Category Archives: education

From Naughty to NICE: Best Practices for K–12 Cybersecurity Education

In an effort to raise cybersecurity awareness and help both school districts and teachers develop security-based curricula, the National Institute for Cybersecurity Education (NICE), part of the National Institute of Standards and Technology (NIST), hosted two consecutive conferences this fall.

These back-to-back conferences brought experts from industry and academia together to share creative strategies to help educators teach youngsters how to change their “naughty” online behaviors into good cyber hygiene.

The NICE Conference in Miami was held in November, followed by December’s NICE K12 Cybersecurity Education Conference in San Antonio, which introduced some innovative technologies as well as multiple training sessions to help schools make students more aware of how to protect themselves online and of the many career paths available to them in cybersecurity.

Let the Youth Lead Cybersecurity Education

I had the pleasure of speaking at the NICE K12 Cybersecurity Education Conference on how to create a cyber-aware classroom, but my presentation was just one of many, and it paled in comparison to that of the keynote speaker, Kyla Guru, a 16-year-old high school junior from Illinois. Guru is the founder and CEO of Bits ’N Bytes Cybersecurity Education (BNBCE), a youth-built nonprofit that provides suggestions for day events and classroom discussions.

Also among Guru’s list of notable cybersecurity education resources are CommonSenseMedia, CodeHS Cybersecurity, Facebook Security Centre and (ISC)2.

In her work over the past few years, Guru has seen that students are increasingly encouraged to take at least one computer science course starting in middle school, and are subsequently guided to pursue the subject with a progression of courses in high school.

Implement Student-Created Curricula

What’s unique about the BNBCE curriculum is that it’s created by youth. The nonprofit offers lessons on encryption, privacy policies, digital citizenship, data breaches, passwords and social engineering, all of which are organized by age group.

“BNBCE also produces animated videos tailored for each school’s core values and principles, as well as conducts outreach events and runs biweekly research-based blog posts on relevant cybersecurity concepts for the classroom. We would love to support schools as they integrate cyber in their classroom discussions,” Guru said.

How to Break Google’s Influence on a Generation

Recognizing that her generation is digitally driven and has been raised to consider “Googling” as sufficient research, Guru said it is critical that the time young people spend using technology as their new medium for discovery and exploration be spent securely and safely so they can learn without limitation.

“K–12 students are by far the greatest consumers of digital information there are. In fact, a recent survey showed that 82 percent of Generation Z shares that Instagram, Snapchat, Buzzfeed and other social media sites are their primary news sources,” Guru said.

Engage Students in Cyber Awareness

In the Cyber Day 4 Girls workshop, hosted by IBM in advance of the NICE K12 Cybersecurity Education conference, young women in grades six through nine had a chance to learn how to protect their online identities and internet-connected devices while working alongside some impressive female role models who are already studying and working in cybersecurity.

Attendees also heard about the defensive hacking curriculum created by IBM and Hacker High School (HHS), and how to infuse ethical hacking skills across the curriculum, which was presented by HHS director Kim Truett.


Industry Professionals: Step Up

Clearly, educators and students alike are doing their part to move the cybersecurity needle forward, but industry leaders also play a critical role in helping to raise cybersecurity awareness and education among today’s youth.

In his presentation to audience members at the Miami conference, Eduardo Cabrera, chief cybersecurity officer at Trend Micro, talked about the need for more partnerships between enterprises and the K–12 sector.

“We have to rethink what we are doing around cybersecurity education, not only from an awareness and hygiene perspective, but also from the perspective of establishing a permanent pipeline of talent from K–12 that feeds into higher education,” Cabrera said.

What would that actually look like, though? According to Cabrera, one model that could work is what has been happening with DevOps. “There is a concept or movement around DevOps that is speeding up the cycle, taking plays out of the playbook of agile development and looking at the partnerships required between operators, developers and testers. These microservices are creating smaller, quicker sprints. We need to move toward a DevOps model of workforce development.”

Rather than operating in silos, all connected parties can work together. “The operators are the industry, developers are educators and the testers are certifying bodies,” Cabrera said.

Teaching cybersecurity is not solely about STEM and technical skills, either, Cabrera said. “Soft skills are becoming equally as important as technical skills. We have a rock-star employee when they can be technical but equally as skilled at communicating and storytelling.”

Cybersecurity isn’t just about defending one’s digital footprint, after all, but is just one piece of a network of protection for the whole person. To teach the best, most complete self-defense is to teach the whole student — not just the computer-savvy parts.

The post From Naughty to NICE: Best Practices for K–12 Cybersecurity Education appeared first on Security Intelligence.

Operational Counter Intelligence (CI) Analysis Support for C Jobs in Quantico, Virginia – ClearanceJobs

clearancejobs.com - "ISC Consulting Group, Inc. is an Equal Employment Opportunity EEO/Affirmative Action Employer, committed to excellence through diversity. All eligible candidates (minorities, women, veterans, and in…


Tweeted by @ClearanceJobsVA https://twitter.com/ClearanceJobsVA/status/1074743162055376896

50 Years On, We’re Living the Reality First Shown At the ‘Mother of All Demos’

Thelasko quotes a report from Ars Technica: A half century ago, computer history took a giant leap when Douglas Engelbart -- then a mid-career 43-year-old engineer at Stanford Research Institute in the heart of Silicon Valley -- gave what has come to be known as the "mother of all demos." On December 9, 1968 at a computer conference in San Francisco, Engelbart showed off the first inklings of numerous technologies that we all now take for granted: video conferencing, a modern desktop-style user interface, word processing, hypertext, the mouse, collaborative editing, among many others. Even before his famous demonstration, Engelbart outlined his vision of the future more than a half-century ago in his historic 1962 paper, "Augmenting Human Intellect: A Conceptual Framework." To open the 90-minute-long presentation, Engelbart posited a question that almost seems trivial to us in the early 21st century: "If in your office, you as an intellectual worker were supplied with a computer display, backed up by a computer that was alive for you all day, and was instantly responsible -- responsive -- to every action you had, how much value would you derive from that?" By 1968, Engelbart had created what he called the "oN-Line System," or NLS, a proto-Intranet. The ARPANET, the predecessor to the Internet itself, would not be established until late the following year.

Read more of this story at Slashdot.

Parting Shots (Q4 2018 Issue)

infosecurity-magazine.com - According to statistics published in October, there are around three million vacancies in the cybersecurity industry. The research came from (ISC)² and of 1452 survey recipients, the highest gap is i…


Tweeted by @InfosecurityMag https://twitter.com/InfosecurityMag/status/1072474203809558529

Cyber-harassed: “I think no one had ever wanted me dead this badly” | Renseignements Stratégiques, Investigations & Intelligence Economique

scoop.it - Here is the story of Nathalie*, 25. Her testimony joins our series “Pris pour cible” (“Targeted”) on online harassment. Through these individual experiences, 20 Minutes wants to explore all…


Tweeted by @Expert_IE_ https://twitter.com/Expert_IE_/status/1072084254232858624

‘What Straight-A Students Get Wrong’

From a story: Year after year, I watch in dismay as students obsess over getting straight A's. Some sacrifice their health; a few have even tried to sue their school after falling short. All have joined the cult of perfectionism out of a conviction that top marks are a ticket to elite graduate schools and lucrative job offers. I was one of them. I started college with the goal of graduating with a 4.0. It would be a reflection of my brainpower and willpower, revealing that I had the right stuff to succeed. But I was wrong. The evidence is clear: Academic excellence is not a strong predictor of career excellence. Across industries, research shows that the correlation between grades and job performance is modest in the first year after college and trivial within a handful of years. For example, at Google, once employees are two or three years out of college, their grades have no bearing on their performance. Academic grades rarely assess qualities like creativity, leadership and teamwork skills, or social, emotional and political intelligence. Yes, straight-A students master cramming information and regurgitating it on exams. But career success is rarely about finding the right solution to a problem -- it's more about finding the right problem to solve.

Read more of this story at Slashdot.

How Tomer Agayev Fights Financial Fraud Through Curiosity, Suspicion and Education

Tomer Agayev leads a security team that keeps our hard-earned savings safe from fraudsters.

As threat research team lead at IBM Trusteer, Tomer guards the gateway to threats both known and unknown. His team’s responsibility is to monitor new and emerging threats, understand them intimately, and feed information to the cybersecurity protection content development teams so they know how to best defend against financial fraud.

The products developed by Tomer’s Trusteer colleagues are deployed by the world’s biggest financial institutions to protect their clients against malware, phishing, social engineering and more, and their success is largely thanks to Tomer’s penchant for figuring out what makes threat actors tick.

The World of Security Is ‘Pretty Amazing’

Tomer previously served in the Israeli Defense Forces and spent his last year of service as a system administrator and IT team leader. So when he entered the civilian workforce, information security was an obvious first port of call.

Tomer joined Trusteer in March 2013 as a help desk representative, but it wasn’t long before he felt he needed a change.

“I wanted to expand my knowledge, especially in a company like this that deals with information security at its heart,” he said. “That whole world is pretty amazing, and I knew there was more to learn and accomplish.”

So he spoke to managers and human resources, eager for an opportunity to grow and “make myself something bigger.” Luckily, Trusteer is a supportive and nurturing environment to work in, Tomer emphasized, and he soon began a new role as a security threat researcher.

Social Security: How Tomer Educates the Masses

One of the most common types of attack Tomer’s team encounters is social engineering.

“Most of the time, the threats will target the bank’s customers themselves; it’s the most popular attack,” he said.

He mentioned the work his team has done in Brazil to combat phone-based schemes: Fraudsters call businesses, introduce themselves as bank employees, and then trick customers into installing malware on their machines or prompt them to disclose their credentials.

It’s difficult to combat social engineering because it comes down to education, Tomer explained. Still, his team works tirelessly to research these cases and feed banks information to educate their customers about threats. By analyzing the malware, he said, the team can protect against malicious action regardless of social engineering.

“Even if the fraudster tries an attack, it would fail because our products are better and more powerful,” he said.

Still, it’s impossible for any mere human to keep up with the ever-evolving threat landscape, which is why the Trusteer team works with many automated processes. Tomer spoke proudly of its lab, which analyzes around half a million malware samples every year. As valuable as automation is, however, this analysis is augmented by manual hunting.

“This is one of the strengths of our threat research team,” he said. “We need to be in the trenches to know what’s going on, even if it’s not coming from the threat intelligence feeds we established.”

Even if a threat hasn’t yet targeted the financial world, it’s still on Tomer’s radar; the Trusteer team often sees techniques shared across threat actors, he said.

Tomer Agayev fights financial fraud for IBM Trusteer

A Threat Researcher Never Stops Learning

The life of a threat researcher is fast-paced and high-stakes, and there are new and unprecedented challenges to overcome every day. But that doesn’t bother Tomer in the slightest.

“It’s a lot of fun,” he said. “You need to learn all the time, which is something very important to me. When I’m stuck in one place that doesn’t challenge me, it’s a problem.”

In his free time, Tomer prefers quieter pursuits, such as nature photography and spending time with his wife.

“It’s the quiet; it’s very peaceful,” Tomer said of his photography hobby. “A lot of times, I find nature more fascinating than even a beautiful city landscape. It’s just so big and vast.”

Why You Should Always Be Suspicious

To work as a threat researcher, Tomer emphasized, you need to be curious, suspicious and ready to question what other people say. While conducting forensic analyses, threat researchers strive to “collect all the pieces of the puzzle” in order to recreate the entire scenario enacted by the fraudsters. Tomer likened this aspect of the job to solving a new mystery with each instance of fraud.

“In order to understand fraud, sometimes you need to think like a fraudster,” he said. “We need to try to understand how the other side would think to better understand how to combat them.”

Tomer also wants to make sure his friends and family are educated and aware of how to spot the fraud schemes that his team encounters so often.

“It’s a bit harsh to say, but the internet is not a safe place,” he said. “People just need to be aware that not everything that shines is a diamond.”


The post How Tomer Agayev Fights Financial Fraud Through Curiosity, Suspicion and Education appeared first on Security Intelligence.

Stephane Dardenne on LinkedIn: “Economic intelligence conference at the IUT de Poitiers. A conference by the “economic security and business protection” branch of the Poitou-Charente administrative training (FAPC) was held on 4 December 2018 at the Institut Universitaire de Technologie (IUT) in Poitiers. Colonel (citizen reservist of the gendarmerie) Jacky Sicard, Chief Warrant Officer (gendarmerie reservist) Jean-Michel Lathière and Staff Sergeant (maréchal des logis chef) Yannick Labetoulle raised the awareness of 38 second-year Mechanical Engineering students about economic intelligence and, in particular, cyber threats. Thanks to the three speakers for their professionalism. As a reminder, 19 prevention fact sheets on this subject are available on the website of the Vienne prefecture: https://lnkd.in/diQwn86”

linkedin.com - Economic intelligence conference at the IUT de Poitiers. A conference by the “economic security and business protection” branch of the Poitou-Charente administrative training (FAPC) was held…


Tweeted by @dardennestephan https://twitter.com/dardennestephan/status/1070730581225426944

Frauen MINT Award 2019

challenge.telekom.com - It’s that time again! Female STEM students from all over the world have the chance to apply for the much-coveted Frauen-MINT-Award 2019 with their bachelor’s or master’s thesis in a STEM subject. …


Tweeted by @TelekomKarriere https://twitter.com/TelekomKarriere/status/1069927411301670912

12% of Spanish children want to be a YouTuber, influencer or community manager | Marketing Directo

marketingdirecto.com - According to the Future Lab study, produced by Fundación CINNED in collaboration with People Excellence, the newest and most modern professions are gaining popularity among young Spaniards. Although…


Tweeted by @JoanLluisRubio https://twitter.com/JoanLluisRubio/status/1068248346274537479

CIDSI

cgii.gob.bo - He has worked at various public and private institutions; in Bolivia he was Supervisor of the Tax Legal Division at the firm Berthín Amengual y Asociados; Consultant…


Tweeted by @N4Security https://twitter.com/N4Security/status/1068161074724306944

Review the legislative framework to better prevent cyberbullying and better prosecute perpetrators. | Renseignements Stratégiques, Investigations & Intelligence Economique

scoop.it - Review the legislative framework to better prevent cyberbullying and better prosecute perpetrators. Study, with the actors involved in moderation, the options for informing and reporting to the…


Tweeted by @Expert_IE_ https://twitter.com/Expert_IE_/status/1067009908661465088

NominacionesiAgua 2018 in base 6

iagua.es - Last Friday the #nominacionesiAgua took place, with a significant impact on social media (Twitter, Facebook, Instagram, LinkedIn, etc.). Alejandro shared a tweet saying that 3 million had been surpassed…


Tweeted by @iAguaEspana https://twitter.com/iAguaEspana/status/1066975865534263296

Bureaucracy in the Fourth Transformation

animalpolitico.com - As of December 1, the new president will become the head of the federal bureaucracy. The time of campaign promises, of announcements of new goals and priorities…


Tweeted by @LaBambiPuebla https://twitter.com/LaBambiPuebla/status/1065679308625244165

How Cloud Security Architect Andi Hudson Nurtures Today’s Youth to Protect Tomorrow’s Data

There’s rarely a time in the day when Andi Hudson isn’t immersed in technology. When he’s not fulfilling his duties as IBM’s cloud security architecture lead in the U.K., he’s reaching out to the next generation of cyber professionals through volunteer work with universities and colleges. Or, he’s teaching his own young kids how to write in Python, or how to make wacky contraptions, such as an automated irrigation kit and a Tesla coil that plays music.

