Wednesday, April 01, 2015

Great Negotiators in Business Possess Specific Strengths and High Emotional Intelligence


One of the many skills employers expect in executive level technology professionals includes the ability to negotiate. While negotiation might be a necessary skill for a technology leader to possess in order to gain sponsorship backing and budget to drive projects, where would a technology leader have been trained to negotiate? Are technology leaders even qualified to negotiate?
Let’s assume that technology leaders generally have a high IQ. Sometimes, people who have a high IQ like to prove that they’re right and want to win at all costs. Technology leaders who negotiate to be right and who negotiate to win at the expense of the other party to their negotiation losing may not be aware of the environment they’re creating.
If a technology leader is buying a widget and they get the lowest price possible and there is no further relationship required with the product vendor, this is one scenario where their natural tendency to need to win might work out in their favor.
However, if a technology leader is negotiating a contract with a service provider and there will be an ongoing human relationship and ongoing interaction with the service provider, it is far better for the negotiation to leave both parties to the negotiation standing rather than one party winning at the expense of the other party losing.
Given that most technology leaders are gifted with deeply Analytical strengths and they are typically not deep in Relationship Building and Influencing strengths, negotiating very likely does not come naturally to most technology leaders. This is not to say that negotiating skills can’t be learned, but the core skills required to effectively negotiate may not naturally be skills that a high IQ gifted technology leader possesses.
In order to negotiate in a manner that leaves both parties to a negotiation standing, skilled negotiators will possess Relationship Building strengths, Influencing strengths and above-average Empathy. Empathy allows a person to briefly step into another person’s shoes to see the world from their vantage point. Empathy is an Emotional Intelligence skill.
People who negotiate from the perspective of only relying on their deep Analytical Strategic thinking skills will very likely miss the boat when it comes to negotiating a well-balanced solution. Negotiators who possess the ability to consider other people’s needs along with relying on their strong Analytical strengths will be much more likely to create an environment where a win-win solution can be achieved.
The good news for technology leaders who are not naturally gifted negotiators is that their natural strengths can be identified, measured and objectively understood. Their Emotional Intelligence skills can also be identified, measured and adjusted through coaching.
The most successful people in the world in all disciplines of work have been found to understand precisely who they are, how they're built and how they can deliver their best performance.
These same people have also been found to be some of the most emotionally intelligent people in the world. They understand themselves and how they come across to other people.
Jeff Snyder, @SecruityRecruit, SecurityRecruiter.com, Coaching Technology Professionals To Greater Results, Public Speaker, 719.686.8810

Sunday, March 29, 2015

Cyber Security News, Education and Vulnerability Patch Report for the Week of March 29, 2015


CYBER SECURITY NEWS OF THE WEEK

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Cyber Crime

Gloucester County School District Targeted By Hackers: Swedesboro Woolwich School District felt like it was thrown back into the Stone Age after hackers wreaked havoc, taking over the district’s computer network and holding it for ransom. ABC, March 25, 2015
Tax Fraud Advice, Straight from the Scammers: Some of the most frank and useful information about how to fight fraud comes directly from the mouths of the crooks themselves. Online cybercrime forums play a critical role here, allowing thieves to compare notes about how to evade new security roadblocks and steer clear of fraud tripwires. And few topics so reliably generate discussion on crime forums around this time of year as tax return fraud, as we’ll see in the conversations highlighted in this post. KrebsOnSecurity, March 25, 2015
Kreditech Investigates Insider Breach: Kreditech, a consumer finance startup that specializes in lending to “unbanked” consumers with little or no credit rating, is investigating a data breach that came to light after malicious hackers posted thousands of applicants’ personal and financial records online. KrebsOnSecurity, March 24, 2015

