Friday, July 15, 2016

Sizing the Cybersecurity Skills Gap: A white paper

Whether you're in charge of the security of your organization’s data and systems, or working in IT security, or looking for a career, it is hard to ignore headlines like this: “One Million Cybersecurity Job Openings in 2016.” The term “cybersecurity skills gap” is now being used as shorthand for the following assertion: there are not enough people with the skills required to meet the cybersecurity needs of organizations. (You will also see cyber skills gap as a short form of cybersecurity skills gap, but some people also use cyber skills gap for the broader lack of people with skills like coding, networking, etc., so I often use cybersecurity skills to avoid ambiguity.)

But is this gap real? Is the million missing people claim true? The security industry has a shaky record when it comes to numbers, something I talked about at Virus Bulletin last year in the context of cybercrime (see paper and video of session here). At this year's Virus Bulletin in Denver I will be presenting a paper about efforts to address the cybersecurity skills gap. I am also studying aspects of the problem for my MSc dissertation (see CISO Survey).

In the midst of all this work I accumulated some observations about the size of the cyber skills gap and wrote them up in my spare time, in the form of a paper titled Sizing the Cyber Skills Gap. I hope folks find this useful.

Monday, July 11, 2016

The Effective CISO Survey: A call for participation


Are you a CISO? Do you work for or with a CISO?

If you answered yes to any of those questions, please consider taking the 12 minute survey I am conducting for my MSc in Security and Risk Management at the University of Leicester in England. Your participation would be greatly appreciated and you can get an early copy of the resulting report. To get right to it, the survey starts here: http://cisosurvey.org.

SURVEY NOW CLOSED. PLEASE CHECK BACK IN OCTOBER
FOR A REPORT ON THE RESULTS
 
Why am I doing this? To find answers to this question: What do you need to be an effective Chief Information Security Officer? This is the subject of my dissertation, a piece of original research about 15,000 words in length, conducted in Leicester's Criminology Department, pictured below (it may look like Hogwarts, but it ranks among the world's top universities).

University of Leicester, Department of Criminology
(I kid you not, I took this myself on my first visit)
The question about what it takes be an effective CISO is not merely academic, it is also of immediate practical importance. Right now, under-staffed crews of information security folks are struggling to hold the line against criminal activity in cyberspace. And there are not enough people in the education and employment pipeline to fill all of the open defensive positions. 

This situation is referred to as the "cyber skills gap" and later this month I will be releasing a white paper in which I examine the claim that there are one million unfilled cybersecurity positions globally (there will be a link on this page). In the US alone the gap could be as big as 200,000. This situation, which has been building for some time, has caused many countries to begin pouring money into cybersecurity education and workforce training. However, some of these funds may be wasted because there has been very little research into what a cybersecurity career is like. What does success look like? What is job satisfaction like? What personality traits are a good fit for cyber roles, and so on. On the bright side, by studying these questions we may find ways to close the skills gap and make cyberspace a safer place (hmm, I wonder if optimism is an important trait).

I decided to devote my dissertation to one small part of this cyber research gap: what it takes to do the top job, to be the person who manages information security for the organization: the CISO. My research led me to create the Effective CISO survey, which is carried out through SurveyMonkey but accessed via a website I created at cisosurvey.org, all of which has passed the university's ethics review process.

If you want further verification, or have any questions about this project at all, please email my university email account, which is stcnn at student.le.ac.uk, where nn is a two-digit number, the one you get when you multiply four by itself. The address is also displayed beneath the university logo at the top of the page.

So, if this survey subject is of interest to you, and you would like to get an early look at my results, and you have about 12 minutes, please consider participating at cisosurvey.org.

THANK YOU!

Wednesday, June 15, 2016

20 years of CISSP, ELOFANTs and other cybersecurity acronyms

This article is about some things I don't know, and some other things that you might not know.

For example, I don't know who was the first person to pass the exam to become a Certified Information System Security Professional or CISSP (pronounced sisp). The CISSP website says the certification program was launched in 1994.

(That means if someone tells you they've been a CISSP for more than 25 years, and the current year is 2016, then they may be fibbing.)

I became a CISSP in May of 1996, something that I wrote about recently in an article on We Live Security: What the CISSP? 20 years as a Certified Information Systems Security Professional. The CISSP qualification has served me very well over the last 20 years, so I felt obliged to address some of the reasons some people criticize it, and did so in that article. Those criticisms notwithstanding, I would encourage anyone who meets the experience requirements for the CISSP to apply for, pass the test for, and then maintain CISSP certification (you need to earn continuing education credits every year to stay certified).

The place to start learning about CISSP is the website of the issuing body, the International Information Systems Security Certification Consortium. This non-profit organization is known as (ISC)2 which is pronounced “I-S-C-squared” because the name contains two each of those three letters, which is cute but sometimes a pain for typographers and search engines.

Another cybersecurity acronym that's been on my mind lately is CISO, as in Chief Information Security Officer, a title often used to designate the person most directly responsible for the organization's information system security. I am studying CISOs as part of my studies at the University of Leicester. I will soon be launching a survey on the subject (that I will link here when it goes online).

Of course, a lot of CISOs have certifications from (ISC)2, and that reminds me of something else I don't know, the answer to an interesting question, one that is not asked during the six hour CISSP exam: Is (ISC)2 an acronym?

Seriously, I don't know the answer, but speaking of acronyms and unknowns, I coined an acronym for an unknown a few weeks ago: ELOFANT. Those letters stand for Employee Left Or Fired, Access Not Terminated. (Those letters also account for the image at the top of the article.) I wrote about ELOFANTs here.

The point of coining this acronym was to draw attention to the fact that one of the biggest risks to company networks and data is people who have departed the organization but still have access to some or all of its data: ELOFANTs. Here are a few data points to back that up:
ELOFANTs are not a new problem, but these days they may be a bigger problem than in the past thanks to the proliferation of apps that companies use, particularly cloud-based sharing and collaboration apps, credentials for which might not be centrally tracked like corporate network access usually is. So let me leave you with a couple of questions to which your organization's CISOs should know the answer: how do you determine what access to the organization's data a departing employee has, and how do you revoke it?
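One way to start answering those two questions, as an added example that is not from the original post: pull each application's active-user export and reconcile it against the HR roster, flagging active accounts that belong to people who have already left, and active accounts that map to nobody in HR at all. The roster, the app exports and every name in them are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed HR roster: email -> departure date (None = still employed).
# Hypothetical data, not from the original post.
HR_ROSTER: Dict[str, Optional[date]] = {
    "alice@example.com": None,
    "bob@example.com": date(2016, 5, 31),
    "carol@example.com": date(2016, 6, 30),
}

# Constructed per-application user exports, as an admin console would list
# them. These apps are not centrally tracked, so each one is pulled separately.
APP_ACCOUNTS: Dict[str, List[Dict[str, str]]] = {
    "vpn":         [{"user": "alice@example.com", "status": "active"},
                    {"user": "bob@example.com",   "status": "disabled"}],
    "file-share":  [{"user": "Alice@Example.com", "status": "active"},
                    {"user": "bob@example.com",   "status": "active"},
                    {"user": "carol@example.com", "status": "active"}],
    "git-hosting": [{"user": "carol@example.com", "status": "active"},
                    {"user": "dave@example.com",  "status": "active"}],
}

@dataclass(frozen=True)
class Finding:
    app: str
    user: str
    kind: str        # "elofant" or "unknown_user"
    days_open: int   # days since departure (0 for unknown users)

def find_elofants(roster: Dict[str, Optional[date]],
                  app_accounts: Dict[str, List[Dict[str, str]]],
                  as_of: date) -> List[Finding]:
    """Cross-check each app's active users against the HR roster.

    An ELOFANT is an active account whose owner's departure date is on or
    before `as_of`. Active accounts that match nobody in HR are reported too:
    nobody can offboard an account whose owner is unknown.
    """
    by_email = {email.lower(): left for email, left in roster.items()}
    findings: List[Finding] = []
    for app, accounts in app_accounts.items():
        for acct in accounts:
            if acct["status"] != "active":
                continue  # already revoked in this app; nothing to do
            user = acct["user"].lower()  # exports differ in letter case
            if user not in by_email:
                findings.append(Finding(app, user, "unknown_user", 0))
                continue
            left = by_email[user]
            if left is not None and left <= as_of:
                findings.append(Finding(app, user, "elofant", (as_of - left).days))
    # Longest-open access first: that is where the most risk has accumulated.
    return sorted(findings, key=lambda f: (-f.days_open, f.app, f.user))

def demo_findings(as_of_iso: str = "2016-07-15") -> List[tuple]:
    """Run the check over the constructed data; returns (kind, app, user, days)."""
    as_of = date.fromisoformat(as_of_iso)
    return [(f.kind, f.app, f.user, f.days_open)
            for f in find_elofants(HR_ROSTER, APP_ACCOUNTS, as_of)]

if __name__ == "__main__":
    for kind, app, user, days in demo_findings():
        print(f"{kind:13} {app:12} {user:20} open {days}d")
```

Each "elofant" line is a revocation ticket for that app's admin; each "unknown_user" line is a question about who owns the account before it can be revoked.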

Thursday, May 12, 2016

Jackware: coming soon to a car or truck near you?

As 2016 rolls on, look for headlines declaring it to be "The Year of Ransomware!" But what kind of year will 2017 be? Will it be "The Year of DDoS" or some other form of "cyber-badness" (kudos to my ESET colleague Cameron Camp for coining that term)? Right now I'm worried that, as the years roll on, we could see "The Year of Jackware" making headlines.

What is jackware?

Jackware is malicious software that seeks to take control of a device, the primary purpose of which is not data processing or communications, for example: your car. Think of jackware as a specialized form of ransomware. With ransomware, the malicious code encrypts your documents and demands a ransom to unlock them. The goal of jackware would be to lock up a car or other piece of equipment until you pay up. Fortunately, and I stress this: jackware is currently, pretty much, as far as I know, theoretical, not yet "in the wild".

Update: Jackware in the news...

Unfortunately, based on past form, I don't have much faith in the world's ability to stop jackware being developed and deployed. So far the world has failed abysmally when it comes to cybercrime deterrence. There has been a collective international failure to head off the establishment of a thriving criminal infrastructure in cyberspace that now threatens every innovation in digital technology you can think of, from telemedicine to drones to big data to self-driving cars.

Consider where we are right now, mid-May, 2015. Ransomware is running rampant. Hundreds of thousands of people have already paid money to criminals to get back the use of their own files or devices. And all the signs are that ransomware will continue to grow in scale and scope. Early ransomware variants failed to encrypt shadow copies and connected backup drives, so some victims could recover fairly easily. Now we're seeing ransomware that encrypts or deletes shadow copies and hunts down connected backup drives to encrypt them as well.

At first, criminals deploying ransomware relied on victims clicking links in emails, opening attachments, or visiting booby-trapped websites. Now we're also seeing bad guys using hacking techniques like SQL injection to get into a targeted organization's network, then strategically deploy the ransomware, all the way to servers (many of which aren't running anti-malware).

The growing impact of ransomware would also seem to be reflected in people's reading habits. Back in 2013, one of my colleagues at ESET, Lysa Myers, wrote an article about dealing with the ransomware scourge. For the first few weeks it got 600-700 views a week. Then things went quiet. Now it is clocking 4,000-5,000 hits a week and the war stories from victims keep rolling in.

But how do we get from ransomware to jackware? Well, it certainly seems like a logical progression. When I told Canadian automotive journalist David Booth about ransomware on laptops and servers, I could see him mentally write the headline: Ransomware is the future of car theft. I knew David would see where this could be headed. He's written about car hacking before, going deeper into the subject than most of the automotive press.

The more I think about this technology myself, the more I think that the point at which automotive malware becomes serious jackware, and seriously dangerous, will be the conjunction of self-driving cars and vehicle-to-vehicle networks. Want a nightmare scenario? You're in a self-driving car. There's a drive-by infection, silent but effective. Suddenly the doors are locked with you inside. You're being driven to a destination not of your choosing. A voice comes on the in-car audio and calmly informs you of how many Bitcoins it's going to take to get you out of this mess.

Why give the bad guys ideas?

Let's be clear, I didn't coin the term jackware to cause alarm. There are many ways in which automobile companies could prevent this nightmare scenario. And I certainly didn't write this article to give the bad guys ideas for new crimes. The reality is that they are quite capable of thinking up something like this for themselves.

Can I be sure there's not some criminal out there who's going to read this and go tell his felonious friends? No, but if that happens it's quite probable that his friends will sneer at him because they know someone who's already done a feasibility study of something jackware-like (yes, the cybercrime underworld does operate a lot like a fully evolved corporate organism). We are not seeing jackware yet because the time's not right. After all, there's no need to switch from plain old ransomware as long as people keep paying up.

Right now, automotive jackware is still under "future projects" on the cybercrime whiteboards and prison napkins. Technically it's still a stretch today, and tomorrow's cars could be even better protected, particularly if FCA has learned from the Jeep hack and VW has learned from the emissions test cheating scandal and GM's bug bounty program gets a chance to work.

Unfortunately, there's this haunting refrain I can't quite get out of my head, something about "when will they ever learn..."

Sunday, May 08, 2016

White paper on US data privacy law and legislation

Recently I put together a 15 page white paper titled Data privacy and data protection: US law and legislation. Among the 80 or so references at the end of the paper you will find links to a lot of the federal privacy laws, and some of the articles I cited.

Back in 2002 when I published a book on data privacy, I asked the cat to "look shy" and she struck this pose (honest!)
I figured this would be a handy resource for folks looking to learn more about how data privacy works in the US. Of course, some would say data privacy doesn't work in the US, and the white paper is written with that opinion in mind. Frankly, the whole subject is pretty complex and in writing this paper I found out I had been wrong, or at least, not quite right, about quite a few things.

Knowing how data privacy protection has evolved in the US so far should help inform its further progression. Clearly, data protection will continue to evolve in the EU and US with the arrival of the General Data Protection Regulation (GDPR), also known as the European Data Protection Regulation (the GDPR is not discussed in the white paper – the subject probably merits one of its own – I have been clipping news on GDPR here and tweeting it here)

For more on the white paper, which was made possible by ESET, visit the We Live Security website, and be sure to sign up for regular news on all manner of data privacy and cybersecurity topics by email.

If a white paper is too much and you're just getting started in your data privacy reading, here are some good places to start:


Thursday, March 10, 2016

Infowar and Cybersecurity: Pitfalls, history, language, and lessons still being learned

I recently registered to attend a very special event in the cybersecurity calendar: InfoWarCon. The organizers of this unique gathering ask all participants to write a short blurb about what they bring to the proceedings. You can read what I wrote later on in this post, but first, some background.

The Information Warfare Conference

An institution created by my good friend Winn Schwartau, InfoWarCon has been around for more than 20 years. Even if you haven't heard of Winn, I bet you've heard the phrase: "Electronic Pearl Harbor". Winn was the first person to use that term, as recorded in his testimony to Congress about the offensive use and abuse of information technology in 1991. That was five years before CIA Director John Deutch made national headlines using the term, also in congressional testimony (you may recall President Clinton issuing a presidential pardon to Deutch after he was found to have kept classified material on unsecured home computers).

The first InfoWarCon I attended was the one held at the Stouffer Hotel in Arlington, Virginia, in September of 1995. In those days, Chey and I were both working for the precursor to ICSA Labs and TruSecure, then known as NCSA, a sponsor of InfoWarCon 95. The agenda for that event makes very interesting reading. It addressed a raft of issues that are still red hot today, from personal privacy to open source intel, from the ethics of hacking to military "uses" of information technology in conflicts.

Winn was passionate that there should be open and informed debate about such things because he could see that the "information society" would need to come to grips with their implications. Bear in mind that a lot of the darker aspects of information technology were still being eased out of the shadows in the 1990s. I remember naively phoning GCHQ in 1990, back when I was writing my first computer security book, and asking for information about TEMPEST. The response? "Never heard of it; and what did you say your name was?" When I first met Winn he was presenting a session on a couple of other acronyms, EMP bombs and HERF guns. That was at Virus Bulletin 1994, one of the longest running international IT security conferences (my session was a lot less interesting, something about Windows NT as I recall).

The InfoWarCon speaker lineup in 1995 included a British Major General, several senior French, Swedish, and US military folks, Dr. Mich Kabay - chief architect of one of America's first graduate level information assurance programs, and Scott Charney, now Corporate Vice President for Microsoft's Trustworthy Computing. Many of those connections remain active. For example, the Swedish Defence University is involved in this year's InfoWarCon, via its Center for Asymmetric Threat Studies (CATS). Recent InfoWarCons have eschewed the earlier large-scale public conference format in favor of a more intimate event - private venue, limited attendance, no media - more conducive to frank exchanges of perspectives and opinions.

For Chey and me, the trip to InfoWarCon16 is personal as well as professional - after all, we have known the Schwartaus for more than two decades, somehow managing to meet up in multiple locations over the years, from DC to Florida, Las Vegas to Vancouver, not to mention Moscow. So when I got to the registration page for InfoWarCon16, which asks all prospective attendees and invitees to submit a short “What I Bring to InfowarCon” blurb, my first thought was "I don't need no stinking blurb!" But that soon passed as I relished an excuse to convey something of my background in a new, and hopefully interesting, way. Here is what I wrote...

A Student of Information Technology Pitfalls

Mining coal in the Midlands, 1944 © IWM
I was born in 1952, in the English county of Warwickshire, in a small terraced house heated by fireplaces that burned coal. That coal was mined from one of 20 pits under our county, some of which were more than a century old by then. Between 1850 and 1990, pitfalls in mines in the Midlands killed hundreds of men as they toiled to fuel the industrial revolution. Across Britain during that time period coal pits claimed over a hundred and fifty thousand miners, but theirs were not the only lives taken by fossil-fueled industrial technology. Consider this: a few months after I was born, 12,000 Londoners died from a single air pollution incident, of which burning coal was a primary cause (the Great Smog of 52).

And so it was that, many years before computers came into my life, I was well aware technology brings pitfalls as well as benefits. Like many of the swords displayed in Warwick castle, originally built by William the Conqueror in the eleventh century, technology is double-edged. This is certainly true of information technology. It can be good for growth, good for defense, but also tempting for offense.

Since I started researching my first computer security book in the late 1980s I have thought long and hard about such things, sometimes in ways that others have not. I have listened closely to the language invented to articulate the uses and abuses of this technology. For example, in 2014, I presented a paper at CyCon titled “Malware is called malicious for a reason: the risks of weaponizing code” in which I introduced the term ‘righteous malware’ (IEEE CFP1426N-PRT).

In 2015, I analyzed the problem of measuring the scale and impact of cybercrime in the peer-reviewed Virus Bulletin paper: “Sizing cybercrime: incidents and accidents, hints and allegations”. The serious shortcomings of both public and private sector efforts to address this issue were articulated and documented in detail. I am currently doing post-graduate research at the University of Leicester seeking to identify key traits of effective cybersecurity professionals. But more importantly, for the past 25 years I have engaged myself as much as possible - resources and life events permitting - in the ongoing conversation about how best to reap the benefits of information technology without suffering from what have been called its downsides, its pitfalls.

Speaking of which, it is relevant to note, in the context of InfoWarCon, that the word pitfall did not originate in coal mines, but on the battlefield. The Oxford English Dictionary identifies 1325 as the first year it was used in written English. The meaning? “Unfavourable terrain in which an army may be surrounded and captured.” To me, that doesn't sound a whole lot different from some parts of cyberspace.