Monthly Archives: September 2018

The Coders of Kentucky

A bipartisan effort to revitalize the heartland, one tech job at a time.

Matthew Watson opened his car door at a gas station outside Hueysville, Ky., sprang out and exclaimed, “I got a new job!” He blushed slightly; he was not one to boast. But for this slender, 33-year-old man with a red beard, a father of two small daughters who had once been ashamed of supplementing his low-pay, long-hours job with food stamps, this was fantastic news.

I’d driven to Hueysville past trucks with “Diggin’ Coal” decals, on a road slicing through mountains that rose in steep, majestic steps up to tops flattened by dynamite, past turnoffs to forgotten union halls where the eight-hour workday had been won and billboards that had recently read, “Trump for President.” (Kentucky went 63 percent for him.) Mr. Watson’s home, like much of Appalachia, reflects the landscape and culture of coal, without the coal mining jobs. And there was little hope of alternatives — until now.

“After I got my two associate’s degrees, the best job I could find was selling cigarettes behind the counter in Hazard, a 45-minute commute from home, for $10 an hour, and that was after a promotion to manager,” Mr. Watson told me the first time we met. “Some of my customers were opioid addicts, who slurred their speech, scratched their arms, laid their heads on my counter. In the back of my mind, I always think, ‘If I want to stay living here, if I didn’t have this job, I’d be working that job.’”

Then one day Mr. Watson heard an ad on the car radio. “It was for a 24-week course in coding, with an eight-week apprenticeship, which I later learned could qualify me for a $40,000-plus job designing apps for cellphones,” he said. The advertisement had been put out by a Louisville tech start-up called Interapt. “I immediately applied online, got interviewed, aced the test, and they hired me as an intern and then as a junior software developer,” Mr. Watson said. Within a year, he was offered yet another job as a software engineer, for a Florida-based company, for a salary well over $50,000.

On its first run in 2016, Interapt had 800 applicants, accepted 50 and graduated 35. (Some of the 15 who dropped out did so to tend a sick relative, join the military or take a non-tech job.) Of the 35 graduates, 25 were given job offers by Interapt, and 10 were hired by other tech companies in the area. This year Interapt will train approximately 90 people; next year Interapt expects that number to rise to more than 150.

Ankur Gopal, a University of Illinois graduate from Owensboro, Ky., started Interapt in his basement in Louisville in 2011, when he was 35. He is now renovating an empty warehouse in a run-down part of the city, investing nearly $4 million and creating jobs in the process. “With millions of U.S. tech jobs out there,” Mr. Gopal said, “we could help transform eastern Kentucky. Well, hey — Middle America.”

Mr. Gopal is at the forefront of a new movement to bring money and jobs from the coastal capitals of high tech to a discouraged, outsource-whipped Middle America. Ro Khanna, the Democratic representative from California whose district includes Apple, Intel, LinkedIn and Yahoo, was among the first politicians to float the idea of Silicon Valley venturing inland. “Why outsource coding jobs to Bangalore when we can insource jobs to eastern Kentucky, poor in jobs but rich in work ethic, and every one I.T. job brings four or five other jobs with it?” he said.

The stories of these Interapt graduates in the green hamlets of eastern Kentucky begin with dead ends and end with new beginnings.

“Nights I was manning the reception desk at Super 8, for $7.50 an hour, and days I was working at Little Caesars and still struggling to pay family bills,” Shea Maynard told me. Now, she said, “I’m modifying the information architecture of Interapt products.” She continued, “I never thought it was possible for a person like me to have a career I love.”

Most described feeling engrossed in the work. “Sitting at the desk in my trailer, I can go till 2 a.m.,” one man said. “I have to remember to stop.”

Starting when Crystal Adkins was 13, she almost single-handedly fed, dressed and raised her two younger siblings, while her own interest in school faded. Now she is Interapt’s star trainer. In addition to teaching, Ms. Adkins has been learning new coding languages and training her own children to code.

The success of the Interapt training program has depended on the enthusiasm of politicians from disconnected regions and increasingly hostile political parties.

Mr. Gopal first gathered support from Gov. Matt Bevin of Kentucky and Representative Hal Rogers, both Republicans. They were instrumental in the Appalachian Regional Commission approving $2.7 million to get the training program off the ground. The Department of Labor authorized apprenticeship status for its graduates.

Mr. Rogers is a conservative who represents Kentucky’s Fifth District, home to many unemployed coal miners and one of the poorest and most population-depleted districts in the country. He found an unlikely ally in Mr. Khanna, a progressive Democrat and former official in the Obama administration, who represents California’s 17th District, one of the richest, fastest-growing and most liberal districts in the country. In the 2016 presidential vote, it went 73.9 percent for Hillary Clinton. Mr. Rogers’s district went 79.6 percent for Mr. Trump. But Mr. Rogers’s office called Mr. Khanna’s, and invited him to see Interapt in a widely promoted visit last year.

Mr. Rogers wants the tech companies in Mr. Khanna’s district to consider investing in Kentucky and hiring its citizens. Mr. Khanna was remarkably open to the idea. “We believe in distributed jobs,” he said. “There is no reason these companies can’t engage thousands of talented workers in Iowa, Kentucky or West Virginia for projects.”

Despite these gestures of bipartisanship, the initiative has had to overcome stereotypes, the first one being about Interapt itself. Many locals were suspicious of outsiders’ intentions. Maybe Interapt was associated with some big-government, Obama-era program, or maybe it was a fraud pulled on rural towns by fast-talking city people. “Even after I was chosen,” a trainee told me, “I didn’t completely trust the program until we were asked to open our folders and I found a check for $400,” the weekly stipend for trainees. “Then I knew it was for real.”

Then there were the stereotypes held by the companies to which Interapt was pitching its graduates; many potential employers were skeptical of the apprenticeship model. As Ervin Dimeny, the former commissioner of the Kentucky Labor Cabinet’s Department of Workplace Standards, explained to me: “We think of apprenticeship as a way to certify 19th-century metalworkers. Or we associate it with boring high school shop class. We need to re-envision apprenticeships as passports to respectable middle-class careers.”

Worse, some saw rural Kentuckians as dubious recruits — tooth-free, grinning, moonshine-drinking hillbillies. “It’s a terrible myth,” an Interapt administrator who is the daughter of an unemployed Pikeville coal miner told me. “A hillbilly can do anything. Out in the hollows, you can’t call in specialists; you fix that stalled truck, that leaky roof, that broken radio yourself.” It’s the “car heads” — who can fix anything under a hood — who turn out to be inspired app developers, a recruiter told me. Those car heads include women too, who made up about a third of the first class.

Other investors are following Mr. Gopal’s lead. For example, the former chief executive of AOL, Steve Case, started an initiative called “Rise of the Rest,” which involves driving a big red bus around the country (it has visited 38 cities so far) and giving out $150 million in seed money to entrepreneurs. J.D. Vance, author of the best-selling “Hillbilly Elegy,” was brought on as a managing partner. As Mr. Case told an audience of hundreds in Louisville’s Speed Art Museum in May, 75 percent of venture capital now goes to three states: California, New York and Massachusetts. And half of all venture capital goes to Silicon Valley. Yet start-ups account for half of all new jobs in the United States. Why can’t those start-ups start somewhere else?

I.T. training is not going to solve all the problems of eastern Kentucky, of course. It may be hard to scale up. Not all of us warm to or can do I.T. work. And like coal-mining itself, I.T. jobs can be lost to automation.

If they are, could these visionary ventures crash into new dead ends? Interapt was itself experimenting with a new software that could improve the process of selecting trainees — possibly reducing tasks associated with one job right there. “Over time, some I.T. jobs will disappear, as will jobs for truck drivers, machine-tool makers and a lot of others too,” Mr. Gopal said. “But we teach our trainees to keep learning.”

If you know French, a trainer explained, “you can get the hang of Spanish and Portuguese. You stay ahead of the curve like that.”

For now, there is so much demand for I.T. workers — 10,000 estimated openings by 2020 in the Louisville metro area alone — that Mr. Gopal is reaching out to new groups. “We’re talking with the Department of Defense about a 16-week, eight-hour-a-day coding training program for vets returning from Afghanistan and Iraq to Fort Knox,” he said.

This is a good-news story. But continuing to increase access to good jobs in Middle America will take deliberate efforts to cooperate across the bitter political and regional divide. President Trump is not helping by proposing cuts in education funding that will raise the cost of student loans by more than $200 billion over the next decade. Last year, he tried to cut all funding for the Appalachian Regional Commission, which paid Interapt students’ stipends. A group of representatives — eight Democrats and two Republicans — signed a joint letter urging Trump to restore the money (it was).

On my last visit to Hueysville, Mr. Watson introduced me to his wife (“I married an outsider,” he said jokingly. “Nicole’s from Martin County, I’m from Floyd.”), his aunt, uncle and cousin, all schoolteachers, and his 93-year-old grandmother, a retired teacher who sews a brightly colored quilt for each new grandchild. His daughters played with dolls and nibbled on chocolate Easter eggs on the living room floor. “We’re really proud of Matthew,” his aunt said.

“My new employer is a home repair services company based in Florida,” Mr. Watson said later, “and I do feature development that had once been outsourced to India. I get to work from home. My 3-year-old asks me to get her juice as if I had nothing better to do.” He chuckled. “But it’s such a blessing. These mountains hug me, and my family is my rock. I thought I’d be forced to leave, and maybe one day I’ll have to. But why would I ever want to?”

 

via:  nytimes

Adobe to Acquire Marketo

Combination of Adobe Experience Cloud and Marketo Engagement Platform Widens Adobe’s Lead in Customer Experience Across B2C and B2B.

Adobe (Nasdaq:ADBE) today announced it has entered into a definitive agreement to acquire Marketo, the market-leading cloud platform for B2B marketing engagement, for $4.75 billion, subject to customary purchase price adjustments. With nearly 5,000 customers, Marketo brings together planning, engagement and measurement capabilities into an integrated B2B marketing platform. Adding Marketo’s engagement platform to Adobe Experience Cloud will enable Adobe to offer an unrivaled set of solutions for delivering transformative customer experiences across industries and companies of all sizes.

Today, consumers have a very high bar for what constitutes a great customer experience and Adobe Experience Cloud has enabled B2C companies to successfully drive business impact by harnessing massive volumes of customer data and content in order to deliver real-time, cross-channel experiences that are personalized and consistent. When businesses buy from other businesses, they now have the same high expectations as consumers.

Marketo’s platform is feature-rich and cloud-native with significant opportunities for integration across Adobe Experience Cloud. Enterprises of all sizes across industries rely on Marketo’s marketing applications to drive engagement and customer loyalty. Marketo’s ecosystem includes over 500 partners and an engaged marketing community with over 65,000 members.

This acquisition brings together the richness of Adobe Experience Cloud analytics, content, personalization, advertising and commerce capabilities with Marketo’s lead management and account-based marketing technology to provide B2B companies with the ability to create, manage and execute marketing engagement at scale.

“The imperative for marketers across all industries is a laser focus on providing relevant, personalized and engaging experiences,” said Brad Rencher, executive vice president and general manager, Digital Experience, Adobe. “The acquisition of Marketo widens Adobe’s lead in customer experience across B2C and B2B and puts Adobe Experience Cloud at the heart of all marketing.”

“Adobe and Marketo both share an unwavering belief in the power of content and data to drive business results,” said Steve Lucas, CEO, Marketo. “Marketo delivers the leading B2B marketing engagement platform for the modern marketer, and there is no better home for Marketo to continue to rapidly innovate than Adobe.”

The transaction, which is expected to close during the fourth quarter of Adobe’s 2018 fiscal year, is subject to regulatory approval and customary closing conditions. Until the transaction closes, each company will continue to operate independently.

Upon close, Marketo CEO Steve Lucas will join Adobe’s senior leadership team and continue to lead the Marketo team as part of Adobe’s Digital Experience business, reporting to executive vice president and general manager Brad Rencher.

Conference Call Scheduled for 2 p.m. PT September 20th.

Adobe executives will comment on the acquisition of Marketo today during a live conference call, which is scheduled to begin at 2 p.m. PT. Analysts, investors, press and other interested parties can participate in the call by dialing (877) 376-9431 and using passcode 2867298. International callers should dial (402) 875-4755. The call will last approximately 30 minutes and an audio archive of the call will be made available later in the day. Questions related to accessing the conference call can be directed to Adobe Investor Relations by calling 408-536-4416 or sending an email to ir@adobe.com.

Forward-Looking Statements Disclosure

This press release includes forward-looking statements within the meaning of applicable securities law. All statements, other than statements of historical fact, are statements that could be deemed forward-looking statements. Forward-looking statements relate to future events and future performance and reflect Adobe’s expectations regarding the ability to extend its leadership in the experience business through the addition of Marketo’s platform and other anticipated benefits of the transaction. Forward looking statements involve risks, including general risks associated with Adobe’s and Marketo’s business, uncertainties and other factors that may cause actual results to differ materially from those referred to in the forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to: Adobe’s ability to embed Marketo technology into Adobe Experience Cloud; the effectiveness of Marketo technology; potential benefits of the transaction to Adobe and Marketo customers, the ability of Adobe and Marketo to close the announced transaction; the possibility that the closing of the transaction may be delayed; and any statements of assumptions underlying any of the foregoing. The reader is cautioned not to rely on these forward-looking statements. All forward-looking statements are based on information currently available to Adobe and are qualified in their entirety by this cautionary statement. For a discussion of these and other risks and uncertainties, individuals should refer to Adobe’s SEC filings. Adobe does not assume any obligation to update any such forward-looking statements or other statements included in this press release.

 

via:  adobe

Is Your Security Dashboard Ready for the Cloud?

The ability to feed key security information onto a big screen dashboard opens up many new opportunities for managing the day-to-day security and maintenance workload as well as providing a useful method of highlighting new incidents faster than “just another email alert.”

Most Security Operations Centers I’ve visited in recent years have embraced having a few dedicated big-screen displays, but most are restricted to monitoring the on-premises architecture, such as local firewalls and servers, rather than taking a more holistic approach that accounts for the increasing use of cloud-hosted infrastructure and services.

Security no longer starts and ends at the “front door,” with cloud playing a bigger role in more and more organizations. Here are four things I think every company that uses cloud infrastructure should consider surfacing on its security dashboards.

Inventory and Discovery

The traditional model of server provisioning started changing with the growth of virtualization. You can no longer assume that new hardware will be purchased and entered into a CMDB before it goes live.

With the growth of cloud infrastructure, provisioning new virtual infrastructure became even easier, but with that ease come new challenges for your security processes. For that reason, making sure that newly detected devices are highlighted front and center on a dashboard makes a lot of sense: it helps you understand what is changing while a new or updated application is being provisioned during the DevOps cycle. Confirming that security tooling actually covers these new devices is key to making sure that gaps don’t develop over time.

Vulnerabilities and Priorities

When vulnerabilities are detected, it’s important that they are presented in a practical fashion. Simply listing every missing patch or misconfiguration often isn’t a sensible approach to managing your workload. A good dashboard should help reveal the most common and highest risk vulnerabilities in an easy-to-read fashion.

Tracking progress of investigations is important, too, in order to ensure you’re keeping on top of what’s been discovered as well as giving your security team a goal. Showing how old a vulnerability is, alongside its potential risk, can help provide a focus for teams as well as a sense of accomplishment when you clear down a challenging vulnerability from the dashboard.

Coverage

If you’re carrying out regular scans of your cloud infrastructure via one or more scanning appliances and/or applications, it’s important to account not just for the health of the environment you’re monitoring but also for the status of the tools you’re using to provide the monitoring. Availability indicators for your monitoring architecture as well as alerting for whether or not scans are completing successfully ensures that you always have the full picture.
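As an added example (not code from the original post or from any vendor), the two signals from the Inventory and Discovery and Coverage sections above can be computed from three inputs a SOC usually already has: a cloud inventory snapshot, a CMDB export and the scanner’s run history. The data below is constructed, and the field names and the weekly scan policy are assumptions rather than any product’s schema.

```python
"""Added example (not from the original post): derive "newly discovered assets"
and "scan coverage" dashboard signals from a cloud inventory snapshot, a CMDB
export and scanner run records. All data is constructed; the field names and
the weekly scan policy are assumptions, not any vendor's schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2018, 9, 21, 9, 0, tzinfo=timezone.utc)   # fixed "now" so runs are repeatable
MAX_SCAN_AGE = timedelta(days=7)                           # assumed policy: every asset scanned weekly

# Constructed cloud inventory (what the cloud API says exists right now)
CLOUD_INVENTORY = [
    {"id": "i-0a1", "ip": "10.0.1.10", "tags": {"app": "web"}},
    {"id": "i-0a2", "ip": "10.0.1.11", "tags": {"app": "web"}},
    {"id": "i-0b7", "ip": "10.0.2.40", "tags": {}},          # spun up by a pipeline, never registered
]
# Constructed CMDB export (what the organisation thinks it owns)
CMDB = {"i-0a1", "i-0a2", "i-0zz"}                           # i-0zz was terminated but never removed

# Constructed scanner run history: one record per (asset, scan attempt)
SCAN_RUNS = [
    {"asset": "i-0a1", "finished": NOW - timedelta(days=1), "status": "completed"},
    {"asset": "i-0a2", "finished": NOW - timedelta(days=9), "status": "completed"},  # too old
    {"asset": "i-0a2", "finished": NOW - timedelta(hours=2), "status": "failed"},    # latest run failed
]

@dataclass
class CoverageRow:
    asset: str
    last_good_scan: Optional[datetime]
    latest_status: str
    state: str            # "ok" | "stale" | "never" | "failed"

def inventory_drift(cloud, cmdb):
    """Assets live in the cloud but unknown to the CMDB (security tooling probably
    does not cover them), and CMDB entries that no longer exist in the cloud."""
    live = {a["id"] for a in cloud}
    return {"unregistered": sorted(live - cmdb), "ghosts": sorted(cmdb - live)}

def scan_coverage(cloud, runs, now=NOW, max_age=MAX_SCAN_AGE):
    """Per-asset health of the monitoring itself: is the newest successful scan
    recent enough, and did the most recent attempt actually complete?"""
    rows = []
    for asset in (a["id"] for a in cloud):
        mine = sorted((r for r in runs if r["asset"] == asset), key=lambda r: r["finished"])
        good = [r for r in mine if r["status"] == "completed"]
        last_good = good[-1]["finished"] if good else None
        latest_status = mine[-1]["status"] if mine else "none"
        if last_good is None:
            state = "never"                      # a failed latest run on an asset that
        elif latest_status != "completed":       # was covered before is reported as
            state = "failed"                     # "failed", not merely "stale"
        elif now - last_good > max_age:
            state = "stale"
        else:
            state = "ok"
        rows.append(CoverageRow(asset, last_good, latest_status, state))
    return rows

def dashboard_summary(cloud=CLOUD_INVENTORY, cmdb=CMDB, runs=SCAN_RUNS):
    """The numbers worth putting on the big screen, plus the detail behind them."""
    drift = inventory_drift(cloud, cmdb)
    cov = scan_coverage(cloud, runs)
    uncovered = {r.asset: r.state for r in cov if r.state != "ok"}
    return {
        "unregistered_assets": drift["unregistered"],
        "ghost_cmdb_entries": drift["ghosts"],
        "coverage_pct": round(100 * (len(cov) - len(uncovered)) / len(cov)),
        "uncovered": uncovered,
    }

if __name__ == "__main__":
    for key, value in dashboard_summary().items():
        print(f"{key}: {value}")
```

The point of the `failed` state taking priority over `stale` is that a scanner that has stopped completing runs will otherwise look healthy on the dashboard until the old result ages out, which is exactly the blind spot the Coverage section warns about.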

Compliance

Alongside triaging vulnerabilities, ensuring compliance to your internal security hardening requirements is key.

Making sure that you are proactively and consistently implementing security procedures helps to minimize your company’s risk. Showing compliance levels (typically through a simple percentage score) not only verifies how secure your environment is today but also lets you track your progress over time, demonstrating how everyday investment in your security configuration improves your security posture.

Getting the right information out and visible to your SOC team is key. Hopefully, these starting points will help you plan for your security dashboards to provide better overviews of your cloud security.

 

via:  tripwire

Computer System Security Requirements for IRS 1075: What You Need to Know

The IRS 1075 publication lays out a framework of compliance regulations to ensure federal tax information, or FTI, is treated with adequate security provisioning to protect its confidentiality. This may sound simple enough, but IRS 1075 puts forth a complex set of managerial, operational and technical security controls you must continuously follow in order to maintain ongoing compliance.

Any organization or agency that receives FTI needs to prove that they’re protecting that data properly with IRS 1075 compliance. Federal, state, county and local entities – as well as the contractors they employ – are all within its scope.

IRS 1075 is comprised of the following sections:

  1. Introduction
  2. Federal Tax Information and Reviews
  3. Recordkeeping Requirement: IRC 6103(p)(4)(A)
  4. Secure Storage: IRC 6103(p)(4)(B)
  5. Restricting Access: IRC 6103(p)(4)(C)
  6. Other Safeguards: IRC 6103(p)(4)(D)
  7. Reporting Requirements: IRC 6103(p)(4)(E)
  8. Disposing of FTI: IRC 6103(p)(4)(F)
  9. Computer System Security
  10. Reporting Improper Inspections or Disclosures
  11. Disclosure to Other Persons
  12. Return Information in Statistical Report

The complete document describing IRS 1075 requirements is available here.

All agency information systems used for receiving, processing, storing or transmitting FTI must be hardened in accordance with the requirements in IRS 1075. Agency information systems include the equipment, facilities and people that collect, process, store, display and disseminate information. This includes computers, hardware, software and communications as well as policies and procedures for their use.

The computer security framework was primarily developed using guidelines specified in NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments, and NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Only applicable NIST SP 800-53 controls are included in IRS 1075 as a baseline. Applicability was determined by selecting controls required to protect the confidentiality of FTI.

Let’s focus on Section 9: Computer System Security.

IRS 1075 requires organizations and agencies to protect FTI using core cybersecurity best practices like file integrity monitoring (FIM) and security configuration management (SCM). Both of these technologies depend upon a known, secure baseline. Any deviations from this baseline signal authorized or unauthorized changes that could bring your systems out of compliance or expose them to attacks.
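To make the baseline-and-deviation model concrete, here is an added example of the mechanism file integrity monitoring rests on. It is not Tripwire’s code and not part of the IRS 1075 text: a baseline records a SHA-256 digest and the permission bits of every file under a root, and a later check reports what was added, removed or changed so that each deviation can be matched against an approved change record. The directory tree and the simulated drift are constructed inside a temporary directory so it runs offline.

```python
"""Added example (not Tripwire's code, not from IRS 1075): the baseline and
deviation model behind file integrity monitoring. A baseline stores, per file,
a SHA-256 digest plus the permission bits; a later check reports additions,
removals and changes. The sample tree is constructed in a temp directory."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

def _fingerprint(path: Path) -> dict:
    """Content hash plus permission bits: a mode change (for example a config file
    made world-writable) is a deviation even when the bytes are untouched."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(path.stat().st_mode)}

def build_baseline(root: Path) -> dict:
    """Map of relative POSIX path -> fingerprint for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): _fingerprint(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def check_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare the live tree to the stored baseline and return the deviation set
    that a change-control process has to account for (approved or not)."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(current) & set(baseline)):
        old, new = baseline[rel], current[rel]
        reasons = [k for k in ("sha256", "mode") if old[k] != new[k]]
        if reasons:
            changed[rel] = reasons
    return {"added": added, "removed": removed, "changed": changed}

def demo() -> dict:
    """Build a constructed tree, baseline it, then apply four kinds of drift."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=10.0.0.5\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"\x7fELF...")
        os.chmod(root / "etc" / "app.conf", 0o640)
        baseline = build_baseline(root)
        # A baseline is only trustworthy if it is kept where the monitored host cannot
        # silently rewrite it; the JSON round trip shows it is plain data to ship elsewhere.
        baseline = json.loads(json.dumps(baseline))

        # Simulated drift: content edit, permission loosening, new binary, deleted binary.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        os.chmod(root / "etc" / "app.conf", 0o666)
        (root / "bin" / "dropper").write_bytes(b"\x7fELF!!!")
        (root / "bin" / "tool").unlink()
        return check_against_baseline(root, baseline)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A real FIM agent would also record owner, size and timestamps and would watch for changes continuously rather than on demand, but the reporting shape is the same: every entry in `added`, `removed` or `changed` either maps to an approved, documented change or is an incident.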

According to IRS 1075, all organizations and agencies that handle FTI must do the following:

  • Determine the types of changes to the information system that are configuration controlled
  • Review proposed configuration-controlled changes to the information system and approve or disapprove such changes with explicit consideration for security impact analyses
  • Document configuration change decisions associated with the information system
  • Implement approved configuration-controlled changes to the information system
  • Retain records of configuration-controlled changes to the information system for the life of the system
  • Audit and review activities associated with configuration-controlled changes to the information system
  • Coordinate and provide oversight for configuration change control activities through a Configuration Control Board that convenes when configuration changes occur
  • Test, validate and document changes to the information system before implementing the changes on the operational system

Tripwire can help with its Tripwire Enterprise software.

One of Tripwire Enterprise’s most fundamental capabilities is establishing a secure baseline configuration for your system and tracking all changes against that baseline. Tripwire Enterprise ensures the integrity of your files and systems, keeping a record of all changes that take place and producing audit-ready reports to make proof of compliance easier.

Tripwire Enterprise supports IRS 1075 Policy Compliance hardening guidelines out of the box.

If your organization or agency handles federal income tax information of any sort, you are required to stay in compliance with IRS 1075. Failure to do so can lead to heavy fines and even criminal charges, but Tripwire technology makes ongoing compliance simple and keeps you audit-ready at all points in time.

 

 

via:  tripwire

14 million customer records exposed in GovPayNow leak

GovPayNow.com, a payment system used by thousands of federal and state government agencies in the U.S. and recently acquired by Securus Technologies, has leaked 14 million customer records.

Information exposed includes the last four digits of payment cards, names, phone numbers and addresses, according to Brian Krebs, who discovered the leak.

Anyone could view the information by changing the digits in the URL of an online receipt that the service gives users when they pay parking citations, fines or make other financial transactions.

“GovPayNet [which is doing business as GovPayNow] has addressed a potential issue with our online system that allows users to access copies of their receipts, but did not adequately restrict access only to authorized recipients,” according to a company statement sent to KrebsOnSecurity, which also said there was no “indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction.”

Noting that most of the information exposed “is a matter of public record that may be accessed through other means,” the company said: “Nonetheless, out of an abundance of caution and to maximize security for users, GovPayNet has updated this system to ensure that only authorized users will be able to view their receipts.”

Calling the breach at the Indianapolis-based company “fairly minor” compared to others over the last year, Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, said, “Online payment providers, especially those doing business with the government, should take special care to protect their customers’ receipts by using HTTPS and checking that the user is logged in and has permissions to view them.”

Bilogorskiy also recommended, to “avoid information disclosure and directory traversal issues,” that companies deny “anonymous web visitors the ability to read permissions for any sensitive data files and removing any unnecessary files from web-accessible directories.”
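The flaw described above (any receipt returned to anyone who changes the number in the URL) and the fix Bilogorskiy recommends (check that the user is logged in and is allowed to see that receipt) side by side, as an added example that is not GovPayNet’s code. Receipts, accounts and sessions are constructed in memory, and the function and field names are hypothetical. The enumeration helper shows why a sequential key with no ownership check exposes the whole table rather than one record.

```python
"""Added example, not GovPayNet's code: an insecure direct object reference on a
receipt lookup next to a hardened version that authenticates, authorises against
the record's owner, and replaces the guessable key with a random reference.
Receipts, accounts and sessions are constructed; all names are hypothetical."""
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Receipt:
    receipt_id: int        # sequential database key, the number a naive URL exposes
    owner: str             # account that made the payment
    name: str
    card_last4: str
    amount: str

# Constructed data: three payers with sequential IDs, as a naive schema would assign
RECEIPTS = {
    1001: Receipt(1001, "alice", "Alice A.", "4242", "$45.00"),
    1002: Receipt(1002, "bob",   "Bob B.",   "1881", "$120.00"),
    1003: Receipt(1003, "carol", "Carol C.", "0005", "$15.00"),
}
# Constructed sessions: cookie value -> logged-in account
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

class Forbidden(Exception):
    pass

def vulnerable_receipt_view(receipt_id: int, session_cookie: Optional[str]) -> Receipt:
    """Looks the receipt up by the number in the URL and nothing else: no login
    check, no ownership check. This is the insecure direct object reference."""
    return RECEIPTS[receipt_id]

def hardened_receipt_view(receipt_id: int, session_cookie: Optional[str]) -> Receipt:
    """Authenticate, then authorise against the record's owner, then return it.
    Unknown and foreign receipts raise the same error so the endpoint does not
    become an oracle for which IDs exist."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        raise Forbidden("login required")
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None or receipt.owner != user:
        raise Forbidden("no such receipt")
    return receipt

def enumerate_receipts(view, session_cookie, id_range=range(1000, 1010)):
    """What an attacker does against a sequential-ID endpoint: walk the ID space.
    Returns the owners whose receipts came back."""
    seen = []
    for rid in id_range:
        try:
            seen.append(view(rid, session_cookie).owner)
        except (KeyError, Forbidden):
            continue
    return seen

# Defence in depth: put a random, unguessable reference in the URL instead of the
# database key. Authorisation is still enforced; the reference only stops wholesale
# enumeration and keeps the key out of logs and referrer headers.
REFERENCES = {secrets.token_urlsafe(16): rid for rid in RECEIPTS}   # ref -> receipt_id

def receipt_by_reference(ref: str, session_cookie: Optional[str]) -> Receipt:
    rid = REFERENCES.get(ref)
    if rid is None:
        raise Forbidden("no such receipt")
    return hardened_receipt_view(rid, session_cookie)

if __name__ == "__main__":
    print("anonymous vs vulnerable:", enumerate_receipts(vulnerable_receipt_view, None))
    print("anonymous vs hardened:  ", enumerate_receipts(hardened_receipt_view, None))
    print("bob vs hardened:        ", enumerate_receipts(hardened_receipt_view, "sess-bob"))
```

Note that the random reference on its own is not a fix: without the ownership check, a reference leaked in a shared link or browser history would still hand the receipt to whoever holds it. The authorisation check is the control; the reference just removes the cheap mass-enumeration path.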

Pravin Kothari, CEO of CipherCloud, noted the security incident – which exposed data from as far back as 2012 – isn’t the first for Securus, which bought the company in January.

“Securus has had other issues with cybersecurity over the past few years including the misuse of a service that tracked convicted felons’ cellphones, hackers penetrating this same system and subsequently stealing logins and legitimate credentials, and finally another flaw in May that allowed unauthorized access to accounts by guessing answers to the security questions,” he explained.

In the spring, a hacker swiped 2,800 logins and passwords from Securus. That came on the heels of Sen. Ron Wyden, D-Ore., asking the Federal Communications Commission (FCC) to investigate the wireless carriers that allow law enforcement to have “unrestricted access to the location data” of their customers, after a former Missouri sheriff was indicted for, among other things, tracking the cell phones of numerous persons, including some state troopers, without a court order.

The issues prompted wireless carriers like Verizon to review their location aggregator programs and terminate existing location data sharing agreements with third-party brokers.

Many of the “flaws are simple to find and fix. That’s not the issue,” said Kothari. “The issue is that there will always be open vulnerabilities, misconfigurations, and missing updates that attackers can exploit. You cannot fix them all.”

“It’s inevitable that attackers will penetrate networks, given increasing numbers and an escalating volume of persistent attacks,” he said.

“Best practices today position safekeeping of your data, at all times, in a pseudonymized form,” Kothari said. “This makes it an order of magnitude harder for the attackers to acquire useful information which they can exploit from within your on-premise networks or your cloud services.”

GovPayNow.com displays an online receipt when citizens use it to settle state and local government fees and fines via the site. Until this past weekend it was possible to view millions of customer records simply by altering digits in the Web address displayed by each receipt.

 

via:  scmagazine

ICO Receiving 500 Breach-Related Calls a Week Since GDPR Took Effect

The United Kingdom’s Information Commissioner’s Office (ICO) has been receiving 500 calls a week pertaining to data breaches since the European Union’s General Data Protection Regulation (GDPR) took effect.

Speaking before hundreds of senior business leaders at the Confederation of British Industry’s (CBI’s) fourth annual Cyber Security Conference, ICO deputy commissioner James Dipple-Johnstone revealed that of the 500 breach-related calls received weekly by the Office, a third of them aren’t warranted or pertain to events that don’t qualify as data security incidents.

All of these unnecessary reports could be an indication that organizations are eager to comply. Dipple-Johnstone clarified that many of the reports tend to “over-report” the details of a perceived security incident. He attributed this phenomenon to organizations’ desire to manage their risk or a prevailing perception that they need to report everything, reported ITPro.

Despite these attempts to maintain transparency, some companies failed to comply with the ICO’s reporting requirements. Dipple-Johnstone explained that some of the data breach reports received by the Office were incomplete. In other notices, organizations mistook the mandatory reporting period of 72 hours as 72 “business” hours, not three consecutive days from the moment of discovery.

These findings came at around the same time that cloud and data firm Talend reported that a majority of organizations were failing to comply with certain elements of GDPR. Specifically, it found that just 35 percent of EU-based companies were fulfilling subject access requests (SARs) filed by customers looking to access their data held by controllers within the legal time frame. Outside of Europe, only half of organizations were meeting those deadlines.

Dipple-Johnstone said the ICO will be working with organizations to help them with their data protection efforts going forward. He also made a point of indicating how the ICO doesn’t always issue fines following an investigation into a potential data security incident. As quoted by ITPro:

The small number of fines we issue always seem to get the headlines, but we close many thousands of incidents each year without financial penalty but with advice, guidance and reassurance. For every investigation which ends in a fine, we have dozens of audits, advisory visits and guidance sessions. That is the real norm of the work we do.

Data protection goes beyond implementing security technologies like encryption and machine learning. It also involves investing in those who use those solutions.

 

via:  tripwire

 

Cyber attack led to Bristol Airport blank screens

Image caption: The screens at the airport stopped working on Friday morning.

Bristol Airport has blamed a cyber attack for causing flight display screens to fail for two days.

An airport spokesman said the information screens were taken offline early on Friday to contain an attack similar to so-called “ransomware”.

They are now working again at “key locations” including in departures and arrivals, and work is continuing to get the whole site back online.

The spokesman said no “ransom” had been paid to get the systems working again.

Ransomware is a form of malware that threatens to delete files unless a ransom is paid.

Spokesman James Gore said: “We believe there was an online attempt to target part of our administrative systems and that required us to take a number of applications offline as a precautionary measure, including the one that provides our data for flight information screens.

“That was done to contain the problem and avoid any further impact on more critical systems.

“The indications are that this was a speculative attempt rather than targeted attack on Bristol Airport.”

Mr Gore said flights were unaffected, but contingency measures and “manual processes”, including whiteboards and marker pens, had to be used in place of display screens.

“At no point were any safety or security systems impacted or put at risk.”

He said it had taken “longer than people might have expected” to rectify due to a “cautious approach”.

“Given the number of safety and security critical systems operating at an airport, we wanted to make sure that the issue with the flight information application that experienced the problem was absolutely resolved before it was put back online.”

No flights are understood to have been disrupted as a result.

via:  bbc

Google, Apple and 13 other companies that no longer require employees to have a college degree

The economy continues to be a friendly place for job seekers today, and not just for the ultra-educated — economists are predicting ever-improving prospects for workers without a degree as well.

Recently, job-search site Glassdoor compiled a list of 15 top employers that have said they no longer require applicants to have a college degree. Companies like Google, Apple, IBM and EY are all in this group. But currently, EY’s non-degree requirements are applicable to candidates in the UK.

In 2017, IBM’s vice president of talent Joanna Daley told CNBC Make It that about 15 percent of her company’s U.S. hires don’t have a four-year degree. She said that instead of looking exclusively at candidates who went to college, IBM now looks at candidates who have hands-on experience via a coding boot camp or an industry-related vocational class.

Check the list below to see what other top companies you can score a job at if you don’t have a college degree:

Google has expanded its Google for Jobs initiative, launched last summer, to feature a job search tool that uses AI technology. The company believes it will radically change the online job-seeking experience.

1. Google

Glassdoor company rating on a five-point scale: 4.4

Current openings include: product manager, recruiter, software engineer, product marketing manager

Hiring locations include: Mountain View, CA; Austin, TX; San Francisco, CA

2. Ernst & Young (EY)

Glassdoor company rating on a five-point scale: 3.7

Current openings include: assurance services senior, risk advisor, experience management manager, tax services senior

Hiring locations include: Alpharetta, GA; San Francisco, CA; Boston, MA

3. Penguin Random House

Glassdoor company rating on a five-point scale: 3.8

Current openings include: marketing designer, publicity assistant, senior manager of finance, production assistant

Hiring locations include: New York, NY; London, England; Colorado Springs, CO

4. Costco Wholesale

Glassdoor company rating on a five-point scale: 3.9

Current openings include: cashier, stocker, pharmacy sales assistant, bakery wrapper

Hiring locations include: Baton Rouge, LA; Vallejo, CA; Kalamazoo, MI

5. Whole Foods

Glassdoor company rating on a five-point scale: 3.5

Current openings include: grocery team member, cashier, bakery team member, whole body team member

Hiring locations include: Napa, CA; Petaluma, CA; Tigard, OR

6. Hilton

Glassdoor company rating on a five-point scale: 4

Current openings include: event manager, front office manager, housekeeper, hotel manager

Hiring locations include: San Rafael, CA; Napa, CA; Indianapolis, IN

7. Publix

Glassdoor company rating on a five-point scale: 3.7

Current openings include: pharmacist, retail set-up coordinator, maintenance technician, job fair

Hiring locations include: Lakeland, FL; Atlanta, GA; Deerfield Beach, FL

8. Apple

Glassdoor company rating on a five-point scale: 4

Current openings include: design verification engineer, engineering project manager, iPhone buyer

Hiring locations include: Santa Clara, CA; Austin, TX; Las Vegas, NV

9. Starbucks

Glassdoor company rating on a five-point scale: 3.8

Current openings include: barista, shift supervisor, store manager

Hiring locations include: Dublin, GA; San Francisco, CA; Compton, CA

10. Nordstrom

Glassdoor company rating on a five-point scale: 3.6

Current openings include: retail sales, cleaning, stock and fulfillment, bartender

Hiring locations include: Phoenix, AZ; Las Vegas, NV; Scottsdale, AZ

11. Home Depot

Glassdoor company rating on a five-point scale: 3.5

Current openings include: department supervisor, customer service sales, store support

Hiring locations include: Colonial Heights, VA; South Plainfield, NJ; San Diego, CA

12. IBM

Glassdoor company rating on a five-point scale: 3.4

Current openings include: financial blockchain engineer, lead recruiter, contract and negotiations professional

Hiring locations include: San Francisco, CA; Raleigh-Durham, NC; Austin, TX

13. Bank of America

Glassdoor company rating on a five-point scale: 3.5

Current openings include: client service representative, client associate, analyst, executive assistant

Hiring locations include: Tulsa, OK; Wilmington, DE; New York, NY

14. Chipotle

Glassdoor company rating on a five-point scale: 3.4

Current openings include: district manager, kitchen manager, service manager

Hiring locations include: Sandy, UT; Woburn, MA; Pleasant Hill, CA

15. Lowe’s

Glassdoor company rating on a five-point scale: 3.3

Current openings include: plumbing associate, commercial sales loader, lumber associate

Hiring locations include: Westborough, MA; Omaha, NE; Mooresville, NC

via:  cnbc

Amazon S3 Security Step-by-Step

Bucket Policies and Defense-in-Depth: Amazon S3

Excellent paper by Rajat Ravinder Varuni and Rafael Marcelino Koike. I read it and it will help me when I have to talk with “people whose heads are in the cloud”.

In this blog post, we show you how to prevent your Amazon S3 buckets and objects from allowing public access. We discuss how to secure data in Amazon S3 with a defense-in-depth approach, where multiple security controls are put in place to help prevent data leakage. This approach helps prevent you from allowing public access to confidential information, such as personally identifiable information (PII) or protected health information (PHI).
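
One concrete check from the policy layer of that approach, written here as an added example (not code from the AWS post): it flags bucket-policy statements that any principal can use, beside a hardened policy that limits access to one role and refuses plaintext HTTP. The bucket name and account id are placeholders, and the policies are constructed samples; this is one layer, and a defense-in-depth setup stacks further controls on top of it.

```python
"""Flag bucket-policy statements that grant public access, beside a hardened policy.

Added example, not code from the AWS post. Bucket name and account id are
placeholders and both policies are constructed samples; only the policy
layer is examined here.
"""


def _principals(p):
    """Normalise the Principal field ("*", {"AWS": "..."} or lists) to a flat list."""
    if isinstance(p, str):
        return [p]
    if isinstance(p, dict):
        out = []
        for v in p.values():
            out.extend(v if isinstance(v, list) else [v])
        return out
    return []


def public_statements(policy):
    """Return the Sids of Allow statements that any principal can use.

    Simplification: a statement carrying a Condition is not flagged; a real
    review must read that condition, since it may not limit who can call."""
    hits = []
    for st in policy.get("Statement", []):
        if (st.get("Effect") == "Allow" and "*" in _principals(st.get("Principal"))
                and not st.get("Condition")):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


def denies_plaintext_transport(policy):
    """True if a Deny statement rejects requests that are not made over TLS."""
    for st in policy.get("Statement", []):
        flag = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if st.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


# Constructed sample: the classic "public read" mistake.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

# Constructed sample: reads limited to one role (placeholder account id) and
# plaintext HTTP refused for every principal.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
```

Running `public_statements(WEAK_POLICY)` returns `["PublicRead"]`, while the hardened policy yields no public statements and passes `denies_plaintext_transport`.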

via:  Stephen Northcutt

Configuration Hardening: Proactively Guarding Systems Against Intrusion

The concept of configuration hardening has nice imagery to it. When we use it to describe battle-hardened soldiers who have been tested in combat, a grim, determined image invariably leaps to mind. The same thing happens when we speak of hardened steel that’s been repeatedly quenched and tempered or of hardened fortifications and bunkers.

But what does this state of “being hardened” mean in the context of information systems? What do we mean when we talk about operating system hardening techniques to repel exploits and withstand intrusions? Much of this is captured in three simple concepts:

  1. Ensure a system’s security configurations are appropriately set given the job it needs to do.
  2. Ensure operating system software, firmware and applications are updated to stay ahead of exploits that attack flaws in the underlying code.
  3. Ensure this process runs continually, leveraging and employing as much automation as possible.

What is Configuration Hardening?

Configurations are, in an almost literal sense, the DNA of modern information systems. “Configuration settings” are the attributes and parameters that tell these systems—from servers to network devices and from databases to desktops and applications—how to act and how to behave.

Unfortunately, these systems are made to “do work” and not to “be secure.” In other words, they’re shipped infinitely capable but effectively insecure. Modern computer systems have over 1,000 well-known ports with which to get work done. They also have another 40,000 or so “registered” ports and yet another 20,000 or so “private” ports. These in turn support a vast number of services and processes.

There’s a nice analogy that helps us get our arms around this: If we translate a server’s “ports and processes and services” to the “doors and gates and windows” in a house, we see information systems as unimaginably large, fundamentally porous houses.

Security configuration management

Security configuration management becomes the job of determining which of these doors and gates and windows should be open, closed or locked at any given time.

Of course, this notion of whether something should be “open or closed or locked” is very conditional—it depends on circumstances like “when” or “where.” If I’m going away for a week, I double-check that everything in my house is locked down tight.  If I’m only going to be gone for an hour, I may leave the back door unlocked.

And if it’s the height of summer, I may have an air conditioner in a window that comes right off the front porch. In this case, I’ve knowingly traded an inherent security weakness (I can’t lock that window until autumn!) for comfort.

To drag this analogy back to the modern computer network, we need to amplify our numbers exponentially. The first thing we note is that the number of “configuration items”—doors and gates and windows that need to be monitored and assessed just to achieve a basic level of security—becomes staggering:

  • Network device configurations can have an average of 2000 lines of code for each device.
  • Each device configuration can contain hundreds of parameters for about 20 different IP protocols and technologies that need to work together.
  • A Fortune 1000 enterprise can have over 50 million lines of configuration code in its extended network.

System hardening best practices

At the device level, this complexity is apparent in even the simplest of “vendor hardening guideline” documents. These are vendor-provided “How To” guides that show how to secure or harden an out-of-the-box operating system or application instance. Some examples:

  • The hardening guide for Oracle Solaris v11 has 55 of these critical configuration items. (My house has just 30 doors and windows, by comparison.)
  • The VMware guide for vSphere 5 highlights 60 critical security items that must be checked.
  • For Windows 2008, the Microsoft guide for minimal system hardening includes 158 settings that need to be secured immediately out of the box (it’s a big house).

This still falls short of the number of settings that must be managed under prescriptive information security guides. Prescriptive guidance comes from sources like the Center for Internet Security’s (CIS) “Benchmarks,” the Defense Information Systems Agency’s “Security Technical Implementation Guides” (DISA STIGs), or the National Institute of Standards and Technology’s NIST 800-53, “Recommended Security Controls for Federal Information Systems and Organizations.”

The degree of “prescriptive-ness” in these standards refers to the level of specific guidance they provide: a non-prescriptive guide like SOX might say “Passwords should be complex.” But prescriptive guidelines like the ones above provide specific values that must be attained for each control.

Compared to the simple SOX standard for passwords, CIS requires passwords that:

  • Are at least 8 characters in length for standard enterprise servers
  • Are at least 11 characters for critical systems
  • Are changed every 90 days but not more often than once a day
  • Are different from the previous 24 passwords created by the user
  • Contain characters from multiple classes: alphabet, numeric, special characters, etc.
  • Are not saved or stored in any form of reversible encryption
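
The CIS values listed above, turned into the kind of check security configuration management actually runs: an added example (not the article's or CIS's own code) that audits constructed samples of login.defs, pwquality.conf and a PAM password line against them. Two assumptions: the “multiple classes” bullet is read as minclass >= 2, and the “no reversible encryption” control is not visible in these files, so it is not checked.

```python
"""Audit Linux password-policy settings against the CIS values quoted above.

Added example, not the article's or CIS's own code. File contents are
constructed samples; on a real host they come from /etc/login.defs,
/etc/security/pwquality.conf and the PAM stack (pam_pwhistory remember=).
"""
import re

# Constructed sample: typical out-of-the-box values.
LOGIN_DEFS = """
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""
PWQUALITY = """
# minlen = 8      (commented out, so the weak value below is the active one)
minlen = 6
minclass = 1
"""
PAM_LINE = "password required pam_pwhistory.so remember=5"

# Constructed sample: values that satisfy the critical-system profile.
HARDENED_LOGIN_DEFS = "PASS_MAX_DAYS 90\nPASS_MIN_DAYS 1\n"
HARDENED_PWQUALITY = "minlen = 11\nminclass = 4\n"
HARDENED_PAM = "password required pam_pwhistory.so remember=24 use_authtok"


def parse_kv(text):
    """Return {KEY: int} for active (uncommented) 'KEY VALUE' / 'KEY = VALUE' lines."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"(\w+)\s*=?\s*(\d+)$", line.split("#", 1)[0].strip())
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def audit(login_defs, pwquality, pam_line, critical=False):
    """Return (setting, observed, requirement) for every CIS control that fails.

    Assumption: 'multiple classes' is read as minclass >= 2; the 'no reversible
    encryption' control is not visible in these files and is not checked."""
    ld, pq = parse_kv(login_defs), parse_kv(pwquality)
    m = re.search(r"remember=(\d+)", pam_line)
    remember = int(m.group(1)) if m else 0
    min_len = 11 if critical else 8   # 8 for standard servers, 11 for critical systems
    checks = [
        ("minlen", pq.get("minlen", 0), lambda v: v >= min_len, f">= {min_len}"),
        ("minclass", pq.get("minclass", 0), lambda v: v >= 2, ">= 2"),
        ("PASS_MAX_DAYS", ld.get("PASS_MAX_DAYS", 99999), lambda v: v <= 90, "<= 90"),
        ("PASS_MIN_DAYS", ld.get("PASS_MIN_DAYS", 0), lambda v: v >= 1, ">= 1"),
        ("remember", remember, lambda v: v >= 24, ">= 24"),
    ]
    return [(name, val, req) for name, val, ok, req in checks if not ok(val)]


if __name__ == "__main__":
    for finding in audit(LOGIN_DEFS, PWQUALITY, PAM_LINE):
        print("FAIL %-14s observed=%-6s required %s" % finding)
    print("hardened, critical:", audit(HARDENED_LOGIN_DEFS, HARDENED_PWQUALITY, HARDENED_PAM, True))
```

Against the out-of-the-box sample every one of the five checked controls fails; the hardened sample passes even the 11-character critical-system profile.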

Because of this level of control, prescriptive standards like CIS tend to be more complex than vendor hardening guidelines. Some standards, like DISA or NIST, actually break these down into more granular requirements depending on Hi/Med/Lo risk ratings for the systems being monitored.

It’s worth mentioning, too, that there are dozens more—a veritable alphabet soup of acronyms and abbreviations—that provide guidance across industry segments and areas of interest. “NERC CIP” requirements provide standards for critical infrastructure protection in the energy space, while HIPAA requirements govern systems that store or transmit patient health records. The list is long and covers virtually every industry and nearly every region or country.

In any industry or setting, the discipline of security configuration management seeks to find a balance between security and usability: somewhere between “server passwords are allowed to be blank” and a ridiculous work-stopping requirement like “the system needs to have a new, never-used, complex 30-character password that’s changed every 48 hours” rests that ongoing balance.

via:  tripwire