Category Archives: education

(ISC)2 Report Finds Cybersecurity Workforce Gap Has Increased To More Than 2.9 Million Globally | Information Security Buzz

informationsecuritybuzz.com - Despite 59% of cybersecurity professionals saying the widening workforce gap puts their organizations at risk, a majority of workers report strong job satisfaction and are focused on developing new s…


Tweeted by @mandreano https://twitter.com/mandreano/status/1052618194483957760

Why You Should Practice and Drill to Prepare for a Cyber Emergency

Nowadays, businesses operate in a ubiquitous computing environment, relying on information technology to enable the speed and agility of modern business practices from payroll to public offerings. With the vast amount of email content and links that are populating employee inboxes, just one click on a phishing scam can cause a cyber emergency that results in the loss of millions of dollars and customer loyalty — not to mention a lengthy remediation process that amasses additional costs over time.

Spammers Don’t Take Days Off, So Neither Should You

According to the Ponemon Institute’s “2018 Cost of a Data Breach Study,” the average cost of a data breach globally is around $3.86 million. The cost of a mega breach — an event that involves the loss of 1 million to 50 million records — is between $40 million and $350 million, depending on the number of compromised records.

Of the security events recorded in the study, 48 percent were caused by malicious or criminal attacks, including the use of phishing and social engineering techniques to gain unauthorized access to corporate networks. Inboxes are slammed with spam every day of the week, increasing the odds of successful compromise.

The IBM X-Force Kassel research team operates a network of globally distributed spam honeypots, which collect billions of unsolicited email items. Last year, the research team pulled a sample of worldwide data to gain insight into when attackers’ spam bots were the most active.

A look at the same sample size from 2018 echoes last year’s findings: Spammers never rest. However, they are primarily active on Tuesdays and Wednesdays, clocking in at 21 percent and 22 percent, respectively. In addition, they tend to take a less aggressive stance on Saturday (4 percent) and Sunday (9 percent), when offices are less populated and therefore not as target-rich an environment.

Spam Data, Incident Response

A 5-Step Approach to Avoiding a Cyber Emergency

Any coach or instructor will tell you that you get what you train for. In the heat of the moment, our practiced reactions determine the speed and course of our actions. To provide better online security throughout the organization, user vigilance must be a practiced part of the daily workflow.

The U.S. Fire Administration outlined five key components for designing an effective fire safety education program. In cybersecurity, we can apply that same approach to train personnel to consistently avoid the flames of phishing and react effectively to inadvertent compromise.

1. Assess Your Environment

Begin by gathering information about your workforce and network security posture to identify where risks and vulnerabilities may exist. If you’re going to build a safe and consistent security environment, governance is key. Employees must understand what the organization deems right or wrong. Likewise, network defenders should be well-versed in existing policies and procedures for addressing cyber emergencies.

Using examples of previously successful breaching techniques — such as mimicking the phishing scams that already made it through the organization’s safety net — can help you determine how familiar employees are with the dangers of current-day deception and social engineering scams. Meet with IT managers to learn what procedures are in place to help protect against exposure and minimize risk. This is also a great time to ask network defenders about secure email gateways, orchestration and automation, password protection, and two-factor authentication (2FA).

Finally, whether hosted locally or in the cloud, a best practice for email security is to take a layered approach. Digital fortification — from the network perimeter down to individual device hardening — that is built into corporate IT planning can help reduce exposure and risk.

2. Develop a Clear Escalation Map

Every emergency action plan needs to identify key internal and external stakeholders. Who should respond and who needs to be notified if a malicious link is accessed and the network is set ablaze?

Speed and calmness are everything in this moment. Companies that have an in-house incident response (IR) team or an on-call service to confirm and respond to a breach stand to substantially reduce losses in the event of a compromise. According to the “2018 Cost of a Data Breach Study,” companies with a low mean time to identify (MTTI) a breach — less than 100 days — saved more than $1 million. Likewise, companies with a low mean time to contain (MTTC) a breach — less than 30 days — saved more than $1 million compared to those that took longer than 30 days.

A company’s IR plan should clearly outline who to contact in different departments and ranks — in network security, the C-suite and the IR team component, but also the PR team and the company’s legal counsel. The plan should make it easy to reach them, know their responsibilities and have a clear view of their resources for carrying out mission-critical functions in the event of a cyber emergency.