Simply put, Andi Hudson lives and breathes tech and security, and he’s always happy to chat about anything from cloud security, to artificial intelligence (AI), to the impact of the Internet of Things (IoT) to the neuroscience of privacy denial.

“For me, cybersecurity has to start right at the very beginning,” he said, speaking from his home in South Wales. “Giving kids access to this stuff is important, but even more important is teaching them to use it ethically and responsibly.”

Spreading the Gospel of Data Privacy

No matter what else he’s doing, Andi is always keeping a close eye on the future. He’s particularly interested in artificial intelligence, data privacy and what the C-suite needs to pay more attention to.

Much of it comes down to the data, which Andi classified as “the oil of tomorrow.” He believes that, given the right bits of information, cybercriminals can steal data (including identities) and “really go to town with this information.” He’s also worried about the confirmation bias this level of sharing brings — that our “likes” are collected and we’re grouped with other users who share the same ideas and opinions. To quote Andi, quoting author Cory Doctorow: “It’s not about what you have to hide; it’s about what you choose to share.”

“We give away so much information so freely, to a degree I think the horse has already bolted,” he said. “That’s why I invest so much of my own time in educating academia, because they’re the next generation. But it doesn’t just start at universities and colleges; it starts at home in the family, and in primary school and secondary school. Security is not a product — it’s a process.”

Andi is a science, technology, engineering and mathematics (STEM) ambassador, as well as a Barefoot volunteer with Computing at School (CAS). He visits primary schools to nurture the next generation of cyber professionals. Andi shows the faculty how to teach computational science, helps children understand the importance of STEM subjects and exposes them to careers in technology.

Andi Hudson, cloud security architecture lead at IBM

A Nontraditional Approach to Cloud Security

When he’s not nurturing the youth, Andi leads a growing team of architects at IBM Security U.K. Part of his role is to ensure that all the individual skill sets in security keep cloud-based applications front of mind. IBM promoted him to lead after catching wind of the impressive work he did in the London insurance market, building collaborative cross-vendor solutions for a new target operating model that enables 9,000 U.K. financial services companies to work together.

“IBM never really had a cloud team that encompassed a lot of those different skill sets,” he said. “A lot of the traditional architecture always sat in resource pools within somebody else’s data center — but, of course, with the cloud, that’s all different now. They’re not using their own data centers anymore; they’re using ours.”

While Andi primarily works hands-on with clients on cloud-related transformation projects, he also gets to speak at conferences and, of course, engage with the education sector in both his day job and his volunteer work.

A member of the South Wales Cyber Security Cluster, Andi works with Cardiff’s three universities to make courses as relevant as possible according to the latest industry trends. That plays into the work IBM does with Exeter University, and may soon start doing with Warwick University and the University of the West of England.

“It’s about making a difference,” he said before launching into a story from last year when, at the height of the Petya and WannaCry ransomware outbreaks, he found himself in a war room on a weekend trying to reverse-engineer a client out of an attack.

“You know when you feel sick in your stomach, the nerves and anxiety? I’ve had it before when I used to work for a services company; we switched the system off once and it didn’t come back on,” he recalled. “You have this gut-sickness feeling. You’ve just done a lot of work, you’ve had no sleep, and you know you won’t get any sleep or food until this problem’s gone. It was exactly like that — that sick feeling.”

Why Security Leaders Need to Tell It Like It Is

Luckily, Andi was so close to the customer and had been so hands-on with the account that he was able to solve the problem and develop a watertight remediation plan. He even won an award for his work.

The key, he said, is his willingness to have frank discussions about security, even if it means telling clients what they don’t want to hear. Andi has found that this nontraditional approach helps him develop closer relationships with clients and break conversational barriers that would otherwise stymie progress.

“I think that clear, open transparency just resonates with customers,” he emphasized. “A lot of things were always taboo — certain things you didn’t say to certain executives, and certain things you didn’t cover — but if you want a real, secure solution, unfortunately you have to have those conversations.”

This transparency is especially crucial today, given the lightning-quick pace of change in the industry and ever-evolving nature of the cyberthreat landscape.

“The fact is, it keeps changing — and what’s right today might not be right tomorrow.”

That’s why Andi always has his eyes on tomorrow — both in terms of the threats his clients will have to contend with and the next generation of cybersecurity heroes that will defend them.

The post How Cloud Security Architect Andi Hudson Nurtures Today’s Youth to Protect Tomorrow’s Data appeared first on Security Intelligence.

Facing a cyber hurricane: how France can prepare | Renseignements Stratégiques, Investigations & Intelligence Economique

scoop.it - Better sharing of information on cyberattacks, protecting SMEs, strengthening the legislative arsenal, developing technological expertise and training... The report “Cybermenace : avis de tempête…


Tweeted by @Expert_IE_ https://twitter.com/Expert_IE_/status/1065564683783016448

Interjet Contests

interjet.com - This privacy notice forms part of the use of the website www.interjet.com. ABC Aerolíneas, S.A de C.V. (Interjet), with its registered address at Av. Capitán Carlos León s/n, Col. Zona Federal Aeropuerto Internaci…


Tweeted by @interjet https://twitter.com/interjet/status/1065325658069442560

Police commissioner on Moro’s team was part of Lava Jato and of an operation marked by a university rector’s suicide – Política – Estadão

politica.estadao.com.br - Former federal judge Sergio Moro, the incoming Minister of Justice and Public Security, has brought in, to assist him with the government transition work, Federal Police commissioner Érika Marena, who worked on the…


Tweeted by @DeCastroAlves https://twitter.com/DeCastroAlves/status/1064947627580669954

Virginia To Produce 25K-35K Additional CS Grads As Part of Amazon HQ2 Deal

theodp writes: Developers! Developers! Developers! To make good on the proposal that snagged it a share of the Amazon HQ2 prize, the State of Virginia is also apparently on the hook for doubling the annual number of graduates with computer science or closely related degrees, with a goal to add 25,000 to 35,000 graduates (Amazon's HQ2 RFP demanded info on "education programs related to computer science"). To do that, the state will establish a performance-based investment fund for higher education institutions to expand their bachelor's degree programs, and spend up to $375 million on George Mason University's Arlington campus and a new Virginia Tech campus in Alexandria. The state will also spend $50 million on STEM + CS education in public schools and expanding internships for higher education students. Amazon is certainly focused on boosting the ranks of software engineer types. Earlier this month, Amazon launched Amazon Future Engineer, a program that aims to teach more than 10 million students a year how to code, part of a $50 million Amazon commitment to computer science education that was announced last year at a kickoff event for the Ivanka Trump-led White House K-12 CS Initiative. And on Wednesday, Amazon-bankrolled Code.org -- Amazon is a $10+ million Diamond Supporter of the nonprofit; CS/EE grad Jeff Bezos is a $1+ million Gold Supporter -- announced it has teamed with Amazon Future Engineer to build and launch Hour of Code: Dance Party, a signature tutorial for this December's big Hour of Code (powered by AWS in 2017), which has become something of a corporate infomercial (Microsoft recently boasted "learners around the world have completed nearly 100 million Minecraft Hour of Code sessions"). Students participating in the Dance Party tutorial, Code.org explained, can choose from 30 hits like Katy Perry's "Firework" and code interactive dance moves and special effects as they learn basic CS concepts.
"The artists whose music is used in this tutorial are not sponsoring or endorsing Amazon as part of licensing use of their music to Code.org," stresses a footnote in Code.org's post. So, don't try to make any connections between Katy Perry's Twitter endorsement of the Code.org/Amazon tutorial later that day and those same-day follow-up Amazon and Katy Perry tweets touting their new exclusive Amazon Music streaming deal, kids!

Read more of this story at Slashdot.

Confapi & Legality: Marisa Manzini, the story of a magistrate who courageously challenged the Calabrian mafia clans

primapaginanews.it - Notice pursuant to Law no. 196/03 on the protection of personal data. Personal data are processed in accordance with Legislative Decree 196/03, the “Codice in materia di protezione dei dati personal”…


Tweeted by @presidenteprimo https://twitter.com/presidenteprimo/status/1063328623959179265

Please Spread The Word: Cybersecurity Scholarships From (ISC)² and the Center for Cyber Safety and Education – CTOvision.com

ctovision.com - The following info comes via friends at isc2.org, please share this with any you believe eligible: Each year, (ISC)² and the Center for Cyber Safety and Education partner together to offer scholarshi…


Tweeted by @TheCyberThreat https://twitter.com/TheCyberThreat/status/1063251696678252544

I confess…

elcatocomunista.wordpress.com - that since last year I have been teaching Catholic Religion classes, last year in state schools and this year in a state-subsidised private school. I confess that at no point did I require …


Tweeted by @seminario_mayor https://twitter.com/seminario_mayor/status/1063190600151781376

Cyber risks: FM Global launches its interactive online assessment tool | Renseignements Stratégiques, Investigations & Intelligence Economique

scoop.it - The mutual insurance group specialising in industrial risk coverage has decided to expand its cyber-protection offering by launching an online risk assessment tool. Cyberattacks…


Tweeted by @Expert_IE_ https://twitter.com/Expert_IE_/status/1063045756364427267

Protection against Cyber Threats

report.at - This shows that the detection of and response to complex attacks must be strengthened. Security Intelligence as a Service from T-Systems closes this gap and, in the event of cyberattacks, improves…


Tweeted by @tsystemsde https://twitter.com/tsystemsde/status/1062952588004544512

How Can Industry Leaders and Academia Help Improve Cybersecurity Education?

Just as the field of cybersecurity grew out of information technology, cybersecurity education is evolving as an offshoot of the computer science field. The current state of cybersecurity course offerings as an underdeveloped computer science footnote is allowing the skills gap to grow. To change this, higher education has to address the theoretical and hands-on skills students need to do their jobs post-graduation.

Without sufficient expert staffing, security teams lack the resources necessary to do their jobs effectively; in this way, the skills gap itself is a significant security risk. How, then, can the industry educate the next generation at scale? While there is no one answer, let’s take a look at what’s going on in classrooms across colleges and universities to see how higher education can evolve to meet the needs of the industry.

How to Recognize Shortcomings in Cybersecurity Education

By taking a closer look at the actual cybersecurity training programs higher education currently provides, industry leaders can help draw the road map of where it needs to go. How can they improve its offerings without bankrupting students who are already spending tens of thousands of dollars on degrees that fail to prepare them for the real-world problems they will face?

Bo Yuan, professor and chair of the Department of Computing Security at Rochester Institute of Technology (RIT), acknowledged that many undergraduate degree programs in cybersecurity start out with common introductory courses in computing and mathematics, such as Computer Science I and II and Calculus, eventually ramping up to more specialized training.

“As they get further into the program, students at RIT take more cybersecurity-focused courses, including Introduction to Cryptography and Cyber Security Policy and Law,” Yuan said. “In master’s degree programs, courses often focus on the theoretical foundations of computing security and how to become leaders in the implementation of computing security and information assurance policies and practices.”

To ensure that graduates are able to successfully transition from the classroom to the security operations center (SOC), cybersecurity education leaders should expand and more deeply integrate their hands-on learning opportunities.

Why Student Outreach Is Crucial

With the hefty price tag on degrees these days, students need to be judicious in the programs they choose. But it’s also up to industry leaders to reach out to their future recruits and help connect them with opportunities. Although one-to-one engagement across school districts is impossible, any role security professionals can play is a significant investment in long-term cybersecurity strategy.

Steering students toward cybersecurity training programs that offer them the chance to detect, identify and respond to existing threats in a simulated environment will yield the best returns. Unfortunately, those opportunities are not equally available to all students, and many won’t have the exposure they need to recognize their specialized interests within computer science early enough to plan effectively to get there.

Collaborate to Offer Experiential Learning

Hands-on learning opportunities are essential for cybersecurity students, and many academic institutions, including RIT, enable students to gain experience through simulated real-world exercises. But the students need to know what’s out there before making career-defining decisions to specialize one way over another.

To that end, some security companies have already partnered with educational organizations to extend opportunities for such immersive training.

“We have a heavy hands-on component to the degree programs with labs and project assignments,” Yuan explained. “Additionally, RIT computing security students are required to do two terms of co-ops (paid internships) before graduation.”

Yuan noted that RIT students have engaged in cooperative educational experiences with organizations such as IBM, Eaton Corporation and government agencies. These experiences often lead to job offers before graduation; both students and recruiters are reaping the benefits of these arrangements.

Why It’s Important to Make Connections Early

Through internships and co-ops, students can develop strong cybersecurity skills in the field, which hiring organizations desperately need to keep up with the evolving threat landscape. The Advanced Cyber Security Center (ACSC) and the University of Massachusetts created the Cybersecurity Education and Training Consortium (CETC) to bring industry leaders and students together. According to a press release, “The CETC will connect higher education leaders with business leaders to promote academic programming in cybersecurity that aligns with the needs of Massachusetts employers.”

Higher education programs around the world should partner with the cybersecurity industry to learn more about the needs of students and professionals. Through these innovations, students and enterprises can gain efficient access to both learning opportunities and talent. By working together with institutions of higher learning, businesses can ensure that students come out of learning programs armed with an understanding of the existing threat landscape and how to monitor its constant change so that they are fully equipped to do their jobs.

The post How Can Industry Leaders and Academia Help Improve Cybersecurity Education? appeared first on Security Intelligence.

