Archive for May 18, 2022

New Compliance Report Finds Explosive Use of Automation, Overwhelming Ransomware And Zero Trust Focus

Posted in Commentary with tags on May 18, 2022 by itnerd

A-LIGN, a cybersecurity compliance and audit firm, has released its second annual benchmark report, tracking organizational compliance year-over-year as executives emphasize such programs and their significance in accelerating corporate growth. There are several critical themes surrounding automation, ransomware, and zero trust, including:

  • 72% of organizations now utilize a form of software for conducting audits, compared to only 25% of businesses reporting the use of automation in 2021
  • 85% of businesses can focus on critical security issues and controls essential for corporate growth and regional expansion by streamlining compliance and consolidating auditing processes
  • 98% of companies plan to develop and implement zero-trust strategies and ransomware preparedness programs

This benchmark report should be considered required reading by enterprises as it can serve as a roadmap as to where you focus your efforts. The report can be viewed here.

India To VPN Companies: Do What We Want Or Get Out Of India

Posted in Commentary with tags on May 18, 2022 by itnerd

You might recall that I did a story on India wanting VPN companies to retain data on who uses their services, and VPN companies considering their options, including leaving the country. India has now escalated this by saying the following:

The Indian Computer Emergency Response Team clarified (PDF) on Wednesday that “virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations” shall follow the directive, called Cyber Security Directions, that requires them to store customers’ names, email addresses, IP addresses, know your customer records, financial transactions for a period of five years.

And:

Rajeev Chandrasekhar, the junior IT minister of India, said that VPN providers who wish to conceal who uses their services “will have to pull out.” He also said that there won’t be any public consultation on these rules.

Keep in mind that India is the second largest Internet market on the planet. So I am guessing that the Indian government is counting on the fact that VPN providers will comply rather than give up doing business in that market. And even if some or most of them do leave, the Indian government will win anyway, because the only VPN companies left in the market will be the ones that comply with its directive. That of course assumes that Indian citizens don’t just go out and get a VPN service from outside the country. After all, it’s not like we haven’t seen that happen before.

This will be interesting to watch, as I suspect that the pushback will be substantial from both sides, and only one side will win. Let’s see which side that is.

Is It Time To Make The Internet An Essential Service And Hold Canadian Telcos Accountable For Providing That Service?

Posted in Commentary with tags on May 18, 2022 by itnerd

Back in 2016, the CRTC said that high speed Internet was “essential”. This is what they meant by that at the time:

As part of declaring broadband a “basic” or essential service, the CRTC has also set new goals for download and upload speeds. For fixed broadband services, all citizens should have the option of unlimited data with speeds of at least 50 megabits per second for downloads and 10 megabits per second for uploads — a tenfold increase of previous targets set in 2011. The goals for mobile coverage are less ambitious, and simply call for “access to the latest mobile wireless technology” in cities and major transport corridors.

The CRTC estimates that some two million Canadian households, or 18 percent of the population, do not currently have access to their desired speeds. The $750 million government fund will help to pay for infrastructure to remedy this. The money will be distributed over five years, with the CRTC expecting 90 percent of Canadians to access the new speeds by 2021.

The new digital plan also touches on accessibility problems, with CRTC mandating that wireless service providers will have to offer platforms that address the needs of people with hearing or speech disabilities within six months. Blais said this timeline was necessary, as the country “can’t depend on market forces to address these issues.”

Fast forward to 2022 and this really doesn’t go far enough to address what I think “essential” means to Canadians. Given that a lot of us still work from home, and the Internet is the difference between earning a paycheque and not earning one, or learning and not learning, I think that this needs to change. Public Safety Canada maintains a list of what it defines as “Essential Services”, which it describes as follows:

Canada’s National Strategy for Critical Infrastructure defines critical infrastructure as the processes, systems, facilities, technologies, networks, assets, and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government.

And while this list does include “Information and Communication Technologies”, I think it needs to go further: it should name the Internet specifically, and it should also cover telcos like Rogers, Bell, and Telus so that they are responsible for maintaining service and resolving issues to a high standard. As in resolving issues within hours and not days, and meeting a minimum uptime guarantee that said telcos are held accountable to. Now I know that Rogers, Bell, Telus and others would say that this isn’t required and that they go above and beyond for their customers. But while I agree that these telcos do the best that they can to resolve customer issues in what they consider to be a timely manner, I don’t think that’s good enough. When the Internet goes out for a single home or a group of homes, even for a few hours, there are people who aren’t learning or making a living. That affects the economy. That alone makes it worthwhile to explore this idea and to take action to make it a reality. And perhaps if something like this came into effect, telcos would spend a lot more time and effort ensuring that their networks were resilient enough that outages became corner cases. That would be good for all Canadians.

What do you think? Should Canada do more to make the Internet an “essential service” as I’ve described above? Please leave a comment and share your thoughts.

Infosec Institute Unveils New Role-Guided Cybersecurity Training Roadmaps

Posted in Commentary with tags on May 18, 2022 by itnerd

Infosec Institute, a leading cybersecurity education company, today unveiled Infosec Skills Roles, pre-built training roadmaps aligned to the 12 most in-demand cybersecurity roles including SOC Analyst, Penetration Tester, Security Engineer and Cybersecurity Beginner. Hosted in the Infosec Skills training platform, Infosec Skills Roles helps organizations upskill and cross-train talent for open security roles while also improving engagement and performance.

Today there are over 600,000 unfilled cybersecurity roles in the U.S., with more than half requiring at least one certification. As critical cybersecurity roles remain unfilled and technology change continues to outpace skill development, organizations are increasingly vulnerable to today’s record number of cyber threats. Additionally, security leaders face increasing pressure to prevent and mitigate cyberattacks with overburdened cyber teams, inadequate training programs and limited resources.

To help cyber leaders upskill and cross-train talent quickly, Infosec Skills Roles provide training recommendations for 12 of the most common cybersecurity positions, enabling enterprises to upskill and reskill cyber talent at scale and individuals to break into the industry. Backed by research into the skills requested by employers and by a panel of cybersecurity subject matter experts, each of the 12 Infosec Skills Roles clearly outlines which training and certifications are needed, so learners can focus on the most important areas to strengthen and security leaders can fill skill gaps on their teams.

Recently named a Leader in IT Training by IDC MarketScape, the Infosec Skills platform offers 1,400+ hands-on cybersecurity courses and cyber ranges mapped to the NICE Workforce Framework for Cybersecurity and the MITRE ATT&CK® Matrix. Infosec Skills helps cyber leaders prepare teams for ATT&CK tactics, guide team development and fast-track certification, with over 80% of learners reporting improved skills and abilities.

Infosec Skills Roles will be showcased at the upcoming RSA Conference, June 6-9 in San Francisco, CA, and at the Gartner Security & Risk Management Summit, June 7-9 in National Harbor, MD. Individuals are encouraged to explore Infosec Skills Roles firsthand and take Infosec’s new #MyCyberRole quiz, which provides a custom role recommendation and a trial Infosec Skills subscription to start training towards their newly matched role.

Explore Infosec Skills Roles.