Author Archives: Hazel Burton

Distorting the truth: The roots of online political disinformation campaigns

On today’s episode of the Security Stories podcast we discuss the history of online manipulation campaigns, and how they’re used today to try and influence political elections.

To do that, we welcome back Theresa Payton, the first female CIO of the White House and author of ‘Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth’.

Also joining us is Nick Biasini. Nick is a threat researcher within Cisco Talos and recently published a paper called ‘The Building Blocks of political disinformation campaigns’. The paper is part of Talos’ hands-on research into election security.

We chat about some of the things that shocked Theresa when she was doing her research into manipulation tactics. And Nick talks about the amplification methods that are being used to spread certain lies online. Plus, we talk about what can be done to curb these campaigns with only a few weeks to go until the United States general election.

This is a really fascinating discussion, and whilst it highlighted the huge challenges that we’re facing at the moment, Nick and Theresa shared a lot of great information on how we can overcome them.

Also in this episode, Ben Nahorney shares his latest research on current threat trends. This time we rank the Indicators of Compromise that organizations have encountered grouped by particular topics, including ransomware, credential stealing, and looking at the top operating system IoCs.

Episode time stamps

0.00 Intro
03:01  Discussion on disinformation campaigns with Nick Biasini and Theresa Payton
42:45  Threat trends with Ben Nahorney
52:09  Closing remarks

Play the episode

You can listen to this podcast on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from! You can also listen right here and now:

Further resources:

‘The Building Blocks of political disinformation campaigns’

‘Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth’

The post Distorting the truth: The roots of online political disinformation campaigns appeared first on Cisco Blogs.

Openness and support: Discussions on why diverse representation in cybersecurity matters


I can honestly say that the two discussions featured in the latest episode of the Security Stories podcast have inspired and motivated me more than anything else has recently.

I really hope that as many people as possible get to listen to this episode. And I’m definitely not just saying that for my podcast stats 🙂

Diversity in cybersecurity discussion

Firstly, I caught up with my co-host Noureen Njoroge, as well as Leticia Gamill, Cisco’s Channel leader for Canada and Latin America, and Matt Watchinski, Vice President of Cisco Talos.

Together, we discuss a crucial topic in cybersecurity: the significance of diverse representation, and what that can do for the industry.

Leticia oversees team members based across seven countries, and is a passionate supporter of diversity in cybersecurity. Last year she created a non-profit called LATAM Women in Cybersecurity to encourage more women in Florida and Latin America to enter the field.

As the leader of Talos, the largest commercial threat intelligence group in the world, Matt oversees all the intelligence activities necessary to support our security products and services that keep customers safe.

Matt is a huge ally for diversity in cybersecurity. Within Talos, he has created a culture and a hiring policy that ensures voices from multiple backgrounds can be heard.

And of course most regular Security Stories listeners already know my co-host Noureen, but just in case this is your first time listening, Noureen is a threat intelligence customer engineer. She’s the founder of Cisco’s global cybersecurity mentoring forum, running mentoring events twice a month.

She’s also the founder of the Mentors and Mentees women in Cybersecurity group on LinkedIn and the president of North Carolina Women in Cybersecurity (WiCyS) Affiliate chapter.

Noureen is listed among the Top 30 Most Admired Minority Professionals in Cybersecurity by SeQure World Magazine, and was recently crowned winner of the Cybersecurity Woman of the Year 2020 award.

Together, we talk about what leaders can be doing to ensure they’re hiring from a diverse pool of talent, and where they can hire people beyond the usual recruitment channels. We also discuss how organizations can build a culture of mentoring so that members of diverse teams can feel valued, and retainment levels are strong.

Meeting Mike Hanley

Our CISO story for this episode is Cisco’s new Chief Information Security Officer, Mike Hanley.

Mike steps into the role of CISO for Cisco after spending five years with Cisco Duo. He originally joined to run Duo Labs, and was soon asked by Dug Song to be Vice President of Security and to build and nurture the team around him.

During our chat, Mike talks about what the past few months have been like after stepping into the role of CISO for Cisco in the middle of a global pandemic.

A very revealing note for me: I don’t think there was an answer that Mike gave where he didn’t refer to his team. People are clearly the most important aspect of his role, and in this interview you can see exactly why.

In fact, here’s a comment Mike shared that particularly struck a chord with me:

“I’m constantly in awe of the innovative ideas that the people in my team come up with to solve problems. I have middle-school teachers, designers, engineers, and many more fields of expertise in my team – and every single one of them has brought something really unique and significant.”

From the importance of hiring diverse talent, to building a culture of appreciation, openness and fun (he used the word fun six times in the first few minutes – I was keeping count!), Mike’s interview is a fascinating listen for anyone leading a team today.

Episode time stamps

0.00 Intro
02:27 Discussion on diversity in cybersecurity
46:49 Mike Hanley interview
1h 26: Closing remarks

Play the episode

You can listen to this podcast on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from! You can also listen right here and now:

The post Openness and support: Discussions on why diverse representation in cybersecurity matters appeared first on Cisco Blogs.

Technology as a Security Springboard: How These Experts Pivoted to Cybersecurity

Last week I highlighted some of the brilliant stories which are covered in our new eBook, “Diversity in cybersecurity: A Mosaic of Career Possibilities”.

For this blog, we meet some new folks, and uncover how they got their unique starts in the industry.

What’s interesting about these stories in particular is that most people started in a general field of technology. But something happened during that time to persuade them to go into cybersecurity.

Katie Moussouris | CEO of Luta Security | @k8em0 | (LinkedIn) 

There wasn’t a defining moment for me because cybersecurity as an industry wasn’t really called an industry yet. I became a hacker at an early age, but back then, we were just focusing on computer security, which was an offshoot of computer science.

I think a lot of people who have been in cybersecurity for as long as I have—over 20 years professionally—have a very meandering path that led them down this career rabbit hole.

For myself, I was a molecular biologist, and I was working on the human genome project at MIT. I decided molecular biology wasn’t for me, but I wasn’t quite sure what I wanted to do.

So I took a detour, which I thought was temporary, into the systems administrators group at the genome center at MIT. I helped them build those systems out, and then, I took another systems administration job at MIT in the Department of Aeronautics and Astronautics. There, I took care of the network that helped launch some Mars rovers. This was the late 90s we’re talking about here.

From there, defending the systems that I was in charge of led me back into the nascent security fold.

Sophia McCall | Junior Security Consultant | @spookphia | (LinkedIn) 

I was interested in computers from a young age. IT was always my favorite subject; I always wanted to pursue something in technology as a career. I remember when I was about 14 or 15, I completed the IT material so quickly in class that the teachers ended up having to write up separate extra exercises just for me every week!

After school, when I was about 16, I progressed to college to complete a BTEC Level 3 Extended Diploma in Software Development. Over two years, I learned to build and program everything you could think of: websites, games, mobile applications, scripts, and more. On this diploma course, we had a networking module that focused on security.

It was at this point when I definitely heard my “calling.” After nearly two years of building things, I discovered that breaking them was much more fun!

Following this “Eureka” moment, I applied to study a BSc (Hons) in Cyber Security Management at university.

Four years later, including a year’s placement in industry and a huge amount of community involvement, I completed my degree with First Class Honors. I’m now about to commence my first role in the industry as a Junior Security Consultant of penetration testing. 

Ken Westin | Head of Competitive Intelligence, Elastic | @kwestin | (LinkedIn) 

I was working as the Webmaster and Linux Administrator for a company whose endpoint security product blocked USB flash drives from connecting to systems. At that time, my only exposure to security was on the defensive side.

I was curious about how the USB malware we were trying to block worked and how it got into forums where some of these tools were being traded. I therefore started experimenting with them and set out to build several Proofs of Concept (POCs) that would steal data from systems, phone data home to a server, etc.

I went down a lot of rabbit holes in my research, and I even built a website called USBHacks.com that provided samples of the USB malware to help educate network admins. (This was also the first time the FBI reached out to me.)

Around this time, one of my co-workers had his car broken into and his laptop bag stolen. We joked about what would have happened if a thief had stolen my bag and plugged in one of my weaponized flash drives into a computer.  

After the conversation, I started building tools based on my USB malware that were designed to protect devices and data if they were stolen. 

Richard Archdeacon | Advisory Chief Information Security Officer, Duo Security, Cisco | (LinkedIn) 

Like most people, I fell into cybersecurity through exposure to some really big security events. I had a background in IT transformations. Security was becoming increasingly important at the time, but it was still low on the radar unless you worked at a bank or financial organization.  

That all started to change with the big virus attacks. Code Red, Nimda, and the “I Love You” virus all swept us up by surprise at the time (security was still low on the radar unless you worked at a bank or financial organization). In one of the virus attacks, I saw a whole corporation lose its email system.

This didn’t occur simply through the attack; much of it transpired because of a faulty incident response. Everyone at the company was panicking and answering every warning email with a “CC all” reply. So it ground to a halt.  

It struck me that this meant nobody knew how to prevent or respond to these attacks and that security was going to be vital going forward. All our digital transformations would come to naught if a simple attack could cripple us. So we had to develop security in the same way that we were changing IT. 

I think the final confirmation for me came when we read reports from SOCA and other organizations that showed the link between hackers and organized crime. It struck me then that we were not dealing with script kiddies but bad people who were committed to doing bad things to innocent victims. This was more than just a job; it was a calling. 

