Intercast May 2024 – What Makes a Great Cyber Consultant
Welcome to the May 2024 edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll bring you the latest news and views to bring you up to speed.
In This Issue:
- Client Insight: Understanding Is Key
- RSA Conference Highlights
- Giving Up Google
- “Poutine” Scanner Gets Beyond The Mess
- Tiktok Security Debate Rages On
- Best of The Rest
Client Insight: To Be a Great Cyber Consultant, Go the Extra Mile to Figure Out Your Client
Interested in becoming a top-level cybersecurity contractor? Here are some simple tips to keep in mind:
- Ask yourself, “Do I have a willingness to learn the nuances of the org?” A contractor is regularly jumping into new engagements, often at different stages of a project and with different management styles to report into. The most important job is to learn the new environment, and how to navigate it, as soon as possible. Without understanding the dynamic, your technical skills will not be fully utilized.
- Relationship Building – A consultant needs to create meaningful relationships with co-workers very early in their contract tenure. If people in the organization don’t know you or respect you, they will not be quick to provide you with the information you need to get your project(s) completed. Knowing how to get what you need / want is crucial to your success!
- Be Flexible. Your job as a contractor is to make others’ lives easier. Often, the scope of the role isn’t entirely presented during the interview, and you need to be prepared to say yes to new tasks that arise. If you can do this, you will enjoy a much longer tenure.
- Make lives easier. Your job as a consultant is to proactively provide solutions. The more you make others’ lives easier, the longer you will stay around!
Remember, being the technical SME is half the battle. Being the Technical + Organizational SME is what makes you invaluable.
RSA Highlights
The annual RSA Conference in San Francisco earlier this month had the usual flurry of businesses announcing new products and services. Security Week did a great job summarizing each day’s highlights, including announcements from Cisco, Checkmarx and CrowdStrike.
Giving Up Google
The Verge’s David Nield recently wrote a piece on how to delete everything (or at least everything possible) that Google knows about you.
Nield’s piece is helpful and straightforward, with some useful tips about balancing personalization with privacy and security.
“Poutine” Scanner Gets Beyond The Mess
A new security scanner for open source has a name that certainly attracted our attention. “Poutine” was named by Montreal-based Boost Security after the local dish of fries, curds and gravy. The logic is that the dish is a glorious mess, just like many complex open source projects.
The poutine scanner is designed to “detect misconfigurations and vulnerabilities in Build Pipelines” for open source projects, such as GitHub repositories. It also creates a record of build-time dependencies, the idea being to make it easier to track the potential effects of vulnerabilities as and when they become known.
The developers say current lists of known vulnerable components in build-time dependencies are suspiciously short, so their project should help uncover more zero-day vulnerabilities.
TikTok Security Debate Rages On
TikTok is to challenge a US law effectively banning it from operating in the country unless it comes under US ownership. The constitutional challenge may help determine just how far the government’s powers to maintain cybersecurity really go.
The law means TikTok has until January 19th to either sell to a new owner or be banned from both app stores and “internet hosting services” in the US. Supporters argued it was vital to protect the US from the privacy and security risks of the popular app being owned by China-based ByteDance – and the potential reach of the Chinese government.
Almost inevitably, TikTok has challenged the law on constitutional grounds. They say it breaches the First Amendment by restricting communication among users.
Although the bill gives the US President the power to extend the deadline by 90 days, TikTok insists there’s no prospect of selling the business in time and thus the law is effectively a ban of a single business.
Best of The Rest
Here’s our round-up of what else you need to know:
- LastPass hit by sophisticated phishing scam: https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-lastpass-staff-to-hack-password-vaults/
- Russia and Ukraine top Cybercrime Index: https://www.infosecurity-magazine.com/news/russia-ukraine-world-cybercrime/
- Romance scams get scary with real-time deepfakes: https://www.wired.com/story/yahoo-boys-real-time-deepfake-scams/
- Ransomware attacks on healthcare giants could change competition law: https://www.wsj.com/articles/lawmakers-address-cyber-risks-in-wake-of-change-healthcare-hack-15c5818e