
  • Cybersecurity remains one of the most in demand professions, new … – PR Newswire

    Oct 17, 2022, 12:10 ET
    Record-setting year for cybersecurity job postings signals need for innovative approaches
    WASHINGTON, Oct. 17, 2022 /PRNewswire/ — Employer demand for cybersecurity professionals continues to strain talent availability according to new data from CyberSeek™, the cybersecurity workforce analytics platform developed in partnership by the National Initiative for Cybersecurity Education at NIST, Lightcast and CompTIA. 

    For the 12-month period ending in September 2022, employers listed 769,736 openings for cybersecurity positions or jobs requiring cybersecurity skills. Employer demand for cybersecurity workers grew 2.4 times faster than the overall rate across the U.S. economy. Nine of the 10 top months for cybersecurity job postings in the past 10 years have occurred in 2022.
    “The data should compel us to double-down on efforts to raise awareness of cybersecurity career opportunities to youth and adults, especially during Cybersecurity Career Awareness Week, which is an international campaign to inspire individuals to explore the variety of types of cybersecurity-related roles that are needed in both the public and private sectors,” said Rodney Petersen, Director of the National Initiative for Cybersecurity Education (NICE).

    Despite a slight pullback in hiring activity in the most recent months from the record volumes of earlier this year, total cybersecurity job postings for Q3 2022 tracked 30% higher than the same period in 2021 and 68% higher than 2020. The supply-demand ratio [1] held steady at 65, indicating approximately 65 cybersecurity workers in the labor market – the vast majority already employed – for every 100 cybersecurity job postings.
    The new CyberSeek data shows that requirements for cybersecurity skills for specific occupations have increased dramatically in the last 12 months. The cybersecurity profession continues to expand into specialized fields, such as penetration tester and threat analyst. There is a similar expansion of cybersecurity skills requirements in adjacent positions such as auditor (+336%), software developer (+87%), cloud architect (+83%) and technical support engineer (+48%).
    “The CyberSeek data reaffirms the critical importance of feeder roles and thinking more creatively about on-ramps and career pathways,” said Ron Culler, vice president cyber learning officer, CompTIA. “It is clear from the CyberSeek data that cybersecurity’s importance and impact reaches all levels of the tech workforce. We see this trend continuing and are committed to ensuring that cybersecurity professionals are prepared for the current and future challenges this will bring.”
    “Demand for cybersecurity talent has been accelerating for years, and employers are showing no signs of taking their foot off the gas,” said Will Markow, vice president of applied research at Lightcast. “That’s why it is more important than ever to build robust talent pipelines to ensure a safer digital world. We can’t accept leaving holes in our cybersecurity defenses simply because we don’t have enough trained workers to plug them.”
    In addition to comprehensive data on the supply and demand of cybersecurity workers at the national, state and metro levels, CyberSeek features an interactive career pathway that shows key jobs within cybersecurity, common transition opportunities between them, and detailed information about the salaries, credentials, and skillsets associated with each role. To provide actionable next steps CyberSeek provides a training provider tab for users to connect directly to organizations providing training, education and industry-recognized certifications. Visit www.cyberseek.org to learn more. For information about the project partners NICE, Lightcast and CompTIA, please see the project partner page on the CyberSeek site.
    [1] A comparison of the number of available cybersecurity workers relative to employer demand in a particular location, displayed as a percentage.
    Media Contact
    Steven Ostrowski
    CompTIA
    +1 630-678-8468
    SOURCE CyberSeek

  • How To Build a Career as a Freelance Cybersecurity Analyst — From Scratch – The Hacker News

    With each passing year, the cybersecurity threat landscape continues to worsen. That reality makes cybersecurity analysts some of the most sought-after technology professionals in the world. And there are nowhere near enough of them to meet the demand. At last count, there were over 3.5 million unfilled cybersecurity jobs worldwide — and that number is still growing.
    The situation means that it’s a great time to become a cybersecurity analyst. What’s more, the skyrocketing demand means it’s possible to start a lucrative freelance career in the field and take complete control over your professional future. Here’s a start-to-finish guide on how to do exactly that.
    The first step on the path to becoming a freelance cybersecurity analyst is to acquire the necessary skills. For those without an existing technology background, the best place to start is with a cybersecurity bootcamp. They’re designed to get newcomers up to speed with basic cybersecurity concepts and skills in the shortest possible time.
    A great place to start your search for the right course is Bootcamps.org. They maintain an active directory of both free and paid bootcamp programs in a variety of technology fields, including cybersecurity. Depending on your preexisting familiarity with computing concepts, you may also wish to enroll in a more generalized computing bootcamp to get started.
    Your goal is to emerge from these programs with a working knowledge of the following concepts:
    The next thing you’ll need to do is to earn one or more cybersecurity certifications to demonstrate your abilities to would-be employers. The best approach is to begin with a general cybersecurity certification. You can always earn a more specialized certification later in your career after you gain experience and figure out which aspects of the job you excel at. The most popular general cybersecurity certifications include:
    Earning any one of the above certifications will give you the credentials you need to qualify for thousands of already-existing open positions. At the time of this writing, there are over 200,000 active job listings for holders of the above certifications on LinkedIn, Indeed, and Simply Hired alone. In other words — you’ll be ready to join the ranks of professional cybersecurity analysts the moment you’ve earned one of them.
    Even though it’s possible to get some cybersecurity analyst jobs with nothing but the right certifications and an artfully-worded resume — that will only get you so far. Although it’s reasonable to take on an entry-level cybersecurity position to gain some experience at this stage, there are also some other strategies you can use to speed up the process.
    One of them is to explore resources like TryHackMe.com. It’s a site with real-world hacking simulations that you can use to get some hands-on experience with the kinds of situations you’ll face as a cybersecurity analyst. It’s an excellent way to build some experience without any risk.
    Another strategy you should consider is to attend as many hackathons as you can. Those will give you a front-row seat to see how the best of the best in cybersecurity approach their work. And, they make for excellent networking opportunities that you’ll need to prepare yourself to go freelance later.
    At this stage, you should also set yourself up with accounts on all of the major cloud providers like Google, Amazon AWS, and Microsoft Azure. This will allow you to build technology stacks on each platform and familiarize yourself with their settings and features. The majority of businesses in the world today have at least some exposure to one or more of those platforms. Understanding them from a cybersecurity perspective will improve your marketability as a freelance cybersecurity analyst.
    When you feel comfortable enough in your skill set and experience level to consider transitioning into freelance roles, you should start small. This means taking on some paid cybersecurity jobs through sites like Fiverr and Upwork. You should begin by offering your services in specific areas that your existing experience supports. So, if you feel comfortable conducting penetration testing of a particular app or platform, start there.
    The idea is for you to establish yourself as a reliable service provider on those sites. Although it may not seem like you’re getting far — after all, freelance sites aren’t where the real money is — you’ll be building up a reputation for quality work. When you’ve done that, you can parlay that reputation into more lucrative work.
    Once you’ve got enough experience and have a solid resume of small freelance cybersecurity jobs under your belt, you’ll be ready to turn your hard work into a standalone freelance business. The first step toward doing that is to think up a business name. You’ll want a name that’s not already in use, with an available domain name to match. When you have one, reserve the domain name and register for a tax ID with the relevant authorities where you’re planning to work.
    Next, you’ll want to design a website to serve as a calling card for your business. Since you’ll be marketing your skills and reputation as a cybersecurity analyst, the site doesn’t need to be anything more than a professional-looking portal with your business name, basic information, and contact details. You can choose a ready-made template if you don’t have the design skills to do the job yourself.
    Then, you’ll want to set up your home office with everything you’ll need to work full-time. This means having a dedicated comfortable space with a desk and computer, and all of the relevant office supplies. It’s also a good idea to sign up for a business phone app so you’ll have a professional communications system for your customers to contact you.
    At this point, you’re ready to begin soliciting work as a freelance cybersecurity analyst. This is the time when all of the networking you’ve done through hackathons and other events, as well as through your freelance portal jobs, will pay off. You should begin by crafting an announcement of your new business to send out to all of the contacts you’ve collected.
    As you do this, be sure to let everyone know exactly what types of cybersecurity jobs you’re equipped to handle. You should also make it clear how potential clients can contact you and request quotes for your services. If you’ve done everything right, you should start to get inquiries in short order. From there, all you have to do is your best work — and it won’t be long until you have enough steady customers that you can quit your day job and go freelance for good.
    The simple fact is, the sheer volume of open cybersecurity jobs — and the countless more that will appear in the next few years — make your odds of success as a freelance cybersecurity analyst quite high. As long as you’re competent, confident, and willing to continue to learn your trade as you work, you’ll never run out of opportunities. Your reward for all of that is a well-paid career with a schedule that you control — and doesn’t that sound like a dream come true?

  • To Ease the Cybersecurity Worker Shortage, Broaden the Candidate … – Dark Reading

