Cyber Security Talent Shortage and Industry Dynamics

Cyber-crime is at an all-time high. Forty million payment card numbers were stolen from Target in 2013, nearly 80 million healthcare records were stolen from Anthem in 2015, and Yahoo recently disclosed that one billion accounts had been compromised.

Cyber-crime has become very lucrative and cyber criminals have become extremely sophisticated. Massive breaches of this kind are expected to continue and to cause billions of dollars of damage, and the biggest challenge the industry faces in responding is a severe shortage of security professionals: there are 238,000 unfilled cyber security jobs in the U.S. and 1,000,000 globally.

Evolve Security Academy is tackling this talent shortage with the country’s first cyber security bootcamp. Evolve recently announced its hiring rate for 2016: 88% of graduates seeking a cyber security job were hired within 120 days, with an average salary increase of 55%. Evolve attributes its graduates’ success primarily to the real work experience they gained performing live security assessments for not-for-profit organizations throughout the program.

Evolve knows there is still a long way to go to solve this talent shortage and believes the bootcamp model is the quickest and most effective way to train people and get them into the industry defending against cyber-criminals.

Evolve Security Academy’s white paper, Cyber Security Talent Shortage & Industry Dynamics, covers how to enter the fast-growing cyber security industry in more depth.

 

Hacker Motivation – Past, Present, Future

 

 By Tolu Akinterinwa

“The hacking trend has definitely turned criminal because of e-commerce” – Kevin Mitnick

For many people, hacking is a word they hear every day and think they understand: using a computer to intercept or steal someone’s information without their consent. Hacking threats remain a serious issue for individuals and organizations alike, given the rising sophistication and determination of attackers. With the spread of networked computers and the interconnection of everything from the devices in our pockets to the automated garages in our homes, information security risks are greater than ever, and it is easier than ever for hackers to reach our information.

Most people wonder why the ‘bad guys’ hack. It is important for individuals, and especially for businesses, to understand what motivates attackers, because the damage they can do is serious. Understanding that motivation helps IT security staff strengthen their defenses and take the measures needed to better control access to company information.

The factors that motivate hackers have evolved over time. In the early 1960s, "hacker" was a positive term for someone with a mastery of computers who could push programs beyond what they were designed to do. In those days hacking was mostly a way of learning about systems and IT in general. It was also done for fun: kids broke into any computer system they could find for bragging rights and to satisfy their curiosity. The appeal was overcoming a challenge, coupled with the thrill of doing something that was not meant to be done. Hacking in the past was mostly for personal gratification.

In recent years, hacking has taken on darker connotations. Eric Holdeman wrote in his article ‘The Good Old Days of Hacking’ that “it does not seem that long ago when cyber security meant keeping 13-year-olds from breaking into your network for fun”. Today hacking is criminal and big business when you measure its impact. Today’s attackers rarely hack for fun or out of curiosity. They penetrate far more than government websites; they are driven by financial gain and target people’s personal financial data, and a large share of attacks fall into this category. Attackers install malware on individual computers to collect passwords for sensitive accounts. They break directly into merchant or payment-processor databases to collect card numbers and other data that lets them steal from unsuspecting victims. They compromise company websites and trick users into revealing sensitive data such as passwords. Ransomware is a rising trend and a growing threat to businesses as well: malicious code encrypts the victim’s files and demands a ransom to decrypt them.

Idealism, or hacking to disrupt, is another motivation in recent times, also known as hacktivism. These attackers carry out denial of service (DoS) attacks to make a machine or network resource unavailable to its intended users. Hacktivist groups such as LulzSec and Anonymous try to make a statement by targeting a company to disrupt its business and create confusion. They hack to expose security holes or to show their disapproval of the business.

While hacking for disruption and financial gain continues to grow, hacking for notoriety has not ceased. These hackers are ‘fame seekers’ who attack targets to build a reputation. A teenage Austrian broke into 259 companies over a 90-day period, and once caught by the police he admitted that boredom and a desire to prove his skills were his motivation.

It may seem unrealistic to assume that hacking for financial gain, disruption or notoriety will ever cease. But if it did, what would the ‘futuristic’ motivation for the ‘bad guys’ be? What could drive hackers to keep going despite the barriers of presumably tighter security programs and platforms? Understanding hackers’ motivation not only helps IT security personnel tighten their own defenses; it helps the entire IT security industry design programs, policies and software that strengthen information security as a whole.

Companies continue to leave many security loopholes (weak passwords, for example) and will likely do so for the foreseeable future. Regardless of what motivates hackers, companies need to continuously strengthen their defenses to prevent unauthorized access to their networks, their data and their customers’ data.

Sources:
http://www.sptimes.com/Hackers/history.hacking.html
http://www.emergencymgmt.com/emergency-blogs/disaster-zone/thegoodolddaysofhacking.html

Bug Bounties and Zero-Day Responsible Disclosure

By Matthew Stelnicki

Bug bounties have become a widely accepted form of vulnerability testing in organizations of all sizes. Organizations from newly created start-ups all the way to the Pentagon host bug bounty programs, which typically offer substantial rewards to participants who discover security flaws. As with anything, there are two sides to the equation. Bug bounty programs can be an efficient and cost-effective way to surface previously unknown vulnerabilities in an environment, but they also invite anyone to probe systems that may hold sensitive data, and they may not be suitable for companies with an immature security posture.

Bug bounty programs are a cost-effective way to test an environment. When a company hires a pen-testing team it pays for all of the team’s time, whereas bounties are paid only for validated findings. Most of a tester’s time is spent trying and failing, and failing again, before someone finds and properly exploits an issue. Financially, it makes sense for an organization to take this approach to finding hard-to-discover issues rather than relying solely on the traditional pen-testing route.

Bounty programs also bring in large crowds with many different testing methods, which has both ups and downs. A large crowd tests the entire environment in many different ways; however, keeping every participant within scope can be challenging. Even when the rules are clearly stated, participants may be tempted to go the “extra mile” beyond the boundaries to gain access. If they are willing to bend the rules here, where are their limits? With many security researchers and hackers testing a target system, it is hard to filter out the participants with another agenda in mind.

Outside of bug bounties, hackers and security researchers are always hunting for zero-day bugs in software that could be a serious threat to the public. When such a vulnerability is found, there is a responsible (coordinated) disclosure process that should be followed before the discovery is released to the public. Typically the researcher notifies the vendor privately and the parties agree on a period to resolve the issue before publication; a 90-day deadline is a common industry convention. Giving the organization a chance to remediate before going public protects its reputation and keeps the details of the vulnerability from reaching malicious hackers before fixes are in place. One issue bug hunters have with notifying organizations of their zero-day bugs is that they often want compensation for their discoveries. However, they cannot force an organization to pay, since that would amount to extortion, and they would then become the criminals they work to protect against.

Bug bounty programs have proven a cost-effective approach to intensive penetration testing for an organization with a mature security program. They have also gained support from the hacking community, which believes in preserving the confidentiality, integrity and availability of the systems that organizations and the public depend on. When properly executed, bug bounty programs work in favor of both sides, offering compensation where it is earned and giving participants an incentive to disclose their findings appropriately. For environments that are less mature from a security perspective, or where compliance requirements must be met, traditional penetration testing is the better choice.
 
References:
https://bugcrowd.com/list-of-bug-bounty-programs
http://www.computerworld.com/article/2484196/application-security/bug-bounties--bad-dog--have-a-treat-.html
http://betanews.com/2016/01/11/the-pros-and-cons-of-implementing-a-bug-bounty-program/
https://en.wikipedia.org/wiki/Responsible_disclosure

The Verizon Data Breach Report in Seven Minutes

By Ariel Ehrlich

It had started just like any other day. A typical morning, reviewing the schedule and mentally preparing for a budget meeting, and then it broke. It broke first on the internet, so the public knew before you did. Trending on Twitter, reported en masse by news outlets from Reuters and CNN to Wired. Suddenly everyone is hysterical, there are hundreds of unread emails in your inbox that were not there a moment ago, and the phone is ringing and ringing. You slam the office door to shut it out and stumble into the seat behind your desk as the acute feelings of paranoia and panic set in. This is it. How could it happen? What did they take? Where do you go from here? Is it all over?
 
This is what it feels like to be breached, and in 2016 it is becoming the norm. We are all targets, regardless of industry, whether you are a single mother, a student, a CEO, a two-person startup, or a global enterprise. It is not "if", but "when".
 
And the numbers are staggering. The average cost of a large data breach is $3.79 million, according to a figure cited by MIT Technology Review. Breaches now reach daunting levels, costing companies millions of dollars, involving millions of stolen or compromised records and terabytes of data, and hitting seemingly well-protected multinational corporations, banks and government agencies.
 
The Verizon 2016 Data Breach Investigations Report analyzes thousands of data breaches and security incidents from the past year, revealing important trends and patterns. By examining the report, we can better anticipate how to protect ourselves.
 
WHO is affected?
Everyone. Every industry is a target, whether you work in entertainment, transportation, education, mining or agriculture. The three most affected industries are public administration, information, and financial services, but no industry is exempt.

Industries are attacked in different ways. Never assume that because two things look alike they face the same threats; even subgroups within the same industry are attacked differently.

In a perplexing trend, many subsectors in completely unrelated industries share a closer threat profile than subsectors within the same industry. For example, laundry services and spectator sports have very similar threat profiles, and each of the manufacturing subsectors has more in common with central banks than with the other manufacturing subsectors.

What do laundry services and spectator sports, or manufacturing and banks, have in common? We're not sure either. But it shows there is no "one size fits all" solution, even at the industry level.

WHO is hacking?
The actors responsible for data breaches fall into three main groups:
•    Activists ("hacktivists") 
•    State-affiliated
•    Related to organized crime

About 85% of actors are external. The rest are mostly internal, with a very small number of partner actors.

WHY are they attacking?
The exact motives for these attacks are hard to know, but they differ based on the target and type of attack.

  • Financial gain. This is the primary motivation of organized crime, which is responsible for 73% of "crimeware": malware designed to scam victims for money, steal data or extort. This includes “ransomware”, which has grown increasingly popular in the last year.
  • Ideological motivation. Activists often have moral and political motivations, whether promoting social change, advocating for freedom of speech or human rights, or acting as internet vigilantes. Activists may use a DDoS attack to temporarily take down a government website as a form of political protest, leak confidential government documents as Wikileaks does, or leak user lists to the public, as in the Ashley Madison breach.
  • Cyber-espionage. State-sponsored attacks focus on surveillance and information gathering, including intellectual property. They are often attributed to the governments of North Korea, China and Iran (or our own United States). Over 95% of cyber-espionage attacks use phishing campaigns, targeting government agencies and the information and manufacturing industries. Beyond gathering information, these attacks establish a persistent presence on user devices, which lets the attackers keep exploring the network undetected.

HOW are they attacking?
There are many attack methods that can be used to cause a massive data breach, but here are some of the most common attack trends that you need to know:

  • Phishing. Phishing is a type of social engineering, typically an email that tricks the user into installing malware. The top delivery methods are email attachments and email links, and sometimes web drive-by downloads. Phishing campaigns are alarmingly effective: if 10 emails are sent, there is a roughly 90% chance that at least one person falls victim, and nearly half of those who open and click do so within the first hour.
  • Denial-of-Service. Denial-of-service (DoS) attacks make a machine or network unavailable to its intended users by disrupting the services of a host connected to the internet. Distributed denial-of-service (DDoS) attacks use many computers at once, typically a botnet: a network of compromised machines that receive commands without their owners' knowledge. The target is flooded with traffic until the server can no longer accept new connections and becomes inaccessible to legitimate users. DDoS attacks are less common overall but have grown more severe.
  • Malware. Short for "malicious software," malware is software intended to damage or disable computers or perform other unwanted activity; it can steal passwords, enable remote access or encrypt user data. Common examples include viruses, worms, trojans and spyware. Malware has many delivery vectors, including phishing emails (attachments or links), web drive-by downloads, vulnerabilities in web applications, remote exploits and targeted attacks. Twenty types of malware account for 70% of all malware activity, topped by a "Sinister 7". Most malware aims at command-and-control botnet membership, credential theft and other forms of fraud; organized crime is responsible for most of it, and the public, information and retail industries are the most targeted.
  • Point-of-Sale. This is malware written to steal customer payment data (usually card data) from retail checkout systems, the “point-of-sale”. POS attacks target small businesses as well as large ones, and mostly affect the accommodation, entertainment and retail industries. They peaked in 2011 and 2012 but remain common and have grown more complex, adapting to larger organizations with multi-step attacks that include RAM scraping.
  • Vulnerabilities. Many attackers take advantage of well-known vulnerabilities in software. Publicly known vulnerabilities are catalogued in the free, public Common Vulnerabilities and Exposures (CVE) list. Unfortunately, many companies don't pay attention even when the vulnerabilities are openly known and patches have been available for months or years: 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published. Well-publicized examples from recent years include Heartbleed (CVE-2014-0160) and Stagefright.
  • Mobile. Mobile devices are not a preferred vector in data breaches, but they still matter. Almost all mobile malware targets Android (96%), and most of it is adware, software that delivers ads to make money. Adware is not usually harmful in itself but aggressively collects user data, often without permission. Fortunately most mobile malware is short-lived (95% lasts less than a month), and only a very small fraction is truly malicious.
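The "exploited more than a year after the CVE was published" point under Vulnerabilities above is easy to turn into a check: compare what is installed against the version ranges in published advisories and report how long each advisory has been public. The following is an added example and not code from the page or the Verizon report. The advisory feed and host inventory are constructed for illustration; only the Heartbleed entry mirrors a real advisory (CVE-2014-0160: OpenSSL 1.0.1 through 1.0.1f affected, fixed in 1.0.1g, published 2014-04-07), and the hosts and versions are made up.

```python
"""Exposure-window check for published vulnerabilities.

Added example (not from the page or the DBIR).  Flags installed packages
that still fall inside a published vulnerable version range and reports how
long the advisory has been public, so that "patched a year late" shows up
per host rather than as an industry statistic.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    first_affected: str   # inclusive lower bound
    fixed_in: str         # first non-vulnerable version (exclusive upper bound)
    published: date


@dataclass(frozen=True)
class Package:
    host: str
    product: str
    version: str


def version_key(version: str) -> tuple:
    """Sort key for versions such as '1.0.1f', '1.0.2' or '2.4.7'.

    Dotted numeric components compare numerically; an optional trailing
    letter (OpenSSL style) sorts after the bare version, so
    '1.0.1' < '1.0.1a' < '1.0.1f' < '1.0.1g' < '1.0.2'.
    """
    match = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if not match:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return (numbers, match.group(2))


def is_affected(pkg: Package, adv: Advisory) -> bool:
    """True if pkg is the advisory's product and its version lies in
    [first_affected, fixed_in)."""
    if pkg.product != adv.product:
        return False
    key = version_key(pkg.version)
    return version_key(adv.first_affected) <= key < version_key(adv.fixed_in)


def exposure_report(inventory, advisories, as_of, stale_after_days=365):
    """Return (host, cve, days_public, overdue) for every exposed package.

    as_of may be a date or an ISO date string.  overdue is True when the
    advisory has been public longer than stale_after_days, the window after
    which, per the report, almost all exploitation of known bugs happens.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    findings = []
    for pkg in inventory:
        for adv in advisories:
            if is_affected(pkg, adv):
                days_public = (as_of - adv.published).days
                findings.append((pkg.host, adv.cve, days_public,
                                 days_public > stale_after_days))
    return findings


# Constructed data: one real advisory (Heartbleed), made-up hosts.
ADVISORIES = [
    Advisory("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g", date(2014, 4, 7)),
]
INVENTORY = [
    Package("web-01", "openssl", "1.0.1e"),   # inside the vulnerable range
    Package("web-02", "openssl", "1.0.2"),    # later branch, not affected
    Package("db-01", "openssl", "1.0.1g"),    # first fixed release
    Package("app-01", "openssl", "0.9.8y"),   # older branch, not affected
]


if __name__ == "__main__":
    for host, cve, days_public, overdue in exposure_report(INVENTORY, ADVISORIES, "2016-03-01"):
        print(f"{host}: {cve} public for {days_public} days [{'OVERDUE' if overdue else 'recent'}]")
```

Run against a real inventory, the report is the list of hosts a reviewer would expect to see patched before the quarterly review; the version-range logic is the part that usually goes wrong in home-grown scripts, which is why it is isolated in version_key and is_affected rather than done with string comparison.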

WHAT can we learn from this?
There is no "one size fits all" solution to preventing data breaches, which suggests that security regulation (compliance) imposed at an industry level is not the best approach. Companies should consider which assets they value most and what level of risk is acceptable, and devise their own plan to protect those assets.
 
Constant vigilance is necessary. Keep software up to date, maintain firewalls and anti-virus software, patch vulnerabilities as quickly as possible, and review these technical measures at least quarterly.

Improving detection and response times. Most data breaches happen very quickly: a shocking 60% of attackers are able to compromise an organization within minutes, and 75% of attacks spread from victim 0 to victim 1 within one day. Detection and response times vary by attack type (for example, half of organizations took 35 days or fewer to discover malware events), but faster detection and response has a great impact on minimizing and preventing data breaches.
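Detection time is where a defender can actually move the needle, and the flood described under Denial-of-Service above is one of the few attacks that announces itself in the logs if anyone is counting. The following is an added example, not code from the page or the Verizon report: a sliding-window detector over web-server access logs with two checks, a per-source rate limit (one client hammering the server) and an aggregate limit (many clients, each individually unremarkable, adding up to a flood). The log lines are constructed for this example in combined log format using documentation address ranges; the thresholds are assumptions to be tuned to real baseline traffic.

```python
"""Sliding-window flood detection over access logs.

Added example (not from the page or the DBIR).  The sample log is
constructed: steady background traffic, a single-source flood, then a
distributed flood in which no single source crosses the per-source limit.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, client_ip) for a combined-format line, or None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    return datetime.strptime(match.group("ts"), TS_FMT), match.group("ip")


def detect_floods(lines, window_s=10, per_source_max=50, total_max=200):
    """Scan lines in time order and return a list of alerts.

    Each alert is (kind, timestamp, source_ip_or_None, requests_in_window).
    'source_flood' fires the first time one client exceeds per_source_max
    requests within window_s seconds; 'aggregate_flood' fires the first time
    all clients together exceed total_max.  Each condition alerts once.
    """
    per_source = defaultdict(deque)   # ip -> request times inside the window
    overall = deque()                 # all request times inside the window
    alerts, fired = [], set()

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                  # skip malformed lines rather than crash
        ts, ip = parsed
        now = ts.timestamp()
        cutoff = now - window_s

        queue = per_source[ip]
        queue.append(now)
        while queue[0] < cutoff:      # drop requests that left the window
            queue.popleft()
        overall.append(now)
        while overall[0] < cutoff:
            overall.popleft()

        if len(queue) > per_source_max and ("source", ip) not in fired:
            fired.add(("source", ip))
            alerts.append(("source_flood", ts, ip, len(queue)))
        if len(overall) > total_max and "aggregate" not in fired:
            fired.add("aggregate")
            alerts.append(("aggregate_flood", ts, None, len(overall)))
    return alerts


BASE = datetime(2016, 10, 10, 13, 55, 0, tzinfo=timezone.utc)


def build_sample_log():
    """Constructed access log (not captured traffic): background traffic,
    a single-source flood at t=30s, a distributed flood at t=50s."""
    events = []
    # background: five clients, one request every two seconds for a minute
    for i in range(5):
        for s in range(0, 60, 2):
            events.append((BASE + timedelta(seconds=s), f"192.0.2.{i + 1}"))
    # single source: 80 requests in five seconds (16 per second)
    for n in range(80):
        events.append((BASE + timedelta(seconds=30 + n // 16), "198.51.100.9"))
    # distributed: 100 sources, three requests each, spread over two seconds
    for i in range(100):
        for n in range(3):
            events.append((BASE + timedelta(seconds=50 + n % 2), f"203.0.113.{i + 1}"))
    events.sort(key=lambda e: e[0])   # stable sort keeps insertion order within a second
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512'
            for ts, ip in events]


if __name__ == "__main__":
    for kind, ts, ip, count in detect_floods(build_sample_log()):
        print(f"{ts.isoformat()} {kind} source={ip or 'many'} requests_in_window={count}")
```

The second check matters more than the first: a botnet of the kind described above spreads its requests thinly enough that a per-source limit never fires, so an aggregate counter (or a per-URL or per-backend one) is what turns "the site is slow" into an alert with a timestamp.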

Human behavior and human error. Humans really are the weakest link. Most data breaches can be traced to something a person did or did not do: an employee opening a phishing email and triggering malware, a known vulnerability left unpatched out of laziness or ignorance, or an employee with more access than necessary reaching systems they should not. This is alarming, but it is also a good sign, because human behavior can be changed as awareness increases; it means these things are within our control. Phishing, social engineering, insider misuse and miscellaneous errors are all direct results of human decisions. Improving employee awareness and training on these topics will help prevent data breaches.

Citations:
- Verizon 2016 Data Breach Investigations Report
- http://whatis.techtarget.com/definition/POS-malware-point-of-sale-malware
- https://www.technologyreview.com/s/545616/cybersecurity-the-age-of-the-megabreach/

Hello World

 

 

By Paul Petefish

It is with great pleasure and pride that I introduce Evolve Security Academy – the first of its kind: a hands-on, fully immersive information security education program focused on creating well-rounded cybersecurity professionals and placing them in high-paying jobs.

There is a massive workforce shortage in the information security space and everyone is feeling it. More than 200,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74 percent over the past five years, according to a Peninsula Press analysis (a project of the Stanford University Journalism Program) of Bureau of Labor Statistics numbers.

A few other interesting statistics:

  • Demand for U.S. information security professionals is expected to grow by 53 percent through 2018, according to a RAND Corporation study.
  • Demand for cyber security professionals over the past five years grew 3.5 times faster than demand for other IT jobs and about 12 times faster than for all other jobs, according to a 2014 report by Burning Glass Technologies in Boston.
  • Channel Partners reported that The Pentagon plans to triple its cyber workforce, the FBI’s Cyber Division plans to hire 1,000 agents and 1,000 analysts, and the U.S. Department of Homeland Security (DHS) is hiring 1,000 cyber security professionals. 

According to Howard Tullman, CEO of 1871, the top university-affiliated incubator in the U.S., a staggering number of traditional schools (high schools, colleges and universities) aren’t giving their graduates the concrete, practical skills they need for the jobs being created in the digital economy. Students often pursue a traditional four-year education with the promise of a high-paying job after graduation. Unfortunately, job placement is not a focus of most traditional colleges, and students are left without a job and with significant debt.

With the rise of Big Data we create 2.5 quintillion bytes of data every day, so much that 90 percent of the data in the world today was created in the last two years. We are wandering into the wild west of big data, and the responsibility for keeping all of it safe and secure lies with cybersecurity professionals.

Talented, trained, security-minded people will never be replaced by technology. Evolve Security Academy’s mission is to change the current education model by delivering affordable, relevant training and an outstanding educational experience.