October was National Cybersecurity Awareness Month. On October 11, 2018, WITI Orange County hosted a cybercrime event at the Zillow Group facility in Irvine.
Lenka Vanek, senior director of software engineering at Quest, moderated an all-female panel consisting of Erika Voss, head of information security, risk, and compliance at Zillow; Jeannie Warner, security manager at WhiteHat Security; and Lauren Walson, sales manager at Darktrace. While cybersecurity is a hot, trendy topic, the panelists were no slouches, with over 10 years in the cybersecurity field. Their amazing (horror) stories made this event an early Halloween.
The internet has a lot of information available on 'how to set up' your cybersecurity. This recap is more about takeaways: tidbits of information that are not necessarily written in any training manual.
Approach your security strategy by the 'context of the risk.'
Namely, what are your company's crown jewels? Protect those first. For example, if your company is a bank, protecting how transactions are performed is one of your crown jewels. Pokémon Go cares about the uptime availability of its website. The United States government does not care if its public website goes down.
In building your security strategy, ask your CEO, "Do you want to BE the news?" or "Do you want to be IN the news?"
Is the cloud secured? AWS? Google? Azure?
Yes; in fact, they are probably more secure than your own servers. Networks can be secured.
The panelists did not appear to be worried about hackers. So what is the threat that keeps them up at night? Humans.
Personal attacks in which humans share information via email: phishing, passwords on sticky notes, family members knowing your work system password, whistleblowers, and so on. It was noted that other issues, like DNS and certificate transparency, are still tricky, but humans account for a good bulk of today's security woes.
The Panama Papers leaked 100 times more information than WikiLeaks. Over 2.6 terabytes of data (or 11+ million documents) were leaked from Mossack Fonseca, a Panamanian law firm that specializes in helping people anonymously set up offshore shell companies in lower-tax nations to protect their financial assets and cover their transactions.
The leak came from "John Doe," who stated, 'Income equality is one of the defining issues of our time.' John Doe's information spanned from the 1960s through 2016.
The latest hack attacks focus on system weaknesses found in human interaction.
It is estimated that by 2020, there will be over 5 billion IoT devices. New IoT devices (e.g. baby monitors, security cameras, house lights, oven temperature settings, refrigerators, etc.) are going to market without security considerations. With the proliferation of IoT, personal convenience is outweighing personal security. IoT devices typically communicate using a technology called Bluetooth. Did you know that Bluetooth has a known attack method called bluesnarfing? Check your smartphone right now: is your Bluetooth on? The panelists warned us to TURN IT OFF.
The panelists shared stories raising awareness of bluesnarfing. Nothing is safe. How much of a gambler are you? It is not a question of whether you will be hacked; it's a question of 'when.' As mentioned earlier, it is a convenience factor. Our panelists still have Bluetooth turned on even knowing about bluesnarfing.
Don't forget about USB drives. Not only can someone easily copy information from your PC onto a USB drive, but a USB drive may also carry malware or ransomware 'bugs.' Just by plugging a USB drive into your machine, you may infect it. Companies are no longer allowing USB drives to be connected; Darktrace is one company that does not allow USB drive usage. If you get hit by ransomware, what is the advice? Just pay it if you don't have a backup, and chalk it up to lessons learned.
Even after 10 years of cybersecurity attacks, the simplest attack methods still work. Sophisticated attack methods get blocked (over time). The panelists felt we are failing our communities by not educating consumers about cybercrime and about NOT clicking on suspicious emails.
How do you tell your 80-year-old parents not to click on the Medicare email? It looked important. How do you decrease the number of cybercrimes? The suggestion: someone famous, like Oprah, getting on the cybersecurity crime bandwagon to educate the community at large.
Are there other areas of exposure for cyber attacks?
Yes, the new frontier is the front door: attacks through web applications. How secure is your business web application? Developers may have built unintentional 'backdoors' that expose their application to vulnerabilities. Companies like WhiteHat Security examine your web applications for exposure and make recommendations for code cleanup to reduce risk. Security is a non-functional requirement that needs to be in all application development specifications.
Does the new GDPR (General Data Protection Regulation), implemented May 25, 2018, in Europe, have any effect on security?
Yes, we will see more and more precedents being set defining what is private information and what is public information. If your company is in retail and already PCI DSS compliant (PCI = Payment Card Industry; DSS = Data Security Standard), then your company is well on its way to being GDPR compliant. How easy is it for a stranger to steal your life information from your Facebook account and open a new credit card account in your name?
Another note on privacy and your smartphone. If you ever travel internationally, you do not have to give security your password to unlock your smartphone; however, if you use your fingerprint to unlock your phone, security can force you to unlock it, as fingerprints are not testimonial.
How easy is it for a woman to get a job in cybersecurity? According to our panelists, security is not hard.
Can you read? Are you trustworthy? Do you have a passion or interest in security and want to become a 'threat analyst'? Security folks are straight shooters; a spade is a spade. Yes, the CISSP (Certified Information Systems Security Professional) certification is a six-hour exam.
One of our panelists mentioned she failed the CISSP test the first time because she did not study. Is it worth it? Yes, security analyst salaries carry a 'premium markup' above developer salaries right now. Tell people what you want. Raise your hand. Nothing is gender-related.
In closing, one of our panelists offered to connect on LinkedIn with attendees to mentor and coach any woman interested in becoming a security analyst. She mentors 12 'bad-ass' women.
One can also lean in and learn more about cybersecurity by finding materials at the Grace Hopper Institute or by checking out the free security training classes on Groupon.
A special shout out to our sponsors, whom we cannot thank enough for helping us with this event. Zillow Group houses a portfolio of the largest and most vibrant real estate and home-related brands on the web and mobile. You might recognize some of their portfolio: Zillow®, Trulia®, StreetEasy®, RealEstate.com.
And a shout out to CyberArk, the global leader in the privileged access security space, protecting data, infrastructure, and assets across the enterprise, in the cloud and throughout the DevOps pipeline.
CyberArk delivers the industry's most complete solution for reducing the risk created by privileged credentials and secrets. The company is trusted by the world's leading organizations, including more than 50% of the Fortune 100, to protect against external attackers and malicious insiders.