    I’ve been in the tech industry for 25 years, almost all in cybersecurity. I’ve held security leadership positions for well over a decade, including 18 months as head of security for an API platform with more than 20 million users.
    I’ve had a successful career in information security, and I’ve done it without a college degree.
    I’m just not convinced of the value of a degree for cybersecurity jobs. To be sure, some who go to school before embarking on cybersecurity careers may benefit from the education and training. But many others merely find themselves saddled with student debt, just to learn material that’s often outdated or may not even be relevant to the job.
    At the end of the day, with enough passion, raw intelligence, and hard work, anyone can be a successful cybersecurity professional, whether they have a degree or lack a background in IT and computer science.
    Cybersecurity hiring historically has focused on a narrow candidate pool — people with the usual academic credentials, job experience, security certifications, and specific technical security skill sets. But as the demand for cybersecurity professionals keeps increasing, it is clear that the industry must get more creative in the hunt for talent.
    The question on every CISO’s mind is how. Here are four ideas.
    Mandating at least a bachelor’s degree for a cybersecurity job (or any tech industry job, for that matter) is obsolete thinking. Skills and personality traits like desire, curiosity, love of learning, calmness under pressure, and ambition are what really matter.
    I go back to my own experience. I gave community college a try, because it’s what was expected, but I was never a good student because I wasn’t interested in the material.
    My college turned out to be my first computer job where I spent time on the help desk, as a desktop engineer, as a systems engineer, and eventually left as a network engineer. What I learned during my four years there gave me the foundational knowledge to move to the next job/level.
    I loved all technology and wanted to learn as much as I could but couldn’t decide if I wanted to be on the network or systems side. I wound up in security because it was an area that allowed me to get involved in all aspects of tech.
    Now, years later, I lead a combined security and IT operations team with more than 30 members, focusing on building a modern security program that supports the needs of a fast-growing business.
    Instead of chasing unicorns, companies should mine not only other areas of the IT department but completely different parts of the business for people with adjacent skills that could make them great cybersecurity pros.
    Someone with a librarian’s background, for example, could bring the strong detail orientation needed for security compliance work. A former military member may possess the grace under fire needed for hectic work in the security operations center (SOC).
    Looking harder at candidates who don’t fit the typical cybersecurity specialist mold necessitates a more aggressive move toward upskilling and reskilling existing employees. And beyond its benefit as a source of talent, looking inward rather than outward for help also could provide protection against the threat of recession and possible hiring freezes. Which leads to our third point…
    If someone has the natural skills to succeed in cybersecurity but has never even seen a SOC, who cares? Skills can be taught. That’s why cybersecurity training sessions and boot camps exist.
    Companies should invest in formalized training programs for individuals with nontraditional security backgrounds. They should be trained upfront and continually provided with additional training opportunities just like the rest of your team.
    The beauty of DevOps and DevSecOps is that they shift some security responsibility from dedicated security teams in operations to the development side, with the idea being that security should be baked in throughout the application development process.
    This provides a fresh opportunity for more people throughout the organization to take on roles as security champions, security ambassadors, security advocates — pick your term. And it lessens the pressure on companies to hire for security team positions and increases the incentive to get creative in looking internally for these champions.
    By following these four steps, companies can find people who have the aptitude and passion for security and who can be made into top-notch professionals with a little bit of training and mentoring.
    The industry has been doing the same thing over and over — hunting for the usual suspects — and it’s time for new approaches.

  • T-Mobile announces another data breach, impacting 37 million … – The Verge

    By Jess Weatherbed
    T-Mobile has revealed the company’s second major breach in less than two years, admitting that a hacker was able to obtain customer data, including names, birth dates, and phone numbers, from 37 million accounts. The telecom giant said in a regulatory filing on Thursday that it currently believes the attacker first retrieved data around November 25th, 2022, through one of its APIs.
    T-Mobile says it detected malicious activity on January 5th and that the attacker had access to the exploited API for over a month. The company says it traced the source of the malicious activity and fixed the API exploit within a day of the detection. T-Mobile says the API used by the hacker did not allow access to data that contained any social security numbers, credit card information, government ID numbers, passwords, PINs, or financial information.
    In a statement announcing the breach, T-Mobile omitted that the breach impacted 37 million accounts and that it had gone undetected for over a month. Instead, the statement said the company had “shut it down within 24 hours” as soon as its teams had identified the issue. T-Mobile has started to notify customers whose information may have been obtained in the breach.
    “Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time,” the company said in the filing. “There is currently no evidence that the bad actor was able to breach or compromise our systems or our network.”
    T-Mobile has disclosed eight hacks since 2018, with previous breaches exposing customer call records in January 2021, credit application data in August 2021, and an “unknown actor” accessing customer info and executing SIM-swapping attacks in December 2021. In April last year, the hacking group Lapsus$ stole T-Mobile’s source code after purchasing employees’ credentials online.

  • 8 cybersecurity roles to consider – TechTarget

    The need for cybersecurity professionals has never been greater. Given the ever-expanding roles of technology, data and AI in the enterprise, the need to protect, detect and remediate against cyber attacks is of existential importance across every sector.
    At the same time, organizations of all kinds are grappling with the much-discussed cybersecurity talent shortage. A wide variety of opportunities abound, and the field needs a diverse array of talents and skills.
    As an aspiring or current practitioner weighing possible career options, consider the following eight cybersecurity roles.
    Seniority: Entry-level to midlevel
    The security administrator is an operational role overseeing an organization’s security on a day-to-day basis and troubleshooting and triaging problems as they arise. Typical tasks might include the following:
    Seniority: Entry-level to senior-level
    The security operations center (SOC) analyst role involves uncovering potential cyber attacks by monitoring for unusual digital activity. SOC analysts use traditional log monitoring, as well as more advanced AI-based tools, that alert to suspicious behavior.
    Many cybersecurity professionals’ first jobs are in the SOC, and an entry-level analyst could go on to hold any number of positions in the field.
    While junior SOC analysts’ responsibilities are operational in nature — reviewing and processing alerts from security tools to weed out false alarms and escalate potential red flags — senior SOC analysts shoulder more advanced responsibilities. These might include the following:
    Regardless of seniority, a SOC analyst needs an eye for detail, the ability to troubleshoot and an interest in threat research.
    Seniority: Entry-level to senior-level
    As the term suggests, digital or computer forensics involves retroactively investigating confirmed security incidents, such as data breaches. Digital forensic engineers — also known by titles such as cyber forensic investigators and computer forensic analysts — seek to uncover and understand the scope of attacks, who perpetrated them and how.
    A digital forensic engineer’s responsibilities may include the following:
    To be successful in this role, a digital forensic engineer must have the following:
    While many digital forensic engineer, analyst and investigator roles require significant experience, related entry-level positions do exist. In some cases, for example, junior technicians may need only a bachelor’s degree and relevant technical skills to get started in digital forensics.
    Seniority: Entry-level to senior-level
    The IT auditing role involves evaluating an organization’s security practices and technological infrastructure to assess the following:
    After assessing an organization’s risk profile, an IT auditor makes formal recommendations for improvement to key stakeholders. Other key responsibilities of an IT auditor include developing, implementing and updating the audit framework.
    IT auditors need strong interpersonal skills and the ability to build relationships across their organizations; the ability to interpret and implement security frameworks; and an interest in meeting regulatory requirements effectively and efficiently.
    Seniority: Midlevel to senior-level
    The application security engineering role focuses on protecting an organization’s applications from attackers throughout the software development lifecycle and the application lifecycle. Appsec engineers may work in standalone teams or as integrated members of DevSecOps teams.
    An appsec engineering position typically involves the following:
    Today’s appsec engineers may also oversee API security and recommend best security practices for third-party application use.
    Seniority: Midlevel to senior-level
    Network security engineers aim to minimize network security vulnerabilities without sacrificing uptime. They need technical skills, the ability to troubleshoot problems as they arise and extensive knowledge of common and emerging cyber threats.
    A network security engineer’s responsibilities typically include the following:
    Today’s network security engineers may manage infrastructure in traditional on-premises, cloud or hybrid environments.
    Seniority: Midlevel to senior-level
    Also known as ethical hackers, pen testers work to proactively uncover enterprises’ security vulnerabilities by modeling attacker behavior. Pen testers try to breach networks and systems by exploiting known and unknown technical vulnerabilities and by engaging in social engineering. Their goal is to uncover security weaknesses before malicious hackers do.
    Necessary skills include the following:
    Pen testers may work for dedicated in-house teams or for third-party firms that serve multiple organizations.
    Seniority: Senior-level
    The security architect role overlooks the entire security posture of an organization. It includes the following responsibilities:
    For security architects who are managers — leading teams of security engineers — people and communication skills are also important.