How to create a sticky cybersecurity training program

Organizations know that training employees on cybersecurity and privacy is not only expensive but time-consuming. However, given that current threats are targeting businesses more than consumers, introducing and teaching cybersecurity and privacy best practices in the workplace has undoubtedly become an absolute must.

Creating a successful training program is a massive undertaking. It doesn’t just require one to grab “Cybersecurity 101” material from the Internet, stuff it in a PowerPoint presentation, and expect trainees to understand what’s at stake, let alone change unwanted behaviors. It’s more thoughtful and systematic than this.

Putting together a cybersecurity and privacy training program that is not only effective but sticks requires an incredible amount of time, effort, and thought in finding out employees’ learning needs, planning, creating goals, and identifying where they want to go. Without these, imparting knowledge on cybersecurity and privacy would be ineffective, not to mention costly.

We’re past asking the wrong questions (“Where do I start?”) at this point. But if you’re still weighing your options on whether your organization should do an awareness campaign instead of a full-blown training or education program, we’ll help make it easier for you. Although awareness, training, and education are used interchangeably or compounded together in this field, in reality, these three are entirely different at their core.

Awareness, training, and education

Awareness is in the heart of what we do here at Malwarebytes Labs. We impart learnings by writing about matters related to cybersecurity, which include news, opinion pieces, thought leadership, malware analyses, business and consumer guides, and quarterly threat reports. But for companies aiming to solidify specific security skills that employees need to function, awareness might not be enough.

A security awareness campaign aims to make employees realize that particular actions or responses toward, say, an email of questionable origin could actually be dangerous. The National Institute of Standards and Technology (NIST) defines awareness, training, and education as follows:

  • Awareness is not training. The purpose of awareness is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.
  • Training strives to produce relevant and needed security skills and competencies.
  • Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response.

The IT Security Learning Continuum, as described by NIST, can serve as an excellent backbone for organizations in creating their own cybersecurity learning framework.

NIST also recognizes that awareness can be the foundation of training. That said, organizations may not have to pick one over the other. They can start with awareness, then training, then education, should they choose to produce specialists. In this blog post, we’ll focus solely on the middle ground: training, from its conception to follow-through.

Why training doesn’t work: Let us count the ways

While training is an excellent approach for building security literacy in an organization, it doesn’t always work out as planned. Reasons why training may be ineffective include (1) trainees didn’t learn much from the program, (2) trainees didn’t change their behavior after the program, and (3) trainee learnings aren’t retained for a long time. Let’s also list down a few additional points to keep in mind before putting together a training program to keep our expectations in check.

Training is done once a year. Traditionally, organizations hold training sessions once per year, but when it comes to cybersecurity, this would have to change dramatically. It’s important to hold regular sessions, especially for new hires, to stay on top of any new tactics cybercriminals are adopting that might affect the business. Also, organizations must keep in mind that cybersecurity best practices shouldn’t be the only discipline they should train employees on. They should also pay particular attention to addressing insider threats and workplace violence.

Training is optional. Organizations that aren’t serious about cybersecurity but want to tick off a box conduct a training session (usually a short one) where employees are merely encouraged to attend but are not required. With breaches happening on a regular basis across industries, an employee base that understands cybersecurity has become a necessity in every organization. Governments recognized this need long ago and passed legislation to hold organizations accountable for handling and securing assets. Complying with those laws requires training, especially for employees who directly use data assets as part of their work.

Training is only conducted for non-managerial employees. This is another traditional scenario we see in the workplace. Many may not realize this, but a lot of employees in managerial positions are none the wiser when it comes to cybersecurity. Often, they’re unaware of any security measures and policies the organization already has in place. It is therefore crucial for the organization to include management in the training sessions.

Training is boring/is too long/has too much information to digest. As a result, the learnings the training is meant to impart are not adequately delivered or received. Trainees often feel that there is too much for them to digest (especially if this is the first time they hear all this), and the majority of them end up confused or with too many questions. IT directors and educators will recognize that glazed-over look.

Keeping training expectations in check

Below is a list of points organizations must always bear in mind to temper their expectations and avoid making decisions that would set themselves up for failure.

  • While there is no such thing as perfect security, there is also no such thing as the perfect training program. The closest thing to it would be a program that has been custom-designed to fit the specific organization by individuals with a solid background in cybersecurity.
  • Training isn’t the silver bullet that cures all cybersecurity ailments in an organization. Breaches can still happen.
  • Training won’t change your workforce overnight. Change is difficult, and often, not welcomed by employees. So, expect a level of resistance, hang in there, and overdose on repetition.
  • Training employees doesn’t make them experts. But at the very least, organizations must aim at making every employee competent enough in cybersecurity to do their job well while consistently exercising safe computing habits.

Tips for developing an effective cybersecurity training program

PRE-TRAINING

This is the preparation stage where much of the thinking, brainstorming, and planning takes place. The work here requires a tremendous amount of time, and some organizations may find the wait a hard pill to swallow while breaches are happening left and right. At the end of the day, though, companies will realize that pre-planning is worth the wait.

  • Get executive buy-in or sponsorship. In an organization, it’s challenging—if not impossible—for any program to start and achieve momentum if executives don’t support it. So, getting their blessing before doing anything else should be a priority. Furthermore, executives can help direct and shape the future of the company’s overall cybersecurity learning program.
  • Create a training task force. Once approved, the organization must then create a task force, ideally comprised of representatives from different departments, including upper management. The task force’s size should be relative to the size of its organization. It’s essential to have an exclusive group responsible for the organization’s cybersecurity learning needs, not only to assume accountability but also to adequately address a need and enforce the program. At this stage, the organization can also invite an external third party as a consultant to be part of the task force.
  • Get to know your workforce and the company cultures influencing them. One of the first duties of the task force is to assess their potential trainees—including personnel at the managerial level—and find out what motivates them, how they learn, and what they need to learn.
  • Create a roadmap and include the result they want to aim for. The task force can now use the information they received from their assessment to design the training program and how content can best be presented for maximum learning. It would also be wise to identify bad computing behaviors they have observed from employees and aim to change them. Note: Regardless of how the organization decides to train employees, the training should be based on teaching cybersecurity and privacy best practices and local and international security standards.
  • Prioritize. Once the task force has identified bad behaviors that need to change, the team must then determine the top three they want to address. Doing so avoids information overload. For example: Since every employee in an organization handles emails, the team can focus on introducing risks one may find in their inboxes, identifying risk indicators, highlighting the current insecure practices of employees, and then providing changes to these behaviors that, in turn, mitigate the risks.

Read: Insider threats in your work inbox


  • Decide on the best training approach or strategies to use for your target trainees. There is no one-size-fits-all approach here. The task force can use the traditional classroom-style method, computer-based training (or e-learning), or a combination of the two—otherwise known as blended learning. As a rule of thumb, e-learning is the ideal method for learnings that may need repetition (especially for new hires). Someone in the task force familiar with adult learning methodologies could significantly contribute to further optimize the learning method. For example, the group can plan on solidifying learning weeks after the initial training by having learners go through simulations. Any failure in the simulations is a new learning opportunity.
  • Communicate. This is the part where the task force should socialize the organization’s plans for training the staff, why this is important, what the organization is trying to achieve, and how the training will be conducted. Get buy-in from stakeholders and official sign-off from executives before the first email goes out alerting employees about the upcoming training and having them block off their calendars. The task force can also help employees by sending out regular notices of upcoming training details (or any changes to them) as the date approaches.
  • Prep trainees with an online course before training. Should the task force decide to take the blended learning route, the task force may want to consider preparing employees by having them undergo an online course as a primer to the training proper. The course could be an introduction to terms they may likely encounter during the training but not have heard of, such as business email compromise (BEC). This way, trainees would be able to pick up the jargon used in the training without having to look up acronyms in the dictionary.

PERI-TRAINING

Now that organizations have identified which employee behaviors they want to focus on improving, and they know how to effectively impart the training, it’s time to deliver the training to employees. The work doesn’t stop here.

  • Think of the trainer as a facilitator, not a lecturer. The person presiding over the program should encourage interaction and openness, as employees retain knowledge better as active participants.
  • Make the training environment open and friendly to allow every trainee to speak up without being forced or put on the spot.
  • Make training more interactive. In this age, there are more creative ways to present information than clicking through PowerPoint slides. Videos, voiceovers and/or podcasts, articles, and infographics are at an organization’s disposal. Trainees can also participate in live demos, role-playing, and simulations where possible.
  • To help trainees retain learnings, use mid-course quizzes, exercises, and post-completion summaries.
  • Consider using an online platform for final exams. In this way, companies can also integrate gamification techniques to make exams more fun and less stressful.

As a side note, the task force may want to consider allowing an informal talk or chat between the facilitator and trainees outside the training room, in, say, the company break room or the coffee shop just across the road. This chat could be a further discussion of the topic or learnings of the day’s training, or an opportunity for trainees to ask questions.


Read: How to create an intentional culture of cybersecurity


POST-TRAINING

At this point, the task force’s work is almost done—but not yet.

Activities that happen after the training shouldn’t be optional. In fact, the post-training stage is as indispensable as the pre-training stage. Without this, the effectiveness of the training will not be measured, feedback won’t be acted upon, and eventually, the program will stagnate. Note, however, that post-training doesn’t just involve monitoring effectiveness but looks to produce continuous improvement of the program and company-wide promotion of sound cybersecurity and privacy behaviors.

  • Implement awareness acknowledgments to foster accountability for all employees. Awarding trainees a completion certificate seems to be a popular end result of security training programs. But what if, instead of or in addition to the certificate, organizations had trainees sign acknowledgment documents to promote accountability? After investing in and conducting an effective training program, companies should expect their workforce to comply with the new cybersecurity and privacy policies in place. Nothing can solidify this message more than having them put their names down on paper acknowledging that they should now know better.
  • Set up a portal within the intranet that contains training materials for employees to revisit at their own comfort. If possible, allow employees to access these materials on any device, anytime and anywhere, but only with a VPN. The task force can also add more skill-building resources, such as simulations, for employees to practice what they have learned at any given time.
  • Consider creating an FAQ page to anticipate the usual questions from employees. Not all questions are raised and answered during or immediately after training. And often, one employee has the same concern as another. Having an accessible go-to page to address questions about cybersecurity helps trainees get a leg up before the training, and keeps answers to important questions handy long after the program has ended.
  • Create visual cues around the workplace to keep the learnings fresh. Posters, emails, newsletters. Basically, the works.
  • Make reporting of cybersecurity and privacy incidents readily available to employees. At some point in the future, that proverbial “potentially malicious” email could drop into your employee’s work inbox. Being trained, they would realize that something is off and likely take caution when dealing with it. If a simple reporting system is in place, such as having a dedicated room for cybersecurity and privacy incident reporting in Slack, it would be easier for anyone to raise questions or concerns about suspicious emails. For emails that may have been sent by imposters, a flagging and verification process should be in place for employees to know and properly handle such an incident.
  • Update training materials when necessary. Expect this to happen on a regular basis, especially when new and appropriate case studies come up or more effective teaching methods come to light.

Technology and training do go together

All too often, organizations recognize weaknesses in their systems and network, so they focus on putting money into the best software to beef them up. And all too often, organizations also recognize flaws in their employees’ online habits due to a lack of training or awareness, yet training on matters relating to cybersecurity and privacy doesn’t happen because of budget and resource constraints.

But while it is crucial to address weaknesses in systems that only technology can solve, organizations must realize that, holistically, technology alone makes their security only as good as their firewall or AV. Beyond that, we have people who, while lacking awareness, are a threat to security. For employees to transform from liability to last layer of defense, every person in the organization—from the Chief Executive Officer to the receptionist—must undergo at least one general training on cybersecurity and privacy, which then becomes more in-depth and tailored for individual departments. Neglecting this could cost organizations more than just money; their reputation as a service provider, competitive advantage, and overall business success are also at stake.

Theodore Roosevelt once said that knowing what’s right doesn’t mean much unless you do what’s right. He’s right. It’s not enough for employees to know what to do. They need to absorb it and apply what they know, changing any bad behaviors and adopting safer online practices. The lessons need to stick. In order to achieve this, organizations must create a highly effective training program that ensures employees know and understand why that training is essential, and guarantees that employees follow requirements by holding them accountable. These are tried-and-tested ways organizations can hold their own in this era of breaches.

The post How to create a sticky cybersecurity training program appeared first on Malwarebytes Labs.

Ep. 110 – From SECTF to Pro SE with Whitney and Rachel

So many times we get asked how can you become a professional social engineer.  This month we talk to two amazing women who were never in the industry, took a huge risk and it paid off.  Join us in this fascinating conversation with Whitney Maxwell and Rachel Tobac. Oct 8, 2018

Get Involved

Got a great idea for an upcoming podcast? Send us a quick message on the contact form!

Enjoy the Outro Music? Thanks to Clutch for allowing us to use Son of Virginia as our new SEPodcast Theme Music

And check out a schedule for all our training at Social-Engineer.Com

Check out the Innocent Lives Foundation to help unmask online child predators.

The post Ep. 110 – From SECTF to Pro SE with Whitney and Rachel appeared first on Security Through Education.

Social-Engineer Newsletter Vol 08 – Issue 108

 

Vol 08 Issue 108
September 2018

In This Issue

  • Information Security, How Well is it Being Used to Protect Our Children at School?
  • Social-Engineer News
  • Upcoming classes

As a member of the newsletter you have the option to OPT-IN for special offers. You can click here to do that.


Check out the schedule of upcoming training on Social-Engineer.com

3-4 October, 2018 Advanced Open Source Intelligence for Social Engineers – Louisville, KY (SOLD OUT)

If you want to ensure your spot on the list register now – Classes are filling up fast and early!


The SEVillage at Def Con 26 would not have been possible without its amazing Sponsors!

Thank you to our Sponsor for SEVillage at DerbyCon 8.0!


Do you like FREE Stuff?

How about the first chapter of ALL OF Chris Hadnagy’s Best Selling Books

If you do, you can register to get the first chapter completely free just go over to http://www.social-engineer.com to download now!


To contribute your ideas or writing send an email to contribute@social-engineer.org


If you want to listen to our past podcasts hit up our Podcasts Page and download the latest episodes.


Our good friends at CSI Tech just put their RAM ANALYSIS COURSE ONLINE – FINALLY.

The course is designed for Hi-Tech Crime Units and other digital investigators who want to leverage RAM to acquire evidence or intelligence which may be difficult or even impossible to acquire from disk. The course does not focus on the complex structures and technology behind how RAM works but rather how an investigator can extract what they need for an investigation quickly and simply

Interested in this course? Enter the code SEORG and get an amazing 15% off!
http://www.csitech.co.uk/training/online-ram-analysis-for-investigators/

You can also pre-order, CSI Tech CEO, Nick Furneaux’s new book, Investigating Cryptocurrencies: Understanding, Extracting, and Analyzing Blockchain Evidence now!


The team at Social-Engineer, LLC proudly uses:


A Special Thanks to:

The EFF for supporting freedom of speech


Information Security, How Well is it Being Used to Protect Our Children at School?


August and September are ordinary months to some, but to others they are a time of mixed emotions. It’s the start of another school year. Some are sad to see their children off, while others celebrate that day. The start of the school year brings with it a lot of paperwork and sharing of sensitive information. How well is information security being used to protect our children’s information, and even the school staff’s, personally identifiable information (PII)? How well is it being used to protect against social engineering attacks?

Think about the information that the schools keep; when you registered your child, you may have had to give them copies of their birth certificate, social security number, your phone number, and other personal information. You may have had to give your own social security number, especially if you had to fill out an application for free and reduced-price meals, or you had to register to volunteer at the school. If your child is in a college or university, even more information has to be given such as financial records, medical records, and high school transcripts. What is being done to keep that information secure?

When I read the following headlines they make me a little concerned, how about you?

These are only a few of the many stories out there. According to the Breach Level Index by Gemalto, the education sector had 33.4 million records breached in 2017 and a total of 199 reported breaches. This is a 20% increase of reported incidents over 2016. It gives meaning as to how widespread the incidents are when I see it visually on the K-12 Cyber Incident Map by the K-12 Cybersecurity Resource Center.

Who is breaching school networks, and why are they doing it?

Who is trying to breach a school’s network? It’s not just the student doing it to change grades or for fun, it’s also the elite attacker and the common cybercriminal. Thanks to the easy availability of hacking tools, and the sharing of malicious attack techniques on the dark web, they are able to install ransomware, encrypt drives, and demand payment to decrypt them. They are also able to exfiltrate PII and passwords to gain further access to networks and steal and create identities. Identity thieves will use the child’s information to create their own false identity with which they can take out credit cards and loans, ruining your child’s credit. When this happens, it can make it difficult to get a license, go to college, or get any loans.

How are they doing it?

Cybercriminals are opportunists who will take advantage of any vulnerabilities, especially in organizations that are less secure. Unfortunately for educational institutions, their security stance is usually poor, leaving them at high risk. They battle staffing and budgetary constraints, their view of cybersecurity has been one of low priority, and they see security as an inconvenience.

Another point of weakness is the ease of access to the school’s network. Schools usually have free Wi-Fi, large numbers of desktop and mobile devices, and weak passwords, all of which present potential points of entry into the network. In addition, students will browse the web from insecure networks and often pick up malware, which can then be inadvertently shared with others via email or uploads of coursework to the secure school network.

So, what do cybercriminals do? They use the variety of web- and email-based attacks at their disposal. One web-based attack targets the advertisements served on sites where students commonly browse. These are often completely legitimate sites, such as Thesaurus.com. No click is required; just viewing the ad can initiate the malware download.

An example of an email-based (phishing) attack targeting education was at Northeastern University, where some Blackboard Learning users were targeted by an email that tried to influence the reader into clicking a link that was disguised to be legitimate and tried to compel the action by using a time constraint.

With web- and email-based attacks, the cybercriminal can deliver ransomware and steal student records. All at a great cost to the school system and to those that have their information compromised.

What can be done?

When it comes to protecting our children we are willing to do anything, so what can we do to protect our children’s information?

Here are some things that parents can do:

1. Make sure that the personal computer that is used to log into the school’s network is up-to-date;

2. Make sure that computer has more than just an antivirus installed, add malware protection as well;

3. Be proactive and educate yourself and your children on security awareness;

  • Read the Social Engineer Framework;
  • Have your child create usernames that don’t contain personal information, such as birth year;
  • Look at using a private VPN when on an insecure network, such as at Starbucks. Trustworthy VPNs will usually have a fee for using them;
  • Teach children the importance of not giving out information;
  • Use a secure password manager and don’t share passwords;
  • Make sure teens don’t take a picture of their license and share it on social media; and
  • Don’t throw important documents in the trash, shred them.

4. Be watchful of your student’s browsing activity; and

5. Something you may wish to look into is an identity theft protection service to protect your child against identity theft.

Remember that just because you are asked to give out information doesn’t mean you have to. Ask, “why is it necessary for them to have that information?”

Schools need to follow industry best practices in information security, and we, as parents, need to demand that it be done. Schools should also be required to address the human element in security:

  • Staff, teachers, students, and parents need to be educated and used as a line of defense; and
  • Institute security awareness training which includes: performing simulated phishing exercises; recruiting on-campus security advocates; and holding onsite security education activities, lectures, and in-class training.

Following these suggestions will help to protect our children’s information at school.

Need Inspiration?

If you want some inspiration, look at what some schools are doing:

  • One example is that the July 2017 article of The Educator in San Diego, CA said that, “the local ESET office runs an annual cyber boot camp for about 50 middle and high school students.”
  • Another example was in the June 2017 article of The Educator, which discusses how Macquarie University in Australia uses BlackBerry AtHoc as part of the University’s Emergency Management Plan, and how the system will assist the school in managing and mitigating social engineering incidents, for example, by sending a message to staff and students recommending that they not open a certain email or click on a certain link.

To some, these suggestions may be easier said than done, but if they aren’t followed, the school nearest you may be the next cybersecurity incident we read about. Information security must be implemented to protect the sensitive information (PII) housed at schools, and especially our children’s information.

Stay safe and secure.

Written By: Mike Hadnagy

Sources:

https://www.theeducatoronline.com/au/news/is-your-school-protected-against-cyber-threats/237855

https://www.theeducatoronline.com/au/technology/infrastructure-and-equipment/how-malware-could-be-threatening-your-school/246146

https://edtechmagazine.com/k12/article/2016/04/how-ever-worsening-malware-attacks-threaten-student-data

https://blogs.cisco.com/education/the-surprisingly-high-cost-of-malware-in-schools-and-how-to-stop-it

https://blog.barkly.com/school-district-malware-cyber-attacks

https://in.pcmag.com/asus-zenpad-s-80-z580ca/124559/news/facebook-serves-up-internet-101-lessons-for-kids

https://www.stuff.co.nz/business/105950814/schools-promised-better-protection-from-ransomware-as-taranaki-school-blackmailed

https://www.eset.com/int/about/why-eset/



The post Social-Engineer Newsletter Vol 08 – Issue 108 appeared first on Security Through Education.

Computer Science and Diversity

Today I saw a tweet quoting Mark Guzdial's blog saying "In last five years, little progress in increasing the fraction of American CS BS degree recipients who are African Americans."  It is a problem I've given quite a bit of thought to, but in my thinking, diversity is a problem I approached from another angle.  I've always been pleased that a large number of women have decided to work on the problems I care about.  When I came to the University of Alabama at Birmingham (UAB) I didn't come to "teach Computer Science."  I came to try to change the way we train, recruit, and equip cyber crime fighters.  I was fortunate that our department chairs in Computer Science (Anthony Skjellum) and Justice Sciences (John Sloan) believed that was something worth doing.  Since then, we've moved from having a certificate in Computer Forensics, to a Masters in Computer Forensics and Security Management, to a full Bachelors degree in Digital Forensics.  But the passion has stayed the same.  How do we train, recruit, and equip cyber crime fighters?

