CYBER
SECURITY ONLINE MAGAZINE
Smart Defenses Jobs & Degrees Artificial Intelligence
MAY 2017
Help make safe, safer. Are you up for the challenge? Learn more at verizon.com/CyberTalent
Verizon is an equal opportunity employer/disability/vet
001000111101010100100010001111101010101001010101010101000101010 010011110101010100100001010101010100101010101000100011101000101 001010010001010100001010101111010101001010101010100011000110110 010001001010101111010100001010101001001010100011010000110110101 001001010101111010100001010101001001010100011010100011110101010 100010001111101010101001010101010101000100101011111000011011010 00010010101011110101000010101010010010101001000111101010100100 100011111010101010010101010101010001010101010011110101010100100 010101111100001101101010001001010101111010100001010101001001010 001000111101010100100010001111101010101001010101010101000101010 010011110101010100100001010101010100101010101000100011101000101 001010010001010100001010101111010101001010101010100011000110110 010001001010101111010100001010101001001010100011010000110110101 001001010101111010100001010101001001010100011010100011110101010 The enemies storming your IT castle have cyber skills, 100010001111101010101001010101010101000100101011111000011011010 not catapults. You need more than strong walls to secure your treasure—intellectual property, customer data 00010010101011110101000010101010010010101001000111101010100100 and sensitive emails. 100011111010101010010101010101010001010101010011110101010100100 010101111100001101101010001001010101111010100001010101001001010 001000111101010100100010001111101010101001010101010101000101010 010011110101010100100001010101010100101010101000100011101000101 001010010001010100001010101111010101001010101010100011000110110
Your business is under siege. Reinforce it with CIS.
Confidence in the Connected World CIS is a non-profit sharing the collective knowledge and real-world experience of our members to fight cyber threats. Our tools and memberships safeguard thousands of organizations in industry, government and academia. → Download the Guide to the First 5 CIS Controls
www.cisecurity.org/first-5-controls
Powerful best practices A prioritized set of 20 cyber best practices protecting organizations from the most pervasive cyber attacks.
Harden your systems—fast Proven hardening guidelines and remediation to secure operating systems, software and networks on premises and in the cloud.
Protecting SLTT governments CIS is home to the Multi-State Information Sharing & Analysis Center, which offers free 24x7 cyber support for U.S. State, Local, Tribal and Territorial (SLTT) government entities.
Follow us on:
CYBER
SECURITY
DEVICE DEFENSE
Best safeguards include attention and diligence
FRIEND OR FOE?
Tips to hack-proof your cellphone’s data
INSIDE JOB
Thwart `back-door’ entries into your home’s networks
VOTER PROTECTION?
Russia’s footprint on 2016 election analyzed
GETTY IMAGES
8 10 12 16 20
DIGITAL ARMOR
Cybersecurity – what it is and its importance
COVER USA TODAY Cybersecurity magazine offers news and information on cybersecurity, including technology, useful tools, trends and advice.
4 cyberSECURITY
COVER ILLUSTRATION BY JERALD COUNCIL, GETTY IMAGES
Contents MAY 2017
24 28 32 36 40
EDITORIAL DIRECTOR Jeanette Barrett-Stokes jbstokes@usatoday.com
HOSTAGE SITUATION
CREATIVE DIRECTOR Jerald Council jcouncil@usatoday.com
Ransomware threatens your data and your wallet
MANAGING EDITOR Michelle Washington mjwashington@usatoday.com EDITORS Patricia Kime Elizabeth Neus Sara Schwartz Tracy L. Scott Debbie Williams
NOW HIRING
Help wanted postings for cyber-related jobs are plentiful
DESIGNERS Miranda Pellicano Gina Toole Saunders Lisa M. Zilka
CYBER DEGREES
INTERNS Antoinette D’Addario Rosalie Haizlett
Schools meeting demand for future crimefighters
CONTRIBUTING WRITERS Matt Alderton, Brian Barth, Mary Helen Berg, Brittany Shoot ADVERTISING VP, ADVERTISING Patrick Burke | (703) 854-5914 pburke@usatoday.com
ARTIFICIAL INTELLIGENCE
IBM’s Watson for Cyber Security takes on hackers
ACCOUNT DIRECTOR Justine Madden | (703) 854-5444 jmadden@usatoday.com FINANCE BILLING COORDINATOR Julie Marco
DAMAGE CONTROL
Public and private sectors remain on the offensive
FOLLOW US ON TWITTER
@usatodaymags
This is a product of
FOLLOW US ON INSTAGRAM
@usatodaymags
Without limiting the rights under copyright reserved herein, no part of this publication may be reproduced, stored in or reproduced in a retrieval system, or transmitted, in any form, or by means electronic, mechanical, photocopying, recording or otherwise without the written consent of USA TODAY. The editors and publisher are not responsible for any unsolicited materials. PUBLISHED IN THE USA
5
University of West Florida Securing your future, protecting our world. As the region’s hub for cybersecurity, the University of West Florida Center for Cybersecurity is propelling, promoting and expanding cybersecurity innovation and practice locally, nationally and globally through education, research and partnerships. Designated as a National Center of Academic Excellence in Cyber Defense Education by the National Security Agency and Department of Homeland Security, we’re bridging the gap between the real world and the cyber world. As the NSA-DHS CAE Regional Resource Center for the Southeast, UWF provides leadership to advance cyber defense education among colleges and universities in the Southeast. Learn more at uwf.edu/cybersecurity.
JUST BECAUSE YOU CAN TALK ABOUT IT, DOESN’T MEAN YOU CAN DO IT. The same is true with cyber security. Properly protecting and defending your organization requires deep technical skill. While most training programs are based on lecture and discussion, Cybersecurity Nexus™ (CSX) training is focused on practical, hands-on application and is conducted in a live network environment. And our CSX Practitioner certification tests and verifies your technical performance, not just your ability to answer questions. Because when it comes to protecting your organization, it’s not about what you know, it’s about what you can do. Visit www.isaca.org/csxcybersecurity for more information.
CYBERSECURITY
OVERVIEW
This Federal Trade Commission video explains what steps you should take if your personal information is exposed by a cyberattack.
Cyberintelligence
It’s a common term that encompasses many things, but what exactly does “cybersecurity” mean? Here’s what you need to know. B Y M AT T A L D E RT O N
8 cyberSECURITY
WHAT IS CYBERSECURITY? Cybersecurity is a digital suit of armor that protects individuals and companies from crimes perpetrated over the Internet. It encompasses hardware, software and best practices (e.g., antivirus programs, password protection, encryption, firewalls) that defend computers, mobile devices, networks and data from people trying to maliciously attack, damage or access them without permission. Everything from the password you use to unlock your cellphone to the chip implanted in your debit card are cybersecurity measures in place to help protect you.
GETTY IMAGES; FEDERAL TRADE COMMISSION
T
echnology is a tool you can use to share photos, find the perfect recipe, plan a vacation, map your morning run, pay bills, trade a stock, shop or binge-watch your favorite TV show. It can help you find a job, obtain a degree or meet your soul mate. But in the wrong hands, this tool can become a weapon, serving as a gateway for nefarious criminals to invade your life. Enter cybersecurity.
MS Cyber and Information Security DSc Cybersecurity
The stakes have never been higher. From protecting consumer privacy to preventing international incidents, cybersecurity is the single biggest issue facing IT today. Quite simply, there are too many threats. And, too few experts. At Capitol Technology University, we’re changing that. Capitol was one of the first schools to be designated a Center of Academic Excellence-Cyber Defense (CAE-CD). When you choose one of our cybersecurity graduate programs, you’ll benefit from: Top-notch professors — and a curriculum that includes professional competencies specified by the NSA and Dept. of Homeland Security. Interactive online classes — innovative real-time remote learning that helps you balance work and family. Accelerated programs — earn your MS in as little as 18 months or your DSc in as little as 3 years. Affordable tuition — reasonable tuition and fees, plus an array of financial aid options. When you’re ready to take the next step, you don’t want to take a risk. You can feel secure about continuing your education at Capitol.
Earn your degree in live online courses. Apply now.
CYBERSECURITY
PROTECTION
USA TODAY columnist Kim Komando offers tips on how to stay safe online. Get more of her advice at komando.com.
CYBER SAFETY Six steps to prevent hacking and boost online security BY KI M KO M A N D O
— USA TODAY reporter Elizabeth Weise contributed to this article.
10 cyberSECURITY
Experts suggest creating passwords that are easy to remember and comprised of numbers, letters and characters, making them more difficult for hackers to decipher.
GETTY IMAGES, USA TODAY
A
t this moment, someone wants your information. Hackers are attempting to access your email accounts, home address and Social Security number. They want to commandeer your webcam and break into your bank account. They are just waiting for you to slip up and give them a chance. There are simple ways to protect yourself. Follow these six steps to instantly improve your safety online:
PROTECTION
CYBERSECURITY
Strengthen your passwords
Set up two-factor ID
Delete old email accounts
A lowercase, six-character password takes a hacker around 10 minutes to decipher. Four more characters can extend the time of the heist by 45,000 years. Create unique passwords that are easy to remember. One trick is a “passphrase,” which is both a statement and a complex series of characters, such as “MySonWasBornOnAug12!” Change your password annually.
If a page asks you to name your first car or favorite food before you log in, that’s an example of twofactor identification, which adds an important layer of protection to your account. Also, set up instant alerts that inform you if your account is accessed from an unfamiliar device or locale. You’ll receive digital notification and instructions if someone asked to reset your password.
Spammy messages appear in your inbox, allegedly sent from your aunt. Why does she want you to click on these unfamiliar links? These messages are signs of a hacked account, often one no longer in use. These can contain more personal data than you realize, no matter how short-lived or how long they’ve been abandoned. It’s best to delete old accounts and inform your aunt, so she can do the same.
Check if your info has been stolen
Encrypt all of your messages
Cover your camera
How do you find out whether an account has already been hacked? At least one trusted site is dedicated to precisely this: haveibeenpwned.com sifts through your accounts in search of security breaches. Run your email address and username through the search field, and it will tell you if your login information has been linked to any breaches.
Encrypted messages are recommended because they can’t be digitally intercepted between the sender and recipient. End-to-end encryption scrambles your messages so that they can’t be read if someone other than the intended recipient receives them. Apps such as Facebook Messenger and WhatsApp automatically encrypt communications between users.
This keeps anyone from being able to covertly turn on the camera in your computer or device and use it to record you. At hacker conferences, it’s common to see little bits of paper taped over computer cameras. It’s a low-tech fix for a high-tech problem.
11
CYBERSECURITY
PROTECTION
Cellphone Safety Your mobile device can be used against you
W
eighing less than 5 ounces, Apple’s iPhone 7 knows whom you call and who calls you. It knows the content of your text messages and emails. It
12 cyberSECURITY
knows your banking passwords, the names of your friends and the date of your next doctor’s appointment. And if you’ve ever taken an explicit selfie, it even knows what you look like naked. “Your cellphone is
the most intimate thing in your life,” says security expert Bruce Schneier, author of Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. “It knows more about you than your significant >
GETTY IMAGES
B Y M ATT AL DE RT O N A N D T R A C Y L . S C O T T
Cybersecurity. Could you be doing more?
Cybersecurity is challenging, and clearly lots of companies aren’t getting it right. You’re doing what you can, but is there more?
Be sure to watch your watchers.
A breach through the front door is bad; a breach through the back door is worse.
You can only protect what you know you have and where you have it.
Patent leather shoes reflect up, don’t expose valuable resources.
Learn more with our free 12-page paper, The Common Sense Guide to Cybersecurity.
An ECN Company
If the moat has been breached, change the keys to the castle.
If you didn’t go looking for it, ignore it.
Never waste a good crisis to get additional budget.
Don’t give keys to the castle if all that’s needed are keys to the stable.
DOWNLOAD
© 2017 MIR3. All rights reserved.
