SecurityRecruiter.com's Security Recruiter Blog

Mobile Device Application Security Program Manager, Richmond, VA

noreply@blogger.com (Jeff Snyder) — Mon, 30 Jan 2012 21:33:00 +0000

SecurityRecruiter.com has been retained by a leading and fast-growing banking and financial services organization to help build their application security program around iPad, iPhone, Android, Blackberry (Mobile Devices), etc.

Provided that you possess the requisite hands-on development experience shown below, this role represents an opportunity to become the Subject Matter Expert around mobile devices and mobile device compliance for a global corporation. This is not a coding role. Rather, when you come equipped with hands-on coding skills from your present or your past, you’ll have the opportunity here to build an application security program around mobile devices for a global corporation. This is an individual contributor role to step in where nobody has ever served this organization before.

For the first 1+ years of employment, it will be necessary to go to work at the company headquarters. Once you have proven your ability to contribute, the possibility to live where you want to live in the US and telecommute will be considered.

Compensation is competitive and the bonus structure is something to pay attention to. The bonus opportunity has multiple tiers and is based on both company performance and individual performance. The company’s side of the performance has been met since the early 1990s.

Ongoing training and education through this company is unmatched. You'll have an opportunity to work towards certifications as well as the opportunity to develop other business skills that security professionals need in order for their careers to progress.

In this role you will:

·         Lead development and maintenance of IT Security Standards that detail how mobile devices should be configured.
·         Lead development of IT Security Compliance software or tools that control device configuration monitoring.
·         Evaluate future end-user devices for potential use, making appropriate recommendations on security settings.
·         Conduct vulnerability scans of mobile devices.
·         Evaluate mobile device application security to ensure that company and industry standards for hardening are met.

Requirements:

·         This role requires one year or more of development experience in the mobile device arena. Most often these skills will include Java, iPhone / iPad Development, Android Development / Blackberry Development, Mobile Browser Development.

·         A CISSP certification and/or application security certificates or certification such as: CSSLP from ISC2, Secure Coding in Java/J2EE and similar from SANS, etc. are helpful.

Location: VA-Richmond, Possible Telecommute in the Future
Relocation: Some Relocation Possible
Visa Sponsorship: No
Compensation: $105,000 - $120,000 base range, attractive bonus opportunity

Apply On-Line at : http://misjobs.com/cgi-bin/securityrecruiter/showjob.cgi?actiontotake=ShowRecord&JobID=200135
SecurityRecruiter.com's Security Recruiter Blog, home of security jobs

Cyber Vulnerability and Patch Report, January 30, 2012

noreply@blogger.com (Jeff Snyder) — Mon, 30 Jan 2012 15:30:00 +0000

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Google Chrome 16.0.912.77: Google has released an update to patch several highly critical vulnerabilities. Updates are available through the program.

Symantec pcAnywhere 12.x: Symantec has released hotfixes to patch several moderately critical vulnerabilities in pcAnywhere. Information on applying these hotfixes is available from Symantec in notes TECH179526 and TECH 179960. WARNING: Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code. See our Cyber Security News of the Week for more information.

Current Software Versions

Adobe Flash 11.1.102.55 [Warning; see below]

Adobe Reader 10.1.2

Apple QuickTime 7.7.1

Apple Safari 5.1.2 [Warning; see below]

Google Chrome 16.0.912.77

Internet Explorer 9.0.8112.16421

Java SE 6 Update 30

Mozilla Firefox 9.0.1 [Warning; see below]

Newly Announced Unpatched Vulnerabilities

None

For Your IT Department

Trend Micro DataArmor and DriveArmor: Trend Micro reports a less critical vulnerability in these programs. Patches are available from Trend Micro.

Symantec Altiris IT Management Suite: The same vulnerabilities affecting pcAnywhere also impact Altiris IT Management. Additional information is available from Symantec in notes TECH179526 and TECH 179960.

Important Unpatched Vulnerabilities

ACDSee Photo: Several highly critical vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. Readers should refrain from using ACDSee to open un-trusted files. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12, 2011. We alerted readers to a second vulnerability in FotoSlate in Weekend Vulnerability and Patch Report, September 18, 2011.

ACD Systems Canvas CorelDRAW: A highly critical vulnerabilityhas been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user's system. Users should not view un-trusted CDR files. Readers should refrain from opening un-trusted files in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.

Adobe Flash: The highly critical vulnerabilitywe reported in Weekend Vulnerability and Patch Report, December 11,2011remains un-patched. We recommend users disable the Flash player in their browsers.

