Tag Archive for Security

| August 9, 2018
Comments Off on The Truth About Cyber Security Jobs

The Truth About Cyber Security Jobs

The Truth About Cyber Security JobsSites like Monster and CSO.com are predicting a massive wave of new cyber security jobs. Some industry pundits claim there will be up to 3.5 million unfilled cybersecurity positions by 2021. Despite this euphoria. a recent survey by Computer Economics found that security staffing is declining despite security being a top priority for organizations.  The research firm’s annual IT Spending and Staffing Benchmarks study found that after two years of increases, IT security personnel have declined as a percentage of total IT staff.

Cyber Security staff members declined

The Computer Economics report found that IT security staff members declined to 2.9% of the total IT staff in 2018. This is on par with the percentage in 2016, It is down slightly from 2017. Previously, the ratio was stable from 2013-2015 at 2.6%.

IT Security Staffing Ratios

Computer Economics – IT Security Staffing Ratios

A net 75% of organizations that responded to the survey are increasing their spending on security. However, the researchers found that increases in spending do not necessarily lead to headcount growth. Improved technology continues to allow IT staff to be more productive.

Technologies reduce IT security staff count

Major growth areas in IT security include using artificial intelligence (PDF) and machine learning to track anomalies before humans can detect them. Other technologies reducing the IT security staff are Software-defined networking, better awareness around application development to ensure better security from the start. The reduction of in-house infrastructure due to software as a service (SaaS) and the public cloud also contributes to staff numbers holding steady.

However, despite these trends, the need for increased and improved security may eventually lead to increases in security staffing, especially as cloud usage decreases the need for other types of in-house IT support personnel.

In the presser announcing their new report, David Wagner, vice president of research at Computer Economics said, I’d still expect to see slow and steady increases over the next few years, But it is unlikely we will see major jumps. Beyond the efficiency aspects, it is still difficult to find skilled IT security personnel. We’ve seen it before that when a job requires skills that are difficult to find, technology is quickly built to fill in the gaps.

In the face of these challenges, IT executives must ensure that their IT organizations have the proper skills to respond to the latest security threats. For instance, IT security experts are realizing that intrusion-prevention measures must be complemented by the ability to quickly detect an intrusion, stop it from spreading, and remediate it. Privacy must also be top of mind, in the wake of the European Union enacting the General Data Protection Regulation.

rb-

Based on these findings, it seems likely that the cybersecurity boom just went bust. For those who still want to try o change careers into cybersecurity, take a look at the Cybersecurity Supply/Demand Heat Map from CyberSeek. This tool could help you make some good decisions about how to crack the hiring game. According to CyberSeek data, there is an over 500% over-supply of CompTIA Security+ credential holders in metro Detroit. As one would expect, the CISSP credential has the most demand and has a shortage of holders.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , ,
| June 17, 2018
Comments Off on What is SS7?

What is SS7?

What is SS7?– Updated 10/25/2018 – The NYT is reporting that China and Russia are spying on Trump via his unsecured iPhone. NYT says that though intercepted calls, likely related to SS7 the Chinese have pieced together a list of the people with whom Mr. Trump regularly speaks in hopes of using them to influence the president, the officials said. Among those on the list are Stephen A. Schwarzman, the Blackstone Group CEO, and Steve Wynn, the former Las Vegas casino magnate.

Trump uses unsecure cell phoneA number of outlets are speculating that the Chinese are using the known SS7 flaw to spy on the president’s iPhone.  I have written about the problems with SS7 a number of times since 2016 and now the chicken has come home to roost.

Trump recently bragged that he gave the North Korean dictator his personal cell number. If that is true, he has created a major national security exposureKarsten Nohl, chief scientist at the firm Security Research Labs, who researches cell network attacks told Wired,  “Absolutely that is a problem.” He says hackers can abuse flaws in Signaling System 7 to listen in on someone’s phone calls, intercept their text messages, and track their location.

North Korean intelligence isn't already tracking Trump's phonesIf North Korean intelligence isn’t already tracking Trump’s phones through malware, a direct phone number could give them a way in. The SS7 attacks can give hackers relatively easy access to calls and texts, and location data. Wired points out that North Korea has proven itself as an adversary willing to hack and manipulate systems around the world for its financial or intelligence gain—it was responsible both for the 2014 hack of Sony and 2017’s WannaCry ransomware outbreak – SS7 hacking is likely no exception.

The telecom industry and U.S.government have done very little to plug the SS7 hole. Senator Ron Wyden, a Democrat from Oregon and a senior member of the Senate Select Committee on Intelligence, has been tracking the SS7 issue for several years. He has sent letters to FCC Chairman Ajit Pai, asking for answers on SS7 security and details about how many network providers have been breached through SS7. Mr. Wyden wrote, “I’ve spent the past year fighting to reveal what a terrible job the telephone companies and FCC are doing at protecting Americans from being spied on, tracked, or scammed.”

Attackers used SS7 to get customer dataFCC Chairman Ajit Pai

Mr. Wyden said he had been told by a big-name mobile network that malicious attackers are believed to have used SS7 to obtain US customer data. DHS confirmed reports of “nefarious” types leveraging SS7 to spy on American citizens by targeting their calls, text messages, and other information.

So what is SS7?

The Signaling System 7 (SS7) network is fundamental to cellphones operations, but its security design relies entirely on trust. The protocol does not authenticate messages; anyone with access to SS7 can send a routing message, and the network will make it. Now as SS7 network operators are opening the SS7 network to third-party access, vulnerabilities are being exposed and attacked initially by governments and now criminals.

Since 1975, over 800 telecommunications companies around the world use SS7 to ensure their networks interoperate. SearchNetworking.com defines the Signaling System 7 (SS7) as an international telecommunications standard that describes how network elements in a public switched telephone network (PSTN) exchange information over a digital signaling network.

SS7 control messages

SS7 control messages contain routing, congestion, and authentication information.

  • SS7 routing deals with: How do I send a call to 313-555-1234?
  • Congestion – What to do if the route to a network point is crowded.
  • Authentication – Confirms that the caller is a valid subscriber and lets the call set up continue.

They explain that SS7 consists of a set of reserved or dedicated channels known as signaling links. There are three kinds of network points signaling points:

  • Service Switching Points (SSPs) originate or terminate a call and communicate with SCPs to determine how to route a call or set up and manage some special feature.
  • Signal Transfer Points (STPs) are packet switches that route traffic on the SS7 network.
  • Service Control Points (SCPs) SCPs and STPs are usually mated so that service can continue if one network point fails.

Cell phonesSS7 out-of-band signaling (control) information travels on a separate, dedicated 56 or 64 Kbps channel and not within the same channel as the telephone call. Historically, the signaling for a telephone call has used the same voice circuit that the telephone call traveled on. Using SS7, telephone calls can be set up more efficiently and special services such as call forwarding and wireless roaming service are easier to add and manage. SS7 is used for:

  • Setting up and managing the connection for a call,
  • Tearing down the connection when the call is complete
  • Billing,
  • Managing features such as:
    • call forwarding,
    • calling party name and number display,
    • three-way calling,
    • Toll-free (800 and 888) and toll (900) calls
    • 911 emergency service calls in the US, and,
    • Other Intelligent Network (IN) services.
  • Wireless as well as wireline call service including:
    • Mobile telephone subscriber authentication,
    • Personal communication service (PCS) and,
    • Roaming,
    • SMS messages.

Within SS7, SMS messages are sent on the same channels and infrastructure as SS7 uses to control the core of the telephone networks.

When an SMS message is sent from an SMS-capable cell phone, the message is handled no differently than a normal call setup: it moves from the cell phone to a base station to a Mobile Switching Center (MSC).

SMS messageFrom the mobile switching center, the SMS message moves inside the SS7 network to the Short Messaging Service Center (SMSC), a standard part of the network. The SMSC queries the Home Location Register (HLR) to find out where the recipient of the message is and whether he or she is switched on to receive a message. If not, the SMSC stores the message until it can be delivered.

Mobile Switching Center (MSC) — The MSC is the equivalent of the local switch inside the mobile network. It provides very similar services to a switch, but uses virtual circuits over radio channels instead of physical voice circuits. One variation on the MSC is the Gateway Mobile Switching Center (GMSC) which routes calls into and out of the network and will not have phones locally registered.

Visitor Location Register (VLR) — The VLR is the database attached to an MSC that keeps track of all the phones currently “registered” to it, informing other nodes of status changes, and checking authentication information.

Short Message Service Center (SMSC) —The SMSC is the clearinghouse for SMS messages on an SS7 network and provides store-and-forward services.

