More stories


    How does NordVPN work? Plus how to set it up & use it

    The acronym VPN stands for virtual private network. Those three words tell a lot about how a VPN works. Let’s start with network. VPNs provide network connections, meaning they move data to and from your device. Private means they make that movement private, helping prevent hackers from seeing what you’re sending. And virtual means that you’re doing it all in software. You’re not running a new set of wires. Instead, you’re creating a software-based network connection that then moves data over the physical connection (whether that’s wireless or wired).

    What a VPN actually does is take data that you’re sending out over the Internet and encrypt it before it leaves your machine. That encrypted data is sent to the VPN provider’s servers, where it’s decrypted, and then sent on to, say, Google or Netflix. NordVPN, which is the service we’re talking about today, has more than 5,200 servers across the world.

    On the flip side, a VPN takes data from a server on the internet, encrypts it on one of Nord’s servers, and sends that encrypted data to your computer, which decrypts it when it arrives. This is what provides protection against, in particular, Wi-Fi snoops at airports, hotels, and schools. By virtue of your data leaving the VPN provider’s server (which, for NordVPN, can be in your choice of 60 countries), your actual location can be hidden, and the final server sees as your location what’s actually the location of your provider’s server.

    That’s how VPNs obfuscate your location. Although it’s sometimes illegal, many people use this capability to change their apparent region to watch blacked-out sports or region-locked TV. Far more important is that activists and those concerned about stalkers use it to hide their location for their personal security.

    OK, so with that introduction into how VPNs — and, specifically, NordVPN — work, let’s look at how to set up and install NordVPN. We’re going to do this on a Windows machine, but the practice is very similar for Macs, Linux, and mobile devices.

    Servers: 5242
    Countries: 60
    Simultaneous connections: 6
    Kill switch: yes
    Logging: Email address and billing information only
    Price: $11.95 per month
    Best Price: $89 for two years ($3.30/mo)
    Trial: 30-day refund guarantee
    Supported platforms: iOS, Android, MacOS, Windows, Linux, game consoles, smart TVs, more

    Installing NordVPN

    To kick things off, point your browser at the NordVPN website. The company does run promotions from time to time, so the promotion shown here may or may not be on the site when you visit. Once you click in, you’ll need to choose your plan, create an account, and purchase the service. At this point, it’s time to dig into the dashboard to get your download.

    Once you log into your account, you’ll see the dashboard. Unfortunately, unlike most of the other VPN services we looked at, the most appropriate download isn’t immediately presented. You’ll need to click View Details first. There are some helpful resources shown on this next page, but what you want is the Download link. And now, finally, you can download the Windows client.

    Once downloaded, go ahead and hit the Open File link. And tell Windows that yes, you did want to do what you just did. And then tell Windows where to put the client program. You can choose to add a desktop icon and a Start menu entry. This is a test Windows install that was set up just for this demo, so we’ll drop both the icon on the desktop and into the Start menu. Normally, on my production Windows machines, I don’t let installers put icons on the desktop (if given the option). It’s your machine, so choose as you wish.

    And just to quench your need to click even more, here’s one more screen before the install actually happens. Nope. I was wrong. This is the last screen you have to click before the install is done. Yes, Virginia, there really is an application at the end of all those clicks. Go ahead and log in using the same account and password you established when purchasing the service.

    Checking Settings

    OK, now that we’re finally in the client application, hit the almost hidden gear at the top of the window to get into the settings area. This first page allows you to choose whether the client is always running when you start Windows and whether the window is minimized. If you want things to happen behind the scenes, turn on minimized. If you want a reminder that NordVPN is present, let it show up on your screen at normal size.

    Let’s move down to the Auto-connect tab. This is pretty powerful. You can decide that your computer is always routing traffic through the VPN or not. You can also turn it on only if you’re using Wi-Fi instead of a hard-wired connection. You can also tell it that certain Wi-Fi networks (like your home or office network) don’t need to go through the VPN service. That way, when you leave home and go to, say, a coffee shop, it will automatically connect via the VPN. Powerful option.

    The last settings pane we’re going to look at today is the Kill-Switch. This shuts down your Internet connection if the VPN link is severed. This is important because you don’t want data to suddenly go across the network unencrypted and unprotected.

    Using NordVPN

    And, with that, let’s get started using the VPN service. The easiest thing to do is hit Quick Connect. You can also choose the country you want to connect via. I’m in the US Pacific Northwest, so it makes sense that NordVPN connected me to a reasonably close server. When done, you can punch the Disconnect button.

    Finally, there’s a hidden feature under the Disconnect button. You can disconnect from the VPN for a specified period of time. This is good if you have to access something over a local network, but want to make sure the VPN is turned back on afterwards.

    So, there you go. That’s how to use NordVPN. Let us know what you think in the comments below. You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.



    Cybersecurity jobs: This is what we're getting wrong when hiring – and here's how to fix it

    Cybersecurity expertise is in high demand. Faced with threats like phishing, ransomware and data breaches, businesses need information security staff on their teams to help protect their networks from attacks. While the intention to build and improve cybersecurity teams is there, recent research demonstrates how businesses often make mistakes when hiring, leading to difficulties recruiting and retaining IT security staff.  

    The number of unfilled vacancies doesn’t just make it harder for businesses to keep networks secure – it also has an impact on the people already working on cybersecurity teams, who are expected to do everything necessary to maintain network security, but with just a fraction of the required personnel. That’s leading to burnout, making it much harder for people to do their jobs at a time when a growing need to secure remote workers is adding to their workload. In some cases, burnout means people could walk away from the industry altogether when their skills are needed most.

    So why are organisations struggling to fill vacancies when there’s a workforce available, at a time when hiring cybersecurity staff is arguably more important than ever before? Because businesses often don’t understand what they’re looking for, leading to mistakes when trying to hire. Job adverts outside of cybersecurity come with requirements for the role, including experience and qualifications. Human resources departments are taking those templates and applying them to information security, which often doesn’t follow the same stringent requirements for qualifications.

    It’s possible to be highly qualified and highly experienced in cybersecurity without formal qualifications, yet many businesses attempting to hire security staff see qualifications and certifications as a requirement. Alyssa Miller, a business information security officer and public speaker on cybersecurity, has done extensive research into hiring practices in the industry, as well as presenting a TED talk on the issue. She says almost three-quarters of entry-level job vacancies she looked at ask for a Certified Information Systems Security Professional (CISSP) certification, something which takes years of training, costs money to take an exam – and isn’t realistic for someone looking for their first job in the industry. “Of the supposed entry-level job descriptions that I looked at, 71% of them call for a CISSP. That’s not entry-level, because you have to have five years of experience to get a CISSP,” says Miller. 

    In some cases, companies are advertising to fill internship positions – something that in usual circumstances allows people to learn on the job while also helping the company. However, even when it comes to advertising for internships in cybersecurity, there are adverts that require an applicant to have five years of working in the field. People with years of professional experience are being asked to take jobs for little or even no pay. “If you have five years of experience in cybersecurity, you’re not an intern anymore, you’re an advanced professional at that point – do you think you’re going to get a five-year veteran in cybersecurity for intern pay? No, of course not,” says Miller.

    Cybersecurity involves a particular set of skills, which people have put in time and effort to learn. The nature of the industry means that, when it comes to skilling up, many information security professionals have ended up in the career path because of a keen interest in cybersecurity – and some are self-taught, showcasing the aptitude required to succeed, even if they don’t have any specific certifications. That can be confusing for human resources departments, which are used to viewing and hiring applicants based on the candidate having certain qualifications that information security people might not have. Someone could have years of experience in the industry, but if HR doesn’t see what they perceive as the correct qualifications, their application could be discarded, despite the hands-on experience.

    Cybersecurity, in short, is following the same pattern as other careers in computing and technology before it. “We went through all of that with software engineering 10 years ago and now cybersecurity is right at that point,” says Adam Enbar, CEO and co-founder of Flatiron School, which teaches on-campus and online bootcamps in software engineering, data science and cybersecurity. “You have employers who are hiring but they don’t really know what they’re hiring for, and they don’t even know what to look for.”

    This doesn’t just come down to expecting experienced professionals to work for little or nothing – some businesses simply have unrealistic expectations around what’s required for the job. In addition to requiring certifications, it isn’t uncommon to see job adverts asking for lengthy experience in disciplines that have only existed for a few years. “Job descriptions have got to get better. They need to be focused on the right things – they can’t be asking for 10 years of Kubernetes experience when Kubernetes has only existed for six years. There are plenty of examples of those job descriptions out there that do silly things like that,” says Miller.

    Then there’s the issue of timing. Some companies will go on major hiring sprees in the aftermath of a major cybersecurity incident, or because they fear becoming the next victim of a massive data breach, ransomware campaign or other cyberattack. In this scenario, the hiring companies want instant results from cybersecurity professionals with years of experience in a security operations centre (SOC). “Most postings are written for people with five to 10 years of experience. This happens because employers often begin to invest and dedicate time to hiring cybersecurity professionals when they’re facing a crisis – at which point, you don’t want someone with minimal experience, you need someone with experience to come and clean up very fast,” says Christine Izuakor, founder and CEO of Cyber Pop-up, a company that provides on-demand cybersecurity services, and a cybersecurity instructor for Udacity.

    A better strategy than attempting to panic-hire cybersecurity personnel following an incident would be to have them on staff to begin with – people who know the company well and can help prevent incidents from occurring in the first place, or can react in the right way if something goes wrong. “The solution is for organisations to be more proactive in finding these individuals to build a cybersecurity team, instead of just waiting for a cyberattack or other security crisis to happen. In doing so, employees have time to learn and grow into roles,” says Izuakor.


    That’s going to require a change in attitude around hiring. Companies can’t just expect experienced cybersecurity professionals to materialise out of nowhere and accept working on an entry-level salary. Businesses need to accept they must begin hiring people at the very start of their careers. While they may have less experience, they can learn on the job and, if taken care of, can be a positive investment for an organisation – even if they don’t have any technical qualifications to begin with.

    In her TED talk, Miller explains how someone like a barista could have the necessary skills to thrive in a cybersecurity career. They can do many different things at once while making and serving coffee, so what’s to say they can’t take that experience and use it in a security analyst role? “I’m looking for somebody who’s really good at taking those multiple inputs, like a barista – they can take that myriad of things that comes at them, and synthesise that into tasks and then prioritise and execute on those tasks. That’s what I ask a SOC analyst to do,” she says.

    By expanding the search for cybersecurity staff in this way, organisations have a better chance of diversifying the workforce, which can help improve cybersecurity for everyone by bringing different viewpoints and considerations into the room, as well as being able to respond better to new threats and issues. “Organisations need to look at recruiting individuals who come from a variety of backgrounds, and can adapt to the growing threat landscape and new challenges. A versatile workforce will assist in battling any cyber threats and maturing current cyber capabilities,” says Izuakor, who adds that investing in training these employees is also key. “Due to the pace at which technology is evolving, constant development of talent is critical. By implementing a robust training and upskilling program, individuals are given the opportunity to learn and progress in their own careers while organisations can get ahead of the growing competition in the industry by building up internal talent.”

    Cybersecurity is a vital part of modern business, so businesses should invest in hiring the right people. Demanding five years of experience for an entry-level role isn’t going to work, nor is a tick-box exercise of demanding particular qualifications in an industry famous for people joining in unconventional ways, and where new threats mean new skill sets are always required. Businesses therefore need to think ahead when it comes to cybersecurity hiring. Recruitment isn’t something to be done just to patch things up after an incident – it’s a major part of running a business and should be treated as such. That’s why hiring the right people and treating them with respect and care is necessary. Get it wrong, and your existing cybersecurity team could become burned out and walk away – and the only people who will benefit are cyber criminals.


    Cloud and security certifications for Google, Windows, AWS and more lead to highest-paying IT positions

    IT training company Global Knowledge has released a ranking of the 15 top-paying certifications in 2021 based on the responses of 3,700 US-based respondents, finding that some Google, AWS and Microsoft certifications often led to six-figure salaries. Number one on the list was the Google Certified Professional Data Engineer, which the survey found can bring in $171,749. Google Certified Professional Cloud Architect was next on the list with a salary of $169,029, followed closely by Associate AWS Certified Solutions Architects, who bring in $159,033.

    CRISC, CISSP, CISM, PMP, CISA, MCSE, CompTIA Security+, CCA-V and other certifications all made their way onto the list, with salaries ranging from $151,000 to $110,000. Certifications for Azure, Cisco, Nutanix and VMware were also featured on the list. The company surveyed US IT workers from November to February this year and only included certifications that got at least 68 responses. The researchers behind the study noted that many of the top-paying certifications relate to cloud computing and cybersecurity. ITIL Foundation is the most widely held certification, the survey found.

    More than 65% of IT leaders said the annual economic value of having an employee with the additional skills and contributions made by being certified over a non-certified employee is over $10,000, while another 22% said the annual value is $25,000 and above. “Technology is only as powerful as the capabilities of the people trained to use it,” said Michael Yoo, general manager of technology & developer skills at Skillsoft, which owns Global Knowledge. “With this in mind, certifications are an excellent way of infusing vital skills into an organization, while boosting employee productivity and investing in ongoing professional development.”

    More than 75% of IT leaders said they struggle to find employees who match the skills they’re looking for, particularly now that hacks and technology-related outages have become more commonplace and damaging, Yoo explained. Yoo added the certifications on the list are all accredited by industry-leaders, including AWS, Cisco, Google Cloud, ISACA and Microsoft. 

    Yoo told ZDNet that project management and virtualization are perennial entries in this list, which he said is not surprising given how mission critical those skills are. “With Virtualization, it is the technical backbone of any modern technical infrastructure that hopes to run efficiently at scale, and it’s essential whether you are working on-premises, in the cloud, or in a hybrid of both,” Yoo said. “The no. 1 reason mentioned by IT professionals who changed jobs and why organizations who support continuous learning/upskilling will have an easier time attracting and retaining talent while deriving more value from its employees. If IT professionals don’t see a future with your company, they’ll leave.”

    This was backed up by the findings of the survey, where 52% of respondents had two to four positions they were unable to fill in the last 12 months. Yoo noted that the pandemic has accelerated cloud adoption and made it clear that enhanced digital security measures have become fundamental to business operations. “Cybersecurity risks paired with the high rate of skills gaps and growing talent wars, you can understand why organizations are willing to pay higher salaries to skilled IT professionals who can protect them,” Yoo said. “In regards to cloud computing, worldwide end-user spending on public cloud services is forecast to grow 23.1% in 2021 to total $332.3 billion, up from $270 billion in 2020, according to Gartner, Inc. The crisis was a catalyst for establishing the value and flexibility of cloud computing. However, with cloud adoption, IT now faces the challenge of finding skilled talent.”

    IT departments, Yoo explained, are now investing more in hiring externally or upskilling employees with the necessary certifications.


    How does Surfshark work? How to set up & use the VPN

    The acronym VPN stands for virtual private network. Those three words tell a lot about how a VPN works. Let’s start with network. VPNs provide network connections, meaning they move data to and from your device. Private means they make that movement private, helping prevent hackers from seeing what you’re sending. And virtual means that you’re doing it all in software. You’re not running a new set of wires. Instead, you’re creating a software-based network connection that then moves data over the physical connection (whether that’s wireless or wired).

    What a VPN actually does is take data that you’re sending out over the Internet and encrypt it before it leaves your machine. That encrypted data is sent to the VPN provider’s servers, where it’s decrypted, and then sent on to, say, Google or Netflix. Surfshark, which is the service we’re talking about now, has more than 3,200 servers across the world. On the flip side, a VPN takes data from a server on the internet, then encrypts it on one of Surfshark’s servers, and sends that encrypted data to your computer, which decrypts it when it arrives.

    This is what provides protection against, in particular, Wi-Fi snoops at airports, hotels, and schools. By virtue of your data leaving the VPN provider’s server (which, for Surfshark, can be in your choice of 65 countries), your actual location can be hidden, and the final server sees as your location what’s actually the location of your provider’s server. That’s how VPNs obfuscate your location. Although it’s sometimes illegal, many people use this capability to change their apparent region to watch blacked-out sports or region-locked TV. Far more important is that activists and those concerned about stalkers use it to hide their location for their personal security.

    OK, so with that introduction into how VPNs, and specifically Surfshark works, let’s look at how to set up and install Surfshark. We’re going to do this on a Windows machine, but the practice is very similar for Macs, Linux, and mobile devices.

    Servers: 3200
    Countries: 65
    Simultaneous connections: unlimited
    Kill switch: yes
    Logging: no
    Best Price: $59.76 for 24 months ($2.49 per month)
    Trial: 30-day refund guarantee
    Supported platforms: iOS, Android, MacOS, Windows, Linux, FireTV

    Installing Surfshark

    Let’s get started. Point your browser to Surfshark’s website and click the Get Surfshark button. Next, go ahead and choose a plan. If you’re planning on using Surfshark for more than five or six months, you might as well go ahead and sign up for the two-year plan, since it’ll be about the same price as going month-to-month. Remember, there is a 30-day money-back guarantee. We strongly recommend you test everything you think you might want Surfshark to do in that time, to decide if this is really for you.

    Surfshark does have an upsell, for antivirus and account monitoring. It’s up to you whether you want to sign up for it. We’re only covering the VPN-related features in this tutorial. Once you’ve completed the sign-up process, go back to the Surfshark.com home page and log in. Once you do, you’ll be on the main account page. We’re installing Surfshark for Windows, so we’ll click the Windows download button. Once it downloads, hit Open File. Let Windows know you did that on purpose.

    Starting Surfshark

    And there we go. Next, log into the program using the same credentials you used to sign up for your account. You’ll get a nice welcome message to start. Before you see the main interface, you’ll be given a number of configuration options. The main decision you should make now is whether you want your Internet connection to run through Surfshark as soon as you boot up or not. If you always want the connection over a VPN, turn this on now.

    Using Surfshark

    And with that, you’re ready to use Surfshark. Here’s the main screen. Unless you’re trying to spoof your location or surf as if you’re in another country, your best results will be found by clicking on Fastest Server. That will start the connection. My fastest connection was in Bend, Oregon. Since I live in Oregon, that makes sense. There’s a pie shop in Bend that makes the best grilled cheese sandwich I’ve ever had. Unfortunately, Bend is a few hours from here by car, so I’ve only had that sandwich once. But a boy can dream, can’t he?

    So, that’s it for the basic operation of Surfshark. To end a connection, just click the Disconnect button as shown above. Next, let’s look at a few settings.

    Checking Surfshark’s settings

    You can access the Settings menu in the lower-left corner. The other icons on the left dashboard panel are for the antimalware and identity scan upgrades Surfshark offers. For now, let’s tap the gear icon. Here you can get to your account and plan information. Let’s scroll down because that’s where the good settings live. As you can see, you can change the language used, and turn on dark mode. But what we’re focusing on is the Connectivity and Advanced menus.

    It’s the Connectivity Settings pane where you should pay the most attention. As you can see, you can decide to launch Surfshark on login and, once again, here’s the button that lets you decide whether to auto-connect when you log in. Further down, though, is the most important option, the Killswitch option. This is critical because if you’re connected and counting on VPN security and that VPN connection drops, you don’t want your computer to send data in the clear. Make sure to turn on Killswitch when you need to stay secure. It’s critical.

    Next, let’s look at the Advanced pane. The NoBorders option normally comes on when necessary. It basically spoofs international connections when you’re surfing. At the very bottom of the Advanced pane, you’ll see Speed test. We’re going to look at that next. Speed test lets you run connection tests for various regions. Here, I went ahead and clicked Run Test and the feature is gathering data on servers in Europe.

    So, there you go. That’s how to use Surfshark. Let us know what you think in the comments below.
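    Both VPN walkthroughs above describe the same two mechanisms in words: the client encrypts each outgoing packet so that a Wi-Fi snoop sees only ciphertext addressed to the provider's server (and the destination site sees the provider's address, not yours), and the kill switch refuses to send anything in the clear if the tunnel drops. The following simulation is an added example, not NordVPN's or Surfshark's code and not a real VPN protocol: the cipher is a toy SHA-256 keystream with an HMAC tag, used only so the demo's ciphertext is unreadable and tamper-evident, and every address, key and payload is constructed for the demonstration.

```python
"""Toy model of what a VPN tunnel and a kill switch change about a packet's
journey. Added example, not a VPN vendor's code: the "cipher" is a SHA-256
keystream plus HMAC tag and is NOT a real VPN protocol. Every address, key
and payload below is constructed for the demo."""
import hashlib
import hmac
from dataclasses import dataclass

CLIENT_IP = "10.0.0.5"       # constructed: laptop on hotel Wi-Fi
VPN_IP = "203.0.113.10"      # constructed: provider's server (TEST-NET-3 range)
SITE_IP = "198.51.100.7"     # constructed: the web site being visited
SESSION_KEY = hashlib.sha256(b"constructed demo session key").digest()
REQUEST = b"GET /account/statement HTTP/1.1"   # constructed plaintext


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` pseudo-random bytes (toy construction)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def tunnel_seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def tunnel_open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything modified in transit."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel packet failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class TunnelDown(Exception):
    """Raised when the kill switch refuses to send in the clear."""


class VpnClient:
    def __init__(self, key: bytes, kill_switch: bool, tunnel_up: bool = True):
        self.key, self.kill_switch, self.tunnel_up = key, kill_switch, tunnel_up
        self._counter = 0

    def send(self, dst: str, payload: bytes) -> Packet:
        if self.tunnel_up:
            # Encapsulate the real destination inside the encrypted payload;
            # on the wire the packet is addressed only to the VPN server.
            self._counter += 1
            nonce = self._counter.to_bytes(12, "big")
            inner = dst.encode() + b"|" + payload
            return Packet(CLIENT_IP, VPN_IP, tunnel_seal(self.key, nonce, inner))
        if self.kill_switch:
            raise TunnelDown("kill switch: tunnel is down, refusing clear-text send")
        return Packet(CLIENT_IP, dst, payload)   # leak: plain text straight to the site


class VpnServer:
    def __init__(self, key: bytes):
        self.key = key

    def forward(self, pkt: Packet) -> Packet:
        """Decrypt, recover the real destination, re-send from the server's IP."""
        dst, payload = tunnel_open(self.key, pkt.payload).split(b"|", 1)
        return Packet(VPN_IP, dst.decode(), payload)


def run_scenario(kill_switch: bool, tunnel_up: bool) -> dict:
    """What the Wi-Fi snoop and the destination site each observe."""
    client = VpnClient(SESSION_KEY, kill_switch, tunnel_up)
    try:
        on_wire = client.send(SITE_IP, REQUEST)
    except TunnelDown:
        return {"blocked": True}
    at_site = VpnServer(SESSION_KEY).forward(on_wire) if on_wire.dst == VPN_IP else on_wire
    return {
        "blocked": False,
        "snoop_dst": on_wire.dst,                    # who the snoop thinks you talk to
        "snoop_can_read": REQUEST in on_wire.payload,
        "site_src": at_site.src,                     # the "location" the site sees
        "site_payload": at_site.payload,
    }


if __name__ == "__main__":
    for ks, up in [(True, True), (False, False), (True, False)]:
        print(f"kill_switch={ks} tunnel_up={up}: {run_scenario(ks, up)}")
```

    Running it shows the three states the articles describe: with the tunnel up, the snoop sees only an opaque blob going to 203.0.113.10 and the site sees 203.0.113.10 as the visitor; with the tunnel down and the kill switch off, the request goes out readable and the site sees the laptop's own address; with the kill switch on, the send is refused rather than leaked. The integrity tag is why a real VPN's "private" claim covers tampering as well as eavesdropping.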



    Ransomware: This amateur attack shows how clueless criminals are trying to get in on the action

    Ransomware is one of the biggest cybersecurity threats to businesses today, and cyber criminals can potentially make millions of dollars in Bitcoin for a single successful attack. This lure of quickly making large sums of money is attracting interest from across the cyber-criminal spectrum, from sophisticated gangs specialising in ransomware attacks, to affiliate schemes where wannabe ransomware kingpins can lease out ransomware as a service in exchange for a cut of the profits. 

    It’s also attracted low-level cyber criminals, who see an opportunity to grab a slice of the ransomware pie – even if they have little idea what they’re doing.

    Cybersecurity researchers at Abnormal Security have detailed an amateur ransomware campaign using social engineering in an attempt to fool employees into installing DemonWare ransomware on their organisation’s network, in return for a slice of the payout. DemonWare ransomware – also known as Black Kingdom and DEMON – is one of the least sophisticated forms of ransomware around, but that hasn’t stopped cyber criminals trying to use it. In this instance, the attacker uses LinkedIn and other publicly available information to identify targets and reaches out to them by email, asking if they want to install DemonWare ransomware on the network in exchange for a million dollars – a 40% cut of a $2.5 million ransom.

    The attacker leaves an email address and a Telegram username for interested parties to contact – which researchers did, using a fictitious persona, in order to find out more about the campaign and those behind it. It quickly became apparent that the ransomware attacker wasn’t the most sophisticated cyber criminal in the world, and they quickly lowered the proposed cost of the ransom down to $120,000. For the attacker, however, that would still be a lot of money. “Like most financially motivated cyber criminals, this actor is simply trying to make any amount of money from this scam. Although he quickly pivoted to a much lower ransom amount over the course of our conversation, $100,000 or $1 million would both be a life-changing amount for him,” Crane Hassold, director of threat intelligence at Abnormal Security, told ZDNet.

    The attacker claimed that the person responsible for installing ransomware on the network wouldn’t be caught, claiming that DemonWare would encrypt everything, including CCTV files. Researchers note that this approach suggests the attacker is “not very familiar with digital forensics or incident response investigations”. But analysis of the files sent by the attacker confirmed that they’re really attempting to distribute a working version of DemonWare ransomware. The attacker claims that they’ve coded the ransomware themselves, but this is a lie – DemonWare is freely available to download from GitHub, its actual author having placed it there “to demonstrate how easy ransomware are [sic] easy to make and how it work [sic].” The attacker’s self-coding claims are likely just another part of the attempt to persuade people to go through with the scheme. According to the attacker, they’ve successfully encouraged people to help them to deploy ransomware, although their claims are unlikely to be trustworthy.

    But who is this wannabe ransomware attacker? By using the email and Telegram contact details they provided in their initial message, researchers were able to trace them to a trading website for Naira, the currency of Nigeria, as well as a Russian social media platform. When presented with this information in messages, the attacker confirmed they are Nigerian – which might explain the initial attempts at social engineering. Cyber criminals working out of Nigeria tend to focus their efforts around phishing and business email compromise (BEC) attacks, but in this case, they’ve taken what they know and attempted to apply it to ransomware. “Knowing the actor behind this campaign is Nigerian really adds a lot of context to the tactics he’s using. For years, cyber criminals in Nigeria have used basic social engineering techniques to commit a wide variety of scams, so it makes sense that this actor is trying to use the same tactics to deploy ransomware,” said Hassold. “It seems this actor is trying to jump on the ransomware bandwagon due to the attention recent attacks have gotten in the media; however, he’s adapted historical ransomware delivery methods to fit within the attack framework he’s likely used to,” he added.

    While this attacker might not be very successful, other more experienced ransomware operations benefit from finding insiders to help them gain access to networks. For example, LockBit ransomware – which has surged in popularity in recent months – regularly advertises for insiders to help carry out campaigns.

    To help prevent the network from being compromised with ransomware – be it via an outside intrusion or an insider threat – information security teams should limit the permissions of users unless it’s necessary for them to have admin privileges. This can prevent cyberattacks from exploiting regular user accounts as a means of gaining access to key parts of the network. Regularly applying security patches, enforcing the use of multi-factor authentication and storing offline backups can also help prevent disruptive ransomware attacks.


    Half of APAC firms bypass processes to accommodate remote work

    Some 56% of Asia-Pacific businesses admit to sidestepping digital processes to accommodate remote or flexible work arrangements. This is despite 48% expressing increased concern about their company’s ability to manage security threats. The latter figure was higher than that of their counterparts in the Americas, 41% of whom were similarly more concerned than before about their organisation’s ability to mitigate cyber threats, according to EY’s 2021 Global Information Security Survey. Conducted in March and May this year, the study polled 1,010 respondents worldwide, with 20% from Asia-Pacific, 36% from the Americas, and the remaining 43% from Europe, the Middle East, India, and Africa (EMEIA). Just 20% in Asia-Pacific said their cybersecurity teams were part of the planning stage of any digital transformation initiative, the study found. Respondents further noted that while business managers recognised the cybersecurity team’s strengths in traditional areas, such as controlling risk, they did not always regard it as a strategic partner.

    In fact, 71% of cybersecurity leaders described their relationships with business owners as neutral or negative. Some 44% said their engagements with marketing and HR departments were poor. Despite the emergence of sophisticated cyber attacks, the EY report noted that 57% of organisations in the region were uncertain whether their cybersecurity defences were sufficiently robust to combat new hacking tactics. Some 73% cited an increase in disruptive attacks such as ransomware over the past year, up significantly from 47% in the 2020 report. Another 47% warned that their company’s cybersecurity budget was inadequate to mitigate challenges that had surfaced in the last 12 months. In fact, 41% anticipated a major breach that they might be able to avoid with better investment in cybersecurity, compared to 29% in the Americas.

    The report revealed that Asia-Pacific respondents allocated 0.05% of their annual revenue to cybersecurity, similar to the global average of 0.04%. EY’s Asia-Pacific cyber leader Richard Watson said: “Businesses are planning a new wave of technology investments to thrive in the post-COVID-19 era. If cybersecurity is left out of investment discussions, the threat will continue to grow in the years to come. They should consider sharing the cost of cybersecurity across the business to support transformation.”

    EY’s Asean cybersecurity lead Steve Lam added that businesses were realising that the “stop-gap technology solutions” rolled out in the early days of lockdowns were inadequate to securely support the new normal around work. With some parts of Southeast Asia still in lockdown, Lam said such challenges for CISOs (chief information security officers) in the region were further compounded by the shortage and high turnover of cybersecurity skills in local markets. If these executives were able to plug the talent gaps, he noted, CISOs could tap their company’s ongoing business and technology transformation in response to the pandemic to drive improvements in the organisation’s cybersecurity posture.

    Watson said: “CISOs must make difficult decisions, realigning cybersecurity requirements to better meet changing business needs after the COVID-19 pandemic. Mapping cybersecurity strategy and their organisation’s risk profile against business and IT goals will ensure alignment and cement strategic relationships between CISOs, CEOs, and the rest of the C-suite.” “At a time of greater distrust and with the cyber function being under more scrutiny than ever, CISOs have an opportunity to better demonstrate the strategic importance of their role and raise their profiles within the business, especially in the aftermath of the pandemic,” he added.

    Remote arrangements accelerate education security risks

    In a separate note published Thursday, Check Point Software Technologies revealed that cyber attacks against the Southeast Asian education and research sector climbed 28% in July 2021 to an average of 1,739 attacks a week, compared with the first half of 2021. Globally, the increase was 29% for the sector, with India the most targeted country, followed by Italy, Israel, Australia, and Turkey. India’s education and research sector saw an average of 5,196 weekly attacks per organisation, up 22% from the first half of the year. By region, South Asia was the most targeted, followed by East Asia and Australia/New Zealand, according to Check Point.

    The security vendor’s Asean and Korea regional director Teong Eng Guan noted: “The education sector in Southeast Asia was attacked significantly more compared to other industries in the month of July. Schools, universities, and research centers make for attractive targets to cybercriminals because they are often under-resourced from a security perspective.” “The short-notice, on-and-off shift to remote learning exacerbates the security risk,” Teong said. “With so many students logging on from their home networks using their personal devices, the current school season presents a range of new security threats that many aren’t prepared to address. Organisations in the education sector should be proactive in their protection strategies. It’s important to constantly change and strengthen your passwords and use technologies that prevent cyberattacks, such as ransomware.”


    Citizen Lab finds Apple's China censorship process bleeds into Hong Kong and Taiwan

    Image: Citizen Lab
    Apple’s application of filters for blocking content in China has seeped into how it operates in Hong Kong and Taiwan, according to Citizen Lab researchers. According to the research, Apple’s filters, which pertain to derogatory, racist, sexual, and sometimes political content, censor more than is required by a given region’s moderation regulations. The research looked at keyword filtering rules used by Apple to moderate content across China, Hong Kong, Taiwan, Japan, Canada, and the United States. While the six jurisdictions each have different regulatory and political environments that may affect Apple’s filtering decisions and content moderation policies, Citizen Lab found the censorship applied within China also bled into both Hong Kong and Taiwan, with much of it exceeding Apple’s legal obligations.

    In Taiwan, Apple has no legal obligation to perform political censorship, but it still blocks engravings related to the Chinese Communist Party, China’s state organs, and political-religious groups like Falun Gong. Meanwhile, in Hong Kong, Apple broadly censors references to collective action, such as the Umbrella Revolution, the Hong Kong Democratic Movement, double universal suffrage, and freedom of the press. Although the National Security Law, which took effect in Hong Kong last year, can potentially be used to mandate that entities and individuals remove political content, freedom of expression is legally protected in the region under the city’s Basic Law and the Bill of Rights.

    Beyond carrying China’s filtering practices over into Hong Kong and Taiwan, the iPhone maker at times also made arbitrary blocks. In one case, Citizen Lab said Apple censored ten Chinese names with the surname Zhang whose significance was generally unclear, although it noted the names also appeared on a list used to censor products from a Chinese company. “Apple does not fully understand what content they censor and that, rather than each censored keyword being born of careful consideration, many seem to have been thoughtlessly reappropriated from other sources,” Citizen Lab claimed. “Apple’s seemingly thoughtlessly and inconsistently curated keyword lists highlight the ongoing debates of companies’ content regulation models. Companies, especially those operating globally, have great impacts on both users of their products and non-users who may be indirectly affected by their products.”

    In the research, Citizen Lab analysed how Apple filters engraving keywords across the six regions. For each region, Apple verifies engravings using a different API endpoint, which allows a different set of filtering rules per region. By testing how these API endpoints responded to engravings of over 505,000 previously discovered keywords that are censored in various Chinese applications, including WeChat, Citizen Lab found the largest number of blocks applied to mainland China, where 1,045 keywords filtered product engravings, followed by Hong Kong with 542 and Taiwan with 397. By reviewing the filtered engravings, Citizen Lab found the Taiwan filtering rules are a strict subset of the Hong Kong filtering rules, which are in turn a strict subset of the mainland China filtering rules.

    The researchers also said Apple has no public-facing policy documents that explain or regulate what users can or cannot engrave on Apple products in any of the six jurisdictions. In light of this lack of transparency about how Apple moderates its content, Citizen Lab has called on the company to release a set of guidelines explaining why and how it moderates content. “The need for Apple to provide transparency in how it decides what content is filtered is especially important as we discovered evidence that Apple derived their Chinese language keyword filtering lists from outside sources, whether copying from others’ lists or receiving them as part of a directive,” the Canadian research group said.

    Citizen Lab previously revealed that WeChat, the popular messaging app operated by Tencent, subjected accounts beyond China to China’s pervasive content surveillance, which had previously been thought to be reserved exclusively for China-registered accounts. “WeChat implements censorship for users with accounts registered to mainland China phone numbers. This censorship is done without notification to users and is dynamically updated, often in response to current events,” Citizen Lab wrote in that piece of research.


    US Census Bureau stopped 2020 cyberattack but faces criticism for security lapses

    The Office of Inspector General (OIG) has released a report this week saying the US Census Bureau dealt with a cyberattack on January 11, 2020. OIG investigators reviewed the incident between November 2020 and March 2021, finding that while the Census Bureau was successful in stopping the attackers from gaining access to sensitive data, it left open a slate of vulnerabilities that hackers could have exploited. The investigators found that servers operated by the Census Bureau — which were in place to allow employees to access production, development, and lab networks remotely — were attacked using a publicly available exploit.

    “According to system personnel, these servers did not provide access to 2020 decennial census networks. The exploit was partially successful, in that the attacker modified user account data on the systems to prepare for remote code execution,” the report found. “However, the attacker’s attempts to maintain access to the system by creating a backdoor into the affected servers were unsuccessful.”

    The attack was initially handled by the Department of Commerce’s Enterprise Security Operations Center (ESOC), which manages security incidents and facilitates information sharing between the department, the Census Bureau and CISA. While commending the Bureau for stopping the attack, the OIG investigators found many other problems with how the incident was handled and with the way the Bureau used the servers.

    The report said the Bureau “missed opportunities to mitigate a critical vulnerability which resulted in the exploitation of vital servers.” Even after the servers had been exploited, the Bureau did not discover and report the incident “in a timely manner.” “Additionally, the Bureau did not maintain sufficient system logs, which hindered the incident investigation. Following the incident, the Bureau did not conduct a lessons-learned session to identify improvement opportunities,” the OIG report said. “We also found that the Bureau was operating servers that were no longer supported by the vendor. Since the January 2020 incident, the Bureau has made changes to its incident response program. By addressing the findings and recommendations in this report, the Bureau can continue to improve and have a more effective response to future cybersecurity incidents.”

    The Bureau had multiple opportunities to mitigate the vulnerability in its remote-access servers — in December 2019 and January 2020. Investigators found that on December 17, 2019, Citrix, the vendor the Bureau worked with on the servers, released information about the vulnerability along with steps to mitigate it. NIST gave the vulnerability a severity rating of “critical”, and a member of the Bureau’s CIRT team attended security meetings with CISA where it was discussed. CISA even sent out a link to guidance on mitigating the vulnerability. The changes were not made until after the attack had started. The attack would have failed if the Bureau had simply made the necessary changes, the OIG said.

    The OIG noted that the Bureau was also not conducting vulnerability scanning of the remote-access servers; the servers were not even included in the list of devices to be scanned. “This occurred because the system and vulnerability scanning teams had not coordinated the transfer of system credentials required for credentialed scanning,” the report said, noting that while the attackers failed to gain access to systems, they were still able to create new user accounts. “The Bureau was not aware that the servers had been compromised until January 28, 2020, more than two weeks later. We found that this delay occurred because, at the time of the incident, the Bureau was not using a security information and event management tool (SIEM) to proactively alert incident responders of suspicious network traffic. Instead, the Bureau’s SIEM was only being used for reactive, investigative actions.”

    The report said that by not using a SIEM to generate automated security alerts, it took the Bureau longer to confirm that the servers had been attacked, and its systems also failed to catch much of the attack at first. The investigators found that one of the remote-access servers was trying to communicate with a malicious IP address outside the Bureau’s network, and the Bureau’s SOC misidentified the direction of the malicious network traffic, concluding it had been blocked. The OIG said this was a missed opportunity, compounded by the failure of the ESOC to immediately share critical information about the exploited servers. ESOC was allegedly contacted by CISA about the attack on January 16, 2020 but did not respond. CISA sent another notice on January 30 to investigate the issue, which was then forwarded by ESOC to other Bureau leaders.
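The two SIEM findings above, the absence of automated alerting and the SOC misreading which way the malicious traffic flowed, come down to a rule a SIEM can evaluate on every firewall event. The following is an added example written for this page, not code from the OIG report, the Census Bureau or any vendor. It assumes a hypothetical key=value firewall log format, treats the RFC 1918 ranges as "inside the network", and uses a constructed watchlist holding a documentation-range address (RFC 5737) rather than any real indicator. Direction is derived from which end of the connection is internal, and a contact is only considered blocked when every outbound attempt to that address was denied, so a single deny line cannot mask an earlier allowed connection.

```python
"""Direction-aware SIEM rule for outbound contact with a watchlisted address.

Added illustration, not from the OIG report. Log format, internal ranges and
the watchlist address are all assumptions for the example.
"""
import ipaddress
from typing import Dict, List

# Assumption: the organisation's internal address space is RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed watchlist: an RFC 5737 documentation address, not a real IoC.
WATCHLIST = {ipaddress.ip_address("203.0.113.45")}

# Constructed sample log in a hypothetical key=value format.  10.20.0.15 plays
# the role of a remote-access server; 198.51.100.7 is an ordinary external client.
SAMPLE_LOGS = """\
2020-01-11T02:14:07Z fw01 action=allow src=10.20.0.15 dst=203.0.113.45 proto=tcp dport=443
2020-01-11T02:14:09Z fw01 action=allow src=198.51.100.7 dst=10.20.0.15 proto=tcp dport=443
2020-01-11T02:15:30Z fw01 action=deny src=10.20.0.15 dst=203.0.113.45 proto=tcp dport=8443
2020-01-11T02:16:02Z fw01 action=allow src=10.20.0.15 dst=10.20.0.40 proto=tcp dport=445
"""


def is_internal(ip) -> bool:
    """True if the address falls inside one of the internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Dict[str, object]:
    """Split one 'ts host k=v k=v ...' log line into typed fields."""
    ts, host, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": ts,
        "host": host,
        "action": kv["action"],
        "src": ipaddress.ip_address(kv["src"]),
        "dst": ipaddress.ip_address(kv["dst"]),
        "dport": int(kv["dport"]),
    }


def direction(ev: Dict[str, object]) -> str:
    """Classify by which end is internal, never by which line came first."""
    src_in, dst_in = is_internal(ev["src"]), is_internal(ev["dst"])
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "external"


def analyse(log_text: str) -> List[Dict[str, object]]:
    """Return one alert per outbound event whose destination is watchlisted.

    An allowed outbound hit is 'high' (the host reached the address); a denied
    one is 'medium' (the host tried to, which is itself a sign of compromise).
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        ev["direction"] = direction(ev)
        if ev["direction"] == "outbound" and ev["dst"] in WATCHLIST:
            ev["severity"] = "high" if ev["action"] == "allow" else "medium"
            alerts.append(ev)
    return alerts


def contact_was_blocked(log_text: str, internal_host: str, external_ip: str) -> bool:
    """True only if every outbound event from the host to the address was denied.

    This is the check the SOC effectively skipped: one deny line does not mean
    the contact was blocked if an earlier allow line exists for the same pair.
    """
    src, dst = ipaddress.ip_address(internal_host), ipaddress.ip_address(external_ip)
    outcomes = [ev["action"]
                for ev in (parse_line(l) for l in log_text.splitlines() if l.strip())
                if ev["src"] == src and ev["dst"] == dst]
    return bool(outcomes) and all(a == "deny" for a in outcomes)


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOGS):
        print(a["ts"], a["direction"], a["action"], a["src"], "->", a["dst"], a["severity"])
    print("blocked:", contact_was_blocked(SAMPLE_LOGS, "10.20.0.15", "203.0.113.45"))
```

Run against the constructed sample, the rule raises a high-severity alert for the allowed outbound connection at 02:14:07 and a medium one for the later denied attempt, and `contact_was_blocked` reports False because an allowed connection precedes the deny; the inbound client connection and the internal SMB connection produce nothing.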
    The OIG found a number of other delays that it said “wasted time during the critical period following the attack.” It urged the director of the US Census Bureau to ensure the CIO reviews automated alert capabilities on the Bureau’s SIEM and develops procedures to handle alerts from outside entities such as CISA. The Bureau also did not maintain sufficient system logs, hindering the investigation: a number of servers were configured to send system logs to a SIEM that had been decommissioned in July 2018. Even after migrating the capabilities of a number of remote-access servers to new server hardware in September and December 2020, the report said investigators found in February 2021 that the Bureau was still running all of the original servers involved in the incident. All of the servers were operating past their end-of-life date of January 1, 2021. Despite the mistakes, the Bureau’s firewalls blocked the attacker’s attempts to establish a backdoor for communicating with the attacker’s external command-and-control infrastructure.

    In a letter attached to the report, Acting Director of the US Census Bureau Ron Jarmin reiterated that there are “no indications of compromise on any 2020 Decennial Census systems nor any evidence of malicious behavior impacting the 2020 Decennial counts.” “Furthermore, no system or data maintained and managed by the census bureau on behalf of the public were compromised, manipulated, or lost because of the incident highlighted in the OIG report,” Jarmin said. His office noted that this was a “federal-wide incident that impacted numerous departments and agencies.” “The Census Bureau’s response to this incident was in line with federal direction and response activities,” Jarmin added. While the Bureau admitted to waiting too long to report the exploitation of the servers, it said it had been waiting for further direction from CISA.

    In response to the criticisms about using legacy systems that needed to be decommissioned, the Census Bureau said that in late 2020 it was working with Citrix engineers to migrate capabilities to new devices. “Due to circumstances outside the bureau’s control — including a dependency on Citrix engineers who were already at capacity supporting customers across the federal government who had realized greater impacts from the January 2020 attack, to complete the migration, and the COVID-19 pandemic — the migration was delayed,” Jarmin’s office explained. Jarmin pledged to take end-of-life concerns more seriously and said the Bureau has already made changes to how it responds to critical vulnerabilities and shares information with other departments. It has also developed automated alerting capabilities and established information-sharing procedures, Jarmin said.

    The OIG report recommended that the Census Bureau introduce a slate of further changes to how vulnerability notifications are handled and how assets are scanned for vulnerabilities. It also said Bureau incident responders need to ensure that they comply with Departmental and Bureau requirements to report confirmed computer security incidents to ESOC within 1 hour. The report also criticized the Bureau for not holding any kind of formal lessons-learned meeting, roundtable or talk after the attack at any level of the organization. “One incident responder stated that the team was consumed with responding to data requests from outside entities, which interfered with holding a lessons-learned session,” the investigators said. “Furthermore, after reviewing Bureau incident response policies and procedures, we were unable to locate any requirement or guideline prescribing the timeframe in which to hold a lessons-learned session.” The Bureau said in a letter on July 19 that it concurred with all nine of the OIG’s recommendations and submitted plans to achieve all of them.