Cloud Security Alliance Releases New Report Examining Ways in Which Blockchain Technology Can Facilitate, Improve IoT Security

SEATTLE, WA – Feb. 13, 2018 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today released Using Blockchain Technology to Secure Internet of Things, a new white paper which explores the capabilities of blockchain technology in facilitating and improving the security of the internet of things (IoT).

Authored by the CSA’s Internet of Things (IoT) and Blockchain/Distributed Ledger Technology Working Groups, the paper highlights various features that should be considered when securing connected devices using blockchain technology. The document provides a high-level overview of blockchain technology, and then outlines a set of architectural patterns that enable blockchain to be used as a technology to secure IoT capabilities. It also offers specific use-case examples of blockchain for IoT security.

“Organizations on the forefront of implementing IoT are understandably encountering challenges in identifying appropriate security technologies that are capable of mitigating the unique threats that IoT presents,” said Brian Russell, chair of the CSA IoT Working Group. “We hope this document will inspire business leaders and developers embracing the blockchain opportunity to extend the capabilities of this technology to secure the internet of things.”

The report addresses two technologies with different maturity levels:

  • Blockchain: A technology enabler that supports rapidly evolving cryptocurrencies such as Bitcoin, Ethereum, Litecoin, Dash and hundreds more. Blockchain’s success as a foundation for cryptocurrencies has spawned new research aimed at securing systems and technologies using the distributed ledger. Most initiatives in the business context are limited to prototypes that serve mostly to master the intricacies of this complex technology. Current applications only scratch the surface of their possible uses.
  • Internet of Things: A fast-maturing set of technologies that support the transformation of business and mission processes. The IoT is the inter-networking of physical devices such as connected vehicles, smart buildings, industrial control systems, drone and robotics systems and other items embedded with electronics, software, sensors, actuators and network connectivity that enable these objects to exchange data. The IoT has reached varying levels of maturity across sectors such as consumer, transportation, energy, healthcare, manufacturing, retail and financial.

“The IoT is having a major impact on how many companies conduct business and people go about their daily lives. However, security has become a stumbling block to widespread adoption or implementation. Luckily, blockchain holds great promise for securing connected devices and systems,” said Sabri Khemissa, co-chair for the Blockchain/Distributed Ledger Technology Working Group and the lead author of the paper. “This research should serve as a roadmap to implementing technology that will push the dial forward in securing IoT.”

The CSA IoT Working Group focuses on understanding the relevant use cases for IoT deployments and defining actionable guidance for security practitioners to secure their implementations. The Blockchain/Distributed Ledger Technology Working Group works to produce useful content to educate different industries on blockchain and its proper use, as well as define blockchain security and compliance requirements based upon different industries and use cases.

Individuals interested in becoming involved in the future research and initiatives of either group are invited to do so by visiting the Internet of Things WG join page and the Blockchain/Distributed Ledger WG join page.

The Using Blockchain Technology to Secure Internet of Things white paper is a free resource from the CSA and is available at https://cloudsecurityalliance.org/download/using-blockchain-technology-to-secure-the-internet-of-things.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

SCHOLARSHIP OPPORTUNITIES WITH (ISC)² AND THE CENTER FOR CYBER SAFETY AND EDUCATION

Every year, (ISC)² and the Center for Cyber Safety and Education award a range of scholarships to individuals pursuing, or planning to pursue, a degree in cybersecurity or information security.

Addressing the cybersecurity skills gap

The aim of these initiatives is to help bridge the cybersecurity workforce skills gap – which our research predicts will reach a 1.8 million shortfall in the next four years – and to improve diversity within the profession, by providing future information security professionals with Undergraduate, Graduate or Women’s scholarships to assist them in preparing for a rewarding career in this vital sector.

How the scholarship program has evolved

The program started in 2005, awarding four graduates $12,500 each towards an advanced degree in the sector. The scheme was initially part of (ISC)²’s “Year of the Information Security Professional” program, designed to create additional awareness of the profession and encourage high-quality new entrants into the field.

From 2005 through 2010 the program grew, distributing between three and six awards each year, with the early scholarships focused on graduate students conducting research in cybersecurity.

Last year, however, 48 scholarships were awarded out of the 1,000-plus applications received, and today up to $125,000 is available across the various scholarships, indicating real growth in the scheme’s popularity. Back in 2011, 28 applications were received; the number of submissions then grew but stayed around the 60 – 70 mark each year. 2016 saw the real turning point, with over 500 applications received, followed by last year, when the scheme received its record number of submissions yet.

