Saturday, February 06, 2016

Security Jobs: Cybersecurity Engineer / Evangelist, Build a Program, Arlington, TX, Great Relocation Package


Cybersecurity Engineer / Evangelist, Build a Program

Location: TX - Arlington
Compensation: Mid $100s
Relocation Package: Yes
Job Type: Full-Time
Required Education: BA/BS Preferred but not required
Certification: CISSP Preferred

The Role

Every once in a while a true Career Opportunity surfaces. An opportunity where the hired professional gets to stretch, grow and take advantage of everything they have done up to this point in their career, leveraging it all in one place. In this case, SecurityRecruiter.com has been engaged by a company that creates solutions with a life or death outcome.

The mission here is to build a Cybersecurity program that protects this company’s products throughout the entire product development life-cycle and after they are in use in the marketplace. This is a newly created role for an experienced individual contributor Cybersecurity Engineer / Analyst / Architect to provide technical expertise in the realm of design, development, qualification, integration and testing.

This company is serious about finding the right talent. They offer a strong relocation package from anywhere in the US for a DoD Secret cleared candidate. Outside of regular benefits, this company will support the security professional's training, certification and industry involvement efforts.

In this role, the Cybersecurity professional will function as part of a cross-functional team that will care about him / her as an individual and a professional. They will challenge him / her to create best in class solutions. This role comes with responsibility and authority from the VP of Engineering, to be used freely and productively. The chosen candidate therefore needs strong Emotional Intelligence to go along with a high Cybersecurity IQ.

Implement security into the company’s products. Work closely with customers to define Cybersecurity solutions. Work with program leaders to build security into the entire product development life-cycle. Lead, educate and advise engineers on Cybersecurity topics. Prepare briefings to obtain approvals by government agencies for contracted efforts.

Requires
  • Requires an Active DoD Secret Clearance.
  • Bachelor’s degree or equivalent in a technical field such as Electrical Engineering, Systems Engineering, Computer Science, Engineering Science or Physics.
  • Requires a CISSP (a Security+ certification may be considered). 8+ years of related engineering experience in information technology / information security.
  • 4+ years of experience working with white hat, black hat or reverse engineering computer technology.
  • Full life-cycle systems development experience.
  • Prior experience as a systems administrator.

Additional Qualifications
  • Have or be capable of obtaining a DoD Top Secret clearance along with a DoD Special Access Program clearance.
  • Possess a working knowledge of Information Assurance concepts.
  • Prefer JSIG / JAFAN implementation experience. Risk Management experience per DoDI 8510.01.
  • Proficiency in and knowledge of anti-tamper tools and techniques for verification and protection of CPI per DoDI 5200.39.
Apply On-Line: https://www.securityrecruiter.com/submit_resume_and_profile.php


Friday, February 05, 2016

Jeff Snyder Speaking at the 9th Annual CSO Roundtable Summit May 22-24, 2016



As of today, I've just confirmed an invitation to speak at the 9th Annual CSO Roundtable Summit being held May 22-24, 2016.

I'll be participating in panel discussions as well as delivering my own break-out session for this event.

https://cso.asisonline.org/Events/CSO-Events/Pages/9th-Annual-CSO-Roundtable-Summit.aspx


Monday, February 01, 2016

Cybersecurity Vulnerability and Patch Report for the Week of January 31, 2016



CYBERSECURITY VULNERABILITY AND PATCH REPORT

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Important Security Updates

Apple tvOS: Apple has released version 9.1.1 for Apple TV (4th generation) to fix at least 7 vulnerabilities, some of which are highly critical, reported in previous versions. Updates are available through the device.
AVG Free Edition: AVG has released version 2016.41.7441 of its 64 and 32 bit Free Edition. Updates are available on AVG’s website.
Google Chrome: Google has released Google Chrome version 48.0.2564.97. Updates are available from within the browser or from Google Chrome’s website.
LastPass for Windows: LastPass has released version 4.0.6 of LastPass for Windows. Updates are available from the LastPass website.
Mozilla Firefox: Mozilla has released version 44.0. Updates are available within the browser or from Mozilla’s website.
Piriform CCleaner: Piriform has released version 5.14.5493 for CCleaner. Updates are available from Piriform’s website.
Current Software Versions
Adobe Flash 20.0.0.286 [Windows 7: IE, Firefox, Mozilla]
Adobe Flash 20.0.0.286 [Windows 8: IE]
Adobe Flash 20.0.0.286 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader DC 2015.010.20056
Dropbox 3.12.6 [Citadel warns against relying on the security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like AxCrypt before they are placed in the shared folder; the encryption passphrase be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]
Firefox 44.0
Google Chrome 48.0.2564.97
Internet Explorer 11.0.9600.18161
Java SE 8 Update 71 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.9
Safari 9.0.3 [Mac OS X Mavericks, Yosemite, El Capitan]
Skype 7.18.0.109
For Your IT Department
Cisco Multiple Products: Cisco reports patched vulnerabilities in its RV220W Wireless Network Security Firewall, Wide Area Application Service (WAAS) appliances, Virtual WAAS (vWAAS), WAAS modules, Small Business 500 Series Switches and many Cisco products with the Network Time Protocol Daemon. Apply updates. Cisco also reports unpatched vulnerabilities in its Cisco Unified Contact Center Express, Application Policy Infrastructure Controller Enterprise Monitor (APIC-EM) Release 1.0.10, Small Business SG300 Managed Switch, Unity Connection (UC) version 10.5(2.3009) and products with OpenSSL. Additional details are available on Cisco’s website.
OpenSSL Project: The OpenSSL Project has pushed out new versions of the widely used OpenSSL cryptographic library, which incorporate patches for two distinct security bugs, and an update of the protection against the infamous Logjam vulnerability. Users who run OpenSSL 1.0.2 are advised to upgrade to 1.0.2f, and those running OpenSSL 1.0.1 should switch to 1.0.1r. See the Security Advisory on the OpenSSL website for more information.
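The two items above, and the "Current Software Versions" list before them, are really a table of minimum patched versions, and the OpenSSL entry has the edge case that trips up naive comparisons: 1.0.1r is fully patched even though it sorts below 1.0.2f, so the floor depends on which branch is installed. The script below is an added example (not Citadel's tool and not code from this page) that turns the report into a check. The version floors in REQUIRED and OPENSSL_FLOORS are copied from the report above; the product names, the SAMPLE_INVENTORY and the `openssl version` strings used for testing are constructed for the example.

```python
# Added example: compare installed versions with the minimum patched versions
# named in the report. Not Citadel's code; floors copied from the report,
# everything else (names, sample inventory) is constructed for illustration.
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[Tuple[int, ...], Tuple[int, ...]]

# Minimum versions from the report (assumed product names as keys).
REQUIRED: Dict[str, str] = {
    "Google Chrome": "48.0.2564.97",
    "Firefox": "44.0",
    "Adobe Flash": "20.0.0.286",
    "Adobe Reader DC": "2015.010.20056",
}

# OpenSSL floors are per branch: 1.0.1r is patched although it sorts below 1.0.2f.
OPENSSL_FLOORS: Dict[Tuple[int, ...], str] = {
    (1, 0, 2): "1.0.2f",
    (1, 0, 1): "1.0.1r",
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]*)")


def parse_version(text: str) -> Version:
    """'1.0.2f' -> ((1, 0, 2), (6,)); '48.0.2564.97' -> ((48, 0, 2564, 97), ()).

    Numeric fields compare as integers (so 2564.97 > 2564.82 and 10 > 9, which a
    string compare gets wrong). OpenSSL's letter suffix is mapped to its alphabet
    position so that 1.0.2e < 1.0.2f and a bare 1.0.2 < 1.0.2a.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    letters = tuple(ord(ch) - ord("a") + 1 for ch in m.group(2))
    return numbers, letters


def is_patched(installed: str, required: str) -> bool:
    """True when the installed version is at or above the required floor."""
    return parse_version(installed) >= parse_version(required)


def check_openssl(version_output: str) -> str:
    """Classify the output of `openssl version` against the report's floors.

    Returns 'patched', 'outdated', or 'unknown' when the build is not one the
    report covers (LibreSSL, a 1.1.x branch), rather than guessing.
    """
    m = re.search(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)", version_output)
    if m is None:
        return "unknown"
    installed = m.group(1)
    branch = parse_version(installed)[0][:3]
    floor: Optional[str] = OPENSSL_FLOORS.get(branch)
    if floor is None:
        return "unknown"
    return "patched" if is_patched(installed, floor) else "outdated"


def installed_openssl_status() -> str:
    """Run the local `openssl version` binary and classify it (stand-alone use)."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    return check_openssl(proc.stdout)


def audit(inventory: Dict[str, str]) -> List[Tuple[str, str, str, bool]]:
    """Compare {product: installed version} with REQUIRED.

    Products the report does not list are skipped, not marked OK: absence from
    the report says nothing about their patch state.
    """
    rows = []
    for product, installed in inventory.items():
        required = REQUIRED.get(product)
        if required is not None:
            rows.append((product, installed, required, is_patched(installed, required)))
    return rows


# Constructed sample inventory for this example (not data from the report).
SAMPLE_INVENTORY: Dict[str, str] = {
    "Google Chrome": "48.0.2564.82",   # last week's build, now behind the floor
    "Firefox": "44.0",
    "Adobe Flash": "20.0.0.286",
    "Notepad": "1.0",                  # not covered by the report, so skipped
}

if __name__ == "__main__":
    for product, installed, required, ok in audit(SAMPLE_INVENTORY):
        print(f"{product:15} {installed:>14}  floor {required:>14}  {'OK' if ok else 'UPDATE'}")
    print("local OpenSSL:", installed_openssl_status())
```

One caveat before trusting the OpenSSL result on a Linux host: distributions that backport fixes (Debian, Ubuntu, RHEL) keep the upstream version string and bump only the package release, so `openssl version` can report 1.0.1e or 1.0.2e on a fully patched box. There, compare the package version against the vendor's advisory instead; the check above is accurate for upstream builds and for the consumer software in the list.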
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2016 Citadel Information Group. All rights reserved.

Cybersecurity News and Cybersecurity Education for the Week of January 31, 2016


CYBERSECURITY NEWS OF THE WEEK

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Cyber Crime

Wendy’s Probes Reports of Credit Card Breach: Wendy’s, the nationwide chain of fast-food restaurants, says it is investigating claims of a possible credit card breach at some locations. The acknowledgment comes in response to questions from KrebsOnSecurity about banking industry sources who discovered a pattern of fraud on cards that were all recently used at various Wendy’s locations. KrebsOnSecurity, January 27, 2016

Cyber Attack

‘Critical’ Israel power grid attack was just boring ransomware: The SANS Institute has moved to quell reports that Israel’s energy grid has been hit by malware, revealing instead that the attacks were ransomware infecting the nation’s utility regulatory authority. The Register, January 28, 2016

Financial Cyber Security

DDoS Attack Slams HSBC: Britain’s HSBC, which is one of the world’s largest banks, is warning customers that it’s been targeted by distributed denial-of-service attacks that continue to disrupt customers’ access to online banking services. BankInfoSecurity, January 29, 2016

Cyber Privacy

Why Proposed State Bans on Phone Encryption Are Moronic: American politics has long accepted the strange notion that just a pair of states—namely Iowa and New Hampshire—get an outsize vote in choosing America’s next president. The idea of letting just two states choose whether we all get to have secure encryption on our smartphones, on the other hand, has no such track record. And it’s not a plan that seems to make much sense for anyone: phone manufacturers, consumers, or even the law enforcement officials it’s meant to empower. Slate, January 29, 2016
US police contracts and private forum posts dumped online: A data dump covering hundreds of police contracts and thousands of private forum posts by US law enforcement officers has been posted online. TheRegister, January 29, 2016
Consumers are increasingly concerned about privacy and they’re acting on it: More Americans are concerned about not knowing how the personal information collected about them online is used than losing their principal source of income. HelpNetSecurity, January 29, 2016
Skype Now Hides Your Internet Address: Ne’er-do-wells have long abused a feature in Skype to glean the Internet address of other users. Indeed, many shady online services that can be hired to launch attacks aimed at knocking users offline bundle so-called “Skype resolvers” that let customers find a target’s last known location online. At long last, Microsoft says its latest version of Skype will hide user Internet addresses by default. KrebsOnSecurity, January 25, 2016

Identity Theft

Report identity theft and get a recovery plan: IdentityTheft.gov can help you report and recover from identity theft. IdentityTheft.gov, January 29, 2016
FTC: Tax Fraud Behind 47% Spike in ID Theft: The U.S. Federal Trade Commission (FTC) today said it tracked a nearly 50 percent increase in identity theft complaints in 2015, and that by far the biggest contributor to that spike was tax refund fraud. The announcement coincided with the debut of a beefed up FTC Web site aimed at making it easier for consumers to report and recover from all forms of ID theft. KrebsOnSecurity, January 28, 2016

Cyber Warning — Consumer

Two-thirds of Android users vulnerable to web history sniff ransomware: Miscreants have put together an especially pernicious strain of Android ransomware that threatens to bare your browsing history. TheRegister, January 29, 2016
60+ Trojanized Android games lurking on Google Play: Dr. Web researchers have discovered over 60 Trojanized game apps being offered on Google Play through more than 30 different game developer accounts. HelpNetSecurity, January 29, 2016

Cyber Update — Consumer

Data Theft Hole Identified in LG G3 Smartphones: A group of researchers are encouraging any smartphone users who own an LG G3 to upgrade their devices after coming across a serious security vulnerability. ThreatPost, January 29, 2016
Oracle Pushes Java Fix: Patch It or Pitch It: Oracle has shipped an update for its Java software that fixes at least eight critical security holes. If you have an affirmative use for Java, please update to the latest version; if you’re not sure why you have Java installed, it’s high time to remove the program once and for all. KrebsOnSecurity, January 26, 2016

Cyber Threat

27% of all malware variants in history were created in 2015: Last year was a record year for malware, according to a report from Panda Security, with more than 84 million new malware samples collected over the course of the year. CSO, January 29, 2016

Cyber Security Management

British Businesses ‘still naïve to the risks of cybercrime’: Close to half (44%) of all businesses in the UK are of the opinion that they are safe from cybercrime, according to new research. WeLiveSecurity, January 29, 2016

Cyber Security Management – Cyber Defense

Compromised enterprise networks fuel 236 percent increase in viruses and worms: Solutionary performed a broad analysis of the threat landscape, which uncovered several key findings. One of the most compelling findings links the rapid growth (236 percent) in viruses and worms from Q3-Q4 – which often indicates successfully compromised enterprise networks – to the free fall (88 percent decrease) in reconnaissance activity between Q2 and Q4 of 2015. HelpNetSecurity, January 29, 2016
Oracle to Kill Java Browser Plugin: It’s the end of an era. Oracle has announced its intent to nail the coffin shut on the Java browser plugin. ThreatPost, January 28, 2016

Cyber Security Management – Cyber Update For IT

Cisco patches authentication, denial-of-service, NTP flaws in many products: Cisco Systems has released a new batch of security patches this week for flaws affecting a wide range of products, including for a critical vulnerability in its RV220W wireless network security firewalls. PCWorld, January 29, 2016
OpenSSL bug that could allow traffic decryption has been fixed: The OpenSSL Project has pushed out new versions of the widely used OpenSSL cryptographic library, which incorporate patches for two distinct security bugs, and an update of the protection against the infamous Logjam vulnerability. Help Net Security, January 29, 2016

Cyber Awareness

The computer virus that blackmails you: Ransomware is the fastest growing form of computer malware, experts warn. BBC, December 14, 2015

Cyber Politics

Presidential hopeful John Kasich: Work out encryption backdoors in backroom deals: Presidential candidate Gov. John Kasich thinks granting encryption backdoors is something that ought to be worked out in private by the president. NetworkWorld, January 29, 2016

National Cyber Security

NSA faces congressional probe over Juniper back door vulnerability: US lawmakers have launched an investigation following the discovery of unauthorized code in firewall software from Juniper Networks. The probe will examine the possibility that the software was altered by the National Security Agency. RT, January 29, 2016

Internet of Things

FDA releases draft guidelines to improve cybersecurity in medical devices: There’s no doubt that the global Internet of Things (IoT) healthcare market is growing. NakedSecurity, January 29, 2016

Thursday, January 28, 2016

Finding the Right Career Coach Produces Value and Results


2016 Cybersecurity Skills Gap from ISACA


Tuesday, January 26, 2016

He Asked For Help...He Was a Great Student...He's a Winner



The police officer called and stated that he was ready to move on to the next chapter of his career. 

I asked the police officer to describe the next chapter in his career.

He quickly told me that he didn’t have any idea what the next chapter might look like and he didn’t even know where to begin to find the next chapter.

I was interested in this caller’s problem.  In order to solve this kind of problem, two conditions had to be met. 
  1. Someone had to know how to solve the problem. In this case, that was me.
  2. The police officer in this case had to be willing to face what he didn’t know in order to get out of his own way to receive help. He had to demonstrate a coachable and teachable spirit.  He got out of his own way, admitted that he didn't know what he didn't know and he asked for help.
Personal Strengths Coaching

Both conditions were met and a plan of action was established.  Since the police officer had never been in position in his career to truly make choices, we started with Strengths Coaching.  Strengths Coaching enabled me to show the police officer how he was built and what he ultimately has the potential to be great at when he aligns his natural strengths with his chosen work.

This step opened the police officer's eyes to possibilities he had never before considered. 

Personal Packaging, Branding and Marketing

We also addressed the police officer’s marketing, packaging and branding.  In this case, we worked together to build a resume that was designed for the benefit of the resume’s next audience.  The next audience doesn’t use the same vocabulary as the police officer’s current audience.  I taught him how to blend the right mix of technical writing, business writing and creative writing in a resume format that has opened doors around the globe.

Align the Resume's Message with LinkedIn's Message

In addition to the resume work, we also worked together to build the police officer’s LinkedIn presence to match his resume with a similar message.  Because the police officer was pursuing a career move, I taught him how to build his LinkedIn profile in a manner that would make it easy to find by recruiting professionals.

An Interview Door Opened...Interview Coaching

The police officer’s first success was an interview for an investigator role with a very large public utility.  While this first interview did not produce a job offer, it did give me an opportunity to provide interview coaching; something the police officer had never received before.

Winner!

The police officer was and continues to be a great student.  The second job the police officer pursued was an investigative role with a public defender’s office.  This time, everything came together and he got the job. 

Moving from law enforcement, government or a federal agency is entirely possible but there is a learning curve. You can either approach this learning curve without guidance and figure out what it takes to crush the learning curve by yourself, or you can fast-track your learning by investing in coaching that is proven to crush learning curves and deliver results.

Sunday, January 24, 2016

Cybersecurity Vulnerability and Patch Report for the Week of January 24, 2016


CYBERSECURITY VULNERABILITY AND PATCH REPORT

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Important Security Updates

Adobe Flash Player: Adobe has released version 20.0.0.286 to fix at least 18 vulnerabilities. Updates are available from Adobe’s website.
Apple iOS: Apple has released version 9.2.1 of its iOS for iPhone 4s and later, iPod touch (5th generation) and later and iPad 2 and later to fix at least 13 vulnerabilities reported in previous versions, some of which are highly critical. The update is available through the devices or through Apple’s website, where information about the updates is also available.
Apple OS X: Apple has released updates for its OS X to fix at least 9 vulnerabilities reported in previous versions, some of which are highly critical. Update to version 10.11.3 (El Capitan) or apply Security Update 2016-001 (Mavericks and Yosemite). Update information is available at Apple’s website.
Apple Safari: Apple has released updates for Safari to fix at least 6 vulnerabilities reported in previous versions, some of which are highly critical. Update to version 9.0.3. Update information is available at Apple’s website.
AVG Free Edition: AVG has released version 2016.0.7357 of its 64 and 32 bit Free Edition. Updates are available on AVG’s website.
Google Chrome: Google has released Google Chrome version 48.0.2564.82. Updates are available from within the browser or from Google Chrome’s website.
Opera: Opera has released version 34.0.2036.50. Updates are available from within the browser or from Opera’s website.
Oracle Java: Oracle has released Java SE 8 Update 71 to fix at least 4 security vulnerabilities. The update is available through Windows Control Panel or Java’s website. [See Citadel’s recommendation below]
Skype: Skype has released Skype 7.18.0.109. Updates are available from the program or Skype’s website.
Current Software Versions
Adobe Flash 20.0.0.286 [Windows 7: IE, Firefox, Mozilla]
Adobe Flash 20.0.0.286 [Windows 8: IE]
Adobe Flash 20.0.0.286 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader DC 2015.010.20056
Dropbox 3.12.6 [Citadel warns against relying on the security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like AxCrypt before they are placed in the shared folder; the encryption passphrase be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]
Firefox 43.0.4
Google Chrome 48.0.2564.82
Internet Explorer 11.0.9600.18161
Java SE 8 Update 71 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.9
Safari 9.0.3 [Mac OS X Mavericks, Yosemite, El Capitan]
Skype 7.18.0.109
For Your IT Department
Cisco Multiple Products: Cisco reports patched vulnerabilities in its Web Security Appliance (WSA), UCS Manager, Firepower 9000 Series appliance, and Modular Encoding Platform D9036. Apply updates. Additional details are available on Cisco’s website.
Oracle Multiple Products: US-CERT reports Oracle has released updates to fix hundreds of vulnerabilities in its Database Server, Fusion Middleware and Applications, Enterprise Manager, E-Business Suite, Supply Chain Products Suite, PeopleSoft Products, JD Edwards Products, iLearning, Communications Applications, Retail Applications, Sun Systems Products Suite, Linux and Virtualization, and MySQL and others. Additional details are available on Oracle’s website.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2016 Citadel Information Group. All rights reserved.


SecurityRecruiter.com's Security Recruiter Blog