I hadn't realized that we were necessarily doing something unique until I had a visit from Jenn Lesser in April of 2013.  At the time, Jenn was the Security Operations Manager for Facebook.  We had a full agenda of things we were hoping to discuss with her, but something happened that halted all of that.  She came into my office, closed the door, and said  "You have SIX WOMEN working in your lab!  Would you mind if we cancel everything else and just let me interview them?"  At the time my lab was much smaller and that represented about 1/3rd of my employees. What Jenn learned was that most of the women in the lab were there because they wanted to fight crime, right wrongs, and serve the cause of Justice.  When they realized that learning to program and analyze hard drives, network traffic, and email headers could help serve that cause better, they were all in.

This fall, I'll have interactions with 83 students in the classroom and 28 of them are women. 11 of the 48 people on my lab payroll today are women, and I hope we'll hire several more at our job fair later this week! I should note that these are not "Computer Science" courses, but rather Computer Forensics courses being taught for Criminal Justice credit.

How do we recruit women?  It's the same as what our ladies told Jenn Lesser back in 2013.  None of them come to our program because they want to write code.  They come because they want to dedicate themselves to the cause of Justice, and they have learned, perhaps in an introductory course from myself or my colleague Arsh Arora, or perhaps in an introductory course from Criminal Justice professor Martha Earwood, that being skilled in technology is a force multiplier.  If you want to protect the financial assets of the elderly, technology helps.  If you want to identify and stop child predators and human traffickers, technology helps.  If you want to fight against hate speech on the Internet or cyber bullying in the schools, technology helps.  If you want to identify and stop the malware that it is stealing our data, finances, and intellectual property, technology helps.

As I was reading through Guzdial's blog post and following the linked stories, I read Kenneth Bowman's post on African American Computer Science enrollment, and also the 2017 Taulbee Survey on Computer Science Enrollment from the Computer Research Association.

The Taulbee survey has some stark numbers for US Citizen, Female, and African American enrollment in Computer Science at all levels.

At the PhD Level

In the US and Canada, they found 124 Computer Science departments awarded 1,557 PhDs.  891 went to "non-resident aliens."  291 went to Females.  10 went to African Americans.  Of the 291 females, 164 were non-resident aliens.  Of the American females, 64 were White, 27 Asian, 4 Black, and 2 Hispanic.

Of 12,689 PhD students currently studying Computer Science in 135 departments, 8,058 (64.3%) are non-resident aliens, 2,734 (21.1%) are female, and 170 are African American.

What about Masters Level?

132 US Computer Science departments awarded 12,483 Masters degrees last year.  8,813 (73.8%) are non-resident aliens.  26.1% of those students who reported a gender were female (3,162 females and 8,956 males). 111 (0.9%) of the students were Black.  Of the 3,162 females, 2,462 (81%) were non-resident aliens.  Of the American females, 272 were Asian, 250 were White, 32 were Hispanic, and 24 were Black.

Of the 25,126 currently enrolled Masters students in Computer Science, 16,414 are non-resident aliens.  Of the 6,682 females, 5,183 are non-resident aliens.  Of the 1,499 resident females, 661 are White, 620 Asian, 95 Hispanic, and 81 Black.

And at the Bachelor's Level?

131 reporting US Computer Science departments awarded 19,907 Bachelors degrees last year. At the Bachelor's level, we have a much greater percentage of American students. Only 12.5% of these were non-resident aliens. But of those remaining 15,433 students, only 547 were Black. Of the 3,198 female Bachelor's degrees awarded, 2,669 went to American women. Of these, 1,110 (35%) were White, 1,104 (35%) were Asian, 200 (6%) were Hispanic, and 93 (3%) were Black.

Of the 86,569 students currently enrolled in Computer Science Bachelor's programs, 10,704 were non-resident aliens. Of the 75,865 citizens in CS BS programs, 13,358 (17.6%) were female. By ethnicity, 39,416 (51.9%) were White, 21,113 (27.8%) were Asian, 8,395 (11%) were Hispanic, and 3,800 (5%) were Black.

The Question

The question that data like this leaves me with is this: Could it be that the lack of interest in Computer Science from women and minorities (especially African Americans) is similar to what I've found in my lab? Perhaps the key to encouraging Computer Science is to look at it not as a Subject to be studied, but as a Tool to be Mastered to enable the study of something else? Computer Science as a tool (in my case) to improve your ability to help fight for Justice. Computer Science as a tool to improve your ability to fight disease and illness. Computer Science as a tool to improve your ability in economics. Computer Science as a tool to improve your ability to fight poverty.

Instead of asking "How do we get more women (or blacks) to study Computer Science?" perhaps we should be asking "How can we learn what women (and blacks) want to make their life's work and show them how Computer Science can help them do their life's work better?"


Bloxham Students Caught Buying Legal Highs at School

It’s true what they say: History repeats itself. This is especially true in the world of web security, where tech-savvy students with an inquisitive nature try to find loopholes in school filters to get to where they want to be or to what they want to buy.

Back in September we blogged about two high-profile web filtering breaches in the US, highlighting the cases of Forest Grove and Glen Ellyn Elementary District. Both made the headlines because students had successfully circumvented web filtering controls.

Now the media spotlight is on Bloxham School in Oxfordshire, England, after pupils were caught ordering legal highs from their dorms. See what I mean about history repeating itself? Okay, so the cases aren’t identical, but there is a unifying element. The Forest Grove student was found looking at erotica on Wattpad, students from Glen Ellyn were caught looking at pornography, and at Bloxham it’s “legal” highs. The unifying factor in all three cases is that they were facilitated by a failure in the school’s web filter.

The difficulty, though, is working out what exactly went wrong with Bloxham’s filter, because none of the technical details have been announced. Were students allowed access to websites selling recreational drugs, or was there an oversight on the part of the web filtering management? In the original story broken by the Times, a teenage pupil was reported to have been expelled, and other students disciplined, following an investigation by the school which found they had been on said websites.

Without knowing the details, it is probably wrong to speculate; however, I’m going to do it anyway! It’s entirely possible Bloxham chose a more corporate-focussed web filter. In a corporate environment, “legal” highs may not present as much of an issue as in an education setting. With a strong focus on education, Smoothwall’s content filter has always been good at picking up these types of site. This is aided by a real-time content filter that is not reliant on a domain list, as these sites are always on the edge of the law and move rapidly. Because the law differs depending upon where you live, and is indeed rapidly changing regarding these substances, Smoothwall doesn’t attempt to differentiate between the grey area of “legal highs” and those recreational substances on the other side of the law. All of them come under the “drugs” category. This gives a solid message across all age ranges, geographies and cultures: it’s best not to take chances with your health!

Thousands of People Could Die if U.S. Power Grid is Attacked

Thousands of People Could Die if the U.S. Power Grid is Attacked.  “A terrorist attack on the U.S. power grid could be more destructive than superstorm Sandy, possibly costing hundreds of billions of dollars and leading to thousands of deaths, the National Academy of Sciences said.” Are You Prepared?  And if not, what are you doing about it?  See full article at businessweek.com

The post Thousands of People Could Die if U.S. Power Grid is Attacked appeared first on Quick Start Survival.