Omar Santos | Principal Engineer – Product Incident Response Team, Cisco | @santosomar | (LinkedIn)  

It started when I left college and joined the United States Marines. I was in the U.S. Marine Corps, and my military occupational specialty was in electronics and secure communications. From there, I shifted into networking and specifically network security. That’s when I knew that cybersecurity was for me. 

After I left the Marine Corps, I joined Cisco in 2000, and I was part of the technical assistance center. I was supporting firewalls, IPS devices, VPNs, and a lot of encryption. 

From there, I shifted gears into advanced services, which is now called “CX,” or the customer experience. Along the way, I did secure implementations, a lot of network design, and architectural reviews. 

At the end, I was actually doing penetration testing and ethical hacking against many large Cisco customers. I shifted gears again, and now I’m part of the product security incident response team where we specialize in vulnerability management. I also concentrate on helping industry-wide efforts. I’m the chair of several industry-wide initiatives like FIRST and OASIS.

Mo Amin | Independent Cyber Security Culture Consultant  | @infosecmo | (LinkedIn) 

When I started out, it wasn’t called “cybersecurity” back then. It was IT security.

The defining moment for me was when I got involved in a forensic investigation after my manager at the time asked if I wanted to shadow him and learn a few things. I was working in desktop support, and I found it fascinating. It was the catalyst for me.  

From there, I made a lot of mistakes, learned a lot, and adapted. I’ve been fortunate enough to work with some really good people along the way, and I still find the work interesting. 

Rebecca Herold | CEO, The Privacy Professor | @PrivacyProf | (LinkedIn) 

I got onto the information security, privacy and compliance path at the beginning of my career as a result of creating and maintaining the change control system at a large multinational financial/healthcare corporation.

I didn’t even realize change control was a critical information security control at the time until I started seeing the ways in which human interactions and noncompliance with procedures caused some major problems, such as down-time (loss of availability) for the entire corporation.

After I went to the IT Audit area, I performed an enterprise-wide information security audit. As a result of that audit, I recommended that an information security department be created.

There, I created all the corporation’s information security and privacy policies along with their supporting procedures, and created the training program, established requirements for the firewalls and web servers, performed risk assessments, established the requirements for one of the very first online banks at a time before there were any regulatory requirements for them, and generally oversaw the program. I’ve loved working in information security and privacy, simultaneously, ever since.

 

Fareedah Shaheed | CEO and Founder, Sekuva | @CyberFareedah | (LinkedIn) 

At first, cybersecurity was just an interesting career path. But once I got into corporate, I realized that there was more to security than coding or networking.  

My corporate job introduced me to the world of security awareness and the human aspect of security that I didn’t know existed. In that instant, my entire world changed, and my career in cybersecurity was solidified. 

Instead of security being reduced to lines of code or sitting at a desk for eight hours, it became about the human brain, teaching, and authentically connecting with people. 

And once I started my own business and brand, I fell deeply in love with creating a movement and tribe around security awareness and education. 

Now, it’s no longer about the “right career” but about the “right calling.”

It became something much more than me and my curiosity. It became an industry where I could create massive transformation and impact.  

Martijn Grooten | Researcher, Writer, and Security Professional | @martijn_grooten | (LinkedIn) 

During my very first security conference back in 2007, I saw a talk on the Julie Amero case: a teacher who faced a long prison sentence because malware on her laptop had displayed adult content to a class of minors. 

It taught me how security can have an impact on people’s lives and also how different people can have very different threat models. 

The latter lesson I think is relevant well beyond IT security. It could help us understand society better as a whole. 

 

Noureen Njoroge | Cybersecurity Consulting Engineer, Cisco | @EngineerNoureen | (LinkedIn) 

Curiosity led me to a cybersecurity career. I was that one student who always had questions to ask.

Upon obtaining my Bachelor’s Degree in Information Technology, I landed a Systems Admin role, which involved lots of routing, switching, and datacenter tasks. Truly humble beginnings, indeed.

Those late-night shifts at the datacenter were the core foundation of my career, as I learned a lot.   

While at this role, I attended a lunch-and-learn session that was hosted by the Infosec team. They shared information on the latest malware trends, tactics, techniques, and procedures used by threat actors.

I was so fascinated by the knowledge shared, and I asked so many questions to the point where they offered me the opportunity to shadow the team in order to learn more. It was this opportunity that deepened my interest in security.  

Later on, I was offered an opportunity to join the MIT Cybersecurity program. From the knowledge I had already attained, I knew that cybersecurity would be the future, and I wanted to be part of it. 

Looking back, I am glad to have embraced every opportunity presented, for “It’s better to be prepared for an opportunity and not have one than to have an opportunity and not be prepared.” – Whitney M. Young, Jr. 