Identity Theft

Hilton Honors Flaw Exposed All Accounts: Hospitality giant Hilton Hotels & Resorts recently started offering Hilton HHonors Awards members 1,000 free awards points to those who agreed to change their passwords for the online service prior to April 1, 2015, when the company said the change would become mandatory. Ironically, that same campaign led to the discovery of a simple yet powerful flaw in the site that let anyone hijack a Hilton Honors account just by knowing or guessing its valid 9-digit Hilton Honors account number. KrebsOnSecurity, March 23, 2015

Cyber Warning

Big Vulnerability in Hotel Wi-Fi Router Puts Guests at Risk: GUESTS AT HUNDREDS of hotels around the world are susceptible to serious hacks because of routers that many hotel chains depend on for their Wi-Fi networks. Researchers have discovered a vulnerability in the systems, which would allow an attacker to distribute malware to guests, monitor and record data sent over the network, and even possibly gain access to the hotel’s reservation and keycard systems. Wired, March 26, 2015
Hackers Use an Android App for Sex Extortion: For years, criminals have been tricking people into performing embarrassing sexual acts on the Internet, and then blackmailing them with recordings of that behavior. The New York Times, March 24, 2015

Cyber Security Management

The ongoing war against cybercrime: Cybercrime is estimated to cost the global economy upwards of US$400 billion a year, and these costs are expected to continue to rise. phys.org, March 24, 2015

Cyber Security Management – Cyber Defense

Information Security Management Boot Camp for IT Professionals: Information security has become part of every IT professional’s job. Hackers are constantly trying to compromise your networks, steal sensitive data, and overwhelm your systems. Adding to the security management challenge, users are demanding to work from anywhere on any device. Designed for both in-house IT staff and IT vendors, ISSA-LA’s Information Security Management Boot Camp combines practical advice with sound security management insight. ISSA-LA, Event Date: June 4, 2015

Cyber Awareness

The #1 Information Security Policy That IT Managers Would Change: Every person within an organization can accidentally break the company’s information security policies if they are not careful. Cyber security is a top concern in the IT industry today. In this series, we will look at various threats to cyber security and their corresponding information security policies – and what steps businesses can take to meet those threats head on. CIO, March 23, 2015

Securing the Village

Nonprofits Get Free Entry to ISSA-LA 7th Annual Info Security Summit on Cybercrime Solutions: The Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) is offering executives and IT personnel of nonprofits to attend, at no charge, the Seventh Annual Information Security Summit on June 4 – June 5, 2015 at the Los Angeles Convention Center. This year’s Summit, The Growing Cyber Threat: Protect Your Business, will highlight practical solutions every organization can implement to better secure their sensitive information from cybercriminals. PRLog, March 19, 2015

Cyber Underworld

Who Is the Antidetect Author?: Earlier this month I wrote about Antidetect, a commercial tool designed to help thieves evade fraud detection schemes employed by many e-commerce companies. That piece walked readers through a sales video for Antidetect showing the software being used to buy products online with stolen credit cards. Today, we’ll take a closer look at clues to a possible real-life identity of this tool’s creator. KrebsOnSecurity, March 26, 2015

Cyber Law

‘Threat-sharing’ cybersecurity bill introduced in U.S. House: Leaders of the House of Representatives Intelligence Committee introduced legislation on Tuesday to make it easier for companies to share information about cybersecurity threats with the government, without the fear of being sued. Reuters, March 24, 2015



Weekend Vulnerability and Patch Report



Important Security Updates

Avast: Avast! Free Antivirus has released version 10.2.22.15. Updates are available on Avast’s website.
AVG Free Edition: AVG has released version 2015.0.5863 of its 64 and 32 bit Free Edition. Updates are available on AVG’s website.
Foxit Reader: Foxit has released version 7.1.3.0320 of its Reader. Updates are available on Foxit Software’s website.
Piriform CCleaner: Piriform has released version 5.04.5151 for CCleaner. Updates are available from Piriform’s website.

