. In panel discussions, we consider public and private roles in defending cyber space and the risks of securing the un-securable as new technologies emerge.”

What is unique about this event is the speaker lineup. BAE Systems threat intelligence analysts Kirsten Ward and Saher Naumaan have launched the event not only to bring professionals together to engage in a discussion about the evolving threat landscape, but also in part to showcase the impressive women who are often not invited to speak at industry conferences.

Click through to get all the details.

A Feynman-ian Approach to InfoSec solutions

I enjoyed and learned from 100 Years of Feynman, which starts from his eponymous formula and evolves into these tips for solving physics problems:

  1. Read the question! Some students give solutions to problems other than that which is posed. Make sure you read the question carefully. A good habit to get into is first to translate everything given in the question into mathematical form and define any variables you need right at the outset. Also drawing a diagram helps a lot in visualizing the situation, especially helping to elucidate any relevant symmetries.
  2. Remember to explain your reasoning when doing a mathematical solution. Sometimes it is very difficult to understand what students are trying to do from the maths alone, which makes it difficult to give partial credit if they are trying to the right thing but just make, e.g., a sign error.
  3. Finish your solution appropriately by stating the answer clearly (and, where relevant, in correct units). Do not let your solution fizzle out – make sure the marker knows you have reached the end and that you have done what was requested. In other words, finish with a flourish!

(Via In The Dark)

For InfoSec we can extrapolate three similar tips for engaging with clients, whether internal or external:

  1. Read the RFP/RFI! Listen to the customer! Write down, in your own simple words, your understanding of the client’s request. Communicate it back to them to make sure the understanding is as complete as possible.
  2. When delivering the response/proposal/etc. make sure you “connect the dots” between the client’s request and your solution. Make sure you account for and document assumptions. Explain why the proposal is the way it is.
  3. Finish your response appropriately by stating the answer clearly. Do not let your solution fizzle out – make sure the client knows you have reached the end and that you have done what was requested. In other words, finish with a flourish!

Item 1 reminds me of a recent near miss at work. A potential client reached out about an RFP. They were looking for a security solution with a specific scope and desired outcome. We had a meeting with the client about their goals and objectives. They were clear and precise.

Skip ahead less than one week and suddenly a few leaders in my organization decided to make our RFP response something completely different. My vocal dissents were vetoed. The proposal proceeded with this alternate option. It was as if the client came to our restaurant to eat dinner and we decided to sell them recipe books instead.

Worse, there was nothing in this new approach that was truly new – every piece was obviously recycled generic sales material.

The client was not amused. When we met again the client shut down all extraneous-to-their-request discussions and materials. Since some of the team had not abandoned answering the RFP directly, we were able to pivot and still make a strong proposal.

Another recent proposal I worked on illustrates doing all three items well. The client clearly stated their goals in conversation but their RFP was mostly untethered to the goals, almost as if two different teams drafted each independently. Subsequent client conversations gave us what we needed to form a more complete understanding of the business needs.

The proposal was large compared to the RFP, but the space was needed to completely connect the dots between the client’s broad & disconnected needs and how we would deliver them for the desired business outcome. The response included all of the Who-What-Where-When-Why-How structures to clearly communicate our solution.

There is no shortage of experts in this field. By and large we all think we are one, so we rush to solution without always listening and understanding. Taking a page out of Richard Feynman’s approach to solving physics problems can help address such failings.

Duct Tape & Baling Wire -vs- DRM

Appliance Companies Are Lobbying to Protect Their DRM-Fueled Repair Monopolies

The bill (HB 4747) would require electronics manufacturers to sell replacement parts and tools, to allow independent repair professionals and consumers to bypass software locks that are strictly put in place to prevent “unauthorized” repair, and would require manufacturers to make available the same repair diagnostic tools and diagrams to the general public that it makes available to authorized repair professionals. Similar legislation has been proposed in 17 other states, though Illinois has advanced it the furthest so far.

Companies such as Apple and John Deere have fought vehemently against such legislation in several states, but the letters, sent to bill sponsor David Harris and six other lawmakers and obtained by Motherboard, show that other companies are fighting against right to repair as well.

(Via Motherboard)

The right to repair used to be assumed. I remember working on my grandfather’s car with my Dad. I remember changing oil and tires and brakes and head units and shocks and mufflers, etc. for that and other cars. And I wasn’t (and still am not) a car guy.

I built and fixed computers when replaceable parts were the norm.

My Dad, members of my family, and people with whom I went to university worked on farms and ranches and regularly repaired the heavy equipment. These were the real instances of duct tape and baling wire.

How about the early telephone system, which sometimes ran over barbed wire stretched along fences in rural communities?

We’re not in the early telephone days. We’re in a world where companies can prevent their customers from having agency over products they purchase. Companies can put their customers at risk and not allow the very same customers to protect themselves or even be able to figure out if they’re at risk in the first place.
