Tag Archives: security

Filling the Cybersecurity Talent Pool

I seem to see a new article weekly raising the alarm about the number of unfilled cybersecurity jobs. A 2015 report from (ISC)2 projects the shortfall to rise to 1.5 million worldwide by 2020. A recent Harvard Business Review article highlighted the gap in the number of skilled cybersecurity professionals and offered some insight into how we can bridge that gap through educational programs and by hiring non-traditional employees. My aim with this post is to start a dialogue on creative ways to attract fresh minds and new faces to the field.

Traits

First of all, what traits are most desired in a security professional? I would submit that a strong sense of curiosity is important. Those creating hacks and spreading malware are certainly curious about how much trouble they can cause so it stands to reason that those tasked with detecting intrusions should also be curious. The next question is are people born curious or can it be learned? The authors of a 2015 Fast Company article suggest that we are all born curious but many lose their sense of curiosity, and it can be regained through discipline.

It is also important to have a keen sense of patterns. I believe that everyone seeks out patterns in order to make sense of chaos but some have an innate sense of irregularities that others cannot see. As pointed out in the Harvard Business Review article, machine learning is augmenting that pattern searching and discovery but it will still take human intelligence to find security anomalies.

Education

In order to train and retain more cybersecurity professionals we are going to have to change our thinking on where they come from. They don’t necessarily all come with a four year computer science degree in their pocket. Some do have that credential to be sure and they excel in the field, but we are going to have to cast a wider net in order to fill the gap. When I think of the traits of curiosity and pattern recognition I think of trained musicians. Is it possible that someone could be a security expert during the day and a musician at night or vice versa? Do we need to look closer at how we match up hobbies and vocations? Can the lines be blurred between the two?

Harvard offers an eight week introductory online course in cybersecurity through HarvardX. This is one of several online courses that allow a prospective professional to test the waters. This is a great way to match up potential security enthusiasts with information on the field. A graduate of this course may decide to go on and take advanced courses either online or at a nearby college training center. This will hopefully lead to certifications and a job offer in the field. As employers facing a skills shortage, it is important to be flexible in who we seek and how we view their academic and professional background. Perhaps expanded internships are in order for the right candidate.

Thoughts

These ideas can apply to other fields facing employee shortages but I think it is important to stay flexible on who we view as potential hires. If we continue to look at a narrow pool of candidates this gap is only going to grow. Let me know your thoughts.

Author Kelly BrownAbout Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.

Regulating The Internet

With the latest terrorist attacks in London there are renewed calls for regulating the internet in order to prevent the spread of extremist views. British Prime Minister Theresa May said recently, “We cannot allow this ideology the safe space it needs to breed – yet that is precisely what the internet, and the big companies that provide internet-based services, provide.” My goal for this blog post is to open a dialog on how the internet could or should be regulated. By regulating the internet, would we be regulating free speech? Would it just spawn an alternate internet, or would it fuel the dark web that already exists? What kind of international cooperation would it take to actually pull this off and hopefully stop the spread and growth of terrorism?

International Cooperation

Theresa May recently also said, “We need to work with allied democratic governments to reach international agreements to regulate cyberspace to prevent the spread of extremist and terrorism planning.” I believe that will be one of the largest hurdles to overcome if we are to provide any internet policing. The European Union can’t even agree on next steps so it may be impossible to get countries around the world to cooperate. Britain recently passed the Investigatory Powers Act which gives British security the ability to view and monitor all internet connections made within the country. It also binds internet providers to make connection and browsing records available to various British agencies. If this is truly going to be successful it will take a lot of expertise to sift through all that data to find nuggets that could help stop the spread of terrorism. It’s one thing to gather the information, another to make sense of it and detect important patterns. That will take a combination of software applications and technical expertise.

Free Speech

At the heart of it the internet is a communications medium just like the telephone and postal mail. Governments have long had the ability to tap into phone conversations or monitor mail as they try to anticipate and stop nefarious plots. These older mediums carry commercial as well as personal messages, as does the internet. The big difference is the fact that the internet is much faster and has the ability to broadcast a one-to-many message, in some cases to millions spread around the world. It is also searchable, meaning that if people want to align themselves to a particular ideology they can easily find like-minded individuals and activities that support their ideology. This is a whole new world and it is going to take new thinking and not just new regulatory powers. New proposed powers border on free speech infringement, which is near and dear to many. How do we establish that line between free expression and intentional malice?

Thoughts

If we truly want to regulate the internet, we need clear, unbiased thinking, technical expertise, and hardware and software technologies. We need to understand the line between freedoms and potential threats and tread that line carefully. Most of all it is going to take a lot of international cooperation to develop a strategy that will work for everyone.

What are your thoughts? Is it even possible to regulate the internet or is it too late? Is it possible to monitor internet traffic and patterns without infringing on basic privacy rights? Let me know your thoughts.

Author Kelly BrownAbout Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.

The Face of Cyber Security

Conceptual image of a closed padlock on a digital field.A New Form of Hacking

The WannaCry malware attack has me thinking about cyber security and my exposure. I have at least one system in my home that is vulnerable to this attack and still needs to be patched. Fortunately it has been turned off for the last few weeks. Aside from my personal exposure, I have been researching efforts to fight and predict attacks. This blog post is dedicated to the security community and the fine work they do to stay in front of attacks like WannaCry.

Spy Vs. Spy

The latest attack was an example of ransomware, which promises to release the hold on a particular computer in return for compensation. In this case the ransom was the equivalent of $300 in bitcoins. The malware spread to computers in Europe and Asia until an analyst known as MalwareTech discovered a kill switch and disabled the attack, at least temporarily. MalwareTech and other analysts are constantly evaluating new threats and disabling them often before they propagate and cause widespread damage.

Vigilante Hacking

With the proliferation of Internet of Things (IoT) devices, hacking has gone beyond traditional computers and spread to unsecured devices. Since IoT devices are by default connected to the internet and come with their own address, they are vulnerable to attack. Hackers attempt (and sometimes succeed) to control a device through security holes. To combat this, applications such as Mirai were designed to act like malware but actually close security holes, at least temporarily. Technically, since the virus is spread without prior notification, it is still an example of hacking and therefore illegal. This is an example of “white hat” hackers versus “black hat.”

Predictive Cyber Security

I have written before about predictive analysis in conjunction with machine learning and AI. Using advanced algorithms, researchers are developing applications that can predict attacks based on patterns and previous system activity. With this information they can sometimes stop an attack before it breaches an organization’s defenses. Ideally this would stop every attack before it starts, but the algorithms are imperfect. With experience, these programs should combat most threats in the future.

Thoughts

Cyber security is complicated and as quickly as analysts spot vulnerabilities, hackers are there to exploit those holes. There is a need for trained security analysts to build and maintain defenses in our automated world. It is hard to turn over control to robots and automated manufacturing systems and self-driving cars when a security breach could leave us helpless. Certified security experts are needed to watch over our increasingly sophisticated computing ecosystem, as the recent attacks have shown. Do you think your organization is doing all it can to protect itself? Let me know your thoughts.

Author Kelly BrownAbout Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.

Artificial Intelligence Applications

Artificial intelligence (AI) will continue to contribute to innovations this year. I think some industries will embrace the change and some will resist for various reasons, including job displacement and trust. Our world is changing already in terms of the tasks that computers take on. Let’s examine some of the ways that AI will change how we work in 2017 and beyond.

Definitions

AI is simply a set of cognitive tasks that can be handled by a computer. Some AI functions incorporate vision and robotics but do not necessarily resemble Arnold Schwarzenegger’s dangerous “Terminator” character. Think of the hundreds of decisions that you make every day and which of those decisions could be best made by a computer, thus freeing you up for more creative and innovative tasks. Another term associated with AI is machine learning. That is the ability of a computer to learn from past cognitive decisions and make corrective choices, similar to how we learn from our mistakes and change our thinking in order to produce a better outcome.

Security

In a recent InformationWeek article, the author is hopeful that AI advances will help solve a skills shortage in the cyber security field. Right now, computers are used to gather data on threats and potential threats to weed out erroneous information and help security professionals formulate a mitigation strategy. In the future, the computer will also be left to formulate and institute the threat response as well as gather the initial data. Far from displacing security personnel, it will free them up to work on higher level tasks such as business continuity and refining the data collected and filtered. In this case, AI provides another pair of hands but security professionals will continue to be in as high demand as they are now.

Automotive Applications

One of the AI applications I am most excited about is automotive. I have written about this in the past and there have been some real breakthroughs recently. One practical application of AI is Ford’s new Pro Trailer Backup Assist. I cannot back up a trailer to save my life; I was denied that gene when I was born. Somehow the trailer appears at my side whenever I try to back into a spot. With backup assist, the driver removes their hands from the steering wheel completely and backs up by using a small knob on the dash. Turn the knob to the right and the trailer moves to the right. This is just the opposite of trying to use the steering wheel and certainly much more intuitive. This is an example of machine learning using vision and computing algorithms. Another even more radical example is the upcoming autonomous vehicle. These vehicles make constant decisions based on sensor input from around the vehicle to safely transport a passenger.

Danger Zones

Robots using machine learning differ from simple drones in that they make independent decisions based on past experience. A drone is controlled by a human operator and cannot function independently. An example of independent robot development is CHIMP from Carnegie Mellon University. CHIMP will be used in industrial application and for search and rescue when the situation is too dangerous for humans. It makes decisions based on instructions, experience, and multiple sensor input.

Thoughts

These are just a few AI applications, with a lot more to come. Are there tasks or decisions that you would just as soon leave to a computer? Do you trust the systems to make those decisions? This is a brave new world and it will take a leap of faith before some of these developments become completely commercialized. Let me know your thoughts.

Author Kelly BrownAbout Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.

The Risk and Security of Connected Healthcare Devices

Photo of a pile of pills and medical devices.A recent Forrester Research report highlighted the security risks of connected healthcare devices and some of the implications of lax policies of manufacturers and care providers. This brings to mind for me all kinds of doomsday scenarios so I want to highlight some of the best practices in the report. These apply to the healthcare industry and other businesses.

Internet of Things

Part of the allure of the internet of things (IoT) is that many devices can be connected, including medical devices. In a recent article, author Yash Mehta highlighted some connected and potentially connected devices. On the list are monitoring devices which allow patients to be at home instead of a hospital. He also mentions companies that are developing edible IoT “smart” pills that will help monitor health issues and medication. This is an area where I would want the tightest security.

Steps for Security Planning

Start from the inside when thinking about security. Is everyone in your organization following best practices? Are you requiring passwords be changed regularly? Is everyone following this requirement or have they developed a workaround? Are there any shared accounts with a shared password? One of the biggest security holes has to do with social engineering. A hacker will pretend to be someone trustworthy to secure passwords or entrance into secure systems, then launch a widespread attack. Make sure everyone in your organization is educated and prepared for such an attempt.

Verify that the new devices have security built in from the manufacturer. This applies to health care IoT and other connected devices. It is hard to build security with no foundation. Push manufacturers to install a minimum level of threat protection in every device.

It is necessary to separate device information from actual customer details. In the case of health care, that means storing data collected from the connected device in a separate data structure than the patient data. In a retail establishment this means storing credit card information away from personally identifiable information such as customer name and address. The two can be linked via a separate ID but it should be difficult for a hacker to connect the two sources of information.

Thoughts

It is exciting to think of all of the possibilities with IoT devices but it is sobering to contemplate the security risks. All of us must consider and mitigate the risks, either as consumers or as part of an IT team building the tightest security possible. IoT devices are coming. Are you ready?

Author Kelly BrownAbout Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.

Pokemon Go and the Future of Augmented Reality

Photograph of a smart phone screen with an active Pokemon Go game.Augmented reality took a big leap forward this month with the release of Pokemon Go from Niantic Labs and partner Nintendo. This game has become very popular and has drawn praise and criticism from different groups. Many are excited about getting players young and old out of the house, but some are concerned about the potential security problems when the lines are blurred between the virtual and real worlds. Personally, I am fascinated by the social implications of this technology and its potential benefits in gaming and extended professional scenarios.

Pokemon Go

Pokemon Go requires players to chase Pokemon cartoon characters in the real world using a smart phone. It uses the smartphone camera and clock to overlay one of 151 characters in real places such as the city, the beach, the forest or in buildings. The player must collect these characters wherever they may be. Water characters can only be collected near waterways and night fairies can only be collected at night. The game has become so popular that Darwin police in Northern Australia have alerted players that they do not need to come into the police station to catch a particular character:

For those budding Pokemon Trainers out there using Pokemon Go — whilst the Darwin Police Station may feature as a Pokestop, please be advised that you don’t actually have to step inside in order to gain the pokeballs. It’s also a good idea to look up, away from your phone and both ways before crossing the street. That Sandshrew isn’t going anywhere fast. Stay safe and catch ’em all!

This is not the first augmented reality game, but so far it’s the most popular. Niantic released a similar game called Ingress in 2015. Pokemon Go uses the same database of features and is basically Ingress using Nintendo characters.

Recent History

Niantic Labs was a Google creation but spun off last fall during the Alphabet restructuring. The original intent by Google was to build things on top of the incredible mapping technology that they already have. Think about Google Maps, Google Earth, and Google Street View. They have a comprehensive database of geo coordinates, so it makes sense to augment (no pun intended) that work with a game. This is a great example of an innovation extension.

My Interest

I have seen similar application research recently in the field of education. The premise is that if young people could be enticed to go to a park or a museum or into the forest, they could learn about the features of that location and earn tokens at the same time. Basically, this is the gamification of nature or history. I have written about this topic before, but I am all in favor of enticing people to go outdoors, whether to search for cartoon characters or for solitude away from the stress and distractions of everyday life.

Thoughts

Games like Pokemon Go could be the first of many popular augmented reality games. While there are still some bugs to be worked out, the technology is promising. Have you played Pokemon Go? Do you think this is a passing fad or the beginning of a new reality? Let me know your thoughts.

Author Kelly BrownAbout Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.

Customer Data: The New Capital

Fingerprint weighted against a dollar sign.Sports Authority, a retail chain of sporting goods stores, recently filed for bankruptcy and sold off all of their assets. One of the highest bids was for their name, e-commerce site and customer data, bought by rival Dick’s Sporting Goods for $15 million. In contrast, a package of several store leases went for only $8 million and naming rights to Sports Authority Field, also known as Mile High Stadium, home of the Denver Broncos, is still on the auction block. It appears that customer information is the new desired capital, but what does that say about our privacy and the use of our personal information? Is it truly for sale to the highest bidder? Did we actually agree to that?

Privacy Policies

The Sports Authority privacy policy states, “We may transfer your personal information in the event of a corporate sale, merger, acquisition, dissolution or similar event.” Information collected and stored at the Sports Authority website includes full name, street address, e-mail address, telephone number, credit card number, and credit card expiration date. This is not unique to Sports Authority; other online retailers collect the same information and include a similar caveat in their privacy policies. It is up to the consumer to read and understand that clause and decide whether it is worth the risk.

Relationships

When signing up for rewards programs I agree to hand over my personal information, regardless of whether I read the privacy policy or not, but I expect our relationship to end if the company is dissolved. In the case of Sports Authority, my intended relationship was with them and not with Dick’s Sporting Goods or someone else. Is there a step in the process that lets me break off the deal should I not want to be solicited by the highest bidder?