Current Software Versions

Adobe Flash 17.0.0.134 [Windows 7: IE, Firefox, Mozilla]
Adobe Flash 17.0.0.134 [Windows 8: IE]
Adobe Flash 17.0.0.134 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.2.9 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 36.0.4
Google Chrome 41.0.2272.101
Internet Explorer 11.0.9600.17633
Java SE 8 Update 40 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.76.80.95
Safari 5.1.7 
Safari 7.1.4 [Mac OS X]
Skype 7.2.0.105

Newly Announced Unpatched Vulnerabilities

None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates and partial fixes for its IOS, IOS XE, IOS XR, Mobility Services Engine, WebEx Meetings Server, 5500 Series Wireless Controllers, and others. Apply updates.
Citrix Multiple Products: Secunia reports Citrix has released updates and partial fixes for its Command Center, VDI-in-a-Box, and others. Apply updates.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2015 Citadel Information Group. All rights reserved.
The post Weekend Vulnerability and Patch Report, March 29, 2015 appeared first on Citadel Information Group.

Friday, March 27, 2015

The Market Is Picking Up: Penetration Testing Jobs



The market is picking up. No, I don't have a crystal ball. I simply know how much my phone is ringing and how many messages are dropping into my LinkedIn Inbox and my Email Inbox.

The topic this week seems to be Penetration Testing Jobs more than anything else.  This isn't the first time I've been asked to find these skills recently.  In the past, a very large security consulting company asked for this type of recruiting help.  I chose to not work with them because they were looking for a different kind of recruiter than me.

The companies that reached out to me this week asking for Penetration Testing skilled candidates were both looking for a very specific type of top-shelf skill set.  These are the types of companies I enjoy recruiting for.

I'll let you know more about these positions if I determine that these are in fact great companies for the candidates I will recruit to take their careers to.

Jeff Snyder's, SecurityRecruiter.com, Security Recruiter Blog, 719.686.8810

My Best Advice for a Telephone Interview



Job Candidate Question:

Jeff, I’m between jobs and my funds are tight right now.  I can't afford your coaching but I would sure appreciate your help.  I’ve had a few phone interviews but I can’t seem to get to the next step and I don't know what I'm doing wrong.  Would you be willing to share your best advice for someone who has a phone interview?

Mr. / Ms. Job Candidate, I do have a best piece of advice to share with you.  

Over 25 years of recruiting, I’ve seen people do all kinds of things…both good and bad when they approach a phone interview. 

The most important thing you can do when you have a phone interview is to listen.  When I say listen, I’m talking about Actively Listening. 

What this looks like when you’re on the phone is listening to the entire question the interviewer asks.  A lot of people will hear the first part of an interview question but then they start writing or thinking about how they’re going to answer the question and they miss the last part of the question.

Our brains do best when we stay focused on one idea at a time.

Listen to the entire question you’re being asked and then answer the interviewer’s question rather than interjecting your own agenda too early in the interview.

I've seen job candidates do this very poorly and I've also seen job candidates handle this step in the interview process very well.


Negotiate Is Not A Dirty Word



Yes, I use goofy pictures that are in my growing graphics library in an attempt to provide visual support for my written words.  Notice that these two characters are not yelling or screaming at each other. One is not standing while the other one is on his knees.  They’re both standing and they appear to be making progress.  This is what negotiation should look like.

Dictionary.com defines Negotiate like this:
“To deal or bargain with another or others, as in the preparation of treaty or contract or in preliminaries to a business deal.”

Negotiations are only successful when both parties to the negotiation feel like they’re whole and still standing at the end of the negotiation.  When two parties are trying to work together and the negotiation process causes one of the two parties to feel like they've been beaten up, this is not a good way to start an ongoing business relationship.

People are Emotional Beings

Notice that I am purposely using the word feel in the last paragraph.  Negotiations happen between people.  People are human.  Humans are emotional.

Seek Balance When Negotiating

I had a one hour unexpected negotiations call yesterday afternoon with someone I know well and someone I respect deeply.  My goal with this person was to understand his point of view while also sharing my point of view.  My goal was not to “win” the negotiation call but it was to establish mutual understanding.

My first call this morning occurred with the CEO of a security software company.  I’ve researched this CEO’s background and I’ve had several occasions to deal with this CEO on the phone.  He’s a very intelligent person. 

Once again, my goal was to more deeply understand this CEO’s point of view while helping him to understand my point of view.  I don’t expect him to be an expert in the field of Talent Acquisition and Recruiting any more than I am an expert in Cybersecurity software development.  

In order for us to work together, we need to meet in the middle and our negotiation process has to leave both parties to the negotiation standing.

I'm Energized

By ending yesterday with a negotiation call and beginning today’s work with a negotiation call, I’m energized and ready to go. Negotiating is an opportunity to build and develop meaningful relationships.  If the negotiation doesn’t work out, the relationship wasn't meant to be developed.


Thursday, March 26, 2015

2 Anonymous Question Job Satisfaction Survey

Job Satisfaction...Get Some!




This morning I saw the following statistics on someone's Facebook post.  I don't know the origin of this person's numbers so I don't know if they are accurate or not.

  • 87% of all people DISLIKE their job
  • 33% of all people HATE their job
  • 25% say their job is their #1 stress factor
  • 41% live paycheck-to-paycheck 
  • 43% are overworked
  • 50% feel like they are underpaid
  • 70% feel no motivation

I went to Google and ran a search as you can see here.

If you're part of the 70% or more of people who apparently hate their jobs, why don't you do something about it?  

Last night I had the privilege of coaching a technology professional to help him understand his talents and strengths, how they operate and what this all means in terms of his future career choice.

This particular client came to me because he really does not like his current job.  Rather than accepting his current pain, he decided to seek out a solution that would enable him to not just get rid of the pain but he wants to make the most intelligent career move possible.

In our coaching call last night, the "Ah Ha" and "Light Bulb Moments" were occurring.  In our next call, we'll pull everything together to build a career road map plan that my client can take action on to execute.

Whatever the actual percentage is of people who dislike going to their jobs every day, my mission is to show as many people as I can how to escape the dislike category and enter the category that allows a person to maximize their performance, job satisfaction and financial rewards.

Jeff Snyder's, Career Coaching, Security Recruiter Blog, 719.686.8810

Wednesday, March 25, 2015

John's Quest for Professional Greatness...A Short Story




His Name Is John

I placed John in the early 1990s as a COBOL Systems Analyst. John possessed a technical skill set at the time.

Technical skills got John in the door of his new job back in the early 1990s but the technical skills aren't what got him to where he is today.

Progression

John didn't know and I certainly didn't know that 20+ years later, he would be an Executive Vice President for the company I placed him in back in the early 1990s.  John didn't stay in the COBOL job for long.  In just a few years, John became the CIO of this company’s entire IT operation.

As his career progressed, John moved into positions that required him to work more and more closely with clients.  He soon found himself joining sales professionals on multi-million dollar sales calls.  He found himself making board level presentations with ease.

John is an Anomaly

It wasn't until recently that John and I got together to discover his natural traits and strengths.  To my surprise, John’s scores didn't look anything like most of the CIOs and CISOs I’ve seen to date.

Without giving away John’s strengths profile, I will share that many years ago when John was doing hands-on COBOL Systems Analyst work, he was just getting started. I’ll go so far as to say that John was stretching to do what he was capable of doing but he wasn’t yet doing what he was designed to do or what he would one day have passion to do.

People Person

John is loaded with Relationship Building and Influencing traits and strengths.  What I refer to as John’s hard wiring, his natural traits and strengths are the opposite of what I normally find to be the hard wiring of CIOs and CISOs.  

John truly is a “People Person”.  He isn't just a “People Person”, he’s a “People Person” who can influence others to make decisions and to take action. 

John’s wiring made him a very different kind of CIO.  He was smart enough to handle the bits and bytes but he was gifted to build relationships across the company and outside the company.  He was also a great manager at the time in that he could influence people around him to move in a common direction.