CYBERSECURITY
PROTECTION
other does.” If you’re lucky and diligent, there’s a good chance your cellphone won’t ever be hacked. Unfortunately, if it does happen, you might
not immediately recognize the breach. To minimize the damage if your data is compromised, USA TODAY technology expert Marc Saltzman
suggests you “always make backups of your phone by connecting (it) to the computer or opting for ‘cloud’ backup.” If you realize your phone has been hacked,
“change your passwords immediately.” Check credit card and bank statements for suspicious activities and take action if any are found. l
“Your cellphone is the most intimate thing in your life ... It knows more about you than your significant other does.” – Bruce Schneier, security expert and author
Fight Hack Tips to mitigate security risks:
Experts suggest you
protect your smartphone just as you do your laptop. Avoid using public Wi-Fi signals that leave you vulnerable to hackers. “You can read news or stream music ... on a public Wi-Fi connection, but try to avoid doing online banking (or) shopping,” tech expert Marc Saltzman says.
14 cyberSECURITY
PROCEED WITH CAUTION Think twice before
clicking on links included in emails and text messages, and “stick with well-known and reputable app makers,” says Saltzman. “Don’t be the first to download a new app; read comments from previous (users first).” Be suspicious of phishing schemes. Your bank, Internet service provider or favorite store won’t ask you for personal data via text, email or phone call.
UPDATE OFTEN Many smartphones prompt you when operating system updates are available. While the process may commandeer your device momentarily, experts say this is for your own good. “Engineers always patch vulnerabilities or add new features to keep you safe,” Saltzman says. These updates will help keep hackers away from your private information.
GETTY IMAGES
SECURE YOUR SIGNAL
EARN YOCJR MASTER'S DECREE IN CVBERSECURITV
CYBERSECURITY
PROTECTION
SAFE AT HOME? Smart devices have created new conveniences — and new risks
H
aving a voiceactivated smart speaker in your home is like having a personal concierge. Whether you want to know the weather, hail an Uber or hear your favorite song, simply ask your Amazon Echo or Google Home. Your wish is their command. But what if your concierge could be kidnapped and turned against you? “Ultimately, any device you put in
16 cyberSECURITY
your home that’s connected to the Internet is at risk,” says Gary Davis, chief consumer security evangelist for Intel Security, a software company based in California. A 2014 study by Hewlett-Packard examined 10 of the most popular smarthome devices and found an average of 25 security vulnerabilities on each. A 2015 analysis of 50 devices by Symantec, a leading cybersecurity company based in Virginia,
likewise found at least one security flaw in all of them. For consumers, the message is clear: “Smart” isn’t always “safe.” Here are some ways your smart-home devices can put you at risk:
INFORMATION SHARING “There’s a concern about what information these connected devices are collecting,” says attorney Christopher Dore, a partner at Edelson PC, a Chicago-based law
firm that specializes in class-action lawsuits against consumer technology companies. Even seemingly mundane facts could become a liability. For example, the company that makes your smart refrigerator could collect data about your diet and sell that to your insurance company, which could use the details to raise your premiums. In a real-life scenario, law enforcement officials in Arkansas subpoenaed an >
GETTY IMAGES
BY M AT T A L D E RT O N
PROTECTION
CYBERSECURITY
5 Trustworthy Smart-Home Devices There’s no such thing as a hack-proof device, but you can increase your home’s smart security by choosing those with built-in safety features from manufacturers with good cybersecurity track records. Here are five: B Y M ATT AL D E RT O N
ASKED AND ANSWERED
If you need to know the weather or want to hear a song, ask Amazon’s Echo. You’ll quickly have a response from this smart speaker that has numerous security features. For example, you can turn off its listening function and delete your Alexa command history using its companion app. $179.99
HEATING THINGS UP The Nest Learning Thermostat, which adapts to your life and programs itself, features “Secure Boot” technology that blocks incompatible or malicious software, ensuring that only Nest’s software is running on the device. $249
LIGHT UP YOUR LIFE
Illiminate the house while you’re away to keep would-be burglars at bay. Philips Hue white and color ambiance A19 starter kit allows you to control lighting away from home. In 2016, security researchers demonstrated how Philips Hue smart bulbs could be hacked from as far as 400 meters. Proving its commitment to security and transparency, the company worked with the researchers to quickly engineer a fix. $199.99
PROVIDED BY THE COMPANIES
A MUST-SEE TV
In addition to offering true-to-life color, the Samsung QN65Q7F flat 65-inch 4K ultra HD smart QLED TV now comes with GAIA, a three-layer security solution that’s designed to safeguard all areas of the smart TV ecosystem, including its connected services, software and hardware. $3,499.99
SECURITY IS KEY
August Smart Lock, Apple HomeKit Enabled lets you lock and unlock your door with a digital instead of physical key. Because it has to comply with Apple’s stringent security requirements — which mandate end-to-end encryption of information shared between smart-home and Apple devices — its HomeKit edition enjoys an inherent security advantage. $229 17
PROTECTION
Echo owner to turn over its recordings, hoping the audio would lead them to an arrest in a murder case.
DEVICE HIJACKING During a 2016 conference, Davis learned how hackers could remotely install ransomware on a connected thermostat. In the middle of summer, they could set the thermostat to 99 degrees and refuse to unlock it until the owner pays. They could even program smart lights to create a strobe effect that could cause an epileptic seizure. The potential for similar scenarios is endless.
NETWORK PENETRATION Davis says hackers could 18 cyberSECURITY
use connected devices as “back doors” into your home network. Once inside, they can traverse your wireless router to get inside your computer or smartphone — and access all the information inside them, including usernames, passwords to banking and e-commerce sites, Social Security numbers and personal photos.
DDOS ATTACKS Distributed denial of service attacks, or DDOS, occur when hackers virtually disable companies by inundating websites with traffic from multiple sources — and they use your smarthome devices to do it. The downside for homeowners could be restricted access
to video-streaming services or social media platforms, as was the case in October 2016, when an attack utilizing more than 100,000 connected devices such as DVRs and printers blocked access to Twitter, Netflix, Amazon, PayPal and other popular sites. Ultimately, however, experts say the best way to protect yourself might be the simplest: Don’t buy technology you don’t really need. “In the technological world, it takes a certain amount of skepticism to protect yourself,” Dore concludes. “Maybe you can tell you’re out of milk without a Wi-Fi-connected fridge. Just open the door.” l
GETTY IMAGES
CYBERSECURITY
Securing the Internet of Things Disruptive trends like the IoT increase productivity and business agility and also increase risks, vulnerabilities, and uncertainties. The Allegro suite of IoT security and connectivity toolkits enable development teams to take a proactive approach to IoT threats. Allegro’s embedded software components are FIPS validated solutions that speed your time to market and reduce your risk. Learn how to increase your security presence and reduce the exposure of your IoT ecosystem to hacks, breaches, data theft, and ruined reputations by downloading Allegro’s white paper “7 Key Elements of Proactive IoT Security”.
DOWNLOAD by texting secure-iot to 44222 or visit bit.ly/secure-iot
CYBERSECURITY
ELECTIONS
Lessons Learned
Can the U.S. government avoid future election interference? B Y BR I A N BA RT H
I
20 cyberSECURITY
GETTY IMAGES
FBI Director James Comey says his agency is investigating whether the Trump administration was involved with Russia’s effort to influence the presidential election.
to foreign propaganda conducted through cyberespionage. Cybersecurity experts highlight two primary concerns in the aftermath of the Russian influence campaign: the possibility of tampering with electronic voting machines; and the vulnerability of political organizations to hacking. According to the intelligence community, hacks on voting systems were attempted in 2016 but were not successful. Yet it
“Political organizations cannot rely on personal cybersecurity measures to protect a campaign.” –Simon Crosby, co-founder of the cybersecurity firm Bromium
could easily happen in the future. “One of the lessons of the 2016 election was that the election system itself is a form of critical cyber infra-
structure that the government needs to protect,” says professor J. Alex Halderman, an expert on electronic voting security at the University of Michigan. Vote recounts carried out in three closely contested states — Michigan, Wisconsin and Pennsylvania — found no evidence of fraud. The ODNI report found that none of the Russian attempts to crack local and state boards of election touched vote-tallying equipment. >
THE DES MOINES REGISTER, GETTY IMAGES, EPA, USA TODAY
n January, just weeks before Donald Trump was sworn in as the nation’s 45th president, the Office of the Director of National Intelligence (ODNI) — which oversees U.S. civilian intelligence activities — stated that Russia had conducted an “influence campaign” in the months leading up to the election, with the intent of damaging Hillary Clinton’s candidacy and undercutting citizens’ trust in the system. Whether the effort, which was reportedly sanctioned by Russian President Vladimir Putin, actually benefitted Trump may never be known, but FBI Director James Comey has confirmed that his agency is investigating the matter. “The FBI ... is investigating the Russian government’s efforts to interfere in the 2016 presidential election and that includes investigating the nature of any links between individuals associated with the Trump campaign and the Russian government,” Comey said at a House Intelligence Committee hearing in March. Though the investigation is ongoing, one thing is already very clear: The U.S. government and the electoral process are painfully vulnerable
you
r fr Click ee Gr here ad ua to re te Stu ceive de nt Gu
ide
Further your education. Earn your MBA with a concentration in
CYBER SECURITY MBA program graduates who complete this concentration will balance information availability with information security at a time when there is a vast amount of data being collected and stored electronically. Graduates will be prepared to assess and manage risk by identifying security threats and vulnerabilities, and then designing and implementing appropriate safeguards and controls. This concentration is also designed to align with industry standards for Information Security best practices set forth by the National Institute of Standards and Technology.
Apply today! www.stritch.edu/apply Available 100% online! www.stritch.edu/MBA OUR MISSION IS TO HELP YOU FIND YOURS.
!
ELECTIONS
The challenges of figuring out which precincts to target and how to covertly access voting machines, which are never connected directly to the Internet, likely prevented a major hack in 2016, says Halderman, who suggests such an intrusion is inevitable. “It’s only a matter of time until we see successful cyberattacks on voting machines,” he adds. Other attacks did obtain private information from the Democratic National Committee (DNC) and influential politicians. The perpetrators — most affiliated with Russian intelligence — used phishing scams to distribute malware and gain access to emails, which were given to WikiLeaks, which made them public. Unlike many large corporations and government agencies, most political organizations lack robust cybersecurity protocols to ward off such attacks. “There is a fundamental lesson to be learned, which is that political organizations cannot rely on personal cybersecurity
22 cyberSECURITY
Local elections were not affected by Russian interference, say experts, who suggest paper ballots may be preferred in the future.
measures to protect a campaign,” says Simon Crosby, cofounder of the California-based cybersecurity firm Bromium. “At the very least, each party should run its own national cybersecurity infrastructure.” As the DNC learned, it takes only one unsuspecting person to click on a hacker’s malevolent link. When there are hundreds of employees and volunteers with access to an email system, it is next to impossible to ensure that nobody takes the bait. To prevent voting machine fraud, Halderman recommends reverting to paper ballots, which are still used in many locales, and instituting a man-
LESSON: The election system is a form of critical cyber infrastructure.
datory auditing system for every election. Instead of moving in that direction, “there has been an effort in Congress to eliminate the U.S. Election Assistance Commission, the federal body that provides the most oversight on voting technology,” he says. As for hacking campaign email accounts, Crosby says mandating two-factor authentication or installing virtualizationstyle software, which isolates any malware and effectively quar-
antines the damage, would decrease risks. The DNC recently implemented twofactor authentication in addition to establishing a cybersecurity advisory board. A cybersecurity executive order Trump postponed signing in January, would require federal agencies to review their cyber vulnerabilities and proposes consolidating responsibility for cybersecurity within a single agency. “A security mindset is beginning to take hold in the federal government,” says Crosby. “We’ve learned that the most vulnerable assets of a democratic society are not in private enterprise but within the government, so we have to begin acting that way.” Comey suggests Americans aren’t the only ones who may have learned from the election interference. “One of the lessons (Russian hackers) may draw from this is that they were successful because they introduced chaos and division and discord and sowed doubt about the nature of this amazing country.” l
GETTY IMAGES
CYBERSECURITY
4.5 Million Job Openings worldwide in IT and Cybersecurity Evolving a Cyberworld workforce to meet this demand
Cultivates and validates certified and competent talent ENTERPRISE SOLUTIONS
Is your IT Department trained and prepared to defend your valuable data? • Training and Certification Cyberworld's Customized Strategic Training Plan • Cyber Resiliency
For more information about securing your enterprise today
BUSINESS SOLUTIONS
Hackers view small businesses as easy targets. According to statistics from the National Cyber Security Alliance: • More than 70% of cyber-attacks target small businesses with 100 employees or less. • Nearly 50% of small businesses have been impacted by a cyber-attack. • More than 75% of employees leave their computers unsecured. • Almost 60% of hacked small to medium-sized businesses go out of business after six months
For more information about Securing your business today
INDIVIDUAL SOLUTIONS
The demand for cybersecurity is expected to rise to 6 million globally, with a projected shortfall to hit 1.5 million by the year 2019. The call for skilled and certified professional is outpacing the supply. The need is present and urgent. Constant change and innovation is creating boundless opportunities for IT professionals, especially those with industry training and certification credentials. - Source: Michael Brown, Former CEO at Symantec
If you are: • A curiosity seeker with a passion for learning. • An adventurous intellectual open to new challenges. • A creative thinker with no limits to problem solving. • A determined competitor with the ability to meet new challenges and tackle obstacles. • A spirited Cyber warrior with the talent to understand the hacker mind and counter the attack.
For more information about securing the future today
CYBERSECURITY
AT RISK
Holding Your Data Hostage Costly ransomware attacks are on the rise B Y B RITTAN Y S HOOT
R
24 cyberSECURITY
“Avoid unknown links, ads or websites, and don’t download unverified attachments or apps.”
–Trevor Hawthorn, chief technology officer at Wombat Security Technologies
byterian Medical Center paid $17,000 to hackers who gained control of the hospital’s computer systems and prevented staff from communicating from affected devices. To make matters worse, there’s evidence that meeting hackers’ monetary requirements doesn’t necessarily restore all the information that was compromised or guarantee protection from future breaches. >
52%
OF AMERICANS SURVEYED IN A 2017 STUDY WERE UNABLE TO GUESS WHAT RANSOMWARE IS SOURCE: WOMBAT SECURITY
GETTY IMAGES
ansomware attacks — security breaches in which a malicious malefactor holds another’s data and technology systems hostage until a payment is made — continue to increase in frequency, demanding higher monetary amounts from victims. According to a December IBM study, “70 percent of businesses infected with ransomware have paid ransom to regain access to business data and systems.” Along with major corporations, health care systems and educational institutions are often prime targets. Being offline causes critical disruptions to patient care and student services, which leaves these facilities scrambling to quickly pay the staggering six- or seven-figure ransom demands and protect the personal information of those they serve. Last year, Hollywood Pres-
Lead in Cybersecurity / Information Assurance with the degree that gets you noticed. The National Security Agency and
Bellevue University’s Center for Cybersecurity
Department of Homeland Security
Education offers degrees designed to meet the
have designated Bellevue University
needs of top hiring agencies in the public and
a National Center of Academic
private sectors.
Excellence in Information Assurance/Cybersecurity.
These agencies need people now. They need you.
When you enroll in one of Bellevue University’s career-relevant and recognized degree programs, you learn 100% online from professors with real-world experience. Plus, you gain the knowledge you need to make a difference in this important, growing field. Then, you’ll be the one they seek out to lead.
Bachelor’s and Master’s Degrees Cybersecurity Computer Information Systems International Security and Intelligence Studies
Certificates of Completion Cybersecurity Strategic Deterrence Information Security Management
MBA/MSMIS with Concentrations Cybersecurity and Information Security Management
Learn more now at bellevue.edu. A non-profit university, Bellevue University is accredited by The Higher Learning Commission through the U.S. Department of Education. • hlcommission.org • 800-621-7440. Bellevue University does not discriminate on the basis of age, race, color, religion, sex, national origin, or disability in the educational programs and activities it operates.
AT RISK
“There is a misconception that if you are victim of a ransomware attack, you will be able to fully restore and access your files simply by paying the price,” says Trevor Hawthorn, chief technology officer at Wombat Security Technologies, a security awareness and training provider in Pittsburgh. “There have been known instances of ransomware with critical flaws that render data unrecoverable or requests for additional, larger payments.” Though primarily a crime targeted toward organizations that are more likely to pay the large amounts criminals demand, individuals are also at risk. “We were getting ready for a trip, so I 26 cyberSECURITY
was busy. I was expecting a package so I thought nothing of opening an email that said there was a situa-
Trevor Hawthorn, of Wombat Security, warns that paying ransom doesn’t always protect against future attacks.
tion with the delivery,” says Saundra Martinez. After returning home, she discovered the link she accessed was a ransomware trap and the files on her computer had been encrypted. Criminals wanted $2,000, says Martinez, who refused to pay.
Instead, she deleted software and files, then called people to ask them to resend things. “Many people told me they understood because it had happened to them,” she adds. The IBM study found that nearly 40 percent of all spam sent in 2016 contained ransomware attachments. Despite the increasing urgency of understanding and preventing ransomware attacks, 52 percent of those surveyed in the U.S. are unable to even guess what ransomware is, according to the January 2017 State of the Phish report by Wombat Security. To thwart ransomware attempts, Hawthorn says vigilance is crucial. “Avoid
unknown links, ads or websites, and don’t download unverified attachments or apps,” he suggests. “Keep software up to date and patch any known vulnerabilities.” Because paying ransomware does not guarantee your files will be restored, he suggests backing up files to a secure location daily, or even hourly. Jeremiah Grossman, chief of security strategy at Californiabased cybersecurity firm SentinelOne, likens ransomware attacks to high seas piracy, with valuable treasures at risk, but Martinez describes it another way: “It’s just plain wicked.” l – USA TODAY reporter Elizabeth Weise contributed to this story.
GETTY IMAGES; PROVIDED BY TREVOR HAWTHORN
CYBERSECURITY
Innovation. Success. Career.
Information Security Professionals Are you interested in becoming a member of a company that is leading the world in financial services and technology? Every day at TSYS we are on the front line, helping credit card customers around the globe. Our team has a passion for putting people at the center of every interaction. If you’re ready to continue your career with development opportunities, then it’s time for you to apply for a position with TSYS. What’s in it for me? • Base salary • Full benefits package • Career growth opportunities Bonus points: • Casual dress in a fun, secure work environment • Rewards & recognition program • Family-oriented company which supports work-life balance © 2017 Total System Services, Inc.® All rights reserved worldwide. Inc.
Get to know us at tsys.com/careers
INFORMATION SECURITY IS RISKY BUSINESS. Your skills shouldn’t be. EARN YOUR M.S. IN CYBERSECURITY • 100% online curriculum • Taught by leading industry experts • Stackable certificate options for degree completion Additional online master’s programs available in Criminal Justice and Public Administration
M.S. IN CYBERSECURITY Learn more at grad.rwu.edu/cyber
CYBERSECURITY
AT RISK
Wanted: Cybercrime Fighters Threats are on the rise, but the number of experts working to thwart attacks isn’t BY MARY H EL EN B ERG
28 cyberSECURITY
Ready for the Fight Many efforts are underway to recruit and educate a new generation of cybersecurity experts. For example: EARLY START
A cybersecurity curriculum for K-12 students is now available through a partnership of the Department of Homeland Security (DHS) and the National Integrated Cyber Education Research Center (NICERC).
HIGHER LEARNING
More than 200 colleges offer cyber-related degrees recognized by DHS and the National Security Agency.
GETTY IMAGES
T
he number and frequency of malicious cyber incidents are increasing, and trained specialists who can stop these crimes are still in short supply, putting individuals, industries and governments at risk worldwide, says Stuart Madnick, professor of information technologies at Massachusetts Institute of Technology’s Sloan School of Management. “The bad guys are learning faster than the good guys,” Madnick says. “The worst is yet to come.” Will we be ready? There were more than 1 million unfilled cybersecurity jobs worldwide in 2015, according to a Cisco Systems report. If the trend continues, up to 2 million cyber-defense jobs across the globe could go unfilled by 2019, according to a McAfee study conducted for the Center for Strategic and International Studies. In 2015, 209,000 cybersecurity jobs were left vacant in the U.S., according to Stanford University’s Peninsula Press, which analyzed Bureau of Labor Statistics numbers. However, experts hope greater awareness of cybercrime will increase interest in cybersecurity careers, reducing the current talent deficit. Experts expect cybersecurity jobs to be plentiful, increasing by 18 percent through 2024, much faster than other occupations. But without a trained workforce, those positions will remain unfilled. The cybersecurity talent gap actually narrowed >
Get advanced Degrees in Cyber Security at Dakota State University! DSU’s Doctorate in Cyber Security focuses on legal issues, networking, wireless security, applied cryptography, cellular mobile, and advanced topics and skills in the areas of software exploitation, malicious code, and reverse engineering. These technologies and techniques are critical to intelligence, military and law enforcement organizations, as well as to employers in data-intensive industries and academia. DSU’s Master’s in Information Assurance and Security emphasizes information security and protection through computer forensics and intrusion detection. Learn to prevent digital attacks, and develop security strategies for all aspects of your networks. DSU also offers other tech infused and industry distinguished degrees including:
• Doctorate of Science in Information Systems • Master of Science in Information Systems • Master of Science in Applied Computer Science • Master of Science in Health Infomatics • Master of Science in Analytics
Visit us online at:
dsucyber.com
Bachelor of Science in
Information Technology
GAwebBSIT.org
Flexible. Powerful. Reputable. Earn a Bachelor of Science Degree online through the WebBSIT program, a collaborative program from Clayton State University, Columbus State University, Georgia Southern University and Georgia Southwestern State University.
AT RISK
slightly in the U.S in 2016. Part of that uptick may have been the result of a push from the federal government. Last year, the White House hired 6,000 cyber workers as part of its initiative to fill the critical positions by January 2017. Despite those strides, the demand for these experts still far outpaces supply, according to data from the jobs site Indeed.com. “We’re particularly concerned about (cyberattacks) to the physical (U.S.) infrastructure,” Madnick says. Such attacks would result in tangible damage, such as causing an oil refinery explosion or a grid blackout. 30 cyberSECURITY
“The bad guys are learning faster than the good guys. The worst is yet to come.” — Stuart Madnick, professor of information technologies at MIT’s Sloan School of Management
“There’ve been without robust cyberrelatively few of these security hesitate to events so far, but introduce new prodthere’s no technologiucts and initiatives cal reason why they because they fear couldn’t happen being hacked. more frequent“That’s a di18% ly,” he adds. saster in this The expected There’s fast-moving growth rate of also the fear business cybersecurity jobs that cyberatenvironment,” through 2024 tacks can stall Martino says. the economy, That shortage says Steve Martino, of cybersecurity chief information seexperts is negatively curity officer at Cisco impacting innovation, Systems. Security he adds. breaches mean lost Ultimately, if there revenue and customaren’t enough trained ers, so organizations workers to fight cy-
berattacks, the battle against harmful technology may be fought with technology itself, Madnick notes. IBM announced in February that its Watson supercomputer is ready to take on cyberthreats. Adding Watson to the cybersecurity workforce is the equivalent of “hundreds, thousands, even millions of bodies,” Madnick says. But the industry isn’t resting all its hopes on technology; several organizations and universities are working to train the next wave of IT professionals. These programs, combined with frequent news of cyberattacks, seem to be reaching millennials who are showing increased interest in the cybersecurity field, according to a Raytheon survey conducted with the nonprofit online safety advocacy group, National Cyber Security Alliance. “Young people must come to understand that a career in cybersecurity is a lucrative and worthwhile option,” the Raytheon report reads. “Failure to (fill these positions) is not an option worth considering.” l
GETTY IMAGES
CYBERSECURITY
CYBERSECURITY
EDUCATION
Learn and Protect Where to earn a cyber degree B Y D I AN A L A M BD I N M E Y E R
CALIFORNIA STATE UNIVERSITY-SAN BERNARDINO (CDE) Bachelor of Science in administration with emphasis in cybersecurity; Master of Science in national cybersecurity studies; Master of Business Administration with a focus in cybersecurity
32 cyberSECURITY
mation assurance education (IAE), cyber defense education (CDE) or cyber defense research (R). These schools offer courses in security for computer networks, policy development and more. Here are a few schools and the degrees they offer:
DEPAUL UNIVERSITY, CHICAGO (CDE) Bachelor, Master or combined Bachelor/Master of Science in cybersecurity
GEORGE WASHINGTON UNIVERSITY, WASHINGTON, D.C. (R) Bachelor of Arts and Bachelor of Science in computer science; Master of Science in cybersecurity in computer science; Ph.D. in computer science
PROVIDED BY THE INSTITUTIONS
I
nformation security is now a full-blown profession with more than 200 institutions offering cybersecurity programs designated as National Security Agency/ Department of Homeland Security Centers of Academic Excellence in infor-
McCrary Institute
The Charles D. McCrary Institute for Critical Infrastructure Protection and Cyber Systems at Auburn University conducts advanced research and development focused on the security of critical infrastructure and cyber systems. Drawing on the expertise of Auburn’s leading faculty and graduate researchers, the institute carries out innovative, peer-reviewed research to advance the body of knowledge in these fields and protect our critical systems from external threats. The institute’s mission includes an emphasis on practical, transferable knowledge and results, as well as meaningful service and outreach to its stakeholders, which include state and nation-wide residents and entities.
Focus Areas • Critical Infrastructure Security, Protection and Operations • Smart Grid Research and Development • Responsible Development and Conservation of Natural Resources • Secure Systems Engineering • Tactical Systems Cyber Security • Psycho-Social Cyber and Institutional Security • Cyber Security and Forensics of the Internet of Things and
Industrial Control Systems
Work With Us The McCrary Institute offers its expertise to both public and private organizations to address real-world challenges. In funded research and development efforts, faculty and students work together with industrial and government collaborators on programs tailored to the institute’s areas of competency and the customer’s needs. Auburn professors are highly engaged in practical and applied research and development that addresses strategic, time-to-market and technology roadmap advancement of organizations with which the institute partners. We work with partner organizations in many ways, including through subcontracts, direct contract work, grants and Faculty Acceleration Awards. Contact us to see how we can leverage the McCrary Institute’s expertise in these areas with your organization’s research and development needs.
mccrary.auburn.edu
mccrary-institute@eng.auburn.edu
334.844.6360
EDUCATION
HAMPTON UNIVERSITY, HAMPTON, VA (CDE, IAE) Master of Science in computer science; Master of Science in information assurance
IOWA STATE UNIVERSITY (CDE, R) Master of Science in information assurance; Ph.D. in computer science with emphasis in information assurance; Ph.D. in computer engineering with emphasis in information assurance; Ph.D. in math with emphasis in information assurance
UNIVERSITY OF COLORADOCOLORADO SPRINGS (CDE, IAE) Master of Engineering with emphasis in information assurance; Ph.D. in engineering with emphasis in security
UNIVERSITY OF IDAHO (CDE)
UNIVERSITY OF PITTSBURGH (CDE, R)
UNIVERSITY OF NEW ORLEANS (R)
Bachelor and Master of Science; Ph.D. in computer science with emphasis in information assurance
Bachelor of Science in information sciences with specialization in networks and security; Master of Science in telecommunications; Ph.D. in information science
Bachelor of Science; Master of Science; Ph.D. in computer science
34 cyberSECURITY
PROVIDED BY THE INSTITUTIONS
CYBERSECURITY
A NEW LANDSCAPE are you ready? The growth of the Information Technology field has created a vast array of career possibilities from web design and cyber security to computer programming and software development. There’s never been a better time to explore these disciplines, and at Sullivan University, we’re training the next wave of professionals.
Our Programs Include: Associate of Science in Network Security Associate of Science in Computer Forensics Bachelor of Science in Network Security Bachelor of Science in Computer Forensics Master of Science in Cyber Security (no GRE required)*
sullivan.edu
For more information about program successes in graduation rates, placement rates and occupations, please visit: sullivan.edu/programsuccess.
CYBERSECURITY
SOLUTIONS
Cognitive Genius
IBM’s Watson technology analyzes big data to assist in cybersecurity B Y B RIT TA N Y S H O O T
M
any companies are short on the manpower needed to effectively defend against cyberattacks using malware. The problem can remain undetected for months or longer as hackers steal critical data that can be used to wreak havoc. This leaves organizations more vulnerable at a time when cyberthreats are on the rise. “The security industry is facing a workforce shortage of 1.5 million by 2020, and security analysts are inundated with massive amounts of data to sift through to pinpoint threats,” says Caleb Barlow, vice president at IBM Security. IBM’s Watson for Cyber Security (WCS) may help fill the void with artifi-
36 cyberSECURITY
cial intelligence technology that allows federal agencies and companies to identify threats 50 percent faster than without the supercomputer. To do the best job, companies need a workhorse computing system that can help mere humans sort overwhelming amounts of information. Watson, named for IBM’s first CEO, Thomas J. Watson, already assists H&R Block tax preparers in finding deductions for customers; it also helps health care centers such as the Cleveland Clinic enhance patient care. Created to process, analyze and learn from information just as people do, Watson also ingests tweets, research reports and other data at a blistering rate of 800 million pages per second. >
IBM
IBM’s Watson can understand and reason and learn about constantly evolving cyberthreats.
CYBER DEFENSE FOR TODAY & TOMORROW Government networks, often a mix of systems from various hardware vendors, are collecting millions of bits of information, every second—every day. Only the most simplistic network signals alarm us to discrepancies—often after a breach has occurred. A comprehensive Cyber Defense strategy is needed. Carahsoft® and Ciena®, an industry-leader in packet and optical networking, have partnered to bring high-performance assured networking solutions to the Federal Government and help support military, defense, and civilian agencies to shore up cyber resilience, increase the efficiency of network operations, and enable virtualization of network functions.
Learn more at carahsoft.com or
call toll free 888-662-2724 © 2017 Ciena Corporation. All rights reserved
Download the Internet’s Most Complete Bug Bounty Manual Free! Learn how to plan, launch and operate a successful bug bounty program.
