Cybersecurity Apprentice Program: A CyberStart JumpStart

My student employment/apprentice/intern program (or whatever you want to call it) needed a jumpstart and frankly, so does the cybersecurity workforce at large. I’m not entirely sure how to begin this post because there is just so much to say. So, let’s just start with some problem statements. If you just want to read more about what we are doing at Stony Brook to establish a cybersecurity apprentice program, skip this section altogether and head straight to the next subheading.


The Problem(s):

  1. We’ve all read the headlines. CYBERSECURITY WORKFORCE SHORTAGE BY THE MILLIONS. While this is not an exaggeration, it is worth expounding a bit. According to the 2018 (ISC)² workforce study, that shortage is close to 3 million globally, but over 2 million of those job vacancies are in the Asia-Pacific region. So, what is the situation closer to home? The same study tells us that ~500,000 of those vacancies are in the U.S. Ok, so we definitely have a problem as an industry. Can cybersecurity practitioners do anything to directly help the cybersecurity workforce shortage?
  2. Women are one of the groups significantly underrepresented within the cybersecurity profession. That is an understatement. You have no doubt heard the statistic that only 10-11% of cybersecurity positions are held by women. The aforementioned workforce study published one of the highest percentages I have seen to date…24%. Even if that number is accurate, it’s too low. Way too low. If our field represented the relative percentage of humanity it should be closer to 50/50 male/female. How can we attract underrepresented groups, such as women, to a career in cybersecurity?
  3. Hiring students to work within an information security department is not a new concept. Not by a long shot. Some of my esteemed colleagues have thriving and impressive cybersecurity internship programs already. For most higher ed CISOs and industry partners however, finding students with the right qualities and the fortitude to make a meaningful contribution to a real cybersecurity department can be challenging. Many students I’ve spoken to do not have the right expectation when they interview for a job with us. They imagine days filled with malware analysis, Wireshark and Metasploit. It’s not that we don’t do those things, but we do many other things too, like security awareness efforts and policy writing. While I would love to pay a student to play with Wireshark and ask us questions, my small team does not have time to stop their operational responsibilities for extended periods of time to educate their curious minds. How can we find students that have realistic expectations and the right qualities to be successful within an ‘all hands on deck’ cybersecurity department?
  4. There is no shortage of action on any given day, which is true throughout most of academia due to our diverse and unique computing requirements. Having a relatively small team means we are extremely busy all of the time. While this also makes it an ideal place for a student to get a wide range of hands-on cybersecurity experience, it introduces a unique barrier as well. It takes a significant work effort to begin and sustain a thriving internship/apprentice program within our department, and to do so with our existing staff level would cause very serious responsibilities to suffer, and the resultant increase in risk to our organization is not a tradeoff we can afford to accept. How can we start a meaningful, mutually beneficial program with only a reasonable amount of work effort?
  5. An alarmingly increasing number of CISOs tell me that they do not like to hire new graduates with cybersecurity degrees. Anecdotally speaking, they are having great success with new hires from a diversity of academic backgrounds, such as psychology and the humanities, for example. Sadly, many in the workforce today do not consider a cybersecurity career unless they have a so-called “relevant” degree or computer science background. I can’t tell you how many students I talk to that are shocked when I tell them my programming experience is limited to “VCR” and “ALARM CLOCK.” (Yes, I do know what a for loop is, but never used one to accomplish anything useful aside from printing “Hello World” an infinite amount of times). How can we attract cybersecurity talent from groups with non-STEM academic backgrounds and work experience?
  6. When we have hired students, their knowledge of even the most basic information technology concepts has been lacking. With little or no real-world IT experience, many did not truly understand how things like DNS and DHCP worked. Active Directory? Forget it. In my mind, an entry-level cybersecurity position is not an entry-level position. By the time we filled in all of those gaps for our student hires, it would be graduation time and we didn’t even get to the security part. How could we onboard a student in an expedient manner, without sacrificing too much of our staff’s limited time?

The Solution(s)…maybe:

What if there was a fun, online game that we could offer to all current college students that increases security awareness for all who play? What if this same game required no prior technical knowledge, and it could help players prove that they have the essential qualities to be successful in a cybersecurity role? What if there was an associated online course that taught core information technology fundamentals, and then layered on associated security concepts?

Do I have your attention? As it turns out, that game does exist and so does the associated course, SANS CyberStart Essentials. In my opinion, CyberStart Essentials has the potential to onboard many thousands of future cybersecurity professionals, and fill in knowledge gaps for thousands of existing professionals. I just didn’t know about either until Alan Paller, the founder of SANS, reached out to me and agreed to partner with Stony Brook University as a proof of concept that the game could be used effectively within the higher education space. It was almost a year ago today, as he was on his way to RSA 2018 to do his annual keynote, and I am writing this article sitting in an airport on my way home from RSA 2019. In between those two bookends in the stream of time, some other higher education CISOs helped us brainstorm on a coherent approach in a one-day in-person workshop, and their collective wisdom and insight was priceless. Early on in this endeavor, Mandy Galante joined SANS full-time as the CyberStart Program Manager, and she has been working with us tirelessly to ensure the platform is conducive to our use case. While we are only about halfway through our proof of concept at SBU, here is what we are doing:

  1. As part of Cybersecurity Awareness Month in October 2018, we advertised this exciting new online game via our career center, social media posts, and online postings. We even had a pizza party, complete with dim lighting and techno music. It did not take much effort to generate interest in this program; students were fascinated by it. We stressed these key themes:
    1. No prior technical experience required.
    2. Play to find out if you are an extraordinary problem solver.
    3. If you do well, you could win access to additional online training and potentially a paid apprenticeship with our team.

      CyberStart Pizza Party

  2. Players first tried an abbreviated version of the game that was free and could be anonymously accessed on the Internet. In fact, it was this version they played during our October pizza party. If they didn’t like it, there was no need to continue. If they wanted access to the full version, they had to request access via a simple online form. We validated their request by asking them what their favorite challenge was and why. We received over 250 requests and issued those students registration codes for the full version of the game.
  3. The players played…and played…and played. In fact, it was easy to see from the scoring that while some players opened the game, played it once, and stopped, many others – more than 50 of our 250 players – kept playing and earned an invite to the next phase of the program.
  4. The high scorers were invited to a celebratory lunch and an exclusive online collaboration space (the start of a cybersecurity club perhaps?), and officially qualified to compete for a student apprentice position with our department in the coming months. We will be using this group as our exclusive candidate pool. These students also won scholarships to the associated online course, CyberStart Essentials.

    CyberStart Celebratory Lunch

  5. We will be reviewing the scores and the CyberStart Essentials completion percentages, and then invite a subset of the top 50 or so students to interview for up to three student apprentice positions within our Information Security team this coming May. The first thing our new hires will do is complete the CyberStart Essentials course. We then hope they will spend at least two years with us as student apprentices as they get hands-on, practical experience. We also hope they will choose to pursue a career in cybersecurity. Time will tell.

So, will this program address some or all of the challenges I listed at the outset of this article? I can’t be sure yet, but I can tell you this: it has already increased security awareness within our student body, and it has created a buzz around campus, catching the attention of non-STEM as well as STEM students. And I am excited about our future apprentice hires this Spring/Summer. Since my scope as CISO has recently expanded to include Stony Brook Medicine, we might be able to hire more apprentices than I initially thought. Most importantly, in addition to complementing our small team, this might be a way to make a real difference across the country if this model is copied at other campuses. It’s truly win-win for everyone involved.

So far, I have no doubt that CyberStart is going to be just the JumpStart we were looking for.

Thanks for reading and don’t forget to subscribe.

Insert Catchy Ransomware Headline Here

Why is the internet so fascinated by ransomware? Is it because ransomware is attacking our precious data? Is it simply a threat that the average person can understand and therefore makes it newsworthy and headline rich? Is it because ransomware is so profitable and morphing into a mature business model? Or is it just a fascination with so-called evil genius? After all, everybody loves to hate a good super villain…until they come to visit YOU.

Image: “Ransomware is not cool,” made with The Ransomizer at www.ransomizer.com

Here is the shortlist of things you should know about this topic if you’d like to get up to speed quickly:

Dilbert Comic for 1996-02-06 by Scott Adams http://dilbert.com/strip/1996-02-06 via @Dilbert_Daily

  • Once you pay the ransom and get your data back, you still have a mess to clean up. They are still in your system and you must fully eradicate the attacker from your environment. Easier said than done.
  • Some mature ransomware operations have technical support available, so if you are having trouble paying the ransom you can call for assistance and the call center will walk you through it. Yes, it’s true.
  • There are cloud ransomware solutions out there so if an attacker doesn’t want to go through the trouble of building their own solution, they can buy ransomware as a service. Krebs blogged about it recently and the commercial they posted on YouTube is quite persuasive! (Yes, I just blogged about a blog.)

  • If you work for an organization that deals with protected health information (PHI) and HIPAA, the U.S. Department of Health and Human Services (HHS) removed some ambiguity regarding whether or not ransomware is considered to be a breach: “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.” Read all about it.

Some cyber security practitioners and thought leaders got together recently to talk about the 7 most dangerous new attack techniques, and of course ransomware was on the list. Ed Skoudis asked, “How much would you pay to turn on your heat?” Many of us, other than me of course, have internet connected thermostats that could potentially be held hostage in this way. This is a theoretical scenario today, but the thought of this one gives me the chills (pun intended).

Another noteworthy gem from Ed is regarding what to do if you find yourself held hostage by a digital ransom that for some reason or another you have no choice but to pay. He made a point to remind us that it is a negotiation. So, don’t assume they know who you are or who you work for in the event that they encrypted your data. Assume they don’t know anything about you or the data and try to convince them you are simply an individual that wants to restore those precious shopping lists and pictures of your grandchildren, even if you did just lose access to your entire customer database <ouch>. If they don’t know you work for a fortune 100 company, don’t volunteer that information. You may be able to convince them you are a grandparent with a fixed income and they *might* even accept a lower ransom. In New York we haggle for a better price on just about everything. Why shouldn’t we do the same for our stolen data?

In conclusion…don’t get ransomware in the first place if you can avoid it. It might be intriguing, but some things are better off observed from afar.

Thanks for reading and don’t forget to subscribe.

Educause Guest Blog: Think Before You Speak

Hello All:

In honor of cyber security month 2016, Educause allowed me to be a guest blogger once again for their Security Matters blog.

Read it Here: Think Before You Speak: Effectively Share Risk Across the Organization

There are some other great articles published this week as well, including one written by SANS’ Lance Spitzner.

Thanks for checking it out!

Catchy Headlines and the Pokemon Go non-Controversy

Imagine my surprise when reading headline after headline last night that proclaimed from the rooftops, “Pokemon Go App Can Read Your Emails!” and similar.

Users who were downloading this Apple iOS game were surprised to learn that the permissions it requested to Gmail when logging in included full access to their account, yet it was still downloaded FIVE MILLION times.

I was ready to get on my soapbox about paying attention to the permissions of every app you install, not letting your children install apps unattended, and the need for app developers to get it together, when I read this…

Pokemon Go was Never Able to Read Your Emails 

Soooooooooooo, as it turns out, the message users received was not accurate. In this case, although it did claim to have “full account access,” this term did not actually mean FULL account access. So is there any lesson to be learned or is this a pointless blog post?

Yes, and maybe. We should always be wary of any app that requests “full account access” or full access to anything regardless of what it means! So my soapbox lessons still apply. More specifically, pay attention to the permissions of every app you install, don’t let your children (30 and under) install apps unattended and app makers need to get it together! I digress.

Another important thing to check from time to time is what currently has access to your account. If you are a Gmail user, you can go to “My Account–>Connected apps & sites.” You may be surprised to see what is listed there. Remove the items you no longer use.


In a similar vein, have you checked who is authorized to charge you via Paypal lately? It accumulates over the years. Check the list by clicking on the “Settings Gear –> Payments –> Preapproved Payments.” I am always surprised to find vendors listed that I approved for a single purchase in that list, and subscriptions that I cancelled many years ago. Clean it up before someone cleans out your bank account.


OH! And if you’re not a vendor, don’t do this voluntarily…


In summary, from Pokemon to Paypal, be careful out there. Have a good day!

Thanks for reading and don’t forget to subscribe.

Quoted by CSOOnline: Keeping your kids safe along with your network

One of my comments regarding BYOD was quoted in an online slideshow on CSO Online. My comment is on slide 3. Pretty cool! It’s an interesting and concise article on a complex topic. I’m not just saying that because I was quoted…

Keeping your kids safe along with your network

The article’s author, Josh Fruhlinger, has a bunch of similar slideshow formatted articles on various topics. Be sure to check those out as well.

Thanks for reading and don’t forget to subscribe.

Free Tech Support? NO WAY?! No, really, no way.

A coworker received the below pop-up while using Google Chrome.

Being the helpful guy that I am, I made the phone call for him and did a little bit of recon at the same time. Here’s the good news…sort of. They hung up on me twice when I told them I was using a work computer. It seems they are only interested in personally owned computers. Good news if you are an IT guy/gal, bad news for Grandma.

Here’s some more bad news…they were using a legitimate service, support.me to connect remotely. This is bad because it looks safe and wholesome to an unsuspecting victim. Plus, it likely has legitimate uses on your network, which means it may be hard to globally block.

Also, the approach of letting people call them is very effective. After all, if you are initiating the conversation, you already have your guard down. This is a really good social engineering tactic. Bait the victim, but let them “think” that they initiated the transaction. On the other hand, if you receive a phone call out of the clear blue from someone with a foreign accent telling you that your computer is infected with a virus, well, that’s a harder sell. Still, it’s not uncommon for members of our campus community to receive calls from “Microsoft” and “Google.” Sometimes, they are just looking for an IP address to target from the outside. “Hello, we are trying to fix your copier. Can you please tell me what the IP address is?” If you ever get an unsolicited call like that, just tell them it is 265.548.175.15. The geeks out there will get why that IP is safe to share.

Interestingly, they didn’t have me connect to that website through my browser. They had me go to Start –> Run and then type “hh web” which opened an “HTML Help” window.

From there, you can press that little yellow question mark at the top left of the box and choose “jump to url.” I would imagine that they do this to bypass browser security and plug-ins. Pretty clever, I suppose. The rest of the call consisted of him trying to get me to type in the session code to allow him remote access to my computer. I just could not get it right…
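A detection-side view of the two tricks described above (HTML Help launched with something other than a help file, and a remote-support domain showing up in a command line), as an added example that is not part of the original post. It runs simple rules over constructed process-creation events; the event shape, the rule names and the `SomeApp\manual.chm` path are assumptions for illustration, and support.me is listed only because the post names it.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (not captured from any real host), in the
# shape an EDR or Sysmon export might take: parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "hh.exe", "cmdline": "hh web"},
    {"parent": "explorer.exe", "image": "hh.exe",
     "cmdline": r"hh C:\Program Files\SomeApp\manual.chm"},  # assumed benign help file
    {"parent": "hh.exe", "image": "iexplore.exe", "cmdline": "iexplore https://support.me/"},
    {"parent": "explorer.exe", "image": "chrome.exe", "cmdline": "chrome https://example.org/"},
]

# Remote-support service named in the post; extend with the ones your environment knows.
REMOTE_SUPPORT_DOMAINS = ("support.me",)


@dataclass
class Alert:
    rule: str
    image: str
    cmdline: str


def hh_without_chm(ev):
    """HTML Help launched with something other than a .chm file (e.g. 'hh web')."""
    if ev["image"].lower() != "hh.exe":
        return False
    parts = ev["cmdline"].split(None, 1)
    target = parts[1].strip('"') if len(parts) > 1 else ""
    return not target.lower().endswith(".chm")


def spawned_by_hh(ev):
    """Any process whose parent is HTML Help; browsing from inside hh.exe is not normal use."""
    return ev["parent"].lower() == "hh.exe"


def mentions_remote_support(ev):
    """Command line contains one of the remote-support domains as a whole word."""
    cl = ev["cmdline"].lower()
    return any(re.search(r"\b" + re.escape(d) + r"\b", cl) for d in REMOTE_SUPPORT_DOMAINS)


RULES = [
    ("hh_non_chm_target", hh_without_chm),
    ("child_of_hh", spawned_by_hh),
    ("remote_support_domain", mentions_remote_support),
]


def scan(events):
    """Run every rule over every event and return the alerts in event order."""
    return [Alert(name, ev["image"], ev["cmdline"])
            for ev in events for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.image}: {alert.cmdline}")
```

Because support.me has legitimate uses, these rules alert rather than block; it is the combination of a browser child of hh.exe with the remote-support domain that separates this scam from an ordinary help window.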

What was the end game? I’m not sure. Clearly they would have charged me to “clean” my computer, although I was assured repeatedly that the diagnosis would be free. Would they then steal that credit card number altogether? Install additional malware to ensure my credentials are uploaded to the grasp of an excited hacker? Probably yes and yes, but for today, I’m fine being in the dark on that!

Have any of your coworkers or family members fallen victim to this scam? Share the details in the comments below.

Thanks for reading and don’t forget to subscribe.

Linux Security: No Room For Cockiness

Hello All. Today, I am very happy to share with you a post written by a guest blog writer, Shawn Powers. Shawn has been teaching IT for more than a decade. His specialties are Linux, Chef, and integrating multiple platforms for larger networks. Early in his career, he started a Cisco Academy for a local school district where he taught networking (CCNA & CompTIA A+) to high school students. He has a passion for teaching others, and his enthusiasm comes through in his courses. He is an associate editor for Linux Journal and instructor for CBT Nuggets.

Linux Security: No Room For Cockiness, By Shawn Powers

https://themmindset.files.wordpress.com/2011/04/windows_vs_linux.jpg

One of the biggest selling points for using Linux is its inherent security advantage. Some people claim it’s due to a better modular security structure in its design. Others claim it’s compromised less often because it’s not targeted as much. I think the truth lies somewhere in the middle. Wherever you think Linux has an edge, the worst thing a system administrator can do is depend on the percentages game and assume a Linux system is invulnerable.

A Linux server is not invulnerable.

Even if Linux itself is secure, the applications installed on top of the operating system might not be. One prime example is the Code Red worm that affected Apache web servers. It didn’t matter that the Linux system was secure. After an application with elevated privilege got compromised, the system was done for.

What does this mean for the person in charge of Linux Security? Several things.

1) Keep your system updated.

We make fun of Windows users for the hundreds of security updates that need to be installed on a regular basis. Truth be told, Linux systems have just as many updates! Yes, some are feature changes, but on most systems there is a special “security” channel in the update mechanism that is crucial to keep up to date. Don’t wait for a security problem before installing those updates. Make them a part of your regular routine.

http://www.libertycolumns.com/images/os-updates-windows-mac-linux.jpg

2) Don’t install services you don’t intend to use.

When you’re setting up a server, whether it’s a virtual machine, bare metal, or a cloud instance, don’t install services unless you actually need to use them. If you’re not going to host web pages on your MySQL server, don’t install Apache on it! Not only are services more vectors for compromise, but if you don’t use them, you’re also less likely to notice if they fall behind in updates. An idle Apache server is just as vulnerable as an active one. Install what you need, but no more.

3) Firewalls are your friend.

There was a time somewhere between Windows XP and Windows Vista when the first thing I did on a desktop system was turn off the firewall. It seemed like the built-in firewalling system on Windows was so flaky that it broke more than it solved. That’s not the case anymore with Windows, and it’s absolutely not the case with Linux. Whether you’re using a GUI tool, or the super simple “Uncomplicated FireWall” (UFW) in Ubuntu from the command line, use a firewall! And like with the applications you install, only open the ports you need, and no more.
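An added example (not Shawn’s code) that audits points 2 and 3 together: parse the output of `ss -tlnp`, flag listeners that are not on the host’s allowlist, and derive the minimal set of UFW rules for the ports that actually need to be reachable. The `ss` output below is constructed, and the assumption that this host is a database server needing only SSH and MySQL is mine.

```python
import re

# Constructed `ss -tlnp` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*     users:(("mysqld",pid=954,fd=21))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*     users:(("apache2",pid=1102,fd=4))
LISTEN 0      4096   [::]:111            [::]:*        users:(("rpcbind",pid=410,fd=4))
"""

# Assumed role of this host: a database server that should run only SSH and MySQL.
EXPECTED = {22: "sshd", 3306: "mysqld"}

PROC_RE = re.compile(r'"([^"]+)"')
ALL_INTERFACES = ("0.0.0.0", "[::]", "*")


def parse_listeners(ss_output):
    """Return (port, process, reachable_from_network) for each LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue                          # skip the header and anything non-listening
        addr, port = fields[3].rsplit(":", 1)
        match = PROC_RE.search(fields[5]) if len(fields) > 5 else None
        proc = match.group(1) if match else "?"
        listeners.append((int(port), proc, addr in ALL_INTERFACES))
    return listeners


def unexpected_listeners(ss_output, expected=EXPECTED):
    """Listeners whose port is not allowlisted, or whose process is not the expected one."""
    return [(port, proc, public) for port, proc, public in parse_listeners(ss_output)
            if expected.get(port) != proc]


def ufw_plan(ss_output, expected=EXPECTED):
    """UFW commands that deny inbound by default and open only expected, network-facing ports.
    Loopback-only services (like MySQL here) need no rule at all."""
    cmds = ["ufw default deny incoming", "ufw default allow outgoing"]
    for port, proc, public in parse_listeners(ss_output):
        if public and expected.get(port) == proc:
            cmds.append(f"ufw allow {port}/tcp")
    cmds.append("ufw enable")
    return cmds


if __name__ == "__main__":
    for port, proc, public in unexpected_listeners(SAMPLE_SS):
        where = "all interfaces" if public else "loopback only"
        print(f"unexpected listener: {proc} on {port} ({where}) - remove it or allowlist it")
    print("\n".join(ufw_plan(SAMPLE_SS)))
```

On the sample, apache2 and rpcbind are reported as unexpected, and the generated plan opens only 22/tcp. To run it against a real host, replace `SAMPLE_SS` with the output of `ss -tlnp` and adjust `EXPECTED` to the host’s actual role before applying any rules.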

Linux security is generally rock solid, and is fairly easy to maintain. One of the biggest problems Linux system administrators face is the tendency to neglect updates. So take security seriously, and Linux will be painless to keep safe. Leave it on its own, and hackers will happily check for vulnerabilities on your behalf!

-Author, Shawn Powers

(images and formatting added by Matthew Nappi)


Do you agree with Shawn’s viewpoint on Linux security? Is there anything else you would add to this list? Let us know in the comments below.

Thanks for reading and don’t forget to subscribe.

Credit Card Skimmers Close to Home?

Do you have an alarm system? If you do, did you get one before or after your neighbor was robbed? Few of us are proactive enough to get one without something hitting close to home.

These are the thoughts that came to mind when I saw this:


That, my friends, is a gas pump. Do you notice anything strange about it? Look a little bit closer:

security tape on credit card swipe

That security tape is similar to the plastic seal on a bottle of Diet Pepsi. If broken, do not drink! In other words, that tape was put on the credit card swipe of this gas pump as a detective control to identify tampering, like the installation of a skimmer device for example. I won’t name the particular gas station I was at, but it’s green and white about 5 miles from the University. And I have several of their toy trucks in my office. I know that doesn’t narrow it down much, so please don’t try to pull out the geo-location data embedded in the above photos. In actuality, they should be commended for putting something like this in place, but it begs the question…was this proactive or reactive? Things that make you go hmmmm….

That’s why I like credit cards and debit cards that offer $0 liability protection. Combine one of those with Apple Pay, and you’re in pretty good shape. Of course, cash will always be king.

Have you ever had a run-in with a credit card skimmer? If so, where?

Thanks for reading and don’t forget to subscribe.

UPDATE 5/20/15: To be fair, I noticed that this particular chain of gas stations has security tape on their pumps at most locations I’ve visited… So I guess there IS a possibility they are being proactive, or had a bad experience at a subset of locations and then deployed the tape widely. Things that make you go hmmm…

REVIEW: CSI: Cyber

http://en.wikipedia.org/wiki/CSI:_Cyber#mediaviewer/File:CSI-Cyber-Logo.jpg

This week was the beginning of a new CSI television series, CSI: Cyber. I am not a CSI fan by nature. In fact, I’m not a big fan of television dramas at all. I try to like them. I really do, but it’s hard for me to get past mediocre acting and low budget explosions. However, I had to give CSI: Cyber a chance. After all, it promised to deliver on a theme that is near and dear to me, cyber security. Did it deliver?

To start on a positive note, I thought the technology aspects of the show were only moderately exaggerated, so kudos for that. I think it’s a positive thing that they are highlighting real world consequences of hacker activity. It is not a harmless pastime or a victimless crime. This show can potentially serve as a nationwide public awareness campaign. Hopefully, they will work in some useful reminders for viewers, like the importance of antivirus and the like, rather than simply inciting FUD (fear, uncertainty and doubt).

http://commons.wikimedia.org/wiki/File%3AMBP36_-_Digital_Video_Baby_Monitor_MBP36.jpg

With that said, the first episode was named Kidnapping 2.0, making reference to the next generation of kidnapping that incorporates hacking into internet connected baby monitors. The “baby auction” plot may be farfetched, but the idea of some weirdo hacking into your baby monitor is one based on fact. It happens, and for that reason I advise my friends to avoid buying an internet connected baby monitor unless they really have a need for it. Even the ones without Wi-Fi are relatively easy to access, but you need to be in physical proximity to the camera.

I thought the title of the episode, Kidnapping 2.0, was appropriate because they kidnapped one hour of my life with no remorse. The casting choice is just unreal. Lil’ Bow Wow is a rhyming hacker being rehabbed by the FBI. To quote my wife, “STRIKE 1.” The action star of the show is none other than the star of Dawson’s Creek, James Vanderbeek. I never thought I would live to see Dawson kick down a door, but network television has blown my mind yet again. The “best white hat hacker” in the world is a stereotypical “heavyset” gentleman and at one point the FBI director tells his staff that they can “go home to their parents basements.” Really? LOL.

All things considered, I will probably watch this show again. Not because it was a good show, but I find the random technical references extremely entertaining. I love how the writers jam technical jargon into sentences that do not require it at all. It’s just hilarious. And I find the security talk extremely entertaining. There is nothing better than hearing acronyms explained by bad actors. Unfortunately, I doubt the mildly entertained IT crowd can keep this series afloat for very long.

In any case, if you’re looking for a mediocre drama with a mixture of technical chatter and law enforcement, you’ve found it! I will let it record on my DVR and from time to time I’ll check out an episode. More so for a laugh than a thrill, but at the end of the day it served its purpose of entertainment…for one reason or another.

Note to Producers: This show can still be saved by adding a key guest star or two. Namely, Jack Bauer or Liam Neeson (he has a very particular set of skills).

Did you catch the first episode? Tell me what you thought in the comments below.

Thanks for reading and don’t forget to subscribe.


Educause Security Professionals Conference – Proposal Accepted


I am excited to share that I will be presenting at the 2015 Educause Security Professionals Conference by means of an online-only session.  It will take place on May 5th from 9:15-10:15 AM.  Although I am not a complete stranger to public speaking, this will be my first presentation at Educause and my very first online presentation.  It should be an adventure!

Title:  Good Enough Security: When is it good enough?

Session Abstract:  While many security professionals focus on “best” practices, in many cases “good enough” security would suffice for deflecting the majority of threats.  In an effort to maintain a balanced viewpoint and avoid becoming myopic regarding security requirements, it is important that we come to terms with what level of security is “good enough” within the culture of higher education.  Join us for an interactive, spirited and subjective discussion regarding what level of security is “good enough” in areas such as password complexity and change requirements, network architecture, endpoint security, and many other specific scenarios.

Session Participant Engagement Strategies: After a brief discussion surrounding the selfish herd principle and why risk-based “good enough” security should not be discounted, I will present various multiple choice examples and scenarios. Each participant will vote on what option they feel is “good enough” by means of live polling via the internet. After voting is completed, I will offer my own perspective / experience and then go through each choice one by one. As time allows, advocates for each option will have the opportunity to justify their choice and others will have the opportunity to express why they disagree. The intention is to stimulate a meaningful discussion and help participants reach a reasonable viewpoint regarding what configurations, standards and designs are likely “good enough.”

What do you think of the session topic?  Do you have any ideas regarding what I should cover during this session?  Any strong opinions regarding what is “good enough security” in the environments you support or work in?  Are there security measures you have encountered that seem unnecessary or overkill? 

Share your thoughts in the comments below and don’t forget to subscribe!