More Progression

John was so successful that he was moved out of IT and moved into the business. For many years, he has been running lines of business for the CEO of John’s privately held company.  It is John’s Relationship Building and Influencing skills that have made him so successful.

Quest for Greatness!

I’m now working with John to help him understand and embrace his strengths so he can leverage them.  I'm also helping John to understand and work to improve his Emotional Intelligence so he can take his career success to yet another level. 

This is what the pursuit of greatness looks like and it’s my passion to walk my clients through this journey.




Passion Alone Won’t Do It…You Also Need Clarity and an Executable Plan


Never Work Another Day In Your Life

Someone once suggested that if we were to do what we love to do, we’d never work another day in our lives.  I don’t know who came up with that idea but I’ve been trying to figure out how to make this idea my reality for a few years and I’m getting there. 

My Life Changed

It was the night of September 17, 2010.  Several hours after a very late hockey game, I was driving home and had this very uncomfortable and first-time-ever feeling in my shoulders and chest.  It’s a long story.  I’ll keep it short and fast-forward to the point where my heart stopped beating in the back of an ambulance. 

Had I not been in the hands of a paramedic at that very moment, I would not be alive today.  The cardiologist called it a massive heart attack.  No high blood pressure and no high cholesterol preceded this event.  In fact, I had just skated my 75th hockey game of 2010.  None of what was happening made sense.

I Had To Find My Purpose

Since this event in 2010, I’ve been on a personal mission.  I’ve done research, gone through training and have earned certifications to get myself ready to deliver my passion.  The greatest work I do today is that of helping my clients to understand how they are put together in terms of their natural traits and strengths so I can then show them how to build a career strategy that enables them to find that thing they need to do to create their best performance.


In addition to the clarity and alignment work, I also help my clients to figure out how to fine-tune their performance to reach peak performance.  Life is very short.  Doesn't it make sense to invest your life into doing something you have the potential to be great at once you align all the moving parts?

I'm passionate about helping my clients to find clarity around their unique purpose and then to build a road map to help them get from where they are to where they belong.



Tuesday, March 24, 2015

Tuesday Morning...I've Been Informed That I'm "Naive"



Last week I contributed a piece to LinkedIn called, "What It Takes to be a Great Security Leader".  The contribution to LinkedIn contained this graphic that I invested a significant amount of time to create.

I'm anything but an artist but I am often a reporter.  In order to create this graphic that is not built around my personal opinions, I had to become a reporter.  

I went out to the business, the customer of security, and asked the business what it thought of the security leadership it had encountered. 

My follow-up question dealt with what the business might want, need and expect from security leadership.  What I built into this graphic represents what the business told me.

My motive here is simple. I'm trying to step out in front of the security leaders to find out what security leaders can do to turn their set of skills into a true profession.   A profession that is consistently taken seriously at the "C" suite table.  

Some security leaders have legitimately become part of the "C" suite but most have not. No, I don't think security is considered to be a profession yet and I'm doing what I can to help move security to the stature of a profession.

These were the words one of your colleagues left at the bottom of my LinkedIn article today.

"I feel a lot of what Mr. Snyder states is naïve. A security professional must not be approachable by all employees. He/she is not supposed to be friendly. As regards speaking the language of business, I agree. The security leader/professional must base his/her decision on cost benefit analysis. He/she must identify threat trends and price security solutions for them."
So help me with this one please.  I ask the customer of security to give me a report card on the performance of security.  Then I write up and present my findings like a reporter would and I'm "naive".  Can someone please explain that to me?

Later today, I'll demonstrate how this situation calls for an Emotional Intelligence skill called Impulse Control.


Jeff Snyder's, Security Career Coach, Security Leadership Coach, Security Recruiter Blog, 719.686.8810

Monday, March 23, 2015

You’re making an Impact When You’re Rejected from LinkedIn Groups!




