Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
To Narrow the Cyber Skills Gap with Attackers, Cut the Red Tape
Newest First  |  Oldest First  |  Threaded View
RetiredUser
RetiredUser,
User Rank: Ninja
5/22/2019 | 3:17:32 AM
The Offensive Security Model
This is one of the most re-hashed complaints in tech and for a reason.  Since the Nineties I've been working in tech and always sought out work where part of the interview process put me in front of a terminal.  Even the certifications I've obtained I leave off my resume because getting a job based off certs my last company footed the bill for means I didn't prove myself to the new employer.  Give the candidate a pile of parts and have them build a PC/server/laptop, install an OS, configure a network; break into the network.  Don't tell me what you've done, show me what you can do.

For InfoSec, just as in respected certs for Linux, the model must include partial book work and paper tests, but the majority has to be hands-on execution, proof of knowledge, or no cert.  Companies who want to obtain quality employees and keep them will adopt a similar model, including some of the recommendations in this article.  Implement an intensive hands-on interview process, "show me".  Implement a regular boot-camp with capture the flag (CTF) events to keep employees sharp; encourage gamification.

It's amazing how quickly the weak links are identified when your models become interactive - combative - and stop being passive.  If you're serious about your security and the integrity of your network, background checks and onsite hands-on proof of skill should be priority one, paper an afterthought.   
REISEN1955
REISEN1955,
User Rank: Ninja
5/21/2019 | 3:43:39 PM
Certifications
They are paper proving you passed a test.  In a sense, great but mostly not so much.  Experience in the field counts and that goes for ANY subject in ANY field.  Not all IT staff have the budget for a CIISP certification and similiar ones.  True that is the gold standard but not many exist and the skill gap needs to be filled.  i would encourage filling the gap and providing resources for knowing candidates to GET a degee relatively quickly and efficiently.  BTW - when I was a self-employed consultant some 5 years ago, knew nothing about malware and practical measures on backup saved a 501C3 museum from Cryptolocker.  I was doing it RIGHT WITHOUT KNOWING IT.  Restoration 98% within 3 hours.  Not bad.  So experience counts.  Read that Baltimore?  

Full disclosure - on September 11 my data center crashed 103 floors in the south tower and I got out of 101 of them by walking.  Relatively familiar by default with disaster recovery and business continuity planning. 


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Developing and Testing an Effective Breach Response Plan
Whether or not a data breach is a disaster for the organization depends on the security team's response and that is based on how the team developed a breach response plan beforehand and if it was thoroughly tested. Inside this report, experts share how to: -understand the technical environment, -determine what types of incidents would trigger the plan, -know which stakeholders need to be notified and how to do so, -develop steps to contain the breach, collect evidence, and initiate recovery.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-41807
PUBLISHED: 2022-12-05
Missing authorization vulnerability exists in Kyocera Document Solutions MFPs and printers, which may allow a network-adjacent attacker to alter the product settings without authentication by sending a specially crafted request. Affected products/versions are as follows: TASKalfa 7550ci/6550ci, TASK...
CVE-2022-41830
PUBLISHED: 2022-12-05
Stored cross-site scripting vulnerability in Kyocera Document Solutions MFPs and printers allows a remote authenticated attacker with an administrative privilege to inject arbitrary script. Affected products/versions are as follows: TASKalfa 7550ci/6550ci, TASKalfa 5550ci/4550ci/3550ci/3050ci, TASKa...
CVE-2022-42496
PUBLISHED: 2022-12-05
OS command injection vulnerability in Nako3edit, editor component of nadesiko3 (PC Version) v3.3.74 and earlier allows a remote attacker to obtain appkey of the product and execute an arbitrary OS command on the product.
CVE-2022-43442
PUBLISHED: 2022-12-05
Plaintext storage of a password vulnerability exists in +F FS040U software versions v2.3.4 and earlier, which may allow an attacker to obtain the login password of +F FS040U and log in to the management console.
CVE-2022-43470
PUBLISHED: 2022-12-05
Cross-site request forgery (CSRF) vulnerability in +F FS040U software versions v2.3.4 and earlier, +F FS020W software versions v4.0.0 and earlier, +F FS030W software versions v3.3.5 and earlier, and +F FS040W software versions v1.4.1 and earlier allows an adjacent attacker to hijack the authenticati...