CYBERSECURITY 2019 by STUDIO Gannett

CYBER

SECURITY &

DETECT PROTECT PLUS

Cyber Solvers Wanted Outsmart Malicious Attacks Deepfake Videos Blur Realities

MAY 2019

DATA THREATS ARE SKY HIGH. CYBERSECURITY SHOULD BE TOO. Gogo Business Aviation protects people in the air with cybersecurity thatâ&#x20AC;&#x2122;s built into everything we do. Read this white paper to learn why you can trust your data's integrity in the air because of our proactive cybersecurity approach. Get the white paper: gogo.to/data-security

CYBER SOLUTIONS

PROTECTING EVERY SIDE OF CYBER Raytheon delivers solutions that help government agencies, businesses and nations protect critical information, systems and operations across every side of cyber — to make the world a safer place.

Raytheon.com/cyber @RaytheonCyber Raytheon Cyber

CYBER

SECURITY TECHNOLOGY

8 10

EXPOSED Ever-increasing data breaches are a fact of digital life DETECTING DEEPFAKES Researchers are developing new tools for preventing, exposing fraudulent media

10 LEADING THE WAY

NAVIGATION TOOLS Click on this icon to explore video information about a topic.

4 CYBERsecurity

16 Tap these icons for more information about a topic.

WHITE-HAT HEROES Ethical hackers root out system vulnerabilities to make corporations stronger

BIG DATA DRIVERS Three techniques to push the envelope on burgeoning industry

SOPHISTICATED SPAM Preventing ransomware attacks should become high corporate priority

@usatodaymags

GETTY IMAGES (3); BLUE CHAIR PRODUCTIONS

Contents MAY 2019

EDUCATION & CAREERS

28 32

WANTED: MORE PROBLEM SOLVERS Cybersecurity programs seek students who excel in critical thinking OPEN DOORS Cyber careers boast high salaries, ample job openings

PROTECTION

38 42

CARD SHARKS Gas station skimmers force law enforcement, technology to catch up FIGHTING FRAUD Protect yourself from cybercriminals

PREMIUM PUBLICATION

EDITORIAL DIRECTOR Jeanette Barrett-Stokes jbstokes@usatoday.com CREATIVE DIRECTOR Jerald Council jcouncil@usatoday.com MANAGING EDITOR Michelle Washington mjwashington@usatoday.com ISSUE EDITOR Sara Schwartz EDITORS Amy Sinatra Ayres Tracy Scott Forson Harry Lister Debbie Williams DESIGNERS Hayleigh Corkey Amira Martin Debra Moore Gina Toole Saunders Lisa M. Zilka CONTRIBUTING WRITERS Matt Alderton, Brian Barth, Ellen Chang, Josue Ledesma, Cari Shane, Mike Snider, Adam Stone, Tanisha A. Sykes ADVERTISING VP, ADVERTISING Patrick Burke | (703) 854-5914 pburke@usatoday.com ACCOUNT DIRECTOR Justine Madden | (703) 854-5444 jmadden@usatoday.com FINANCE BILLING COORDINATOR Julie Marco

42 FOLLOW US ON TWITTER

@usatodaymags

COVER DESIGN BY JERALD COUNCIL, GETTY IMAGES

@usatodaymags

Without limiting the rights under copyright reserved herein, no part of this publication may be reproduced, stored in or reproduced in a retrieval system, or transmitted, in any form, or by means electronic, mechanical, photocopying, recording or otherwise without the written consent of USA TODAY. The editors and publisher are not responsible for any unsolicited materials. PUBLISHED IN THE USA

Holdings Inc. Company

Comprehensive Cybersecurity Program Management • Cybersecurity Assessment Services • Cybersecurity Audit Review • Vulnerability Testing • Incident Response • Penetration Testing • Compliance Validation

www.colotraq.com/cybersecurity.html

Research, Compare & Source Colocation - Cloud - Connectivity - Cybersecurity From over 400 Service Providers Worldwide www.dcitraq.com

Exposed Data breaches are a fact of digital life, and they seem to be intensifying

illions of people were affected by data breaches and cyberattacks in 2018 — 765 million in the months of April, May and June alone, according to global digital security firm Positive

8 CYBERsecurity

Technologies. Cyberattacks increased 32 percent in the first three months of the year and 47 percent during the April-June period, compared to the same periods in 2017, according to the firm.

Breaches and cyberattacks continue to escalate, affecting more and more consumers, “and it’s not like it’s slowing down,” says Gary Davis, chief consumer security evangelist for McAfee.

GETTY IMAGES

BY M I K E SN I D ER

TECHNOLOGY

Sign of the times Top 10 reported breaches as of May 19, when they were reported and the number of users affected:

MySpace May 2016

360

million

MyFitnessPal March 2018

150

Yahoo! October 2017

million

Equifax September 2017

145.5

million

billion eBay May 2014

145

million

Target November 2013

110

Marriott November 2018

500

million

Yahoo! September 2016

500

million

LinkedIn May 2016

100

million

Quora December 2018

100

million

TECHNOLOGY

Defeating Deepfakes Researchers developing new tools to prevent, expose fraudulent media

ometimes, the internet gets weird. One of its strangest moments, for instance, took place in January, when a video surfaced of actress Jennifer Lawrence answering questions from reporters at a 2016 awards ceremony. It’s her body. It’s her voice. The face, however, belongs to actor Steve Buscemi, whose countenance is seamlessly superimposed on hers. The video drew myriad reactions on social media, with some calling it “disturbing,” including

10 CYBERsecurity 10 CYBERsecurity

Buscemi himself. And it is, experts agree, but not because it’s creepy or quirky. Rather, because agitators could use similar videos — called deepfakes — to cause mayhem among consumers, businesses and governments. The threat is growing. But fortunately, so are solutions.

DEEPFAKES EXPLAINED In both name and notion, deepfakes combine “fake news” with “deep learning” — a type of artificial intelligence (AI).

“A deepfake is a completely fabricated video that looks very, very real,” says Craig Stack, founder and chief operating officer of Truepic, a photo and video verification platform. “It used to be that talented visual effects artists were needed to manipulate videos. … Now, this can be done quickly and cheaply by AI software.” Instead of innocuous clips showcasing bizarre celebrity mashups, realistic videos could depict moral authorities in lascivious situations, >

BLUE CHAIR PRODUCTIONS

BY MATT AL D ERTON

Cyber everywhere Go anywhere Cyber is about starting things. Not stopping them. Sparking the confidence that builds the freedom to create. With human insight, technological innovation, and comprehensive cyber solutions, weâ&#x20AC;&#x2122;re by your side for all things cyber. www.deloitte.com/us/cyber Copyright ÂŠ 2019 Deloitte Development LLC. All rights reserved.

TECHNOLOGY

When Seeing Isn’t Believing

Three ways to scrutinize possible deepfake videos

world leaders in treasonous scenarios, military figures making provocative declarations, consumers endorsing dangerous products, fraudsters fabricating evidence for insurance claims or business executives reporting false financial results. Suddenly, deepfakes go from amusing to alarming.

DISRUPTING DECEIT Researchers are taking a two-pronged approach to neutralizing the deepfake threat. The first is detection. That’s the purview of Matt Turek, program manager at the Defense Advanced Research Projects Agency (DARPA), whose four-year Media Forensics (MediFor) program is developing 12 CYBERsecurity 12 CYBERsecurity

automated technology that exposes fraudulent media. MediFor seeks to identify deepfakes by analyzing three types of information: digital, physical and semantic. On a digital level, it’s analyzing pixels: inconsistencies that can indicate when images come from different sources. On a physical level, it’s examining the physics; in deepfakes, for example, facial shadows may be inconsistent with light sources. And on a semantic level, it’s comparing media to external data like the weather — if a video takes place outdoors, for example, one can verify whether it was hot or cold when the footage was shot, then analyze skin properties for >

1. ANALYZING BLINK PATTERNS Because deepfake software often uses still images as inputs, subjects rarely blink.

2. STUDYING FACIAL ORIENTATION If faces don’t move in sync with the heads to which they’re attached, the video is likely fake.

3. LOOKING AT RESOLUTION To make realistic images, deepfake software must resize the facial images it uses as inputs, which leaves behind artifacts evident to detection software. “I think it will take a compound of multiple methods to detect deepfake videos,” Lyu says. “Any single detection method potentially could be evaded by using countermeasures, but to beat all these detection methods together is much more difficult.” — M AT T A L D E RT O N

TRUEPIC; GETTY IMAGES

The Truepic app uses controlled capture technology to verify time, date, location and pixelation of images and video. For example, on this image from Kolkata, India, all authentication steps have been verified, indicating to viewers that the image has not been altered.

Siwei Lyu, an associate professor of computer science at the University at Albany, State University of New York, has developed three means for exposing deepfakes:

Powering Digital Transformation Software for bridging now and next

The digital transformation journey is promising but perilous. We know it well and we can help. Our solutions cover every challenge your agency may faceâ&#x20AC;&#x201D;from modernizing critical infrastructure to protecting against cyber security threats. Let us smooth the way.

A Solution for Every Digital Transformation Need: Enterprise DevOps

Hybrid IT Management

Security, Risk & Governance

Predictive Analytics

Build and deliver better software faster

Operate with agility

Secure what matters most

Analyze in time to act

Keep your agency running as you evolve: Learn more at mfgsinc.com â&#x20AC;ş

TECHNOLOGY

14 CYBERsecurity 14 CYBERsecurity

ing insurance claims, and news organizations — can quickly and easily verify the resulting media. “Deepfake detection is important, but not an ultimate solution to the problem,” Stack says. “We ultimately see deepfake detection as an ongoing ‘arms race’ … without any real end. Until videos can be verified the instant they are captured, post-capture detection will only be a temporary measure.” Siwei Lyu, an associate professor of computer science at the University at Albany, State University of New York, is also working on prevention. By adding imperceptible noise to images, he thinks he can

disrupt the face-detection algorithms that deepfake software rely on, thereby “breaking” them.

WHAT NOW? Because neither prevention nor detection is ready to scale across the entire internet, how can individuals and businesses protect themselves? For now, the best antidotes are education and vigilance. “Society as a whole should focus more on media literacy to educate … on the differences between authentic and deceptive content,” Stack says. “If we are better educated from the onset, the utility of deepfakes and deceptive content is limited.” l

GETTY IMAGES

consistency with recorded temperatures. “We’re building an approach to combine information across all levels to produce a single integrity score for a media asset,” Turek explains. “That integrity score gives us a way to rate what the likelihood is that an image has been manipulated.” The second approach to fighting deepfakes is prevention. Truepic, for example, has created technology that authenticates images and videos at their point of origin by imprinting them with metadata and storing copies on an immutable blockchain. Users — including singles on dating apps, consumers fil-

CYBERSECURITY CAN BE Cyber threats are malicious, dark and intrusive, and attacks have never been more complex. At Trend Micro, we’re turning this ugliness into something beautiful, helping you prepare for, withstand, and rapidly recover from threats – so you can empower your business in new, strategic ways. See how we’ve made cybersecurity beautiful at TheArtofCyberSecurity.com

Unknown threats detected and stopped over time by Trend Micro. Created with real data by artist Matt Deslauriers

LEADING THE WAY

Hacker Heroes

Cyber experts spot potential security breaches in systems to strengthen corporations

orporations are increasingly turning to ethical hackers to increase security and keep malicious attackers out of their systems, servers, networks and software. Also called penetration testing or white hat hacking, this critical practice seeks out vulnerabilities that the companies’ own developers may have missed. “People who build software think differently from hackers. They think about making a system that works, a system that is useful. A hacker is trying to see through the cracks,” says Jason Haddix, vice president of researcher growth at

16 CYBERsecurity 16 CYBERsecurity

Bugcrowd, a crowdsourced security platform that organizes “bug bounties” — programs in which companies pay to have their systems probed by ethical hackers for potential flaws. Each bug bounty has a defined reward range. Bugcrowd’s Vulnerability Rating Taxonomy is used to evaluate the criticality and business impact of each bug submitted by the Crowd. Once the customer accepts it,

the hacker is awarded the bounty, which Bugcrowd manages. The bounty goes up with the severity of the security flaw. Haddix says his firm has paid tens of thousands of dollars for a single bug, although the average reward is typically a few hundred dollars. Here’s how five companies are using ethical hacking:

GM General Motors has leveraged the help of security firm HackerOne to engage with the hacker community. It’s devoting “significant sums of money” to reward bug bounty participants — outside researchers who aug-

GETTY IMAGES

B Y A DAM S TON E

Put to the Test Companies improve their security by hiring ethical hackers to find weaknesses. Here’s how Bugcrowd works: Bugcrowd’s ethical hackers pressure test a company’s products to spot potential vulnerabilities. Hackers report vulnerabilities through Bugcrowd’s platform. Bugcrowd verifies the vulnerability is valid and shares with the company to fix the issue.

GETTY IMAGES; ILLUSTRATION: DEBRA MOORE

The ethical hacker receives Bugcrowd points and a monetary reward based on the vulnerability reported.

ment the carmaker’s internal team of security pros, says Jeff Massimilla, GM’s vice president of global cybersecurity. The company has invited hackers to seek out flaws in its onboard entertainment systems, and it is looking at expanding ethical hacking into assembly plants and other areas. “It is so important because these people come with a different perspective. They take a different approach to security,” Massimilla says. “We’ve learned

a lot about our environment through this. More importantly, we’ve developed relationships with people who can help us to continue to improve.”

HP Printers and peripherals can be the weak link in a company’s security — they’re connected to the internet, but may get overlooked when systems are configured. That’s why HP uses Bugcrowd bug bounties to test its devices

for potential weak spots. “We get access to highly trained ethical hackers, people with hard-to-find technical skills,” says Shivaun Albright, chief technologist of print security at HP. “We are catching potential vulnerabilities before they are found by unethical hackers who might exploit them. We are preventing negative media and protecting our brand.” The big advantage to ethical hacking is that it enables HP > 17 17

LEADING THE WAY

DASH When founders at digital currency startup Dash wanted to ensure their digital cash product was secure, they turned to Bugcrowd, with a bug bounty program that gives them access to difficult-to-find talent. The program has yielded tangible results. “In one case, we learned of a method by which an attacker could bypass an important security feature on an Android phone wallet,” says Jim Bursch, who manages the program for Dash. “There was never a report of this attack used on an actual user, so by learning of the vulner18 CYBERsecurity 18 CYBERsecurity

ability from a hacker, we were able to implement a fix that eliminated the vulnerability before it affected a user.”

KEEPER SECURITY When you’re in the password management and security business you can’t afford mistakes. Keeper Security’s product is intended to safeguard users’ online credentials, so the company must ensure its code is solid. To aid in this endeavor, the firm uses bug bounties as a way to bring fresh eyes to the challenge. “It is great to have an outsider look it over, especially people who are specifically skilled at looking for vulnerabilities. It allows us to find potential issues much earlier in the process,” says chief technology officer and co-founder Craig Lurey. By having hackers try to break the product, Keeper creates a business differentiator for itself. “When it comes to se-

curity, a large customer won’t just take your word for it. They want third-party validation,” Lurey says. Ethical hacking helps reassure customers that systems are indeed sound.

GRAMMARLY Online grammar-checking service Grammarly launched a public bug bounty program in partnership with HackerOne in late 2018. “At Grammarly, we view security as the most critical feature,” says Joe Xavier, vice president of engineering. “While we have a team of engineers who obsess about user and data security, we believe that we’ll have an even more secure product by engaging with thousands of security researchers who are experts at their craft,” he says. “We want our users to know that any data they share with us while using our products remain safe and protected.” l

GETTY IMAGES

to see its products in a new light. “I can do security reviews on a product, but I won’t be thinking like a hacker: Where can I break into this? Where are the weaknesses?” Albright says. “Part of doing these bug bounties is having those discussions.”

Insider Threat? Get eMotive Now

• Continuous criminal background check annual/manual background check

• 100% law enforcement-sourced multi-jurisdictional database • Updated as soon as law enforcement updates data • Prevent false positives; Searches against text + Facial Recognition • Notifications through end-to-end encrypted alerts

NV PILB License #1295

LEADING THE WAY

Big Data Drivers

Three techniques that are solving cybersecurity challenges BY JOS UE LEDES MA

very minute data is created. By 2020, 1.7 MB of data will be generated per second for every person on Earth, according to Domo’s latest Data Never Sleeps report. For cybersecurity purposes, companies need to collect, organize and analyze massive amounts of data to see whether their traffic looks “clean,” whether a connected device needs a security update or whether malware has infected their networks. Here’s where big data analytics comes into play: cybersecu-

rity solutions help organizations store, centralize and organize their data to have better visibility. Big data is also driving advancements in the fields of machine learning, data science and artificial intelligence (AI). Here’s how three companies are leveraging big data:

FROM DEFENSE TO POST-BREACH ANALYSIS Trustwave relies on big data to identify and mitigate potential damage if hackers are targeting a company or have successfully breached a network.

“(Big data) gives you the capability to ID potential attacks or breaches, pulling information via machine learning, data analytics, real-time analysis and even postmortem analysis, providing a significant upgrade and control of your environment,” says Chris Schueler, SVP of managed security services at Trustwave. For example, if your organization is sending out denial-of-service alerts because your system was compromised by a botnet, big data allows you to see that massive amounts of traffic are coming from your organization >

GETTY IMAGES; TRUSTWAVE

Trustwave’s Spiderlabs Fusion Center

20 CYBERsecurity

RESPOND TO THE DEMANDS OF DIGITAL TRANSFORMATION – SECURELY MODERNIZE YOUR BUSINESS WITH LESS RISK Take a comprehensive approach to improving network visibility, addressing the limitations and complexities of the traditional WAN, tailoring access control methods and deploying organizationally-appropriate network segmentation and application-speciﬁc methodologies to reduce your attack surface. Together, ePlus and Fortinet offer a comprehensive secure SD-WAN solution that provides:

+ Integrated SD-WAN networking and security capabilities in a single device

+ Single-pane-of-glass management + Zero-touch deployment + The industry’s ﬁrst advanced, secure SD-WAN system on a chip

If you’d like assistance with modernization of your WAN with a security focus, contact ePlus today.

LEADING THE WAY

and targeting a single website. Trustwave recently opened their Spiderlabs Fusion Center, an advanced command center that provides training and education across a variety of cybersecurity disciplines.

IBM Security understands that big data analysis doesn’t always make up for a shortstaffed security department. Given how much data is available to any given company, it’s challenging to properly parse out what is important and take the appropriate action, whether that’s implementing a new device management process or introducing a new endpoint security solution. “The No. 1 threat in security for (organizations) today is complexity. Products are often deployed in silos, while organizations and teams are limited by the absence of collaboration masses of data,” says Koos Lodewijkx, vice president and chief information security officer at IBM. Lodewijkx points to AI and IBM’s QRadar Advisor with Watson as its response to this challenge. In addition to centralizing the data from a disparate number of sources, QRadar Advisor helps security practitioners analyze vast amounts of data created by an organization. Watson’s AI then uses external threat feeds and data to help analysts identify the threat or take the appropriate action.

22 CYBERsecurity

PREPARING FOR INFLUX OF BIG DATA TECHNOLOGIES Although machine learning and AI are getting a lot of attention, Cloudera is also focused on additional cutting-edge technologies. “New high-speed 5G networks, connected autonomous vehicles and new technologies mean the volume of data available to security staff is growing exponentially,” says Arun Murthy, chief product officer at Cloudera. This requires communication efforts across the entire cybersecurity community so that new defenses, processes and tech-

nologies can emerge. “Defense is a team game in security, and an open community using the best tools and all the data available to them is the key to success,” says Murthy. Cloudera’s Enterprise Data Cloud incorporates information from multiple devices and networks in a single enterprise and uses a shared view of metadata, tracking, governance and security information based on their Shared Data Experience to defend against vulnerabilities resulting from these new technologies. l

GETTY IMAGES

COMBINING BIG DATA ANALYTICS WITH ACTIONABLE STEPS

PLEASE TOUCH Experience the world’s most amazing animals in one app. WWF TOGETHER — the free app from World Wildlife Fund. Download it today. worldwildlife.org/together

LEADING THE WAY

“Flat” networks are the perfect environment for ransomware to spread, giving unimpeded access across a company.

Sophisticated Spam Preventing ransomware attacks should be high corporate priority B Y E LLEN CHAN G

24 CYBERsecurity

Affected users were greeted with an ominous message that their files were encrypted and payment ranging from $300 to $600 in Bitcoin was required to restore access. The hack caused massive and costly disruption to the U.K.’s National Health Service. The National Audit Office’s report stated that one-third of NHS hospital trusts were disrupted, and thousands of appointments and surgeries were canceled. Emergency centers in five areas had to divert patients to other health care centers. More than 200,000 people in 150 countries were affected. The attack spread

from the U.K. to the U.S. and stretched as far as China and Russia. Although the attack was halted by a malware researcher in the U.K., new versions surfaced quickly.

A PERFECT ENVIRONMENT Ransomware spreads rapidly because it self-replicates, exploiting vulnerabilities in networks and endpoints, says Justine Bone, CEO of MedSec. “If a network is too ‘flat,’ or easy to connect from machine to machine, then it’s a perfect environment for a worm to spread,” Bone says. “The network allows

THEHACKERNEWS.COM

ne of the most destructive cyberattacks started May 12, 2017, on a computer in Europe. An email was opened, a compressed file unzipped, and the WannaCry ransomware attack began to spread — quickly and deftly. Using EternalBlue, a cyberspying tool that was likely stolen from the National Security Agency and leaked online, a cryptoworm infected Microsoft Windows operating systems that hadn’t installed a security patch issued two months prior. Without needing permission from users, a malicious code used file sharing to spread.