It was in 2011 – in a concerted effort to address the fact that women are underrepresented in the profession – that the women’s scholarships were created. Women have made up 73% of scholarship recipients to date, with nearly $200,000 presented since the program commenced.

Successful recipients across the program have hailed from all corners of the globe, including the United Kingdom, Iraq, Estonia, Cameroon, Nigeria, South Korea, India, Jamaica, Australia, Canada and more.

If you’re interested in applying, or know someone who might be, read on for details on the individual initiatives:

Undergraduate Scholarships

Aspiring information security professionals have the opportunity to ease some of their educational financial burden with the (ISC)² Information Security Scholarship, which offers undergraduate students studying information security from $1,000 to $5,000 per recipient. To be eligible, your GPA must be at least 3.3 on a 4.0 scale (or an analogous rank based on a comparable scale). You can apply as a citizen of any country studying in any country, on a full-time or part-time course, whether online or on-campus. For more details on eligibility and how to apply, see the official (ISC)² undergraduate scholarships page.

Graduate Scholarships

Graduate students often need funding to conduct special research projects or assistance with tuition and fees, and the (ISC)² Graduate Scholarship Program helps grad students achieve those goals. Graduate applicants may be awarded between $1,000 and $5,000 each. To be eligible, your GPA must be at least 3.5 on a 4.0 scale (or an analogous rank based on a comparable scale). Please note that if you have just been accepted to graduate school, or are just beginning classes, you will use the final cumulative GPA from your undergraduate degree transcript to meet the criteria. You can apply as a citizen of any country studying in any country, on a full-time or part-time course, whether online or on-campus. For more details on eligibility and how to apply, see the official (ISC)² graduate cybersecurity scholarships page.

The deadline for the Undergraduate scholarships is 15 March 2018, and for Graduate scholarships it is 17 April 2018.

Learn more and apply via the Center’s website; for email enquiries, contact scholarships@isc2.org.

[(ISC)² Blog]

HIRING A CYBERSECURITY WORKER? HERE’S WHAT YOU NEED TO KNOW

Even though 85% of cybersecurity professionals would consider new job opportunities, it’s getting harder for employers to attract and retain qualified candidates. There just aren’t enough experienced cybersecurity workers to hire, and those already employed are constantly being wooed by recruiters.

Only 15% of currently employed cybersecurity workers are planning to stay put, according to recently completed (ISC)² research. Among the rest, 14% are actively looking for a new job and 75% are open to opportunities. This means we will likely see a hubbub of activity in the cybersecurity job market throughout 2018.

Employers face an uphill battle. You not only have to try to find skilled candidates in a very limited pool, but also do whatever you can within reason to retain your current cybersecurity workers. Success on both fronts requires a deep understanding of what’s important to cybersecurity workers. What are they looking for in an employer? And what does it take to keep them happy?

What They Value

The study offers valuable clues about what matters to cybersecurity professionals. It’s clear they aren’t motivated by salary, but then they don’t need to be. Since demand for their services is so high, attractive compensation is a given. But what they really value comes through loud and clear in the research:

  • They want to be heard, with 68% of respondents saying they want the C-suite to take their security views seriously.
  • 62% prefer a company with well-defined ownership of cybersecurity responsibilities.
  • 59% view employee cybersecurity training and investments in emerging security technologies as priorities.

Cybersecurity professionals also don’t want to be evaluated by managers on whether they stop a breach. Rather, they believe these criteria are more relevant:

  1. How quickly they respond to a breach
  2. How efficiently they handle remediation
  3. Employee awareness levels

Daily Contacts

Understanding the mindset of cybersecurity workers is critical to the success of any recruiting effort. Cybersecurity pros are very attuned to the needs and demands of their work, and they look for clues in job descriptions about whether the employer understands cybersecurity. Descriptions that are too vague or demand too much get a pass.

Employers need to get this right because recruiters contact these folks constantly. Almost half (46%) of them are contacted weekly by recruiters, even if they aren’t looking for a job. Nearly a third (31%) of those in an active job search are contacted weekly.

For many, overtures from recruiters happen daily; one out of five (21%) study participants receive at least one recruiting contact daily. And 38% of those actively seeking new employment are contacted multiple times each day.

Be Upfront

Despite the huge challenge employers face, there is a silver lining: More than half of cybersecurity jobseekers (54%) are willing to work where a breach has already occurred – an indication they’re confident in their ability to help organizations improve their security.

