September 2023 – Cybersecurity Fresher

Welcome to the September edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll bring you the latest news and views to bring you up to speed.

  • Client Insight: Getting Into Cyber Without A Tech Background
  • Current Openings + Recent Hiring Projects Supported
  • Upcoming Cyber Events
  • Money Talks: Exec Pay Linked To Cybersecurity
  • Hackers Target Security Researchers
  • Chrome To Alert Users To Risky Extensions
  • Remote Desktop Protocol A Major Target

Client Insight:

Each month we ask our clients what’s on their mind to find out more about what’s important in the industry. This month, we’ve spoken to several people who’ve all been asked the same question: “How do I get into cyber with no experience?” Here’s our three-step suggestion for a response that will engage rather than deter the cybersecurity pros of tomorrow:

  • Figure out specifically which areas of cyber security interest and appeal to you. The NICE Framework is a great starting point: Using the NICE Framework
  • Find cyber bootcamps from trusted members of your network. The choice can be overwhelming so personal recommendations count for a lot.
  • Don’t assume that having a technical background is a must-have to enter the field. Consider the many non-technical roles including Training + Awareness, Incident Communications, Business Analyst, Data Scientist, etc.
  • HUSTLE. If you are lacking in the experience department you should be compensating by networking, applying and emailing hiring managers and agencies directly!


Money Talks: Exec Pay Linked To Cybersecurity

Leading businesses have found the simplest approach may work to make chief executives take cybersecurity seriously. The Wall Street Journal reports that nine Fortune 100 companies now use cybersecurity metrics when deciding executive officer bonuses. Just five years ago no Fortune 100 company did so.

Advocates of the strategy say it ensures buy-in at the very top for security measures compared with simply treating it as a tech department issue. It’s also a way to acknowledge the financial damage that a major breach causes, a figure that naturally doesn’t show up in the books when cybersecurity works as planned.

Companies have historically found that taking the opposite approach, financially punishing executives after a costly breach, doesn’t have much long-term effect. The main drawback to cybersecurity-linked bonuses seems to be figuring out which metrics make sense, particularly putting realistic limits on what a CEO can and can’t do to alter risks.


Hackers Target Security Researchers

We often think of cybersecurity firms as protecting potential victims, but such companies are increasingly becoming targets themselves. Robert Lee of Dragos is among those telling the Financial Times that hackers have gone after them to deter their efforts.

It’s not just a case of trying to breach a security company’s networks: some attacks have been more personal. They include sending funeral flowers as a warning, mailing drugs to home addresses to create legal headaches, and even phoning in false reports of armed home invasion so that SWAT teams raid the victim’s home.

One source notes the creative attacks are likely the work of younger criminals
who aren’t working on behalf of intelligence agencies or military groups that prefer more disciplined and traditional cyberattacks. Although the victims don’t appear to be deterred by the tactics, some say they’ve made a deliberate choice to concentrate on producing technical reports about breaches rather than focusing on individual hackers

Chrome To Alert Users To Risky Extensions

Chrome’s dominant user base makes it a prime target for cyberattacks, with third-party extensions adding an extra layer of risk. Google says the browser will now explicitly warn users of potentially dangerous extensions.

The warnings will appear in three situations:

  • The developer has unpublished the extension.
  • Google has removed the extension from the Chrome Web Store for a
    policy violation.
  • The extension has been labelled as malware.

However, the warnings won’t necessarily appear as soon as one of the criteria is triggered. Instead, developers will get a grace period where appropriate to fix any problems. Users can choose to do nothing and keep the extension in place. If they do remove it, they won’t be able to reinstall it if it’s no longer in the Chrome Web Store. It’s much the same approach as Google takes to Android where apps remain on devices even after it’s banned them from the Play Store. It’s a difficult balancing act between user freedom and security and one where Google takes a very different approach to Apple.

Remote Desktop Protocol A Major Target

Sophos claims Remote Desktop Protocol was involved in 95% of cyberattacks in the first half of this year, up from 77% in the same period last year. However, RDP is arguably more of a tool than a weapon. Attackers used RDP solely to gain external access in one percent of cases, while 77 percent of the time they used it for “internal access and lateral movement” after already breaching a network.

In 16 percent of cases they used it for both external and internal access. That’s still too high for Sophos, which concluded that “the very presence of an RDP port open to the internet at large is simply bad risk management, and no amount of system hardening will mitigate it.” Sophos’s “Active Adversary Report”  also found that compromised credentials have overtaken vulnerability exploits as the leading key factor in attacks. It noted that it’s worsened by businesses not using multi factor authentication.

Best of the rest

Here’s our round-up of some of the other stories you need to know about: