December 2022 – Recruitment is an Art
In this edition:
- Meet the Team
- Attention! Military Vets Targeted By Cyber Firms
- No Days Off For Cyber Attackers
- ‘Safe Harbor’ Could Boost Security
- The Pyramid of Pain
- Best Of The Rest
Meet the Team
For the latest in our occasional series, we fired some quick questions at Intercast account manager Jerome Turkalj:
What drew you to cybersecurity?
Initially, it was the sheer size and ever-growing landscape. After some more research, I could see this industry was only going to continue growing, and that this was a viable long-term career path.
What would surprise people about your work?
That we have no work targets, yet we have continued to double our business each year for the last 5 years due to the fact we are self-motivated and genuinely take pride in our work.
What’s the biggest tip you have for candidates that they might not think about?
Go to conferences, meet people, and learn about what is relevant in the industry today and for the future.
What are the most important qualities for a candidate beyond technical knowledge and ability?
What’s the most surprising thing a client has asked for when searching for a candidate?
Finding someone with little to no cyber experience.
Do you think of recruiting as more of a science or an art?
Definitely an art in my opinion.
What’s the one thing clients are looking for in candidates that people might not expect?
Passion for security. Someone that continues to perfect their craft outside of work.
Attention! Military Vets Targeted By Cyber Firms
The UK’s SC Media has a fascinating look at a surprising source of new talent to fill vacancies in the cyber security sector. It cites experts who say former military staff could be ideal recruits.
It seems they often bring a range of both personality traits and specific skills that make the transition easier. This includes qualities such as lateral thinking, teamwork, and being open to ongoing training, plus experience with wider concepts of security and attack vectors.
In the UK at least, they often have the added bonus of already holding particular security clearances, meaning it’s a quicker process to get them working on securing sensitive information such as government agency data.
Beyond the specifics of military staff, it’s also a thought-provoking example of the way personality traits and “soft skills” can be just as important to cyber recruitment as specific technical qualifications and experience.
No Days Off For Cyber Attackers
A survey suggests weekends and holidays are still a major weak point in cybersecurity defenses, with the importance of the human element being exposed all too often.
Cybereason surveyed 1,200 cybersecurity professionals and found four in ten companies still have dramatic reductions in security staff outside of traditional office hours. In some cases, security staff levels drop by up to 70 percent at these times.
Attackers are well aware of the pattern and it seems many deliberately target such periods for attacks such as ransomware. Their logic is that not only are they more likely to succeed with the attack itself, but they’ll have longer to exploit their breach. This can even create a domino effect by making it more likely the damage is severe enough that companies feel greater pressure to pay the ransom.
How (and whether) companies respond to this pattern remains to be seen. It could mean hiring more “out of hours” staff, or it could mean greater use of real-time monitoring and alert systems.
‘Safe Harbor’ Could Boost Security
A “bug bounty platform” is encouraging businesses to sign up for a standard policy to protect ethical hackers who discover and report bugs.
HackerOne says that while many firms have a safe harbor program, security researchers often struggle to keep track of which firms operate which policies. That can be a deterrent to ethical hacking, even when rewards are on offer for discovering security vulnerabilities.
The “Gold Standard Safe Harbor” program encourages businesses to sign up for a standard policy. They’ll display a participation badge on their sites and there’ll also be a searchable database of participants. GitLab and Yahoo are among the initial adoptees.
The program uses a “short, broad, easily-understood” statement that researchers acting in good faith should not face legal action or liability over their work. It also stresses the principle that safe harbor protection cannot be withdrawn retroactively.
The Pyramid of Pain
Writer David Tidmarsh has an interesting piece on what’s now a “golden oldie” concept of cybersecurity. Back in 2013, David J Bianco came up with the Pyramid of Pain, which organizes attack details into six layers.
Perhaps counterintuitively, the pain in this model isn’t about the victim or the damage an attacker does. Instead, it’s about information that victims and security teams can discover about an attack to help them either identify the attacker or compromise the attack.
Ranked from least to most “painful” for the attacker if exposed, the details are:
- Hash values
- IP addresses
- Domain names
- Network artifacts/host artifacts
- Tools used
- Tactics, techniques and procedures
The last of these is the most interesting proposition: the idea that spotting the way somebody carries out an attack is more likely to expose them than finding specific details about where they do it from.
Nine years is a long time in cybersecurity, so there’s some debate to be had about how relevant the ranking is today, but it’s certainly still a useful thought exercise.
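To make the ranking concrete, here is a small added example (our own illustration, not code from Tidmarsh's piece or from Bianco's original work): it sorts a constructed set of indicators into the six pyramid levels, infers the level of "atomic" indicators from their shape (hash, IP address, domain name), and reports which level a detection set reaches. The function names, the `atomic`/`artifact`/`tool`/`ttp` labels, and the sample indicators are all assumptions made for this example.

```python
"""Classify detection indicators by Pyramid of Pain level (added example)."""
import ipaddress
import re
from collections import Counter

# Bianco's six levels, least painful for the attacker first.
LEVELS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]

# MD5 / SHA-1 / SHA-256 hex digests by length.
_HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
# Dotted host name whose last label is alphabetic (so "198.51.100.23" is not a domain).
_DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def classify_atomic(value: str) -> str:
    """Infer the level of an atomic indicator from its shape: hash, ip or domain.

    Raises ValueError for anything that fits none of the three shapes.
    """
    v = value.strip()
    if _HEX_HASH.match(v):
        return "hash"
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if _DOMAIN.match(v):
        return "domain"
    raise ValueError(f"unrecognised atomic indicator: {value!r}")


def level_of(kind: str, value: str) -> str:
    """Map one (kind, value) record to a pyramid level.

    kind is 'atomic' (level inferred from the value) or one of the
    behavioural kinds 'artifact', 'tool', 'ttp', which map to themselves.
    """
    if kind == "atomic":
        return classify_atomic(value)
    if kind in ("artifact", "tool", "ttp"):
        return kind
    raise ValueError(f"unknown indicator kind: {kind!r}")


def pain_rank(level: str) -> int:
    """0 for hash values (trivial for an attacker to change) up to 5 for TTPs."""
    return LEVELS.index(level)


def coverage(indicators):
    """Count indicators per level and report the highest (most painful) level present.

    A detection set whose highest level is 'hash' or 'ip' is cheap for an
    attacker to evade; one that reaches 'tool' or 'ttp' forces real rework.
    """
    counts = Counter(level_of(kind, value) for kind, value in indicators)
    highest = max(counts, key=pain_rank) if counts else None
    return {"counts": dict(counts), "highest": highest}


# Constructed sample: a mixed detection set for one hypothetical intrusion.
SAMPLE = [
    ("atomic", "d41d8cd98f00b204e9800998ecf8427e"),  # MD5 of an empty file
    ("atomic", "198.51.100.23"),                      # RFC 5737 TEST-NET-2 address
    ("atomic", "updates.example.net"),                # reserved documentation domain
    ("artifact", "unusual User-Agent string reused across beacons"),
    ("tool", "custom loader recognised by its packer stub"),
    ("ttp", "scheduled task created for persistence after phishing"),
]

if __name__ == "__main__":
    print(coverage(SAMPLE))
```

Running the script prints one entry per level plus `"highest": "ttp"` for the sample; swap the sample for a real detection list and the same summary shows whether the coverage stops at easily rotated atomic indicators or reaches the behaviours at the top of the pyramid.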
Best Of The Rest
Here’s our round-up of some of the other stories you need to know about:
- Small business cybersecurity is reportedly the “Achilles heel” of the US economy: https://www.bbc.co.uk/news/
- Data regulator launches cybersecurity incident dashboard, but are quarterly updates really enough?: https://www.abi.org.uk/news/blog-articles/2022/11/why-the-icos-new-data-security-incidents-dashboard-matters-to-cyber-insurers/
- US government working on security quality labels for IoT gadgets: https://www.theregister.com/2022/10/20/biden_administration_iot_security_labels/
- Business data found on “wiped” used hard drives: https://todaysconveyancer.co.uk/cybersecurity-forensic-analysis-reveals-dangers-inadequate-data-disposal/
- Harvard Business Review warns CEOs that board members need to be cyber-savvy: https://hbr.org/2022/11/is-