Cybersecurity: is the talent gap a myth? Is the industry delusional? – ESW #376
This week, the cybersecurity industry's most basic assumptions come under scrutiny. Following up on our conversation with Wolfgang Goerlich, where he questions the value of phishing simulations, we discuss essays that call into question:
- the maturity of the industry
- the supposed "talent gap" with millions of open jobs despite complaints that this industry is difficult to break into
- cybersecurity's 'delusion' problem
Also some whoopsies:
- researchers accidentally take over a TLD
- When nearly all your customers make the same insecure configuration mistakes, maybe it's not all their fault, ServiceNow finds out
Fortinet has a breach, but is it really accurate to call it that?
Coalfire pentesters who were arrested in Iowa five years ago share previously unheard details about the event, and how it still impacts their lives on a daily basis.
The news this week isn't all negative though! We discuss an insightful essay on detection engineering for managers from Ryan McGeehan that is a must-read for secops managers.
Finally, we discuss a fun and excellent writeup on what happens when you ignore the integrity of your data at the beginning of a 20-year research project that resulted in several bestselling books and a Netflix series!
- 1. ESSAYS: Cybersecurity Workforce Woes
An essay examining the "talent gap". Is it real? Was it all a myth? Was it ever real?
There's a lot of nuance in the answers to these questions, and Chris Hughes does a good job of covering the bases in this long(ish) read.
- 2. ESSAYS: Prioritizing Detection Engineering
This is a follow-up to Ryan's infamous 2017 essay titled Lessons Learned in Detection Engineering. Ryan seems to share my obsession with understanding what works and what doesn't in the enterprise, and how things fail when they don't work.
If I'm being honest, I see a LOT of my own mistakes in this one. Granted, many of those were made almost exactly 20 years ago, but, people being people, I imagine some of those same mistakes are still being made today.
- 3. ESSAYS: Cybersecurity’s Delusion Problem
BREAKING: Cybersecurity is not the most important thing to the business. It's not even their biggest risk. Not by a long shot.
- 4. ESSAYS: Beyond Immature Rhetoric: The Case Against Mockery and Ambulance Chasing in the Security Industry
Sit down, be humble
- 5. WHOOPSIES: We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI
One of those incredible stories that will become legend.
Situations like this are why the entire category of External Attack Surface Management (EASM) was created, but EASM exists to find these kinds of issues for one customer: an organization and its subsidiaries. It wasn't designed to find these issues at the TLD or internet architecture level!
Every now and then, it feels like L0pht testifying before Congress in 1998 all over again.
- 6. WHOOPSIES: Enterprise ServiceNow Knowledge Bases at Risk
Similar to that issue Salesforce had last year. In fact, I just realized it was discovered by the same person, Aaron Costello, and that's how he got his job at AppOmni, as a security researcher!
This is in that category of "misconfiguration due to unclear UI/UX". We have at least one of these every year - there should be an award, in the shape of an S3 bucket.
- 7. BREACHES: Fortinet confirms data breach after hacker claims to steal 440GB of files
The threat actor, known as "Fortibitch,"
Okay, NOW you've got my attention.
- 8. DUMPSTER FIRES: Cybersecurity Pen Test Arrests: 5 Years Later
An incredible listen. Remember when a couple of physical pentesters were thrown in jail in Iowa during a paid engagement to break into a courthouse? This is THAT story, with the benefit of 5 years of hindsight.
Includes both pentesters, the CISO of Coalfire, and the journalist at Dark Reading who covered it as the news was breaking. Five years later, these poor guys are still dealing with the fallout on an almost daily basis.
- 9. SQUIRREL: ‘The data on extreme human ageing is rotten from the inside out’ – Ig Nobel winner Saul Justin Newman
This is less of a non-sequitur than I usually post for a squirrel story, because it's a tale about what can happen when you don't check the integrity of your source data. I've run into this problem on several occasions while working with data scientists in cybersecurity, though none of them were as huge and impactful as this one.
This science faux pas isn't quite as bad as the misunderstanding that led to a food industry-wide fat-free craze, but it's still pretty bad.