
Friday, May 3rd, 2019

McAfee Survey Finds IT at Cybersecurity Fault Most

President Trump Signs EO to Bolster Federal Digital Security Workforce

A MYSTERIOUS HACKER GROUP IS ON A SUPPLY CHAIN HIJACKING SPREE

Transcript:

[00:00:00] Hello folks, it is Friday, May 3rd, 2019, and here is today’s security news first. [00:00:06][6.0]

[00:00:06] Let’s start with securityboulevard.com, from Michael Vizard. The title is “McAfee Survey Finds IT at Cybersecurity Fault Most.” First things first, that headline is terrible. I clicked it because it said McAfee, and that intrigued me to try to figure out what the hell he’s talking about. So here it is. This week McAfee published a survey they conducted of 700 professionals working in organizations with over 1,000 employees, entitled Grand Theft Data II. All right, if you’ve been in the industry long enough you know what these reports are going to boil down to, right? They’re going to try and sell you something at the end of the day. But what I want to bring up, what is interesting about this report, is something that hasn’t come up before but is probably 100 percent spot on: the report finds 52 percent of respondents claim IT is at fault when a data leakage event occurs, versus twenty-nine percent who say business operations. So essentially what they’re saying, all these IT professionals, is that more often than not it’s the IT professional’s fault and it’s not the user, which is common in this industry; it’s extremely common to try and blame the user for our issues, right? One of the reasons that this number is higher is that there is more opportunity for an IT professional to mess something up. All it takes is one misconfigured server. Right? And then there you go. You may have a back door open and boom, daily. Right? So this directly speaks to what you hear all the time: people, process, technology, right? For the people part of the thing, we know what we’ve got to do there. It’s all about training and building these people up to make sure they have the right skill sets. But if they don’t have the right processes in place to help them, then they’re screwed. All right. So I think that’s it here.
You know, this article goes on to talk about CASB and EDR tools, all of which are things that McAfee would love to sell you. Let’s move on from there. [00:02:05][118.8]

[00:02:06] Speaking of people, process and technology, the next one, a big one, coming to the White House today. This is from tripwire.com, although you could find this probably anywhere; it’s on CNN, Fox News, all over the place. “President Trump Signs EO to Bolster Federal Digital Security Workforce,” this one by David Bisson. So President Trump is signing an executive order on America’s cybersecurity workforce. They realize that there is a skills gap within the cybersecurity workforce, whether it be in the federal government or even in the public sector, so they’re doing a few things. Obviously, this is more about the federal government. They are going to develop a digital security rotational program within 90 days. The purpose of this program is to enable federal IT digital security practitioners to receive temporary assignments in the Department of Homeland Security and vice versa, thereby facilitating the exchange of knowledge, training and experiences. So this is something that gets talked about as good practice all the time within a security organization, that you should be rotating people around; nine times out of ten it never happens. So this is the White House making that happen for these folks. So in my opinion, nothing but good can come from this. Ninety days to create that program and make it a sustainable program seems a bit far fetched, but more power to them; we’ll see if they can get it done. If done correctly this can do a lot of good for the federal cybersecurity workforce. And this is not just that, which is pretty interesting.
I’m curious to see where this goes. It’s called the President’s Cup Cybersecurity Competition, which is going to be not just for government employees, but it also sounds like they’re going to let third-party contractors that are in the cybersecurity space compete in this as well. So they’re talking about cash prizes, days off, which if you’ve never been in the military or the federal government, that’s a thing; they award you with a day, a week off, or whatever. I’d rather have the cash personally. And then another thing they’re doing, which is not listed in this article but I saw in another one I read, is that they’re also going to start doing some programs where they’re going to award elementary and junior high teachers for their accomplishments in cybersecurity education, which I think is great. Start them young, right? I mean this industry is new enough now, this quote-unquote cybersecurity, that for most of the people that are in their prime, if you will, this is stuff that came about when they were late in high school or college, right? It didn’t necessarily exist at that time. And those that have been around for quite a while, they started out as IT folks. They were not cybersecurity, quote unquote, people. So I think this is good stuff. I really hope this works out. I’m rooting for it; it should be good. We’ll see what happens. [00:04:58][171.8]

[00:05:00] Next. This is a long article, so I’ll give you a quick recap of it, some things I pulled out that I thought were interesting, but go read this; this is sort of an exposé. This is from wired.com: “A Mysterious Hacker Group Is on a Supply Chain Hijacking Spree” by Andy Greenberg. Yeah, I guess they’re mysterious, but you’re gonna know the name. They’re known as Barium, ShadowHammer, ShadowPad, or Wicked Panda. So that right there, Wicked Panda, should give you an idea of where these folks are based. So these are the folks that will be blamed for hijacking the software update stuff from ASUS and then also the CCleaner tool issue. And so one of their attacks, their tactic here, is sort of a spray and pray tactic, which harkens back to the Russian submarine force back in the day, where they didn’t necessarily aim; they just shot as much as they could to hope to hit something and take something else out. Right? So that’s sort of what’s going on here with their attacks: they’re just spraying it everywhere, collecting the data, seeing what they have that looks interesting and then going after that. So it’s a tactic that has worked in the past in many different things, not just cybersecurity, submarine warfare as well. And then in the article they interviewed some folks, and they claim to say that if they were to try and deploy a ransomware sort of like NotPetya, it would be even more destructive around the world. So I don’t necessarily disagree; I’d like to dig into that a bit more before I really get into some of this. Those are the three articles for the day. [00:06:40][100.7]

[00:06:41] One last thing, a quick update. The other day we talked about the ICS security stuff with California and Utah. Well, apparently some more information has come out. It’s still a little fuzzy here, but there was a denial of service attack, but no service was disrupted. No service or production was disrupted. So why that report was filed, we’re still kind of unsure. I guess within the organizations in these states everybody’s pointing fingers, saying, hey, we didn’t do it. Did you guys do it? Who filed this thing? Where did it come from? So there’s some question as to what happened here, but it appears that there was a denial of service and there was no disruption to service or production. So I think all’s well that ends well, and on that one there is clearly some process and procedure issue that they’ve got to figure out. All right folks, thank you. It is Friday, May 3rd and this is Security on the Bayou. Everybody have a wonderful weekend. We will talk again on Monday. [00:06:41][0.0]
