Tag Archives: SANS Institute

STEM prodigies battle it out in competition to find UK’s next generation of cyber security talent

This year’s CyberCenturion winners are from St Paul’s School, Barnes in London. The school’s two teams scooped both first and second place, with Team B winning the competition and Team A finishing second. The day-long cyber defence competition was led by global security company Northrop Grumman and the Cabinet Office-backed Cyber Security Challenge UK. The national finals follow months of gruelling online qualifiers between over 100 teams from across the UK and overseas territories.

The candidates were tasked with defending a start-up drone-based food delivery service – named ‘Always Food Available’ – using their evolving cyber security skills to identify vulnerabilities in the company’s network and systems, repair the vital issues and maintain the company’s services, while also fending off adversaries.

“Congratulations to our winning team,” said Nigel Harrison, acting COO and co-founder of the Cyber Security Challenge UK. “They emerged victorious after a day of intense competition. The next CyberCenturion is now open for registration and we would like to encourage more young people to consider taking part. With an increasing number of processes and jobs becoming digitally-focused, it’s vital that we find workers to protect our connected world, whether they’re intelligence officers supporting the Government’s hunt for criminals or network engineers protecting the launch systems of spacecraft.”

The winning team received 16 Pi-top CEED kits for their school to help further promote STEM and cyber careers and provide them with a competitive edge for their future careers.

“The enthusiasm of the participants and the high standards among the teams in the finals has been impressive to see,” said Andrew Tyler, CEO at Northrop Grumman Europe. “We congratulate all of the finalists on their accomplishments, wish them success and look forward to the positive impact they can make in addressing the global security challenges of the future.”


Tyler went on to state: “There’s a severe shortage of diverse young people entering careers in STEM subjects, and it’s up to industry leaders like Northrop Grumman to help rectify that situation. Through CyberCenturion, we’re helping to inspire and build a diverse workforce that addresses this global imperative.”

With the backing of founding sponsors like the SANS Institute, the Challenge started out in 2010 to create a series of virtual and face-to-face competitions that would identify talented people for the cyber security industry.

Now in its eighth year, the Challenge is backed by over 50 of the UK’s most prestigious public, private and academic organisations, and hosts a wide programme of activities designed to spread the word about why cyber security is such a fulfilling and varied career while also helping talented people to access their first cyber security jobs.

Working with those at schools and universities and individuals looking to change careers, the Challenge is making a notable difference to the career prospects of people with the talent and aptitude to become cyber security professionals.

*For further information access https://cybersecuritychallenge.org.uk/


“Wireless security skills need to prepare for the IoT age” urges SANS Institute

The proliferation of new wireless communication technologies within consumer electronics and smart devices is overtaking the skills harboured within the information security industry. That’s the considered opinion of Larry Pesce, a leading expert in the field and a SANS Institute instructor.

“There’s a great deal of disparity between the security of the different wireless standards, and particularly so when you compare the 802 family that were predominately built for business use and emerging technologies that came from the consumer landscape such as Bluetooth, Zigbee and Z-Wave,” explained Pesce, who co-authored the books entitled ‘Linksys WRT54G Ultimate Hacking’ and ‘Using Wireshark and Ethereal’.

“For example, Bluetooth has some solid maths around encryption, but many of the security decisions are left in the hands of the users which means things can go horribly wrong. Zigbee has a poor design for how it handles passphrase and replay packets which are highly vulnerable, while security in some of the proprietary formats like Z-Wave offers almost non-existent security.”


Pesce, who also develops real-world challenges for the Mid-Atlantic Collegiate Cyber Defence Challenge, is complimentary about newer wireless protocols such as 802.15.4 and Zigbee which uses baseline profiles to help deliver enhanced security, but comments: “The technology is probably ahead of the skill sets out in the field. The problem is also somewhat underestimated.”

Pesce also highlights the privacy issues that wireless-enabled devices are starting to hit against. “If we look forward, a large number of devices in the workplace and the home will be wirelessly enabled and communicating autonomously between each other and back to manufacturers. Unless more consideration is given towards securing both the devices and the communication links, there are likely to be breaches that will burrow into this Internet of Things infrastructure and start to gather private information or act as a staging post for more damaging attacks.”

Wireless Ethical Hacking, Penetration Testing and Defences

Pesce will be teaching the SANS course SEC617: Wireless Ethical Hacking, Penetration Testing and Defences at SANS London in July. The hands-on course takes an in-depth look at the security challenges of many different wireless technologies, exposing students to wireless security threats through the eyes of an attacker.

Using readily available and custom-developed tools, students navigate through the techniques attackers use to exploit Wi-Fi networks, including attacks against WEP, WPA/WPA2, PEAP, TTLS and other systems.

The course also examines the commonly overlooked threats associated with Bluetooth, ZigBee, DECT and proprietary wireless systems.

“We’re at a crossroads from a standards perspective,” concluded Pesce. “The vendors are still mostly obsessed with ‘bigger and faster’, but there’s also increased pressure from a privacy perspective and many are having a hard time figuring it out. For information security professionals, the skills needed to secure these new types of wireless connections are in high demand.”

*More information on SANS London Summer 2016 is available at: http://www.sans.org/london-in-the-summer-2016


SANS Institute returns to Brussels for delivery of “vital” training and education on information security

SANS Institute, the world’s largest cyber security training provider, will be returning to Belgium in early 2016 to host five essential information security training courses.

Entitled ‘SANS Brussels Winter 2016’, the training event offers security, penetration testing and forensics tracks including the popular SEC401: Security Essentials Bootcamp taught by Dr Eric Cole, a SANS faculty Fellow, course author and member of the Commission on Cyber Security for the 44th President.

“Demand for security expertise is outstripping supply, making this a great time for both individuals and organisations to benefit from strengthening and gaining new skills,” urged Cole. “Events like ‘SANS Brussels Winter 2016’ and other SANS training opportunities around Europe are vital to help combat what’s now an increasingly complex threat landscape.”

‘SANS Brussels Winter 2016’ takes place from Monday 18 January-Saturday 23 January at the Radisson Blu Royal Hotel in the heart of Brussels, and includes a programme of evening talks and networking opportunities.

Training courses scheduled to run at the event are as follows:

  • SEC542: Web App Penetration Testing and Ethical Hacking (Tutor: Raul Siles)
  • SEC401: Security Essentials Bootcamp Style (Tutor: Dr Eric Cole)
  • SEC504: Hacker Tools, Techniques, Exploits and Incident Handling (Tutor: Steve Armstrong)
  • FOR572: Advanced Network Forensics and Analysis (Tutor: George Bakos)
  • FOR408: Windows Forensic Analysis (Tutor: TBC)

Each course has an associated GIAC certification. Discounted rates for the certification attempt are available when purchased with a training course.

*For more information on ‘SANS Brussels Winter 2016’ visit: https://www.sans.org/event/belgium-2016/


“Human Resources Departments are key to information security” states SANS Institute

In tandem with European Cyber Security Awareness Month, Lance Spitzner (director at the SANS Institute) suggests that Human Resources Departments have a critical role to play in helping their organisations improve information security procedures.

“Organisations are beginning to realise that they have to secure the human element as technology can only go so far,” explained Spitzner, an internationally recognised leader in the field of cyber threat research and security training and awareness. “As long as individuals store, process or transfer information then they too must be secured. One of the most effective ways in which to secure employees is to change their behaviours through an active, longer term security awareness programme.”

Spitzner (who has spoken to and worked with numerous organisations including the NSA, FIRST, the Pentagon, the FBI Academy, the US President’s Telecommunications Advisory Committee, MS-ISAC, the Navy War College and the CESG in Britain) suggests that, based on the available evidence, it’s extremely likely every large organisation will experience an information security breach at some point in time.

According to the influential Data Breach Investigation Report which has examined over 100,000 security breaches across the last decade, 81% of the incidents charted can be described by just four root causes: miscellaneous errors (27%), insider misuse (19%), crimeware (19%) and physical theft/loss (16%).

The SANS Institute believes that security awareness training must be given more importance as the likelihood of human error leading to a security breach increases


The main threat comes from human error, such as someone accidentally posting private data to a public site, sending information to the wrong recipients or failing to dispose of documents or assets in a secure manner. However, lack of security awareness also has a part to play in insider misuse, physical theft and incidents of loss.

“In the past,” continued Spitzner, “organisations have orchestrated security awareness programmes, but these were primarily compliance-driven and designed by auditors to ensure the company could ‘check the box’. These programmes consisted of nothing more than a once-a-year PowerPoint presentation or some very basic computer-based training. In recent times, host organisations have begun a fundamental shift in terms of how they approach awareness and training. They’re now building mature security awareness programmes that identify and change high risk human behaviours.”

Spitzner advises that the first task is to gain the support of management and answer the key questions of: ‘Who?’, ‘What?’ and ‘How?’

“Once you have a programme rolled out,” continued Spitzner, “you’ll need the ability to measure it. Measuring provides several things. First, it helps you identify where your greatest risks are and where you need to focus your efforts. Second, it can be used to demonstrate the value of the programme to senior management, in turn gaining you the support you need in order to keep that programme going in the longer term.”

European Cyber Security Awareness Month

European Cyber Security Awareness Month is a European Union advocacy campaign that takes place each October. The overall aim is to promote the subject of cyber security among citizens, change their perception of cyber threats and provide up-to-date security information through education and sharing of good practices.

To further support this initiative in 2014, Spitzner is running a webinar session offering a step-by-step walk through of how to take your security awareness programme to the next level. The session covers key points including how to leverage the Security Awareness Maturity Model, effectively engage people, measure change in behaviours and communicate those results to management.

Registration is available via: https://www.sans.org/webcasts/securing-human-emea-generation-awareness-programs-98857