  • Paypal suffers major data breach – TechHQ


    @more__hybrid
    Nearly 35,000 Paypal users are being contacted after the company suffered a major data breach.
    Unlike the recent high-profile ransomware attacks on organizations like The Guardian newspaper and the UK’s Royal Mail, the Paypal attack was significantly more mechanistic in nature. It appears to have been an automated attack, with bots using credential lists to carry out credential stuffing attacks, which “successfully” left users’ personal data exposed for the harvesting.
    Credential stuffing attacks are particularly artless affairs – they’re more or less literally a guessing game where bots run the numbers constantly until or unless they’re detected and stopped, or until they hit the correct username and password combinations. It’s worth saying though that the bots rarely start from a clear blue sky – usually, they have lists of pairs to try, which in themselves are sourced from previous data leaks or breaches.
    If you continually re-use the same username and password for several online accounts, credential stuffers are your personal Hell – which is why every cybersecurity awareness training course should come with a section on the importance of using something like a password manager, to disincentivize password re-use and make this kind of attack significantly more difficult to carry out.
    If you’ve made lots of Paypal transactions in the last handful of days though, don’t panic – the Paypal data breach took place over two days in early December – December 6-8 in fact.
    Paypal said nothing.
    The company knew it had happened more or less immediately, and took steps to mitigate the attack.
    It still said nothing.
    By December 20th, practically a calendar month ago, Paypal had completed its own investigation, confirming that over 30,000 accounts had been accessed using perfectly accurate, valid credentials, garnered by the credential stuffing bot attack method.
    It took until January 19th for Paypal to start writing to users whose credentials were compromised in early December. During the 48 hours of the attack, hackers had access to users’ full names, dates of birth, postal addresses, social security numbers, and tax identification numbers. It’s entirely possible they also had access to the credit and debit card details linked to nearly 35,000 users’ Paypal accounts.
    PayPal says it took “timely action” to block the unauthorized access to its users’ accounts, but that rather misses the point. If the hackers had access for anything up to 48 hours, they probably still have all the details, which can be sold on or used for their own nefarious purposes.
    The notification asserts that the attackers have not attempted — or at least did not manage to perform — any transactions from the PayPal accounts to which they had access.
    That’s hardly surprising – if you suddenly gain access to someone’s home address, social security number, and potentially the details of several credit cards, you’re not about to blow it buying a yacht via Paypal. The reward from such an attack tends to come from the data sale value, rather than the direct use of the credentials.
    It took the e-payment site almost a full calendar month to begin the process of notifying its users of the extent of the breach.
    Now, as a result of Paypal’s admittedly swift action to lock out the hackers using the legitimate credentials to gain access to the user data, affected users will be required to change their passwords immediately, and will receive two years of free identity monitoring from Equifax.
    That’s useful inasmuch as the details taken could be fraudulently used for all sorts of financing and the identity monitoring can help prevent such uses, but the question of why Paypal delayed its notification process for a full month remains one that should be of concern not just to the victims of this attack, but to potential victims everywhere – which is all of us.
    The Guardian ransomware hack, which compromised the details of staff at one of the UK’s most-read newspapers, was not confirmed by the paper as being a ransomware attack until three weeks later – and then by email to all the staff whose details had been breached.
    In the UK’s Royal Mail ransomware attack, the organization publicly quibbled about whether it was a ransomware attack even though it had received a ransom note.
    Now PayPal, one of the world’s leading e-payment systems, has waited almost a full month between concluding its own investigation into a data breach and beginning the process of alerting the compromised users to the breach.
    The recent dumping of thousands of Twitter users’ data onto hacker forums for free – after there were significant attempts to monetize the sale of the data — is another case where the gap between a breach and the affected users becoming significantly aware of the breach could be argued to be far too long.
    The corporate culture of keeping breaches under wraps until either they have been dealt with or until the immediate threat appears to have passed clearly serves the potential victims extremely poorly.
    It follows a tradition in software companies, where bugs are not widely reported until there’s a viable solution or patch to them, thereby minimizing the public panic and mistrust of everyday personal – and business – software. There’s an argument that this is valid, although a more rapid bug reporting process would normalize the understanding of quite how often software is released with bugs, errors or weaknesses still intact, and allow buyers to choose their next software package more carefully.
    But when their staff or their users have their data exposed to hackers, companies would seem to have a moral, if in no sense a legal, responsibility to let people know as soon as possible, so that the chances of their details being used for criminal purposes are minimized.
    In the case of the PayPal data breach, the company is focusing strongly on getting users to employ strong and different passwords (usually at least 12 characters in length, an increase from the 8 of recent years), and adopting multi-factor authentication to make these attacks harder to successfully carry out.
    While this is all sound cybersecurity advice, it should not overshadow how normal delayed notification has become in the corporate culture around data breaches.
    17 February 2023

