The Cybersecurity Canon: Breakpoint

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Breakpoint (2007) by Richard Clarke

In an earlier entry I looked at Richard Clarke’s Cyber War, and this time around I’ll look at how Clarke jams a boatload of cutting edge cybersecurity ideas into this slim, Michael Crichton-esque political thriller. Clarke wrote it in 2007 but set it in the near future of 2012, and when I say there is a boatload of information, I am talking about yacht-sized, not dinghy-sized.

The bad guys in this novel execute most of the cyber fantasy attacks against the United States that any group of cybersecurity geeks (including myself) could conjure up after a few beers sitting around a bar at the annual Black Hat / DEFCON conventions in Vegas (incidentally, one of the settings in the book).

Clarke gives us bombings of US beachhead routers on both coasts that reduce inbound and outbound internet traffic to just 10 percent, buffer overflow attacks against a communications satellite that sends it reeling out to space, SCADA attacks that blow up a research institution with a live nuclear reactor and a well-coordinated SCADA attack that takes out all power west of the Mississippi. Of course, in the novel, US government leadership, specifically the Intelligence Community (IC), thinks the Chinese are behind everything and they put all of their efforts into proving it.

All of these “fantasy” attacks are quite possible in the real world and the cybersecurity community has been talking about them for at least the last decade. At Palo Alto Networks, for example, we spend a lot of time looking at SCADA security and the challenges in securing such systems. (One of our experts, Del Rodillas, is speaking on the topic at an ISC-ISAC event on January 22.)

Clarke definitely knows the landscape. Before he retired from government service, he served three different Presidents as the Special Assistant to the President for Global Affairs, the National Coordinator for Security and Counterterrorism and the Special Advisor to the President for Cybersecurity. The political theory behind these acts is known as Escalation Dominance. It is the idea that China, or any government really, would launch some kind of attack against the US that would hurt the country in an effort to prove that they could launch a much larger attack that would really hurt if the US did something that the opposing government did not like.

Why Read It

In the afterword to this novel, Clarke said that it was easier to talk about these issues in a fictional setting than it was to talk about them in dry, academic and political journals. I concur – and that’s one reason why I’ve included novels and “lighter” books in my selections for the Cybersecurity Canon. The truth is that many of these things are much more exciting and frightening when splashed across the fictional page.

This is a good read. Clarke’s story races across 10 days in March of 2012 as our heroes, Susan Connor – an agent for the Intelligence Analysis Center (IAC) – and Jim Foley – an ex-marine on loan to the IAC from the NYPD — try to out-think the US Intelligence Apparatus and Law Enforcement community and track down the real culprits behind the Internet attacks. Critics have taken Clarke to task for his wooden characters in the story, but I found that not to be true. I liked his portrayal of the misguided Internet billionaire especially and I liked the way he portrays New York and Boston cops.

The bottom line here is that this book is a fun political thriller that gets the cybersecurity stuff right. I recommend it.

Understanding a Zero Trust Approach to Network Segmentation

Lately you’ve heard us talking a lot about Zero Trust, an architectural approach to enterprise security that uses “never trust, always verify” as its guiding principle.

First proposed by Forrester Research, a Zero Trust approach means there is no default trust for any entity, regardless of what it is and its location on or relative to the corporate network. With Zero Trust boundaries, you’re compartmentalizing different segments of your network. You can protect critical intellectual property, reduce the exposure of vulnerable systems, and prevent the lateral movement of malware throughout your network in a way other segmentation solutions – including the use of VLANs – do not.

True Zero Trust segmentation requires an enterprise security platform that addresses applications, users and content – and that’s exactly what Palo Alto Networks provides through secure access, inspection of all traffic, and advanced threat protection.

We’re pleased to share a range of new resources to help you get started with critical Zero Trust concepts:

  • Our Zero Trust resource page includes detailed discussions of the Zero Trust concept and links to videos, Forrester research and how we address segmentation for PCI compliance.
  • Our Zero Trust whitepaper itemizes the essential criteria and capabilities required of a Zero Trust solution, and also how the Palo Alto Networks next-generation security platform delivers on these requirements.
  • Our upcoming Zero Trust event in New York City, this Thursday, March 27 at 12:00 p.m. EST, will provide guidance on how to implement a Zero Trust model from Forrester Research Vice President and Principal Analyst John Kindervag and Palo Alto Networks technical experts. Register now.

And if you’ll be joining us at Ignite 2014 in Las Vegas next week, we will have several sessions devoted to Zero Trust as part of our Modern Data Centers track. Register now for Ignite if you haven’t already, and we’ll see you there!

