Intercast Staffing – November 2022 Newsletter

Welcome to the November edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll bring you the latest news and views to make you a better-informed consultant.

In this edition:

  • Client Insights
  • The Heat Is On
  • Finance Bosses In The Dark On Security
  • Internet of Things May Get Security Boost
  • Red Tape Prompts Rethink
  • Best Of The Rest

Client Insights

Each month we ask our clients what’s on their minds and what it means for candidates. This month we’ve got a host of insights from the Global CISO Conference on the theme of cybersecurity and management:

  • Storytelling is actually the most important security skill if you want to make it to top-level management. Understanding how a security problem or solution works is not enough: you need to be able to explain it to non-experts in a relatable way.
  • Infosec leaders come from two main routes: people with business backgrounds who’ve added security skills, and technical professionals who’ve added business skills.
  • With crisis management, simple plans can be the most effective. That’s something the best cybersecurity pros already understand.


The Heat Is On

Researchers say thermal imaging cameras could reveal recently-typed passwords. While the attack has few practical implications for most users, it’s an unintentional reminder of the benefits of long passwords for consumers and employees alike.

The University of Glasgow researchers behind the “ThermoSecure” study were reportedly intrigued by the falling prices of thermal cameras and set out to explore how a cybercriminal might use them. The underlying idea is simple: fingers leave heat on the keys they press, and the most recently pressed key is the warmest.

They then trained a machine learning model – of course! – that could look at a thermal image of a keyboard, spot the likely combinations of key presses, then work out the most likely passwords (along with the likely break between username and password).

It turned out it absolutely does work, with the not-so-minor caveat that you have to somehow capture the image within a minute of the user typing the password (and before they type anything else), with the best results when the image is taken within 20 seconds. That suggests attackers would either need to snatch a device or use hidden cameras, so we’re firmly in ultra-targeted attack territory.

Still, the stats did serve as a useful example of the importance of password length. With the 20-second image, the system correctly guessed six-character passwords every time, but the success rate fell to 67 percent for 16-character passwords.

Finance Bosses In The Dark On Security

A new survey suggests chief financial officers are over-confident about their company’s cybersecurity. It could mean more work for cybersecurity professionals as and when the finance chiefs get real.

The survey from Kroll found some baffling results: 87 percent of CFOs said they were “highly confident” about their company’s protection, even though 61 percent said they’d been hit by three or more “significant” incidents in the previous 18 months.

The CFO beliefs might not be based on reality. The survey found six in 10 did not get regular cyber briefings and almost four in 10 had never had such a briefing.

As Kroll points out, not only is this false confidence a sign that executives may not be in the loop, but it could have consequences for publicly traded companies. Inadequate security, or unfounded claims about how secure a company’s data is, may not be consistent with a company’s duties to stockholders.

The good news is the CFOs suggested cybersecurity spending is on the up – and that’s even before any increased focus when they realize the real levels of risk.

Internet of Things May Get Security Boost

Lawmakers in Europe will consider proposals to give security a greater focus for the “Internet of Things.” The European Commission has proposed a Cyber Resilience Act covering connected devices. It would apply across all 27 EU member states but could have knock-on effects globally, since manufacturers selling into the EU would need to comply wherever they are based.

Under the rules, manufacturers would have to monitor and patch vulnerabilities for at least five years, or the anticipated lifespan of a device if shorter. They’d also have to “actively report exploited vulnerabilities and incidents.” Breaking the rules could mean products are banned from sale or manufacturers face substantial fines. In the most extreme case, a manufacturer could be fined up to 15 million euros or 2.5 percent of global annual turnover, whichever is higher.

The ideas will now be debated by the European Parliament, where some politicians have suggested exemptions or relaxed rules for non-commercial products and open-source software. If the plans get the thumbs up, manufacturers would have two years after the rules take effect to comply.


Red Tape Prompts Rethink

It’s a different story in India, where tough security breach reporting rules may be rethought. The deadline for compliance has already been pushed back after complaints that the rules were unworkable for both businesses and officials.

Under the rules, organizations that discover a security incident must report it to India’s Computer Emergency Response Team (CERT-In) within six hours. The problem is that the definition of a reportable incident is exceptionally broad, covering even port scanning and phishing attempts. Businesses said that not only would reporting tie up their resources, but they didn’t believe CERT-In would be able to do anything useful with the sheer volume of reports it would receive.

While the rules are now in force for large businesses, officials appear to have put off enforcement for small and medium businesses while they consider changes to the requirements.

Best Of The Rest

Here’s our round-up of some of the other stories you need to know about: