Friday 22 January 2021

Data Loss Prevention: Artificial Intelligence vs. Human Insight

The cybersecurity landscape continues to evolve as cybercriminals become ever more sophisticated, and digital security tools accelerate to mitigate the risks as much as possible. 2020 presented even more opportunities for hackers to strike, for example, using email phishing scams such as purporting to be authentic PPE providers, or from HMRC to dupe unsuspecting victims. More recently we have seen how phishers are now using the vaccine rollout to trick people into paying for fake vaccines. 

Artificial Intelligence and Machine Learning have been heralded as innovative technologies to help thwart evolving exploits and are a key part of any cybersecurity arsenal. But AI is not necessarily the right tool for every job. Humans are still able to perform intricate decision making far better than machines, especially when it comes to determining what data is safe to send outside of the organisation. As such, relying on AI for this decision making can cause issues, or worse, lead to leaked data if the AI is not mature enough to fully grasp what is sensitive and what is not. So where can AI play an effective part in a cyber defence strategy and where can it present challenges to the user? Oliver Paterson, Product Expert VIPRE Security Awareness Training and SafeSend, explains.

Spotting Similarities
One of the primary challenges for AI to mitigate the risk from accidental insider breaches is being able to spot similarities between documents or knowing if it is ok to send a particular document to a specific person. Company templates such as invoices appear to be very similar each time they are sent, with minor differences that typically, Machine Learning and AI fail to pick up. The technology will register the document as it usually would, despite there being very few differences in the numbers or words used, and would typically allow the user to send the attachment. Whereas in this example, a human would know which invoice or sales quote should be sent to which customer or prospect.

Deploying AI for this purpose in a large corporation would likely only stop a small proportion of emails from being sent. But even when the AI detects an issue to flag, it will alert the administration team rather than the user. This is because if the AI believes that the email shouldn’t be sent, it doesn’t want the user to override it and send the email anyway. This can therefore become an additional burden for the admin team and cause frustration for the user at the same time.

Data Storage
AI can also be very data-intensive when used for this defence strategy. This is due to the fact that in this setup, every email must be sent to an external system, off-site, to be analysed. Especially for industries that deal with highly sensitive information, the fact that their data is going somewhere else to be scanned is a concern. Moreover, with Machine Learning, the technology has to keep a part of this sensitive information in order to learn rules from it and use it again and again, to make an accurate decision the next time. Given the Machine Learning nature of these types of solutions, they cannot work straight off the shelf, but have a learning phase that lasts a few months, and therefore cannot provide instant security controls.

Understandably, a lot of companies, especially at enterprise-level, are not comfortable with their sensitive data being sent elsewhere. The last thing they want is it being stored off-site, even if it is just for analysis. AI, therefore, adds an unnecessary and unwanted element of risk to sensitive material.

The Role of AI in Cybersecurity
AI does have a critical role to play in many elements of a business’ cyber defence strategy. Antivirus technology, for example, operates a strict ‘yes or no’ policy as to whether a file is potentially malicious or not. It’s not subjective, through a strict level of parameters, something is either considered a threat or not. The AI can quickly determine whether it’s going to crash the device, lock the machine, take down the network and as such, it is either removed or allowed. It is important to note that VIPRE uses AI and ML as key components in their email and endpoint security services for example as part of their email security attachment sandboxing solution where an email attachment is opened and tested by AI in an isolated environment away from a customer’s network.

So while AI might not be an ideal method for preventing accidental data leakage through email, it does have an important part to play in specific areas such as virus detection, sandboxing and threat analysis.

With so much reliance on email within business practices, accidental data leakage is an inevitable risk. The implications of reputational impact, compliance breach and associated financial damage can be devastating. A cyber-aware culture with continuous training is essential, and so is the right technology. Providing a technology that alerts users when they are potentially about to make a mistake – either by sending an email to the wrong person or sharing sensitive data about the company, its customers or staff – not only minimises errors, it helps to create a better email culture. Mistakes are easily made in a fast-paced, pressured working environment – especially with the increase in home working not providing the immediate peer review that many are used to. But rather than leaving this responsibility to Artificial Intelligence, this type of technology, combined with trained human insight, can enable users to make more informed decisions about the nature and legitimacy of their email before acting on it. Ultimately, supporting organisations to mitigate against this high-risk element of business, and reinforcing compliance credentials through a cyber-aware culture

Tuesday 5 January 2021

The Top Cybersecurity Certifications in 2021

What are the Most Valued Cybersecurity Certifications in 2021?
This is an important question for employers, recruiters, seasoned security professionals, and especially for those planning a cybersecurity career. The Information Security Careers Network (ISCN) recently surveyed its LinkedIn community of over 90,000 members about the 50 leading cybersecurity industry certifications and courses. The results of which have been compiled into the following definitive top ten list of the most desired cybersecurity certifications in 2021.