In the meantime, check out a recent video with John Kindervag and me discussing Zero Trust and what it means for customers:

[Source: Palo Alto Networks Research Center]

Palo Alto Networks and Cyvera: Delivering a Next-Generation Enterprise Security Platform

Nine years ago, we forever changed the network security industry with the introduction of the next-generation firewall. This breakthrough architecture brought unparalleled control through the safe enablement of applications, and exceptional levels of protection by blocking all known threats operating across a multitude of different vectors. Two years ago, we again changed the industry with the introduction of WildFire and a next-generation threat cloud that focused on detecting and defending against the most advanced, unknown threats. With over 16,000 customers, our strategy and leadership position are firmly set.

With today’s announcement of our intent to acquire Cyvera, we are turning the page and looking to once again disrupt the security industry. Attackers are absolutely having their way with the endpoint. Traditional signature-only or detection-only defenses are simply ineffective at blocking advanced attacks. Together with Cyvera, we have something to say about that.

The composition of today’s cyber attacks typically involves three stages: identify a new vulnerability, employ a technique to exploit that vulnerability, and use that vulnerability to then launch malware and ultimately take control of the endpoint. Each year, thousands of new vulnerabilities emerge. And with millions of new malware instances found each year that increasingly are capable of evading existing controls, traditional security approaches simply aren’t effective. A new approach is required. One that doesn’t rely on post-breach forensics alone or remediation performed by expensive consultants.

Cyvera is an absolute standout. They’ve come up with a completely different approach: one that will forever change the endpoint security industry. While there is a limitless supply of vulnerabilities and malware, attackers are relegated to the use of a small number of techniques they can employ to exploit those vulnerabilities. In fact, there are a few dozen techniques today that can be used with an average of 2-4 new techniques added each year. Cyvera’s approach is simple: understand the techniques then employ a series of roadblocks and traps to prevent an attacker from successfully exploiting that vulnerability. Cyvera’s approach has been so powerful that they’ve successfully stopped every published zero-day attack since they first began deploying their product.

The combination of Cyvera, our next-generation firewall, and our next-generation threat cloud represents the most innovative, integrated, and automated enterprise security platform in the market. As we bring this acquisition to a close we look forward to sharing many more details with you. Our two companies have had a longstanding relationship that’s only going to grow as we bring our technologies together to offer the most effective approach to protecting you from the most advanced cyber attacks.

[Source]: http://media.paloaltonetworks.com/lp/endpoint-security/index.html

5 Reasons Security Certifications Matter

There’s a lot of buzz around how certs aren’t important. I’m calling BS, and here’s why.

As thousands of cybersecurity professionals converge in San Francisco at the RSA Conference, I thought I would throw my two cents in on the certification debate. To wit, there’s a lot of buzz about the assertion that softer analytics skills matter more than certifications. I’ve even heard people say some security certs detract from a resume.

You know the No. 1 attribute of people claiming security certifications don’t matter? They don’t have any. In my years of experience placing security pros in good jobs, it’s that simple. Having the right certifications matters, and here’s why.

1. You will make more money. The 682 IT security professionals responding to the security cut of InformationWeek’s 2013 U.S. IT Salary Survey are unequivocal: Security staffers holding any security certification (CISSP, CISA, CISM) average $101,000 in total compensation vs. $87,000 for those with no certs. For managers, the spread is $130,000 vs. $121,000. Do you really need another reason?

2. Certs show your commitment to the security field. I know you’re serious about cybersecurity as a career, otherwise you wouldn’t be reading this. But how will a hiring manager know?  Easy — by scanning resumes to see which applicants are committed enough that they’re willing to spend free time studying and doing homework, often paying for the privilege out of their own pockets. Just 44% of security staffers and 49% of managers in the salary survey expected to get certification reimbursement.

Most of us were not Jeff Spicoli, but admit it, we hated homework as kids. We couldn’t wait to grow up so we could spend our free time (and cash) doing just about anything else. I know a person who burned a full week of vacation and paid for lodging to obtain his Cloud Security certification.  As an employer and a hiring manager, that tells me he wants to become better. He’s the type of security professional that any company would be fortunate to have.

3. Certs make you more attractive to potential employers. Building on the above, obtaining a security certification shows you respect the industry and take pride in your profession. That kind of attitude is contagious. Moreover, it shows you’re smart enough to know what you don’t know and look to improve. It takes gumption to acknowledge that there are areas of one’s professional experience that could use a boost. Team members see this, and it rubs off.

All that adds up to a great employee. That hiring managers get this is a no-brainer. In a side-by-side comparison of otherwise equal candidates, most prefer the one with certs. Don’t take my word for it — check out the ISC2 Global Information Security Workforce Study. It concluded that almost 70% of respondents view certs as a reliable indicator of competency when hiring, and almost half require certification.

4. Certs jump out when robots and spiders crawl resumes. Most, if not all, resume reviews begin with an electronic search. The HR pro types in some keywords and voila. I know from experience that people conducting keyword searches typically begin narrowly and expand only if early results fail. “Narrowly” means entering in a comprehensive (read: long) list of keywords, and I guarantee that at least one certification will be among them. If your resume includes those magic letters, it will always help you get on the fast-track through the electronic screening process.

Plus, the InformationWeek security salary survey shows you’ll be in the minority if you don’t have any certifications.

5. You become a member of a club. While it might not be as glamorous as joining Bushwood Country Club, earning a certification grants you membership to an exclusive club. This association affords you the opportunity to network with like-minded individuals, share information, and gain ongoing knowledge. You can attend conferences, webinars, and have access to information provided only to members. Again, a career win/win for you and your employer.

Now, before leaving an angry comment, I am not implying that you are not serious, a great team player, and worthy of a job if you don’t have security certification(s). We all know a certification is not more important than experience. But the two combined is a powerful and delicious combination. Peanut butter is great on its own. Add jelly and it’s irresistible to hiring managers.

Mark Aiello is President of Cyber 360 Solutions, a cyber-security professional services and staffing firm headquartered in Boston. Cyber 360 Solutions is a division of Staffing 360 Solutions, a publicly listed company in the global staffing sector engaged in the acquisition of domestic and international staffing organizations with operations in the United States, Europe, and India. Previously, Mark was founder and CEO of The Revolution Group and secureRevGroup.

[Source: InformationWeek]

20 Technology Certifications That Are Paying Off

Summary: Certifications ranging from software lifecycle management to cloud and database architecture to project management are hot skill areas for the year ahead.

The U.S. Census Bureau recently released estimates that more than one in four of the working-age population has obtained a professional certification, license or educational certificate apart from a post-secondary degree awarded by a college or university. For managers and professionals in the fast-changing digital and tech economy, certifications may be the only way to keep skills current and relevant. Areas in hot demand right now — such as data science and analysis, cloud development, and open-source scripting languages — were not even around five years ago.

Certifications and accreditations are delivering positive results for both IT professionals and their employers. Foote Partners released its latest estimates of pay and premium rates for a range of IT skills, and finds that IT professionals with certifications are continuing to see an edge in their compensation. The trend continues upward in the aftermath of the economic trough of 2008-2010.

Extra pay specifically awarded to talented IT professionals for 354 noncertified IT skills and 296 IT certifications—also known as ‘skills premiums’—increased in the fourth quarter of 2013, the consultancy finds. “It is only the third time since 2010 that both certified and noncertified skills categories have recorded pay gains in the same calendar quarter, the result of the reversal of a long running slump in market values for certifications dating back to 2006,” the consultancy observes.

The skills premium index has been tracking more than 2,500 North American employers and 150,000 IT professionals since 1999.

The top gainers in the last quarter include the following certification categories:

  • Systems Administration/Engineering certifications: +2.5% (in market value)
  • Information Security certifications: +2.0%
  • Database certifications: +1.2%
  • Networking & Communications certifications: +1.2%
  • Architecture/Project Management/Process certifications: +1.0%
  • Applications Development/Programming Lang. certifications: +0.9%

Here are the top 20 certifications that Foote predicts will continue to increase in value during the first half of 2014:

  1. Certified Secure Software Lifecycle Professional (CSSLP)
  2. CWNP/Certified Wireless Network Expert
  3. GIAC Certified Forensics Analyst (GCFA)
  4. GIAC Certified Penetration Tester (GPEN)
  5. GIAC Web Application Penetration Tester (GWAPT)
  6. HP ASE Cloud Architect V2
  7. HP/Master ASE–Data Center and Cloud Architect V1
  8. Information Systems Security Engineering Professional (ISSEP/CISSP)
  9. InfoSys Security Architecture Professional (ISSAP/CISSP)
  10. Microsoft Certified Solutions Master (all)
  11. Open Group Certified Architect (Open CA)
  12. Open Group Master Architect
  13. Oracle Certified Professional, MySQL 5 Developer
  14. Oracle Certified Expert MySQL 5.1 Cluster Database Administrator
  15. Oracle Certified Professional MySQL 5 Database Administrator
  16. PMI Risk Management Professional
  17. PMI Agile Certified Practitioner (PMI-ACP)
  18. Red Hat Certified Architect (RHCA)
  19. Teradata 12 Certified Enterprise Architect
  20. VMware Certified Design Expert – Cloud (VCDX-Cloud)

Joe McKendrick is an author, consultant and speaker specializing in trends and developments shaping the technology industry.

[Source: ZDNet]