Home Location Register (HLR) — HLR is a core database that keeps track of subscribers. It contains information on the current account status and provides authorization information for billing. When a call or SMS is trying to reach a subscriber, this is the node that is queried to find out where in the network that subscriber actually is.

SS7 Architecture

rb-

Mr. Nohl told Motherboard SS7 is, “probably the weakest link in our digital protection chain.” CTIA, the telecom lobbying arm, denies there is a problem with SS7. CTIA told DHS that the SS7 flaws are “perceived shortcomings.” They also said that talking about SS7 attacks is “unhelpful.” CTIA, practicing “security through obscurity,” claimed that talking about the issues may help hackers. 

This is a mess. Contact your senator and representative in D.C. and tell them to support Senator Wyden, efforts to force the FCC to deal with the SS7 flaws. 

Related article

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , ,
| April 30, 2018
Comments Off on ATM Jackpotting

ATM Jackpotting

ATM JackpottingThe U.S. Secret Service has warned (PDF) financial institutions of logical (jackpot) attacks on Automated Teller Machines (ATMs). These ATM attacks originated in Mexico and have spread to the US. These jackpotting attacks are an industry-wide issue and as one vendor stated, are “a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The attack mode involves a series of steps to defeat the ATM’s existing security mechanisms and the authorization process for setting the communication within the ATM. Internal communications are used when computer components like the mainboard or the hard disk have to be exchanged for legitimate reasons.

Description of an ATM attack

Automated Teller Machines (ATMs)In a Jackpotting attack, the criminal gains access to the internal infrastructure of the terminal to infect the ATM PC or by completely exchanging the hard disk (HDD). There are a number of steps the attacker has to take for this type of attack:

  1. The top of the ATM must be opened.
  2. The original hard disk of the ATM is removed and replaced by another hard disk, which the attackers have loaded with an unauthorized and/or stolen image of ATM platform software.
  3. In order to pair this new hard drive with the dispenser, the dispenser communication needs to be reset, which is only allowed when the safe door is open. A cable in the ATM is unplugged to fool the machine into allowing the crooks to add their bogus hard drive to the ATM.
  4. A dedicated button inside the safe needs to be pressed and held to start the dispenser communication. The crooks insert an extension into existing gaps next to the presenter to depress the button. CCTV footage has shown that criminals use an industrial endoscope to complete the taskATM's

In other Jackpotting attacks, portions of a third-party multi-vendor application software stack to drive ATM components are used. Brian Krebs at Krebs on Security reports that Secret Service issued a warning that organized criminal gangs have been attacking stand-alone ATMs in the United States using “Ploutus.D,” an advanced strain of jackpotting malware first spotted in 2013.

Mr. Krebs also reports that “During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATMs operating system along with a mobile device to the targeted ATM. Once this is complete, fraudsters own the ATM and it will appear Out of Service to potential customers according to the confidential Secret Service alert. At this point, the crook(s) installing the malware will contact co-conspirators who can remotely control the ATMs and force the machines to dispense cash.

In previous Ploutus.D attacks, the ATM Dispensed at a rate of 40 bills every 23 secondscontinuously dispensed at a rate of 40 bills every 23 seconds,” the alert continues. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash, according to the alert. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.”

Specific Guidance and Recommendations

The most common forms of logical attack against ATMs are “Black Box” and “Offline Malware”. The steps to minimize the risks to ATMs are the same as any other enterprise device.

  1. Make sure firmware and software are current with the latest updates, are important protections to mitigate the impact of Black Box attacks. Four out of five cash machines still run Win XP or Win XP Embedded. The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to at least Windows 7 to defeat this specific type of attack.
  2. Use secure hard drive encryption protections against Offline Malware
  3. Use a secure BIOS remote control app to lock the ATM BIOS configuration and protect the configuration with a password.
  4. Deploying an application whitelisting solution.
  5. Limit Physical Access to the ATM:
    • Use appropriate locking mechanisms to secure the head compartment of the ATM.
    • Control access to areas used by staff to service the ATM.
    • Implement two-factor authentication (2FA) controls for service technicians.
  6. Set up secure monitoring
  7. Use the most secure configuration of encrypted communications. In cases where the complete hard disk is being exchanged, encrypted communications between ATM PC and dispenser protect against the attack.
    • Ensure proper hardening and real-time monitoring of security-relevant hardware and software events.
    • Investigate suspicious activities like deviating or non-consistent transaction or event patterns, which are caused by an interrupted connection to the dispenser. Monitor unexpected opening of the top hat compartment of the ATM.

rb-

Followers of the Bach Seat know how to secure their PCs, I have written about securing PCs many times here. So the question is why not ATMs? Research says that consumers go into the branch less every year. The experts say that by 2022 customers will visit a branch only 4 times a year. In many cases, ATMs are the bank’s surrogates for most cash transactions. It makes sense to get it right.

Related article

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , ,
| April 24, 2018
Comments Off on Barracuda Networks Has Been Bought

Barracuda Networks Has Been Bought

Barracuda Networks Has Been BoughtWhile the massive Equifax data breach is still fresh in everyone’s minds and the cybersecurity workforce is expected to be short nearly 2 million people. IT security expenditures to top $1 Trillion by 2022. Private equity giant Thoma Bravo, LLC has jumped back into the IT security market with both feet. Barracuda Networks has been bought by the private equity firm in a deal that’s valued at $1.6 billion.

BarracudaBarracuda (CUDA) sells appliance and cloud-based cybersecurity and data protection services. Clients include; Boeing, Microsoft and the U.S. Department of Defense. Barracuda says it has over 150,000 customers. Upon the close of the transaction, Barracuda will operate as a privately held company.

Barracuda Networks has been bought

Barracuda Network was founded in Ann Arbor, Michigan in 2003. From Ann Arbor, it raised at least $46 million in venture funding prior to its IPO. CUDA went public on the New York Stock Exchange in November 2013, pricing its IPO at $18. Barracuda acquired Yosemite Technologies in 2009 to expand its offerings into the storage market.

Barracuda NexGen FirewallBarracuda continued to innovate in the run-up to its acquisition. eWeek reports that in March 2017, Barracuda debuted new data backup and recovery capabilities for VMware and Microsoft virtual machines. In June 2017 Barracuda announced its new Sentinel service. The service uses artificial intelligence (AI) and container-based technologies to improve email security.

Barracuda also enhanced its network security products and services in 2017. eWeek reported in November that the company expanded the cloud capabilities for its Web Application Firewall (WAF) and NexGen Firewall products. The new capabilities include usage-based billing for the NextGen firewall running in the Amazon Web Services (AWS) cloud. The firewall included automated configuration capabilities for the WAF, thanks to an integration with the Puppet DevOps tool.

CEO BJ Jenkins commented on the transaction, “We will continue Barracuda’s tradition of delivering easy-to-use, full-featured solutions that can be deployed in the way that makes sense for our customers.

Thoma Bravo

Thoma Bravo is a Chicago-based private equity firm with $17 billion under management. Their appetite for IT firms is rather broad. Some of it’s most notable purchases have been:

  • Thoma Bravo is a Chicago-based private equity firmSeptember 2014 – $2.4 billion purchase of Detroit-based Compuware.
  • December 2014 – $3.6 billion acquisition of Riverbed.
  • In October 2015, they teamed up with Silver Lake to buy IT infrastructure management vendor SolarWinds for $4.5 billion.
  • April 2017 – Purchased a minority stake in the freshly re-spun McAfee.
  • June 2017 they purchased Remote Monitoring and Management (RMM), IT security management vendor Continuum.

Their portfolio has included brands such as; Bomgar, Digicert, Digital Insight, Dynatrace, Hyland Software, Imprivata, iPipeline, Nintex, PlanView, Qlik, SailPoint, and SonicWall.

Thoma Bravo has resold many of its holdings in recent years.

TechCrunch notes that private equity firms began more aggressively buying up software companies last year. The thinking seems to be they can generate reliable returns from such investments. The biggest take-private deals lately include:

  • Marketo, a marketing software maker. Went public in 2013 and was taken private again by Vista Equity Partners in 2017 for $1.79 billion in cash;
  • The sale of event-management company Cvent last year to Vista Equity Partners in a $1.65 billion deal.
  • Cybersecurity risk-monitoring platform SecurityScorecard raised $27.5 million from the VC arms of Google, Nokia, and Intel.

Other notable IT security equity funding recipients include; Attivo NetworksDarktrace, and SentinelOne.