CyberSecurity Certificates in High Demand by Employers
The Top Ten CyberSecurity Certificates and Courses

10. SANS Penetration Testing Courses
The selection of penetration testing courses and certifications offered by the SANS Institute are well regarded for helping both beginners and experts alike to increase technical cybersecurity expertise and paygrades. The SANS/GIAC Penetration Tester (GPEN)
9. Cybersecurity or Information Security University Degree
A cybersecurity or information security university degree is recommended for those looking to 'jumpstart' into a cybersecurity career, and for those seeking senior management and leadership roles as a career goal. However, most cybersecurity professionals surveyed by ISCN did not rate a degree as valuable to building up a ‘real world’ experience within dedicated junior security roles.

First or second class cybersecurity themed degrees with work experience (i.e. a sandwich course) from a reputable university can help a candidate's CV stand out from the crowd, but don't expect to walk straight into senior security professional roles without building up years of in-role experience.

The Times Higher Educational guide provides a list of the top universities offering computer science degrees.

8. Certified Cloud Security Professional (CCSP) by ISC2
Despite dropping a couple places from last year's ISCN survey, the Certified Cloud Security Professional (CSSP) from ISC2 remains popular among survey respondents, with 15% of them stating their intention to complete the course within the next 12-24 months.  

The popularity of CSSP has grown due to the migration from on-premise IT to cloud computing systems in recent years, with organisations short of expert security resources to help secure the cloud services which they are now highly dependent upon. 

CSSP is suitable for mid to advanced-level professionals involved with information security, IT architecture, governance, web and cloud security engineering, risk and compliance, as well as IT auditing. CCSP credential holders are competent in the following six domains:
  • Architectural Concepts and Design Requirements
  • Cloud Data Security
  • Cloud Platform and Infrastructure Security
  • Cloud Application Security
  • Operations
  • Legal and Compliance
Aside from the passing the CCSP exam, to achieve the certification, ISC2 requires information security professionals have a minimum of 5 years of work experience, including a minimum of 1 year of cloud security experience and 3 years of information security experience

7. CompTIA Security+
CompTIA Security+ is considered one of the best introductory security qualifications, suited for those taking their first steps in building a cybersecurity career.  As a globally recognised security certification, holding the CompTIA Security+ certification demonstrates knowledge of the baseline skills necessary to perform core security roles and functions. 

CompTIA Security+ provides a good platform to build an IT security career, useful for gaining junior security roles to help buildup all-important in-role experience and serves as a good foundation in taking on the more advanced topics found on the elite security certifications. 26% of survey respondents praised CompTIA Security+ relevance to real-world scenarios.

6. Certified Chief Information Security Officer (CCISO) by EC-Council
Increasing in popularity in recent years is the Certified Chief Information Security Officer (CCISO) by the EC-Council, which is suitable for those seeking to be promoted into senior managerial, leadership, and executive-level positions. 
33% of cybersecurity professionals stated that this course is one of the best for equipping participants to succeed in managerial positions. 

CCISO is considered the industry-leading CISO role training course. To achieve this certification, five years of experience is required in each of the course's five domains, along with passing the CCISO exam.
  1. Governance and Risk Management
  2. Information Security Controls, Compliance, and Audit Management
  3. Security Program Management and Operations
  4. Information Security Core Competencies
  5. Strategic Planning, Finance, Procurement, Vendor Management
5. Cisco Certified Network Professional (CCNP) Security
The Cisco Certified Network Professional certification (CCNP) Security remains a network security certification desired by employers, with 23% of surveyed respondents citing CCNP Security as a certification in demand. As a professional technical certification, Cisco's CCNP requires the passing of a core exam and a 'concentration exam' of your choice.

4. Certified Ethical Hacker (CEH) by EC-Council
EC-Council’s Certified Ethical Hacker (CEH) qualification consistently ranks near the top of security accreditations which are in highest demand within the security industry. The CEH course teaches practically on how to use the latest commercial-grade hacking tools, techniques, and methodologies to ethically and lawfully hack organisations.

The CEH online training course covers 18 security domains, comprehensively covering over 270 attack methods and technologies, while the certification requires passing a four-hour 125 exams questions the course domains, technologies, and hacking techniques.  Achieving CEH certification will open the door to financially lucrative and in high demand penetration tester roles, so little surprise that 21% of respondents stated their intent take CEH course within the next 12-24 months.

