Newsletter
01.25.2022 | 4 min read
Behind the unsolvable security skills shortage
Monday blues.
My recent feature on the ‘great resignation’ and labor shortage in cybersecurity touched off a series of conversations with CISOs on leadership, workplace culture, remote work pros-and-cons, and the tough decisions that must be made to slow the exodus of talent.
These conversations have confirmed a very jarring reality: The skills shortage in cybersecurity will never be solved.
Let’s keep it a buck:
- The .gov sector simply can’t afford high-quality talent on public service salary scales. Fully aware of this, the government is banking on a “sense of mission” to attract (mostly junior) staff. As soon as they’re senior enough, they leave for Silicon Valley’s rich RSU packages.
- A handful of BigCos are paying super-salaries to snap up proven security-conscious engineers and architects, creating a dangerous world of “haves” and “have nots.”
- The rest of the ecosystem, starved for talent, must outsource security and/or turn to AI/ML algorithms to backfill security posts.
- Senior engineers, bored from maintaining and supporting the AI/ML algorithms and tools, look externally for new challenges.
Now we’re back to square one with nonstop resignations, demands for re-negotiations and staff churn at unimaginable levels.
Separately, the Bill Gates Trustworthy Computing memo is 20 years old. That document helped to create and sustain successful careers for many of us.
Remember to patch and reboot your iPhones.
_ryan
- The SecurityWeek Ransomware Resilience & Recovery Summit (tomorrow, Jan 26th) will include a fireside chat with Coveware CEO Bill Siegel on the murky world of negotiating ransom payments; and a CISO panel discussion on a robust ransomware recovery playbook. Listen in here.
UEFI implant in the wild.
Malware hunters at Kaspersky GReAT are showing their notes on a new UEFI implant being used by a prolific Chinese nation-state APT actor:
- Here’s the Kaspersky technical report (pdf) documenting the firmware implant being used to maintain stealthy persistence across reboots, disk formatting or disk replacements.
- Binarly publishes follow-up research with a discussion of multiple infection delivery paths.
- This is the third known case of a firmware bootkit in the wild.
- Eclypsium weighs in on the recently discovered HP iLO compromise.
Must-read headlines.
- Kim Zetter with a fantastic scoop on Joe Grand’s work hacking into a hardware wallet to retrieve $2 million in cryptocurrency. Here’s a video from Joe documenting the project.
- ESET finds a watering hole attack deploying a new macOS malware.
- CISA has added four new CVEs to its “known exploited vulnerabilities” list.
- Bloomberg Law reports on Merck’s $1.4 billion insurance legal victory in the NotPetya ‘act-of-war’ ransomware case.
- Apple says it never intended iOS 14 security updates to last forever. Google is having the same PR nightmare with Pixel and lack of security support.
Research projects.
- Project Zero’s Natalie Silvanovich conducts a black-box audit of the Zoom videoconferencing platform and finds a pair of security vulnerabilities, along with the absence of ASLR support.
- Wearing Many Hats is a paper that attempts to set the historical record of the birth and professionalization of the cybersecurity industry.
- Shubs Shah has found hardcoded credentials in the Solarwinds Web Help Desk product. “These hardcoded credentials enabled access to sensitive controllers that were capable of executing arbitrary HQL queries. Through this vulnerability, an attacker could extract, update, delete, or insert almost any information in the database.”
- The U.K. government’s NCSC plans to ship Scanning Made Easy (SME), a collection of NMAP Scripting Engine scripts designed to help find systems with specific, high-impact vulnerabilities.
- Ibukun Oyewumi shares the top-10 security best practices for securing backups in AWS.
- Lyft’s engineering team on how to improve web vulnerability management through automation.
- JupiterOne’s Kenneth Kaye on red-teaming.
- Intel471 looks at the signals from Russia’s crackdown on REvil and argues that this won’t result in much change in the ransomware-as-a-service ecosystem.
Sponsored.
- Using Symmetry DataGuard, cloud-security teams tighten IAM policies around data, incident response teams know precisely what data objects are involved in a breach, and governance teams audit every access across every data store. Schedule a demo.
- This guy reverse-engineered the Wordle source code and built a bot to publish spoilers. He was promptly banned from Twitter. Good.