3. Plan and Implement Your Incident Response

Once you have analyzed your risk environment and identified stakeholders, it’s time to establish objectives and create a plan of action. In case of suspected activity, employees should be able to recognize a phishing scam, whether via email or on the phone, and react appropriately as part of their everyday workflow. To do this, you need to recognize, react and repeat.

Recognize

Establish what “normal” looks like to help personnel readily identify what key indicators should not be trusted. For example:

  • Was the email solicited or did it come out of the blue? While some criminals craft very personal emails, most cast a wide net that can be avoided.
  • Do you recognize the sender, and does the domain check out?
  • Does it read, and is it formatted, like a legitimate email?
  • Do the embedded links point to authentic domains?

React

Identify the next steps that personnel should take when something alarming appears. Is the organization set up to enable quick and effective reporting of suspicious emails and activity? Ensure that any employee can easily report an issue to IT security and the IR team. If a user identifies something malicious, a referenceable policy should be in place that clearly states where to forward it and how to flag it. Statistics should then be captured from these events and used to help establish trending threats.

If an employee has already clicked a link, identify what needs to happen next to correct the situation, from pulling the plug to quarantining the network. If a larger issue is confirmed or an attack is underway, each corporate player should know his or her role. Decisive action can save priceless moments when reacting to a digital threat.

Repeat

Drills should happen monthly, quarterly and double during the holiday season. After all, what’s more enticing than a gift card during the shopping season? Security-savvy reactions aren’t built in a day; they become a part of the culture, a practiced reaction to inbox items that look and smell “phishy.”

4. Market Your Plan to Management and Teams

Gone are the days when droning through a stale slide deck will satisfy a training requirement. People learn in a variety of ways; if you want employees to remember and adhere to your plan, it needs to be engaging. Those in charge of security awareness training would be wise to reach, frame and connect their content with the target audience, a practice known as role-based training, to fit each role’s specific risk factors and likely attack scenarios.

Training needs to be memorable and interactive, so don’t skimp on quizzes, visual reminders, mock phishing campaigns and even companywide giveaways. There’s nothing like a security reminder on a new thermal cup. A spoonful of sugar is a small price to pay to boost organizationwide security awareness.

5. Evaluate Your Plan, Then Evaluate Again

An unexamined plan isn’t worth practicing. Training must be systematic to yield results. Simulate relevant attack scenarios that may affect the organization as authentically as possible and collect the stats on response times and accuracy. Do it again in a quarter, in a month or at random. Crunch the numbers and compare the results. Are employee responses improving? If not, how can the program be improved?

Remember to systematically return to the first step in this approach: assess your environment. In addition to internal review, an outside set of professional eyes on your network to perform periodic penetration testing can help expose previously undiscovered vulnerabilities. Criminal phishing methodologies and the ways by which they target employees are evolving every day, and a good IR plan should too.

Empower Your Users to Adapt to Evolving Threats

The need to establish a corporate culture of cyber awareness has become an accepted tenet of digital enterprise security. To help online safety become second nature across the organization, employees must be able to recognize the sparks of all kinds of scams and learn to react appropriately. Employers, in turn, must give their users the resources they need to continuously adapt to evolving threats and act as a protective layer that can help avoid losses from a cyber emergency.

The post Why You Should Practice and Drill to Prepare for a Cyber Emergency appeared first on Security Intelligence.

Companies denounce the irresponsibility of states regarding cyber wars | Renseignements Stratégiques, Investigations & Intelligence Economique

scoop.it - Cybersecurity specialists are calling on states to recognize that the internet has become a battlefield and to take responsibility for securing businesses and populations…


Tweeted by @Expert_IE_ https://twitter.com/Expert_IE_/status/1051776003641671681

Young Saudi coders prepare for the future

arabnews.com - DUBAI: Millions of Arab coders are refining their digital skills to take on the future through a program aimed at strengthening their technological expertise. Udacity partnered with the Prince Mohamm…


Tweeted by @MshAllh_theBook https://twitter.com/MshAllh_theBook/status/1051415153395294208

Were Millennials Born for a Career in Cybersecurity?