  • Governments and Business Are Key Partners Against Cybercrime – Bloomberg Law

    By Cyrus Vance Jr.
    Baker McKenzie partner Cyrus Vance, the former Manhattan District Attorney, analyzes some high-profile cyber attacks and offers advice to governments and companies on how to combat digital crimes against industry and agencies.
    Last month, San Francisco’s Bay Area Rapid Transit, California’s largest transit system, suffered a ransomware attack that exposed highly sensitive data from the agency’s own police department.
    Vice Society, the prolific ransomware group that claimed responsibility for the attack, stole everything from master employee lists to crime lab reports and made them public, putting lives at risk. This was just the latest in a long list of cyber attacks targeting transit systems and national infrastructure, and it certainly won’t be the last.
    During my 12 years as Manhattan District Attorney, I witnessed the harmful effects of cybersecurity threats. Cybercrime in New York City impacts massive financial institutions, retailers, and infrastructure providers every day. These entities are attractive targets of cybercriminals, whether for financial or political reasons.
    When an organization is attacked, it’s hard to know the source—could it be a nation state, a cybercrime group, or someone from within the organization? Nation-state actors and their proxies are constantly re-branding and re-inventing to avoid detection.
    That said, though nation-state actors tend to cause the most damage, over 80% of cyberattacks are carried out by private actors.
    Beyond the financial risk to businesses and individuals, cybercrime is a grave threat to our national security, with critical infrastructure targeted more and more every day.
    Every zero-day exploit—a vulnerability in a system that has no known fix—represents an opportunity for an enemy to intercept sensitive communications, steal valuable intellectual property, and cripple the systems that keep us safe: power, water, nuclear, hospitals, and more.
    Cyber crime is not just about extracting money or data. These attacks diminish trust in our most important institutions and sow fear and uncertainty, which is one of the principal goals of our adversaries.
    A look at some of the biggest cyber events of 2022 drives this home. There has been an explosion of digital extortion. Hacking ransomware group Lapsus$ leaked sensitive data from victims including the world’s leading technology companies.
    Costa Rica’s government was brought to a standstill by Conti ransomware, linked to Russia. Thefts from blockchain businesses grew exponentially in the last year, with staggering losses. Last March, North Korea-linked Lazarus stole $540 million in cryptocurrency from Ronin, a popular blockchain platform.
    Organizations and industries with little tolerance for downtime continue to be hit hard because bad actors target those that are most likely to pay. Last June, a Massachusetts-based health-care company announced a breach affecting the health data of 2 million people.
    In the wake of the pandemic, manufacturing is now the most-targeted industry—supply chain demand means that businesses can’t afford to be offline, even if every bit of data is backed up.
    Unfortunately, the current cybersecurity forecast favors criminals and state-sponsored actors over the ability of jurisdictions and businesses to fight them. We’re not prepared for attacks or the aftermath that inevitably follows.
    A recent Baker McKenzie survey found that lawsuits over cybersecurity and data breaches were the number-one litigation risk concern for senior legal counsel inside large corporations globally.
    Though federal agencies are laser-focused on preventing a cyberattack that results in a nuclear disaster or a nationwide power outage, state and local governments also need to take a hard look at their ability to respond to a serious cyber event.
    We need creative thinking and engagement at every level to address the cyber threat problem as the crisis that it is.
    When I was still DA, I asked intelligence experts in the NYPD what would happen if we were hit with an attack on, for example, our water sources. Was there a plan?
    The answer made painfully clear that we had work to do: there was no plan A and there certainly wasn’t a plan B. In the event of a serious attack on critical infrastructure, no one was coming to save us. New York would have to save itself.
    So we got to work. We convened a public/private task force, including infrastructure providers, law enforcement, intelligence, and nonprofits. We trained first responders to manage a cyberattack, with the support of—among others—IBM and its training facility in Massachusetts.
    Five years in, the NYC Cyber Critical Services and Infrastructure Project has its own dedicated command center and a diverse membership of almost 300 professionals from health care, tech, government, and other sectors.
    When the Colonial Pipeline attack hit, the NYPD’s Intelligence Bureau quickly leveraged CCSI’s “team of teams” to spread the word throughout member organizations and made sure that infrastructure providers were scouring their networks for similar attacks.
    There is work still to do, but New York has proven that this model works and can be replicated across the country, at relatively little cost and quickly. For states and cities that are less-resourced than New York City, that is hugely important. They don’t have the luxury of time to achieve higher cybersecurity and resiliency for critical infrastructure. They need it now.
    Collective security efforts are critical to our security. If we are going to have any chance of defending ourselves against significant cyber threats—the type of attacks that can take out a power grid or a hospital—we need to work together.
    The US led the way in developing the internet and today is home to the best and most innovative technology companies in the world. We now need to show the same leadership in securing it.
    This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
    Cyrus Vance Jr. is a partner and global chair of Baker McKenzie’s cybersecurity practice. Prior to joining Baker McKenzie, he served three consecutive four-year terms as Manhattan District Attorney.
  • 6 Ways College Students Can Protect Their Data from Cyber Criminals – Campus Safety Magazine