Rejected: LinkedIn’s Largest Human Resource Group

Just over a week ago, I tried to join the largest Human Resource group in LinkedIn.  My attempt to join was rejected.  They said I brought nothing of value to the group. 

Is that really true?  Or, is it possible that the group didn’t want to be challenged to think outside their box? 

That’s what I would have brought to the group.  Pushing them into the future. 

Rejected: A LinkedIn CISO Group That Invited Me To Join

Last week, I was invited to join a CISO group.  I won’t name the specific group because I’m not trying to pick a fight but consider this.  Last week I wrote an article that was filled with information I gained by way of asking the business what it wants, needs and expects from security leadership. 

“What It Takes To Be A Great Security Leader” was the article I published in LinkedIn. I shared this article with the CISO group I was asked to join last week. Apparently, sharing truth was not appreciated because I no longer see this particular group on my list of LinkedIn groups this morning.

I will not apologize for sharing truth now or in the future.

No Value

A few years ago, I was a paid member of a very large Human Resource association for one year.  In one year, I never received one ounce of value from this association that I’d paid money to join.  Towards the end of my paid membership, I received a survey email from the association.  Their goal from this survey was to establish a benchmark for success in the HR profession.

The survey asked HR practitioners to determine what success looked like for the HR profession.  This was one of the most ridiculous ideas I’d ever seen.  If you want to know what success looks like, don’t ask those who deliver a service.  Ask those who consume the service.

I Surveyed the Customer of Security Leadership

Soon after seeing this ridiculous survey from the Human Resource group, I started reaching out to the customer of Security Leadership.  I reached out to those who consume the services provided by security leadership in order to find out what they thought of the service they were receiving.

Coaching…Gain A Competitive Advantage and Improve Your Results

Because I asked for it, today I’m sitting on information generated by the customer of security leadership. If security leaders want to know how to improve, they need to look no further than my research to find out. 

If security leaders are doing well, they’ll appreciate my research as it will serve as a confirmation of great performance.

If security leaders are not doing so well, they can either reject my research or they can embrace and appreciate my research if they want to improve their game. 

I share this information with my coaching clients to help them improve their performance.





Sunday, March 22, 2015

Cyber Security News, Education and Vulnerability Patch Report for the Week of March 23, 2015

CYBER SECURITY NEWS OF THE WEEK

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Cyber Crime

Authorities Closing In on Hackers Who Stole Data From JPMorgan Chase: It has become a familiar pattern: The computer system of a big American company is breached, the personal information of tens of millions of customers is stolen and a public outcry ensues. Rarely are the thieves caught. The New York Times, March 16, 2015

Cyber Privacy

How Two Obscure Court Verdicts In Europe Could Impact Americans’ Privacy, Cybersecurity, and Taxes: Two recent court verdicts in Europe, barely covered by American media, could have serious – if not outright scary – consequences for Americans and American businesses. Forbes, March 15, 2015
A Police Gadget Tracks Phones? Shhh! It’s Secret: A powerful new surveillance tool being adopted by police departments across the country comes with an unusual requirement: To buy it, law enforcement officials must sign a nondisclosure agreement preventing them from saying almost anything about the technology. The New York Times, March 15, 2015

Financial Cyber Security

Pointing Fingers in Apple Pay Fraud: When Apple was planning its Apple Pay electronic payment system last summer for its iPhones, the nation’s banks raced to be included among the first credit card issuers associated with the new technology. The New York Times, March 17, 2015
Mobile Threat Monday: Android Malware Breaks Banking Security: If you use the Internet, you have probably had to prove your identity by jumping through an extra hoop. Perhaps it was entering the code from a special app, or copying the code from a text message. But if that information were intercepted, an attacker could gain access to your account. That’s exactly the scenario we look at this week. SecurityWatch, March 16, 2015