Have you ever struggled to explain your job as a cybersecurity professional to a curious friend or neighbor? Sadly, you’re not alone.

According to Raytheon, more than half of millennials believe they have an idea of what it means to have a career in cybersecurity. Still, they don’t fully understand the vast array of work that is done, the skills that are needed or the real career opportunities that exist in this expanding industry. In fact, they typically believe that a computer science or engineering degree is required to work in cybersecurity.

According to the same report, millennials want careers that involve problem-solving, management, data analysis, communication or software programming. So why don’t they know that the cybersecurity field boasts all of these characteristics? One big reason: a simple lack of awareness. This, combined with the vast cybersecurity skills gap, is the reason why the theme for week two of National Cyber Security Awareness Month (NCSAM) 2018 is “Educating for a Career in Cybersecurity.”

Training the Next Generation of Cyber Defenders

This week — and throughout the year — the National Initiative for Cybersecurity Education (NICE) is striving to raise awareness among the next generation of potential cybersecurity professionals as a starting point to building stronger defenses. From high school to higher education, there are many ways to educate young people about the field of cybersecurity as they consider their career options.

Is there a student or young professional in your life who you think would succeed in the security field? The NICE Cybersecurity Workforce Framework is a great resource for information about the skills needed for a career in cybersecurity. The NICE Framework establishes a taxonomy of cybersecurity work regardless of where or for whom the work is performed. Providing a truly comprehensive look at the industry, the framework is intended for use in the public, private and academic sectors. And if you’re not ready to delve into the full read, this simple one-pager will get you started.

Now’s the Time to Launch a Career in Cybersecurity

Planning out your own career — or helping a mentee plan his or hers — is no easy task. We know the vast array of opportunities in cybersecurity can be overwhelming, but don’t let that stop you. All interested students or young professionals have to do is choose a place to start. NCSAM 2018 is the perfect time to enroll in an introductory course; take advantage of free online courses, such as those provided by Hacker Highschool; or attend a cybersecurity seminar such as those offered regularly by IBM.

Start your cybersecurity journey this October, and you could very well end up like IBM’s Bridgette Pepper. Bridgette started out studying political science and is currently a program manager at IBM Security. Today, Bridgette is deeply involved in outreach efforts to build cybersecurity career awareness among young people.

To learn more about careers in cybersecurity, be sure to check out what’s happening across the U.S. during National Cybersecurity Career Awareness Week from Nov. 12–17.

The post Were Millennials Born for a Career in Cybersecurity? appeared first on Security Intelligence.

How to Land an Entry-Level Cybersecurity Job

Now is an exciting time to work in cybersecurity. Not only is the demand for security professionals still very strong, but young workers seeking an entry-level cybersecurity job have more information at their disposal than ever before. This information can help them show potential employers the value they can bring to an organization.

The field is still fresh and rapidly evolving, so a career started today could go anywhere in the years to come. Given this volatility, how can aspiring security professionals identify the right career path for them and get started today?

Use the Workforce Framework

One key source of information for those on the security job market can be found at the National Initiative for Cybersecurity Education (NICE), an effort led by the National Institute of Standards and Technology (NIST) to address the cybersecurity talent shortage. The program offers an invaluable tool called the NICE Cybersecurity Workforce Framework (NCWF).

The NCWF, also known as NIST Special Publication 800-181, describes all the various fields under the broader cybersecurity umbrella and groups all security activities into seven categories:

  1. Securely Provision (SP)
  2. Operate and Maintain (OM)
  3. Oversee and Govern (OV)
  4. Protect and Defend (PR)
  5. Analyze (AN)
  6. Collect and Operate (CO)
  7. Investigate (IN)

Within each category are specialty areas — 33 in total — such as risk management, knowledge management and executive cyber leadership, to name a few. The NCWF also specifies what knowledge, skills and abilities (KSAs) are required for each task and supports keyword searches across all of its attributes, including categories, work roles and, of course, KSAs. This can help you contextualize your experience and interests within potential pathways in a security career.

Explore Career Paths and Market Conditions

CyberSeek was launched in late 2016 to provide “detailed, actionable data about supply and demand in the cybersecurity job market.” The site features an interactive heat map of cybersecurity job supply and demand nationwide, as well as by state.

