Author Archives: Hailey Carlson

The 2016 Presidential Candidates & Their Views on Cybersecurity

No matter which side you might fall on, we all can agree that this has been by far one of the most interesting political seasons to say the least.

As chaotic and controversial as this election has been, though, it is finally winding down: next Tuesday, November 8th, we will find out who will be our next President of the United States. This election is one of the most important yet and it will surely go down in history as one that has been the basis for many discussions and disputes in the homes of Americans. Among the many issues discussed, cybersecurity has been a major talking point at many of this year’s debates and campaign rallies. Millennials have even weighed in saying that a candidate’s position on cybersecurity is an important issue to them.

Being a technology-related topic, this is one of the newer issues that candidates must weigh in on that has not been involved in many previous elections. Because of this, many people may have questions surrounding this topic. To help answer some of these questions, below is more information on each of the candidates’ views on cybersecurity as well as their plans of attack, should they be elected.

Hillary Clinton

Former Secretary of State and 2016 Democratic Presidential candidate, Hillary Rodham Clinton, encompasses her cybersecurity plan under her broader national security goals. Clinton focuses her plan on combating what she claims to be foreign threats from countries including China and Russia, though she recognizes that there are domestic threats as well. She sees that cybersecurity will be of great importance if she were to be elected, saying, “[Cybersecurity is] one of the most important challenges the next president is going to face…” Clinton promises to stay ahead of cyber-threats, saying, “Our country will outpace this rapidly changing threat, maintain strong protections against unwarranted government or corporate surveillance, and ensure American companies are the most competitive in the world.” Clinton has outlined a few preliminary steps that would be crucial to her cybersecurity plans, and consequently, her overall national security plan as well:

 

  1. Promote cybersecurity by building upon the U.S. Cybersecurity National Action Plan and upgrading government-wide cybersecurity.
  2. Safeguard the free flow of information across borders to find alignment in national data privacy laws and protect data flows between countries.
  3. Protect online privacy and security through bringing together cybersecurity and public safety communities to work together on solutions that address law enforcement needs while preserving individual privacy and security.

 

Donald Trump

Well-known businessman and former television producer/host turned politician, Donald J. Trump, is the 2016 Republican Presidential nominee. Similar to his Democratic rival, he believes that the threat of cybersecurity is not only real, but needs to be dealt with swiftly and with extreme precision. His overall view on the issue is well summarized when he says, “The scope of our cybersecurity problem is enormous. Our government, our businesses, our trade secrets and our citizens’ most sensitive information are all facing constant cyber-attacks.” During a campaign event in early October, Trump said that if he did become President, “…improving cybersecurity will be an immediate and top priority for my administration.” Though the candidates both agree that cybersecurity is a major threat, like most things, Donald Trump has a different view on how to handle it than Hillary Clinton:

 

  1. Order an immediate review of all U.S. cyber defenses and vulnerabilities by a Cyber Review Team of individuals from the military, law enforcement, and the private sector and have this Review Team provide specific recommendations for safeguarding different entities with the best defense technologies tailored to the likely threats.
  2. Establish detailed protocols and mandatory cyber awareness training for all government employees while remaining current on various cyber-attacks.
  3. Instruct the U.S. Department of Justice to create Joint Task Forces throughout the U.S. to coordinate Federal, State, and local law enforcement responses to cyber threats.
  4. Develop the offensive cyber capabilities needed to deter attacks by state and non-state actors and, if necessary, to respond appropriately to attack.

Third-Party Candidates

The third party candidates also competing to become POTUS this year include Libertarian candidate, Gary Johnson, and Green party candidate, Jill Stein. Though the two have not participated in the televised Presidential debates, they each have a stance on cybersecurity. Johnson claims that he would have as little federal government control on the Internet as possible, having “criticized the Patriot Act and cybersecurity legislation for allowing the government access into the lives of private citizens.” Jill Stein says that were she elected, she would plan to negotiate an international treaty banning cyberwarfare with the nation’s overall security in mind.

Go Vote!

Regardless of your stance in this political race, make sure that you exercise your right to vote! No matter which issues matter most to you, Americans throughout history have fought for us all to have the freedom to participate in this political process, and it is extremely important for each individual to go out and vote in this election in order to have his or her voice heard!

As Franklin D. Roosevelt once said, “Nobody will ever deprive the American people of the right to vote except the American people themselves and the only way they could do this is by not voting.”

 

Hailey R. Carlson | Axiom Cyber Solutions | 11/03/2016

The Internet of Things Security: Hacking Healthcare

One of the greatest technological achievements to date by far is the creation of the Internet. Not only did its emergence shake the entire world, effectively changing almost every aspect of our lives, but it has connected us all not only as a nation, but as a globe. Starting out with computers the size of walls and evolving to the laptops and smartphones of today, the Internet has become involved in more things than most had ever imagined. The most recent and rapidly-expanding Internet-related development is what is known as the Internet of Things.

The Internet of Things (IoT) is a term coined in 1999 by Kevin Ashton, executive director of the Auto-ID Center, that is used today to describe the network of physical devices which are embedded with technology that enables them to collect and exchange data via the Internet. Devices connected through IoT are commonly referred to as “smart devices” or “connected devices,” and they include a wide range of items, from baby monitors to cars to kitchen appliances and even light bulbs. Anything connected to the Internet falls under this broad category of the Internet of Things, so it is safe to say that IoT affects more areas of our lives than we may have once thought.

While it is an incredible feat that so many different and unique things are now connected via the Internet, IoT can also be an incredibly dangerous thing.

IoT Vulnerabilities, Real World Threats

As we have come to know all too well, when it comes to the Internet, anything that can be hacked, will be hacked. And while it may be an inconvenience to have your favorite social media site shut down because of a cyber-attack, or a major setback for a company’s image if they experience a data breach caused by phishing, IoT threats are different because they can have real-life, physical repercussions–a far greater and more lethal risk than any other cyber-threat.

Last year, hackers were able to remotely hack into a Jeep Cherokee’s Wi-Fi-enabled entertainment system, giving them access to the entire car–including its dashboard functions, brakes, and the car’s transmission. From across the country, these hackers were able to play with the car’s various features including the air conditioning and sound systems, and then suddenly, these hackers were able to cut the car’s transmission as it was going 70 mph down a major highway. While these ‘hackers’ were actually just researchers, Charlie Miller and Chris Valasek, testing their car-hacking research on a well-aware driver, the thought that in a similar situation, the Internet of Things could possibly be used by malicious actors to hurt or even kill a driver or other unsuspecting victims is terrifying to say the least.

IoT threats in the Healthcare Industry

Car hacking is not the only real-world, physical threat driven by IoT, as the healthcare industry has found a few IoT-related vulnerabilities of its own.

As more and more modern medical devices are being developed, they are adding to the collection of connected devices encompassed by IoT; however, many healthcare professionals have found that with these more advanced devices come more advanced cyber-threats as well.

One of the most recent and notable of these is the threat to Johnson & Johnson’s Animas One Touch Ping insulin pump. This insulin pump is special in that it is equipped with a remote control so that users do not need to remove their clothing to give themselves a dose of insulin. The problem with this is that the wireless connection between the remote and the pump is unencrypted, and consequently, highly vulnerable. Because of this, the pump can be hacked within a 25-foot radius of the user, and with the right radio equipment, a hacker can take control of the pump and trigger unauthorized insulin injections.

Not only does this threaten a specific device, but in some cases, it gives hackers access to the entire hospital’s system. Similar to the car hacking instance, this not only poses immediate cyber-threats, but it could have deadly repercussions, as different diabetes patients need varying levels of insulin at different times. A malicious person could hack into these insecure devices and literally kill someone, so it is time that the healthcare industry started taking medical device IoT security more seriously.

IoT Security Tips for Healthcare

The IoT threats detailed above were caused primarily through security issues. The issue? There were no security defenses put in place to protect against any sort of attack. This is a serious problem and though it will take further research to make IoT security air-tight, a few tips to help enhance healthcare security for IoT medical devices include:

  • Conducting a secure boot–A secure boot is making sure that when a device is turned on, none of its configurations have been modified. This step helps to ensure that no tampering took place while the device was not in use.
  • Utilizing encryption–As we saw with the Johnson & Johnson insulin pump, a lack of encryption left patients’ lives literally in the hands of hackers. Encryption is an essential step that makes it that much harder for cyber-criminals to attack.
  • Implement authentication for devices–If authentication is used, device access is limited and device-to-device communication undergoes intense scrutiny. This makes it more difficult for a security flaw to go unnoticed.
  • Educate patients and staff–Though it affects such a huge portion of our lives, 87% of people have not even heard the term ‘Internet of Things.’ Education is really the greatest tool we have in our arsenal, so it is important to inform patients and staff of the very real risks of IoT security.
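
The device-authentication tip above, sketched as an added example (not part of the original post and not any vendor's actual protocol): a receiving device accepts a dose command only if it carries a valid HMAC from a paired remote and a counter it has not seen before. The frame layout, key, opcode and dose limit are all constructed assumptions.

```python
import hashlib
import hmac
import struct

# Frame layout (constructed for this example): opcode (1 byte),
# message counter (4 bytes), dose in hundredths of a unit (2 bytes).
HEADER = struct.Struct(">BIH")
TAG_LEN = 16       # HMAC-SHA256 tag truncated to 16 bytes
OP_BOLUS = 0x01    # hypothetical "deliver dose" opcode
MAX_DOSE = 1000    # hypothetical per-command safety limit (10.00 units)

# Constructed pairing key; a real device would provision a random key
# per remote/device pair and store it in protected memory.
DEMO_KEY = bytes(range(32))


def make_tag(key: bytes, body: bytes) -> bytes:
    """Authentication tag over the whole command body."""
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Remote:
    """Sender side: numbers and authenticates every command."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def build_frame(self, opcode: int, dose: int) -> bytes:
        self.counter += 1
        body = HEADER.pack(opcode, self.counter, dose)
        return body + make_tag(self.key, body)


class Pump:
    """Receiver side: verifies before acting on anything in the frame."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.delivered = []

    def receive(self, frame: bytes) -> str:
        if len(frame) != HEADER.size + TAG_LEN:
            return "rejected: bad length"
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        # Constant-time comparison; the fields are not parsed until
        # the tag has been verified.
        if not hmac.compare_digest(tag, make_tag(self.key, body)):
            return "rejected: bad tag"
        opcode, counter, dose = HEADER.unpack(body)
        # A captured frame is authentic but old: the counter catches it.
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        if opcode != OP_BOLUS:
            return "rejected: unknown opcode"
        if dose > MAX_DOSE:
            return "rejected: dose over limit"
        self.delivered.append(dose)
        return "accepted"


def run_demo() -> list:
    """Feed the pump a genuine frame, a replay, and an unauthenticated one."""
    remote, pump = Remote(DEMO_KEY), Pump(DEMO_KEY)
    genuine = remote.build_frame(OP_BOLUS, 150)
    unauthenticated = HEADER.pack(OP_BOLUS, 99, 900) + bytes(TAG_LEN)
    return [
        pump.receive(genuine),
        pump.receive(genuine),          # same bytes sent a second time
        pump.receive(unauthenticated),  # no knowledge of the key
    ]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The tag only authenticates the command; keeping the contents confidential, as the encryption tip asks, would additionally require an authenticated cipher, which is not shown here.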

Security threats such as these make the Internet of Things seem like a terrible thing, but this advancement in technology is an excellent way to keep us all connected through items we would have never thought possible. Though this may be the case, it is important for these devices to be well-secured so that we can truly enjoy our connectivity.

Hailey R. Carlson | Axiom Cyber Solutions | 10/28/2016

Password Security: The Most Basic and Essential Cybersecurity Defense

National Cyber Security Awareness Month (NCSAM) is being recognized for the thirteenth year in a row this October, and with this anniversary comes the reminder that enhanced cybersecurity defenses are necessary for everyone from large, multinational corporations all the way down to families and individuals. The overall theme of the month is that cybersecurity is our shared responsibility, meaning that it is not just the duty of IT professionals or CEOs to be cyber aware, but it is all of our collective obligation to act as a cohesive unit in the fight against cyber crime.

Many people become overwhelmed with the amount of information they are supposed to remember surrounding cybersecurity–“don’t click on this type of link,” “watch out for this sign of malware,” and so many more–but these issues cannot even begin to be addressed until we refine the most basic and essential cybersecurity measure of them all: strong password security. 

At this point in our technological age, everyone is well aware of passwords being of significant importance when it comes to safety and security on the Internet; though most may agree with this sentiment in theory, many are not implementing this idea in practice, despite being well-aware of the consequences.

The Myspace data breach from earlier this year left 360 million accounts’ passwords exposed on the Internet. Despite this massive amount of personal information now out there in the open, many people did not feel the same way about this breach as they might a breach of another website, primarily due to the fact that they had not visited the site since the prominence of Facebook and Twitter came about. Though many people may not have accessed that site in quite some time, some still use their Myspace password or one similar to it as passwords for other websites. Consequently, these dormant accounts with poorly secured passwords have left people vulnerable to a plethora of other attacks. Password security is an area of cybersecurity that needs to be taken much more seriously in order to avoid these types of threats.

Secure Password Tips

The average person today has a whopping 22 passwords just for their professional data, and that does not even include their personal information like social media and private email accounts. ‘Password hygiene’ is the active implementation of password security best practices and some tips to keep your password hygiene squeaky clean include:

  • Do not use the same password for different accounts–Three-quarters of consumers use ‘repeat passwords’ across multiple platforms. When they do this, if one account is compromised, they leave all other accounts protected by the same password exposed to further attack.
  • Change your passwords often–By leaving passwords stagnant rather than changing them regularly, it is that much easier for hackers and other cyber criminals to guess your password and give them access to your personal information. Forty-seven percent of people are securing their financial accounts online with passwords that have not been changed in five years, and this is extremely dangerous. In addition to changing your own passwords often for both professional and personal accounts, it is important for employers to avoid using default passwords when setting up accounts for new employees. Default passwords give criminals an open, unsecured door into your entire enterprise.
  • Never give out your password to anyone–When you share your password with even one other person, you are exposing your accounts that much further to cyber criminals. By being solely responsible for your own data, you can contribute to the NCSAM philosophy of security being our shared responsibility by being personally accountable for your own data.
  • Do not use easy to guess words or phrases in your password–Though you may sincerely love your dog or favorite band, it is important to be aware of what information people know about you that they can use to guess your password. Though you should not blatantly use ‘dictionary words,’ this idea can be a good jumping off point for coming up with more complex passwords. One way to do this is by being liberal about character substitutions, such as replacing “o” with “0,” “e” with “3,” or “i” with “!.”
  • When possible, utilize sites’ multi-factor authentication–Most websites now use two-factor authentication where there is not only a password used to protect your account, but also a one time code you enter in to verify your identity. This simple step takes a few minutes at most and can make a huge difference in your personal cybersecurity defense.
  • Use a password manager to make remembering passwords simple–A big complaint by most of us is that there are just so many passwords to remember across the different areas of our lives, and it can be very difficult to remember all of these when they are also meant to be intricate and hard for hackers to guess. One way to ease this burden is by utilizing a password manager. A password manager is generally a free database that you can download to your computer (often coupled with a smartphone application option) where you can store all of your passwords. When this is used, you only have to remember one complex password rather than your entire catalog of password information.

One of the biggest fallacies people believe surrounding cyber crime is “It won’t happen to me,” when in reality, it is likely that this will not be the case. A major philosophy of many cyber experts is that it is not a matter of if we will all be attacked online, but when. While this is a rather daunting thought, there are ways which we can lessen these chances, the most basic of which being securing our passwords. By coming together and taking this small step, we can be more accountable for our presence online as a whole, sharing the struggle of cybersecurity as our shared responsibility.

Hailey R. Carlson | Axiom Cyber Solutions | 10/21/2016

Cybersecurity Fatigue: Overwhelmed by Online Security Issues

No matter what side of the political fence you fall on, you are probably exhausted by now with the constant 24-hour a day news cycle bombarding us all with ads for politicians on both the local and national scale. While this is a fairly common occurrence, as we experience this feeling every few years, many people are feeling a similar weariness which has not been seen before when it comes to cybersecurity.

A new study published by the National Institute of Standards and Technology in partnership with the Institute of Electrical and Electronics Engineers has found that over 94% of people between the ages of 20 to 60 years old feel “overwhelmed and bombarded, and tired of being on constant alert, adopting safe behavior, and trying to understand the nuances of online security issues.” This exhaustion leads to many people flat out ignoring security warnings, while others tend to grow worn out by security updates and the ever-expanding grocery list of passwords which they must remember. These experiences of high levels of fatigue coupled with many of the respondents’ claims of not knowing anyone who has been attacked and being skeptical of an attack on themselves as well, leads to people throwing security and safety measures out the window, putting themselves and the companies they work for in danger of attack.

What websites can do to ease security fatigue

While many times it is recommended that users do something to combat security issues and cyber-crimes, this is exactly what is leading to their fatigue. Because of this, the study says websites and online services needed to do a better job of coordinating how they approach security to lighten the load on users. A few ways which they can achieve this are by:

  1. Limiting the number of security decisions users need to make
  2. Making it simple for users to choose the right security action
  3. Designing for consistent decision making whenever possible

These are some of the best ways we can combat security fatigue at the source, but one of the biggest issues raised from the study not resolved by these steps is that of password security.

Password security fatigue, solved

Many people in the study claimed that not only having to have different, intricate, and long passwords for each site was stressful, but trying to remember them all actually made them simply resort to the poor practice of using the same one for all sites. The average number of passwords per person today is 22 compared to just one not that many years ago, so it is easy to see how people can get overwhelmed when it comes to password security. The study says that you are not supposed to remember all of your passwords, however, rather you should use a computer password manager which can store everything for you and even generate new, complex passwords, saving you even more time. With this, you only need to remember one password and then you have access to all others. KeePass is just one of the many password managers out there that is free, easy-to-install, and gets the job done. By simplifying password security, we can ease the stress put on ourselves by security fatigue.

What companies can do to ease security fatigue

In addition to websites and users, companies have a significant role when it comes to easing user security fatigue. There will continuously be a new variant of ransomware, a more intricate phishing scam, or some other threat posed to companies and their employees. With all of these threats imposing themselves on employees constantly, companies need to have clear, specific guidelines to show users what to do in the event they become exhausted by implementing cybersecurity best practices. By clearly going over what to do in various situations with set ‘plans of attack’, companies can prepare their employees by instilling good cybersecurity habits in them. “If safe behavior becomes habitual, then when we feel swamped by the craziness of the online world we will at least fall back into habits that have been designed to protect us, rather than put us at greater risk,” says the report’s co-author Mary Theofanos.

Security fatigue in America is a real thing and it is a major threat to the future of cybersecurity. By websites, companies, and users coming together to try and ease this process, hopefully, we can make the online world a little more safe and a little less overwhelming.

Hailey R. Carlson | Axiom Cyber Solutions | 10/14/2016

National Cyber Security Awareness Month: Our Shared Responsibility

From data breaches affecting multi-million dollar corporations to ransomware targeted at the health-care industry to the real-life repercussions of insulin pump hacking, cybersecurity threats are everywhere. Emphasized by both the current President and both major political party nominees as well as the director of the FBI, it is apparent that cybersecurity is a serious concern for the nation.

Because of these impending threats, it is important for awareness of cybersecurity to be a nationwide occurrence. This October marks the thirteenth year of celebrating National Cyber Security Awareness Month (NCSAM). Created by the National Cyber Security Alliance (NCSA) in collaboration with the Department of Homeland Security’s National Cyber Security Division (NCSD), the observance of this month has grown both in popularity and in importance.

In addition to being the thirteenth year of the month’s observance, it is also the sixth year of the STOP. THINK. CONNECT. campaign. This campaign is a movement to promote simple cyber-awareness for all individuals which they can use every single time they access the Internet. The steps are quite clear:

STOP: make sure security measures are in place. THINK: about the consequences of your actions and behaviors online. CONNECT: and enjoy the Internet.

The STOP. THINK. CONNECT. campaign is the focus for the first week of National Cyber Security Awareness Month, with the subsequent weeks’ topics including harboring a cybersecurity culture in the workplace, recognizing and combating threats, examining the future of tech and IT security, as well as emphasizing the importance of critical infrastructure. While it is important for individuals to be cyber-aware, it is equally if not more important for businesses to know their risks as well.

All Businesses Need Cybersecurity

Different things come to people’s minds when they think about cybersecurity in relation to business. For some, they think of the statistics surrounding small-to-medium-sized businesses such as how 71% of cyber attacks target SMBs. For others, the data breaches of major corporations such as Target and Sony come to mind. In reality, all of these entities have a dire need for cybersecurity. There is no silver bullet when it comes to securing cyber defenses, however, so it is important for companies of all sizes to put in place multiple layers of protection against threats. Some key precautions that need to be implemented regardless of size or industry of a business include:

  1. Anti-virus Protection—Utilizing an anti-virus software is one of the most basic ways to protect a company’s computers and system. A strong anti-virus software is necessary in order to detect and remove viruses before they harm your system.
  2. Firewall Implementation—Use of a firewall helps secure your network from cyber attacks by preventing them from accessing your system in the first place. Though there are both software and hardware options when it comes to firewalls, for businesses, it is recommended that hardware firewalls, especially Next-Generation Firewalls, be used since these protect whole systems compared to their software cousins that only protect the individual computer on which they are installed.
  3. Network Monitoring—Network monitoring, be it performed internally or provided externally through a cybersecurity partner, is a crucial aspect of cybersecurity defense. This service notifies the network administrator of any oddities such as intrusion detection and overloaded servers, which can help them to fix these issues quickly. Simply setting up cybersecurity will not be enough; these defenses need to be monitored often so that a company knows where its weaknesses lie.
  4. Employee Education—While employees are often a company’s greatest asset, they can also be its greatest cybersecurity threat. Malicious actors do make up a large portion of the threat; however, a major, fixable component is a lack of employee knowledge. The easiest way to fix this is to have company-wide training on various cyber-threats including phishing, able to trick nearly a third of employees, as well as ransomware threats. These two cybercrimes are the most egregious according to the FBI and are increasingly becoming their focus in the fight against cybercriminals, so it is especially important to educate employees in these areas. By educating employees, a company can both strengthen its cybersecurity defenses and empower its employees to be more accountable for their behavior online.

Our Shared Responsibility

The major theme with National Cyber Security Awareness Month is the idea of a collective accountability when it comes to cybersecurity defenses. We are all connected through the Internet, and because of this, the NCSA emphasizes that it is our shared responsibility to protect this shared resource. This sentiment cannot be better summarized than by the following quote,

No individual, business or government entity is solely responsible for securing the Internet. Everyone has a role in securing their part of cyberspace, including the devices and networks they use. Individual actions have a collective impact and when we use the Internet safely, we make it more secure for everyone. If each of us does our part—implementing stronger security practices, raising community awareness, educating young people or training employees—together we will be a digital society safer and more resistant from attacks and more resilient if an attack occurs.

If you would like to find out more about National Cyber Security Awareness Month, please visit https://staysafeonline.org/ncsam/ to learn more about how you can get involved. If you would like to enhance your own cybersecurity defenses, regardless of the size of your company, please contact Axiom Cyber Solutions to see how our managed cyber solutions can help you get and stay secure.

Hailey R. Carlson | Axiom Cyber Solutions | 10/07/2016

The FBI’s New Stance on Ransomware

Ransomware is a type of malicious software designed to block access to a computer system until a sum of money, or ransom, is paid. Though now primarily known by this definition as a cybercrime, ransomware has been around since before the internet gained its popularity. The first instance of the threat, in 1989, was actually delivered via postal mail and was known as the AIDS Trojan. This original variant spread via floppy disks and involved sending $189 to a post office box in Panama as payment for the ransom. Since then, the threat has grown drastically with the flourishing of the internet, not only in its complexity but in its reach as well.

Ransomware has attacked millions of victims across a multitude of industries with education, healthcare, and government among some of the most highly targeted sectors. Instances of the cyber-threat have increased by over 53% in the past 12 months, with projections set to rise even more significantly by the end of 2016. Not only have ransomware scam artists been able to infect millions of people’s computers and hold their files for ransom, often after encrypting them, but they have made a lot of money doing so. Last year alone, the cyber threat brought in upwards of $325 million for cybercriminals, and it appears as though their paydays are growing in number and in ransom amount paid. Evolving from the checks sent to that P.O. box in Panama to difficult-to-trace bitcoin transactions that are so predominant in ransomware today, the threat and its multiple different creators are getting harder and harder to stop.

Throughout the years, there have been varying opinions on how to handle this cyber-crime. Of course you don’t want to fund cybercriminals’ vacations by paying the ransom, but you also need to regain access to your precious files that mean so much to your business. What do you do in this case? Well the FBI has come out with a clear stance on what they think needs to be done in order to stop, or at least slow down, ransomware in its tracks.

Contradictory to their opinion last year where they encouraged companies to just pay the ransom in order to regain access to important files that were encrypted by ransomware variants including Cryptolocker, Cryptowall and other malware, the FBI now says that you should not pay the ransom and you should report any instance of the cybercrime to them directly. This change of heart on the matter was not made lightly. The FBI’s goal in all of this is to be able to better assess the magnitude of the threat that ransomware poses. In a public service announcement on September 15th, 2016, the FBI explains why they are asking for ransomware victims’ help:

“Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases. Knowing more about victims and their experiences with ransomware will help the FBI to determine who is behind the attacks and how they are identifying or targeting victims.”

While reporting an incident will help the FBI be able to keep track of the number of ransomware attacks out there, they are looking for some specific data that will be of extreme help in finding these ransomware scam artists. Here are some specifics that the FBI is looking for:

  1. Date of Infection
  2. Ransomware Variant (identified on the ransom page or by the encrypted file extension)
  3. Victim Company Information (industry type, business size, etc.)
  4. How the Infection Occurred (link in e-mail, browsing the Internet, etc.)
  5. Requested Ransom Amount
  6. Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
  7. Ransom Amount Paid (if any)
  8. Overall Losses Associated with a Ransomware Infection (including the ransom amount, if paid)
  9. Victim Impact Statement

While the FBI is eager to receive all of these reports in an attempt to stop the cyber-crime, in its September 15th PSA, the FBI also stresses the importance of strong cyber-defenses in order to avoid the threat in the first place. A few common key elements to this security include the installation of a secure firewall and regularly backing up data. If you find that you are the victim of ransomware, please contact the FBI immediately and provide them with as much of the information above as possible. If you would like to prepare your defenses against such an attack, please contact Axiom Cyber Solutions to learn more about how to get and stay protected. Our patented ransomware algorithm and team of managed cybersecurity experts will make sure you and your business are taken care of.

Hailey Carlson | Axiom Cyber Solutions | 9/30/2016

Cybersecurity Skills Gap: Will it improve or widen further?


There is a fast approaching shortage of workers in the workforce across a multitude of industries—and while many think of the healthcare industry as being the most threatened by this shortage as there has been a recent lack of future qualified nurses, there is an alarm being sounded by the cybersecurity industry for fear of the same thing happening within it as well. As the number of cyber threats facing internet users globally increases daily, so does the demand for qualified individuals to combat these risks. While demand for cybersecurity jobs is expected to grow by 53% over the next two years, there are not enough adequately qualified people expected to be available to fill all of these positions. This is what is known as the cybersecurity skills gap.

As of March of 2015, there were more than 209,000 cybersecurity jobs in the US that went unfilled and the number has grown drastically since then. Most experts believe this to be caused by a lack of interest by future workers, meaning that not only is there a lack of attention towards this industry among college-aged students who are not picking cyber-related majors such as Computer Information Systems and Computer Science, but K-12 children as well. In an attempt to increase interest, there are programs such as STEM (science, technology, engineering, and math) that are designed to pique a young tech guru’s curiosity about the possibility of pursuing a career in the IT industry. While some may be interested in a career in cybersecurity, not everyone who tries is adequately qualified for the position for which they are applying; for this reason, experts in the field are divided on whether or not the cybersecurity skills gap will improve or be widened further.

Will the gap improve or widen further?

Experts are torn on their opinions as to whether or not the cybersecurity skills gap will be improved or widened in the coming years.

Those who believe that there is no hope for the industry’s workforce to improve argue that while many people may be applying for IT jobs, they are not properly qualified for these positions. Sixty-seven percent of IT professionals do not have any certification that would make them qualified for their jobs—they must simply learn while they are on the job. These naysayers also argue that most of the executives that prioritize cybersecurity are only CIOs and senior IT leaders, prioritizing the threat about 73% compared with CEOs and CTOs who reportedly only consider security approximately 55% of the time on average between the two positions. The experts on this side of the issue believe that if these high ranking executives don’t take the threats that face their companies seriously, how can the gap be improved properly?

Those who believe that the gap will be decreased have two main approaches to improving the industry’s lacking workforce. First is a people-centric approach that focuses on training our next generation of workers in cybersecurity skills. This requires teamwork between industry professionals and higher education establishments who must not only share the responsibility, but are required to have a cohesive action plan. In May of 2016, IBM security professionals volunteered their time to teach at the University of Warwick, discussing topics such as security solution design processes and endpoint security, among others. By educating those interested in a career in IT, the gap will surely be lessened over time.

The second approach that supporters of the skills gap being closed might utilize, primarily as a backup plan (for now), is the use of cybersecurity robot workers. This approach is a little bit less conventional because though it fulfills the needs of companies to have qualified workers, it negatively impacts unemployment rates, so many experts favor the people-centered approach over this one.

Important Cybersecurity Skills Needed

There are many traits that a qualified cybersecurity professional should have, but among the most important of these are (1) intrusion detection, (2) secure software development, and (3) attack mitigation. These are the three essential skills that will aid the cybersecurity industry in lessening the gap in qualified workers. “These skills were in greater demand than softer skills, such as the ability to collaborate, manage a team, or communicate effectively,” reports a researcher with the Center for Strategic and International Studies. While this may contradict what some people have previously thought, knowledge of these three main skills will ensure properly educated workers are placed in positions that they are capable of fulfilling.

Because of its unpredictability, it is hard to say just exactly who will be right about the cybersecurity skills gap; however, piquing young people’s interest early and utilizing teamwork to bring together higher educators as well as industry giants might help to lessen this gap in the near future. If you are interested in a career in IT, visit us at https://axiomcyber.com/ to learn more about a small-business-centered cybersecurity career.

Hailey R. Carlson | Axiom Cyber Solutions | 9/23/2016


S.T.E.M Careers: Growing Towards the Future


S.T.E.M. Education

Many people have heard of the STEM program but not everyone knows exactly what it entails. STEM is a curriculum based on the idea of educating students in four specific and critical areas — science, technology, engineering, and math — however, STEM does not separate these subjects to be taught individually, rather they are integrated into a cohesive program that teaches the subjects together as complements to one another. One key point that the program is praised for is its use of real-world applications to train these students for their future careers — making it one of the most successful programs resulting in some of the best-prepared students facing the workforce upon graduation.

More often than not, people think of high school or even college as the starting point for such technical and complex education to begin, but many schools have incorporated STEM into classes to some degree from kindergarten on up through high school! Of course, it is much more basic at the lower grades, but by including it in the curriculum in students’ education from the beginning and adding to it incrementally as they grow, students will be much more interested in the subjects included in STEM. In addition to this, they will be able to notice the correlation between these subjects, which will possibly result in higher numbers of these individuals choosing STEM-related careers. As you can see to the left, 58% of people currently working in STEM decided on this career path prior to graduating high school, meaning that early teaching is critical in creating future workers interested in STEM.

S.T.E.M. Careers

STEM is the second fastest-growing industry, second only to healthcare, with an expected 8.6 million jobs available in the field by 2018. Not only are graduates of STEM-related majors some of the highest paid young professionals right out of college, but they also get those high-paying jobs rather quickly following graduation. While these facts may be enticing, it is important for individuals to know about some of the potential successful careers they could have in their main area of interest when it comes to STEM.

Science & Engineering

Science and engineering careers are the most related when it comes to the workforce and make up 6 of the top 10 careers in STEM including civil engineering, environmental engineering technology, nuclear engineering technology, computer engineering (also related to technology), petroleum technology, and marine sciences. Among the requirements for these careers are strong problem solving skills, chemistry, basic math skills, and deductive and mathematical reasoning.

Mathematics

Mathematics itself, while an integral element in each of these careers, is not well represented in this top 10 list, making up only one of the listed STEM jobs. Despite this fact, Mathematics encompasses a multitude of industries such as statistics, actuarial sciences, economics, and more that differentiate it from its fellow STEM categories. Required skills for mathematically related jobs include deductive and mathematical reasoning, problem solving skills, and facility with numbers. If you love numbers and are interested in STEM, this might be the career path for you.

While science, engineering, and mathematics combine to make up the majority of the top jobs in STEM, technology is one of the fastest growing of these already rapidly rising industries and it affects its STEM counterparts significantly.

Technology

Advancements in existing technology, like smart-phones and computers, as well as the development of new technologies, such as IoT devices and connected car security, make it very apparent that a career in technology has a bright outlook for the future. Jobs are becoming much more technical now and require a better understanding of technology, so STEM programs have been more heavily emphasizing this segment of STEM in recent years.

Of Monster’s top 10 most valuable STEM careers, there are four related to technology: computer and information services, computer engineering (also related to engineering), computer programming, and the #1 most valuable STEM career: information technology. For these careers, there are multiple job titles including Information Security Analyst, Computer Systems Analyst, and Web Developer, among others. These jobs not only require knowledge of the latest technology, high analytical and developmental skills, and logical thinking, but a person seeking one of these jobs must be goal-oriented, passionate, and dedicated to advancing technology and growing the industry as he or she rises throughout a career in tech.

A common misconception about STEM is that it is all about the technical and analytical side of these complex careers, but STEM workers are also creators, innovators, and ground-breakers for the futures of each of their industries. Another fallacy surrounding STEM is that a student must receive traditional training and education in order to gain a successful career in STEM; however, there are alternative ways into a career in these fields.

Alternative Routes to a career in STEM

Many people may look at the training and schooling necessary to attain a STEM-related degree and think that it is not affordable for them or the resources necessary to achieve such certifications required for their future careers are out of reach; however, there are companies out there that try and alleviate these fears by offering alternative routes for those individuals who are interested in a career in technology, but choose to go a different route to get there.

Axiom had the privilege earlier this year to work with IT Works, a Tech Impact program that offers free, immersive IT training to young adults: motivated high school graduates, age 18-26 years old, who have not yet completed a Bachelor’s degree. As part of the 16-week training program, an IT Works student named William Lewis completed a 5-week internship with Axiom and you can read about his experience interning for Axiom through IT Works here. A career in STEM is not necessarily about going to the highest ranked technology school, but being motivated enough to find your own way to where you want to be in your career, with the help of some companies out there who can get you where you’re headed.

Why S.T.E.M.?

In case you’re still on the fence as to whether or not STEM education and careers are important, the National Science Foundation has this to say on the subject:

“In the 21st century, scientific and technological innovations have become increasingly important as we face the benefits and challenges of both globalization and a knowledge-based economy. To succeed in this new information-based and highly technological society, students need to develop their capabilities in STEM to levels much beyond what was considered acceptable in the past.”

With such a revolution in science, technology, engineering, and mathematics, the modern world is in great need of such advanced, pioneering minds as those interested in having an impact on these crucial subjects.

If you’re interested in learning more about STEM careers, please contact Axiom at https://www.axiomcyber.com/ to speak to one of our IT professionals about a career in tech. If you are in need of a different route of gaining technological experience and qualifications, please visit http://techimpact.org/ to learn more about their available programs for innovative and motivated individuals.

Hailey R. Carlson | Axiom Cyber Solutions | 9/16/2016


Don’t Get Baited by Phishing Scams


It seems that every day there is another company being hit with a new phishing scam—PayPal and Dropbox being some of the more notable of the recent victims. Because it is all over the news, we assume that we know exactly what phishing is; but do we really?

What it is & How it works


Phishing is a scam where cyber-criminals, sometimes referred to as ‘phishers’, impersonate seemingly trustworthy sources in order to send out electronic communication to their contacts (usually customers) in order to do one of two things: (a) to steal credentials and personally identifiable information (PII) from employees and clients, or (b) to infect the computer or company system with malware. The way they are able to do this is a systematic process that includes planning, setup, attack, and collection.

  1. Planning. First, phishers determine which businesses they want to target and how to get their email address list. This is usually by either stealing information from the social media accounts of finance and HR employees from networks such as LinkedIn, or by guessing employee email addresses, which they then use to infiltrate the company. It is easy for hackers to guess some employee emails if the company uses the standard formatting of ‘firstname.lastname@companyname.com.’ While this is easy for employees to remember, it is also easy for phishers to guess.
  2. Setup. Once they have decided their targeted businesses, phishers determine their delivery method for the scam. Most of the time this is through email, however the PayPal phishing scam is an example of one that uses social media as a means of tricking customers. Two fraudulent Twitter accounts were made to appear as though they were legitimate customer service accounts with an urgent message for users of the site. Targets have been lured into entering their PayPal credentials into the seemingly legitimate, but fake pop-up page. This gives these cyber-criminals the information they need to steal PII from the users as well as transfer funds out of their PayPal accounts straight into the scammers’ pockets.
  3. Attack. This is the stage that most people think of when they think of a phishing attack. This is where the phishing message is actually sent out via whichever means the scammer previously chose, again, appearing to be from a reputable source.
  4. Collection or Infection. Not everyone will click on the phishing message, however, 39% of employees click on emails that they originally believe to be suspicious. Those who do end up taking the bait by either clicking on a link in an email or entering in their information into a pop-up, unfortunately have their information recorded by the phishers who can then use this information for their own personal gain. The collection of information is the goal for one type of phishing scam, but as mentioned above, there are some phishing scams whose goals are to infect the computers or systems of the affected individuals. Ransomware, one of 2016’s hottest cyber-threats, is a very popular malware to be included in a phishing scam–now included in 93% of the phishing emails sent out.

How to Identify a Phishing Message


Before any company can protect against a phishing scam, they must first be able to identify one. Here are a few telltale signs that can help you distinguish a phishing email from a legitimate one (note that these are also included in a previous Axiom blog article on phishing, Gone Phishing: Who’s really on the other end of the line?).

  1. Links- The best way for a hacker to access your information is by making you come to him. Many links in suspicious emails can be verified by hovering your mouse over them; if the link is taking you to an .exe file for example, do not click on it, as these have been known to be the source of various malicious software in other cyber crime situations.
  2. Threats- When there is a threat in an email, such as forcefully taking down an account or being fined if you do not take instant action, this is usually an indicator of phishing. This can come in the form of both email and phone solicitation and threats are easily identifiable by the request of immediate action or otherwise facing the hacker’s consequences.
  3. Posing as a popular company- Seeing a familiar logo or name on an email or other electronic communication can give you a false sense of security that what you are receiving is a legitimate connection from an accredited company. An indicator that a message is phishing is when the hacker includes the company title in a way that is slightly different from the actual company name (i.e. Twitter Co. instead of Twitter Inc.). Also, if you regularly get emails from a reliable company and you receive one that looks different than usual, this is a sign that it may be a phishing scam.
  4. Spelling and Grammatical errors- If there are clear spelling or grammatical errors throughout the email, it is obvious that this email was not carefully looked over by a member of an authentic company and is likely phishing. This not only includes spelling and grammatical errors, but also when key parts of an email, such as the subject line or a signature, are missing or strangely worded.
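
The first three indicators above, plus the missing-subject case from the fourth, can be checked mechanically before a message reaches an inbox. The following Python code is an added example, not part of the original article; the brand/domain table, the urgency phrases, the extension list and both sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed reference data (not from the article): brand -> legitimate sender domains.
KNOWN_BRANDS = {"paypal": {"paypal.com"}, "dropbox": {"dropbox.com"}}
URGENCY_PHRASES = ("immediate action", "will be suspended", "within 24 hours")
RISKY_EXTENSIONS = (".exe", ".scr")  # the article names .exe; .scr is an added assumption


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def same_or_subdomain(host, domain):
    return host == domain or host.endswith("." + domain)


def check_message(raw):
    """Return a list of (indicator, detail) findings for one raw e-mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Indicator 3: display name claims a brand, sender domain is not that brand's.
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display.lower() and not any(
            same_or_subdomain(sender_domain, d) for d in domains
        ):
            findings.append(("brand-mismatch", f"{display} <{addr}>"))

    # Indicator 4 (partial): a key part of the message, the subject, is missing.
    if not str(msg.get("Subject") or "").strip():
        findings.append(("missing-subject", ""))

    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""

    # Indicator 2: threats that demand instant action.
    for phrase in URGENCY_PHRASES:
        if phrase in body.lower():
            findings.append(("urgency", phrase))

    # Indicator 1: what "hovering over the link" would reveal.
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = host_of(href)
        if urlparse(href).path.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("executable-link", href))
        looks_like_url = "." in text and " " not in text
        shown = host_of(text if "://" in text else "//" + text) if looks_like_url else ""
        if shown and target and shown != target:
            findings.append(("link-mismatch", f"shows {shown}, goes to {target}"))
    return findings


# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: "PayPal Co. Support" <service@paypa1-secure.example>
To: user@example.com
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended unless you take immediate action.</p>
<p><a href="http://login.paypa1-secure.example/verify">www.paypal.com/verify</a></p>
<p><a href="http://files.paypa1-secure.example/invoice.exe">View invoice</a></p>
</body></html>
"""

BENIGN = """\
From: "Dropbox" <no-reply@dropbox.com>
To: user@example.com
Subject: Your shared folder
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>A folder was shared with you.</p>
<p><a href="https://www.dropbox.com/home">www.dropbox.com/home</a></p></body></html>
"""

if __name__ == "__main__":
    for kind, detail in check_message(SUSPICIOUS):
        print(kind, detail)
```

Heuristics like these only rank messages for review; a clean result does not prove a message is legitimate.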

How your company can combat phishing, Employee Education


Now that we know how to identify a phishing scam, it is important to take the proper steps in protecting businesses everywhere from this type of threat. Companies are the primary targets of phishing attacks, and consequently, they need to amp up their cybersecurity defenses in preparation for combating phishing threats. While employees are some of a company’s greatest assets, they are also the greatest threat to its cyber-defenses. This is why employee education is the most important defense against phishing.

  1. Educate employees—Informing your employees of the indicators listed above will help them to be able to identify a phishing threat.
  2. Take care to assess emails—Encourage your employees to take the time to assess an email before clicking on it or any embedded links it may include. Michele Fincher of Social Engineer, Inc. says, “Adding a couple of seconds on to what you normally do when you receive an email will go a long way (toward safety).”
  3. Utilize checks and balances—Utilizing checks and balances can help to prevent what is known as spear phishing—when hackers pretend to be executives emailing upper level employees in order to gain access to valuable information like financial numbers, wire transfers, and employee information. By having multiple people needed to sign off on something, it is likely that the scam will be caught among them.
  4. When in doubt, ask—Let your employees know that if they are questioning an email, they should ask someone else before clicking on it. It is better to be safe than sorry, and most of the time, if they are questioning it, it is likely a fraudulent email.

If you believe an electronic communication to be malicious or suspicious, do not open it, delete it, and report the incident to your IT department. For small businesses that may not have an IT department or think that cybersecurity is out of reach for your company’s budget, please go to www.axiomcyber.com to learn more about our affordable managed cybersecurity solutions and how we can help your business get and stay secure.

Hailey R. Carlson | Axiom Cyber Solutions | 9/9/2016


Protect Your Kids When They Go Online


Children today are amazingly advanced when it comes to technology. They are able to navigate tablets with ease—from flipping through photos to watching surprise egg videos on YouTube, kids have adapted to know exactly how to use your smartphone, tablet, or other electronic devices. In Figure 1, it is apparent that children’s competency levels in regards to tablet functions alone are extremely high—some of which they can do completely unassisted. With their high capability levels as well as the threats the internet poses to them, it is important to ensure they are using these devices safely.


Figure 1: Dubit/University of Sheffield Tablet Use Competence February 2015

As a parent, there are many conversations you’ll have with your child at some point in his or her life. And while some may be more uncomfortable than others, most all of these conversations are necessary and important to your child’s safety and overall well-being. One of the most important of these conversations, and one of the discussions that parents in general do not have much experience in delivering because of its newness, is on cybersecurity.

There are multiple topics of discussion surrounding cybersecurity safety because unfortunately, there are so many threats to people of all ages today. However, there are some key points to keep in mind when battling cybersecurity risks including device safety, web filtering and monitoring, as well as knowing about specific threats like online predators.

Device Safety

As mentioned above, toddlers and other children can navigate electronic devices with surprising ease. While this is incredible, kids do not necessarily know the threats that using these devices can pose and it is important that parents educate them and take action against these threats.

One way to combat this is by putting your devices into safe mode when children are using them. Most tablets and phones, including Android and Apple devices, have a safe mode where you can restrict the apps, internet usage, and even length of time the device can be used in an attempt to help protect your child. By restricting what they have access to in the settings of a device, your children will be protected without you having to sit there and monitor their device usage in person. Parents have too much to juggle, and cannot always be right there with their child while he or she is using this type of device.

In addition to these measures, it is important for you to talk to your child about why they cannot access certain features on their devices. Explaining the reasons why something is not safe rather than just stating that it is in fact dangerous will help your child better understand the preventative actions you’ve taken as well as remind them to keep safety in mind when using electronic devices.

Web Filtering & Monitoring

Whether they are using tablets, phones, or some other devices, if your kids have access to the internet they are exposed to an unimaginable amount of threats. Malware and phishing are especially rampant cyber-threats for people of all ages and children often have a hard time deciphering between legitimate and fake links while online.

The internet in general is pretty scary and malicious for people of any age, let alone children. Merely misspelling a word can send you to a completely wrong address that you never intended on visiting. One way to help protect your children’s online usage is to set up parental controls through web filtering applications such as OpenDNS which gives you the ability to decide which sites your child can and cannot access. By taking this simple measure, you can stop your child from accessing websites that may have inappropriate or malicious information on them.

In addition to setting up filtering defenses, monitoring your child’s internet usage is important as well. For some children who are a little bit older, there are things like homework and social media that they use daily on the internet. But how do you know if they are doing what they are supposed to be doing while online?

One simple way is to check their internet history. While this is an effective way to see where your child has been looking online, there are some tech savvy teens and tweens that may be able to figure out how to clear their histories. In this case, you can also use a monitoring software such as SafetyWeb or SocialShield which will give you a detailed list of where your kids have gone while surfing the net.

Again, communication is key here. Talking to your child about the dangers of going to unfamiliar sites as well as possibly letting them know you are monitoring their online activity will keep your child aware of their actions online and remind them of the safety threats that you are trying to protect them from.

Cyber experts tell their kids, in regards to social media security, that once they’ve posted something online, it can never truly be deleted. This helps to remind children to be careful about what they are saying. In the same vein, with regards to cyber-bullying and ‘trolling,’ they tell their children not to say anything online that they would not say face-to-face. Oftentimes, the relative anonymity of the internet can bring out the cruelest words from even the nicest people, so reminding your children that their words still have meaning even if they are posted online is a very important conversation to have.

Online Predators

Unfortunately, even with all of these defenses set in place, there are malicious online predators who are actively trying to get to children of all ages. Twenty-five percent of children online have been exposed to unwanted pornographic material and only 25% of children who are exposed to this type of material notify an adult about the situation.

While this is the scariest cyber-threat of them all that your children might face, this crime really only has one defense: education. This is where the talking really needs to be serious because if predators can somehow get past your defenses, your child needs to know how to deal with this. Let your child know that it is okay to talk to an adult about any online situation that makes them uncomfortable. In addition, make sure they know not to put out any of their important information online. This information, otherwise known as personally identifiable information, can lead these bad people directly to your child’s computer—or worse, straight to your home.

While there is no surefire way to make sure your child is safe from the bad guys on the internet, talking to them, setting up what defenses you can, and making sure that you all are keeping up to date on current threats can help to strengthen the open dialogue needed to keep families safe from the threats that the internet poses.

Hailey R. Carlson | Axiom Cyber Solutions | 9/1/2016