Android Browser: Secunia reports a vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

Apple Safari: Secunia reports a non-critical un-patched vulnerability in Safari 5.1.2. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

HTC Mobile Devices: The security vulnerabilityin the default Twitter application (Peep) in HTC products remain un-patched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11, 2011.

HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains un-patched. Users are advised to not open files from un-trusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.

McAfee SaaS: The highly critical vulnerabilityin McAfee SaaS Endpoint Protection remains un-patched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, January 22, 2012.

Microsoft Windows: Secunia reports a highly critical un-patched vulnerability in Windows 7 Professional 64-bit. Other versions may also be affected. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7, 2011.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening un-trusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19, 2011.

Microsoft Reader: The highly critical vulnerabilityin Microsoft Reader, versions 2.x, remains un-patched. Readers should refrain from opening un-trusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15, 2011.

Mozilla Firefox: Secunia reports a less critical vulnerability in Mozilla Firefox. The vulnerability is confirmed in Mozilla 9.0.1. Other versions may also be affected. No patch is available at this time. Users should exercise extra caution on un-trusted websites. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, January 15, 2012.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain un-patched. Readers should refrain from opening un-trusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4, 2011.

Photoshop Elements: Adobe versions 1 - 8 contain a highly critical unpatched vulnerability. The vulnerability is confirmed in version 8.0 20090905.r.605812 and Adobe reports that the vulnerability affects versions 8.0 and earlier. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 9, 2011.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user's system. Users should not view un-trusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.

VLC Media Player: VLC has released an advisory regarding a highly critical un-patched vulnerability in versions 0.9.0 through 1.1.12. VLC has announced that media player 1.1.13 will address the issue. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customer's computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week's important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

SecurityRecruiter.com'sSecurity Recruiter Blog

Cyber Security News for the Week of January 30, 2012

noreply@blogger.com (Jeff Snyder) — Mon, 30 Jan 2012 15:00:00 +0000

News of the Week Commentary

From our friends at Citadel Information Group

Symantec's warning this week to users to disable PCAnywhere following the theft of its source code stands in contrast to the company's assurances a few weeks ago that the theft of its source code posed little risk to users. [See Cyber Security News of the Week, January 8, 2012.]

At issue is the responsibility information security vendors have to their customers when the vendor's products may be exposing customers to risk. It's common for a company to circle the wagons and fall into a protective mode when bad news comes out. The strategy is usually a losing one as the bad news comes out eventually and the company ends up with egg on its face. So, from the company's own perspective, the right strategy is often to own up to the problem from the start.

In cases of security the situation also carries moral and ethical implications. Twenty years ago when Tylenol was confronted with the death of several people after someone put poison in it products, Tylenol immediately removed the product from stores across the country and launched a public relations campaign to warn users.

The loss of information is not the same as the loss of lives, but don't those of us in the business of protecting the sensitive information of our clients and customers have the same ethical and moral obligation to warn our users immediately?

Vulnerability Alert

Symantec: Anonymous stole source code, users should disable pcAnywhere: Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. ars technica, January 26, 2012

Cyber Crime - Online Bank Theft

Hackers tap Salem Co. account for $19,000: Computer hackers have broken in and stolen approximately $19,000 by way of an illegal wire transfer from a Salem County bank account that held more than $13 million in funds. nj.com, January 22, 2012

Internet Badlands

Hackers-for-Hire Are Easy to Find: Sitting in his Los Angeles home, Kuwaiti billionaire Bassam Alghanim received an alarming call from a business associate: Hundreds of his personal emails were posted online for anyone to see. The Wall Street Journal, January 23, 2012

Cyber Security Management

Cameras May Open Up the Board Room to Hackers: One afternoon this month, a hacker took a tour of a dozen conference rooms around the globe via equipment that most every company has in those rooms; videoconferencing equipment. The New York Times, January 23, 2012

Healthcare Privacy - National Dialogue

Should Every Patient Have a Unique ID Number for All Medical Records?: As the U.S. invests billions of dollars to convert from paper-based medical records to electronic ones, has the time come to offer everyone a unique health-care identification number? The Wall Street Journal, January 23, 2012

Cyber War - The Middle East

Pro-Palestinian hackers bring down Haaretz Hebrew website: Pro-Palestinian hackers brought down Haaretz's Hebrew website on Wednesday, after several Israeli websites were targeted earlier in the day. January 25, 2012

Privacy Rights - European Union

EU Data-Privacy Overhaul Gives Consumers More Control: The European Commission on Wednesday proposed an overhaul to its data protection laws, which will provide users with more control over their data and make the process of monitoring data security less complex for agencies across the EU. PC Magazine, January 25, 2012

