Experts say that smart toys are particularly vulnerable to cyber attacks. Kayne McGladrey, a member of the Institute of Electrical and Electronics Engineers, said their desire to keep toy prices low means manufacturers have little incentive to add reasonable security mechanisms.
Cyber attacks are bad and getting worse, and you’d like to turn things around before it’s too late. In this session, you’ll learn how the three most common attacks target people, how to deter and deny threat actors attacking your applications, and how to defend yourself and your community.
For some organizations CCPA will require a total overhaul on their privacy policies, while others might only need to make minor changes due to existing GDPR compliance. But as Kayne McGladrey, Chief Information Security Officer at Pensar Development, pointed out, there will certainly be another round of endless privacy disclosure emails.
We thought it would be a great idea to get Kayne’s take on some key issues facing the world from a cybersecurity perspective, and also learn more about his journey. We get lots of questions from readers about how to break into the cybersecurity industry, how to get their foot in the door, and all manner of other questions relating to getting started. This is why we think it’s so important to share the experiences of those in the industry.
A key ingredient for success in cybersecurity is a passion for all things tech and security. Needless to say, we were also impressed to learn that Kayne has over fifty smart devices and a handful of robots! Let’s take a look at what Kayne had to say:
“Effective defense in depth is not just shiny overlapping technical controls,” said Director of IT and Security Kayne McGladrey. “Rather, it’s the combination of culture, documented and tested processes, policies, and technical controls. For example, an organization with a policy of least privilege, a process for approving account privileges, and a process for auditing and harvesting unused privileges does not need multiple technical controls to implement the desired outcome.” It’s best to start with policy and then enact that in culture, where feasible.
Venture capitalists will accelerate feature development via mergers and acquisitions. In recent years, VCs have funded point solution vendors for technologies like SOAR and UEBA. These are features, not stand-alone technologies, and it’s often cheaper for market leaders to buy rather than build new features. CISOs should be aware of this market reality, as buying early-stage cybersecurity from a startup carries the risk of unintentionally having a business relationship with a much larger vendor within two years, and consequently needing to either buy the larger technology solution or rip and replace after the acquisition closes.
Here’s the Thinkers360 leaderboard for the top 50 global thought leaders and influencers on Cybersecurity for November 2019.
“There’s a perception that it is all hands-on-keyboards — people sitting in a basement somewhere drinking soda,” McGladrey said. “That perception, unfortunately, drives a lot of talented individuals who would have made a lot of meaningful contributions to the field to make other career choices.”
McGladrey wants security pros to talk to their colleagues, friends and families about the field and its diversity of roles. He also urges organizations to widen their candidate pools to include those with more varied backgrounds and life experiences.
“Right now in cybersecurity, we’re doing the same thing over and over and expecting a different result — the definition of insanity,” he said.
Cloud computing will continue to grow despite the frequency of breaches due to a lack of administrative controls and unintentional configuration errors. When an administrator had access to an on-premises server, they could only administer that server; a “cloud administrator” can administer all the assets in a given cloud instance, including backing up and exfiltrating entire servers. This is like the unintentional configuration errors that have plagued so many Amazon S3 buckets in 2019, where organizations have stored PII in S3 in a default configuration, and then those data have been accessed by security researchers.
Keeping an organization secure is every employee’s job. Instead of the obligatory employee training, Director of Security & IT for Pensar Development Kayne McGladrey recommends continuous engagement with the end-user community. “Provide opportunities and instrumentation to demonstrate policy violations rather than lecture at people.” Examples include leaving a USB data stick in a break room or using phishing tools to falsify emails from known employees that seem suspicious. “This helps educate and creates healthy suspicion,” said McGladrey.
The Internet of Things is a dumpster fire and upcoming regulatory controls aren’t going to put it out. Putting a sticker on a box with a username and random password and providing an updated privacy policy that consumers ignore isn’t adequate, although it is compliant. Manufacturers need to invest in user behavior analysis, require multi factor authentication, and to force patching of IoT devices. Otherwise, threat actors will continue to violate the privacy of people’s homes and nation states will built botnets as part of battlespace preparations.
Recognizing that fact, Kayne McGladrey, director of security and information technology at Pensar Development, an engineering consultancy in Seattle, says continuously phishing end users is the best way to help them identify phishing and other potentially malicious content. “This continuous exposure [to phishing] should take a variety of forms, from email-based phishing to direct messages on social media.”
McGladrey says short, actionable, culturally relevant education initiatives on a regular schedule are recommended because “users don’t want to sleep through the mandatory ‘October is cybersecurity month,’ two-hour, PowerPoint presentations.”