Joseph Steinberg

Joseph Steinberg is a master of cybersecurity. He is one of very few people to hold the suite of security certifications including: CISSP®, ISSAP®, ISSMP®, and CSSLP®. Joseph has written several books on cybersecurity, including the previous edition of Cybersecurity For Dummies. He is currently a consultant on information security, and serves as an expert witness in related matters.

Articles From Joseph Steinberg

What Is Cybersecurity?

Article / Updated 08-31-2023

While cybersecurity may sound like a simple enough term to define, in practice it means quite different things to different people in different situations, leading to extremely varied policies, procedures, and practices. An individual who wants to protect their social media accounts from hacker takeovers, for example, is exceedingly unlikely to adopt many of the cybersecurity approaches and technologies used by Pentagon workers to secure classified networks.

Typically, cybersecurity means the following:

- For individuals, cybersecurity means that their personal data is not accessible to anyone other than themselves and others they have authorized, and that their computing devices work properly and are free from malware.
- For small business owners, cybersecurity may include ensuring that credit card data is properly protected and that standards for data security are properly implemented at point-of-sale registers.
- For firms conducting online business, cybersecurity may include protecting servers that untrusted outsiders regularly interact with.
- For shared service providers, cybersecurity may entail protecting numerous data centers that house numerous servers that, in turn, host many virtual servers belonging to many different organizations.
- For the government, cybersecurity may include establishing different classifications of data, each with its own set of related laws, policies, procedures, and technologies.

The bottom line is that while the word cybersecurity is easy to define, the practical expectations that enter people's minds when they hear the word vary quite a bit.

Technically speaking, cybersecurity is the subset of information security that addresses information and information systems that store and process data in electronic form, whereas information security encompasses the security of all forms of data (for example, securing a paper file and a filing cabinet).

That said, today many people colloquially interchange the terms, often referring to aspects of information security that are technically not part of cybersecurity as being part of the latter. Such usage also results from the blending of the two in many situations. For example, if someone writes down a password on a piece of paper and leaves the paper on their desk where other people can see it, instead of placing the paper in a safe or safe deposit box, they have violated a principle of information security, not of cybersecurity, even though their actions may have serious cybersecurity repercussions.

The risks that cybersecurity mitigates

People sometimes explain the reason that cybersecurity is important as being "because it prevents hackers from breaking into systems and stealing data and money." But such a description dramatically understates the role that cybersecurity plays in keeping the modern home, business, or even world running. In fact, the role of cybersecurity can be looked at from a variety of vantage points, each presenting a different set of goals. The following lists aren't complete, but they should provide food for thought and underscore the importance of understanding how to cybersecure yourself and your loved ones.

The goal of cybersecurity: The CIA triad

Cybersecurity professionals often explain that the goal of cybersecurity is to ensure the Confidentiality, Integrity, and Availability (CIA) of data, sometimes referred to as the CIA Triad, with the pun lovingly intended:

Confidentiality refers to ensuring that information isn't disclosed or in any other way made available to unauthorized entities (including people, organizations, or computer processes). Don't confuse confidentiality with privacy: confidentiality is a subset of the realm of privacy. It deals specifically with protecting data from unauthorized viewers, whereas privacy in general encompasses much more. Hackers that steal data undermine confidentiality.

Integrity refers to ensuring that data is both accurate and complete. Accurate means, for example, that the data is never modified in any way by an unauthorized party or by a technical glitch. Complete means, for example, that no portion of the data has been removed by an unauthorized party or by a technical glitch. Integrity also includes ensuring nonrepudiation, meaning that data is created and handled in such a fashion that nobody can reasonably argue that the data is not authentic or is inaccurate. Cyberattacks that intercept data and modify it before relaying it to its destination (sometimes known as man-in-the-middle attacks) undermine integrity.

Availability refers to ensuring that information, the systems used to store and process it, the communication mechanisms used to access and relay it, and all associated security controls function correctly to meet some specific benchmark (for example, 99.99 percent uptime). People outside the cybersecurity field sometimes think of availability as a secondary aspect of information security after confidentiality and integrity. In fact, ensuring availability is an integral part of cybersecurity. Doing so, though, is sometimes more difficult than ensuring confidentiality or integrity. One reason is that maintaining availability often requires involving many more non-cybersecurity professionals, leading to a "too many cooks in the kitchen" type of challenge, especially in larger organizations. Distributed Denial of Service (DDoS) attacks attempt to undermine availability. Consider, too, that attackers often launch DDoS attacks using large amounts of stolen computing power and bandwidth, whereas the responders who seek to ensure availability can only leverage the relatively small amount of resources that they can afford.
What cybersecurity means from a human perspective

The risks that cybersecurity addresses can also be thought of in terms that better reflect the human experience:

Privacy risks: Risks emanating from the potential loss of adequate control over, or misuse of, personal or other confidential information.

Financial risks: Risks of financial losses due to hacking. Financial losses can include both those that are direct (for example, the theft of money from someone's bank account by a hacker who broke into the account) and those that are indirect, such as the loss of customers who no longer trust a small business after it suffers a security breach.

Professional risks: Risks to one's professional career that stem from breaches. Obviously, cybersecurity professionals are at risk of career damage if a breach occurs on their watch and is determined to have happened due to negligence, but other types of professionals can suffer career harm due to a breach as well. C-level executives can be fired, board members can be sued, and so on. Professional damage can also occur if hackers release private communications or data that shows someone in a bad light, for example, records that a person was disciplined for some inappropriate action, sent an email containing objectionable material, and so on.

Business risks: Risks to a business similar to the professional risks to an individual. Internal documents leaked after the breach of Sony Pictures painted the firm in a negative light vis-à-vis some of its compensation practices.

Personal risks: Many people store private information on their electronic devices, from explicit photos to records of participation in activities that may not be deemed respectable by members of their respective social circles. Such data can cause significant harm to personal relationships if it leaks. Likewise, stolen personal data can help criminals steal people's identities, which can result in all sorts of personal problems.

Ultimately, cybersecurity will have different implications depending on the industry you're operating in and the challenges you are facing.

Cybersecurity All-in-One For Dummies Cheat Sheet

Cheat Sheet / Updated 01-10-2023

To cyber-protect your personal and business data, make sure everyone at home and at work recognizes that they are a target. People who believe that hackers want to breach their computers and phones and that cyber criminals want to steal their data act differently than people who do not understand the true nature of the threat. Many businesses use security awareness programs to improve security-related behaviors.

Cybersecurity For Dummies Cheat Sheet

Cheat Sheet / Updated 10-19-2022

Some scams cyber-criminals use to target online shoppers seem to persist for years. This likely indicates that people are continuously falling prey to the scams, thereby encouraging criminals to keep using the same forms of trickery over and over. Look here to discover some straightforward tips on how to keep yourself — and your loved ones — safe when using the internet to shop, as well as how to avoid common cybersecurity mistakes.

User-Specific Cybersecurity Policies

Article / Updated 12-07-2021

Businesses of all sizes that have employees need an employee handbook that includes specific rules regarding employee usage of business technology systems and data. If you hope to enforce effective cybersecurity policy, you'll need to ensure that you have the appropriate rules in place and that employees are properly trained. The following are examples of rules and cybersecurity policies that businesses can implement to govern the use of company technology resources:

- Employees are expected to use technology responsibly, appropriately, and productively, as necessary to perform their professional responsibilities.
- Company devices, as well as the company internet access and email provided to employees by the company, are for job-related activities. Minimal personal use is acceptable provided that it does not violate any other company rule and does not interfere with the employee's work.
- Each employee is responsible for any computer hardware and software provided to them by the company, including safeguarding such items from theft, loss, or damage.
- Each employee is responsible for the accounts provided to them by the company, including safeguarding access to those accounts.
- Employees are strictly prohibited from sharing any company-provided items used for authentication (passwords, hardware authentication devices, PINs, and so on) and are responsible for safeguarding such items.
- Employees are strictly prohibited from connecting any networking devices, such as routers, access points, range extenders, and so on, to company networks unless explicitly authorized to do so by the company's CEO. Likewise, employees are strictly prohibited from connecting any personal computers or electronic devices, including any Internet of Things (IoT) devices, to company networks other than the Guest network, under the conditions stated explicitly in the Bring Your Own Device (BYOD) policy.
- Employees are responsible for making sure that security software is running on all company-provided devices. The company will provide such software, but it is beyond the company's ability to check that such systems are always functioning as expected. Employees may not deactivate or otherwise cripple such security systems, and must promptly notify the company's IT department if they suspect that any portion of the security systems may be compromised, nonfunctioning, or malfunctioning.
- Employees are responsible for making sure that security software is kept up to date. Likewise, employees are responsible for keeping their devices up to date with the latest operating system, driver, and application patches when vendors issue such patches. All company-issued devices come equipped with Auto-Update enabled; employees must not disable this feature.
- Performing any illegal activity, whether the act involved is a felony, a misdemeanor, or a violation of civil law, is strictly prohibited. This rule applies to federal, state, and local law in any area and at any time in which the employee is subject to such laws.
- Copyrighted materials belonging to any party other than the company or the employee may not be stored or transmitted by the employee on company equipment without the explicit written permission of the copyright holder. Material that the company has licensed may be transmitted as permitted by the relevant licenses.
- Sending mass unsolicited emails (spamming) is prohibited.
- The use of company resources to perform any task that is inconsistent with the company's mission, even if the task is not technically illegal, is prohibited. This includes but is not limited to accessing or transmitting sexually explicit material, vulgarities, hate speech, defamatory materials, discriminatory materials, images or descriptions of violence, threats, cyberbullying, hacking-related material, stolen material, and so on. The previous rule shall not apply to employees whose job entails working with such material, but only to the extent reasonably needed for them to perform the duties of their jobs. For example, personnel responsible for configuring the company's email filter may, without violating the preceding rule, email one another about adding various terms related to hate speech and vulgarities to the filter configuration.
- No company devices equipped with Wi-Fi or cellular communication capabilities may be turned on in China or Russia without explicit written permission from the company's CEO. Loaner devices will be made available for employees making trips to those regions. Any personal device turned on in those regions may not be connected to the Guest network (or any other company network).
- All use of public Wi-Fi with corporate devices must comply with the company's public Wi-Fi policies.
- Employees must back up their computers by using the company's backup system as discussed in the company's backup policy. Employees may not copy or otherwise back up data from company devices to their personal computers and/or storage devices.
- Any and all passwords for any and all systems used as part of an employee's job must be unique and not reused on any other systems.
- All such passwords must either consist of three or more words, at least one of which is not found in the English dictionary, joined together with numbers or special characters, or meet all of the following conditions:
  - Contain eight characters or more, with at least one uppercase character
  - Contain at least one lowercase character
  - Contain at least one number
  - Not contain any words that can be found in an English dictionary
  Names of relatives, friends, or colleagues may not be used as part of any password.
- Data may be taken out of the office for business purposes only and must be encrypted prior to removal. This rule applies whether the data is on a hard drive, SSD, CD/DVD, USB drive, or any other media, or is transmitted over the internet. Any and all such data must be returned to the office (or, at the company's sole discretion, destroyed) immediately after its remote use is complete or upon the employee's termination of employment, whichever is sooner.
- In the event of a breach or other cybersecurity event, or of any natural or manmade disaster, no employees other than the company's officially designated spokesperson may speak to the media on behalf of the company.
- No devices from any manufacturer that the FBI or other United States federal law enforcement and intelligence agencies have warned they believe foreign governments are using to spy on Americans may be connected to any company network (including the guest network) or brought into the company's physical offices.

It's a good idea to customize these policies to accommodate your organization and industry, but they will act as a good start as you get up and running with your cybersecurity efforts.
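The either/or password rule above can be checked mechanically, and doing so exposes the parts of the rule that need interpreting. The following Python is an added example written for this page, not code from the article or its author. The tiny ENGLISH_WORDS and FORBIDDEN_NAMES sets are constructed stand-ins for a real dictionary and a per-employee "do not use" name list, and the four-letter minimum for something to count as a "word" is an interpretation the policy text leaves open.

```python
import re
import string

# Constructed stand-ins for the lists a real deployment would load: a full
# English dictionary and each employee's "do not use" names (relatives,
# friends, colleagues). Both are assumptions for this example.
ENGLISH_WORDS = {"correct", "horse", "battery", "staple", "password",
                 "summer", "welcome", "admin", "letmein"}
FORBIDDEN_NAMES = {"alice", "bob", "carol"}

# A "word" must be at least this long to count toward the three-word rule;
# the policy text does not say, so this is an interpretation.
MIN_WORD_LEN = 4
# The policy says words are "joined together with numbers or special
# characters"; whitespace is therefore not accepted as a joiner.
JOINERS = set(string.digits + string.punctuation)


def _words(password):
    """Alphabetic runs in the password, in order."""
    return re.findall(r"[A-Za-z]+", password)


def _joiners(password):
    """Non-alphabetic runs between (or around) the words."""
    return re.findall(r"[^A-Za-z]+", password)


def _contains_dictionary_word(password):
    lower = password.lower()
    return any(word in lower for word in ENGLISH_WORDS)


def _contains_forbidden_name(password):
    lower = password.lower()
    return any(name in lower for name in FORBIDDEN_NAMES)


def satisfies_passphrase_rule(password):
    """Three or more words, at least one not in the dictionary, joined by
    numbers or special characters, and no forbidden names."""
    words = [w for w in _words(password) if len(w) >= MIN_WORD_LEN]
    if len(words) < 3:
        return False
    joiners = _joiners(password)
    if not joiners or any(not set(j) <= JOINERS for j in joiners):
        return False
    if all(w.lower() in ENGLISH_WORDS for w in words):
        return False
    return not _contains_forbidden_name(password)


def satisfies_complexity_rule(password):
    """Eight or more characters with upper, lower and a digit, no dictionary
    words anywhere in the string, and no forbidden names."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and not _contains_dictionary_word(password)
        and not _contains_forbidden_name(password)
    )


def check_password(password):
    """Apply the article's either/or rule. Returns (accepted, reason).
    Reuse across systems cannot be judged from the new password alone and is
    left to the credential store."""
    if satisfies_passphrase_rule(password):
        return True, "accepted under the passphrase rule"
    if satisfies_complexity_rule(password):
        return True, "accepted under the complexity rule"
    return False, "rejected: satisfies neither the passphrase rule nor the complexity rule"


if __name__ == "__main__":
    for candidate in ("Correct-Horse-Battery!Quorbix", "correct-horse-battery",
                      "Xq7!pLz9mV", "Password1!", "Alice2024!x"):
        print(f"{candidate!r}: {check_password(candidate)[1]}")
```

Run as a script, it prints a verdict for each of the five constructed candidates. Two things the checker deliberately does not do: the uniqueness rule (no reuse on other systems) can only be enforced where credentials are stored, or against a breached-password list, never by inspecting the new password alone; and the dictionary test is a substring match, so "Password1!" fails the complexity rule even though it has the right character classes, which is the strictness the policy's "not contain any words" wording asks for.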

Types of Social Engineering Attacks

Article / Updated 12-07-2021

Believe it or not, many modern cyberattacks aren't conducted with futuristic technology and ultra-advanced hacking skills. Often, cyberattacks still use good old-fashioned social engineering. The following information details the different types of social engineering attacks.

Phishing attacks are one of the most common forms of social engineering attacks. The following image shows an example of a phishing email. Phishing attacks sometimes utilize a technique called pretexting, in which the criminal sending the phishing email fabricates a situation that both gains the targets' trust and underscores the supposed need for the intended victims to act quickly. In the phishing email shown, note that the sender, impersonating Wells Fargo bank, included a link to the real Wells Fargo within the email, but failed to properly disguise the sending address.

Common forms of social engineering attacks include spear phishing emails, smishing, spear smishing, vishing, spear vishing, and CEO fraud.

Phishing

Phishing refers to an attempt to convince a person to take some action by impersonating a trustworthy party that reasonably may legitimately ask the user to take such action. For example, a criminal may send an email that appears to have been sent by a major bank and that asks the recipient to click on a link in order to reset his or her password due to a possible data breach. When the user clicks the link, they are directed to a website that appears to belong to the bank but is actually a replica run by the criminal. The criminal then uses the fraudulent website to collect usernames and passwords for the banking site.

Spear phishing

Spear phishing refers to phishing attacks that are designed and sent to target a specific person, business, or organization. If a criminal seeks to obtain credentials for a specific company's email system, for example, they may send emails crafted specifically for particular targeted individuals within the organization. Often, criminals who spear phish research their targets online and leverage overshared information on social media in order to craft especially legitimate-sounding emails. For example, the following type of email is typically a lot more convincing than "Please login to the mail server and reset your password.":

"Hi, I am going to be getting on my flight in ten minutes. Can you please login to the Exchange server and check when my meeting is? For some reason, I cannot get in. You can try to call me by phone first for security reasons, but, if you miss me, just go ahead, check the information, and email it to me — as you know that I am getting on a flight that is about to take off."

CEO fraud

CEO fraud is a social engineering attack that is similar to spear phishing in that it involves a criminal impersonating the CEO or another senior executive of a particular business, but the instructions provided by "the CEO" may be to take an action directly rather than to log in to a system, and the goal may not be to capture usernames and passwords or the like. The crook, for example, may send an email to the firm's CFO instructing them to issue a wire payment to a particular new vendor, or to send all of the organization's W-2 forms for the year to a particular email address supposedly belonging to the firm's accountant. CEO fraud often nets significant returns for criminals and makes employees who fall for the scams appear incompetent. As a result, people who fall prey to such scams are often fired from their jobs.

Smishing

Smishing refers to cases of phishing in which the attackers deliver their messages via text messages (SMS) rather than email. The goal may be to capture usernames and passwords or to trick the user into installing malware.

Vishing

Vishing, or voice-based phishing, is phishing via POTS, which stands for "plain old telephone service." Yes, criminals use old, time-tested methods for scamming people. Today, most such calls are transmitted by voice over IP systems, but, in the end, the scammers are calling people on regular telephones much the same way that scammers have been doing for decades.

Whaling

Whaling refers to spear phishing that targets high-profile business executives or government officials.

Tampering

Sometimes attackers don't want to disrupt an organization's normal activities, but instead seek to exploit those activities for financial gain. Often, crooks achieve such objectives by manipulating data in transit, or as it resides on their targets' systems, in a process known as tampering. In a basic case of tampering with data in transit, for example, imagine that a user of online banking has instructed their bank to wire money to a particular account, but somehow a criminal intercepted the request and changed the relevant routing and account numbers to their own. A criminal may also hack into a system and manipulate stored information for similar purposes. Using the previous example, imagine that a criminal changed the payment details associated with a particular payee so that when the Accounts Payable department makes an online payment, the funds are sent to the wrong destination (wrong, at least, in the eyes of the payer).

Other social engineering attacks

Additional types of social engineering attacks are popular as well:

Baiting: An attacker sends an email or chat message, or even makes a social media post, that promises someone a reward in exchange for taking some action, for example, telling a target that if they complete a survey, they will receive a free item. Sometimes such promises are real, but often they're not and are simply ways of incentivizing someone to take a specific action that they would not take otherwise. Sometimes such scammers seek payment of a small shipping fee for the prize, sometimes they distribute malware, and sometimes they collect sensitive information. There is even malware that baits. Don't confuse baiting with scambaiting. The latter refers to a form of vigilantism in which people pretend to be gullible would-be victims and waste scammers' time and resources through repeated interactions, as well as (sometimes) collect intelligence about the scammer that can be turned over to law enforcement or published on the Internet to warn others.

Quid pro quo: The attacker states that they need the person to take an action in order to render a service for the intended victim. For example, an attacker may pretend to be an IT support manager offering assistance to an employee in installing a new security software update. If the employee cooperates, the criminal walks them through the process of installing malware.

Social media impersonation: Some attackers impersonate people on social media in order to establish social media connections with their victims. The parties being impersonated may be real people or nonexistent entities. The scammers behind the impersonation shown below, and many other such accounts, frequently contact the people who follow the accounts, pretending to be the author, and request that the followers make various "investments."

Tantalizing emails: These emails attempt to trick people into running malware or clicking on poisoned links by exploiting their curiosity, sexual desires, and other characteristics.

Tailgating: Tailgating is a physical form of social engineering attack in which the attacker accompanies authorized personnel as they approach a doorway that they, but not the attacker, are authorized to pass, and tricks them into letting the attacker through with them. The attacker may pretend to be searching through a purse for an access card, claim to have forgotten their card, or simply act sociable and follow the authorized party in.

False alarms: Raising false alarms can also socially engineer people into allowing unauthorized people to do things that they should not be allowed to do. Consider the case in which an attacker pulls the fire alarm inside a building and manages to enter normally secured areas through an emergency door that someone else used to quickly exit due to the so-called emergency.

Water holing: Water holing combines hacking and social engineering by exploiting the fact that people trust certain parties, so, for example, they may click on links when viewing that party's website even if they'd never click on links in an email or text message. Criminals may launch a watering hole attack by breaching the relevant site and inserting poisoned links on it (or even depositing malware directly onto it).

Virus hoaxes: Criminals exploit the fact that people are concerned about cybersecurity and are likely to pay undeserved attention to messages they receive warning about a cyberdanger. Virus hoax emails may contain poisoned links, direct a user to download software, or instruct a user to contact IT support via some email address or web page. These attacks come in many flavors: some attackers distribute them as mass emails, while others send them in a highly targeted fashion. Some people consider scareware, which scares users into believing that they need to purchase some particular security software, to be a form of virus hoax. Others do not, because scareware's "scaring" is done by malware that is already installed, not by a hoax message that pretends that malware is already installed.

Technical failures: Criminals can easily exploit humans' annoyance with technology problems to undermine various security technologies. For example, if a criminal impersonating a website that normally displays a security image in a particular area places a "broken image" symbol in the same area of the clone website, many users will not perceive danger, as they are accustomed to seeing broken-image symbols and associate them with technical failures rather than security risks.
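Both the integrity discussion under the CIA triad earlier on this page (data modified in transit by a man-in-the-middle) and the tampering scenario above (a wire instruction whose routing and account numbers are rewritten en route) come down to the same control: the receiver must be able to tell that the instruction it received is the one the sender issued. The following Python is an added example for this page, not code from the article or from any bank. The shared key, the wire instruction, the routing and account numbers, and all function names are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo key shared by the client and the bank's back end. In a real
# deployment this comes from a key store, never from source code.
SHARED_KEY = b"demo-only-shared-key"


def canonical(payload):
    """Deterministic bytes for MACing: sorted keys, no whitespace, so both
    ends compute the tag over exactly the same representation."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def seal(payload, key=SHARED_KEY):
    """Sender side: attach an HMAC-SHA256 tag over the whole instruction."""
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": dict(payload), "tag": tag}


def verify(message, key=SHARED_KEY):
    """Receiver side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical(message["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["tag"])


def intercept_and_modify(message, **changes):
    """The man-in-the-middle from the text: rewrite chosen fields of the
    instruction while it is in transit, leaving everything else intact."""
    tampered = {"payload": dict(message["payload"]), "tag": message["tag"]}
    tampered["payload"].update(changes)
    return tampered


def process_wire_unprotected(payload):
    """A receiver that trusts whatever arrives (the vulnerable path)."""
    return f"released {payload['amount']} to {payload['routing']}/{payload['account']}"


def process_wire(message, key=SHARED_KEY):
    """The hardened path: refuse to act unless the tag verifies."""
    if not verify(message, key):
        return "rejected: integrity check failed"
    return process_wire_unprotected(message["payload"])


# Constructed sample instruction (routing and account numbers are made up).
WIRE = {"payee": "Acme Supplies", "routing": "999999999",
        "account": "000111222", "amount": "25000.00"}
ATTACKER_ACCOUNT = "666000999"


def demo():
    """Returns (unprotected outcome, protected outcome) for the same tampering."""
    message = seal(WIRE)
    tampered = intercept_and_modify(message, account=ATTACKER_ACCOUNT)
    return process_wire_unprotected(tampered["payload"]), process_wire(tampered)


if __name__ == "__main__":
    unprotected, protected = demo()
    print("without MAC:", unprotected)
    print("with MAC:   ", protected)
```

The unprotected receiver releases the funds to the attacker's account; the protected one rejects the identical message because the tag no longer matches the bytes it covers, and the attacker cannot forge a fresh tag without the key. Two caveats a practitioner should keep in mind: a MAC alone does not prevent replay of a genuine instruction (add a nonce or timestamp the receiver tracks), and it does nothing against the second scenario in the text, where the payee record is altered at rest before any instruction is issued. That case needs the stored record itself sealed or signed, plus a second person approving changes to payee details.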
6 principles social engineers exploit

Social psychologist Robert Beno Cialdini, in his 1984 work Influence: The Psychology of Persuasion (published by HarperCollins), explains six basic concepts that people seeking to influence others often leverage. Social engineers seeking to trick people often exploit these same six principles, so here's a quick overview of them in the context of information security. The following list helps you understand and internalize the methods social engineers are likely to use to try to gain your trust:

Social proof: People tend to do things that they see other people doing.

Reciprocity: People, in general, often believe that if someone did something nice for them, they owe it to that person to do something nice back.

Authority: People tend to obey authority figures, even when they disagree with the authority figures and even when they think what they're being asked to do is objectionable.

Likeability: People are, generally speaking, more easily persuaded by people whom they like than by others.

Consistency and commitment: If people make a commitment to accomplish some goal and internalize that commitment, it becomes part of their self-image, and they're likely to attempt to follow through on it.

Scarcity: If people think that a particular resource is scarce, regardless of whether it actually is scarce, they will want it, even if they don't need it.

It's important to train end users to recognize social engineering attacks to help protect your organization and ensure effective cybersecurity practices.
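The phishing email described at the start of this article (a display name claiming Wells Fargo, a sending address the attacker failed to disguise, a link to the real bank alongside the lure, and pretexting language) can be checked mechanically for exactly those signals. The following Python is an added example for this page, not code from the article, its author, or Wells Fargo. The sample message is constructed to match the description, the BRAND_DOMAINS table and the urgency phrase list are assumptions, and registrable() is a deliberately crude stand-in for a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand names a display name might claim, mapped to the domain the brand really
# uses. Constructed for this example; a deployment keeps a maintained table.
BRAND_DOMAINS = {"wells fargo": "wellsfargo.com"}

# Pretexting vocabulary (the manufactured urgency the article describes).
URGENCY = re.compile(
    r"\b(within 24 hours|immediately|suspended|verify your account|unusual activity)\b",
    re.IGNORECASE,
)

# Constructed sample modelled on the article's description: the display name
# says Wells Fargo, the sending address does not, one link goes to the real
# site and one to a lookalike host. The .example TLD is reserved, so the
# lookalike never resolves.
SAMPLE = """\
From: "Wells Fargo Online" <alerts@wellsfargo-secure-notice.example>
To: customer@example.org
Subject: Unusual activity on your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Verify your account within 24 hours
or it will be suspended.</p>
<p><a href="https://www.wellsfargo.com/privacy-security/">Security Center</a></p>
<p><a href="http://wellsfargo.com.verify-login.example/reset">Reset your password</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects href targets of <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def registrable(host):
    """Crude registered-domain guess: the last two labels. Real code should
    consult the Public Suffix List (for example via tldextract); assumption."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw):
    """Return a list of findings for one RFC 5322 message; empty means clean
    under these checks, which is not the same as safe."""
    msg = message_from_string(raw, policy=default)
    findings = []

    # Signal 1: display name claims a brand, sending domain is not the brand's.
    display, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claimed = next((b for b in BRAND_DOMAINS if b in display.lower()), None)
    if claimed and registrable(sender_domain) != BRAND_DOMAINS[claimed]:
        findings.append(
            f"display name claims {claimed!r} but sender domain is {sender_domain}"
        )

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""

    # Signal 2: any link whose host is outside the claimed brand's domain.
    collector = _LinkCollector()
    collector.feed(text)
    for href in collector.links:
        host = urlparse(href).hostname or ""
        if claimed and registrable(host) != BRAND_DOMAINS[claimed]:
            findings.append(f"link to {host} is outside {BRAND_DOMAINS[claimed]}")

    # Signal 3: pretexting language pushing the reader to act quickly.
    if URGENCY.search(text):
        findings.append("urgency/pretext language present")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("-", finding)
```

Running it lists three findings: the sender-domain mismatch, the lookalike link host, and the urgency wording. The link to www.wellsfargo.com itself is not flagged, because, as the article notes, phishers include genuine links to look legitimate. A clean result is not proof of safety: these checks say nothing about attachments, about a compromised but genuine sender account, or about a lookalike registered under the brand's own TLD, and the brand table has to be maintained.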

Getting End Users to Comply with Cybersecurity Efforts in Small Businesses

Article / Updated 12-07-2021

Employees, and the many cybersecurity risks that they create, can become major headaches for small businesses. Human errors are the No. 1 catalyst for data breaches. Even if you’re actively seeking to improve your cybersecurity knowledge and posture, your employees and coworkers may not have the same level of commitment as you do when it comes to protecting data and systems. As such, one of the most important things that a small business owner can do is to educate his or her employees. Cybersecurity education consists of essentially three necessary components: Awareness of threats: You must ensure that every employee working for the business understands that he or she, and the business as a whole, are targets. People who believe that criminals want to breach their computers, phones, and databases act differently than people who have not internalized this reality. While formal, regular training is ideal, even a single, short conversation conducted when workers start, and refreshed with periodic reminders, can deliver significant value in this regard. Basic information-security training: All employees should understand certain basics of information security. They should, for example, know to avoid cyber-risky behavior, such as opening attachments and clicking on links found in unexpected email messages, downloading music or videos from questionable sources, inappropriately using public Wi-Fi for sensitive tasks, or buying products from unknown stores with too-good-to-be-true prices and no publicly known physical address. Numerous related training materials (often free) are available online. That said, never rely on training in itself to serve as the sole line of defense against any substantial human risk. Many people do stupid things even after receiving clear training to the contrary. Furthermore, training does nothing to address rogue employees who intentionally sabotage information security. Practice: Information security training should not be theoretical. 
Employees should be given the opportunity to practice what they have learned — for example, by identifying and deleting/reporting a test phishing email. Incentivize employees to comply with cybersecurity efforts Just as you should hold employees accountable for their actions if things go amiss, you should also reward employees for performing their jobs in a cyber-secure fashion and acting with proper cyber hygiene. Positive reinforcement can go a long way and is almost always better received than negative reinforcement. Furthermore, many organizations have successfully implemented reporting systems that allow employees to anonymously notify the relevant powers within the business of suspicious insider activities that may indicate a threat to your cybersecurity initiatives, as well as potential bugs in systems, that could lead to vulnerabilities. Such programs are common among larger businesses, but can be of benefit to many small companies as well. Remember to revoke access for former employees There are countless stories of employees making mistakes that open the organizational door to hackers and of disgruntled employees stealing data and/or sabotaging systems. The damage from such cybersecurity incidents can be catastrophic to a small business. Protect yourself and your business from these types of risks by setting up your information infrastructure to contain the damage if something does go amiss. How can you do this? Give workers access to all the computer systems and data that they need in order to do their jobs with maximum performance, but do not give them access to anything else of a sensitive nature. Programmers shouldn’t be able to access a business’s payroll system, for example, and a comptroller doesn’t need access to the version control system housing the source code of a company’s proprietary software. Limiting access can make a world of difference in terms of the scope of a data leak if an employee goes rogue. 
Many businesses have learned this lesson the hard way. Don’t become one of them. Give everyone their own credentials Every employee accessing each and every system in use by the organization should have their own login credentials to that system. Do not share credentials! Implementing such a scheme improves the ability to audit people’s activities (which may be necessary if a data breach or other cybersecurity event happens) and also encourages people to better protect their passwords. because they know that if the account is misused, management will address the matter to them personally rather than to a team. The knowledge that a person is going to be held accountable for their behavior vis-à-vis maintaining or compromising security can work wonders in a proactive sense. Likewise, every person should have their own multifactor authentication capabilities — whether that be a physical token, a code generated on their smartphone, and so on. Restrict administrators System administrators typically have superuser privileges — meaning that they may be able to access, read, delete, and modify other people’s data. It is essential, therefore, that if you — the business owner — are not the only superuser, that you implement controls to monitor what an administrator does. For example, you can log administrator actions on a separate machine that the administrator does not have access to. Allowing access from only a specific machine in a specific location — which is sometimes not possible due to business needs — is another approach common in cybersecurity, as it allows a camera to be aimed toward that machine to record everything that the administrator does. Limit access to corporate accounts Your business itself may have several of its own accounts. For example, it may have social media accounts — a Facebook page, Instagram account, and a Twitter account — customer support email accounts, phone accounts, and other utility accounts. 
Grant access only to the people who absolutely need access to those accounts. Ideally, every one of the folks to whom you do give access should have auditable access; that is, it should be easy to determine who did what with the account. Basic control and auditability are simple to achieve when it comes to Facebook pages, for example, as you can own the Facebook page for the business while providing other people the ability to write to the page. In some other environments, however, granular controls aren't available, and you will need to decide between the cybersecurity implications of providing multiple people logins to a social media account or having them submit content to a single person (perhaps even you) who makes the relevant posts.

The challenge of providing every authorized user of corporate social media accounts with their own account, to achieve both control and auditability, is exacerbated by the fact that all sensitive accounts should be protected with multifactor authentication. Some systems offer multifactor authentication capabilities that account for the fact that multiple independent users may need to be given auditable access to a single account. In some cases, however, systems that offer multifactor authentication capabilities do not blend well with multi-person environments. They may, for example, allow for only one cellphone number to which one-time passwords are sent via SMS. In such scenarios, you will need to decide whether to:

- Use the multifactor authentication, but with a workaround. For example, use a VoIP number to receive the texts and configure the VoIP number to forward the messages on to multiple parties via email (as is offered at no cost, for example, by Google Voice). Be aware that forwarding one-time codes over email widens the set of places an attacker can intercept them.
- Use the multifactor authentication with no workaround, and configure the authorized users' devices not to need multifactor authentication for the activities that they perform.
- Not use the multifactor authentication, but instead rely solely on strong passwords (not recommended).
- Find another workaround by modifying the processes, procedures, or technologies used to access such systems.
- Utilize third-party products that overlay such systems (often the best option when available).

The last option is often the best option. Various social media management platforms, for example, can be configured for multiple users, each with their own independent strong authentication, and all such users have auditable access to a single social media account. While larger enterprises almost always follow some variant of the last approach, both for management and security reasons, many small businesses tend to take the easy way out and simply not use strong authentication in such cases. The cost of implementing proper cybersecurity, both in terms of dollars and time, is usually quite low, so exploring third-party products should definitely be done before deciding to take another approach to this cybersecurity challenge. The value of having proper security with auditability will become immediately clear if you ever have a disgruntled employee who had access to the company's social media accounts, or if a happy and satisfied employee with such access is hacked.

Enforce social media policies

Devising, implementing, and enforcing social media policies is important because inappropriate social media posts made by your employees (or yourself) can inflict all sorts of damage. They can leak sensitive information, violate compliance rules, help criminals social engineer and attack your organization, expose your business to boycotts and/or lawsuits, and so on. You want to make clear to all employees what is and is not acceptable use of social media. As part of the process of crafting the policies, consider consulting an attorney to make sure that you do not violate anyone's freedom of speech.
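Returning to the shared-account multifactor problem discussed under "Limit access to corporate accounts" above: here is an added example (not code from the original article or from any product) of what the "third-party product that overlays the system" option does in its simplest form. The broker below holds the one TOTP seed that a service with a single-authenticator limitation knows about, makes each person authenticate to the broker with their own passphrase, and records who obtained a code and when, so that the shared account becomes individually auditable. The HOTP and TOTP functions follow RFC 4226 and RFC 6238; the seed is the RFC test value, and the account name, people and passphrases are constructed.

```python
"""Per-person, auditable access to a single account's one-time codes.
Added example, not from the original article or any product: the broker
below holds the shared account's TOTP seed and hands out the current code
only to individually authenticated people, logging each request. HOTP/TOTP
follow RFC 4226/6238; the seed, names and passphrases are constructed."""

import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


class SharedAccountBroker:
    def __init__(self, account: str, seed: bytes):
        self._account = account
        self._seed = seed      # the one secret the upstream service knows about
        self._users = {}       # name -> (salt, PBKDF2 hash of that person's own passphrase)
        self.audit = []        # (unix_time, name, account, outcome); ship this off-box

    @staticmethod
    def _derive(passphrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

    def enroll(self, name: str, passphrase: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, self._derive(passphrase, salt))

    def request_code(self, name: str, passphrase: str, now=None):
        """Return the current code for the shared account, or None, and log who asked."""
        now = int(time.time()) if now is None else now
        entry = self._users.get(name)
        ok = entry is not None and hmac.compare_digest(
            self._derive(passphrase, entry[0]), entry[1])
        self.audit.append((now, name, self._account, "issued" if ok else "denied"))
        return totp(self._seed, now) if ok else None


# RFC 6238 test seed (ASCII "12345678901234567890"); never reuse a published seed in real life.
DEMO_SEED = b"12345678901234567890"


def demo():
    """Constructed deployment: one shared marketing account, two enrolled people."""
    broker = SharedAccountBroker("@example-marketing", DEMO_SEED)
    broker.enroll("alice", "correct horse battery staple")
    broker.enroll("bob", "another long passphrase")
    return broker


if __name__ == "__main__":
    b = demo()
    print(b.request_code("alice", "correct horse battery staple"))
    print(b.request_code("mallory", "guess"))
    print(b.audit)
```

The point of the design is that nobody but the broker ever sees the seed, so the upstream service's one-authenticator limit no longer forces password sharing; a real deployment would keep the seed in a secrets store or HSM, rate-limit requests, and forward the audit list to a log the brokered users cannot edit.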
You may also want to implement technology to ensure that social media does not transform from a marketing platform into a cybersecurity nightmare.

Monitor employees to succeed with cybersecurity

Regardless of whether or not they plan to actually monitor employees' usage of technology, companies should inform users that they have the right to do so. If an employee were to go rogue and steal data, for example, you do not want to have the admissibility of evidence challenged on the grounds that you had no right to monitor the employee. Furthermore, telling employees that they may be monitored reduces the likelihood of employees doing things that violate cybersecurity policy, because they know that they may be observed while doing such things. Notice and consent requirements for workplace monitoring vary by jurisdiction, so have counsel review the wording before you adopt it. Here is an example of text that you can provide to employees as part of an employee handbook or the like when they begin work:

Company, at its sole discretion, and without any further notice to employee, reserves the right to monitor, examine, review, record, collect, store, copy, transmit to others, and control any and all email and other electronic communications, files, and any and all other content, network activity including Internet use, transmitted by or through its technology systems or stored in its technology systems, whether onsite or offsite. Such systems shall include systems that it owns and operates and systems that it leases, licenses, or to which it otherwise has any usage rights. Furthermore, whether sent to an internal party, external party, or both, any and all e-mail, text and/or other instant messages, voicemail, and/or any and all other electronic communications are considered to be Company's business records, and may be subject to discovery in the event of litigation and/or to disclosure based on warrants served upon Company or requests from regulators and other parties.
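The monitoring notice above is only useful if the records it refers to exist and can be tied to a person. As an added example (not part of the original article), here is a short Python script that reads SSH login and sudo log lines from a Linux host, attributes each privileged command to the login session that ran it, flags accounts used from more than one source (a sign the credential is shared or stolen, exactly the situation "Give everyone their own credentials" warns about), and flags commands run from outside an assumed admin network. The log lines are constructed, and ADMIN_NET is an assumption.

```python
"""Attribute privileged actions to people from SSH and sudo log lines.
Added example, not from the original article; the log lines below are
constructed, and ADMIN_NET is an assumed 'trusted admin network'."""

import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

ADMIN_NET = ip_network("10.0.0.0/8")   # assumption: where admins are expected to come from

SAMPLE_LOG = """\
Mar  3 09:01:12 web1 sshd[2001]: Accepted publickey for alice from 10.0.0.21 port 51012 ssh2
Mar  3 09:02:40 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:05:03 web1 sshd[2044]: Accepted password for admin from 10.0.0.35 port 50233 ssh2
Mar  3 09:05:50 web1 sudo:    admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 09:07:15 web1 sshd[2051]: Accepted password for admin from 203.0.113.9 port 41120 ssh2
Mar  3 09:08:02 web1 sudo:    admin : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/scp /var/backups/db.sql 203.0.113.9:/tmp
""".splitlines()

STAMP = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
LOGIN_RE = re.compile(STAMP + r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
SUDO_RE = re.compile(STAMP + r"sudo:\s+(\S+) : .*COMMAND=(.*)$")


def _ts(stamp):
    # Syslog stamps carry no year; strptime fills in 1900, which is fine for ordering.
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


def analyze(lines):
    logins = defaultdict(list)   # account -> [(time, auth method, source ip)]
    commands = []                # (time, account, attributed source, command)
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            logins[m.group(3)].append((_ts(m.group(1)), m.group(2), m.group(4)))
            continue
        m = SUDO_RE.match(line)
        if m:
            when, account, cmd = _ts(m.group(1)), m.group(2), m.group(3)
            # Attribute the command to the most recent accepted login for that account.
            earlier = [entry for entry in logins[account] if entry[0] <= when]
            source = earlier[-1][2] if earlier else "unknown"
            commands.append((when, account, source, cmd))
    # An account seen from more than one source is either shared or compromised;
    # either way its actions cannot be pinned on one person.
    shared = {a for a, ls in logins.items() if len({src for _, _, src in ls}) > 1}
    offsite = [c for c in commands
               if c[2] != "unknown" and ip_address(c[2]) not in ADMIN_NET]
    return {"commands": commands, "shared_accounts": shared, "offsite_commands": offsite}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for when, account, source, cmd in result["commands"]:
        tag = " [SHARED]" if account in result["shared_accounts"] else ""
        print(f"{when:%H:%M:%S} {account}@{source}{tag}: {cmd}")
```

Point it at /var/log/auth.log (or the journal) as shipped to a separate log host, per "Restrict administrators" above; if it runs only on the box the administrator controls, the lines it reads are exactly the ones a rogue administrator can edit.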

What to Do after a Data Breach: 3 Steps to Recover without a Pro

Article / Updated 12-07-2021

Data breaches are dreaded by most cybersecurity professionals and organizations. In fact, much of the planning that is done in the cybersecurity world is an attempt to prevent such an event from occurring. But the best-laid cybersecurity plans often go awry. If you do not have the ability to bring in a pro, follow the steps below. They are essentially the ones most cybersecurity professionals follow:

1. Figure out what happened (or is happening).
2. Contain the cyberattack.
3. Terminate and eliminate the cyberattack.

Step 1: Figure out what happened or is happening with the cyberattack

If possible, you want to figure out as much about the cyberattack as possible so that you can respond accordingly. If an attacker is transferring files from your computer to another device, for example, you want to disconnect your device from the internet ASAP. That said, most home users do not have the technical skills to properly analyze and understand exactly what the nature of a particular cyberattack may be, unless, of course, the attack is overt in nature. Gather as much information as you can about:

- What happened to cause the cyberattack
- What information systems and databases were hit
- What a criminal or other mischievous party could do with the stolen material
- Who, besides yourself, may face risk because of the data breach (this includes any potential implications for your employer)

Do not spend a lot of time on this step; you need to take action, not just document. But the more information that you do have, the greater the chances that you will be able to prevent another similar cyberattack in the future.

Step 2: Contain the cyberattack

Cut off the attacker by isolating him or her from the compromised devices. Containing may entail:

- Terminating all network connectivity ASAP: To terminate network connectivity for all devices on a network, turn off your router by unplugging it. (Note: If you're in a business setting, this step is usually not possible.)
- Unplugging any Ethernet cables: Understand, however, that a network-borne cyberattack may have already spread to other devices on the network. If so, disconnect the network from the internet and disconnect each device from your network until it is scanned for security problems.
- Turning off Wi-Fi on the infected device: Again, a network-borne attack may have already spread to other devices on the network. If so, disconnect the network from the internet and disconnect each device from your network by turning off Wi-Fi at the router and any access points, not just on the infected computer.
- Turning off cellular data: In other words, put your device into airplane mode.
- Turning off Bluetooth and NFC: Bluetooth and NFC are both wireless communication technologies that work with devices that are in close physical proximity to one another. All such communications should be blocked if there is a possibility of infections spreading or hackers jumping from device to device.
- Unplugging USB drives and other removable drives from the system: Note that the drives may contain malware, so do not attach them to any other systems until they have been scanned.
- Revoking any access rights that the attacker is exploiting: If you have a shared device and the attacker is using an account other than yours to which he or she somehow gained authorized access, temporarily set that account to have no rights to do anything.

Prefer disconnecting the infected device from the network over powering it off: whatever the malware is doing lives in memory, and that evidence is lost the moment the power goes.

If, for some reason, you need internet access from your device in order to get help cleaning it up, turn off all other devices on your network to prevent any cyberattacks from spreading over the network to your device. Keep in mind that such a scenario is far from ideal. You want to cut off the infected device from the rest of the world, not just sever the connections between it and your other devices.
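Step 1 asks whether an attacker is moving data off the machine right now, and Step 2 asks which connection to cut. As an added example (not from the original article), here is a Python triage helper that reads the output of `ss -tnp` on a Linux machine (or a saved copy of it), keeps only established connections to addresses outside an assumed set of home networks, and orders them by how much data is queued to go out, together with the owning process so it can be killed before the cable is pulled. The sample output is constructed, and HOME_NETS is an assumption.

```python
"""Quick triage of live connections from `ss -tnp` output (Linux), to answer
the first question after a breach: is anything on this machine talking to the
outside right now, and which process? Added example, not from the original
article; SAMPLE_SS is constructed output and HOME_NETS is an assumption."""

import re
from ipaddress import ip_address, ip_network

# Assumption: these ranges are 'inside the house'; anything else is the outside world.
HOME_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]

# Constructed sample of `ss -tnp` (run it as root so the Process column is filled in).
SAMPLE_SS = """\
State  Recv-Q Send-Q  Local Address:Port    Peer Address:Port   Process
ESTAB  0      0       192.168.1.10:49152    192.168.1.1:445     users:(("smbd",pid=812,fd=21))
ESTAB  0      0       192.168.1.10:50110    140.82.112.4:443    users:(("firefox",pid=2210,fd=88))
ESTAB  0      1048576 192.168.1.10:50412    198.51.100.77:4444  users:(("python3",pid=3391,fd=5))
LISTEN 0      128     0.0.0.0:22            0.0.0.0:*           users:(("sshd",pid=640,fd=3))
"""

ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(.*)$")
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def _outside(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:          # e.g. "*" or an unparsable token
        return False
    return not any(addr in net for net in HOME_NETS)


def triage(ss_output: str):
    """Return established connections to outside addresses, biggest outbound backlog first."""
    hits = []
    for line in ss_output.splitlines():
        m = ROW_RE.match(line)
        if not m or m.group(1) != "ESTAB":
            continue                  # header line, listeners, half-closed sockets
        _state, _recv_q, send_q, _local, _lport, peer, pport, proc = m.groups()
        if not _outside(peer):
            continue
        p = PROC_RE.search(proc)
        hits.append({
            "peer": f"{peer}:{pport}",
            "proc": p.group(1) if p else "?",
            "pid": int(p.group(2)) if p else None,
            "send_q": int(send_q),    # bytes queued to leave the box: large means data is flowing OUT
        })
    # Largest Send-Q first: that is the connection most likely carrying an exfiltration.
    return sorted(hits, key=lambda h: h["send_q"], reverse=True)


if __name__ == "__main__":
    for h in triage(SAMPLE_SS):
        print(f"pid {h['pid']} ({h['proc']}) -> {h['peer']}  send-q={h['send_q']}")
```

A browser talking to port 443 will usually show up too; the combination of an unfamiliar process, an unusual port, and a large Send-Q is what singles out the connection to kill first (`kill -9 <pid>`), after which you disconnect the machine as described in Step 2.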
Step 3: Terminate and eliminate the cyberattack

Containing a cyberattack is not the same thing as terminating and eliminating an attack. Malware that was present on the infected device is still present after disconnecting the device from the internet, for example, as are any vulnerabilities that a remote hacker or malware may have exploited in order to take control of your device. So, after containing the cyberattack, it is important to clean up the system. The following describes some steps to follow at this point.

Boot the computer from a security software boot disk

If you have a security software boot disk, boot from it. Most modern users will not have such a disk; if you do not, move to the next section. Otherwise:

1. Remove all USB drives, DVDs, CDs, floppies (yes, some people still have them), and any other external drives from your computer.
2. Insert the boot disk into the CD/DVD drive (or plug in the bootable USB stick, if that is what the vendor provided).
3. Shut down your computer.
4. Wait ten seconds and push the power button to start your computer.
5. If you are using a Windows computer and it does not boot from the disk, turn the machine off, wait ten seconds, and restart it while pressing the BIOS/UEFI setup key (different computers use different keys, but most use an F-key such as F1 or F2, or the Delete key) to change the boot order so that the optical drive or USB stick is tried before the hard drive. Save the settings, exit the setup screen, and reboot.

If you're using a Windows PC, boot the computer in Safe Mode

Safe Mode is a special mode of Windows that allows only essential system services and programs to run when the system starts up. To do this, follow these steps:

1. Remove all USB drives, DVDs, CDs, floppies (yes, some people still have them), and any other external drives from your computer.
2. Shut down your computer.
3. Wait ten seconds and push the power button to start your computer.
4. While your computer is starting, press the F8 key repeatedly to display the Advanced Boot Options menu.
5. When the menu appears, select the option to boot in Safe Mode.

The F8 method works on Windows 7 and earlier. Windows 8, 10, and 11 disable the F8 menu by default to speed up startup; on those versions, hold the Shift key while clicking Restart on the sign-in screen or Start menu, then choose Troubleshoot, Advanced options, Startup Settings, and Restart, and press the number shown next to Safe Mode. Choose plain Safe Mode rather than Safe Mode with Networking, so that the machine stays offline while you clean it.
If you're using a Mac, boot it with Safe Boot

macOS does not provide a full equivalent of Safe Mode; Macs always boot with networking enabled. Safe Boot does, however, boot cleaner than a normal boot: it loads only required kernel extensions, skips login items, and checks the startup disk. To Safe Boot an Intel-based Mac, follow these steps:

1. Remove all USB drives, DVDs, CDs, floppies (yes, some people still have them), and any other external drives from your computer.
2. Shut down your computer.
3. Wait ten seconds and push the power button to start your computer.
4. While your computer is starting, hold down the Shift key until the login window appears.

On a Mac with Apple silicon, instead hold the power button down until the startup options appear, select your startup disk, then hold the Shift key and click Continue in Safe Mode.

Holding Shift at startup on the classic Mac OS (System 6 through Mac OS 9) did something different: it started the machine with extensions turned off. The advice to boot with Safe Boot applies only to Macs running Mac OS X or macOS.

Backup

If you have not backed up your data recently, do so now. Of course, backing up a compromised device is not necessarily going to save all of your data (because some may already be corrupted or missing), but if you do not already have a backup, make one now, ideally by copying your files to an external USB drive that you will not attach to any other devices until it is properly scanned by security software. Keep this backup separate from any earlier, known-good backups so that you do not overwrite clean copies with infected ones.

Delete junk (optional)

At this point, you may wish to delete any files that you do not need, including any temporary files that have somehow become permanent. Why do the deletion now? Well, you should be doing periodic maintenance anyway, and if you are cleaning up your computer now, now is a good time. The less there is for security software to scan and analyze, the faster it will run. Also, some malware hides in temporary files, so deleting such files can directly remove some malware. For users of Windows computers, one easy way to delete temporary files is to use the built-in Disk Cleanup utility: open the Start menu, go to All Programs (or Windows Accessories), then Accessories, then System Tools, and click Disk Cleanup. On any version of Windows you can also press the Windows key + R, type cleanmgr, and press Enter.
Run security software

Hopefully, you already have security software installed. If you do, run a full system scan. One important caveat: security software running on a compromised device may itself be compromised or impotent against the relevant threat (after all, the data breach took place with the security software running). So, regardless of whether such a scan comes up clean, it may be wise to run the security software from a bootable CD or other read-only media, or, in the case of some products, from another computer on your home network. Not all brands of security software catch all variants of malware. Security professionals doing a device "cleanup" often run security software from multiple vendors. If you are using a Mac and your Safe Boot includes internet access, run the security software update routines prior to running the full scan.

Malware, or attackers, may add new files to a system, remove files, and modify files. They may also open communication ports. Security software should be able to address all of these scenarios. Pay attention to the reports issued by the security software after it runs. Keep track of exactly what it removes or repairs. This information may be important if, for example, some programs do not work after the cleanup. (You may need to reinstall programs whose files were removed, or whose files were modified by malware and then cleaned.) Email databases may need to be restored if malware was found within messages and the security software was unable to fully clean up the mess. Security software report information may also be useful to a cybersecurity or IT professional if you end up hiring one at a later date. Also, the information in the report may provide you with clues as to where the cyberattack started and what enabled it to happen, thereby also helping to guide you on preventing it from recurring.
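The paragraph above notes that malware adds, removes and modifies files. As an added example (not from the original article), the following Python builds a SHA-256 inventory of a directory tree and compares two inventories to list exactly those three kinds of change; the demo tree and the "malware" changes made to it are constructed. The obvious caveat applies: a baseline is only trustworthy if it was taken before the compromise and stored where the compromised machine cannot rewrite it.

```python
"""Before-and-after file inventory: what the page says to watch for (added,
removed and modified files) expressed as a hash comparison. Added example,
not from the original article; demo() builds a constructed scratch tree."""

import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue      # hash real files, not links, so a planted symlink cannot redirect us
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            out[os.path.relpath(path, root).replace(os.sep, "/")] = digest.hexdigest()
    return out


def compare(before: dict, after: dict) -> dict:
    """Classify every path as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then simulate a dropper's changes."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        put("bin/app.exe", b"original program bytes")
        put("etc/hosts", b"127.0.0.1 localhost\n")
        put("tmp/cache.dat", b"harmless cache")
        baseline = snapshot(root)                     # store THIS somewhere the box cannot reach
        put("bin/app.exe", b"original program bytes + injected code")     # trojanized binary
        put("tmp/svchost.exe", b"dropper masquerading as a system file")  # new file in a temp dir
        os.remove(os.path.join(root, "tmp", "cache.dat"))                 # something deleted
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

On a real machine, take the baseline of the system and program directories from a clean install or a known-good backup, keep it on read-only media or another host, and run `compare` from a boot disk rather than from the suspect operating system itself, for the same reason the paragraph gives for not trusting security software that runs on the compromised device.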
Security software often detects, and reports on, various non-attack material that may be undesirable due to its impact on privacy or its potential to solicit a user with advertisements. You may, for example, see alerts that security software has detected tracking cookies or adware; neither is a serious problem, though you may wish to remove adware if the ads bother you. In many cases you can pay to upgrade the software displaying the ads to a paid version that lacks ads. As far as recovering from a cyberattack is concerned, these undesirable items are not a problem.

Sometimes, security software will inform you that you need to run an add-on in order to fully clean a system. Symantec, for example, offers its Norton Power Eraser, which it says "Eliminates deeply embedded and difficult-to-detect crimeware that traditional virus scanning doesn't always detect." If your security software informs you that you need to run such a scanner, you should do so, but make sure that you obtain it from the legitimate, official, original source. Also, never download or run any scanner of that sort if the instruction came from anywhere other than your own security software. Plenty of rogue pop-ups will advise you similarly, but install malware if you download the relevant "security software."

Ideally, these steps will help you move forward, but consulting a cybersecurity professional is also a good idea to ensure that you are protected against future attacks.

What is a CISO?

Article / Updated 12-06-2021

CISO stands for chief information security officer. The CISO represents the information security function in an enterprise and is responsible for ensuring that cybersecurity initiatives are carried through in the organization. While all businesses need someone within them to ultimately own responsibility for information security, larger enterprises often have large teams involved with information security and need someone who can oversee all of the various aspects of information security management, as well as manage all the personnel involved in doing so. This person also represents the information security function to senior management, and sometimes to the board. Typically, that person is the CISO.

While the exact responsibilities of CISOs vary by industry, geography, company size, corporate structure, and pertinent regulations, most CISO roles share basic commonalities. In general, the CISO's role includes overseeing and assuming responsibility for all areas of information security. Keep reading to gain a better understanding of each of these areas.

Overall cybersecurity program management

The CISO is responsible for overseeing the company's security program from A to Z. This role includes not only establishing the information security policies for the enterprise, but everything needed to ensure that business objectives can be achieved with the desired level of risk management, something that requires, for example, performing risk assessments on a regular basis. While, in theory, small businesses also have someone responsible for their entire cybersecurity programs, in the case of large enterprises the programs are usually much more formal and have more moving parts. Such programs are also forever ongoing.

Test and measurement of the cybersecurity program

The CISO is responsible for establishing proper testing procedures and success metrics against which to measure the effectiveness of the information security plan, and for making adjustments accordingly.
Establishing proper security metrics is often far more complicated than one might initially assume, as defining "successful performance" when it comes to information security is not a straightforward matter.

Human risk management in cybersecurity

The CISO is responsible for addressing various human risks as well. Screening employees before hiring them, defining roles and responsibilities, training employees, providing employees with appropriate user manuals and employee guides, providing employees with information security breach simulations and feedback, creating incentive programs, and so on all often involve the participation of the CISO's organization.

Information asset classification and control

This function of the CISO includes performing an inventory of informational assets, devising an appropriate classification system, classifying the assets, and then deciding what types of controls (at a business level) need to be in place to adequately secure the various classes and assets. Auditing and accountability should be included in the controls as well.

Security operations

Security operations means exactly what it sounds like. It is the business function that includes the real-time management of cybersecurity, including the analysis of threats and the monitoring of a company's technology assets (systems, networks, databases, and so on) and information security countermeasures, such as firewalls, whether hosted internally or externally, for anything that may be amiss. Operations personnel are also the folks who initially respond if they do find that something has potentially gone wrong.

Information security strategy

This role includes devising the forward-looking security strategy of the company to keep the firm secure as it heads into the future. Proactive planning and action is a lot more comforting to shareholders than reacting to attacks.
Identity and access management

This role deals with controlling access to informational assets based on business requirements, and includes identity management, authentication, authorization, and related monitoring. It includes all aspects of the company's password management policies and technologies, any and all multifactor authentication policies and systems, and any directory systems that store lists of people and groups and their permissions. The CISO's identity and access management teams are responsible for giving workers access to the systems needed to perform their jobs and for revoking all such access when a worker leaves. Likewise, they manage partner access and all other external access. Major corporations almost always utilize formal directory services; Active Directory, for example, is quite popular.

Cybersecurity and data loss prevention

Data loss prevention includes policies, procedures, and technologies that prevent proprietary information from leaking. Leaks can happen accidentally (for example, a user may attach the wrong document to an email before sending the message) or through malice (for example, a disgruntled employee steals valuable intellectual property by copying it to a USB drive and taking the drive home just before resigning). In recent years, some social media management functions have been moved into the data loss prevention group. After all, oversharing on social media often includes the de facto sharing by employees of information that businesses do not want going out onto publicly accessible social networks.

Fraud prevention

Some forms of fraud prevention often fall in the CISO's domain. For example, if a company operates consumer-facing websites that sell products, it is often part of the CISO's responsibility to minimize the number of fraudulent transactions that are made on the sites.
Even when such responsibility doesn't fall within the purview of the CISO, the CISO is likely to be involved in the process, as anti-fraud systems and information security systems often mutually benefit from sharing information about suspicious users. Besides combatting fraudulent transactions, the CISO may be responsible for implementing technologies to prevent rogue employees from stealing money from the company via any of many types of schemes, with the CISO usually focusing primarily on means involving computers.

Cybersecurity incident response plan

The CISO is responsible for developing and maintaining the company's incident response plan. The plan should detail who speaks to the media, who clears messages with the media, who informs the public, who informs regulators, who consults with law enforcement, and so on. It should also detail the identities (specified by job description) and roles of all other decision-makers within the cybersecurity incident response process.

Disaster recovery and business continuity planning

This function includes managing disruptions of normal operations through contingency planning and the testing of all such plans. While large businesses often have a separate DR and BCP team, the CISO almost always plays a major role in these functions, if not owning them outright, for multiple reasons:

- Keeping systems and data available is part of the CISO's responsibility. As such, there is little difference from a practical perspective if a system goes down because a DR and BC plan is ineffective or because a DDoS attack hit; if systems and data are not available, it is the CISO's problem.
- CISOs need to make sure that BCP and DR plans provide for recovery in such a manner that security is preserved. This is especially true because it is often obvious from major media news stories when major corporations may need to activate their continuity plans, and hackers know that companies in recovery mode make ideal targets.
Cybersecurity compliance

The CISO is responsible for ensuring that the company complies with all legal and regulatory requirements, contractual obligations, and best practices accepted by the company as related to information security. Of course, compliance experts and attorneys may advise the CISO regarding such cybersecurity matters, but, ultimately, it is the CISO's responsibility to ensure that all requirements are met.

Investigations into cybersecurity incidents

If (and when) an information security incident occurs, the folks working for the CISO in this capacity investigate what happened. In many cases, they'll be the folks who coordinate investigations with law enforcement agencies, consulting firms, regulators, or third-party security companies. These teams must be skilled in forensics and in preserving evidence. It does little good to know that some rogue employee stole money or data if, as a result of mishandling digital evidence, you can't prove in a court of law that that is the case.

Physical security

Ensuring that corporate informational assets are physically secure is part of the CISO's job. This includes not only systems and networking equipment, but the transport and storage of backups, disposal of decommissioned computers, and so on. In some organizations, the CISO is also responsible for the physical security of buildings housing technology and for the people within them. Regardless of whether this is the case, the CISO is always responsible for working with those who are, to ensure that information systems and data stores are protected by properly secured facilities with adequate security perimeters and with appropriate access controls to sensitive areas on a need-to-access basis.

Security architecture

The CISO and their team are responsible for designing and overseeing the building and maintenance of the company's cybersecurity architecture.
Sometimes, of course, CISOs inherit pieces of the infrastructure, so the extent to which they get to design and build may vary. The CISO effectively decides what, where, how, and why various countermeasures are used, how to design network topology, DMZs and segments, and so on.

Ensuring auditability of system administrators

It is the CISO's responsibility to ensure that all system administrators have their actions logged in such a fashion that those actions are auditable and attributable to the parties who took them.

Cyber-insurance compliance

Most large companies have cybersecurity insurance. It is the CISO's job to make sure that the company meets all security requirements for coverage under the policies that are in effect, so that if something does go amiss and a claim is made, the firm will be covered.

While the CISO role can cover many of these responsibilities, the function is constantly evolving and may take on new responsibilities.

Types of Malware Cybersecurity Professionals Should Know

Article / Updated 04-26-2021

Malware, or malicious software, is an all-encompassing term for software that intentionally inflicts damage on its users, who typically have no idea that they are running it. Malware includes computer viruses, worms, Trojans, ransomware, scareware, spyware, cryptocurrency miners, adware, and other programs intended to exploit computer resources for nefarious purposes.

Viruses

Computer viruses are instances of malware that, when executed, replicate by inserting their own code into computer systems. Typically, the insertion is in data files (for example, as rogue macros within a Word document), in the special portion of hard drives or solid state drives that contains the code and data used to boot a computer or disk (also known as boot sectors), or in other computer programs. Like biological viruses, computer viruses can't spread without having hosts to infect. Some computer viruses significantly impact the performance of their hosts, while others are, at least at times, hardly noticeable. While computer viruses still inflict tremendous damage worldwide, the majority of serious malware threats today arrive in the form of worms and Trojans.

Worms

Computer worms are standalone pieces of malware that replicate themselves without the need for hosts in order to spread. Worms often propagate over network connections by exploiting security vulnerabilities on target computers and networks. Because they normally consume network bandwidth, worms can inflict harm even without modifying systems or stealing data. They can slow down network connections, and few people, if any, like to see their internal and Internet connections slow down.

Trojans

Trojans (appropriately named after the mythical Trojan horse) are malware that is either disguised as non-malicious software or hidden within a legitimate, non-malicious application or piece of digital data.
Trojans are most often spread by some form of social engineering, for example by tricking people into clicking on a link, installing an app, or running some email attachment. Unlike viruses and worms, Trojans typically don't self-propagate using technology; instead, they rely on the effort (or, more accurately, the mistakes) of humans.

Ransomware

Ransomware is malware that demands that a ransom be paid to some criminal in exchange for the infected party not suffering some harm. Ransomware often encrypts user files and threatens to delete the encryption key if a ransom isn't paid within some relatively short period of time, but other forms of ransomware involve a criminal actually stealing user data and threatening to publish it online if a ransom is not paid. Some ransomware actually steals the files from users' computers, rather than simply encrypting data, so as to ensure that the user has no possible way to recover his or her data (for example, using an anti-ransomware utility) without paying the ransom. Ransomware is most often delivered to victims as a Trojan or a virus, but has also been successfully spread by criminals who packaged it in a worm. In recent years, sophisticated criminals have even crafted targeted ransomware campaigns that leverage knowledge about what data is most valuable to a particular target and how much that target can afford to pay in ransoms.

(The original article shows an image of the WannaCry ransom demand screen at this point.) WannaCry is a flavor of ransomware that inflicted at least hundreds of millions of dollars in damage (if not billions) after initially spreading in May 2017. Many security experts believe that the North Korean government, or others working for it, created WannaCry, which within four days infected hundreds of thousands of computers in about 150 countries. WannaCry is also the standard example of ransomware packaged in a worm: it spread from machine to machine on its own by exploiting a vulnerability in Windows SMB file sharing, which is why unpatched machines were infected without anyone clicking anything.

Scareware

Scareware is malware that scares people into taking some action. One common example is malware that scares people into buying security software.
A message appears on a device claiming that the device is infected with some virus that only a particular security package can remove, with a link to purchase that "security software."

Spyware

Spyware is software that surreptitiously, and without permission, collects information from a device. Spyware may capture a user's keystrokes (in which case it is called a keylogger), video from a camera, audio from a microphone, screen images, and so on. It is important to understand the difference between spyware and invasive programs. Some technologies that might technically be considered spyware if users had not been told that they were being tracked online are in use by legitimate businesses; they may be invasive, but they are not malware. These types of nonspyware that also spies include beacons that check whether a user loaded a particular web page, and tracking cookies installed by websites or apps. Some experts have argued that any software that tracks a smartphone's location while the app is not being actively used by the device's user also falls into the category of nonspyware that also spies, a definition that would include popular apps such as Uber.

Cryptocurrency miners

Cryptocurrency miners are malware that, without any permission from devices' owners, commandeer infected devices' brainpower (their CPU cycles) to generate new units of a particular cryptocurrency (which the malware gives to the criminals operating the malware) by completing complex math problems that require significant processing power to solve. The proliferation of cryptocurrency miners exploded in 2017 with the rise of cryptocurrency values. Even after price levels subsequently dropped, the miners are still ubiquitous: once criminals have invested in creating the miners, there is little cost in continuing to deploy them.
Not surprisingly, as cryptocurrency prices began to rise again in 2019, new strains of cryptominers began to appear as well — some of which specifically target Android smartphones. Many low-end cybercriminals favor using cryptominers. Even if each miner, on its own, pays the attacker very little, miners are easy to obtain and directly monetize cyberattacks without the need for extra steps (such as collecting a ransom) or the need for sophisticated command and control systems. Adware Adware is software that generates revenue for the party operating it by displaying online advertisements on a device. Adware may be malware — that is, installed and run without the permission of a device’s owner — or it may be a legitimate component of software (for example, installed knowingly by users as part of some free, ad-supported package.) Some security professionals refer to the former as adware malware, and the latter as adware. Because no consensus exists, it’s best to clarify which of the two is being discussed when you hear someone mention just the generic term adware. Blended malware Blended malware is malware that utilizes multiple types of malware technology as part of an attack — for example, combining features of Trojans, worms, and viruses. Blended malware can be quite sophisticated and often stems from skilled attackers. Zero day malware Zero day malware is any malware that exploits a vulnerability not previously known to the public or to the vendor of the technology containing the vulnerability, and is, as such, often extremely potent. Regularly creating zero day malware requires significant resource and development. It’s quite expensive and is often crafted by the cyber armies of nation states rather than by other hackers. Commercial purveyors of zero day malware have been known to charge over $1 million for a single exploit. Cybersecurity professionals need to know the possible security vulnerabilities and ensure systems are prepare for a variety of cyberattacks.

Cybersecurity Job and Career Options

Article / Updated 04-26-2021

Cybersecurity professionals have a wide range of responsibilities. Cybersecurity jobs can vary quite a bit based on the exact role, but most, if not all, ultimately work to help either protect data and systems from being compromised or, in the case of certain government positions, to breach the systems and compromise the data of adversaries. No one, single career path called “cybersecurity” exists. The profession has many nuances, and different paths along which people’s careers can progress.

Security engineer

Security engineers come in multiple types, but the vast majority are hands-on technical folks who build, maintain, and debug information security systems as part of organizational (corporate, government, or nonprofit) projects. Security engineers working in the professional services arms of vendors may also help ensure that software is deployed at clients in a secure fashion.

Security manager

Security managers are typically mid-level managers within larger enterprises who have responsibility for some specific area of information security. One security manager may, for example, be responsible for all of a firm’s security training, and another may be responsible for overseeing all of its internet-facing firewalls. People in security manager positions typically perform less hands-on, technically detailed security activities than do the folks who report to them.

Security director

Security directors are the people who oversee information security for an organization. In smaller firms, the director is usually the de facto chief information security officer (CISO). Larger firms may have several directors responsible for various subsets of the firm’s information security program; such folks, in turn, usually report to the CISO.

Chief information security officer (CISO)

The CISO is the person responsible for information security throughout an organization. You can think of the CISO role as being that of the chief of staff of the organization’s information-security defensive military. The CISO is a senior, C-level management position. Serving as a CISO usually requires significant management knowledge and experience, in addition to an understanding of information security.

Security analyst

Security analysts work to prevent information security breaches. They review not only existing systems, but also study emerging threats, new vulnerabilities, and so on, in order to ensure that the organization remains safe.

Security architect

Security architects design and oversee the deployment of organizational information security countermeasures. They often have to understand, design, and test complex security infrastructures, and they regularly serve as the security team member who is involved in projects outside of the security department as well. For example, security architects would design the security needed for a custom application an organization is designing and building; they also help guide networking folks as the latter design various elements of corporate IT networking infrastructure.

Security administrator

Security administrators are hands-on folks who install, configure, operate, manage, and troubleshoot information security countermeasures on behalf of an organization. These folks are the ones to whom nontechnical professionals often refer when they say “I am having a problem and need to call the security person.”

Security auditor

Security auditors conduct security audits — that is, they check that security policies, procedures, technologies, and so on are working as intended and are effectively and adequately protecting corporate data, systems, and networks.

Cryptographer

Cryptographers are experts in, and work with, encryption as used to protect sensitive data. Some cryptographers work to develop encryption systems to protect sensitive data, while others, known as cryptanalysts, do the opposite: analyzing encrypted information and encryption systems in order to break the encryption and decrypt the information. As compared to other information security jobs, cryptographers disproportionately work for government agencies, the military, and academia. In the United States, many government jobs in cryptography require U.S. citizenship and an active security clearance.

Vulnerability assessment analyst

Vulnerability assessment analysts examine computer systems, databases, networks, and other portions of the information infrastructure in search of potential vulnerabilities. The folks working in such positions must have explicit permission to do so. Unlike penetration testers, vulnerability assessors don’t typically act as outsiders trying to breach systems, but as insiders who have access to systems and have the ability to examine them in detail from the start.

Ethical hacker

Ethical hackers attempt to attack, penetrate, and otherwise compromise systems and networks on behalf of — and with the explicit permission of — the technologies’ owners in order to discover security vulnerabilities that the owners can then fix. Ethical hackers are sometimes referred to as penetration testers or pen-testers. While many corporations employ their own ethical hackers, a significant number of folks who work in such positions work for consulting companies offering their services to third parties.

Security researcher

Security researchers are forward-looking folks who seek to discover vulnerabilities in existing systems and potential security ramifications of new technologies and other products. They sometimes develop new security models and approaches based on their research. As far as ethics are concerned, and as far as most jurisdictions are concerned, a security researcher who hacks an organization without explicit permission from that organization is not a security researcher or an ethical hacker, but simply someone breaking the law.

Offensive hacker

Offensive hackers attempt to break into adversaries’ systems to either cripple the systems or steal information. In the United States of America, it is illegal for a business to go on the offensive and attack anyone, including striking back at hackers who are actively trying to penetrate the organization. As such, all legal offensive hacking jobs in the United States are government positions, such as with intelligence agencies. If you enjoy attacking and are not satisfied with just ethical hacking, you may wish to pursue a career with the government or military. Many offensive hacking positions require security clearances.

Software security engineer

Software security engineers integrate security into software as it is designed and developed. They also test the software to make sure it has no vulnerabilities. In some cases, they may be the coders of the software itself.

Software source code security auditor

Software source code security auditors review the source code of programs in search of programming errors, vulnerabilities, violations of corporate policies and standards, regulatory problems, copyright infringement (and, in some cases, patent infringement), and other issues that either must, or should, be resolved.

Software security manager

Software security managers, also called secure development managers, oversee the security of software throughout the software’s lifecycle, from initial business requirements gathering all the way through disposal.

Security consultant

There are many different types of security consultants. Some advise corporate executives on security strategy, serve as expert witnesses, or help security companies grow and succeed. Others are hands-on penetration testers. Others may design or operate components of security infrastructure, focusing on specific technologies. When it comes to security consulting, you can find positions in just about every area of information security.

Security specialist

The title security specialist is used to refer to people serving in many different types of roles. All of the various roles, however, tend to require at least several years of professional experience working in the information security field.

Incident response team member

The incident response team consists of the de facto first responders who deal with security incidents. Team members seek to contain and eliminate attacks while minimizing the damage from them. They also often perform some of the analysis into what happened — sometimes determining that nothing requires any corrective activity. You can think of incident responders as roughly the equivalent of cybersecurity firefighters — they deal with dangerous attacks, but sometimes get called in to verify that there is no fire.

Forensic analyst

Forensic analysts are effectively digital detectives who, after some sort of computer event, examine data, computers and computing devices, and networks to gather, analyze, and properly preserve evidence and deduce what exactly happened, how it was possible to happen, and who did it. You can think of forensic analysts as roughly the equivalent of law enforcement and insurance company inspectors who analyze properties after a fire to determine what happened and who might be responsible.

Cybersecurity regulations expert

Cybersecurity regulations experts are knowledgeable in the various regulations related to cybersecurity and help ensure that organizations comply with such regulations. They are often, but not always, attorneys who have prior experience working with various compliance-type matters.

Privacy regulations expert

Privacy regulations experts are knowledgeable in the various regulations related to privacy and help ensure that organizations comply with such regulations. They are often, but not always, attorneys who have prior experience working with various compliance-type matters.

Understanding the expected tasks of each cybersecurity role can help you determine which career path is right for you.