Ray of Sunshine

FileSonic disables file sharing in wake of MegaUpload arrests: Following the MegaUpload shutdown and indictments last week, FileSonic, one of the Internet's most popular file-sharing services, has disabled its sharing functionality. Cnet, January 22, 2012

New Web Piracy Arrest as Site Founder Is Denied Bail: THE HAGUE, Netherlands - An Estonian citizen was arrested by Dutch police at the request of American authorities investigating the file-sharing Web site Megaupload, a prosecutor's office spokeswoman said Wednesday. January 25, 2012

SecurityRecruiter.com's Security Recruiter Blog

LinkedIn, the Global Road to Everywhere!

noreply@blogger.com (Jeff Snyder) — Fri, 27 Jan 2012 18:44:00 +0000

It is always fascinating to see who stops by and visits my LinkedIn profile. Some people I’ve talked to think LinkedIn is a waste of time. If you don’t have a strategic plan in place for how to make use of LinkedIn, you very well could be wasting time. Build a strategy and your results could be surprising.

LinkedIn Strategy

If you set out to use LinkedIn strategically as I did back in 2004, it most definitely does lead to business opportunity. This morning, I shared a scheduled call with the assistant to a CEO in London, England. The CEO is looking for someone who can recruit the right talent to help his company expand into the US market.

Where did this person find me? On Google, where SecurityRecuiter.com sits on Page 1 for over 200 different search terms and on LinkedIn where he did further research to validate the information he found through a variety of Google searches. At least that is what he told me when I asked.

Daily Visits From Around the Globe

Just looking at the past few days, my LinkedIn profile has been visited from the following locations:

Belgium
Canada

Ireland

Poland

Korea

Kenya, Africa

India

United Arab Emirates

Toronto, Canada

Atlanta, GA

Austin, TX

Boston, MA

Colorado Springs, CO

Columbus, OH

Chicago, IL

Dallas, TX

Fort Pierce, FL

Fort Worth, TX

Greenville, SC

Houston, TX

Las Vegas, NV

New York City, NY

Orange County, CA

Philadelphia, PA

Phoenix, AZ
Raleigh, NC

Salt Lake City, UT

San Francisco, CA

Washington, DC

LinkedIn Doesn’t Work ?

To anybody who still isn’t convinced that LinkedIn is the world’s largest and fastest growing business network and that it has business value, I hope I’ve given you at least something to think about. I don’t keep track of where my daily LinkedIn invitations come from. If I did, I suspect that the list of locations I’d report would look a lot like the list of locations people have been sitting in when they visited my LinkedIn profile.

Looking Back

When I came up with the URL for SecurityRecruiter.com in 2001, I had at that time recruited nationally through a network of general IT recruiters going as far back as 1990. The idea that SecurityRecruiter.com would someday be known in places such as Ireland, England, India, Africa, Korea and beyond never crossed my mind.

In 2004, when another recruiter was kind enough to introduce me to LinkedIn, like many of you, I wasn’t quite sure what to do with it.

Building a LinkedIn Strategy

I was on LinkedIn for a few months before I carved out time to actually pay attention to the resource. Between Christmas and New Year’s when business traditionally slows down a bit, I decided to make a project out of clicking everything there was to click on LinkedIn. I took notes and formulated a strategy for how I would approach LinkedIn as a branding tool, a business development tool and a recruiting tool.

When I launched SecurityRecruiter.com on-line in January of 2006, I tied it at the hip so to speak with my LinkedIn profile. I didn’t know what this effort would or wouldn’t be worth but it turns out that it was worth a lot.

If you’re going to invest time to build a LinkedIn profile, do so with a strategy in mind. If you’re not sure what that might look like, I can help. Since 2004, I’ve built relationships by way of LinkedIn. I’ve found people to recruit on LinkedIn. I’ve been found by people who are seeking new security jobs on LinkedIn. Companies that have security jobs to fill have found me on LinkedIn.

My work on LinkedIn includes both B2B and B2C success. I can teach you.

I’m an OpenNetworker so feel free to send a LinkedIn invitation if you’d like to join my 26,000+ direct connection network.

Jeff Snyder, SecurityRecruiter.com 719.686.8810

Social Media for Job Search, LinkedIn Job Search Strategies

noreply@blogger.com (Jeff Snyder) — Wed, 25 Jan 2012 20:00:00 +0000

Today, I read an article about social networking and job search that suggested it might be impossible to keep one’s job search confidential if the individual is using social networking to find a new job. Difficult...perhaps. Impossible...not so.