The EC-Council also provides following well-valued courses and certifications which didn't quite make it into this top ten.
3. Certified Information Security Manager (CISM) by ISACA
As its title suggests, the Certified Information Security Manager (CISM) by ISACA is suited for security management roles and is one of the most respected certifications within the security industry.  The CISM is not suited for beginners, a minimum of five years dedicated in role cybersecurity \ information security experience is required to take the course. 

The CISM course is designed for security managers, so has a strong focus on governance, strategy, and policies, which are split across four subject matter domains:
  1. Information Security Governance (24%)
  2. Information Risk Management (30%)
  3. Information Security Program Development and Management (27%)
  4. Information Security Incident Management (19%)
According to a 2020 salary study by Forbes, CISM was 3rd place overall with an impressive annual salary of £110,000 ($148,622 USD), which was the highest dedicated security certification listed by the study.

2. PWK OSCP by Offensive Security

As an online ethical hacking course, it is self-paced and introduces penetration testing tools and techniques through hands-on experiences. PEN-200 trains not only the skills but also the mindset required to be a successful penetration tester. Students who complete the course and pass the exam earn the Offensive Security Certified Professional (OSCP) certification.

The course was ranked highly in the survey results.  Cybersecurity professionals said the course provided strong relevance to the ‘real world’, ranking the OSCP qualification in second place in terms of how much it was ‘in-demand’ by employers.

1. Certified Information Security Professional (CISSP) by ISC2
The ISC2 Certified Information Systems Security Professional (CISSP) remains the security certification in the greatest demand within the security industry. A whopping 72% of those surveyed said the CISSP certification was in the most in-demand by employers.

CISSP is a longstanding and globally well-respected information security professional certification. Like the CISM, the CISSP is not aimed at beginners. The certification requires 5 years of information security in role experience, or 4 years if you hold a cyber / information security-related degree. 

The CISSP three-hour exam of 100 to 150 questions has proven notoriously difficult to pass for some because the CISSP course covers a very broad spectrum of information security disciplines, which are split across eight domains.  

The CISSP 8 domains are:
  1. Security and Risk Management (15%)
  2. Asset Security (10%)
  3. Security Architecture and Engineering (13%)
  4. Communication and Network Security (13%)
  5. Identity and Access Management (IAM) (13%)
  6. Security Assessment and Testing (12%)
  7. Security Operations (13%)
  8. Software Development Security (11%)
ISC2 also offer several CISSP 'concentrations' courses and exams for those holding the CISSP accreditation, which demonstrates an advanced knowledge in specific areas of security. While CISSP concentrations tend not to be specifically sorted by employers in job ads, CISSP concentrations can help you to stand out from the crowd as a specific security subject matter expert.

For those nearer the start of their cybersecurity career journey, ISC2 offer the Associate of ISC2, as a gateway towards achieving the CISSP.

Let us know your top ten in the comments.

Survey data for this post is kindly provided by the Information Security Careers Network (ISCN).

Friday 1 January 2021

Cyber Security Roundup for January 2021

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, December 2020.

A suspected nation-state sophisticated cyber-attack of SolarWinds which led to the distribution of a tainted version the SolarWinds Orion network monitoring tool, compromising their customers, dominated the cyber headlines in mid-December 2020.  This was not only one of the most significant cyberattacks of 2020 but perhaps of all time. The United States news media reported the Pentagon, US intelligence agencies, nuclear labs, the Commerce, Justice, Treasury and Homeland Security departments, and several utilities were all compromised by the attack. For the full details of the SolarWinds cyber-attack see my article Sunburst: SolarWinds Orion Compromise Overview

Two other cyberattacks are possibly linked to the SolarWinds hack was also reported, the cyber-theft of sophisticated hacking tools from cybersecurity firm FireEye, a nation-state actor is suspected to be responsible. And the United States National Security Agency (NSA) advised a VMware security vulnerability was being exploited by Russian state-sponsored actors.

Amidst the steady stream of COVID-19 and Brexit news reports, yet another significant ransomware and cyber-extortion attack briefly made UK headlines. Hackers stole confidential records, including patient photos, from UK cosmetic surgery chain 'The Hospital Group', and threatening to publish patient's 'before and after' photos. The UK cosmetic surgery firm, which has a long history of celebrity endorsements, confirmed it was the victim of a ransomware attack, and that it had informed the UK's Information Commissioner's Office about their loss of personal data.

Spotify users had their passwords reset after security researchers alerted the music streaming platform of a leaky database which held the credentials of up to 350,000 Spotify users, which could have been part of a credential stuffing campaign. Security researchers at Avast reported 3 million devices may have been infected with malware hidden within 28 third-party Google Chrome and Microsoft Edge extensions.

A McAfee report said $1 Trillion was lost to cybercrime in 2020, and companies remained unprepared for cyberattacks in 2021.

Stay safe and secure.