Automating security for OT infrastructure can help organizations combat a rising volume of cyber threats in an era when security professionals are in short supply.

Security teams are tasked with the challenge of processing large amounts of operational technology (OT) and IT security telemetry. To make this easier, Swimlane announced a low-code security automation platform to create a centralized system of record and control point.

The platform integrates with other OT security providers, including Nozomi Networks, Dataminr and 1898 & Co, Swimlane says. This allows OT security teams to unify threat detection and response by providing access to intelligence and telemetry from both the OT and IT environments.

"This cyber-physical threat response saves organizations crucial minutes when connecting with staff members who might be affected by a natural disaster, accident, or social unrest, or other types of physical risk," explains Cody Cornell, co-founder and chief strategy officer of Swimlane. 

For example, integrating automation with Nozomi Networks will allow industrial and critical infrastructure security operations teams to maintain continuous asset compliance and mitigate the risks of attacks from combined OT and IT entry points. The Dataminr integration provides automated processes to mitigate physical risks and warn at-risk employees as soon as possible to ensure their safety. And the integration with 1898 & Co allows industrial and critical infrastructure entities to add managed threat detection services that are specifically designed to address OT-specific challenges, Cornell says. That includes detecting both OT and IT-born threats, machine-speed threat validation and scoring, and rapid remediation of threats using OT response methods.

**Turning to Automation as Threats Pile Up**

"Cyber threats have increased in frequency and severity, which will only worsen with time," Cornell notes. "SecOps teams in industrial organizations are regular targets for cyberattacks due to the importance of their systems and infrastructure."

With the limited resources at their disposal, security teams working in organizations that rely on OT struggle to keep up with new threats. The industrial cybersecurity sector has also been attempting to address the OT security skills gap over the past few years.

"The need for security professionals to understand and safeguard cybersecurity and deal with the issues posed by antiquated and unsupported legacy processes and control systems makes the talent shortage in the OT security sector particularly more severe," Cornell adds.

The combination of factors - a cybersecurity skills shortage in OT and an overwhelming amount of OT and IT data and telemetry to analyze - creates a situation that could benefit from automation. In the OT sector, automation could play a critical role in defending against rising cyber threats in a more effective and efficient manner.

Automation has become a must-have technology for security operations: The US Executive Order on Improving the Nation's Cybersecurity from May 2021 highlighted multiple areas where automation should be adopted to manage the ever-increasing volume of threats and talent shortage.

**Going Low-Code to Transcend SOAR**

Legacy security orchestration, automation, and response (SOAR) products have earned a reputation of being rigid and unapproachable for the average security professional, Cornell notes. With security automation at the center, organizations could maximize the productivity of their existing security investments and staff while gaining greater visibility into critical assets, accelerating their response to incidents targeting their critical infrastructure, and improving overall team efficiency.

"Traditionally, OT systems were completely segregated from internet-facing technology," Cornell says.

However, as critical infrastructure operators increasingly seek to carry out digital transformation initiatives, these systems are being modernized and connected to IT systems. The result is an expanded attack surface as previously isolated OT systems, once relatively immune to cyberattacks, are now internet-accessible and high-value targets for threat actors.

"Mission success depends on secure operations, but IT, OT, and IoT assets all have different characteristics, communications, behaviors -- and unique security challenges," Cornell says. "We created this ecosystem to help critical infrastructure operators take defense up a notch and reduce cyber risk with a proactive approach designed to secure their complex ecosystem of IT, OT, and IoT assets."

**Vendors Stepping up Automation Offerings**

Swimlane isn't the only company using automation to ease security pain points while managing security telemetry. Security operations platform ThreatQuotient recently released ThreatQ TDR Orchestrator, which is designed to address industry needs for simpler implementation and more efficient operations.

In June, Snowflake released a tool to help underpin cybersecurity capabilities including SIEM, compliance automation, and vulnerability management. The workload offers customers access to cybersecurity capabilities including SOAR, compliance automation, and vulnerability management through connected applications that run on top of their existing Snowflake environments.

Earlier in the year, Sophos acquired SOC.OS, a spinoff company of BAE Systems Digital Intelligence with a software-as-a-service (SaaS) solution for automating the monitoring and triaging the growing volume of data and alerts across organizations.

Swimlane Introduces Low-Code, Automation Approach to OT Security

BatLoader has spread rapidly to roost in systems globally, tailoring payloads to its victims.

A dangerous new malware loader with features for determining whether it's on a business system or a personal computer has begun rapidly infecting systems worldwide over the past few months.

Researchers at VMware Carbon Black are tracking the threat, dubbed BatLoader, and say its operators are using the dropper to distribute a variety of malware tools including a banking Trojan, an information stealer, and the Cobalt Strike post-exploit toolkit on victim systems. The threat actor's tactic has been to host the malware on compromised websites and lure users to those sites using search engine optimization (SEO) poisoning methods.

**Living Off the Land**

BatLoader relies heavily on batch and PowerShell scripts to gain an initial foothold on a victim machine and to download other malware onto it. This has made the campaign hard to detect and block, especially in the early stages, analysts from VMware Carbon Black's managed detection and response (MDR) team said in a report released on Nov. 14.

VMware said its Carbon Black MDR team had observed 43 successful infections in the last 90 days, in addition to numerous other unsuccessful attempts where a victim downloaded the initial infection file but did not execute it. Nine of the victims were organizations in the business services sector, seven were financial services companies, and five were in manufacturing. Other victims included organizations in the education, retail, IT, and healthcare sectors.

On Nov. 9, eSentire said its threat-hunting team had observed BatLoader's operator luring victims to websites masquerading as download pages for popular business software such as LogMeIn, Zoom, TeamViewer, and AnyDesk. The threat actor distributed links to these websites via ads that showed up prominently in search engine results when users searched for any of these software products.

The security vendor said that in one late October incident, an eSentire customer arrived at a fake LogMeIn download page and downloaded a Windows installer that, among other things, profiles the system and uses the information to retrieve a second-stage payload.

"What makes BatLoader interesting is that it has logic built into it that determines if the victim computer is a personal computer or a corporate computer," says Keegan Keplinger, research and reporting lead with eSentire’s TRU research team. "It then drops the type of malware appropriate for the situation."

**Selective Payload Delivery**

For example, if BatLoader hits a personal computer, it downloads Ursnif banking malware and the Vidar information stealer. If it hits a domain-joined or corporate computer, it downloads Cobalt Strike and the Syncro remote monitoring and management tool, in addition to the banking Trojan and information stealer.

"If BatLoader lands on a personal computer, it will proceed with fraud, infostealing, and banking-based payloads like Ursnif," Keegan says. "If BatLoader detects that it's in an organizational environment, it will proceed with intrusion tools like Cobalt Strike and Syncro."

Keegan says eSentire has observed "a lot" of recent cyberattacks involving BatLoader. Most of the attacks are opportunistic and hit anyone looking for trusted and popular free software tools. 

"To get in front of organizations, BatLoader leverages poisoned ads so that when employees look for trusted free software, like LogMeIn and Zoom, they instead land on sites controlled by attackers, delivering BatLoader."

**Overlaps With Conti, ZLoader**

VMware Carbon Black said that while there are several aspects of the BatLoader campaign that are unique, there are also several attributes of the attack chain that have a resemblance with the Conti ransomware operation. 

The overlaps include an IP address that the Conti group used in a campaign leveraging the Log4j vulnerability, and the use of a remote management tool called Atera that Conti has used in previous operations. 

In addition to the similarities with Conti, BatLoader also has several overlaps with Zloader, a banking Trojan that appears derived from the Zeus banking Trojan of the early 2000s, the security vendor said. The biggest similarities there include the use of SEO poisoning to lure victims to malware-laden websites, the use of Windows Installer for establishing an initial foothold and the use of PowerShell, batch scripts, and other native OS binaries during the attack chain.

Mandiant was the first to report on BatLoader. In a blog post in February, the security vendor reported observing a threat actor using "free productivity apps installation" and "free software development tools installation" themes as SEO keywords to lure users to download sites. 