    College students are often easy targets for cyber criminals and campus leaders should educate new students about the dangers starting day one.
    Most college students are too busy with their studies and social lives to worry about issues like online privacy and cybersecurity. Unfortunately, this means that the majority of college students aren’t protecting their personal information online, even as they spend more and more time using digital tools for their classes.
    Students might not think that their information is valuable. After all, most students are budgeting as best they can to minimize the debt they’ll have after they graduate. However, that doesn’t mean college students aren’t targets for hackers. Universities need to help students understand the importance of keeping their personal information safe so that they don’t become victims of cybercrime.
    It might seem strange that cybercriminals would want to steal the personal information of a college student. After all, college students aren’t likely to have a lot of money or much of a credit history, so it might seem like targeting students would be a waste of time.
    Even if they don’t have much in the way of assets, college students have a lot to offer a criminal looking for an easy target. College students aren’t focused on cybersecurity and might not be familiar with the tactics hackers use to steal data. Because they don’t consider themselves attractive targets, they don’t take the necessary precautions to protect their information.
    There are other factors that make college students targets for hackers as well. A limited credit history might not seem like a good thing, but to someone who is trying to illegally use someone else’s credit, this “clean slate” can be a positive.
    Younger people are used to sharing personal information on social media and often don’t know what types of information they shouldn’t share publicly. They also have lots of connected devices and potential vulnerabilities for hackers to exploit.
    Hackers have a variety of goals when it comes to cybercrime. Identity theft is a common problem for people of all ages, but college students are a group that can be especially vulnerable. Cybercriminals steal someone’s identity to impersonate them, generally so they can open accounts in their name, use their credit, and gain financially.
    Unlike cyberterrorism, which is more likely to strike large institutions, including universities, cybercrime affecting individuals like college students is on a small scale. However, the impact of crimes like identity theft, malware, and phishing (getting someone to click on a malicious link) can be significant, affecting the victim’s credit, financial health, ability to open new accounts, and privacy.
    It’s not always possible to prevent cybercrime from taking place. Hackers are smart, and they are always evolving their techniques to beat the latest cybersecurity measures and antivirus software.
    However, there are some techniques that college students should use to protect their personal data. It’s important to educate college students on these key cybersecurity measures so they can prevent becoming the victim of a virtual attack.
    This is advice that’s given over and over again: students should use strong passwords and avoid using the same password for multiple sites. Although it might sound like the most obvious piece of advice about cybersecurity, most people don’t follow it, leaving themselves vulnerable through multiple accounts. Password managers can help students ensure that their password behavior is cybersecurity-approved.
    Two-factor authentication, which requires two forms of verification for a successful login (such as a password and a code sent to a phone or email address), helps to ensure that someone is who they say they are.
    If someone tries to remotely access a student’s data, two-factor authentication should notify the student that a login attempt has been made. This not only helps protect the account and keep it secure, but it also gives students information about any unauthorized login attempts, sometimes with the location of the attempt.
    Public wi-fi can be a source of vulnerability for college students. They should understand the risks of using unsecured networks, as well as strategies for protecting their privacy when using these networks.
    Students on a budget might already be in the habit of checking their financial accounts, but not always. Frequent monitoring of bank accounts, investment accounts, and other financial accounts can help students spot fraud and other evidence of a cybercrime right away. This can help law enforcement hold the criminals responsible and reduce harm to the victim.
    If something feels “off” to a student, such as an email they receive, they should know to follow their instincts and approach the situation with healthy suspicion. Cybercriminals can be very clever in hiding their activities. It’s always better for students to be safe than sorry!
    Many students don’t worry at all when they leave their laptop at a library table for a few minutes so they can use the restroom. Unfortunately, not having physical control of a device can easily lead to data theft, even during a short period of time. People can quickly gain access to sensitive data this way and use it maliciously.
    Students should understand the importance of maintaining physical control of their devices at all times, whether they’re at a party or hosting one; whether they’re at a coffee shop or the library and just need to briefly step away from their devices.
    Simple cybersecurity protocols aren’t hard to implement. The harder part is getting students to take cybersecurity seriously.
    Most students know in theory that protecting personal data online is important. However, they might be so convinced that they won’t be a target of cybercrime that they brush off cybersecurity advice, especially when they are busy with school and social obligations. It’s easy to feel like crime is something that happens to other people — but when students don’t take any precautions, they become “other people” and regret that they didn’t take cybersecurity more seriously.
    Start talking about cybersecurity from day one with new students. Including information in your welcome materials about the why and how of protecting their online data can help increase awareness and get students thinking about the issue. It’s also critical to provide information on what students should do if they think they’ve been hacked.
    It’s important to keep the issue of cybersecurity top-of-mind for students throughout their college career so they can learn good habits and skills to protect themselves today, tomorrow, and for the rest of their lives.
    Sarah Daren has been a consultant for startups in multiple industries including health and wellness, wearable technology, nursing, and education.
    Note: The views expressed by guest bloggers and contributors are those of the authors and do not necessarily represent the views of, and should not be attributed to, Campus Safety.
    Ⓒ 2023 Emerald X, LLC. All rights reserved.
  • New UN cybercrime convention has a long way to go in a tight timeframe – CSO Online