Another useful feature of CyberSeek is the Cybersecurity Career Pathway tool, which allows applicants to explore how five “feeder roles” can lead them to various entry-level cybersecurity jobs from which they can escalate to midlevel jobs and, eventually, advanced cybersecurity work. The feeder roles can be thought of as five domains of expertise:

  1. Networking
  2. Software development
  3. Systems engineering
  4. Financial and risk analysis
  5. Security intelligence

Review Common Entry-Level Cybersecurity Jobs

As with many fields, there is no official set of titles that clearly indicates an entry-level cybersecurity position. One reason for this gap is that the U.S. Bureau of Labor Statistics (BLS) only recently started to track cybersecurity roles separately from networking roles in its May 2017 “Occupational Employment Statistics” report.

However, by reviewing the NCWF, we can get some idea of common entry-level positions within its defined “specialty areas.”

Information Security Analyst

Because it is tracked by the BLS, this title is one of the most widely used to describe entry-level jobs in cybersecurity. However, the same title can also be found to describe midlevel positions, which can lead to confusion, so it’s important to review the specific qualifications and responsibilities detailed in each listing.

According to the BLS, information security analysts “plan, implement, upgrade, or monitor security measures for the protection of computer networks and information.” They are usually employed by the security function and can be internally facing (working for other security personnel) or externally facing (working for business units).

Junior Penetration Tester

A penetration tester is someone who is hired by a client to bypass or defeat security controls. From the client’s perspective, the pen tester will evaluate the organization’s defenses and report actual or potential weaknesses found along the way, thus giving the client a chance to fix those before a real attacker finds their way in.

The pen tester must have strong knowledge of the types of systems they’re going after, not only to grasp the many ways to compromise those systems, but also to avoid impacting or damaging them since many will be actual production systems. Pen testers usually specialize in specific system types, such as networks, web applications and mobile applications.

Network and Computer Systems Administrators

Historically, this has been a common career from which to transition into cybersecurity. The role primarily focuses on keeping networks functional and often includes security-related activities, such as monitoring access logs, implementing and verifying network-based backups, and tending to security measures to protect the network and detect or investigate activity.

Demonstrate Your Worth — Before You Apply

While there are many openings for qualified candidates, job seekers still need to demonstrate that they are not only qualified, but ultimately the best person for the role. Demonstrating value starts years before filling out a job application.

That means planning your next moves while still taking courses. I’ve heard many chief information security officers (CISOs) tell job seekers to highlight what they’ve done outside of the classroom, how they pushed themselves to learn new techniques, how they developed a home lab to explore various tools and scenarios, etc.

However, budding professionals should be careful not to spend all their time staring at a screen to learn a new tool. Most cybersecurity professions today include a heavy dose of interactions with multiple facets of an organization, including with people whose focus isn’t technology. Job seekers should practice their soft skills, such as thinking critically and communicating effectively to various target audiences.

Overall, cybersecurity career pathways are still so new and diverse that they are bound to continue shifting over time. It’s impossible to know exactly how you might grow into each role that you will take on in your lifetime, but setting goals now can help you get started blazing your own trail.

The post How to Land an Entry-Level Cybersecurity Job appeared first on Security Intelligence.

Campus Student Employment Office

sece.its.hawaii.edu - Job Search Keywords: Campus: UH Manoa, UH Hilo, UH West Oahu, UH Maui College, Hawaii CC, Honolulu CC, Kapiolani CC, Kauai CC, Leeward CC, Windward CC. Island: Oahu, Hawaii, Kauai, Lanai, Maui, Molokai, Other. Category: Accounting/…


Tweeted by @UHMCareerCenter https://twitter.com/UHMCareerCenter/status/1049932734288863232

C&ESAR

european-cyber-week.eu - Recent advances in artificial intelligence (AI), and in particular in machine learning, promise to revolutionize many fields. Cybersecurity, in the broad sense (softwa…


Tweeted by @ExcellenceCyber https://twitter.com/ExcellenceCyber/status/1049627698321088512

Cyber War and Peace between Russia and the West | Renseignements Stratégiques, Investigations & Intelligence Economique

scoop.it - The challenges of the cyber cold war tonight? But are we armed for it? If there is cyber war, can there be a cyber peace? And why not cyber blue helmets? Then the report takes us…


Tweeted by @Expert_IE_ https://twitter.com/Expert_IE_/status/1049607201621504000

Cybersecurity Skills Aren’t Just for Security Professionals Anymore

The famous poet Ralph Waldo Emerson once said, “Skill to do comes of doing.” In other words, hands-on experience matters.

I’ve seen this wisdom at play in both my personal and professional lives. Personally, when racing sports cars, it’s all about seat time — gaining the experience needed, learning and seeking out areas for improvement, and getting better over time. The same goes for cybersecurity skills. It’s all about practice, learning from mistakes and repetition.

Those of us in IT and security sometimes take for granted the average person’s internet behaviors and tendencies and how they can impact overall business risk. Likewise, the average user doesn’t always realize just how much the little things they do — or don’t do — can add up and contribute to the organization’s overall level of IT-related risk. That’s why we need to do what we can to impart our knowledge to users in positive ways so they can become part of the solution rather than remaining part of the problem.

Why Everyone Needs Basic Cybersecurity Skills

Many IT and security professionals pride themselves on their complexity, portraying a situation in which computer security is this magical and mysterious art that only those working in the field truly understand. And yet this really is not the case — almost everything related to security is painfully simple. We all make choices on a day-to-day basis that do one of two things: They either bring us closer to a secure and resilient state or push us away from those goals.

There are many everyday habits security professionals typically practice that can be translated and extended to nontechnical users to improve security across the board. Some habits I’ve observed in this area include:

  • Choosing complex, unique passphrases to use not just for critical work systems, but also for everyday websites and mobile apps;
  • Deciding not to use business-related login credentials — especially passphrases — on nonbusiness websites and applications;
  • Being careful while accessing the same accounts across various devices, including potentially vulnerable systems at home and public computers at the library or in hotels that can expose business login credentials, virtual private network (VPN) connections and information assets;
  • Thinking about the long-term consequences of clicking “no” or “later” when prompted to install software updates;
  • Stopping to ponder what website privacy policies and end user license agreements (EULA) are saying when signing up for new accounts or installing software that can otherwise create unnecessary exposures;
  • Installing software on workstations and mobile devices and considering the potential impact on the network, internet connection and information assets;
  • Thinking critically about which links to click, which websites to browse and which emails to forward;
  • Being smart about the wireless networks you connect to when out and about;
  • Choosing to properly hide or otherwise secure laptops and mobile devices when commuting and traveling; and
  • Paying attention to the headlines regarding security breaches, what’s taking place after the incidents and what the consequences are for everyone involved.

Security leaders should share these tips with users during regular security awareness initiatives and training efforts. Regardless of how well-documented your policies are or how intelligent you think your users are, you can never assume that people will know what to do when an incident occurs, nor can you be sure they’ll always make good decisions. That’s why cybersecurity skills training must be conducted over and over again.

Improve Your Organization’s Security, One Step at a Time

Real security change is often brought about by an outside impetus. If we keep doing what we’ve always done, we’ll keep getting the same results. It’s on all of us — not just IT and security professionals, but employees, executive management and everyone in between — to ensure that our day-to-day behaviors are not creating barriers to better security. Check your assumptions about security and think about the little things you do on a daily basis that may seem trivial, but are actually crucial to security.

It’s critical for organizations to have everyone connecting the dots and following the concept of relentless incrementalism — a little bit every day, time and again. That means getting more information, getting better information and sharing wisdom when it should be shared. Never assume or take things for granted. Situational awareness means seeing things others don’t see — or even bother to think about because they think IT is taking care of things. All of it works together to change behavior for the greater good of the business. Whether you realize it or not, everything counts.

The post Cybersecurity Skills Aren’t Just for Security Professionals Anymore appeared first on Security Intelligence.

Ep. 110 – From SECTF to Pro SE with Whitney and Rachel

So many times we get asked how you can become a professional social engineer. This month we talk to two amazing women who were never in the industry, took a huge risk and it paid off. Join us in this fascinating conversation with Whitney Maxwell and Rachel Tobac. Oct 8, 2018

Get Involved

Got a great idea for an upcoming podcast? Send us a quick message on the contact form!

Enjoy the Outro Music? Thanks to Clutch for allowing us to use Son of Virginia as our new SEPodcast Theme Music.

And check out a schedule for all our training at Social-Engineer.Com

Check out the Innocent Lives Foundation to help unmask online child predators.

The post Ep. 110 – From SECTF to Pro SE with Whitney and Rachel appeared first on Security Through Education.

Will Chromebooks Someday Threaten Windows?

"There are signs that Chromebooks are a bigger long-term threat to Microsoft than you might imagine," reports ITWorld, arguing that "long term, they'll likely be a serious competitor."

The reason? Chromebooks sell big in education. They've unseated the Mac in schools. Two years ago, for the first time, Chromebooks outsold Macs in schools. Schools are a great market for Google, but Chromebooks are also Trojan horses. Children and teens use them for schoolwork and more. And when they get Chromebooks, they also get free subscriptions to Google's G suite of apps. If kids grow up using G Suite and Chromebooks, there's a reasonable chance they'll use them when they get older. Where I live, in Cambridge, Mass., the public Cambridge Rindge and Latin High School gives out free Chromebooks to every one of the more than 2,000 teens in the school, in a bid to close the digital divide between families who can afford to buy computers for their children and those who can't... Cambridge isn't unique. According to a 2017 article in The New York Times, "More than half the nation's primary- and secondary-school students -- more than 30 million children -- use Google education apps like Gmail and Docs... And Chromebooks, Google-powered laptops that initially struggled to find a purpose, are now a powerhouse in America's schools. Today they account for more than half the mobile devices shipped to schools...."

When students graduate, Google makes it easy for them to move all their mail and documents from their school accounts to their personal accounts. And schools sometimes even act as inadvertent salespeople for Google. The Times reports that some schools tell graduating seniors to move all their documents from their school to their personal accounts...

The upshot of all this? Windows hardware continues to rule in enterprises. But Chromebooks may one day prove a serious competitor, as students make their way into the workforce.

Read more of this story at Slashdot.

Montserrat Caballé dies

scherzo.es - 06-X-2018.- The soprano Montserrat Caballé died at the age of 85 in the early hours of this Saturday at the Hospital Sant Pau in Barcelona. The singer, whose state of health was delicate, had been admi…


Tweeted by @en_riqueiglesia https://twitter.com/en_riqueiglesia/status/1048496596365791232

Montserrat Caballé dies

rtve.es - The soprano Montserrat Caballé died at the age of 85 in the early hours of this Saturday at the Hospital Sant Pau in Barcelona, as first reported by the Europa Press agency and confirmed to TVE by sources at the hospit…


Tweeted by @OMGSOYJUNIOR https://twitter.com/OMGSOYJUNIOR/status/1048482250877063168

National Cyber Security Awareness Month: What’s New for 2018?

Today marks the first day of National Cyber Security Awareness Month (NCSAM), a collaborative effort that began in 2004 as part of a joint campaign of the National Cyber Security Alliance and the U.S. Department of Homeland Security (DHS).

This year, NCSAM focuses on internet security as a shared responsibility among consumers, businesses and the cyber workforce. Let’s take a look back at the year in cybersecurity and preview what NCSAM 2018 has in store.

Looking Back on Cybersecurity in 2018

It’s been a year of transition for cybersecurity professionals and attackers alike. As noted by Forbes, cybersecurity spending in the U.S. could reach $66 billion by the end of 2018. Globally, that number will likely reach close to $100 billion by the end of the year. Total breaches are down from 2017, but attackers are changing tactics: Where servers and workstations once took priority, threat actors are now directly targeting mobile applications and users to breach networks and compromise data.

It’s also worth noting that the rate of cryptojacking scams increased by 141 percent in the past year, according to Trend Micro. And, just like in 2017, human error remains a top concern for companies: A recent CA Technologies survey found that 90 percent of organizations feel vulnerable to malicious or accidental insider attacks.

National Cyber Security Awareness Month: Week by Week

NCSAM 2018 aims to “shine a spotlight on the critical need to build a strong, cyber secure workforce to help ensure families, communities, businesses and the country’s infrastructure are better protected.” The month is divided into four week-long themes, described in more detail below.

