People talk about the cybersecurity job market like it’s a monolith, but there are a number of different roles within cybersecurity, depending not only on your skill level and experience but on what you like to do.In fact, Cybercrime Magazine came up with a list of 50 cybersecurity job titles, while CyberSN, a recruiting organization, came up with its own list of 45 cybersecurity job categories. Similarly, OnGig.com, a company that helps firms write their job ads, analyzed 150 cybersecurity job titles and came up with its own top 30 list. This article is based on research I did with Springboard, one of the first cybersecurity bootcamps with a job guarantee and 1:1 mentorship.

The complicated part is that these titles and roles generally aren’t standardized, plus they constantly change as the industry itself evolves. The National Institute for Science and Technology, in its National Initiative for Cybersecurity Education workforce framework, does try to standardize positions using the notions of:

If you’re looking to build your skill set towards building a career in cybersecurity and a way to get started, Springboard’s cybersecurity bootcamp is one of the first to offer a job guarantee in cybersecurity along with 1:1 mentorship with an industry expert — get a job or your money back.

ENGLEWOOD CLIFFS — The borough is suing its former IT professional, claiming it failed to archive official emails and was fraudulent and negligent.The suit filed late last month claims that Intrep Solutions, which started working in the borough in 2012, and owner Cameron Arabi led officials to believe the official email server had archived emails, which was not the case.

According to the suit, the borough shifted to Microsoft Office in 2017 and Arabi was made a global administrator to the account to give him the “appropriate authority” and make sure that emails were archived and that he could conduct audit logs for security purposes.

The lawsuit highlighted that emails from three of the five Democrats who served on the council in recent years had been deleted. Ed Aversa, Gloria Oh and Ellen Park served on the borough’s affordable housing committee and were often at odds with Mayor Mario Kranjac.

Subject: COVID-19-themed cyberattack detections continue to surge
Source: Help Net Security
https://www.helpnetsecurity.com/2021/04/19/covid-19-themed-cyberattack/

Subject: Growing reliance on third-party suppliers signals increasing security risks
Source: ZDNet
https://www.zdnet.com/article/growing-reliance-on-third-party-suppliers-signals-increasing-security-risks/#ftag=RSSbaffb68

Two years ago, we announced our plans to fundamentally shift our approach to protecting people’s privacy. Today, I’d like to share the continued progress we’ve made by publishing a new Privacy Progress Update that provides our most detailed look to date at the work we’re doing to embed privacy into all facets of our company and the investments we’re making to keep improving our privacy technology and practices. You may have seen some of these updates in the form of new privacy tools and controls in our apps. Others are less obvious, like the ways we’ve created a cultural shift to make privacy a core responsibility of everyone at Facebook. With today’s update, we’re bringing all of this together to make it easier to understand the details of our privacy approach.As Chief Privacy Officer, Product at Facebook, my job is to oversee our company-wide privacy program and make sure that we respect and honor people’s privacy in everything that we do.

…

Last week the US Department of Justice revealed how the FBI had worked to remove malicious web shells from hundreds of computers in the United States that were running vulnerable versions of Microsoft Exchange Server. While the move will have helped keep many organisations secure, it has also raised questions about the direction of cybersecurity.

Hundreds of unmitigated web shells have been identified and removed from hundreds of systems – to such an extent that the Department of Justice says it has removed one hacking group’s remaining web shells entirely.

Even if the intent was good – in short, helping to protect the businesses by removing the access of cyber attackers, and authorised by the courts – this is a significant step by law enforcement.

“The effort by the FBI amounts to the FBI gaining access to private servers. Just that should be a full stop that the action is not OK,” says David Brumley, professor of electrical and computer engineering at Carnegie Mellon University and co-founder and CEO of ForAllSecure, a cybersecurity company.

“We don’t want a future where the FBI determines someone may be vulnerable, and then uses that as a pretext to gain access. Remember: the FBI has both a law enforcement and intelligence mission. It would be the same as a police officer thinking your door isn’t locked, and then using that as a pretext to enter,” he says.

…

filed: https://www.zdnet.com/topic/security/

MORE ON CYBERSECURITY

• SolarWinds: US and UK blame Russian intelligence service hackers for major cyber attack
• Congress confronts US cybersecurity weaknesses in wake of SolarWinds hacking campaign
• Cybersecurity: How to get your software patching strategy right and keep the hackers at bay
• Most applications today are deployed with vulnerabilities, and many are never patched
• Supply chain security is actually worse than we think

Tentatively excellent news! The FTC has declared that it is serious about racist algorithms, and it will hold businesses legally accountable for using them. In a friendly-reminder type announcement today, it said that businesses selling and/or using racist algorithms could feel the full force of their legal might.“Fortunately, while the sophisticated technology may be new, the FTC’s attention to automated decision making is not,” FTC staff attorney Elisa Jillson wrote in a statement on Tuesday, adding that the agency “has decades of experience” enforcing laws that racist algorithms violate. They write that selling and/or using racially biased algorithms could qualify as unfair or deceptive practices under the FTC Act. They also remind businesses that racial discrimination (by algorithm or human) could violate the Fair Credit Reporting Act and the Equal Credit Opportunity Act.

The effects of algorithmic racial bias and automated white favoritism spill out far beyond the types of products Facebook serves us. Racist algorithms have been shown to disproportionately deny Black people recommendations for specialized healthcare programs. They have priced out higher interest rates on mortgages for Black and Latinx people than whites with the same credit scores. They have drastically exaggerated Black defendants’ risk of recidivism, which can impact sentencing and bail decisions. They have encouraged police to target locations and arrest records which perpetuate further disproportionate arrests in Black communities. The list goes on.

…

In other words, no one knows the extent of racist algorithms’ damage, and the FTC urges businesses to hold themselves accountable or the FTC “will do it for you,” read: the FTC will come for you, even if you’re a small potatoes Honda dealership.

The Cybersecurity and Infrastructure Security Agency on Tuesday confirmed that a number of federal agencies were compromised by a threat actor last year through vulnerabilities found in virtual private networking software made by Pulse Connect Secure.

In a blog post on Tuesday, cybersecurity firm FireEye detailed its investigation into 12 malware families all associated with exploiting Pulse Secure VPN devices. The company labeled the hacking campaigns behind the attacks as UNC2630 and UNC2717. The former is suspected to be working on behalf of the Chinese government and targeting defense industrial base contractors, according to FireEye.

When it comes to preferred passwords among healthcare industry employees, many are choosing weak options that can make their employer hospital or health system organization vulnerable to cyberattacks, according to an April 20 NordPass report. For its analysis, NordPass, a password manager for B2B and B2C clients, partnered with a data breach research company to examine data from public third-party breaches that affected Fortune 500 companies. The researchers analyzed data from 15,603,438 breaches and categorized the top 10 passwords used in 17 different industries.

Here are the 10 most common passwords healthcare industry employees use, according to the report. Passwords marked by an asterisk (*) are a company name or variation of it; NordPass did not name the companies.

The two-page document, which is labeled “law enforcement sensitive” and was distributed by a DHS intelligence “fusion center,” reads in part:

…

Mail tie-ins seem to be sort of loose. In a 2019 year-end report, the USPIS said that it employed 1,289 inspectors charged with enforcing “roughly 200 federal laws, covering crimes that include fraudulent use of the U.S. Mail and the postal system.” This surprisingly thrilling tie-in means that they hunt down prolific mail thieves, mail marketers, dark web-sourced mailed drugs, drug delivery bribes, and even on a $7 billion fraud scheme. But it also has a long-running unit for investigating child exploitation material, which, it seems, may or may not be detected through the process of flowing through mail. In its 2019 year-end report, for example, USPIS said that it was handed an investigation into a hard drive (which had at one point been mailed) containing child sexual abuse material, but the investigation was passed along from a Rhode Island internet child abuse task force, not seized en route or at a delivery point.

And, as the Washington Post has noted, the postal service’s investigatory powers granted since 1775 make it the oldest law enforcement agency in the country. The USPIS’s report suggests that it collaborates with virtually every federal investigatory body, including the Securities and Exchange Commission, Customs and Border Protection, the Department of Justice, the Department of Defense, the FBI, the DEA, and more.