FILL YOUR CYBER SKILLS GAP CYBER SECURITY TRAINING AND CERTIFICATION PREP COURSES FOR THE MODERN WORKFORCE.
DOWNLOAD MANUAL
VIEW OUR COURSES
SOLUTIONS
In December 2016, several dozen global leaders in various fields joined the Watson for Cyber Security beta program, testing and improving Watson’s ability to assist in fighting cybercrime. The feedback was used to help develop the WCS cognitive security technology, released in February and now available for companies that want to purchase its computing power. To be trained in the language of cybersecurity, WCS processed more than a million documents to learn how to identify suspicious behavior and alert users to possible malicious activity. Among other capabilities, WCS can provide background informa-
800 MILLION
38 cyberSECURITY
tion on types of malware employed on a system, which vulnerabilities are being exploited and the scope of the threat to an organization. With cybersecurity threats coming from many directions and in different forms, fighting off possible breaches and attacks with the help of a specially trained cognitive computer is a crucial element in the future fight against cybercrime. “By bringing the power of man and machine together with Watson,” adds Barlow, “we can create security systems that can reason and learn, bringing the most relevant information to security analysts’ fingertips to help them outthink hackers.” l
Pages per second ingested by Watson to analyze and learn information. SOURCE: IBM
“The security industry is facing a workforce shortage of 1.5 million by 2020, and security analysts are inundated with massive amounts of data to sift through to pinpoint threats.” — Caleb Barlow, vice president at IBM Security
Read more about the cybersecurity employee shortage on page 28.
IBM’s Watson helps security experts identify threats faster.
Watson’s artificial intelligence is also used to help calculate tax returns, assist medical facilities and more. SOURCE: IBM
MITRO HOOD/IBM
CYBERSECURITY
Finding the right
Cybersecurity Talent
is a board level imperative. Cybersecurity Executive Search Specialists and build world class teams. It is all we do . Over 30 years of trusted relationships, knowledge & access
Tailored Network Deep Industry Knowledge
Built the largest network women in cybersecurity
Expert Recruiters
www.altaassociates.com
HELP US PROTECT THE MISSION OF CARE At CynergisTek, our consultants are helping healthcare organizations secure their systems, protect their valuable data and ensure that they are able to do what they do best – care for patients. We are rapidly growing nationwide and looking for talented professionals interested in healthcare cybersecurity, privacy or compliance to join our team. Learn more about our organization and submit your resume at cynergistek.com/careers
CynergisTek won the 2017 Best in KLAS award for Cyber Security Advisory Services.
CYBERSECURITY
ENDGAME
Serious Threat
Trump administration, government still devising cybersecurity strategy
B
reaches of the Office of Personnel Management and the IRS by hackers in recent years, and the exposure of the CIA’s own hacking practices by WikiLeaks, are evidence that U.S. government agencies are as vulnerable to cyberattacks as breached companies that have unwittingly exposed customers’ personal information. No matter the type of organization, the increase in cyberthreats is a concern for most, but many are still at a loss as to how to handle them. “The cyberthreats we face are enormous. I don’t know if we can stay ahead of them. To say otherwise would be hubris,” said FBI Director James Comey at a Boston College cybersecurity conference in March. “We may not know enough. We may not be smart enough; we may not be fast enough,” he added, referring to the FBI’s cyber defense strategy. The FBI informed the Democratic National Committee about Russia’s intrusion into their cyber infrastructure in 2015. It took 10 months for the FBI to receive forensic analysis of the hack, Comey said during a House committee hearing in March. The breach, which publicized DNC emails during a contentious general election, represented an unprecedented attempt to influence an election and underscored a lack of
40 cyberSECURITY
urgency in the collective response to it. Though Comey deemed cybersecurity a “priority for every enterprise of the United States at all levels,” President Trump hasn’t yet presented a national cybersecurity strategy. Trump postponed signing a cybersecurity executive order in January and failed to meet a self-imposed deadline to have a cyber team in place within 90 days of taking office. A modified executive order on cybersecurity was expected in late April, but is seemingly still in the works. However, Trump has taken action to protect the nation’s digital infrastructure by appointing Tom Bossert as his homeland security adviser. “We need to tackle the notion of securing our nation and the American people, and cybersecurity is the area where we talk about it quite a bit, but we have not yet gotten serious,” Bossert said in March at a Center for Strategic and International Studies cybersecurity summit in Washington, D.C. “The idea, from my perspective, is to take the Cabinet, bring them together very seriously ... and figure out how we’re going to share information responsibly with our allies and how we are going to deter our adversaries. That is a stated objective. This administration will take it seriously.” — USA TODAY reporter Kevin Johnson contributed to this article.
GETTY IMAGES
B Y B RI TTAN Y SHO O T A N D T R A C Y L . S C O T T
Protect yourself from cyber attack
Contact us to book Marc Goodman, one of the world’s leading authorities on global security. speakers@penguinrandomhouse.com (212) 572-2013 • prhspeakers.com
Use ISO/IEC 27001, 27017 and 27018 to shield your systems GET CERTIFIED
“Marc Goodman’s presentation on the future of crime was the chilling awakening our audience didn’t know they needed. . . . There’s no doubt everyone in the room learned something new.” —Association of Certified Fraud Examiners Available in paperback and eBook. AnchorBooks.com
18-19 OCTOBER 2017 MCCORMICK PLACE, CHICAGO CYBERSECURITY-CHICAGO.COM Protect your organization from cyber criminals.
Stay ahead of cyberthreats. Book your trip early.
RSA Conference 2018. April 16-20. RSA Conference is the who’s who of cybersecurity. Rub shoulders with industry leaders as you engage in five intensive days of learning. You’ll experience expert-led sessions and inspiring keynotes. Hands-on breakout sessions. Cutting-edge products and solutions. And much more. It’s the latest in cybersecurity, and beyond. Register your interest for RSA Conference 2018 and we’ll provide you with a discount code for $100 off the Early Bird rate.*
Go to rsaconference.com/2018USRYI and register your interest today!
Save the dates!
*Only one discount per registration. Discount cannot be combined.