Identity Theft

Premera Blue Cross Breach Exposes Financial, Medical Records: Premera Blue Cross, a major provider of health care services, disclosed today that an intrusion into its network may have resulted in the breach of financial and medical records of 11 million customers. Although Premera isn’t saying so just yet, there are indicators that this intrusion is once again the work of state-sponsored espionage groups based in China. KrebsOnSecurity, March 17, 2015

Cyber Warning

Why Yahoo’s new on-demand password system is no two-factor authentication killer: In an effort to simplify authentication for its services, Yahoo has introduced a new mechanism that allows users to log in with temporary passwords that are sent to their mobile phones. PCWorld, March 16, 2015

Cyber Security Management

IT Professionals Think Information Security And Disaster Recovery Should Be Last To Get Budget Cuts: This year, we can expect presidential campaign promotion to slowly kick into gear. Early next year, advertising will pick up, and by summer there will be so much media hype that we will be colossally sick of it long before the actual November 8 election. Then, in 2017, all will be silent. Why? Because, for obvious reasons, spending on presidential campaigns runs on a four-year cycle. Information security and disaster recovery budgets run on cycles too, but IT professionals may be surprised at how budget cuts and other factors drive them. CIO, March 19, 2015

Cyber Security Management – Cyber Defense

OpenSSL Patch to Plug Severe Security Holes: The world is about to get another reminder about just how much of the Internet runs on technology maintained by a handful of coders working on a shoestring budget. OpenSSL — the software used by thousands of companies to encrypt online communications — is set to get a security makeover this week: The OpenSSL project said it plans to release new versions of its code to fix a number of security weaknesses, including some classified as “high” severity. KrebsOnSecurity, March 18, 2015
Google adds evil-code scanning to Play Store: Google is cleaning up its app store to limit the amount of malware and age-inappropriate content. The Register, March 17, 2015
OpenSSL team warns of major vulnerability: The team behind the popular OpenSSL cryptographic library has warned of an impending patch, due for release this Thursday, which fixes an as-yet unreleased serious security vulnerability. Bit Tech, March 17, 2015
Patch Tuesday: KB3002657 Causing Authentication Problems with Exchange, Other Apps: For the first couple of days after March’s Patch Tuesday, things were pretty quiet. For some this tends to indicate that Microsoft could have been moderately successful in delivering updates without problems for the first time in years. But the first couple of days have now become test and patch for companies with policies and procedures in place, and patch and pray for the others. WindowsITPro, March 16, 2015

Securing the Village

FICO: INDUSTRY NEEDS MORE DATA TO STOP CYBERCRIME: As lawmakers consider measures for fighting payment data breaches, they need to consult with the people who are already in the fraud-fighting loop — and make sure they get the data they need, according to FICO VP of product management Doug Clare in a post on the credit-scoring company’s blog. PYMNTS, March 18, 2015

National Cyber Security

Steptoe Cyberlaw Podcast, Episode #58: An Interview with Andy Ozment: In episode 58 of the Cyberlaw Podcast, our guest is Andy Ozment, who heads the DHS cybersecurity unit charged with helping improve cybersecurity in the private sector and the civilian agencies of the federal government. We ask how his agency’s responsibilities differ from NSA’s and FBI’s, quote scripture to question his pronunciation of ISAO, dig into the question whether sharing countermeasures is a prelude to cybervigilantism, and address the crucial question of how lawyers should organize cybersecurity information sharing organizations (hint: the fewer lawyers and the more clients the better). In the news roundup, we revisit the cybersecurity implications of net neutrality, and Stephanie Roy finds evidence that leads me to conclude that the FCC has stolen the FTC’s playbook (and, for all we know, deflated the FTC’s football). This ought to at least help AT&T in its fight with the FTC over throttling, but that’s no sure bet. Lawfare, March 18, 2015