Every

14 seconds

a new organization will fall victim to ransomware in 2019, according to CyberSecurity Ventures. By 2021, that number will reach every 11 seconds.

$133 thousand

GETTY IMAGES; ILLUSTRATION: HAYLEIGH CORKEY

was the median cost to address damage after a ransomware attack in 2017, according to a survey by British security company Sophos. Ransomware remains lucrative because it’s relatively inexpensive and easy to deploy.

for unimpeded access from computer to computer.” For many industries, especially health care, preventing ransomware attacks remains a high priority because of the threat to patient safety and privacy. The destructive power is immense — many networks are connected to devices and machinery such as MRIs and incubators, Bone notes. These medical devices can be infected with ransomware just like computers, and could malfunction or become inoperable — “putting people’s lives in danger,” Bone notes. “The WannaCry attack was an early warning sign of the dan-

gers for connected equipment,” she says. “Hospitals are vulnerable as they are already struggling with basic cybersecurity issues.”

PLAN ON BEING HACKED “It only takes an email getting through a filter and being opened by a single user to infect an entire organization through the network,” says Debra Geister, a consultant who advises institutions on fraud prevention like malware and other attacks at NICE Actimize. Backing up data offline and not merely the critical database, is also significant, adds Na-

than Wenzler, senior director of cybersecurity at Moss Adams. Testing backups beforehand is just as important because they are worthless if the data cannot be restored correctly, he adds. “Having good backups means you can just wipe a compromised system and restore it without any data loss — and without paying the ransom.” Bone says companies should undertake a full audit of their networks to learn how exposed they are, and what, if any, measures are in place to mitigate damage: “It may seem counterintuitive, but as a business you should plan on being hacked >

LEADING THE WAY

Government 28 (1.41%) Energy 51 (2.56%) Retail 54 (2.71%) Services 66 (3.31%) Technology 90 (4.51%)

Health Care 122 (6.12%)

Manufacturing 352 (17.65%)

No one is immune

— only by doing so can you protect yourself against significant damage.” She also recommends isolating sensitive networks and devices from the main network and creating impediments to a lateral infection by malware. “Failure to anticipate this type of event is a critical mistake.”

GETTING THE VICTIM TO PAY Paying the ransom is sometimes best, especially if it costs less than the combined value of the comprised data or system

26 CYBERsecurity

Education 535 (26.83%) Finance & Insurance 696 (34.9%)

and recovery costs, Wenzler says. “There are a lot of ethical and emotional reasons to want to fight against this sort of criminal activity, but ultimately, this is a business-risk decision. If the cost to recover is too high, then it may pose less risk to the organization to take a chance on the attacker upholding their end of the arrangement.” Cryptocurrencies are still a popular payment method, but altcoins such as Ripple and Monero are gaining traction because they are cheaper to trade and have faster transaction

speeds, notes Jason Glassberg, co-founder of Casaba Security. He adds that payout amounts have stayed in the $10,000 to $50,000 range, and that criminals tend to target smaller- and medium-sized companies that have less meticulous backup plans and are more likely to pay. Cybercriminals are eager to get a return on their investment and many will negotiate, says Carlos Perez, head of research and development at TrustedSec. “It’s all about getting the victim to pay — one way or another.” l

ILLUSTRATION: HAYLEIGH CORKEY

Ransomware affects all industries. Vectra collected data from multiple companies in nine sectors between January 2018 and February 2019. The figure connected to the industry indicates the number of times that ransomware behaviors were detected. During this time, Vectra collected data on 42,782,279 devices and workloads. On these devices and workloads, Vectra flagged 47,449,530 network events that were condensed to 1,584,516 detections.

EARN YOUR MASTER’S IN INTELLIGENCE AND SECURITY STUDIES ONLINE.

FULLY ONLINE

The Citadel’s Master of Arts in Intelligence and Security Studies is 100% online, oﬀering instruction from intelligence professionals around the nation. The Citadel has been named a National Center of Academic Excellence in Cyber Defense Education by the United States Department of Homeland Security and National Security Agency. Find out more at citadel.edu/iss

Presented by

JULY 29 - 31, 2019 | DALLAS, TX

WESTIN DALLAS PARK CENTRAL Join ISC Security Events, SIA and PSA Security Network for 2+ days of networking and unparalleled education!

Connecting Leaders in Cybersecurity, Physical Security and Systems Integration This two-day event connects IT and physical security leaders to examine and share information on:

Cyber-hardening of integrated security systems

How to improve your firm’s cyber posture

The business of cyber: From liabilities to opportunities

New cybersecurity tools and resources for integrators

Wanted: Problem Solvers Cybersecurity programs seek students who look at the world analytically B Y CARI SH ANE

ne of the most important skills for cyber success is the ability to think critically. If you “have the kind of brain that enjoys being tickled by puzzles,” then cyber could be for you, says Mandy Galante, program director of SANS CyberStart, a project designed to entice students to cybersecurity. These critical thinkers are at an advantage: By 2021, it’s estimated that there will be a global cyber jobs deficit of 3.5 million. The demand for such experts has led to an increase in the number of higher-education degrees in cybersecurity. These public colleges and universities offer exceptional concentrations and degree programs:

UNIVERSITY OF ARIZONA

28 CYBERsecurity

OKLAHOMA STATE UNIVERSITY

Recognized as a CAE-CD, OSU’s management information systems degree, earned through the Department of Management Science and Information Systems in the Spears School of Business, is a STEM-focused technical major. Students can also learn practical applications through the school’s Information Security and Assurance Club, which focuses on evolving threats and mitigation techniques.

GETTY IMAGES

The Bachelor of Applied Science with an emphasis in Cyber Operations has an engineering track or a defense and forensics track. The degree has led to the school’s designation as a Center of Academic Excellence in Cyber Defense (CAE-CD), a program created by the National Security Agency and the Department of Homeland Security to recognize schools that offer rigorous information security programs. The school has also been named a Center of Academic Excellence in Cyber Operations (CAECO), an additional NSA-sponsored designation. Jason Denno, who directs the cyber operations program at UA, says graduates “are not going to be looking for work. Work is going to be looking for them.”

Photo credit

Jason Villafranca of RRMM

EARN YOUR DEGREE FROM A CYBERSECURITY LEADER

Protect. Prevent. Prevail. The demand for cybersecurity professionals

is high. Be on the frontline when it comes to protecting against cyber attacks by earning

a bachelor’s or master’s degree from Norfolk State University’s top-rated cybersecurity

program. Contact us to begin the process of earning your degree today.

• DOD Center of Excellence in Cybersecurity Research • DOE Cybersecurity Consortium Leader • NSA/DHS Center of Academic Excellence in Cyber Defense (CAE-CD)

Tuition Support Available (757) 823-9106 | cybersecurity@nsu.edu

Norfolk State University is accredited by the Commission on Colleges of the Southern Association of Colleges and Schools to award the associate, baccalaureate, master’s and doctoral degrees. Contact the Commission on Colleges at 1866 Southern Lane, Decatur, Georgia 30033-4097, telephone (404) 679-4500, http://www.sacscoc.org, for questions about the accreditation of Norfolk State University.

270 The number of U.S. colleges designated as Centers of Academic Excellence in cyber defense.

UNIVERSITY OF NEBRASKA OMAHA

Offered through the College of Information Science & Technology, UNO’s B.S. in cybersecurity features a special track in cyber operations, earning CAE-CO status. NULLify, a student-run cybersecurity group, hosts hackathons every year with cash prizes. “It’s more important than ever that we have a committed workforce dedicated to protecting assets against cyber attacks,” says Abhishek Parakh, associate professor and undergraduate cybersecurity program committee chair.

UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN

This public research university and CAE-CD center offers B.S. degrees in both computer science and electrical and computer engineering that require a cybersecurity research project and a summer internship within a government organization. In addition, through its Information Trust Institute, the school offers the CyberCorps Scholarship for Service, a merit scholarship funded by the National Science Foundation.

UNIVERSITY OF CONNECTICUT

UCONN is the only school in the state to be recognized as a CAE-CD center. “Security needs to be an integral part of computer science culture,” says Laurent Michel, associate department head of computer science who helped to create the cybersecurity curriculum. This summer, the school plans to open its first cybersecurity lab. The Altschuler Cybersecurity Lab will offer hands-on classes to undergraduate and graduate students.

TOWSON UNIVERSITY

The first university in Maryland to offer a cyber degree program, TU’s Jess & Mildred Fisher College of Science and Mathematics started one of the first B.S. degrees in computer science with a track in computer security. The school also holds a CAE-CO and CAE-CD center designation. Additionally, Towson is one of the first schools in the country to earn a cybersecurity accreditation from the Accreditation Board for Engineering and Technology, effective through 2024. 30 CYBERsecurity

GETTY IMAGES; TOWSON UNIVERSITY PHOTOGRAPHIC SERVICES; UCONN SCHOOL OF ENGINEERING; UNIVERSITY OF NEBRASKA AT OMAHA; UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN

THE SMART CHOICE Earn Your Advanced Degree in Cybersecurity www.MarymountCyber.com

D I G I TA L F O R E N S I C S AT B G S U

STUDY CYBERSECURITY DEFENSE

Prepare for a career as a forensic analyst or digital analyst in corporations, law enforcement agencies or crime labs. More information at bgsu.edu/digitalforensics

OLIVET.EDU 19AS2137

EDUCATION & CAREERS

Open Doors

Cyber careers boast high salaries, ample job openings B Y C ARI S HAN E

s cybercriminals grow more creative, cyber defenders are evolving to combat new threats. And there’s good news for job seekers: By 2021, there will be 3.5 million cybersecurity positions available globally, according to Cybersecurity Ventures. Cyber careers, ranging from private sector jobs in health care, retail, manufacturing and financial services to national security and government jobs, boast

starting salaries up to $100,000. Here’s a look at five cool cyber jobs:

UNCOVERING MYSTERIES Sometimes referred to as the “detective” of the cyber world, a digital forensic analyst searches computers, mobile devices and networks for evidence in the wake of an incident. That could be a targeted hack, a major corporate breach, a missing child or act of terrorism, explains Heather Mahalik,

director of forensics at ManTech CARD. A forensic analyst gets, “the thrill of the hunt,” Mahalik says. “It’s CSI for cyber geeks.” Often cases require forensic analysts to work in a team, while other times they work alone. Mahalik says that a degree in forensic science, computer science or electrical engineering is helpful but not required. Mahalik describes what she does as diving into electronic data to

uncover a truth. “In this line of work the answer may not be what we assumed when we approached the case. Maybe the person you are investigating was innocent. Maybe malware did it. Maybe you are looking at the wrong suspect. We never know what to expect.”