Week 1 (Oct. 1–5): Make Your Home a Haven for Online Safety

The first week’s theme addresses cybersecurity practices in the home. Parents and caregivers teach children how to safely cross the street and avoid strangers who might cause them harm, but digital safety is often seen as less pressing. The problem is that today’s children must navigate a digital world filled with streaming content, mobile devices and on-demand access.

According to Pew Research, 77 percent of Americans now own a smartphone, nearly 75 percent own a desktop or laptop computer, and around 50 percent own tablets. Including cybersecurity as part of mainstream education is critical to nurture the next generation of tech-savvy adults.

Week 2 (Oct. 8–12): Millions of Rewarding Jobs — Educating for a Career in Cybersecurity

The growing cybersecurity skills gap continues to challenge organizations, with 69 percent of businesses saying they’re under-resourced because they can’t find enough qualified IT staff to fill expanding security departments.

Week two of NCSAM focuses on “ways to motivate parents, teachers and counselors to learn more about the field and how to best inspire students and others to seek highly fulfilling cybersecurity careers.” To put it simply, demand exists and training is getting better; now it’s a matter of cultivating student interest.

Week 3 (Oct. 15–19): It’s Everyone’s Job to Ensure Online Safety at Work

As noted above, employees are a top cybersecurity risk for many organizations. According to Verizon’s “2018 Protected Health Information Data Breach Report (PHIDBR),” 58 percent of healthcare data loss incidents from 2016 to 2017 involved insiders. While many of these insider threats are accidental — users may inadvertently click on phishing links or access unsecured sites via personal devices on corporate networks — the results are no less damaging.

Week three aims to help users fuse cybersecurity across their work and personal lives and emphasizes the shared responsibility of employees to help manage risk and improve resilience.

Week 4 (Oct. 22–26): Safeguarding the Nation’s Critical Infrastructure

The last week of National Cyber Security Awareness Month will focus on protecting the country’s critical infrastructure, since disruptions to systems that provide power, water, health services or other crucial resources “can have significant and even catastrophic consequences for our nation.”

The increasing use of internet-facing industrial control systems (ICSs) has already put many organizations at risk of malware and other cyberthreats. The final week of NCSAM will highlight the roles users can play in keeping infrastructure safe, leading the transition into November’s Critical Infrastructure Security and Resilience Month.

Even after October ends, NCSAM encourages companies and consumers to actively engage with cybersecurity topics by using tools available through the STOP. THINK. CONNECT. campaign or leveraging EDUCAUSE’s NCSAM Resource Kit, which includes planning guides, posters and international support links. To address the critical role of humans in cybersecurity, the National Cyber Security Alliance recommended using free employee training resources from partners such as ESET.

We’re All in This Together

This past year saw attackers taking advantage of the growing cybersecurity skills gap to infect devices with cryptojacking malware, spam users with macro-enabled phishing emails and hijack poorly protected Internet of Things (IoT) devices to create powerful botnets. NCSAM 2018 recognizes the critical need to encourage and train the next generation of security professionals by teaching them cyber skills early, demonstrating the value of information security jobs and shoring up the shared responsibility of cybersecurity in the workplace. Finally, NCSAM considers the evolving impact of national infrastructure attacks and how the public at large can help mitigate potential threats.

This year’s overarching cybersecurity theme is clear: We’re all in this together, and we can’t do it alone. Effective defense demands a team effort where employees, enterprises and end users alike recognize their shared role in reducing cybersecurity risks.

The post National Cyber Security Awareness Month: What’s New for 2018? appeared first on Security Intelligence.

Partnerstroka Tech Support Scam Preys on Users With New Browser Locking Tactic

A large tech support scam operation called Partnerstroka recently targeted unsuspecting users with a new browser locking technique.

Security researchers at Malwarebytes Labs regularly monitor threat actors using malvertising and other techniques to expose users to a tech support scam. The latest campaign stood out for its incorporation of a browser lock specific to Google Chrome that hijacked the user’s cursor, turned it into an invisible square box and displayed a low-resolution image of a cursor, according to the researchers. It also relocated mouse clicks to somewhere else on the page without the user’s knowledge, preventing victims from closing the scam.

The infrastructure of the campaign relied on dozens of Gmail accounts, each of which was tied to anywhere from a few to several thousand .club domains that abused the GoDaddy registrar/hosting platform. In total, the researchers detected more than 16,000 malicious domains associated with the campaign, but the actual number could be much higher.