Cyber Underground

Dark Web’s ‘Evolution Market’ Vanishes: The Evolution Market, an online black market that sells everything contraband — from marijuana, heroin and ecstasy to stolen identities and malicious hacking services — appears to have vanished in the last 24 hours with little warning. Much to the chagrin of countless merchants hawking their wares in the underground market, the curators of the project have reportedly absconded with the community’s bitcoins — a stash that some Evolution merchants reckon is worth more than USD $12 million. KrebsOnSecurity, March 18, 2015
‘AntiDetect’ Helps Thieves Hide Digital Fingerprints: As a greater number of banks in the United States shift to issuing more secure credit and debit cards with embedded chip technology, fraudsters are going to direct more of their attacks against online merchants. No surprise, then, that thieves increasingly are turning to an emerging set of software tools to help them evade fraud detection schemes employed by many e-commerce companies. KrebsOnSecurity, March 16, 2015

Cyber Law

Few Target victims to benefit from settlement: Few Target data breach victims will likely get anything, and even fewer will get the maximum $10,000 they’re eligible for as part of a $10 million settlement granted preliminary approval on Thursday. USA Today, March 20, 2015

Cyber Misc

QR Codes Engineered into Cybersecurity Protection: QR, or Quick Response, codes – those commonly black and white boxes that people scan with a smartphone to learn more about something – have been used to convey information about everything from cereals to cars and new homes. UCONN Today, February 26, 2015
Anonymous hackers list 9,200 ISIS Twitter accounts, enlist other hackers in cyberwar: The hacker group Anonymous released the biggest list of social media accounts affiliated with the Islamic State, in an unprecedented collaborative effort with two other hacking groups, GhostSec and Ctrlsec. Washington Times, March 17, 2015

Cyber Sunshine

Convicted Tax Fraudster & Fugitive Caught: Lance Ealy, an Ohio man who fled home confinement last year just prior to his conviction on charges of filing phony tax refund requests on more than 150 Americans, was apprehended in a pre-dawn raid by federal marshals in Atlanta on Wednesday. KrebsOnSecurity, March 19, 2015

Weekend Vulnerability and Patch Report

Important Security Updates

Apple OS X: Apple has released updates for OS X Yosemite v10.10.2 to fix at least 2 moderately critical vulnerabilities. Apply Security Update 2015-03. Updates are available from Apple’s website.
Apple Safari: Apple has released updates for Safari 8.0.4 for OS X Yosemite v10.10.2, Safari 7.1.4 for OS X Mavericks v10.9.5, Safari 6.2.4 for OS X Mountain Lion v10.8.5. Updates are available from Apple’s website.
Avira Free Antivirus: Avira has released version 15.0.8.656 of its free Antivirus. Updates are available from Avira’s website.
Google Chrome: Google has released Google Chrome version 41.0.2272.101. Updates are available from within the browser or from Google Chrome’s website.
Malwarebytes Anti-Malware: Malwarebytes has released version 2.1.4 of its free Malwarebytes Anti-Malware. Updates are available from Malwarebytes’ website.
Mozilla Firefox: Mozilla has released version 36.0.4 to fix 2 highly critical vulnerabilities. Updates are available within the browser or from Mozilla’s website.
TechSmith Corporation SnagIt: TechSmith has released version 12.3.1.2879 for SnagIt. Updates are available from TechSmith’s website.

Current Software Versions

Adobe Flash 17.0.0.134 [Windows 7: IE, Firefox, Mozilla]
Adobe Flash 17.0.0.134 [Windows 8: IE]
Adobe Flash 17.0.0.134 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.2.9 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 36.0.4
Google Chrome 41.0.2272.101
Internet Explorer 11.0.9600.17633
Java SE 8 Update 40 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.76.80.95
Safari 5.1.7 
Safari 7.1.4 [Mac OS X]
Skype 7.2.0.105

Newly Announced Unpatched Vulnerabilities

None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Moodle: Secunia reports that Moodle has released updates to address at least 4 vulnerabilities reported in versions 2.8 through 2.8.3, 2.7 through 2.7.5, and 2.6 through 2.6.8. Update to version 2.8.4, 2.7.6, or 2.6.9.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2015 Citadel Information Group. All rights reserved.
