FBI Is Trying to Recruit Hackers to Become Cyber Special Agents

The Federal Bureau of Investigation is trying to recruit hackers to become cyber special agents to combat cyber terrorism, espionage, and other threats to the United States (emphasis added):

The number of resumes submitted as a direct result of the bureau’s presence at the conference was not readily available. (The story will be updated with those figures if and when we get them.)

Last year, the FBI recruited more than 1,500 special agents with cyber expertise, according to data from the bureau’s human resources department.

However, the hacker and cybersecurity communities are still wary of the federal government. This fact was clear during the Q&A portions of many of the talks and presentations featuring government representatives.

FBI Director James Comey alluded to some of these worries during a talk in January at the International Conference on Cyber Security.

“There is a wind blowing that I worry has blown what is a healthy skepticism of government power … to a cynicism so that people don’t want to be with us anymore,” he said. “We’ve got to do our best to speak into that wind to try to explain how we’re using our authorities in government.”

Having a presence at Black Hat and other similar venues is part of the FBI’s push to overcome this reality.

NICE Plans to Address the Critical Cyber Security Skills Shortage

There is a critical shortage of cyber security professionals with the right skills in the United States, and the National Initiative For Cybersecurity Education (NICE) plans to address it:

In the United States, one way in which the federal government has addressed this problem is NICE, the National Initiative For Cybersecurity Education. And one of the ways in which NICE seeks to promote cybersecurity education and workforce development is with a two-day annual conference. In 2015, the NICE conference is being held in November, in San Diego, and you can find the details here. If you or your organization are involved in cybersecurity education and workforce development then you might want to consider not only attending NICE 2015, but also sharing your knowledge, experiences, lessons learned, and so on. The Call for Proposals is still open.

The cybersecurity education and workforce deficit has been discussed several times here on We Live Security, for example during the RSA conference. I certainly believe there is an urgent need to train more people in this field and foster cybersecurity as a career choice for students who are still in school. For example, the annual Cyber Boot Camp that ESET facilitates in San Diego every year is targeted directly at this problem.

Germany’s Cyber Security Law Isn’t Working Because of Ambiguity

Germany passed a new cyber security law earlier this summer, but it apparently is not working well because of the ambiguity inherent in its legal wording (emphasis added):

This summer, Germany adopted a new law, known in German as the IT-Sicherheitsgesetz, to regulate cybersecurity practices in the country. The law requires a range of critical German industries to establish a minimal set of security measures, prove they’ve implemented them by conducting security audits, identify a point of contact for IT-security incidents and measures, and report severe hacking incidents to the federal IT-security agency, the BSI (Bundesamt für Sicherheit in der Informationstechnik). Failure to comply will result in sanctions and penalties. Specific regulations apply to the telecommunications sector, which has to deploy state of the art protection technologies and inform its customers if they have been compromised. Other tailored regulations apply to nuclear energy companies, which have to abide by a higher security standard. Roughly 2000 companies are subject to the new law.

The government sought private sector input early on in the process of conceptualizing the law—adhering to the silly idea of multistakeholderism—but it hasn’t been helpful in heading off conflict. German critical infrastructure operators have been very confrontational and offered little support. Despite some compromises from the Ministry of the Interior, which drafted the law, German industry continues to disagree with most of its contents.

First, there are very few details to clarify what is meant by “minimal set of security measures” and “state of the art security technology.” The vagueness of the text is somewhat understandable. Whenever ministries prescribed concrete technologies and detailed standards in the past, they were mostly outdated when the law was finally enacted (or soon after that), so some form of vagueness prevents this. But vagueness is inherently problematic. Having government set open standards limits market innovation as security companies will develop products to narrowly meet the standards without considering alternatives that could improve cybersecurity. Moreover, the IT security industry is still immature. It is impossible to test and verify a product’s ultimate effectiveness and efficiency, leading to vendors promising a broad variety of silver bullet cybersecurity solutions—a promise that hardly lasts longer than the first two hours of deployment.

Will HITRUST Certification Improve Health Care Cyber Security?

The health care industry is seeing its fair share of cyber attacks these days and recognizes the need for an industry-wide baseline set of security controls. The HITRUST certification is designed to meet that need by giving health care organizations and their vendors a common framework to work from (emphasis added):

The certification will provide outside assurance to covered entities, but also be a plus for vendor partners, according to Ray Biondo, chief information security officer at HCSC, the largest customer-owned health insurance company in the United States.

“I want to make sure as an industry we don’t all go out and try to get minimum security requirements from each of these vendors and do it separately because it drives up costs for all of us, it’s inconsistent and it’s getting the vendors themselves bent out of shape,” he said. “Every time they try to sell their product or implement their solution to us or anybody else, they have to go through the same process over and over again. It’s very cumbersome.”

Adding some standardization to the process as an industry “will guarantee me that you’re at least meeting a minimum level of maturity with these common controls to protect your organization from a security breach,” he said. “These controls will not stop a hacker if they really want to get in, but if you can demonstrate you’re at least taking the necessary steps to increase your maturity level, our comfort level with doing business with you will greatly improve.”

Without such standards, he said, his company has to audit them individually.

“We’re in an awkward position. A lot of the companies that give us these solutions are as open to attack as anybody else, so it’s not just health care, it’s even the security suppliers. As an industry, we have to rally together to protect ourselves. I think this is the fastest, most efficient way to move that forward,” he said.

Even amid the growing prevalence of health care breaches, however, he said business associates are pushing back on making the certification mandatory.

Managing the security practices of business associates is a lot like herding cats. Add in a few offshore outsourcers who handle tasks such as medical transcription, coding and billing, and the scenario becomes even more complicated. Tennessee-based Cogent Healthcare learned that the hard way in 2013, when information on 32,000 patients was exposed while the firewall was down at an India-based transcription service.

Cyber Security Professionals Proclaim the Usefulness of Crowdsourcing Cyber Security

One of the reasons why the US government is keen to pass cyber security information sharing legislation (forget the fact that it’s actually a surveillance bill) is that it recognizes how useful it is to learn from the lessons others have had to endure. This is the standard US government modus operandi for everything it does. So it should come as no surprise to see many industry cyber security professionals proclaim the usefulness of crowdsourcing cyber security (emphasis added):

Consumer healthcare products provider Johnson & Johnson is also a big believer in security crowdsourcing. “Our company gathers intelligence feeds from various sources, internal and external,” says Mary Chaney, director of worldwide information security at Johnson & Johnson.

That includes its relationship with the Healthcare and Public Health Information Sharing and Analysis Center (NH-ISAC), which works to improve the resilience of the nation’s critical infrastructure against physical and cyber security threats.

Led by the healthcare industry, NH-ISAC is recognized by such entities as the U.S. Department of Health and Human Services, Health Sector-Coordinating Council, U.S. Department of Homeland Security, National Institute of Standards & Technology, as well as law enforcement agencies.

“Internally, we seek to engage physical, social media relations and other groups that are ‘listening’ for different types of information about the company but could offer insight on things that have a cybersecurity impact,” Chaney says.

The company has an Intelligence and Trending group within its Security Operations Center, whose sole responsibility is to gather intelligence sources and determine how incoming data might apply to Johnson & Johnson’s environment.
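Chaney’s description of an intelligence and trending function, a group that decides whether shared data applies to the company’s own environment, comes down in practice to matching peer-shared indicators against internal telemetry. What follows is an added example written for this post, not code from the article, from Johnson & Johnson or from NH-ISAC: the indicator set, the key=value log format, the field names (host, dst, url, query, answer, sha256) and the log lines are all constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed indicator set, in the shape a member might receive from an ISAC feed.
# Every value is illustrative (RFC 5737 documentation ranges, example.* names,
# a made-up hash); none is a real indicator.
SHARED_INDICATORS: Dict[str, Set[str]] = {
    "domain": {"update-check.example.net", "cdn-metrics.example.org"},
    "ipv4": {"198.51.100.23", "203.0.113.0/24"},   # single host or CIDR range
    "sha256": {"0123456789abcdef" * 4},
}

# Constructed proxy, DNS and endpoint log lines in an assumed key=value format.
SAMPLE_LOGS = [
    "2015-09-02T10:14:05Z proxy host=ws-0142 dst=203.0.113.77 url=http://update-check.example.net/c",
    "2015-09-02T10:15:11Z dns host=ws-0142 query=www.example.com answer=93.184.216.34",
    "2015-09-02T10:16:40Z edr host=srv-db01 file=C:\\Temp\\inst.exe sha256=" + "0123456789abcdef" * 4,
    "2015-09-02T10:17:02Z proxy host=ws-0199 dst=198.51.100.9 url=http://intranet.example.com/",
]


@dataclass(frozen=True)
class Match:
    host: str        # internal asset that produced the event
    kind: str        # indicator type: domain, ipv4 or sha256
    indicator: str   # the shared indicator that fired
    line: str        # the raw event, kept for the analyst


_KV = re.compile(r"(\w+)=(\S+)")


def _hostname(value: str) -> str:
    """Reduce a URL or bare name to its lower-cased host part."""
    host = value.lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    return host.split("/", 1)[0].split(":", 1)[0]


def _domain_hits(value: str, domains: Set[str]) -> Set[str]:
    # A shared domain also covers its subdomains (mail.update-check.example.net).
    host = _hostname(value)
    return {d for d in domains if host == d or host.endswith("." + d)}


def match_indicators(lines: Iterable[str],
                     indicators: Dict[str, Set[str]] = SHARED_INDICATORS) -> List[Match]:
    """Return every event in `lines` that touches a shared indicator."""
    # Parse ranges once so each address is tested as a network member, not a string.
    nets = [ipaddress.ip_network(c, strict=False) for c in indicators.get("ipv4", ())]
    domains = {d.lower() for d in indicators.get("domain", ())}
    hashes = {h.lower() for h in indicators.get("sha256", ())}
    matches: List[Match] = []
    for line in lines:
        fields = dict(_KV.findall(line))
        host = fields.get("host", "?")
        for key in ("url", "query", "dst"):
            for d in _domain_hits(fields.get(key, ""), domains):
                matches.append(Match(host, "domain", d, line))
        for key in ("dst", "answer"):
            try:
                addr = ipaddress.ip_address(fields.get(key, ""))
            except ValueError:      # field absent or not an IP literal
                continue
            for net in nets:
                if addr in net:
                    matches.append(Match(host, "ipv4", str(net), line))
        digest = fields.get("sha256", "").lower()
        if digest in hashes:
            matches.append(Match(host, "sha256", digest, line))
    return matches


def hosts_to_triage(matches: Iterable[Match]) -> List[str]:
    """Distinct internal hosts that hit an indicator, sorted for the analyst queue."""
    return sorted({m.host for m in matches})


if __name__ == "__main__":
    for m in match_indicators(SAMPLE_LOGS):
        print(f"{m.host}: {m.kind} {m.indicator}")
    print("triage:", hosts_to_triage(match_indicators(SAMPLE_LOGS)))
```

Two details the paragraph alone does not show: a shared domain has to cover its subdomains, and a shared address range has to be tested as a network rather than compared as text, otherwise a trivial change on the attacker’s side (a new subdomain, the next address in the block) slips past the feed the peers took the trouble to share.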

Every CIO Can Learn About Cyber Security Threats From These Four Recent High-Profile Hacks

Every CIO in every company around the globe needs to be educated about current cyber security threats and can really learn a lot from these four recent high-profile hacks (emphasis added):

Keeping one step ahead of hackers is no easy task for IT security executives. There are so many ingenious hacker ploys, shady tricks and nefarious techniques to compromise your data, it might seem like no company could ever keep up. Cybercrime is clearly on the rise, and CIOs have plenty of reasons to be anxious.

Four recent high-profile hacks demonstrate that cybercriminals are breaching networks, stealing data and using social engineering to trick employees. We asked several security experts to weigh in on these cases, how they occurred and what CIOs should do to reduce the likelihood of a similar compromise. Hint: it’s more than just installing a new firewall and insisting that employees use antivirus apps.

1. OPM data breach

This high-profile data breach is disconcerting because the Office of Personnel Management (OPM) handles security clearances and background checks for federal employees. At last count, 21.5 million government employee records were stolen. Most reports indicate that the OPM hack occurred because of a lack of basic security infrastructure precautions. A former subcontractor stole the data while doing background checks, according to both the public hearings on the breach and data security expert Alan Kessler.

Indian Government Deploying “Hack-Proof Communication Network”

India is rolling out what it calls a “hack-proof communication network” so that government agencies can communicate and collaborate in a secure environment. Treat the claim quoted below that the network “cannot be hacked or intercepted” as the ministry’s statement rather than a security property: a dedicated fibre network narrows the attack surface, but it does nothing about compromised endpoints, insiders, or physical taps on the fibre itself (emphasis added):

The central government will soon unveil a secure information-sharing network for top government officials and agencies.

Now, the exchange of confidential information among officials and agencies will only happen through this network, which cannot be hacked or intercepted. State-run telecom operator MTNL will manage the network.

In the first phase, the secured dedicated communications network (SDCN) will be launched in Delhi with 5,000 lines connected through a fibre-optic network, according to a senior official in the ministry of communications and IT.

“After a successful launch of secured communication lines in Delhi, the network will be expanded across India. This will also mean phasing out of RAX (restricted access exchange) phones from the country, which are currently being used by ministers and bureaucrats for communication, but are prone to risks,” an official in the IT ministry said.

Breathtaking Journey Through Los Angeles

This video by Ian Wood is a breathtaking journey through Los Angeles and is filled with visuals you have likely never seen even if you’ve lived in or visited this lovely city. More than once while watching, I found myself wondering where some of the locations were filmed.

While I really enjoy living in Tokyo, Los Angeles will always have a special place in my heart.

If you love Los Angeles or just admire beautifully presented imagery, this video is a must watch.

We Need to School the Presidential Hopefuls on Cyber Security So They Make Informed Policy Decisions

In the run-up to the 2016 Presidential election, Democrats and Republicans alike are talking about cyber security. However, it is painfully obvious they are just restating talking points and do not understand cyber security at all. This is why it is important for us professionals to school the presidential hopefuls on cyber security so they make informed policy decisions (emphasis added):

Referencing breaches from China and Russia, last month Hillary Clinton said that cybersecurity legislation “doesn’t go far enough” to defend the United States. 2016 GOP hopeful Mike Huckabee called on Obama to carry out a cyberattack against China in response to the Office of Personnel Management hack, while Senators Charles Schumer and Lindsey Graham urged the International Monetary Fund to punish the country financially.

Then just last week during the GOP debate, Carly Fiorina called for companies to pull down the “cyberwalls” that stop governments from accessing customer data, and Senator Ted Cruz said that state-sponsored hacks amount to acts of cyberwar.

As these discussions heat up, it’s more important than ever that mainstream politicians actually understand what they’re talking about. Here is a quick primer on what anyone running in the US presidential race really should know when it comes to cybersecurity.

Although I do not disagree with the premise, I really wonder how much of a difference it will actually make long-term. Politicians are motivated by money, and lobbyists will do whatever they can to sell their wares to ignorant politicians, even if it means passing terrible laws.

General Services Administration Is Looking for Industry Comments on a Proposed Cyber Security SIN

The US General Services Administration is looking for industry comments on a proposed cyber security special item number (SIN) intended to ease, at least somewhat, the already extremely painful federal acquisition process:

The General Services Administration is considering adding a special item number (SIN) for cybersecurity and information assurance (CyberIA) to IT Schedule 70, making it easier for agencies to buy security tools and services and giving vendors a central place to offer their wares.

GSA released a request for information on Aug. 12 asking for feedback on a CyberIA SIN, primarily from the companies whose product and services would be listed there.

The idea for a cybersecurity SIN has been kicking around GSA for some time, though the CyberIA RFI came sooner than expected, with officials originally unsure if the process would get started this year.

Recent incidents — including two high-profile breaches at the Office of Personnel Management — prompted GSA to move ahead with the proposed SIN.

“GSA believes the CyberIA products and services market is sufficiently mature for this SIN to attract both vendors and government buyers,” according to the RFI.