"This initial BatLoader compromise was the beginning of a multi-stage infection chain that provides the attackers with a foothold inside the target organization," Mandiant said. The attackers used every stage to set up the next phase of the attack chain using tools such as PowerShell, Msiexec.exe, and Mshta.exe to evade detection.

Researchers Sound Alarm on Dangerous BatLoader Malware Dropper

An international counter-ransomware task force has been announced by Australian authorities following the recent Optus and Medibank data breaches.

Australian authorities have announced a new offensive against cybercrime, standing up a a joint operation between the Australian Federal Police and the Australian Signals Directorate to disrupt cybercriminal operations. 

The move comes after two headline-making breaches against Australian companies Optus and Medibank. The task force will collect information about cyber threats and identify targets with the potential to inflict harm on Australian national interests, according to the announcement about the new offensive cybercrime strategy. 

"This operation will collect intelligence and identify ring-leaders, networks and infrastructure in order to disrupt and stop their operations — regardless of where they are," a statement from the Australian Attorney General explained about the new ransomware task force. "It sends an important message to criminals and hackers intending to do harm — Australia will fight back."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Australia Declares War on Cybercrime Syndicates

Attackers are targeting Zimbra systems in the public and private sectors, looking to exploit multiple vulnerabilities, CISA says.

Security teams running unpatched, Internet-connected Zimbra Collaboration Suites (ZCS) should just go ahead and assume compromise, and take immediate detection and response action.

That's according to a new alert issued by the Cybersecurity and Infrastructure Security Agency, which flagged active Zimbra exploits for CVE-2022-24682, CVE-2022-27924, CVE-2022-27925, which are being chained with CVE-2022-37042, and CVE-2022-30333. The attacks lead to remote code execution and access to the Zimbra platform.

The result could be quite risky when it comes to shielding sensitive information and preventing email-based follow-on threats: ZCS is a suite of business communications services that includes an email server and a Web client for accessing messages via the cloud.

CISA, along with the Multi-State Information Sharing and Analysis Center (MS-ISAC), provided detection details and indicators of compromise (IoCs) to help security teams.

"Cyber-threat actors may be targeting unpatched ZCS instances in both government and private sector networks," according to a Zimbra advisory.

CISA and the MS-ISAC strongly urged users and administrators to apply the guidance in the Recommendations section of this Cybersecurity Advisory to help secure their organization's systems against malicious cyberactivity.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Unpatched Zimbra Platforms Are Probably Compromised, CISA Says

Data-deletion service's patent covers removing personal information such as geolocation, biometrics, and phone records from a vehicle by using a user-computing device

**ATLANTA, Nov. 14, 2022 /PRNewswire/** — Privacy4Cars, the first privacy-tech company focused on solving the privacy and security issues posed by vehicle data to protect consumers and automotive businesses, announced today that it has secured a new patent, further expanding its patent coverage for removing privacy information from a vehicle by using a user computing device. This patent grant marks the fourth patent that the U.S. Patent & Trademark Office has awarded to Privacy4Cars in the past three years and provides further evidence that the company is the leading innovator in the vehicle data privacy and security field.

Since its launch in 2018, Privacy4Cars has emerged as the industry standard across auto finance companies (including captives, national and regional banks, auto lenders, and credit unions), fleets and fleet management companies, and franchised and independent dealerships. Many of today's top companies in the automotive space — including the three largest OEM's captives — have adopted the data-deletion service powered by the Privacy4Cars platform, and a growing number of industry associations have begun speaking out about the need to clear personal information from cars, and tapping Privacy4Cars as a resource to educate members.

"Used vehicles are akin to large, unencrypted hard drives full of consumers' sensitive Personal Information, including identifiers, geolocation, biometrics, and phone records," said Andrea Amico, CEO and founder of Privacy4Cars. "This creates service, reputation, and increasingly major regulatory challenges, including the obligations companies face under the new Safeguards Rule (coming into effect on Dec. 9, 2022) and a host of existing and new state laws. At the same time, federal and local agencies are increasingly concerned about the personal information vehicles capture and store — which is driving more and more auto businesses to look for reliable solutions to simply and effectively delete data from vehicles while creating by design detailed compliance logs that prove their efforts," he continued. "This new patent demonstrates Privacy4Cars' commitment to meet the growing compliance and service needs of our partners. Privacy4Cars has established itself as the clear leader in the vehicle privacy space and companies increasingly recognize the superior efficiency, effectiveness, and compliance outcomes our proprietary solution offers, making Privacy4Cars the only obvious choice".

Privacy4Cars' newly awarded U.S. Patent No. 11,494,514 expands the scope of patent protection for the vehicle data privacy and security innovations of Privacy4Cars' U.S. Patent No. 11,256,827, U.S. Patent No. 11,157,648 and U.S. Patent No. 11,113,415. The new patent covers the use of a user computing device to remove privacy information from a vehicle and to create feedback about the information removal activity, including deletion logs for use in legal compliance applications.

Privacy4Cars is currently available in the US, Canada, UK, EU, Middle East, India, and Australia, and plans to further expand its geographical reach to address the growing number of countries that have comprehensive privacy and data security laws. Privacy4Cars is available to consumers as a free-to-download app, and to businesses as a subscription service. Businesses can use Privacy4Cars' stand-alone app or choose to integrate Privacy4Cars' Software Development Kit to easily embed its patented data deletion solution as a feature inside their own apps.

For more information about Privacy4Cars, please visit: https://privacy4cars.com.

**ABOUT PRIVACY4CARS**

Privacy4Cars is the first and only technology company focused on identifying and resolving data privacy issues across the automotive ecosystem. Our mission, Driving Privacy, means offering a suite of services to expand protections for individuals and companies alike, by focusing on privacy, safety, security, and compliance. Privacy4Cars' patented solution helps users quickly and confidently clear vehicle users' personal information (phone numbers, call logs, location history, garage door codes, and more) while building compliance records. For more information, please visit: https://privacy4cars.com/

**SOUR****CE:** Privacy4Cars

Privacy4Cars Secures Fourth Patent to Remove Privacy Information From Vehicles and Create Compliance Logs

Designation recognizes highest caliber of information security.

**PLEASANTON, Calif., Nov. 14, 2022 /PRNewswire/** — Avatier, the industry leader in identity and access management, today announced it has received ISO 27001:2013 certification for its Information Security Management System (ISMS).

ISO 27001:2013 is an information security standard published by the International Organization for Standardization (ISO), the world's largest developer of voluntary international standards, and the International Electrotechnical Commission (IEC). Avatier's certification was issued by A-LIGN, an independent and accredited certification body based in the United States, on the successful completion of a formal audit process. This certification is evidence that Avatier has met rigorous international standards in ensuring the confidentiality, integrity, and availability of the Avatier Identity Anywhere platform.

Avatier develops identity management and governance platforms that enable organizations to scale faster, innovate quicker and embrace change more securely. Avatier's identity access management (IAM) and identity governance and administration (IGA) solutions do not require client software, so management is in real-time across any platform, such as Google Chrome, Microsoft Teams, or iOS and Android.

"This certification demonstrates Avatier's continued commitment to information security at every level and ensures our customers that the security of their data and information has been addressed, implemented, and properly controlled in all areas of their organization," said Jeremy Russeau, Avatier CISO.

**About Avatier Corporation**

Avatier is the Identity Management company of the future with innovative solutions for today. Avatier develops a "state of the art" identity management platform enabling workforce collaboration resulting in better customer experiences and increased revenue. The company's Identity Anywhere platform uses container technology, providing maximum flexibility, scalability and security in a platform-independent and portable solution that future-proofs your investment. Avatier's identity management and access governance solutions make the world's largest organizations more secure and productive in the shortest time at the lowest costs. Avatier brings all your back-office business applications and employee assets together and manages them as one.

For more information, visit www.avatier.com.

**SOURCE:** Avatier

Avatier Achieves ISO 27001 Certification for its Information Security Management System

Quantum computing's a clear threat to encryption, and post-quantum crypto means adding new cryptography to hardware and software without being disruptive.

There is a potential dark side to quantum computing, one that is a threat to how we secure data. Back in 1994, Peter Shor developed an algorithm for factoring large numbers using a quantum computer, which could be used to break encryption. Today, RSA encryption relies on the difficulty a classical computer has with such factorization. With Shor's algorithm in mind, nation-states and nefarious actors started harvesting data packets, dreaming of a future where they would be able to decrypt those packets using a fault-tolerant quantum computer.

Currently, there are about three dozen quantum computers in the cloud. These quantum computers are error-prone and lack enough quantum bits (qubits) to run Shor's algorithm against RSA encryption. Some experts claim quantum computing will not be a threat for at least 30 years. However, those claims may be based upon outdated information and there is evidence that quantum computing will have the power to crack encryption sooner than we thought.

**Identifying Quantum Threats**

The day is coming when a quantum threat (Y2Q) to encryption becomes a reality. Y2Q proves similar to a combination of the Y2K bug and the 2014 Heartbleed attack, where it will affect almost every system on the planet and severely affect data in motion.

Y2Q affects two types of general cryptography: symmetric and asymmetric. Symmetric encryption is used for data at rest and functions like a locked box with a key. Shor's algorithm cannot attack symmetric encryption ciphers such as AES, however Grover's search algorithm can weaken it. To combat Y2Q in this situation, we can increase the symmetric key size and make it even more difficult to attack via brute force.

Data in motion on a network is protected by asymmetric encryption, which is commonly called public key cryptography, and its most prevalent example is via a cipher known as RSA. RSA is vulnerable to Shor's algorithm, allowing a quantum computer to reverse private keys and read messages. Blockchain also uses a type of public key encryption called ECC, which means the crypto economy is also threatened by quantum computing.

Preparing for Y2Q begins with conducting a post-quantum crypto (PQC) agility assessment. Crypto agility is the ability to introduce new cryptography to an organization's hardware and software without being disruptive to infrastructure. However, identifying those primary threats is not easy. It is a matter of determining what ciphers are used throughout an organization, including in third-party hardware and software. Further complicating the process is that some elements may not have a path forward for post-quantum cryptography.

**Exploring the PQC Threat and Timeline**

It may be too late to protect certain types of data. Mosca's theorem states that you must add the number of years it takes your organization to migrate to new cryptographic standards and primitives to the shelf life of your secret. For example, three years to migrate plus a regulatory requirement of 10 years of maintenance would equal 13 years.

Using the implementation example of Shor's algorithm called Toffoli-based modular multiplication, we can estimate that quantum computers will have enough power (high-fidelity qubits) to crack encryption by the end of this decade.

However, the quantum world is constantly making observations on its denizens, including qubits, which causes them to decohere and become "classical" or unable to compute with quantum algorithms. System builders must account for this noise and resolve engineering challenges to make qubits near perfect with 99.99% fidelity. We also need to run error correction, which requires sacrificing some physical qubits to create a logical, error-corrected qubit.

Qubit growth can be accelerated by using a few modest-size, quality quantum computers that work together using a technology called interconnect, which allows quantum computers to entangle qubits to behave as one quantum computer. If we get interconnect right, we could take, say, four 1,100-qubit quantum computers and instantly have a 4,400-qubit machine capable of doing damage to encryption.

IBM has a grim prediction that it will take 1,000 physical qubits to yield one error-corrected qubit. However, IonQ thinks it is closer to 16 to 1. An estimate between those two extremes indicates that if we get close to 1 million physical qubits this decade, we will quickly surpass current predictions.

NIST is aware of the looming threat and has been working to develop a new standard of PQC with ciphers to replace RSA. We expect a new standard by the end of 2024.

In May 2022, the White House released the National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems. That memo has action demands on federal entities to be taken after NIST finalizes the new standard.

We can expect regulators and other industries in the private sector to mirror these expectations closely. Simply put, organizations must become crypto-agile and introduce hybrid PQC solutions for today's most critical data flows.

Quantum Cryptography Apocalypse: A Timeline and Action Plan

Solutions that allow businesses to reduce complexity, develop and deploy applications and APIs, and protect those applications and APIs are no fairy tale.

Once upon a time, enterprise applications were deployed and delivered on-premises or in data centers. Managing the life cycle of these applications was not simple, though in time we learned. We also learned over time how to instrument the environment to collect telemetry data and use that data to monitor the applications for security and fraud threats.

Just when we had a handle on that model, things started changing. New environments, such as cloud, multicloud, edge, and hybrid started emerging. Groups such as AppDev, DevOps, SecOps, and NetOps that had learned how to manage in the traditional enterprise environment now found themselves needing to learn how to manage in a variety of environments. Each of these environments has its own technology stacks, controls, policies, processes, and procedures — not to mention the different skill sets and personnel required to manage, operate, and maintain these different environments.

These changes introduce a few marked challenges in managing the life cycle of applications and securing them:

*   Difficulty managing and securing environments due to increased complexity (multiple complex environments).
*   Difficulty deploying and managing applications and APIs across environments.
*   Difficulty protecting those applications and APIs from security and fraud threats.

For many businesses, these challenges have quickly introduced a variety of problems. Maintaining a team large and well-trained enough to successfully manage, operate, and maintain these environments is difficult for all but the largest enterprises. Managing, operating, and maintaining technology infrastructure, security stacks, and fraud technologies across environments has become prohibitively expensive.

Complexity is the enemy of security — adequately protecting applications and APIs has been hampered by the unruly mess that infrastructure has become. And enforcing consistent and effective controls, policies, processes, and procedures across environments has become nearly impossible.

Given these challenges, how can organizations:

1.  Reduce complexity?
2.  Develop and deploy applications and APIs anywhere at the speed the business requires?
3.  Protect applications and APIs from security and fraud threats?

Thankfully, businesses — even those that are not the largest of enterprises — now have some viable options. In other words, despite the words I used to start this piece, addressing these challenges is not a fairy tale. There are some solutions that allow businesses to achieve the three goals mentioned above.

**1\. Reducing Complexity**

As environments have grown more complex, a whole family of solutions has arisen around abstracting and simplifying the complexities of hybrid and multicloud environments. Businesses can now leverage options that will allow them to more easily manage technology stacks, manage controls and policies across environments, manage application development and deployment, instrument the environment to collect telemetry data, and monitor the environment for security, compliance, and fraud purposes.

These solutions generally abstract away the complexities of individual environments and provide businesses with an easy-to-use central console where they can leverage various components to build the workflows they need while satisfying necessary requirements. These solutions most often handle the translation and mapping from the logical components and workflows that the organization sets up to the physical implementations across various environments.

Having one centralized location in which technology, controls, policies, applications, APIs, telemetry, and other aspects of the infrastructure can be viewed, modified, audited, monitored, and reviewed gives businesses huge value when it comes to managing, operating, and maintaining complex, modern infrastructures.

**2\. Developing and Deploying Applications and APIs Anywhere at Speed**

Each year, more revenue moves to digital channels. As this happens, businesses need to remain competitive in a rapidly changing marketplace. An important part of remaining competitive is being able to deploy applications and APIs at the speed the business requires. Doing so requires having a good handle on the development life cycle across a variety of environments.

As environments have grown more complex, so has managing the life cycle of applications and APIs. Given this, it is not surprising that a crop of solutions has arisen around simplifying and managing the development and deployment of applications and APIs across multiple complex environments. Leveraging a solution that simplifies and standardizes the development and deployment of applications and APIs across a variety of environments can help businesses keep up with the demanding pace of the marketplace. This, in turn, allows businesses to be more competitive and to avoid losing revenue because they can't meet customer needs in the digital channels.

**3\. Protecting Applications and APIs From Threats**

As environments have grown more complex, so has protecting applications and APIs from security and fraud threats. It is logical, then, that solutions designed to facilitate API discovery, application and API protection, anti-bot/anti-automation across multiple complex environments have become popular of late.

First off, before we can protect our applications and APIs, we need to know what they are and where they are. Despite our best efforts to control and monitor the development and deployment life cycle, cases of infrastructure, applications, and APIs are always popping up without the knowledge or support of IT and security. It is because of this that discovery is so important.

Assuming we have a decent handle on what applications and APIs we have and where they are, we can move to focusing on protecting those applications and APIs from security and fraud threats. This includes protecting them from fraud/business logic abuse, unauthorized access, breaches, theft of PII or other sensitive data, and automated attacks.

This level of protection was difficult enough in the days of the enterprise network. With the complexity of today's environments, it has become even more difficult. This is another area in which businesses can look for solutions to help them discover their applications and APIs and protect them from a variety of threats.

The infrastructure complexities that modern businesses need to contend with are no laughing matter. That said, there are solutions that allow businesses to reduce complexity, develop and deploy applications and APIs anywhere at the speed the business requires, and protect those applications and APIs from security and fraud threats. It is no longer a fairy tale.

How APIs and Applications Can Live Happily Ever After

Military veterans tend to have the kind of skills that would make them effective cybersecurity professionals, but making the transition is not that easy.

Organizations are struggling to fill cybersecurity positions. That may be because they aren't utilizing security staff efficiently and so they need more people. It could also just be that the increase in threats means there is more work to be done. For whatever reason, organizations are casting a wider net to find talented and skilled professionals to staff up their security teams, and they are increasingly courting former military personnel.

"The level of training these individuals receive to protect our most critical infrastructure and carry out cyber operations against our adversaries goes far beyond most private sector offerings and is highly transferable to a career in the private sector," Carl Wright, chief commercial officer at AttackIQ, told Dark Reading earlier this year.

As an employee group, veterans exhibit characteristics that make them particularly well-suited for the cybersecurity workforce, the National Institute for Standards and Technology wrote in a special publication (SP1500-16) on helping veterans transition into private IT sector roles. "Their military experience has provided them with years of cybersecurity experience in 'live fire' scenarios, working on systems comparable to those found in the civilian work environment," according to the document. Veterans already possessing security clearances will also be very attractive as job candidates.

They may also have the requisite security certifications. Vendor-neutral certifications are particularly ubiquitous among military personnel, according to the most recent Cybersecurity Workforce Study from (ISC)2.

However, many veterans find making that switch from the military to private sector can be difficult. Veteran-hiring initiatives exist, both inside and outside of industry, but many of these programs are not discovered until too late, NIST said. "Veterans may not find information about these programs, may not see how their military experience translates to job-readiness in the private sector, or may need assistance in gaining certifications necessary to qualify for some private-sector cybersecurity roles," NIST said.

Veterans who did not work in cybersecurity while in the military still have valuable skills that they bring to the field, however. The military emphasizes teamwork, adaptability, and responsibility, all traits that security professionals need to have. Military personnel are also trained in careful decision-making even under extreme pressure using the available information. For example, Josh Smith, a cybersecurity analyst at Nuspire, told Dark Reading earlier this year how the same skills he relied on in the US Navy to ingest data, analyze what was received, disseminate the information to appropriate parties, and take action based on the findings translate to cybersecurity roles.

Earlier this year, the White House National Cyber Workforce and Education Summit issued a call to action to increase cybersecurity education and training opportunities. One of the announcements was to encourage more apprenticeship programs to help develop and train the cybersecurity workforce. In the months since, there have been a number of initiatives from cybersecurity organizations, including SANS Institute.

Many colleges and universities have training programs specifically to give veterans hands-on experience in various areas. Cybersecurity training platform Cybrary said this week it is partnering with VetSec, a community of over 3,300 veterans working in or transitioning into cybersecurity, and TechVets, a bridge service for moving veterans, service leavers, reservists, and their families into IT careers.

Private companies are partnering with veterans' organizations as well. For example, consulting giant Accenture offers a military veteran technology program, as does networking titan Cisco. Microsoft Software and Systems Academy (MSSA) was created to provide transitioning service members and veterans with career skills needed in the modern tech industry. Arctic Wolf, for example, works with the Department of Defense's SkillBridge program to provide a path to reentry into the workforce for those leaving the military.

Such efforts seem to be paying off. According to the US Department of Labor, unemployment among veterans is running nearly a full percentage point below the general population; in October 2022, only 2.7% of veterans were unemployed, compared to 3.6% overall.

Why Cybersecurity Should Highlight Veteran-Hiring Programs

Pretty much every aspect of the effort to create easy-to-understand labels for Internet-of-Things (IoT) products is up in the air, according to participants in the process.

The effort to create informative labels to give buyers insight into the cybersecurity of connected devices continues to advance, but very slowly, according to technology firms and the US government.

Last week, Google published a blog post outlining the company's stance on what should be included in product labels for Internet of Things (IoT) devices. It described five principles that should guide the industry, including a minimum security baseline, adherence to international standards, and allowing the label to change as knowledge of the security landscape changes. The need for a statement focusing on basics highlights the slow paces at which the standards are being developed.

One reason that IoT cybersecurity labelling standards are in their "early stages" is because the Internet of Things includes a massive number of products and categories, says Dave Kleidermacher, vice president of engineering for Android Security & Privacy at Google.

"Simplification of IoT security remains a challenge that the industry continues to work on," he says. "This is largely due to the fact that IoT has a broad spectrum of product categories like light bulbs and smart displays, which have very different levels of required security."

Google's published statement comes two weeks after the White House called together technologists from government and private industry for a summit on the progress in IoT labeling, and more than a year after the US National Institute of Standards and Technology (NIST) held its "Workshop on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software," an effort to create IoT product labels that communicate the security state of applications and connected devices.

Both meetings were striving to deliver on the Biden administration's May 2021 "Executive Order on Improving the Nation's Cybersecurity," which mandates developing standards. The goal of the latest meeting was to continue progress toward a nutrition label or an Energy Star-like system that speaks to the security of any connected device, the Biden administration said in a statement.

"\[The\] dialogue focused on how to best implement a national cybersecurity labeling program, drive improved security standards for Internet-enabled devices, and generate a globally recognized label," the White House said in an Oct. 20 statement. "Government and industry leaders discussed the importance of a trusted program to increase security across consumer devices that connect to the Internet by equipping devices with easily recognized labels to help consumers make more informed cybersecurity choices."

**No to Printed Labels, Yes to International Standards**

Progress is slow, Google stated in its blog post. Almost all of the details of IoT product labeling are up in the air, including "the definition of labeling, what labeling needs to convey in terms of security and privacy, where the label should reside, and how to achieve consumer acceptance."

Printed labels should be avoided, because security is ever-changing, and any label would only document a point in the past, Kleidermacher says.

"Labels need to be digital," he says. "Because the security posture of a device can change in a matter of days, providing a printed label could inadvertently hurt the user by providing potentially stale information or lead a consumer to buy a device which is no longer safe."

Google pointed to security label specifications being created by the IoT-focused Connectivity Standards Alliance (CSA) and the GSM Association, a mobile device industry group, as potential starting places.

"Being able to offer helpful, useful information to allow consumers to enable better purchase decisions is the core of the consensus building around IoT security labeling," Kleidermacher says. "The rest is still very much up for debate, including how the label should look — that is, binary or multi-level — where it should reside, and what the label should include."

**Binary Labels Get NIST's Nod**

One area of disagreement is whether labels should be binary — yes, a product meets standards, or no, it does not — or allow for a spectrum of cybersecurity ratings. In its final draft of its "Recommended Criteria for Cybersecurity Labeling for Consumer IoT Products," NIST recommended in September a binary label for the baseline standard. In a statement published in October, the Biden administration committed to quickly develop the standards for labeling of "the most common, and often most at-risk, technologies — routers and home cameras."

Google's Kleidermacher noted that the binary approach deviates from multitiered labeling schemes adopted in other countries, such as Singapore. The company hopes that the United States and other countries can work through industry alliances to create a standard global approach for attesting to cybersecurity.

"Because these organizations bridge industry and policy makers, we hope that this could help drive speedy adoption through collaboration, coordination, and the sharing of ideas," he says. "Many countries have already started mandating minimum security baselines through regulation efforts, so it is imperative that the United States participate in international discussions to create coherent, interoperable standards."

Source

DARKReading