Thoughts

With value on customer data comes responsibility to customers who have disclosed their information and expect at least a minimum of privacy and discretion. Privacy advocates are watching these developments closely. They are concerned that the new owners will not adhere to the original privacy agreement and will use the customer information in ways not originally agreed upon.

Let me know your thoughts on buying and selling customer information. It is not a new idea. I have received solicitations from car dealers for years based on information available from the division of motor vehicles. What is new is how easy it is to collect, buy, and sell this information and the amount of associated customer information collected, which can be put up for sale to the highest bidder.

Author Kelly BrownAbout Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.

Brexit and the Technology Industry

Puzzle with the national flag of great Britain and European Union on a world map background.The recent decision by Britain to exit the European Union (Brexit) has people asking a lot of questions. Some analysts are pondering British technology regulations and the state of the technology industry post European Union. There are surprising implications that perhaps have not been considered but probably would not have made a difference in the vote.

Silicon Roundabout

An area in East London has been dubbed Silicon Roundabout for the concentration of high-tech firms, particularly start-ups. In a 2013 Guardian article, director of Twilio Europe James Parton cites reasons for locating a hub in London, “…London was a natural choice for our first office outside of the U.S. Language, accessibility to rest of Europe, a vibrant start-up ecosystem, the financial market, talent and flexible business conditions were all contributing factors.” Other areas of Britain have attracted high-tech heavyweights and start-ups alike.

With Brexit, some of those desirable qualities could disappear. Accessibility to the single EU market is in jeopardy, which could result in less than favorable trade arrangements and higher tariffs for companies operating in an independent Britain. A recent BBC article suggests that Berlin, for example, will actively court those tech start-ups and venture capitalists that have been pouring money into Britain. In making her pitch, Cordelia Yzer, Berlin Senator for Commerce and Technology, said, “They are welcome, their talent is more than welcome. It’s a great place to live and we also speak English. Berlin is a place where their dreams can come true.”

High Finance

Another potential issue for tech firms in Britain is access to capital. Start-ups in particular, but all tech firms in general, are capital-intensive operations mainly used for talent and equipment. A recent Reuters article reports that Standard and Poors and Fitch Rating recently dropped their credit rating for the country. This could make it harder or more expensive for companies to borrow capital for expansion or for a start-up. These companies could consider other EU centers such as Berlin or Paris, where funds are less expensive.

Data Privacy

The EU and the U.S. are working on the latest changes to their data privacy agreement. The EU has some of the toughest privacy laws in the world with Germany and France leading the charge in areas such as “the right to be forgotten,” which require companies such as Google to erase all internet history of an individual upon their request. Britain has pushed for less stringent regulations but it remains to be seen whether they will still abide by the EU-U.S. data privacy agreement. That brings up the question of whether data flowing through Britain will still adhere to those standards, or will it be less secure?

Thoughts

The exit is still being planned, though EU countries are pushing to get it done sooner rather than later. With the separation come questions for high-tech companies and consumers. These will be sorted out over time and I will be watching the developments with interest. Can you think of any tech benefits or drawbacks to a post-EU Britain? Let me know your thoughts.

Author Kelly BrownAbout Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.

Careers in Technology: Threat Intelligence

A silhouette of a hacker with a black hat in a suit enters a hallway with walls textured with random letters 3D illustration backdoor conceptI recently came across an interesting New York Times article highlighting the field of threat intelligence. Gartner expects the market for this security service to reach $1 billion next year, up from $255 million in 2013. Surely there must be job opportunities for the person with the right preparation, education, and credentials. I did more research into this technology career and came up with some interesting prospects.