Investopedia speculates that Thoma Bravo is paying a pretty high premium for Barracuda. CUDA now trades at 139 times earnings and 4 times sales. But under private management, its products will likely be integrated with the firm’s other software products to generate synergies.

CRN notes that being a privately owned company will give Barracuda a stronger ability to chart its own destiny. They will not have to “tap-dance to the Wall Street music,” Michael Knight, president and chief technology officer at solution provider Encore Technology Group, Greenville, S.C., said. He hopes Thoma Bravo’s infusion of capital will enable Barracuda to continue driving its public cloud business, a more solidified SD-WAN toolset, and more integrated endpoint security protection.

Rb-

I have used Barracuda products at past jobs. Including their SPAM-Email firewall appliances and their cloud-based backup up system. The pricing was adequate. Renewals were easy. The email firewalls were really robust and almost set and forget.

The few times when I needed tech support, it was available in Ann Arbor, Michigan. Barracuda, founded in Ann Arbor, was one of the early believers in the area as a high-tech hub. Barracuda has plans to spend  $2.3 million on the expansion of its operations center in the former Borders Books offices at 317 Maynard Street. The expansion will add 115 new jobs in downtown Ann Arbor over the next four years. I hope that after Barracuda Networks has been bought by Thoma Bravo, the deal does not have a “Chainsaw Al” that will kill that growth.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , ,
| April 16, 2018
Comments Off on DUO Expands Into Detroit

DUO Expands Into Detroit

-Updated 08/02/2018 – Lumbering behemoth Cisco (CSCO) is buying Duo for $2.35B in cash. Hopefully, it will go better for Duo, Ann Arbor and Detroit than Cisco’s other purchase Flip and Linksys.

DUO Expands Into DetroitThe Ann Arbor Michigan-based cybersecurity tech company DUO Security continues to grow. The start-up has grown so much that they are moving part of their operation from Ann Arbor to Detroit Michigan. MLive reports that DUO will move 30 staff members into a shared workspace at Bamboo Detroit in the Madison Building at 1420 Washington Blvd. Employees moving to Detroit include those working in Duo’s engineering, information services, and product teams, the statement said.

DUO SecurityAt least 350 of Duo’s 500 employees work at Michigan locations, including two in Ann Arbor, where the company was founded in 2010. Duo Security CEO and co-founder Dug Song told MLive, “We are exploring options for how we continue to grow, but we’re committed to Michigan … We intend to stay here in Ann Arbor.”

To better support, its customer base Duo Security plans to expand its Detroit footprint by the end of 2018. The cybersecurity firm plans to occupy a 9,000-square-foot suite on the Madison Building’s sixth floor. DUO’s customer base includes over 10,000 companies like Facebook (PDF), Etsy, Toyota, the University of Michigan, Yelp, and Zillow.

Duo’s software-as-a-service (SaaS) secures more than 300 million logins a month. Xconomy Detroit explains that the heart of Duo’s business-to-business technology is two-factor authentication (2FA). 2FA is a method of confirming the identity of a user by sending a code to the user’s device, usually their phone. Duo’s software can also check the health of its customers’ devices, and block access to those deemed risky.

Jon Oberheide, Duo’s co-founder and CTO, told Xconomy, the Duo platform ensures that only trusted users and devices can access protected applications. Implementation of the system takes less than a week for 75% of Duo’s customers. Mr. Oberheide explains why DUO is so successful,

An organization’s physical perimeter used to be its four walls, but that has really dissolved with VPNs (virtual private networks). You have some people using their own devices, some using company devices, and people working in different locations. A security program in that environment looks really different—it becomes really important to protect single log-ins.

CEO Song told MLive the move is an opportunity to build on Detroit’s history of innovation,

Detroit MichiganDetroit has always moved the world, both in body and soul, through its industry and art … We are proud to help invest in the historic resurgence of Detroit, excited to learn and grow together, and committed to a success much greater than ourselves.

Duo currently sponsors events like Detroit Startup Week and Techweek Detroit. They plan to continue their tech advocacy with new programs like Tech Talks featuring local and global experts.

rb-

I like what DUO is doing in Michigan. We use their product and it works great! We have been using DUO for over 2 years now. I get very little push back from 3rd party vendors when I require them to use DUO to log in remotely.

Related article

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

 

Category: Uncategorized | Tags: , , , , , , , , , , ,
« Older Entries   Recent Entries »