Light Dark
July 3, 2018 By Douglas Bonderud 4 min read
CISO
Data Protection
Fraud Protection

In June’s cybersecurity news, the cyberskills gap is growing and social engineering schemes like phishing attacks remain a top threat vector — especially during high-profile events such as the World Cup.

All this is just a reminder that people are the weakest link. Without enough security professionals to train the next generation of tech-savvy employees, companies are at risk.

Many of the topics we covered in June include actionable advice to help both security leaders and aspiring IT professionals navigate the evolving cybersecurity career pathway — not to mention tips to stay safe online while rooting for your favorite soccer team.

Cybercriminals Score Big on Social Engineering Schemes

High-profile sporting events draw threat actors looking to capitalize on lax cybersecurity, reinforcing the critical role of security experts in educating users and improving network defense.

During this month’s World Cup in Russia, fans, athletes and venues are all under increased threat. Fans in the stands could be duped by insecure Wi-Fi networks, for example, while those at home should be wary of fraudulent emails promising tickets or other World Cup-related windfalls.

IBM X-Force researchers recently observed attackers out in full force with phishing campaigns, including:

  • Financial scams: Using the brand name and logo of popular sponsors, criminals claim users have won prize money. They’re then directed to a malicious site and asked to prepay a small fee by providing their financial information. Instead, the fee disappears and the windfall never materializes.
  • Social engineering efforts: Other threat actors are masquerading as World Cup organizing body FIFA. Using blurry logos and long-winded text, they attempt to convince users that they’ve won an online lottery. The attackers then ask for contact details, which they will likely use for long-term social engineering scams.
  • Fake goods: Attackers are also sending out emails selling everything from knock-off soccer jerseys to auto parts. Best case: Buyers get low-quality replica apparel. Worst case: They get nothing while cybercriminals make off with their credit card or banking information.

Athletes, meanwhile, may be compromised by nation-state or malicious actors who support competing teams. To maintain security at the World Cup, soccer franchises should consider employing a team chief information security officer (CISO), creating secure team networks and asking players to reduce their social media use immediately before and during competition. Venues should be prepared for large-scale cyberattacks and employ trusted security vendors to help identify threats and isolate systems as required.

Promoting Security Education to Close the Skills Gap

These days there simply aren’t enough cybersecurity professionals to go around. As a result, organizations are looking for ways to widen the funnel and encourage security education.

The Girl Scouts of America are hoping to bolster the ranks of science, technology, engineering and mathematics (STEM) professionals by giving young girls the opportunity to engage with new technologies. According to Kymberly Miller, senior director at Girl Scouts of Northern California, who participated in a recent SecurityIntelligence podcast, many girls shy away from trying new things by age six.

Girl Scouts’ leadership, recognizing that “understanding cybersecurity and knowing how to prevent hacks is a life skill,” created the STEM badge program. This program offers a mix of hands-on experience and direct reinforcement from instructors to boost girls’ confidence and help pave a new cybersecurity career pathway.

In another recent podcast, Pete Herzog, co-founder of online learning platform Hacker Highschool, and Heather Ricciuto, academic outreach leader at IBM Security, noted that the earlier students are equipped with cybersecurity knowledge, the better. While some critics argue that knowledge of hacking techniques is dangerous, Hacker Highschool focuses on giving teens enough information to recognize technology threats in their everyday lives. The goal is to encourage students to use their knowledge for good and develop the skills to help make the world a safer place.

Speaking of safety, the evolution of business campuses into digital-first, barrier-free learning environments comes with a unique set of security challenges. Doors may be left unlocked and intellectual property left on full display as hundreds of professionals share lunch and trade ideas over Wi-Fi and in person. Needless to say, this creates a potentially hazardous security environment.

While IT professionals can’t fight the transition to open campus environments, it’s possible to limit total risk by:

  • Changing Wi-Fi: Segment corporate Wi-Fi across buildings or quadrants and use separate private cloud servers for guest Wi-Fi to reduce the chance of a network breach.
  • Letting IT teams roam free: Give IT professionals Raspberry Pi, high-gain antennas or access to Metasploit, and let security teams run wild to discover where flaws exist.
  • Leveraging artificial intelligence (AI): Threat modeling on an open campus requires an open mind — and potentially an artificial one. Advances in AI now offer the potential for fluid threat monitoring that adapts to emerging situations rather than relying on static predictions.

Creating a New Cybersecurity Career Pathway

To address the growing cybersecurity skills gap, companies are changing the way they assess and recruit potential hires. The biggest shift here lies with “new collar” jobs: Organizations are recruiting candidates that may lack traditional college degrees but possess the necessary skills to work in cybersecurity to help alleviate the talent shortage. If prospective candidates are driven to explore, adept at solving problems, ready to learn and willing to work with others, they’ve already laid the groundwork to leap into cybersecurity. Given the emergence of new training programs, such as IBM’s P-TECH, there’s more opportunity than ever for motivated employees to launch security careers.

Consider the case of cybersecurity activist Cris Thomas, who goes by the pseudonym Space Rogue. He’s now the global strategy lead at IBM X-Force Red, a group of white-hat hackers who exploit corporate vulnerabilities to help companies improve network security.

Their work is simple and effective: Recently, an IBM X-Force Red team tailgated its way into corporate offices by dressing like other staff members while carrying a box of donuts along with their testing gear. Once inside, they set up shop in an empty conference room, put up a sign saying they were conducting a network test and then penetrated the company network unchallenged. For Space Rogue, it’s all about educating organizations and elected officials alike to help limit the impact of cybersecurity issues.

Won’t You Be My Neighbor?

The cybersecurity career pathway can be lonely at times. Unlike other professions that have well-defined certification processes, job descriptions and skills requirements, IT security is constantly changing — forcing experts to fight fires with minimal C-suite support and without comprehensive training.

For this reason, community is a valuable lifeline for cybersecurity experts. New initiatives like the IBM Security Community enable IT experts to easily connect with each other to troubleshoot, share learning, discuss defensive strategies and even provide emotional support.

From early education efforts to new collar hiring initiatives and the emergence of security communities, it’s clear that there’s a critical shift underway in the cybersecurity field. As threats continue to evolve and the IT talent gap grows, stay tuned to see how these efforts play out in the ever-intensifying war against cybercrime.

 |  |  |  |  |  |  |  |  |  |  |  |  | 
Douglas Bonderud
Freelance Writer

More from CISO
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

April 2, 2024

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature