Monday, September 29, 2014

Colorado Springs ISSA Cybersecurity Conference, Wednesday October 15, 2014




Colorado Springs ISSA
Cybersecurity Conference
Wednesday October 15, 2014
University of Colorado Colorado Springs


I've been invited to speak at the Colorado Springs ISSA Cybersecurity Conference on Wednesday October 15, 2014 at the University of Colorado Colorado Springs.

My host asked me to address career development topics for Cyber Security professionals. I'm excited about presenting to this group because I get to deliver what I've experienced over the past 25 years of recruiting and the past 19 years of working in the information security / cyber security, compliance, risk management and privacy areas.

If you're in or around Colorado Springs, you can register for this event by clicking on the ISSA logo above.


Jeff Snyder's, Security Career Coach, Security Recruiter Blog, 719.686.8810


Information Security Leadership Forum San Antonio, TX Thursday November 6, 2014 Plaza Club

Information Security Leadership Forum
San Antonio, TX
Thursday November 6, 2014
Plaza Club


If you are a leader in Information Security, Audit, Risk Management, Legal, Compliance, Privacy or IT, please by my guest at the Information Security Leadership Forum meeting in San Antonio, TX.

I worked with this group as a guest speaker to help them kick off their inaugural meeting in Dallas one year ago. They invited me back as a speaker for a second time for their most recent meeting in Dallas in June of 2014.

Registration is free but you do need to register in order to attend.  I look forward to meeting you in San Antonio.






Information Security Leadership Forum, Austin, TX, Tuesday November 4, 2014

Information Security Leadership Forum
Austin, TX
Tuesday November 4, 2014
The Hills of Lakeway Country Club


If you are a leader in Information Security, Audit, Risk Management, Legal, Compliance, Privacy or IT, please by my guest at the Information Security Leadership Forum meeting in Austin, TX.

I worked with this group as a guest speaker to help them kick off their inaugural meeting in Dallas one year ago. They invited me back as a speaker for a second time for their most recent meeting in Dallas in June of 2014.

Registration is free but you do need to register in order to attend.  I look forward to meeting you in Austin.






Cyber Security News, Education and Vulnerability Patch Report for the Week of September 29, 2014


Cyber Security News of the Week


From our friends at Citadel Information Group

Cyber Crime

Jimmy John’s Confirms Breach at 216 Stores: More than seven weeks after this publication broke the news of a possible credit card breach at nationwide sandwich chain Jimmy John’s, the company now confirms that a break-in at one of its payment vendors jeopardized customer credit and debit card information at 216 stores. KrebsOnSecurity, September 24, 2014
Home Depot: 56M Cards Impacted, Malware Contained: Home Depot said today that cyber criminals armed with custom-built malware stole an estimated 56 million debit and credit card numbers from its customers between April and September 2014. That disclosure officially makes the incident the largest retail card breach on record. KrebsOnSecurity, Septemebr 18, 2014
In Home Depot Breach, Investigation Focuses on Self-Checkout Lanes: The malicious software that unknown thieves used to steal credit and debit card numbers in the data breach at Home Depot this year was installed mainly on payment systems in the self-checkout lanes at retail stores, according to sources close to the investigation. The finding could mean thieves stole far fewer cards during the almost five-month breach than they might have otherwise. KrebsOnSecurity, September 18, 2014

Cyber Privacy

Private.me’s Dr. Stan Stahl Talks Secure Internet Browsing, Usage; Possible Tor Alternative And The Privacy Culture Shift: Tuesday I got a chance to interview Dr. Stan Stahl, Chief Information Security Officer of Private.me. Right now it’s an anonymous internet search browser, similar to DuckDuckGo in most ways, except that it requires users to create an account. This seems counter-intuitive but Private.me says that it allows users to stay in control of their data by controlling settings and restricting access by search providers. Private.me encrypts the data, slices it up and stores it in multiple non-profits for added security. iDigitalTimes, September 24, 2014

Identity Theft

Your medical record is worth more to hackers than your credit card: (Reuters) – Your medical information is worth 10 times more than your credit card number on the black market. Reuters, September 24, 2014
Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm: How much are your medical records worth in the cybercrime underground? This week, KrebsOnSecurity discovered medical records being sold in bulk for as little as $6.40 apiece. The digital documents, several of which were obtained by sources working with this publication, were apparently stolen from a Texas-based life insurance company that now says it is working with federal authorities on an investigation into a possible data breach. KrebsOnSecurity, September 18, 2014

Financial Cyber Security

$1.66M in Limbo After FBI Seizes Funds from Cyberheist: A Texas bank that’s suing a customer to recover $1.66 million spirited out of the country in a 2012 cyberheist says it now believes the missing funds are still here in the United States — in a bank account that’s been frozen by the federal government as part of an FBI cybercrime investigation. KrebsOnSecurity, September 25, 2014

Cyber Warning

Shellshock: ‘Deadly serious’ new vulnerability found: A “deadly serious” bug potentially affecting hundreds of millions of computers, servers and devices has been discovered. BBC, September 25, 2014

National Cyber Security

Steptoe Cyberlaw Podcast – Interview with Phyllis Schneck: Our guest this week is Dr. Phyllis Schneck, the Deputy Undersecretary for Cybersecurity for the Department of Homeland Security’s National Protection and Programs Directorate (NPPD). She and Marc Frey, Senior Director in Steptoe’s DC office and former Chief of Staff at DHS’s Office of Policy Development, discuss the status of cybersecurity legislation and DHS’s highest cybersecurity priorities. Steptoe Cyberblog, September 16, 2014

Cyber Underworld

Who’s Behind the Bogus $49.95 Charges?: Hardly a week goes by when I don’t hear from a reader wondering about the origins of a bogus credit card charge for $49.95 or some similar amount for a product they never ordered. As this post will explain, such charges appear to be the result of crooks trying to game various online affiliate programs by using stolen credit cards. KrebsOnSecurity, September 22, 2014

Cyber Misc

Home Depot’s Former Lead Security Engineer Had a Legacy of Sabotage: Information continues to trickle in on the Home Depot data breach, and it’s an ugly one. Last week, the company confirmed that its security lapse—the biggest ever for a retailer—had compromised the credit cards of 56 million customers from April to September. The data now being sold on black markets could contribute to an estimated $3 billion in illegal purchases. Slate, September 23, 2014


Weekend Vulnerability and Patch Report, September 28, 2014


Important Security Updates

Apple iOS: Apple has released version 8.0.2 of its iOS for iPhone 4 and later, iPad and iPod touch. The update is available through the devices or through Apple’s website.
Foxit Reader: Foxit has released version 7.0.3.0916 of its Reader. Updates are available through the program or from Foxit’s website.
Google Chrome: Google has released Google Chrome version 37.0.2062.124 for Windows, Mac, and Linux to fix a moderately critical vulnerability reported in previous versions. Updates are available from within the browser or from Google Chrome’s website.
Mozilla Firefox: Mozilla has released version 32.0.3 for Firefox to fix a moderately critical vulnerability. Updates are available within the browser or from Mozilla’s website. Updates are also available for Thunderbird and SeaMonkey.
Opera: Opera has released version 24.0.1558.64. Updates are available from within the browser or from Opera’s website.
Piriform CCleaner: Piriform has released version 4.18.4842 for CCleaner. Updates are available from Piriform’s website.

Current Software Versions

Adobe Flash  15.0.0.167 [Windows 7: IE]
Adobe Flash  15.0.0.152 [Windows 7: Firefox, Mozilla]
Adobe Flash  15.0.0.167 [Windows 8: IE]
Adobe Flash  15.0.0.152 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.09
Dropbox 2.10.30 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 32.0.3
Google Chrome 37.0.2062.124
Internet Explorer 11.0.9600.17280
Java SE 7 Update 67 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.1 [Mac OS X]
Skype 6.20.0.104

Newly Announced Unpatched Vulnerabilities

None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Nexus 1000V: Secunia reports an unpatched vulnerability in Cisco’s Nexus 1000V InterCloud for VMware versions 5.2(1)IC1 (1.1) and (1.2), Nexus 1000V Switch versions 6.3(2) Base and 7.0(2) Base, Nexus 1000V Switch for VMware vSphere version 9.2(1)SP1(4.8). No official solution is currently available.

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.


Wednesday, September 24, 2014

Information Security Leadership Forum, Skillman, New Jersey, Thursday October 9, 2014, Cherry Valley Country Club

Information Security Leadership Forum
New Jersey
Thursday October 9, 2014
Cherry Valley Country Club

If you are a leader in Information Security, Audit, Risk Management, Legal, Compliance, Privacy or IT, please by my guest at the inaugural Information Security Leadership Forum meeting in SkillmanNew Jersey.

I worked with this group to help them kick off their inaugural meeting in Dallas one year ago. They invited me back as a speaker for a second time for their second meeting in Dallas in June of 2014.

Registration is free but you do need to register in order to attend.  I look forward to meeting you in New Jersey.




Information Security Leadership Forum, Houston, TX, Tuesday October 7, 2014


Information Security Leadership Forum
Houston, TX
Tuesday October 7, 2014


If you are a leader in Information Security, Audit, Risk Management, Legal, Compliance, Privacy or IT, please by my guest at the inaugural Information Security Leadership Forum meeting in Houston, TX.

I worked with this group to help them kick off their inaugural meeting in Dallas one year ago. They invited me back as a speaker for a second time for their second meeting in Dallas in June of 2014.

Registration is free but you do need to register in order to attend.  I look forward to meeting you in Houston.





Jeff Snyder's, SecurityRecruiter.com, Security Recruiter Blog, 719.686.8810

Monday, September 22, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of September 22, 2014



Cyber Security News of the Week


From our friends at Citadel Information Group

Cyber Crime

Breach at Goodwill Vendor Lasted 18 Months: C&K Systems Inc., a third-party payment vendor blamed for a credit and debit card breach at more than 330 Goodwill locations nationwide, disclosed this week that the intrusion lasted more than 18 months and has impacted at least two other organizations. KrebsOnSecurity, September 16, 2014
Decade-long cybercrime ring hacked European banks and labs: A 12-year-long European cybercrime operation targeting more than 300 banks, governments, research labs, critical infrastructure facilities and more has finally been discovered and scuppered. Wired, September 16, 2014
After Breach, JPMorgan Still Seeks to Determine Extent of Attack: The headache caused by the attack on JPMorgan Chase’s computer network this summer may not go away anytime soon. The New York Times, September 12, 2014

Cyber Privacy

New Apple encryption locks out police from iPhones, iPads: Apple said Wednesday night that it is making it impossible for the company to turn over data from most iPhones or iPads to police — even when they have a search warrant — taking a hard new line as tech companies attempt to blunt allegations that they have too readily participated in government efforts to collect user data. The Boston Globe, September 18, 2014
California Breaks New Ground in Education Privacy Law with K-12 Student Data Privacy Bill: A substantial rise in schools’ use of online educational technology products has caused educators to become increasingly reliant on these products to develop their curricula, deliver materials to students in real time, and monitor students’ progress and learning habits through the collection of data by third-party cloud computing service providers. Unfortunately, with these advances come the data security concerns that go hand-in-hand with cloud computing—such as data breaches, hacking, spyware, and the potential misappropriation or misuse of sensitive personal information. The National Law Review, September 17, 2014
Yelp pays $450,000 to settle FTC’s child privacy violation charges: Yelp has agreed to pay $450,000 to the U.S. Federal Trade Commission to settle charges that the company accepted registrations to its services from children under 13 through its apps. PCWorld, September 17, 2014

Cyber Warning

Kindle security vulnerability can ‘compromise’ Amazon accounts: A security vulnerability exists in Amazon’s Kindle Library, which can be used to “compromise” an entire Amazon.com account, according to the researcher who found the flaw. ZDNet, September 16, 2014
WikiLeaks releases FinFisher ‘weaponized malware’ to help people build defenses: WikiLeaks has today released copies of ‘weaponized malware’ used by various governments around the world to snoop on individuals. TheNextWeb, September 15, 2014
Your adviser could be an easy target for cyber crooks: At a time when security experts, regulators and law enforcement are warning of attacks on the financial sector, more than one-third of registered investment adviser firms don’t do risk assessments for cyber threats, vulnerabilities or potential consequences, new data finds. MarketWatch, September 15, 2014

Cyber Security Management

Did Home Depot’s Outdated Software Help Hackers?: Former staffers allege management’s aversion to spending money on state-of-the-art security could have been a factor in the recent breach. CFO, September 16, 2014
Here’s What Hackers Can Do With Your CRM Data: It is clear why malware writers target such retailers as Home Depot HD +0.27% and Target. It is obvious, if not pathetic, why hackers break into the cloud to find and publish private nude photos of celebrities. … But a company’s customer relationship management data? Well, yes. … Even the CRM systems that don’t store end customer payment account information? Yes, again. Forbes, September 14, 2014
Former Home Depot Managers Depict ‘C-Level’ Security Before the Hack: Home Depot’s (HD) in-store payment system wasn’t set up to encrypt customers’ credit- and debit-card data, a gap in its defenses that gave potential hackers a wider window to exploit, according to interviews with former members of the retailer’s security team. Bloomberg, September 12, 2014

Cyber Security Management – Cyber Defense

8 Security Tips for a Safe iOS 8 Upgrade: Apple’s iOS 8 is here. If you’ve got an iPhone, you’re probably champing at the bit to download Apple’s latest and greatest OS. Or perhaps you’ve already pre-ordered an iPhone 6 or 6 Plus and are ready to party with a totally new handset. Either way, now is a great time to spruce up the security of your iOS device. PCMag, September 17, 2014
Apple Expands Two-Factor Authentication to iCloud Backups: Apple has extended two-factor authentication to iCloud, which – if activated – would make it much harder for scammers to gain unauthorized access to iOS data that has been backed up to the cloud. PCMag, September 17, 2014

Cyber Security Management – Cyber Update

Critical Update for Adobe Reader & Acrobat: Adobe has released a security update for its Acrobat and PDF Reader products that fixes at least eight critical vulnerabilities in Mac and Windows versions of the software. If you use either of these programs, please take a minute to update now. KrebsOnSecurity, September 17, 2014

ISSA-LA

Internationally Renowned Security Expert Bruce Schneier to Keynote the 2015 ISSA-LA Information Security Summit on Cybercrime Solutions: One of the world’s leading experts on computer security and privacy issues will deliver the keynote address on June 4, 2015, at the Hilton Universal City Hotel in Los Angeles. PRWeb, September 15, 2014

National Cyber Security

Chinese Hackers Infiltrated U.S. Defense Contractors, Senate Report Says: Hackers staged at least 20 attacks on private firms involved in the movement of U.S. troops and equipment. Time, September 17, 2014


Weekend Vulnerability and Patch Report


Important Security Updates

Adobe Reader: Adobe has released version 11.0.09 to fix at least 8 highly critical vulnerabilities reported in previous versions. Updates are available through the program’s Help menu/Check for Updates or from Adobe’s website. Updates are also available for Adobe Acrobat.
Apple iCloud: Apple has released an update for iCloud for Windows. The update is available through Apple’s website.
Apple iOS: Apple has released version 8 of its iOS for iPhone 4 and later, iPad and iPod touch to fix at least 19 unpatched vulnerabilities, some of which are highly critical, in previous versions. The update is available through the devices or through Apple’s website.
Apple OS X: Apple has released updates for its OS X to fix at least 37 vulnerabilities, some of which are highly critical, reported in previous versions. Update to version 10.9.5 or apply Security Update 2014-004.
Apple Safari: Apple has released updates for Safari to fix at least 8 vulnerabilities, some of which are highly critical, reported in previous versions. Update to version 6.2 or 7.1. Updates are available from Apple’s website.
Apple TV: Apple has released version 7 for Apple TV to fix at least 14 unpatched vulnerabilities, some of which are highly critical, in previous versions. Updates are available through the device or Apple’s website.
Dropbox: Dropbox has released version 2.10.30 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel's warning below]
Mozilla Firefox: Mozilla has released version 32.0.2. Updates are available within the browser or from Mozilla’s website.
Opera: Opera has released version 24.0.1558.61 to fix multiple moderately critical unpatched vulnerabilities reported in previous versions. Updates are available from within the browser or from Opera’s website.

Current Software Versions

Adobe Flash  15.0.0.152 [Windows 7: IE]
Adobe Flash  15.0.0.152 [Windows 7: Firefox, Mozilla]
Adobe Flash  15.0.0.152 [Windows 8: IE]
Adobe Flash  15.0.0.152 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.09
Dropbox 2.10.30 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 32.0.2
Google Chrome 37.0.2062.120
Internet Explorer 11.0.9600.17280
Java SE 7 Update 67 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.1 [Mac OS X]
Skype 6.20.0.104

Newly Announced Unpatched Vulnerabilities

None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates for IOSXR and others. Apply available updates.
Apple OS X Server: Apple has released updates for its OS X Server to fix at least 7 moderately critical vulnerabilities, reported in previous versions. Update to version 3.2.1.

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.


Friday, September 19, 2014

How To Get Started in an Information Security Career


How To Get Started In An Information Security Career?

An up and coming technology professional recently asked me if I could help him with advice for entering the information security profession.  

This is a tough question for me to answer directly because the search work I do and the search work I've done for 25 years requires me to recruit professionals who possess generally 5-20+ years of experience.

Please Help Your Up-And-Coming Security Colleagues To Advance


  • If you're already in the information security profession and you could offer advice to up and coming security professionals, please share your advice.  
  • If your company has entry-level security jobs, please share them with me so I can help you to circulate them.


Jeff Snyder's, SecurityRecruiter.com, Security Recruiter Blog, 719.686.8810






Another Security Career Coach Client Wins!





A Security Career Coach Client Shares:

“Expecting an offer by next week...head of security and technology”

I get to win when my job coaching and career coaching clients win.


How can I be helpful to you?
  • Resume coaching to help you get the interview?
  • Interview coaching to help you land the job?
  • Career coaching to help you determine how to maximize your performance?
  • Leadership coaching to help you maximize your performance to deliver what the business wants needs and expects from you as a leader?



Jeff Snyder’s, Security Career Coach, Security Recruiter Blog, 719.686.8810

Tuesday, September 16, 2014

Security Jobs: Computer Forensics Senior Security Consultant, Southern Connecticut



Computer Forensics Senior Security Consultant

Southern Connecticut
$100,000+ Base, benefits, training opportunities
Education: BA/BS Preferred
Certification:  CISSP Appreciated, GCFA, CCE, CFCE Preferred

The Opportunity:

SecurityRecruiter.com has helped this well-established information security consulting company to grow for years. Our client’s focus is on forensics, business continuity / business recovery, data privacy and information security.  They’ve been providing these services for over 25 years.
Since this firm was created in 1998, it has been on the forefront of providing highly ethical services to prevent exploitation of its clients. 

When they add to their consultant team, they look for consultants who have a passion for the information security profession.  They hire consultants who have a passion for learning and who are curious to know what comes next.  If you’re a candidate for this role, you’ll be challenged to demonstrate your passion, the ways in which you keep up-to-date with the changing security landscape and you’ll be expected to learn new tools in order to deliver world-class forensics services.

Our client operates a lab environment at their corporate office in Southern Connecticut.  You will be expected to work from this office while also making face-to-face visits to client sites.  You will conduct on-site client project planning meetings and you will interface with client management to acquire data, to conduct tests, to review designs, findings and to make recommendations.

Innovation, considerable independent action, and sound technical judgment are required for effective implementation of client requirements.  You must be able to conceive and recommend alternative practices to maximize results and minimize risk.  This position requires organizational skills and dealing with complex and difficult technical and procedural methods.

In addition to a competitive base salary, our client also offers paid holidays, generous vacation, medical, dental, disability insurance, 401 (K) and technical training opportunities.

Required Background Skills:
  • Demonstrate expertise with EnCase Forensic software
  • A 4-year degree is highly appreciated.  Candidates who do not have a 4-year degree will be considered
  • Must have 4+ years of progressively responsible experience and research in digital forensics
  • Demonstrate a deep working knowledge of various operating and network systems, encryption programs and data retrieval procedures
  • Prove an ability to analyze digital data and to think outside the box during investigative tasks
  • Show that you can effectively communicate findings and recommendations orally and in writing
  • Demonstrate a full understanding of “Chain of Custody”
  • Forensics Certification preferred (GCFA, CCE, CFCE, etc.)
  • Familiarity with intrusion detection systems (IDS), security information and event monitoring (SIEM) and log aggregation preferred
  • Having previously testified in court is a plus

Considerable independent action, innovation and sound technical judgment are required.  You must be able to conceive and recommend alternative practices to maximize results and minimize risk.  Tasks could involve computer hard drives, storage devices, cell phones, PDAs, tablets, MP3 players, smart phones, electronic notebooks, video game consoles or any other electronic device to test what a hacker could do in a system or what s/he might have done, or to accumulate evidence that could be admissible in a court of law.

Connecticut Security Jobs, Forensics Security Jobs, Security Forensics Consulting Jobs




SecurityRecruiter.com's Security Recruiter Blog