Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
To Narrow the Cyber Skills Gap with Attackers, Cut the Red Tape
Newest First  |  Oldest First  |  Threaded View
RetiredUser
RetiredUser,
User Rank: Ninja
5/22/2019 | 3:17:32 AM
The Offensive Security Model
This is one of the most re-hashed complaints in tech and for a reason.  Since the Nineties I've been working in tech and always sought out work where part of the interview process put me in front of a terminal.  Even the certifications I've obtained I leave off my resume because getting a job based off certs my last company footed the bill for means I didn't prove myself to the new employer.  Give the candidate a pile of parts and have them build a PC/server/laptop, install an OS, configure a network; break into the network.  Don't tell me what you've done, show me what you can do.

For InfoSec, just as in respected certs for Linux, the model must include partial book work and paper tests, but the majority has to be hands-on execution, proof of knowledge, or no cert.  Companies who want to obtain quality employees and keep them will adopt a similar model, including some of the recommendations in this article.  Implement an intensive hands-on interview process, "show me".  Implement a regular boot-camp with capture the flag (CTF) events to keep employees sharp; encourage gamification.

It's amazing how quickly the weak links are identified when your models become interactive - combative - and stop being passive.  If you're serious about your security and the integrity of your network, background checks and onsite hands-on proof of skill should be priority one, paper an afterthought.   
REISEN1955
REISEN1955,
User Rank: Ninja
5/21/2019 | 3:43:39 PM
Certifications
They are paper proving you passed a test.  In a sense, great but mostly not so much.  Experience in the field counts and that goes for ANY subject in ANY field.  Not all IT staff have the budget for a CIISP certification and similiar ones.  True that is the gold standard but not many exist and the skill gap needs to be filled.  i would encourage filling the gap and providing resources for knowing candidates to GET a degee relatively quickly and efficiently.  BTW - when I was a self-employed consultant some 5 years ago, knew nothing about malware and practical measures on backup saved a 501C3 museum from Cryptolocker.  I was doing it RIGHT WITHOUT KNOWING IT.  Restoration 98% within 3 hours.  Not bad.  So experience counts.  Read that Baltimore?  

Full disclosure - on September 11 my data center crashed 103 floors in the south tower and I got out of 101 of them by walking.  Relatively familiar by default with disaster recovery and business continuity planning. 


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-31884
PUBLISHED: 2022-06-28
Marval MSM v14.19.0.12476 has an Improper Access Control vulnerability which allows a low privilege user to delete other users API Keys including high privilege and the Administrator users API Keys.
CVE-2022-31887
PUBLISHED: 2022-06-28
Marval MSM v14.19.0.12476 has a 0-Click Account Takeover vulnerability which allows an attacker to change any user's password in the organization, this means that the user can also escalate achieve Privilege Escalation by changing the administrator password.
CVE-2020-19896
PUBLISHED: 2022-06-28
File inclusion vulnerability in Minicms v1.9 allows remote attackers to execute arbitary PHP code via post-edit.php.
CVE-2020-19897
PUBLISHED: 2022-06-28
A reflected Cross Site Scripting (XSS) in wuzhicms v4.1.0 allows remote attackers to execute arbitrary web script or HTML via the imgurl parameter.
CVE-2021-41559
PUBLISHED: 2022-06-28
Silverstripe silverstripe/framework 4.8.1 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document.