Making Lemonade out of Lemons

In the article, the author cited a case of a family welding shop in Wisconsin that ran a small server for tracking orders, billings and suppliers. Their server was hacked, and they were totally unaware until a Silicon Valley security firm contacted them. The firm noticed that it had become a proxy to get to other vulnerable servers, some from very large companies. The security firm left the server in place but now closely monitors the traffic going in and out of it and can preemptively warn clients when they have been breached or are about to be compromised. Threat intelligence is really about being proactive, as opposed to reactive, and monitoring security issues or paying others to monitor them for you.

Education

For education in this field, it is best to pursue the Certified Information Systems Security Professional designation. This training is available through self study, on-site or online training which prepares you for the mandatory tests. There is even a “CISSP For Dummies” book but I am not sure I would trust my network to someone who chose that route to learn the business.

In addition to the CISSP, there are specialized courses in threat intelligence to augment the CISSP training and certification. These courses take you beyond basic intrusion detection and teach you how to battle persistent threats and how to programmatically counter these threats.

Jobs

There are jobs available in private industry for security firms that do threat intelligence and sell that information to clients. Many major corporations want to build in-house expertise in this area in order to fend off hackers and protect proprietary information. There are also government jobs available from agencies trying to get the upper hand on security threats. This expertise might have prevented the breach of the Democratic National Committee that I mentioned in last week’s blog.

Thoughts

Network and system security is becoming more critical as some of our most valuable assets are the data we store about customers, new products, proprietary processes, and partner agreements. It is essential for firms and agencies to do all they can to protect that data. That means now moving from a reactive approach to the proactive and systematic method offered by the new field of threat intelligence.

Author Kelly BrownAbout Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.

Watergate 2016: The Evolution of Technology

Stylized photo of a hooded hacker at a laptop.The political season in the U.S. is now in full swing and I had to smile at a recent article about a security breach of a Democratic National Committee server and the  alleged theft of background information on the Republican candidate, Donald Trump. For a moment I thought I had slipped back to 1972 when a break-in and attempted wiretap occurred at the Watergate hotel and office complex where the Democratic Committee was headquartered. The more things change, the more they stay the same. In this case though, the technology has evolved from breaking, entering, and wiretapping to sophisticated digital entry to specific servers. Let’s take a look at the evolution of technology in terms of security.

1972

I followed the Watergate scandal closely even though I was only a teenager. Members of the “committee to re-elect the president” were found to have masterminded a break in into the Watergate office building to plant wiretaps on the phones of key members of the Democratic Committee. Several players were indicted and sentenced to prison and President Nixon eventually resigned under suspicion of having authorized the break-in and for keeping secret recordings. When the Watergate burglars were caught, they were found with:

“… at least two sophisticated devices capable of picking up and transmitting all talk, including telephone conversations. In addition, police found lock-picks and door jimmies, almost $2,300 in cash, most of it in $100 bills with the serial numbers in sequence.

The men also had with them one walkie-talkie, a short wave receiver that could pick up police calls, 40 rolls of unexposed film, two 35 millimeter cameras and three pen-sized tear gas guns.”

2016

Fast forward almost 45 years and consider the modern tools of the burglary/cyber espionage trade. No longer is it necessary to even be near a physical building; a lucrative break-in can be done from anywhere. As of this writing, it is believed that hackers linked to the Russian government broke into the Democratic National Committee servers, presumably while in Russia. Whether that can ever be substantiated or whether the individuals behind the break-in will ever be brought to justice is doubtful. Part of the hacking ethos is to cover digital tracks through multiple systems and connections so as to mask the hacker’s identity.

Thoughts

Catching five burglars with wiretapping equipment in an office building was a piece of cake compared to what law enforcement faces today. The stakes are higher in terms of the information stores that we keep and the break-in methods are much more sophisticated. The tools needed to track and prevent a strike are complicated and require advanced education and skills. As long as we continue to have security breaches, both in politics and business, organizations of all types will seek qualified professionals. The more things change, the more they stay the same.

Author Kelly BrownAbout Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.