Sony, XBox Victims Of DDoS, Hacktivist Threats

Hacktivists from Anonymous and from a presumed Islamic extremist group targeted a variety of online gaming services.

Services are up and running again after a denial of service took down Sony’s PlayStation Network for much of Sunday, coinciding with a bomb threat on American Airlines flight 362, which carried John Smedley, president of Sony Online Entertainment. The threats caused the airline to divert the flight.

Other online gaming services — including Microsoft’s XBox Live, Eve Online, and the services that host World of Warcraft and Diablo III — also experienced disruptions. The culprits seem to be hacktivists, but just which hacktivists is unclear, because several are trying to take credit for the attack, citing different motives.

One group, Lizard Squad, took credit for the attacks and presented two motives on Twitter. One tweet Sunday morning said that Sony “aren’t spending the waves of cash they obtain on their customers’ PSN service. End the greed.” A subsequent tweet stated, “Kuffar [non-believers] don’t get to play videogames until bombing of the ISIL [Islamic State of Iraq and the Levant] stops.” The account made many references to the Islamic extremist group ISIS.

On Sunday afternoon, Lizard Squad also tweeted the cryptic message “.@AmericanAir We have been receiving reports that @j_smedley’s plane #362 from DFW to SAN has explosives on-board, please look into this.”

The group tweeted at Smedley with the hashtag #PrayForFlight362 and a video from 2001 of a plane crashing into the World Trade Center.

On a separate account, a hacker associated with Anonymous claimed responsibility for the attack, showing screen shots to prove the work and stating that the attack was launched to highlight vulnerabilities in the PlayStation Network.

Microsoft confirmed that some customers were experiencing disruptions. However, it seems that Lizard Squad found that Microsoft’s XBox Live network was sturdier than Sony’s. The group tweeted Monday, “Microsoft props to you for giving us a challenge, good work. Sony, smh [shaking my head].”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law — a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.

[Source: DarkReading]

What Will Ease Healthcare’s Heartburn Over ‘Heartbleed’?

One of the latest breaches to hit the news took place at Community Health Systems (CHS), affecting an estimated 4.5 million patients. According to principal security consultant and founder of TrustedSec, David Kennedy, the initial attack vector was through the infamous OpenSSL “heartbleed” vulnerability that led to the compromise of the information.

What is especially noteworthy about this particular attack is its impact on the healthcare community. Major data breaches such as the one at Target last year put the spotlight on how retailers need to do a better job at guarding our sensitive financial information from cyber criminals. However, a May 2014 study by BitSight Technologies rated healthcare and pharmaceutical companies even worse than retailers in terms of security performance.

BitSight compared the performance of finance, utilities, retail, and healthcare groups within the S&P 500 from April 2013 through March 2014. Overall, healthcare companies scored lowest, at about 660 on a scale of 250 to 900. Not only did the healthcare sector have the most security problems, but companies also took the longest to fix the problems—on average 5.3 days, according to the report.

The importance of a strong vulnerability management and patching program is well documented but, as with all 0-day vulnerabilities, there is a period of time in which a patch is not available to fix the problem. So, what could CHS have done differently in this case?

As this rapidly evolving industry faces increasing challenges to keep personal health information protected, there is a need to ensure that knowledgeable security and privacy practitioners are in place to protect this sensitive information. Without knowing the specifics of the information security program in place at CHS, it is hard to come up with short- and/or long-term recommendations. I believe, though, that it is safe to assume that CHS could have used more “eyes on target” during that critical time block from when the “heartbleed” vulnerability was initially discovered and reported to when a patch was available for rollout. Thus, to help address the short-term need, it is critical for all companies to analyze their current monitoring and detection programs and make sure the right people, processes, and tools are in place.

Longer term, we need to come up with a better way to quickly determine the cyber posture of an organization – and not just those from the healthcare sector. Through the use of a scoring method, the BitSight study provided an efficient and effective approach to help compare organizations against one another – similar to how a business runs credit checks before consumers can open a banking account, take out a car or home loan, or even get a job. While this method would require the creation of standards and additional work to implement, it’s an idea worth considering.

[Source: (ISC)² Blog]

Foote Partners: 2014’s Hottest IT Certifications

IT certifications and premium pay

With more than half of 2014 behind us, it’s that time of the year where we look at IT certifications standings in real world IT. The right certifications can help earn tech workers premium pay or land the job they’ve been aspiring to. That’s why knowing what is “hot” with employers is important when considering your professional development.

Every quarter Foote Partners compiles their data in the IT Skills Demand and Pay Trends Report, and they speak with over 2600 employers to bridge the disconnect between job titles, job content and compensation. Read on to find out where the heat is in regards to IT certifications, salaries, and employer needs.

Open Group

“Generally speaking, the market is responding to anything that has to do with architecture,” says David Foote, co-founder, chief analyst and research officer with Foote Partners. These items are in demand, and employers are willing to pay a premium for them. In fact, all three of these IT certifications made it into Foote Partners’ highest paying IT certifications. TOGAF9, for example, has increased 25 percent in the last 6 months.

Amazon Web Services

Amazon is the heavy in the cloud wars right now, and as a result, “skills pay” for these certifications is on the rise. AWS Certified Solutions Architect – Professional is another new entry to Foote Partners’ research, and already it’s made the highest paying IT certification list.

“These have just been added to our list. Amazon is hot right now. So many companies have adopted that [Amazon Cloud] solution,” says Foote.

VMware

VMware cloud certifications are all pretty hot right now. Premium pay for VCDX increased 28.6 percent in the last 12 months, while VCP-Cloud also saw a premium pay increase of 12.5 percent over the last year.

While there hasn’t been significant growth over the last year, recipients of the VCAP-CID certification are receiving 8-13 percent of base pay salary as a “skills pay” premium from employers.

Microsoft Certified Solutions Expert: Private Cloud

Microsoft has a lot of muscle in the certification arena, and it’s flexing it in a big push for Azure. Foote says this certification is something to consider should you find your organization migrating to Hyper-V.

“This certification is being elevated by the push they’re giving to Azure. There’s so much Microsoft out there, and they are migrating to Hyper-V,” says Foote.

PMI Agile Certified Practitioner (PMI-ACP)

The PMI-ACP tied for number three on the highest paying IT certifications. It’s currently receiving an 11 to 15 percent skills premium pay, and according to Foote’s predictions, that is likely to increase as demand for everything agile increases, not just agile project management. “We will introduce Certified Scrum Master next quarter, and that will be on our hot list for certain because it addresses the demand for agile skills,” says Foote.

Lean SixSigma

Another newcomer to the list of highest paying IT certifications, SixSigma is making its move, and it’s hot according to Foote, who says, “There is no standard certification body for Six Sigma, but instead many certification services are offered by various associations. But that doesn’t negate the fact that it’s a hot certification to have.”

Master BlackBelt grew 9.1 percent in value in the last 3 months, and the Black Belt gained 12.5 percent in the same period.

EC-Council Computer Hacking Forensic Investigator

It’s no secret as to why the next two certifications have made the list; security is on everyone’s mind these days with each day bringing another news story of a major data breach.

In fact, EC-Council’s Computer Hacking Forensic Investigator certification, a new entry to the highest paying IT certification list, gained an astounding 66.7 percent over the 12 months.

Certified Secure Software Lifecycle Professional (CSSLP)

In 2014, any talk of hot security certifications has to include CSSLP. In the last 3 months, it’s grown 17 percent, and in the last 12 months there has been a 40 percent growth in premium pay. It’s also tied for number two on Foote Partners’ highest paying IT certifications list.

Cloudera Certifications

The Professional: Data Scientist has only recently been included in Foote Partners’ research. In the time they have been tracking this cert, it’s hit the top of the highest paying IT certifications, coming in tied for number 5. “We just added this to our Skills Pay Index because people were asking for it. It includes a pretty tough lab/practicum where you have to really do the stuff, not simply complete a written test,” says Foote.

Number six on the list of highest paying certifications is Certified Developer for Apache Hadoop. Hadoop development and big data are both areas increasing in demand as organizations use them to simplify processes, decrease time to production, and gain a competitive advantage.

Cisco Certified Design Expert (CCDE)

Another data certification, the CCDE is hot according to Foote, but not according to the numbers. It hasn’t made any significant gains over the last 12 months, but there is a reason. The CCDE is hot, Foote says, “…specifically for companies moving network functions to virtualization, migrating to cloud, doing SDN, etc.”

Highest paying IT certification premiums

For those who are most interested in which IT certifications are paying the most with employers, here’s a comprehensive list. These certifications round out the top three. It’s also worth noting that CWNP, AWS Certified Solutions Architect – Professional, Cloudera Certified Professional: Data Scientist, EMC Data Science Associate, Certified Computer Examiner, EC-Council Computer Hacking Forensic Investigator, GIAC Certified Penetration Tester, and TOGAF 9 all are new to Foote Partners’ list of highest paying IT certifications for 2014.

[Source: InfoWorld]

What Heartbleed Taught Us

The year 2014 has been dubbed “The Year of the Cyberattacks” before it even reached the halfway point, with aftershocks from Heartbleed still being felt weeks later. But did you know that attacks and bugs like Heartbleed are often 100 percent preventable? Simply put, best IT practices can create red flags before damage can be done. But, when humans are involved, laziness and shortcuts can lead to missed security steps. Technology, of course, is programmed and designed by humans, so the possibility for human error in technology is everywhere.

And it is not just human fault here, but also the technology. This is a two-pronged fork. According to security expert Richard Kenner, programs should never read from the same place in memory where they were written. That is security safety 101, but that is exactly what happened with Heartbleed. It has already been estimated that millions of dollars are being paid out by enterprises affected by Heartbleed, but what lessons can be learned from this?

Technology: Not as cutting edge as you think

Kenner points out that the programming language involved in Heartbleed is more than 40 years old; and even though new languages have been developed (and are arguably safer), that doesn’t mean they have been adopted. In addition to keeping up with languages and improving upon them, best practices simply were not followed in order to stop Heartbleed. There is technology available that ensures programs meet key properties (like that pesky reading from memory writing issue), but most companies fail to utilize it.

“The program that contained the Heartbleed bug did exactly that and an attempt to prove that it didn’t would have quickly found the bug, as would the use of certain tools that also detect this type of error,” says Kenner.
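The property Kenner is describing is a bounds check on a length that arrives over the wire: the program must not read more bytes than it actually received, whatever the peer's length field claims. The following is an added C example, not code from the article, from Kenner, or from OpenSSL. The three-byte record format, the function names and the sample records are constructed for this example; the parser answers a request only after comparing the declared payload length against the bytes it really holds, which is the check whose absence a static analyzer or a proof attempt would flag.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (hypothetical, for this example only):
 *   byte 0     : record type, REC_TYPE_REQUEST for an echo request
 *   bytes 1..2 : declared payload length, big-endian
 *   bytes 3..  : payload
 */
enum { REC_HEADER_LEN = 3, REC_TYPE_REQUEST = 1 };

/* Build a well-formed request record around payload.
 * Returns the total record length, or 0 if it does not fit. */
size_t build_record(const uint8_t *payload, size_t len,
                    uint8_t *buf, size_t cap)
{
    if (payload == NULL || buf == NULL) return 0;
    if (len > 0xFFFF || cap < REC_HEADER_LEN + len) return 0;
    buf[0] = REC_TYPE_REQUEST;
    buf[1] = (uint8_t)(len >> 8);
    buf[2] = (uint8_t)(len & 0xFF);
    memcpy(buf + REC_HEADER_LEN, payload, len);
    return REC_HEADER_LEN + len;
}

/* Parse a request held in rec[0..rec_len) and copy its payload into out.
 * Returns the number of payload bytes echoed, or -1 for a malformed record.
 * rec_len is the byte count actually received from the network; the
 * declared length inside the record is untrusted input. */
int echo_reply(const uint8_t *rec, size_t rec_len,
               uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL) return -1;
    if (rec_len < REC_HEADER_LEN) return -1;      /* header incomplete */
    if (rec[0] != REC_TYPE_REQUEST) return -1;

    size_t declared = ((size_t)rec[1] << 8) | rec[2];

    /* The property the article talks about: a reply may only echo bytes
     * that were actually received. Without this line the memcpy below
     * would read past the end of rec whenever declared > real payload. */
    if (declared > rec_len - REC_HEADER_LEN) return -1;

    /* The output buffer is ours, so it gets its own bound as well. */
    if (declared > out_cap) return -1;

    memcpy(out, rec + REC_HEADER_LEN, declared);
    return (int)declared;
}

int main(void)
{
    uint8_t rec[64], out[64];
    const uint8_t hello[] = "hello";           /* constructed sample payload */

    /* Honest record: declared length matches the bytes sent. */
    size_t n = build_record(hello, 5, rec, sizeof rec);
    int got = echo_reply(rec, n, out, sizeof out);
    printf("honest record: echoed %d bytes\n", got);

    /* Lying record: same 5 payload bytes, header claims 65535. */
    rec[1] = 0xFF;
    rec[2] = 0xFF;
    got = echo_reply(rec, n, out, sizeof out);
    printf("lying record: result %d (rejected)\n", got);
    return 0;
}
```

The bug class is independent of the record format: any time a length travels inside the data it describes, the parser needs a comparison between that field and the number of bytes it actually holds before it indexes memory. Tools that check memory-safety properties report exactly the `memcpy` reachable without that comparison.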

There are also other best practices, such as ensuring that security services do not transmit private information like passwords, usernames or identifiers. That sounds like a given, but it is (unfortunately) common practice.

Moving forward

Lessons to be learned from Heartbleed include: Creating safer passwords, changing them regularly and only using one password per web site. Additionally, web sites need to make better use of one-time passwords, which can be annoying but can prevent information from being hacked.

I advise using client certificates, even if they are a bother to acquire, because they are proof that you really are who you say you are. Many of these precautions can take a little extra time, and time is notoriously what many professionals do not have.

Perhaps the biggest flaw that led to the Heartbleed outbreak is that only a small handful of executives, far from experts in technology and security, were put in charge. They had full plates, they did not understand what was at stake, and they too easily put this task on the back burner.

When a small group of people assumes someone else is taking care of things, that opens up a world of vulnerability. It all comes back to proper management at every level and better communication between IT and the rest of the staff to make sure everyone is on the same page.

Larry Alton
Business consultant

[Source: ISACA]

Guide to Implementing the NIST Cybersecurity Framework

Data breaches and cyberattacks are becoming more and more common, causing many organizations to increase their spending on cybersecurity. But even with an increased security budget, cyberattacks continue to put important business systems at risk. To help overcome this problem, US President Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, calling for the creation of a voluntary, risk-based framework for improving cybersecurity. In response to the EO, the National Institute of Standards and Technology (NIST) led the development of the Cybersecurity Framework (CSF). Input from industry, such as owners and operators of critical infrastructure, was a significant part of the development. Many organizations recommended ISACA’s COBIT as a good example of a cross-sector security framework and guideline that is technology neutral and addresses cyber risks. Since its release, organizations have been able to use the CSF to help them implement security measures. The new ISACA guide on Implementing the NIST Cybersecurity Framework helps organizations in this process by describing how to use existing ISACA methods to effectively implement the CSF.

As a participant in the development of the CSF, ISACA helped incorporate key principles from the COBIT framework. Since these COBIT principles are embedded in the Cybersecurity Framework, organizations can use COBIT processes to seamlessly and effectively implement the CSF. Though the CSF does not recommend specific methods to meet the intended objectives, the ISACA guide acts as an extension to the CSF, providing recommended methods for applying CSF concepts. Specifically, the ISACA guide aligns to each CSF step, and provides organizations with COBIT activities and processes that can be used when implementing the CSF. Additionally, ISACA provides a toolkit containing templates for planning, assessing and recording CSF activities. Because the COBIT processes suggested in the ISACA guide have been proven through years of ISACA success, this approach provides organizations with an effective, measurable way to implement the CSF, and improve their cybersecurity program.

As directed by the EO, the CSF provides a prioritized, flexible and cost-effective approach to address cybersecurity. Applying that framework using proven ISACA methods will help you enable your enterprise to achieve effective governance and management, which benefits its stakeholders.

Kristen LeClere
Security Engineer, G2 Inc.

[Source: ISACA]