That’s good for employers to know. Just remember to be upfront about your security situation and show you’re willing to listen to new ideas. Get this right, and the likelihood of attracting a skilled, experienced cybersecurity professional is much higher.

[(ISC)² Blog]

The Case for a KYC/AML Blockchain

Early in my career, I had the opportunity to work with big retailers and non-profit organizations around the promised land of EDI protocol (Electronic Data Interchange, for those too young to have seen this acronym). The expectation in the industry was that, thanks to a common set of industry layouts adopted by both manufacturers and retailers, all transactions like purchase orders, confirmation of shipments, acknowledgment of receipt of merchandise, and payment of invoices, would be streamlined and automated.

When we see the outcome in retrospect, we understand that the aim – a perfect set of common layouts for flat files that would be sent from one computer to another over dedicated communication channels, to be fed into a translator that would eventually create the purchase order or shipment notice in the recipient’s mainframe – required long negotiations between powerful stakeholders. As a result, new technologies totally bypassed this effort, which had been running for more than 30 years without becoming a mainstream protocol in the e-commerce era.

I mention this example of a too-late definition of standards because of recent efforts triggered by the Central Bank of Mexico to create a common database of all fund transfers in foreign currency performed by banks in the country. The aim seems to be a central repository built by all participant banks, feeding their own funds transfer transactions, to eventually allow those banks to query this database in order to understand the risk profile of any particular client that has performed funds transfers in any other bank.

This goal is ambitious and logistically complex. Being a regulator of the banking system in the country, the Central Bank of Mexico can define the rules as needed and then require all banks to comply with these definitions. But the analogy I provided in relation to EDI protocol comes immediately to mind, and I foresee the following issues:

  1. The central bank has defined a standard layout based on the data elements that would be relevant to create the initial repository for its own regulatory purposes.
  2. The banks will have to build interfaces from their existing funds transfer systems with this new platform.
  3. The central bank may require additional fields in the future; if so, all banks will have to rush to adjust their existing interface, and then run additional processes to fill the missing data in the central repository.
  4. There is no incentive for the banks to implement the required applications and infrastructure.
  5. When rules are established around types of relevant queries needed to determine a risk profile, some large banks may then identify additional information that would make sense to add to the repository, impacting all other participant banks.
  6. The storage and computing power needed to track all funds transfer transactions across the entire banking system will overwhelm the central bank’s computing capacity, leading to delays in the queries. This would eventually require more taxpayer money to buy or rent additional infrastructure.

This seems to be a perfect use case for a Know-Your-Customer (KYC)/Anti-Money Laundering (AML) blockchain project. Of course, most of you understand that blockchain technology is the foundation of bitcoin and other cryptocurrencies. Instead of focusing on the idea of actual payments made with cryptocurrencies, I’d like to highlight the fact that blockchain technology can provide the perfect tool to develop a distributed ledger of funds transfers, spread across the computing power of participant banks in the system.

Here are the incentives for all:

  1. Banks’ computing power is larger. The calculation of crypto-tokens representing the funds transfers can be spread over the computing power of all banks that want to participate in the system.
  2. Crypto-tokens would be simple. We are not talking here about creating money but “crypto-tokens” that represent real funds transfer transactions occurring in the system, linked to a different type of crypto-token that represents the client performing the transactions.
  3. Banks have incentive for participation. Every time that a bank converts a funds transfer transaction into a crypto-transaction linked to a crypto-client, using its own computing power, it will receive a “crypto-token” as payment. These crypto-tokens will be the key for the banks to perform queries to the database (see below).
  4. Queries to the common database will be paid with crypto-tokens. Every time a bank wants to perform a query to determine what kind of transactions a particular client has performed in the system, it will pay using the crypto-tokens received as payment for linking crypto-transactions to crypto-clients.
  5. Bank privacy is preserved. Do I need to say more?

As regulators start creating laws to put some ground rules on the table for digital transformation, they could be participants in initiatives like the one I’m putting on the table today.

Author’s note: Jose Angel Arias has started and led several technology and business consulting companies over his 30-year career. In addition to having been an angel investor himself, as head of Grupo Consult he participated in TechBA’s business acceleration programs in Austin and Madrid. He transitioned his career to lead the Global Innovation Group in Softtek for four years. He is currently Technology Audit Director with a global financial services company. He has been a member of ISACA and a Certified Information Systems Auditor (CISA) since 2003.

Jose Angel Arias, CISA, Technology Audit Director

[ISACA Now Blog]