TESTING SYSTEMS A vulnerability assessor, or a vulnerability assessment analyst, looks for security weaknesses >

Help Wanted According to CyberSeek, there were 313,735 online job listings for cybersecurity-related positions from September 2017 through August 2018.

up from about 200,000 in 2015.

32 CYBERsecurity

GETTY IMAGES

More than 300,000 cyber jobs are currently available

ZeroBounce: Improve Email Email marketing is in full swing, and everybody wants a piece of the pie. On the other hand, email databases are more vulnerable than ever. More than half of the world’s email trafﬁc is spam, and organizations are confronted with constant data decay. If your business operates with customers contact information or email, you may be facing the same set of challenges. How do you maintain data hygiene while harnessing the power of digital sales and marketing communication? That is one of the questions ZeroBounce decided to answer when it launched, in 2015, as a novel, security-focused email validation system. Created by serial entrepreneur Liviu Tanase, ZeroBounce helps you consistently deliver emails to the computers of actual humans. Furthermore, its artiﬁcial intelligence (A.I.) email scoring system empowers you with in-depth insight into your customer quality.

Why email validation is worth your attention Businesses thrive when they communicate successfully to their existing and target clients. Whether you’re sending transactional messages or use email as a marketing medium, email validation helps you to: • avoid bots and connect with humans • eliminate fraud and phishing • ensure your transactional emails reach the intended recipient • boost your deliverability and make the most of your marketing campaigns “Maintaining good email hygiene is paramount for businesses today. When your data is outdated or tainted by fake contacts, it undermines your entire communication protocol. Not only are you emailing nonexistent email addresses, but you’re preventing genuine human leads from receiving your emails. This is where ZeroBounce makes a real difference, as an essential extension service for companies that send any type of email communication,” explains ZeroBounce founder and CEO Liviu Tanase. The system veriﬁes email lists and removes spam traps, invalid, catch-all, abuse, temporary and dormant email addresses. Also, ZeroBounce enhances email databases by adding information where it’s missing. It appends the ﬁrst and last name, the gender and the location of your subscribers, making segmentation and targeting much easier.

ZeroBounce A.I., anticipating the market’s needs In 2018, ZeroBounce introduced a powerful feature to its suite of solutions: an ingenious A.I.-driven email scoring system. “Our forward-thinking culture focuses on constant innovation. At ZeroBounce, the overriding mentality is to anticipate the market’s needs and develop ideas and solutions ahead of time,” adds CEO Liviu Tanase. ZeroBounce A.I. takes data quality assessment further than ever by rating the value of an email address. Through an algorithm that is now at the forefront of email scoring, it analyzes all patterns of an email address. Then, it returns a predictive quality score. ZeroBounce A.I. is an efﬁcient catch-all email validator, and paints a clear perspective on the recipients’ potential interaction levels. “We have a team of email experts driven by the constant ambition to improve our service. Our goal is to accelerate email as a channel for customers,” says Tanase. A telecommunication executive with over 15 years of experience, Liviu Tanase has founded six companies and has participated in three exits creating quadruple digit-returns. Together with other specialists in the email industry, he developed ZeroBounce to support safe and efﬁcient email communication for businesses worldwide. Four years later, ZeroBounce’s breakthrough technology has turned the company into a top player in the email validation landscape. With over 2 billion emails validated to date, ZeroBounce serves 50,000+ businesses in 135+ countries and adds up to 150 new clients every day. The system guarantees an accuracy of 98% and deploys the most robust data protection mechanisms in the industry. Visit

www.zerobounce.net and chat with an email deliverability expert today!

INTEGRATE ZEROBOUNCE WITH YOUR FAVORITE PLATFORMS

EDUCATION & CAREERS

CRACKING CODES

With multiple titles — signals analyst, message decoder, data decoder and encryption expert — a cryptographer is also unofficially known as the “sheriff of the cyber world” or the “white knight of data.” Cryptographers develop ways to hide information in plain sight, and then they figure out how to crack other

34 CYBERsecurity

MAKING STRIDES Women represent 20 percent of the global cybersecurity workforce, according to Cybersecurity Ventures.

cryptographers’ codes and uncover what was hidden. “Code makers create a computer program that translates messages into gibberish and a second program that translates it back to English,” says Alan Paller, founder and research director at the SANS Institute. “This way, the message remains secret to everyone but the intended receiver who has an

‘unlock key.’ ” On the flip side, the code breaker gathers thousands of messages that all look like gibberish and figures out how each letter is being encrypted. “The code breaker teases out the encryption technique, and ultimately, if successful, can decode every message as it is being sent,” says Paller. Those with a bachelor’s degree in mathematics, computer

science or computer engineering can often get a job as a cryptographer right out of college, according to cyberdegrees.org.

BUILDING NETWORKS Requiring a trifecta of talent — creative skills, technical skills and business savvy — a security architect needs to understand all sides of a business so that they can design >

GETTY IMAGES

and flaws in a client’s IT networks and websites. Casey Bourbonnais, an information security engineer with ManTech, says a vulnerability assessor, “tells you: ‘Hey, that door on the side of your house might be unlocked! You might want to go check it.’” To become a vulnerability assessor, cyberdegrees.org recommends a bachelor’s in computer science, IT or cybersecurity. But Bourbonnais says, “As an employer, I am looking at the candidates’ raw technical abilities and personality, not the degree they hold.” He says it’s important to be able to think analytically, be methodical, have good written and verbal communication skills and be able to adapt quickly.

We love working in the high-tech, fast-paced payments industry, and we think you will too.

A Great Career Starts Here. AT TSYS, YOU CAN: • Take your career to the next level through growth opportunities • Have fun, tackle challenges and make a difference • Enjoy great benefits for health and wealth • Thrive in a work environment you can stay with over time • Achieve a satisfying work-life balance WORK FOR US: TSYS.COM/CAREERS © Total System Services, Inc.® All rights reserved worldwide. TSYS® is a federally registered service mark of Total System Services, Inc.

Daggers Group provides responsive cybersecurity services to ensure our clients can Build, Secure, and Sustain a robust defense posture to protect their critical assets. Our services include Information Systems Security, Risk Management Framework, FISMA Compliance assessment assessments, cybersecurity training, Insider Threat Analysis, Identity and Access Management, and Knowledge Management program development and implementation.

Our Corporate Social Responsibility (CSR) Program: Job relevant cybersecurity training Career counseling Lifelong Cyber mentorship We prepare veterans for a sustainable career in the cybersecurity industry!

Our Clients

Department of Defense

Office of the Controller of Commerce

City of Washington D.C.

DUNS: 079386815 | CAGE: 74BH0 www.daggersgroup.com | info@daggersgroup.com 800.933.7871 ext 2

A Service-Disabled, Veteran-Owned Business, Small Business, and Minority Business Enterprise

EDUCATION & CAREERS

CYBERSECURITY SUPPLY AND DEMAND This map by CyberSeek shows the number of cybersecurity job openings across the U.S.

Total job opening 172 - 811 812 - 1,342 1,343 - 2,032 2,033 - 3,322 3,323 -7,722 7,723 - 12,813 12,814 - 36,602

a network security infrastructure that is responsive to vulnerabilities, threats and regulations. “You get to design the solution, end-to-end, and not just around the perimeter of the network,” says Ed Skoudis, director of team-based training and cyber ranges at SANS. A security architect designs systems for an organization to prevent malware, hacker and denial-of-service attacks and continually audits the system for vulnerabilities.

36 CYBERsecurity

“The architect has a role in ensuring everything is planned with multiple layers of defense,” says Skoudis. Cyberdegrees.org recommends a bachelor’s degree in computer science or cybersecurity or a master’s degree in IT. Skoudis adds that those considering a career as a security architect should expect to consistently supplement their education with additional training and certifications: “It is vital because the field is constantly changing.”

ANALYZING THREATS Risk management specialists are like “the bomb-squad,” identifying security land mines and mitigating impact on the enterprise. They also act like a conscience, too, says David Hoelzer, chief of operations for Enclave Forensics Corporation. “We all know that all systems should be patched and up-todate, but we also know that we have that unpatchable legacy system that we’ve been saying we need to replace for

years,” says Hoelzer. “It’s a bit like getting ourselves to the gym. We know we should do it, but it’s way easier to just lie around on the couch.” A risk management specialist works within these organizations to recommend ways to control, combat and avoid risks. Cyberdegrees.org notes that because this position is highly technical, a bachelor’s or a master’s degree in computer science, information systems or cybersecurity is typically required. l

CYBERSEEK

No MSA

Rated Top 50 Must-Attend Security Conferences Globally

PROTECT YOUR COMPANY FROM CYBER ATTACKS!

Dallas - 5/16 | New York - 10/3

$95.00

ADMISSION

Use Promo Code: USAToday

Standard Cost of Admission is $350.

LEARN FROM THOUGHT LEADERS & EXPERTS INCLUDING

INTER ACTIVE PA NEL S AND DISCUSSIONS INCLU DE

INSIDER THREAT: What the CISO and Every IT Security Management Team Must Face & Govern 24/7

Ronald Yearwood Section Chief, Cyber Ops III The FBI

David Cass Chief Information Security Oﬃcer IBM

Ron Henry Senior Information Security Researcher Dell Secureworks

Brian Sanders Electronic Crimes Task Force US Secret Service

CLOUD INSECURITY: Common Pitfalls Organizations Make When Moving to the Cloud and How to Avoid Them INCIDENT RESPONSE: What to do Before, During and After a Breach

ENGAGE WITH EXHIBITORS & SPONSORS INCLUDING

6 CPE CREDITS

All delegates in attendance for a full Cyber Security Summit will receive 6 CPE Credits via email post event

PROTECTION

An Arizona state employee shows how credit card skimmers are designed to fool.

Card Sharks Gas station skimmers force law enforcement, technology to step up their game

ne of the most common places to have your credit card information stolen might be one of the least expected: the gas station, according to cybersecurity expert and author Adam Levin. Over the past year, law enforcement officials removed more than 1,200 credit card skimmers — devices that thieves insert into readers to cull financial information —

38 CYBER CYBERsecurity

from gas pumps in Florida, according to the Florida Department of Agriculture and Consumer Services. These clandestine instruments are often attached to gas pumps or ATMs and “skim” the magnetic strips on cards swiped at these locations. Sometimes they come with a camera that’ll capture you punching in your PIN. Why gas stations? “The closer the credit card reader is to the

cashier, the more difficult it is for the thieves to install a skimmer,” notes Levin, author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves. He also points out that not only are gas station attendants not standing watch at each card reader, the readers on gas pumps are accessible 24-7. “So they can do it in the middle of the night.” >

GETTY IMAGES; THE ARIZONA REPUBLIC

B Y B RIAN BARTH

Reduce Cybercrime in Your Community

FREE, EFFECTIVE TOOLS TO PROTECT SMALL BUSINESS gcatoolkit.org/smallbusiness