SAN FRANCISCO — From the RSA security conference, welcome to a special edition of Cyber Security Today. I’m Howard Solomon reporting for ITWorldCanada.com.
Information technology is a male-dominated profession, and within it cyber security is an overwhelmingly male-dominated field. At one session, Mandy Galante of the SANS Institute and Michelle Guel of Cisco Systems advised infosec pros on how to make the balance better. First, teachers have to open the minds of girls to the potential of an IT career as early as middle school. Second, girls are motivated by stories. So explain to them what happens when a hospital gets hit with ransomware, or when a couple can’t get a mortgage because of identity theft. Money may appeal to guys; helping the world appeals to many girls. Information security pros should take opportunities to speak to groups including computer and cyber clubs about their careers. And government helps: in the U.S., 27 governors are backing state-wide cyber competitions for girls only. To encourage women in college and university studying computer science, companies can offer internships. Once women are in the workforce, companies can offer leadership training and other types of support. The message to men: women need your support.
It wouldn’t be a cyber security conference without horror stories. We got a lot at a session on what’s called business email compromise scams. These are scams where an attacker pretending to be a company official sends an email to someone in the finance department asking them to wire or transfer money to pay an invoice or secure a contract. The email may look official because the executive’s mail has been hacked. Or the attacker is able to spoof the executive’s email address. The first thing you should know is that gangs behind these kinds of attacks do a lot of research on their targets, getting personal information from the open Internet. Do you list coaching your daughter’s softball team on your Facebook page? Well, now a criminal knows where you’ll be on Friday night. So imagine this message to a secretary. “Hi. I’m off to my daughter’s game. Please look after this late request from Oxnard Corp. to pay $10,000 to hold down an order.”
I’ll have more details shortly on this presentation in a story on ITWorldCanada.com. But for now there’s this advice for companies: First, of course, staff who handle money need security awareness training to be suspicious of mail requests that seem to come from execs. Second, there are some technology solutions that will help to authenticate messages, such as implementing a protocol called DMARC. Check with your IT department. And it will help to colour-code internal email a certain colour – say blue. If an email isn’t the right colour then it must be from outside the company and therefore not legit. And third, don’t put too much of your personal life online. That’s how the con looks real.
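To make the DMARC advice concrete, here is an added example (not code from the presentation or from ITWorldCanada) that shows what a receiving mail server does with a DMARC record: it parses the domain owner's published policy, checks whether the SPF or DKIM result is aligned with the domain in the From header, and applies the policy when neither aligns. It also shows the "tag anything that isn't internal" rule from the colour-coding tip. The domains, DMARC records and message authentication results are all constructed for the demo; the organizational-domain logic is simplified (a real receiver uses the Public Suffix List) and the lookup table stands in for a DNS query.

```python
"""Minimal DMARC policy evaluation, the way a receiving mail server applies it.

Constructed example: the domains, records and messages below are made up.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed DMARC TXT records, standing in for the _dmarc.<domain> DNS lookup.
# weak-corp publishes p=none (monitor only); strong-corp publishes p=reject
# with strict alignment for both DKIM (adkim=s) and SPF (aspf=s).
DMARC_RECORDS: Dict[str, str] = {
    "weak-corp.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak-corp.example",
    "strong-corp.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong-corp.example",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' DMARC record into a dict with defaults applied."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")      # policy defaults to monitor-only
    tags.setdefault("adkim", "r")     # relaxed alignment unless stated
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (real receivers use the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    from_domain: str                    # domain in the RFC5322 From header (what the user sees)
    spf_pass_domain: Optional[str]      # MAIL FROM domain that passed SPF, or None
    dkim_pass_domain: Optional[str]     # d= of a verified DKIM signature, or None


def evaluate(msg: Message, records: Dict[str, str] = DMARC_RECORDS) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for a message."""
    record = records.get(msg.from_domain.lower())
    if record is None:
        return ("none", "deliver, unauthenticated")
    tags = parse_dmarc(record)
    spf_ok = msg.spf_pass_domain is not None and aligned(msg.spf_pass_domain, msg.from_domain, tags["aspf"])
    dkim_ok = msg.dkim_pass_domain is not None and aligned(msg.dkim_pass_domain, msg.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    disposition = {"none": "deliver, report only", "quarantine": "quarantine", "reject": "reject"}
    return ("fail", disposition.get(tags["p"], "deliver, report only"))


def tag_as_external(msg: Message, internal_domain: str) -> bool:
    """Colour-coding rule: only DMARC-passing mail from our own domain counts as internal."""
    if msg.from_domain.lower() != internal_domain.lower():
        return True
    return evaluate(msg)[0] != "pass"


if __name__ == "__main__":
    # A spoofed CEO mail: From says strong-corp, but only the sender's own domain passed SPF.
    spoof = Message("strong-corp.example", spf_pass_domain="bulk-sender.example", dkim_pass_domain=None)
    print(evaluate(spoof), "external tag:", tag_as_external(spoof, "strong-corp.example"))
    # The same spoof against a domain that only monitors (p=none) is still delivered.
    print(evaluate(Message("weak-corp.example", "bulk-sender.example", None)))
```

The point to take from the two results is that publishing a record is not enough: with `p=none` a receiver still delivers the spoofed message, and only `p=quarantine` or `p=reject` actually stops the forged executive address from landing in the finance inbox.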
Speaking of keeping your personal life offline, that was also one of the cautions for consumers at a session on new online attacks to watch out for. A security consultant had a client who was certain she was being followed. She was right. She’d given away too much personal information. So, don’t put your birthday on Facebook or LinkedIn or other sites, make sure you use strong passwords, and sign up for two-factor authentication wherever you log into sensitive sites – your email, your bank, social media sites. And check your privacy settings. If you use Gmail, log in to myactivity.google.com and it will guide you through your settings. If you use Apple iCloud you can do the same.
That’s it for this special edition of Cyber Security Today from the RSA Conference in San Francisco. Until my next podcast, look for my news stories on the conference at ITWorldCanada.com. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.