Skip Brewer is the Computer Security Manager at the Elk Grove Unified School District, a position he took after several years in the IT industry. Given that experience, he was a little skeptical about cyber competitions when one of his teachers approached him about using a school computer lab to start a team.

“The first year I refused because I didn’t want kids on my network hacking,” Brewer said.

After seeing CyberPatriot in action, however, Brewer quickly realized that CyberPatriot was exactly the opposite of his original notion. He quickly signed on to help the district’s teams as a mentor and watched the program double in size.

Not only does Brewer serve as a coach and a mentor, but he also actively recruits other IT professionals to give back by becoming involved with cyber competitions in their areas.

Both coaches and mentors play integral roles in cyber competitions. Coaches serve as team leaders and provide both logistical and emotional support to the students. They do not need to have technical experience — that’s where mentors come in.

Mentors provide technical expertise about specific aspects of the cyber competition, such as configuring accounts or securing systems. In other words, they worry about the technical details so coaches don’t have to.

Brewer said serving as a team’s sole mentor can be a substantial time commitment and require a broader set of expertise than one person typically has.

“I’ve been encouraging coaches to find multiple mentors who might come in once a month or once every few months,” Brewer said. “No one person is going to have all the expertise you need, and it opens up the pool of candidates to those who might not be available on a weekly basis.”

Brewer recently spoke about cyber competitions at the Educational Technology Professional Association conference, where he tried to dispel the myth that cyber competitions are all about hacking. Despite the success of CyberPatriot and other programs,

“I talked to people all week who have any involvement in technology and encouraged them to reach out and assist their schools who have cyber teams or want to start them,” Brewer said. “There’s still a misconception out there about what the program is. It’s not teaching kids how to hack; it’s quite the opposite.”

Brewer is also involved with efforts to make cyber competitions a full-fledged sport at the Elk Grove Unified School District. He believes that giving esports the same recognition as traditional sports will help build enthusiasm and increase participation.

Cindy Lascola, co-coordinator of the Design and Technology Academy (DATA) at Monterey Trail High School, met Brewer 20 years ago when he began visiting her classes to talk with students about how to stay safe online. He also serves as an adviser to 11th-grade DATA students and received DATA’s Partner of the Year Award.

Brewer approached Lascola about participating in CyberPatriot, and she quickly found that it would be a good fit for DATA students who were interested in engineering, computer science, architecture, and related fields.

“Skip is a wonderful mentor, speaker, coach and inspirational leader to our students,” Lascola said. “DATA Cyber is a model program thanks to Skip’s coaching and leadership.”

Brewer is fortunate to have the support of Elk Grove’s administration, which allows him to spend one afternoon per week working with the CyberPatriot students. He puts in his own time, too, but the dedicated time during the week makes being a mentor and a coach much easier to schedule.

“I really encourage leaders in other districts to make the investment with the kids,” Brewer said. “Helping kids learn this stuff and compete is making an investment in their education and their futures.”


Originally Posted On: cyware.com

  • Twitter allowed a scammer to post a PayPal phishing scam as a promoted tweet on its social networking site.
  • The phishing page asked visitors to log in to their accounts and verify their details to win new year gifts.

On 1 January 2018, a PayPal phishing scam was posted on Twitter as a promoted tweet, targeting users’ financial data through a lucky-draw scam. The scam told users that, to be in with a chance of winning, they had to log in to their accounts and verify their details.

The phishing scam from @PayPalChristm promoted a new year sweepstakes event. While it didn’t explicitly say what the prizes were, the poster showed images of a new car and an iPhone.

Clues hinting at a scam

The phishing campaign left behind a few minor clues that gave it away as a fake:

  • The URL misspelled ‘PayPal’ as ‘PayPall’
  • The Twitter account that posted the phishing scam had less than 100 followers.
  • The image on the promoted tweet was not consistent with PayPal’s distinctive branding.
  • Clicking the phishing link redirected users to a page that did not use HTTPS or a PayPal URL. The page itself, however, looked like a legitimate PayPal site.
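The first two clues above (a near-miss brand name in the hostname, no HTTPS) can be checked mechanically before anyone clicks. The following is an added example, not code from the cyware article; the brand list, the edit-distance threshold of 2 and the naive handling of public suffixes (no co.uk support) are assumptions.

```python
from urllib.parse import urlsplit

# Brand names to protect, mapped to their real registrable domain.
# Constructed for this example; extend with your own list.
KNOWN_BRANDS = {"paypal": "paypal.com"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def host_labels(host: str) -> list:
    """'www.PayPall.com.' -> ['www', 'paypall', 'com']"""
    return [p for p in host.lower().rstrip(".").split(".") if p]

def phishing_clues(url: str) -> list:
    """Return the red flags visible in the URL alone (empty list = none found).

    Checks: plain HTTP; a registrable label that is a near-miss of a protected
    brand (paypall vs paypal); the exact brand name registered under some other
    domain; and a brand name embedded in a subdomain or hyphenated label of an
    unrelated registrable domain. Assumes a one-label public suffix (.com, .net).
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    labels = host_labels(host)
    clues = []
    if parts.scheme != "https":
        clues.append("no HTTPS")
    if len(labels) < 2:
        return clues
    registrable = labels[-2]
    owner = ".".join(labels[-2:])
    for brand, legit in KNOWN_BRANDS.items():
        if host == legit or host.endswith("." + legit):
            continue  # the brand's own domain: nothing to flag
        dist = levenshtein(registrable, brand)
        if dist == 0:
            clues.append(f"'{brand}' registered under '{owner}' instead of '{legit}'")
        elif dist <= 2:
            clues.append(f"'{registrable}' is {dist} edit(s) from '{brand}'")
        elif brand in registrable or any(brand in lab for lab in labels[:-2]):
            clues.append(f"'{brand}' embedded in unrelated domain '{owner}'")
    return clues

if __name__ == "__main__":
    for u in ("http://www.paypall.com/verify", "https://www.paypal.com/signin",
              "https://paypal.com.secure-login.example/"):
        print(u, "->", phishing_clues(u) or "no clues")
```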

Mathew Hughes, a journalist from Liverpool, England, logged in with fake credentials. Upon login, the page redirected to another legitimate-looking page that asked him to confirm payment card details such as the cardholder name, card number, expiry date, CSC number, and billing address.

This confirms that the scam was after not only PayPal account credentials but also victims’ payment card details and other sensitive information. Scams of this kind are becoming more common and increasingly use promoted tweets as part of their campaigns.

Originally Posted On: techrepublic.com

Learn why it’s critical to resolve trust issues and promote collaboration between your cybersecurity and network teams.

One might expect people on different teams of a company’s IT department to be on the same page and have a certain amount of work-related trust for each other. It seems that neither “being on the same page” nor “interdepartmental trust” are always the case.

That conclusion was part of the data culled from a BlueCat Networks-sponsored International Data Group (IDG) survey. Here are some additional results:

  • Over 65% of those responding to the survey indicated their company has experienced two or more cybersecurity events; and
  • Only 38% of the survey participants believe their organization is capable of defending against a cybersecurity event.

The survey’s report does not mince words as to why. “Business investments in network operations and cybersecurity may be shortchanged if the teams responsible for those areas aren’t collaborating,” mentions the report A House Divided: The Cost of Dysfunction between Network and Cybersecurity Teams. “The study shows eighty-six percent of organizations surveyed have suffered repercussions, including increased security breaches and data loss, due to lack of collaboration between these teams.”

As to the lack of collaboration, BlueCat Network’s Mathew Chase adds:

“Network and cybersecurity teams are often battling the wrong adversary: each other. Their strained relationship results in additional challenges and angst when they should be defending the organization as a cohesive team.”

The report’s authors suggest that lack of collaboration was responsible for the following:

  • Slow response to security events (34%)
  • Finger-pointing (33%)
  • Increase in security breaches/data loss (32%)
  • Loss of productivity (28%)
  • Service downtime (27%)
  • Inability to determine the root cause of security events (26%)
  • Increased costs (26%)

Interdepartmental dysfunction

The IDG/BlueCat report next dives into what’s working and what’s dysfunctional. The report’s authors surmise that network policy and threat analysis are typically the cybersecurity team’s responsibility, while ownership of other aspects, such as threat detection, is less concrete.

“Fifty percent of those surveyed by IDG indicated that conflicting objectives are the greatest obstacle to making that trust between teams happen,” explains the report. “Only a small percentage of survey respondents say the two teams share primary responsibility in the areas of policy enforcement, event prevention, threat detection, and event mitigation.”

The report indicates that not understanding who is responsible for what leads to the following:

  • 55% of the survey respondents believe there is a high level of mistrust between cybersecurity and network teams; and
  • 43% of network and 58% of cybersecurity professionals feel their counterparts do not understand their role.


Network visibility

The answer appears to be allowing the cybersecurity team complete access to the network. “The percentage of survey participants reporting a high level of trust between teams more than doubles at organizations providing complete visibility to cybersecurity staff,” the report mentions. “Similarly, when the cybersecurity team has complete visibility, organizations have a higher level of confidence that they are well equipped to protect the network from future cybersecurity attacks.”

Besides resolving trust issues and promoting collaboration, there are the following additional benefits:

  • Both teams have greater confidence that team members understand what’s happening on the network;
  • Each team’s activity will complement, rather than overlap or interfere with, the other team’s efforts; and
  • Respondents (55%) believe integrating the teams will allow a faster, more-efficient response to security events.

“There is a lot of eye-opening on both sides of the fence,” says Michael Harris, CEO of BlueCat. “Organizations need both visibility into critical network infrastructure and a controlled, real-time view for cybersecurity.”

DNS is also common ground

The research team from IDG and BlueCat stressed the importance of DNS as a way to improve collaboration. “When set up in a unified way, DNS represents a data source that provides shared visibility; it is also pervasive across the network, which allows it to exert control over activity,” explain the report’s authors.

Survey respondents felt improving their organization’s DNS infrastructure will help:

  • Improve network management and controls;
  • Allow DNS data-mining for threats; and
  • Increase agility as well as automation.

“DNS has always been in the hacker’s toolbox for mapping and disrupting organizations,” notes BlueCat Network’s Mathew Chase. “Organizations need to make the shift towards using DNS as skillfully as their adversaries in order to protect against and respond to threats across the enterprise.”

Note: A total of 200 qualified North-American respondents participated in the survey. Respondents were required to be employed in a network (data wired, wireless, voice, etc.) or a cybersecurity (IT/network security/cybersecurity) role at a company with 5,000 or more employees. Senior management, mid-management, and analyst level roles are equally represented. All qualified respondents are involved in the purchase and integration of cybersecurity technology.

Originally Posted On: bizjournals.com

Hack attacks are evolving all the time, but 2019 will be a breakout year for a number of new and emerging attacks.

While many businesses today still struggle with run-of-the-mill threats like phishing and unpatched software, they need to brace themselves for a wave of sophisticated hacks that will rely on new techniques to steal money and information and damage reputations.

Some of these threats, like “credential stuffing,” are already under way, as was witnessed in the recent attack on Dunkin’ Donuts’ DD Perks rewards program. Others, like “soundloggers,” are still in the early stages but will become more widespread in the coming months and years.

Here are six new cyber threats businesses need to watch out for.

1) Digital card skimmers

Alternatively known as “formgrabbing” or “formjacking,” this is a scripting attack that targets online transactions. The digital card skimmer steals the customer’s payment and personal information right out of the online shopping cart (or checkout form) before the order has even been submitted.

Small-business and retailer websites may be compromised directly or through a third-party service or plug-in, as was the case with Shopper Approved, a widely-used rating service.

These attacks are highly profitable and will increase significantly next year.

2) Brand extortion

Cyber extortion has been gaining ground for years, first with DDoS (distributed denial-of-service) attacks, then with ransomware, and more recently with elaborate sextortion scams. But the newest version of extortion-based attacks uses fake online accounts, from Yelp to Twitter, to threaten the reputation of a company or brand.

Imagine hundreds of negative online reviews, tweets and Facebook posts rolling out continually for days, weeks or months, all of them aimed at your company. Hackers are able to mass-produce this type of “review bombing,” or negative campaign, with the use of bots and other automated tools. This is what recently happened to CheapAir, when a group called STD Company threatened to destroy its reputation unless it was paid off.

Businesses’ online reputations are vulnerable to these attacks, and more companies will find themselves targeted next year.

3) Credential stuffing

The past seven years have seen an unprecedented wave of large-scale corporate data breaches, from the 2013 Target hack to the recent Marriott disaster. These breaches have filled the dark web with an enormous cache of stolen usernames and passwords — and it is setting the stage for a new kind of password attack known as “credential stuffing.”

Instead of trying to “crack,” or guess, the password through brute-forcing, credential stuffing uses a database of real usernames and passwords (taken from prior data breaches), which are then tested en masse against many other websites and online services until a match is found.

Since most people reuse their logins and passwords across multiple accounts, including their work email, these attacks are extremely risky for businesses. Credential stuffing was recently used on Dunkin’ Donuts and HSBC, and it will become even more prevalent next year.
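The signature of credential stuffing described above is breadth rather than depth: many distinct usernames tried once or twice each from one source, as opposed to one account hammered repeatedly. The following detector over authentication logs is an added example, not code from the article; the log format, the sample lines, the 5-minute window and the threshold of 4 distinct usernames are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real logs: "<ISO timestamp> <source IP> <username> <result>".
# 203.0.113.7 tries six different accounts in a few seconds (stuffing pattern);
# 198.51.100.9 retries one account (ordinary failed logins / brute force).
SAMPLE_LOG = """\
2018-11-30T08:00:01 203.0.113.7 alice FAIL
2018-11-30T08:00:02 203.0.113.7 bob FAIL
2018-11-30T08:00:02 203.0.113.7 carol FAIL
2018-11-30T08:00:03 203.0.113.7 dave FAIL
2018-11-30T08:00:04 203.0.113.7 erin OK
2018-11-30T08:00:05 203.0.113.7 frank FAIL
2018-11-30T08:01:00 198.51.100.9 alice FAIL
2018-11-30T08:01:30 198.51.100.9 alice FAIL
2018-11-30T08:02:00 198.51.100.9 alice OK
"""

def parse_auth_log(text):
    """Return (timestamp, ip, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Flag source IPs that attempt at least `min_users` distinct usernames within `window`.

    Returns {ip: {"distinct_users": n, "successes": [users that logged in OK]}},
    using the busiest window seen for each IP. The "successes" list is the
    triage priority: those accounts were reached with a reused password.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                      # slide the window forward
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            best = alerts.get(ip, {}).get("distinct_users", 0)
            if len(users) >= min_users and len(users) > best:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "successes": sorted({e[2] for e in span if e[3] == "OK"}),
                }
    return alerts

if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, info)
```

A real deployment would key on more than the source IP (stuffing tools rotate through proxies), for instance by also grouping on user-agent or ASN.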

4) Sophisticated mobile attacks

Smartphones are an increasingly valuable target for hackers as more people switch to mobile banking and mobile-based two-factor authentication, and as mobile phones evolve into the remote controls of our daily connected lives.

SMS phishing attacks will grow more intense next year (like the new “cardless ATM” scam) since these are an easy way to steal credentials via phone. Hackers will combine other tricks, like combosquatting and typosquatting, to make it harder for users to spot malicious links sent via text. But other attacks, like fake apps, will continue to pick up as well, and of particular concern here is the “overlay attack,” which can be highly effective at stealing mobile banking credentials.

5) Sound-based attacks

The rise of virtual assistants and voice biometrics is creating new opportunities for hackers.

As the voice is increasingly used to authenticate financial accounts and other services, in addition to controlling devices like mobile phones and smart speakers, hackers will be more aggressive at trying to use sound-focused attacks to hit their targets.

These attacks will range from voiceprint identity theft to subliminal malware that commandeers virtual assistants and “soundloggers” which can figure out a password by the sounds a person makes when typing it on the keyboard.

6) Smart malware

It’s hard enough for the average small business to prevent an attack from off-the-shelf malware like Zeus and DarkComet, but just wait until malware starts to think for itself.

New technologies like machine learning and artificial intelligence are dramatically enhancing the range and destructive power of future malware attacks. Don’t expect to see Terminator-style killer viruses, but instead viruses that are able to mutate themselves to adapt to different environments, hunt down specific employees in a network and avoid detection by hiding in legitimate computer programs or tweaking their “signatures.”

Open source AI models already exist which hackers can use to do this. Attackers also have access to “malware-as-a-service” and malware “kit” offerings online which can aid in these attacks. To demonstrate just how real this risk is, IBM recently unveiled an AI-malware prototype called DeepLocker, which is based on these publicly available tools.

Security advice

Since attackers will become more advanced in the coming year, it is critical for SMBs to focus just as much on post-breach damage control as they do on prevention.

To limit the damage of an eventual breach, SMBs need to practice employee “access control” religiously, segment the network, back up crucial data and have an emergency contact sheet ready so you know exactly who to call when the worst happens. For businesses with a lot of financial or customer data exposure, a cyber insurance policy is also a must.

Prevention should include robust anti-malware and firewalls, a strong password policy, two-factor authentication, “whitelisting” emails for key executives like the CFO and passing the buck for customer passwords and payment information to more secure third-party services.

Jason Glassberg is co-founder of Casaba Security (www.casaba.com), a cybersecurity and ethical hacking firm that advises businesses ranging from startups to Fortune 100s. He is a former cybersecurity executive for Ernst & Young and Lehman Brothers.

Originally Posted On: forbes.com

How many times have you endured a dry-as-dust PowerPoint presentation or clicked through a tired e-learning course only to realize, despite hours of ‘teaching,’ you remember virtually nothing? It’s easy to blame yourself when this happens; you may feel guilty or even harbor doubts about your ability to retain knowledge. Don’t. There’s a good chance that the material simply wasn’t practical, engaging or relevant enough – flaws magnified when you are spoken at, instead of with, in a stale classroom environment.

I am not suggesting school-style learning should be outlawed, as it certainly has its merits. But some subjects, particularly those with a large technical element, demand a more innovative approach. Without doubt, cybersecurity falls into this category – something I first observed while delivering GCHQ’s Cyber Summer School. It was evident that people enjoyed completing practical exercises requiring analytical thinking and problem solving. It was also clear that when people had fun, they learned more.

And increased cyber learning is something every workforce can benefit from. Security is no longer handled by a select few while others do as they digitally please; it is the responsibility of everyone in an organization. In fact, every employee should have some degree of cyber training, and this is something that kept me thinking during those summer months with GCHQ. To transform a workforce, you first must engage it – and when it comes to cybersecurity, there’s no better way to do this than gamification.

Despite its name, gamification is not strictly about games. It is the act of taking something already in existence – a website or application, for instance – and increasing engagement using game mechanics, such as reward and competition. It works because those mechanics are addictive and yield excellent results in a learning environment. Typical gamified exercises such as capture-the-flags and hackathons also double up as great team-building activities owing to their social nature. A recent study by McAfee found 96% of organizations that hold such events report tangible benefits. They can even help in the search for hidden talent, with many self-taught or uncertified participants using such exercises to prove their worth.

Several elements make gamified solutions effective, not least social features that encourage competition in a lightweight manner, such as a leaderboard. Humans are also known to crave the simplicity exhibited in games like Bejeweled. As outlined by Erin Hoffman on Gamasutra, Bejeweled’s addictive elements are simple: the game is easy to understand and access, it presents a clear problem with a clear solution, and the results of actions create consequences with intermittent reward. Simple design techniques, including the use of specific shapes and colors, can also keep us coming back for more. (You like those little red badges on your iPhone, right?)

So, game mechanics obviously compel people to act. And when that action is improving the way we learn, such mechanics are a force for good. Learners who are satisfied by their education, who understand their work and gain a sense of accomplishment from it, will of course perform better.

Making experiences more engaging this way is not a new concept. In 2012, US pharmacy Omnicare introduced gamification to its IT service desk and achieved a 100% participation rate. That same year, American software corporation Autodesk used it to raise its trial usage by 40%. This year, TalentLMS’s Gamification at Work survey found 85% of employees would spend more time on software that was gamified, while 87% agreed gamification made them more productive. Clearly, it works.

Applying gamification to cyber training is a no-brainer – especially when considering it can be largely automated. Training in anything must occur often to be effective, and nowhere is this truer than in cyber, where learning must be consistent to combat constantly evolving threats. Using automated, gamified solutions, employees can upskill on their own terms, without need for disruption to company operations. This doesn’t only save time and money; it also allows for greater training frequency and, in turn, greater learning. And with 77% of senior security managers agreeing their organization would be safer if it used gamification more, it is surely time for more businesses to take heed.

I’m the CEO and founder of Immersive Labs. As an ex-GCHQ trainer, I’m on a mission to help global organisations address the shortage in cyber security skills from receptionist to CEO through enterprising solutions such as the Immersive Labs platform. Through my work…