Jason Lau | Chief Information Security Officer, Crypto.com | @JasonCISO | (LinkedIn) 

As part of my engineering degree, we had to experiment with integrated circuit chips and program them to do a variety of different things. It just so happens it was around that time when the first ever PlayStation was released.

In my spare time while getting my engineering degree, I researched and “hacked” the boot sequence of the machine with a “ModChip” I programmed, and I was able to play video games from different regions around the world. (Back in those days, games were on CDs and had country regional restrictions on them. Some of the best games never came to my region!)

I was one of the first with these ModChips at that time, so my friend and I started to help others on the side. This freelance job was quite thrilling and exciting!

This was my first experience with hacking and reverse engineering. It taught me how to use root cause analysis to really dig deeper in order to understand the underlying technology and reasons for why things worked (and didn’t work). 

This is a fundamental skill which I have found useful in my cybersecurity career. 

Phillimon Zongo | Chief Executive Officer at Cyber Leadership Institute | @PhilZongo | (LinkedIn) 

I would say my eureka moment came around the end of 2015 when I went back to the drawing board and took a deep look at my career path. I felt like my career had stagnated. 

I wanted to specialize in cybersecurity because by that time it was one of the fastest growing fields within the technology risk space. It was clearly the center of attention for the board of directors, regulators, customers, and even investors. Instead of spreading myself thin across every aspect of technology risk, I wanted to go deep in cybersecurity. 

I realized that there was a major problem in cybersecurity: a lot of the material that I was reading was very technical in nature, but it was almost impossible for me to link cybersecurity tools to strategic business goals.

I realized that the subject of cybersecurity was confined within the corridors of IT. It was supposed to be a responsibility of everyone from the front office staff to the board of directors and cybersecurity professionals themselves. That’s when I realized there was a major gap. 

After months of researching and talking to other people, I realized that I needed to develop skills that would help me translate the complex side of cybersecurity into a language that was understandable by senior business leaders. 

 

Want to learn more about how technology propelled these experts into cybersecurity? Download our eBook: Diversity in cybersecurity: A mosaic of career possibilities today. 

The post Technology as a Security Springboard: How These Experts Pivoted to Cybersecurity appeared first on Cisco Blogs.

Podcast: Taking the unconventional career path in cybersecurity


In the latest episode of the Security Stories podcast, we take on the topic of cybersecurity careers.

Myself, Ben Nahorney and Noureen Njoroge are joined by guests Mitch Neff, Marketing Lead at Cisco Talos, and Corien Vermaak, Cybersecurity Partner Sales Lead for Cisco APJC.

We each discuss how we got our starts in the cybersecurity industry. As it turns out, none of us took a conventional path!

The five of us also talk about the people and the mentors that helped us along the way, including some practical advice for anyone who wants to be a mentor, or gain a mentor.

We then passionately tackle the topic of job descriptions and why they might be contributing to the so-called “cybersecurity skills gap”. We also talk about what hiring managers can do to make sure they’re not putting the right people off with their words.

The interview

Curtis Simpson, Chief Information Security Officer at Armis

For our main interview, I had the pleasure of chatting to Curtis Simpson, Chief Information Security Officer at Armis to discover his story.

A self-taught cybersecurity geek, Curtis spent 20 years at Sysco, building a decentralized network before moving to Armis.

Curtis talks about how he changed perceptions of cybersecurity being “just a cost centre”. He gave some great examples of how cybersecurity is directly tied to business outcomes, such as the productivity of the sales team.

He also touches on just how difficult a decision it was to leave after 20 years, but ultimately he knew it was the right thing.

Finally, we discuss how his organization has reacted to the global pandemic, and I learn about Curtis’ take on the current threat landscape, particularly around securing IoT devices.

We hope this episode proves that there is no singular footpath into cybersecurity. And that’s no bad thing.

Time stamps

0.00 Intro
3.46 Interview with Curtis Simpson
47.26 Discussion on careers in cybersecurity
1.42.00 Close

Play the episode

You can listen to this podcast on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from! You can also listen right here and now:

More career related resources

Here are some more resources as mentioned in our careers discussion:

Noureen’s cybersecurity mentoring hub: https://cybersecmentorship.org
Noureen’s mentor and mentee group on LinkedIn: https://www.linkedin.com/groups/8673525/
Cisco NetAcademy courses: https://www.netacad.com/courses/cybersecurity
Blue Team Village Discord of which Talos are a sponsor: https://discord.com/invite/blueteamvillage

Also check out our just published eBook: Diversity in Cybersecurity: A Mosaic of Career Possibilities

The post Podcast: Taking the unconventional career path in cybersecurity appeared first on Cisco Blogs.