News
What Lessons Can CIOs Learn from the Colonial Pipeline Hack?
Posted in: colonial, hacking, Security - May 20, 2021
The news angles and repercussions of the Colonial Pipeline hack just keep multiplying. It’s a story that serves to emphasize that a data breach bringing down a database or website is one thing – but crashing key infrastructure is quite another.
No ransomware attack has captured the imagination of the public like the Colonial Pipeline debacle. Millions paid in ransom, long lines at gas stations, soaring prices, federal government dallying, even a public explanation from CEO Joseph Blount as to why the company paid the ransom – this one has so many avenues to explore.
Investigators are delving into the exact causes. Whatever the specifics in the Colonial Pipeline hack, the contributing factors are unlikely to fall outside of these familiar vulnerabilities, each of which CIOs need to pay close attention to.
Phishing
Problem: All it takes is one gullible employee clicking on a malicious email link or attachment and the bad guys are inside. And while most know not to click open the email from the overseas banker who needs your help repatriating millions in krugerrands, phishing at the enterprise level still works.
Solution: Invest heavily in security awareness training to teach employees how to avoid being hoodwinked by social engineering ploys. All the security technology in the world and the best IT team in the universe can be utterly defeated by one inattentive staffer.
Backups
Problem: In the event of a ransomware attack, it is vital to have a clean backup to hand so you can get affected systems back up and running rapidly.
Solution: As well as good backup software, ensure you have the capability to test backups regularly, and scan them to make sure that your backups don’t contain ransomware.
Read more about why Tape Remains a Critical Part of Enterprise Storage.
Air Gaps
Problem: Any system that is online, such as a disk-based backup, is susceptible to attack. If bad actors get in there, they can lock you out and hold you to ransom. All the regular security measures can and should be used to thwart such attacks.
Solution: The only sure way is to have an air gap: a physical, offline barrier between the web and the data. This can be achieved via modern tape archiving and backup systems that keep tapes offline, yet they remain accessible within minutes if needed due to their automated nature.
Don’t pay the ransom.
Problem: FBI directives make it clear that ransoms should not be paid as it encourages the criminals to continue attacking. Plus, those paying have no guarantee they will regain access or that the bad guys have not retained some kind of backdoor or malicious code that can allow them to attack again.
Solution: Unless the financial cost of being denied access makes the ransom demands seem like chickenfeed, don’t pay. But you have a stronger hand if you have implemented points 2 and 3 above (backups and air gaps) so that you have all or most of the data available for relatively rapid recovery.
Segmentation
Problem: “One network to rule them all” is a bad idea. Period. One way to prevent ransomware from taking over enterprise resources is to internally segment the network. By doing so, malware can’t freely move around from one infected machine to another.
Solution: Ask your IT department what they are doing about micro-segmentation. Insist they institute some form of granular segmentation within the IT infrastructure in order to limit the visible attack surface. Yes, one segment may become compromised and subject to ransomware. But the others will remain secure as they are walled off.
Zero-trust security
Problem: Part of the problem is that one compromised user account may be enough for cybercriminals to enter the network. And if they gain admin privileges, it’s game over.
Solution: Implement zero-trust security frameworks and technologies as they enforce proper authorization and validation and limit access to applications, data, and networks. As part of this approach, all resources are micro-segmented so as to allow only the amount of access privileges absolutely needed. Many of the latest firewalls come with micro-segmentation and zero-trust features.
Read more on Rise of Zero-Trust Network Access.
Digital transformation
Problem: Most companies have submitted to the allure of digital transformation. This basically updates all systems so that they can integrate fully, gets rid of old analog and legacy systems, and brings the world of operational technology (OT – essentially building systems, cooling, heating, mechanical systems, etc.) into the world of IT. The downside is that with everything connected, the bad guys can shut anything down – like a pipeline or a hospital.
Solution: Enforce multi-factor authentication, and data encryption at rest and in transit, as well as the implementation of zero trust security, better endpoint protection, and faster incident response. And adopt a cautious approach to digital transformation so that your digitization initiatives don’t run far ahead of the need to secure them.
Patches
Problem: Next to phishing, uninstalled patches are the next biggest security hole in the enterprise. It’s shocking to note that urgent security patches from months ago are still not deployed in many enterprises.
Solution: Relieve the burden on IT by implementing automated and centralized patch management, and ideally turning the entire function over to a trusted vendor. The sad truth is that this function tends to get neglected as IT has other urgent priorities and firefights going on.
With breaches like the Colonial Pipeline hack making regular appearances in the headlines, CIOs have never been in a potentially stronger position to advance their companies’ security and infrastructure hardening goals. Zero-trust network access and segmentation might not close all the security gaps. But they’re certainly a good place to start.
The post What Lessons Can CIOs Learn from the Colonial Pipeline Hack? appeared first on CIO Insight.
What Are CIOs Looking for in Current IT Grads?
Posted in: business skills, Careers, github, IT grads, IT interviews, IT Management, IT project management, Leadership, new graduates, programming languages, Project Management, soft skills, technical skills - May 19, 2021
Few industries are experiencing the growth and role diversification happening in computer and IT professions. IT roles, particularly in the areas of cloud computing, big data, and information security, are expected to grow by 531,200 jobs from 2019 to 2029, which bodes well for IT graduates entering the job market.
But in a booming IT job market, are IT graduates truly prepared for the work that they’re heading toward? Do they possess both the technical and pragmatic skills to succeed when pitted against more experienced IT professionals? We connected with more than 50 CIOs and other IT leaders to learn more about what they’re looking for in new hires. Here’s what they had to say.
Read Next: The Post-COVID Future of IT Remote Work
Best Professional Practices for New IT Grads
- Develop a strong technical backbone and aptitude for more.
- Work on problem solving and business acumen skills early.
- Build on soft skills and propensity for learning constantly.
Develop a strong technical backbone and aptitude for more.
New IT graduates rarely have all, or even most, of the skills that CIOs want. Especially since most computer and data science university curriculums focus on theoretical over practical application, many graduating students have not yet developed the real-world skills that will make their knowledge relevant to a business.
IT leaders recognize this gap in experience, but still want new hires to demonstrate skills in the basic building blocks of the industry, with background or coursework in coding languages and relevant data science courses.
Arthur Iinuma, the cofounder and president of ISBX, explained in detail the technical skills that IT grads need to get noticed by hiring managers:
“We expect IT graduates to have coding skills in at least one of the main languages: Java, HTML, CSS and C++. Ideally, they should have some familiarity with one of the more exotic languages like C#, Python, AngularJS, Ruby or React.”
Beyond relevant coursework and knowledge, tech leaders look for IT grads who have applied this knowledge to real-world problems prior to entering the job market.
Iinuma offered another solution for current students and new IT grads who want to build their experience in the industry:
“Regarding technical skills, we are looking for experience with contributing to open source projects like GitHub. Candidates must have a firm understanding of systems architecture and database management. As the future of IT is data, strong data analysis skills are a must.”
Read Next: What Key Lessons Can CIOs Take from COVID?
Work on problem solving and business acumen skills early.
Many IT professionals start in hands-on, daily, problem-solving roles for their company or clients, which requires them to understand technical resolutions, people skills, and team collaboration skills.
CIOs will often use a problem-solution interview technique to assess a candidate’s skills in this area. What is a possible problem scenario the new hire could encounter in this role and how could they fix it? Consider several areas spanning from technical errors to interpersonal diplomacy, and determine what solution would help a new hire succeed in that scenario.
Several IT leaders also recommended that aspiring IT professionals gain project management experience before they search for an IT role.
Thilo Huellmann, CTO at Levity.ai, offered these project management suggestions for inexperienced IT professionals to build their skills:
“Project management isn’t technically a skill, but without it, even the most skilled programmer wouldn’t be able to achieve much. IT graduates who are employed by reputable tech firms are those who have shown the ability to see projects through from start to finish. Being a CTO, I think fresh IT grads should take project management classes or volunteer with tech projects that they can credit in interviews or applications. It’s a surefire way to set fresh IT grads apart to stand out from the crowd.”
IT students learned a wide variety of technical skills in school, but probably very few business and project management skills. Like web development and coding, project management skills can be learned online in courses like The Junior Project Manager – Learning Project Management Through Stories.
Build on soft skills and propensity for learning constantly.
Technology is always changing, so IT grads should always consider themselves students of their craft and their line of business. Hiring managers look for evidence that a prospect is committed to continuing to learn, staying up-to-date with tech trends, and learning emerging technologies. More importantly, CIOs want to be sure new hires arrive ready on day one to contribute to the team both professionally and personally, offering solutions and a collaborative spirit on all team projects.
Rich Temple, Vice President and CIO at Deborah Heart and Lung Center, offered these words of wisdom about the soft skills and culture fit that the right candidate needs to succeed early on in their career:
“I place a particular emphasis on the so-called “soft skills”. How would this person interact with colleagues and end users? Building constructive and collaborative relationships is extremely important, even in the most technically complex roles. Ensuring that we aren’t hiring someone who could be toxic to a positive team environment or would work in a “bubble,” not being cognizant of the larger impact of their work, is exceedingly important to me.”
Candidates who ask good questions will more than likely maintain that curiosity and willingness to learn as they grow in their role. IT leaders can assess an applicant’s aptitude for the position based on the quality of questions that they ask during the interview. Are they interested in continued learning opportunities at the firm? Are they curious about the team culture and what the company is looking for? Do their questions show a true passion for the position’s or company’s goals? All of these questions point to a candidate who will absorb their training and apply it as a new hire.
Temple shared these final words about why curiosity can help the new IT graduate land a new role successfully:
“What I can safely say is that, while specific technical skills or certifications are welcomed and valuable, that is only a piece of the puzzle. I like to see individuals who are eager to learn, have an understanding of the world around them, and seem as though they would be able to understand the business and operational contexts of the technical work they would be doing.”
Read Next: 6 Insightful CIO Interview Questions
The post What Are CIOs Looking for in Current IT Grads? appeared first on CIO Insight.
VPN vs. SDP vs. ZTNA: Who Won 2020?
Posted in: Infrastructure, SDP, VPN - May 14, 2021
The headline sounds like we might be discussing three competing political groups. Instead of the RNC and the DNC, it’s the VPN vs. SDP vs. ZTNA. Only this time, it’s all about competing remote networking architectures.
Virtual Private Networks (VPNs) have been with us for some time. Of late, though, Software-defined perimeter (SDP—aka zero trust network access or ZTNA) vendors have been proclaiming the VPN to be dead, urging organizations to switch to this newer approach.
Read More: Why You Should Implement Zero-Trust Security in 2021
VPNs dominated 2020.
But a recent survey by NetMotion of 750 IT leaders found that VPNs continued to be the dominant cloud access security tool used by businesses. 54% relied on VPNs to provide secure remote access in 2020 compared to 15% utilizing ZTNA/SDP solutions.
Another survey done by the company found that 45% of organizations intend to continue to harness VPNs for at least three more years.
ZTNA, SDP are on the rise; vendor count triples.
But the overall trend is away from VPNs. Matt Chisholm, Content Marketing Manager at NetMotion Software, expects that SDPs will eventually take over. But there are many factors that inhibit the instant switch to the newer technology.
“The transition will not occur overnight as most organizations have on-premise applications,” he said.
Meanwhile, the excitement over SDPs and their market potential is highlighted in the number of startups entering this space. The vendor count in SDP has grown from 10 to more than 30 in the past two years. And now, we see the big boys taking note. Some are developing their own SDP technology. Others are gobbling up the best and brightest among the SDP startups. Over the past year or two, Verizon has acquired Vidder SDP, OPSWAT has acquired Impulse, Symantec gained Luminate, and Proofpoint has acquired Meta Networks.
COVID accelerates the trend.
Having pushed many organizations further into the cloud than they anticipated, COVID-19 may have accelerated the trend from VPN to SDP. NetMotion numbers show that 70% of organizations are at least considering SDP adoption over the next year. The delaying factor is the extent of cloud adoption. Most have deployed more cloud resources of late, but few have gone all in. Only 4% of enterprises globally have fully migrated to the cloud, according to the survey.
While SDP is the latest and greatest, sluggish transition to the cloud is causing many enterprises to consider modernization of VPNs, firewalls, and secure web gateways (SWG) as a more viable approach than changing over to SDP. An interim alternative under consideration by some is to migrate their VPNs to the cloud. By doing so, they make it easier to both implement an enterprise cloud strategy, as well as open the door to eventual implementation of SDP.
Zero-trust technologies and policies are another potential driver of SDP adoption. Zero trust has become something of a security buzzword in recent months. With the topic under discussion in board rooms, ZTNA/SDP projects could find themselves more likely to receive a green light.
Nevertheless, VPN will persist.
The VPN vs. SDP vs. ZTNA battle is just beginning. But for the time being, the VPN is expected to stick around for another few years.
“When times got tough in 2020, IT leaders across the globe overwhelmingly turned to enterprise VPNs to provide secure remote access for thousands of employees,” said Chisholm. “This fact is so indisputable that it can be objectively argued that VPNs did more to ensure business continuity last year than any other technology did, or even could have done.”
The post VPN vs. SDP vs. ZTNA: Who Won 2020? appeared first on CIO Insight.