    Cybercrime is a growing scourge that transcends borders, spreading across the boundaries of virtually all the world’s nearly 200 nation-states. From ransomware attacks to rampant cryptocurrency theft, criminal exploitation of borderless digital systems threatens global economic security and the political welfare of all countries.
    Now, the United Nations has a major initiative to develop a new and more inclusive approach to addressing cybercrime. This revised global approach could spark new laws worldwide to battle cybercrime more effectively. However, concerns over the scope of the emerging international convention and its possible threats to free speech, privacy, and cybersecurity research, among other issues, have emerged following the recent release of early drafts of the new convention.
    On December 27, 2019, the United Nations General Assembly adopted a resolution to counter the use of information and communications technologies for criminal purposes. Through the resolution, the General Assembly established an open-ended ad hoc intergovernmental committee of experts from all countries to create the cybercrime convention, which will be voted on by the General Assembly at its 78th session starting in September.
    This convention will supplement a convention on cybercrime developed in the 1990s and signed in Budapest in 2001, commonly referred to as the Budapest Cybercrime Convention. The Budapest Convention resulted in the first international treaty to define crimes committed via the internet and other computer networks. It went into effect in 2004, with updates adopted since then, most recently in 2022.
    Sixty-seven countries ratified the Budapest Convention, with two additional countries, Ireland and South Africa, signing the convention but not ratifying it. The ad hoc committee aims to create a new cybercrime convention that is more widely adopted and influential than the Budapest Convention.
    “The US and lots of other like-minded countries have been saying that we have the Budapest Convention on Cybercrime,” Chris Painter, president of the Global Forum on Cyber Expertise Foundation and the former top cyber diplomat for the US, tells CSO. “That’s great. But a number of countries, led by Russia and China, said they wanted a new UN convention since they weren’t part of the original negotiation of the Budapest Convention. So, the US and others said, ‘Okay, we’ll fully participate.’”
    A new convention would enable “us to more swiftly, in a more modern manner, exchange information to pursue and bring to justice those who abuse computer systems,” Ambassador Deborah McCarthy, US lead negotiator on the Ad Hoc Committee for the Department of State, tells CSO. “This makes it truly global.”
    Due to the tight timeframe to meet the September deadline, the working groups assigned to hammer out the new convention presented compilations of draft texts of the proposals at the fourth session of the Ad Hoc Committee in Vienna that concluded on January 20.
    The critical characteristic of any new cybercrime convention is that it could, when implemented, have the same force as federal legislation, Kurt Opsahl, deputy executive director and general counsel of the Electronic Frontier Foundation (EFF), told attendees at this year’s Shmoocon conference. EFF, along with Painter’s group and more than 74 digital and human rights organizations, is participating in the Ad Hoc Committee’s discussions at the encouragement of the committee chair, HE Ms. Faouzia Boumaiza Mebarki of Algeria, to get the views of “non-governmental organizations, civil society organizations, academic institutions, and the private sector.”
    Because of this force of law, treaties resulting from conventions can “short circuit” the political process. “We have seen some bad policies come through the treaty process and then get adopted here in the states,” Opsahl said. For example, the Digital Millennium Copyright Act (DMCA), “which we’re not really big fans of,” mandated that US copyright law comply with two treaties established by the World Intellectual Property Organization (WIPO).
    From Painter’s perspective, the fundamental questions in the current negotiations center on what’s in and out of the convention’s scope. “Those are the two things we’re dealing with, and they’re both difficult issues. The US, the EU, and others have been pretty clear that they think it should be restricted to real cybercrimes. There might be a couple of exceptions like child exploitation or things like that, but not every crime that may be cyber-enabled [should be included] because that’s everything; that would be every crime.”
    Ambassador McCarthy underscores Painter’s point, emphasizing the cybercrime nature of the convention more broadly, saying, “This is not about cybersecurity, it is not about internet governance, it’s not about covering speech crimes or terrorism. Our aims are not broad; they’re quite narrow.” Likewise, when it comes to some countries’ goals of including a range of cyber-enabled crimes, “If you add all the cyber-enabled crimes that a number of countries would like to have, they touch on freedom of expression and freedom in general,” she says. “And we do not want to see that in this instrument.”
    “It’s a very long treaty,” EFF’s Opsahl said at Shmoocon. “It covers a lot of things. It would be best if it is limited to cybercrime.”
    The drafts released at the fourth session in Vienna point to a range of provisions that go far beyond the strict parameters of cybercrime, suggesting room for improvement before the US and its like-minded allies could agree to a new convention.
    The first area for improvement is in the area of civil disputes, such as violating a site’s terms of service, “which should not be a crime,” Opsahl said. However, many of the ways that the cybercrime provisions are being written “could certainly have an interpretation that unlawful conduct would include contract violations. They should make it clear in the statute, in these proposed articles, that this is not going to be criminalizing civil disputes.”
    Another area to watch out for is clarifying the nature of intent when it comes to provisions that criminalize “the serious and unlawful hindering of the functioning” of a computer system. “Intent is that difference between finding a vulnerability, proving it up, and helping the world with that information, and going, and exploiting it,” according to Opsahl.
    Painter agrees, saying “you don’t punish researchers. As lawyers say, you actually have to have mens rea or mental state for these crimes, and not if you engineer something, suddenly you’re liable.”
    Perhaps most concerning are the draft sections that criminalize the content of speech, such as extremism or terrorism. “Many countries who will be signatories to this treaty use similar language to strike down dissent and say that anyone who’s opposing the regime is spreading sedition, is spreading strife and hatred,” said Opsahl. “This has been used far too often to endanger rights. There are no agreed international definitions of what these kinds of terms mean.”
    “What is cyber terrorism?” Painter asks. “What does that mean? To Russia, it might mean someone disagreeing with Putin. The Chinese representative reportedly said in one of the meetings that he wanted to introduce a substantive crime about disinformation, but he was talking about people spreading rumors about natural disasters or the pandemic.”
    “Terrorism is handled in other fora, violent extremism is handled in multiple fora,” McCarthy says. “This particular instrument is not appropriate for these things that are being handled in other fora. If you try to incorporate all these other things on which there is sometimes no final agreement, it goes beyond being a crime instrument, and the process will never conclude.”
    Despite these and other thorny issues, McCarthy says she is heartened at how the process has brought “more people under the tent” and how only a handful of countries have a list of demands that would threaten the acceptance of a new convention. She has faith in the caliber of the policy people and practitioners on the US team, which includes experts from the Department of Justice.
    During a fifth session in April, small subgroups of the ad hoc committee will tackle “the difficult things that we ran into on the fourth session,” she says. In addition, the teams will continue negotiating between sessions. “There’s a broad desire to have something tight and nimble.”
    The crunch time will come before the sixth session in late August, by which time the committee chair will have produced what is called the zero draft or the last draft version of the convention. “So, there’s not a lot of time,” says McCarthy.
    Copyright © 2023 IDG Communications, Inc.