How Much Can a Tech Support Scam Cost?

These findings come amid a rise in tech support scams around the world. In 2017, Microsoft received 153,000 reports from customers who fell victim to a tech support scam, a 24 percent increase from the previous year. Of those victims, 15 percent lost between $200 and $400, and the technology giant received one report of a victim losing more than $100,000 to a tech support scammer in December 2017.

Furthermore, the Better Business Bureau tracked 41,435 scam complaints received by the Federal Bureau of Investigation (FBI) and Federal Trade Commission (FTC) last year. Those complaints related to more than $21 million lost to tech support scams in just the first nine months of 2017, and that’s only counting reported crimes.

Combat Scams Through Education and Awareness

The IBM X-Force Exchange threat alert associated with this scam advised security teams to keep operating systems and antivirus tools up to date. Organizations should also scan their environments for the specific indicators of compromise (IoCs) uncovered by Malwarebytes Labs.

When it comes to tech support scams specifically, security experts recommend regularly educating users about cyberthreats and training employees to be skeptical about any unsolicited communications, whether online or over the phone.

Sources: Malwarebytes Labs, Microsoft, Better Business Bureau

The post Partnerstroka Tech Support Scam Preys on Users With New Browser Locking Tactic appeared first on Security Intelligence.

Chegg Resets Passwords After Data Breach That Affected 40 Million Users

For all students out there using EasyBib, it’s time to reset your account passwords at Chegg. Reportedly, Chegg reset the

Chegg Resets Passwords After Data Breach That Affected 40 Million Users on Latest Hacking News.

APAC Secure Webinars | (ISC)²

isc2.org - Become a Sponsor: (ISC)² APAC is dedicated to delivering educational content of the highest quality through our Secure Webinar Series. You are invited to partner and sponsor webinars with us as an al…


Tweeted by @ISC2APAC https://twitter.com/ISC2APAC/status/1045599046063312896

National Seminar for "Cyber" Reservists at the DGGN | Gendarmerie nationale | Renseignements Stratégiques, Investigations & Intelligence Economique

scoop.it - On Monday, September 24, Brigadier General Olivier Kim, head of the gendarmerie's reserve command, welcomed nearly 130 "cyber" reservists, citizen or operational, from all branches, …


Tweeted by @Expert_IE_ https://twitter.com/Expert_IE_/status/1044903925835595777

L’Oréal's New Verification System to Fight Influencer Marketing Fraud | Marketing Directo

marketingdirecto.com - L'Oréal is introducing a three-step verification system aimed at cleaning the increasingly worrying problem of fraud out of the influencer marketing ecosystem. No type of marketing is entirely exe…


Tweeted by @inova3 https://twitter.com/inova3/status/1044137539928551424

Brands Have Fed (After Midnight) the Beast of Fraud in Influencer Marketing | Marketing Directo

marketingdirecto.com - Fraud in influencer marketing has been fed by the brands themselves, which have put more emphasis on the number of followers than on quality. Influencer marketing is one of the strategies…


Tweeted by @jhernanper https://twitter.com/jhernanper/status/1043246040449732611

How Blockchain Will Come To Campus

forbes.com - Senior Vice President, IBM Global Industries, Platforms and Blockchain Bridget van Kralingen speaks during the forum Digitalization and the New Gilded Age at the World Bank/IMF spring meetings on Wed…


Tweeted by @mbnsolutions https://twitter.com/mbnsolutions/status/1043037941277188096

Rice University Says Middle-Class And Low-Income Students Won’t Have To Pay Tuition

Rice University is "dramatically expanding" its financial aid offerings, promising full scholarships to undergrads whose families have income under $130,000. NPR reports: The school says it wants to reduce student debt -- and make it easier for students from low-income families to attend. "Talent deserves opportunity," Rice President David Leebron said while announcing the plan on Tuesday. The full scholarships are earmarked for students whose families have income between $65,000 and $130,000. Below that level, the university will not only cover tuition but also provide grants to cover students' room and board, along with any other fees. Another part of the program will help students whose family income surpasses the maximum: If their family's income is between $130,000 and $200,000, they can still get grants covering at least half of their tuition.

Read more of this story at Slashdot.