Welcome to Cyber Security Today. From Toronto, this is the Week in Review edition for the week ending Friday July 8th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by Terry Cutler, head of Montreal’s Cyology Labs. But first a look back at some of the bigger news that happened in the past seven days:
A report from a big insurance broker says the rate of increases in cyber insurance is slowing. Terry and I will look at that. We’ll also examine a report that small and medium-sized businesses are still slow adopting multifactor authentication. And we’ll discuss whether people who want to start a career in cybersecurity should get a university degree or IT certifications — or both.
Someone is selling what they say is stolen data on 1 billion Chinese residents held by the Shanghai police department. If true, that would be data on almost everyone in the country. No one has yet verified the volume of the claimed stolen data. As of the recording of this podcast Shanghai police hadn’t commented.
A Marriott hotel staffer in Baltimore was tricked last month into giving a threat actor access to their computer. The attacker then copied personal and corporate data on that machine. That’s what the international hotel chain told DataBreaches.net this week. The news service quotes Marriott as saying there’s no evidence the attacker got into any other computer. Marriott said it will be notifying more than 300 people about the theft of their information.
Security teams used to looking for signs of the Cobalt Strike beacon in their IT environment as evidence of compromise have another indicator to look for. It’s called Brute Ratel. Like Cobalt Strike, Brute Ratel is a tool used by penetration testers. But Palo Alto Networks warns that threat actors are copying it to help further their cyber attacks.
Finally, American cyber agencies are warning that North Korean-sponsored hackers are using the Maui strain of ransomware to go after hospitals and research institutions in the healthcare sector.
(The following transcript has been edited for clarity. To hear the full discussion play the podcast)
Howard: I want to start with an issue that wasn’t in the headlines this week but is on the minds of cybersecurity leaders, and that’s the shortage of IT staff with cybersecurity skills to fill the needs of organizations.
I thought of this because on Tuesday I came across a Twitter thread started by cybersecurity podcaster Jack Rhysder who recalled that he graduated with a computer science degree from a major university but couldn’t find a job in the field for 10 years. It was only after he earned a certification for a network product from a particular manufacturer that he got a job and his career took off.
Which raises the question: If I want to start a career in cybersecurity, where should I begin? Is a university or college IT or cybersecurity degree enough? Should I also get a certification from Cisco/Microsoft/CompTIA or another source?
Terry Cutler: Here’s my personal experience: A year or two ago I hired an intern They were doing a three-year program in cybersecurity. But they didn’t have the proper skill set to even be employable on day one. And it was very frustrating because when I dug deeper [I found out] They learned from Powerpoint slides for almost three years. How is this possible? They had never even installed Windows 10 or [Linux] Kali. Then we found out things like the teacher is just one chapter ahead of the students. They’re not even in the field. When universities reach out to senior cyber security guys — and I’ve had the privilege of being one of them — a lot of times they don’t have the time to teach because it’s just too time-consuming. That’s exactly why we teach online, because we can update the curriculum whenever we want. Here’s the other challenge: People say they want to go into cyber security, but cyber security is an umbrella term. It’s so huge. Do you want to become a pen tester, an incident responder, a reverse malware engineer, a security architect or a product designer? One of the questions that I often get is where do I even start?
Here’s another thing: If you are not passionate about computers and cybersecurity this field will destroy you. You will burn out if you’re just in it for the money.
If you want to transition from regular IT and want to come into cyber security look for courses like the CompTIA A+, CompTIA Network+ and the ISC2 CISSP program. Those will get you well-rounded. From there you can decide what [or if] you want to specialize in. And If you’re a junior, or if you’re not even in this field yet, definitely apply for internships [while studying]. Your goal here is to try to prove your worth.
One problem is that students are promised hundred-thousand dollars salaries when they come out of school, which is not true … The demand is there, but you need to prove yourself.
Howard: I imagine it’s really hard for an IT leader who wants to hire — or is being forced to hire — a beginner to work solely or mainly on cyber security. I suspect everyone wants a staffer with at least five years of experience, and perhaps justifiably so because this is cybersecurity. Sometimes the fate of the company is on your shoulders. Are those doing the hiring for younger staff too demanding? Or let me put it in a different way: Is there a difference between an entry-level job in IT and an entry level job in cyber security?
Terry: I’ve seen postings looking for the unicorn cyber security expert, and it just makes no sense at all. Going back to the students being promised $100,000 when they come out of school, that number is far from the amount they’ll get. And that’s why they need to follow senior cyber security experts online, take their free courses, and watch their YouTube videos. Because in our videos we share real-life experiences. So if you’re able to assimilate that information you’ll be able to help protect the company you work for right now. The other thing is students should volunteer their time to earn an employer’s trust. It’s really great for folks like us. As an employer, we get solicited all the time and what makes you better than the next guy is gonna be drive and passion. And if you’re able to understand [device and application] auditing and all that kind of stuff then you have a leg up on the other guy. I get a lot of backlash online from students who say they’re never working for free. Pay me the big bucks because cyber security is in demand. But if you’ve got no experience, you’ve got to prove yourself. So I think by sharing your knowledge and applying at places where you can show your value is really going to help.
Howard: How did you start in IT, and what got you into cybersecurity?
Terry: I had a different track. When I graduated from high school I tried to take some college programming courses and hated it. It got to a point where I knew more than a teacher because I’d been passionate about computers since the age of 10. So I dropped out and started going into specialized courses. At the time I want to specialize in Novel technology — Netware and all these things. So I took courses on Novel networks and seven or eight years later I actually worked for Novel as a support engineer. But in 2005 or 2004 I started getting inspired by watching television shows like CIS and Jack Bauer [in 24], and I wondered, ‘How does Chloe O’ Brian break all those IT systems so fast?’ And that’s when I found a course called the certified ethical hacker, where they teach you the same techniques that the bad guys use to break in — except using these skills for good. I was able to convince my boss to send me to Washington to take this course, where I had the privilege of training with the FBI, the NSA and the Navy Seals who were students in my class. And from there I saw the opportunity to share my knowledge with the world. Companies need to know how they’re being hacked into, and individuals need to know how to protect yourself online. By pushing out a lot of content and doing a lot of volunteer work and not charging for things and getting testimonials and building up a personal brand is how I’ve been making influential lists around the world.
Howard: It’s certainly different than when you and I were in high school. Today throughout Canada and the U.S. there are a number of high schools where you can take IT courses. They include a cyber security component, or after school there’s cyber security training that you can take. Governments in both countries support the CyberTitan [in Canada] and CyberPatriot [in the U.S.] high school competitions, so it’s easier for a high school student to gain some IT and cyber security knowledge before they go into college.
Terry: The more you know [the better]. What’s interesting, though, is that because I don’t have a bachelor’s degree in IT or whatever for some employers I can’t be hired [full time] — but I can work as a senior consultant. It’s crazy.
Howard: When you talk to your colleagues about hiring young talent what do they say?
Terry: They think it’s extremely difficult. There are a couple of factors. Obviously the students lack skills. They expect very high pay. But the biggest challenge is [employers know] that there’s absolutely no loyalty, which means the moment you train them up they will jump to the next high-paying job.
Howard: Hey, that’s capitalism. Some experts say in addition to hoping for and wanting some people with IT experience you should look inside your organization for talent. For example, the IT support staff, marketing or communications staff. You can find people who have a number of skills, including communication skills, which are very important. And they’re willing to learn — but the organization has to be willing to put up some resources for training.
Terry: I totally agree with you. But what’s going to happen is once they get trained they typically leave. And that’s why I love to work with consultants, who most of the time run their own businesses. I can switch him up whenever I want, and if I want to can them I just don’t have to call them back.
Howard: Internal training may not cost as much as IT leaders. Last month the ISC2, which runs the Certified Information Systems Security Professional certification, issued the results of a survey of members. Forty-two per cent said that the cost of training and entry-level staffer to the point where they can handle assignments independently would cost less than US$1,000. That’s not very much.
Terry: There’s a double edge sword here. Okay because you can go on training sites like Cybrary and Udacity and there are really decent courses for under $100. But a lot of these courses teach you how to pass an exam. So you can end up with a candidate that has like nine recent certifications but he’s never run a vulnerability scan against a customer’s network. That’s why I love courses like offensive security, where a candidate is put in a simulator and they have to hack into a system within 24 hours in order to pass the exam. If you have certifications like that you’re employable and usable on day one.
Howard: But I think that part of the survey was trying to say it’s not only a matter of pay for your employee to take a course but it’s also the cost of internal training, to be beside someone and to initially help them get on their way. The point is the cost of that sort of training — the time that a manager may take with a young staffer — is not all that much.
Terry: There’s a hidden cost, too. Let’s say this course is five days long. You still have to pay the employee’s salary. So he’s not available to work. He’s in training all week. And a lot of courses happen outside of Canada. There’s travel and lodging costs. It could be a $5,000 course at the end.
Howard: This survey said that certifications are considered by IT pros the most effective method of talent development for entry and junior-level practitioners. That was followed by in-house training, conferences, external training and mentoring.
Terry: I believe it, and the reason is because the experts in the field are the ones building and updating the curriculum on a regular basis. That’s the biggest difference between a certification course and a college or university degree.
Howard: There’s also the fact that those seeking entry level jobs also have to be able to sell themselves to a potential employer.
Terry: This is why building a personal brand comes in very handy. You should be doing this because if you’re able to master communication skills and share your knowledge of what you know in cybersecurity via YouTube or blogs or writing content it’s going to really give you a leg up against the next candidate.
Howard: Let’s talk about now cyber insurance. The cost of coverage has gone up significantly in the past three years, but a report last week from a big insurance broker called Marsh thinks that maybe the rate of increase is slowing. What are you hearing from people who you talk to?
Terry: I’m hearing similar, and that’s because so many firms are failing to even qualify for the insurer’s minimum threshold to protect themselves from a cyber attack. They don’t even have the basics in place.
Howard: But it certainly makes sense for insurance companies to be demanding. You want to get cyber insurance The insurance company wants to lower the odds that it has to pay out claims. So it’s going to be demanding proof that your firm is doing the right things to lower risk.
Terry: Absolutely. There’s a couple things that they’re looking for right away. They want to know if you got antivirus in place, data loss protection technology, DNS filtering, endpoint protection, email security, a firewall, intrusion detection technology in place, event logging, and an incident response plan. For just those pieces alone you’re looking at several full-time employees working in cybersecurity. Otherwise you need automation technologies in place that can help detect things.
Howard: And one of the biggest things cyber insurance companies want to know is if you have multifactor authentication, because it’s been proven that good multifactor authentication is a great way to lower the odds of you being successfully attacked. I raise this because there was a report out this week by the Cyber Readiness Institute, which did a survey of the adoption of multifactor authentication among small and medium businesses. They found that only 46 per cent of small businesses around the world that they surveyed have implemented multifactor authentication. And of them, only 13 per cent require multifactor authentication for employees for most account or application access. What’s going on here?
Terry: What I’m hearing from customers that it’s just too complex to set up. Having this multifactor authentication hinders their workload. They don’t want to log in every couple of minutes or every couple of hours. So a lot of times employees find ways to try and bypass it. The other issue I’m seeing is they don’t have enough help desk staff to handle the amount of calls they’re getting from users with having problems.
Howard: But with multifactor authentication you shouldn’t have to log in [with an extra step] every time. And if you’re an ordinary user your browser is going to store of the [multifactor] credentials. I can understand where things are stricter for IT departments where the type of multifactor authentication used may be with a Yubikey or an RSA key and you’ve got to have it plugged in. Employees who have broad access across the enterprise may have to log in more than others. But generally speaking for most employees you shouldn’t have to log in multiple times a day with MFA.
Terry: But in some of cases that we’ve done, especially in healthcare care, they change the token key frequently so they’ve got to log in at least once a day with the two-step, especially if they’re using a VPN. So that’s where the challenge comes in. They don’t understand that passwords are leaking on the dark web and there’s more than 10 ways to bypass one-step verification. They don’t realize the importance of multifactor authentication until it’s too late.
Howard: So what’s it going to take to get small and medium-sized businesses to take multifactor authentication more seriously — other than the fact that they’re going to get hit over the head if if they want to get cyber insurance?
Terry: There might be regulatory fines at some point [for not having MFA]. But understand there’s no easy button it for cyber security. We’re trying to not make it complex. But there’s no easy way. So it’s a difficult balance between not hindering productivity of the employee and security.