Some don’ts to consider when using Social Media for job search:

· Tweeting to tell friends about your latest interview probably isn’t the best idea.

· Updating your Facebook status to tell your friends about your latest interview probably isn’t the best idea.

· Updating your LinkedIn status with an announcement that you’ll be out of the office this afternoon because you have an interview probably isn’t the best move you could make.

· Placing your resume on-line just to draw attention to it and then trying to explain to your employer that you’re not looking for a job probably isn’t the best idea.

Some ideas to consider when searching for a job:

· Sending your resume to a reputable recruiter who is specialized in recruiting your skill set for the purpose of building a relationship that gets you onto that recruiter’s radar screen when new searches hit their desk is a very good idea.

· Building out your LinkedIn profile and keeping it built out all the time, not just when you’re in a job search mode is a good idea. If you only beef up your LinkedIn presence when you’re looking for a job, you’ll likely get caught. Build a complete professional profile and keep it up-to-date all the time. Nobody will know when you’re actually open to making a professional change.

· You don’t have to check the box at the bottom of your LinkedIn profile suggesting that you’re open to Career Opportunities. A true recruiter, one who recruits and builds relationships rather than an e-cruiter, one who only searches the Internet for resumes will call on you whether your LinkedIn profile indicates that you’re open to Career Opportunities or not. This is a good! A recruiter won’t necessarily call on you however if you’re profile doesn’t do a great job in differentiating you from the 135M and growing LinkedIn crowd.

· There are opinions that accepting invitations to connect on Social Networks when they come from recruiters is bad. Become an OpenNetworker where you connect to anyone in the business community, particularly on LinkedIn, the world's largest and fastest growing business network. Then, when a recruiter invitation arrives in your Inbox, it isn’t a big deal. You accept all invitations to connect whether you’re in an active job search mode or not.

· Why not just send highly specialized recruiters intivitations to connect on LinkedIn? If you connect to recruiters when you're not in a job search mode, who's going to know when you are in a job search mode?

Advanced ideas to consider when searching for a job:

· Build a LinkedIn network proactively so that when you need to tap into the network, it is already there. Don’t wait until your ship is taking on water and you’re about to drown to become an active networker.

· Seek out recruiters who specialize in placing your skill set. Get to know these recruiters before you need them and invest time periodically to foster these relationships so when you need a particular recruiter, a relationship is already established. Think of a recruiter relatinoship like a cactus. It doesn't require constant attention but a little water here and there is good to keep the cactus or the recruiter relationship alive.

· Build a LinkedIn profile that is search engine optimized. Build a LinkedIn profile that is loaded with keywords and buzzwords that point to your skills. Build a LinkedIn profile that is loaded with accomplishments, value and contribution so the person who reads your profile can tell that you’re a producer in your professional life. Again, don’t do this just at the time when you’re searching for a job or your HR department may be calling you to find out why you’re looking.

· If you need security resume writing help, help is available. If you need help to understand how to optimize your LinkedIn profile for business, help is available from someone who has been using LinkedIn since 2004, someone whose network exceeds 26,000 direct connections and someone who provides enough value to generate B2B and B2C business on LinkedIn every day.

· If you need help to understand how to leverage LinkedIn for business, help is available. If you need Security Career Consulting, help is available. If you need longer term Security Career Executive Leadership Coaching, help is available.

Call Jeff Snyder for Recruiting Help, Security Resume Writing Help, LinkedIn Profile Optimization Help, Security Career Consulting Help, Security Executive Leadership Coaching Help and Security Career Public Speaking.

Jeff Snyder, SecurityRecruiter.com 719.686.8810

LinkedIn: 26,000+ Direct Connections for SecurityRecruiter.com

noreply@blogger.com (Jeff Snyder) — Tue, 24 Jan 2012 15:00:00 +0000

Busy Months For LinkedIn Network Growth

Over the past few months, my LinkedIn network has been growing like a weed. When I was in Los Angeles to speak to the ISSA-LA and CISO Forum in September, I remember Stan Stahl PhD, President of ISSA-LA, making a big deal in front of the audience about my LinkedIn network hitting 22,000 that night. Someone in the ISSA audience was my 22,000^th connection.

LinkedIn For Business Training

When I provided a LinkedIn For Business training to a group of technology sales professionals in Denver, CO back in December, one of the attendees in the audience was my 24,000^th connection. This is what one person in the audience of technology sales professionals had to say about the LinkedIn For Business training I brought to their office in December of 2011.

“Jeff is a proven leader in the IT industry, and specifically the area of security and coaching. I have had the opportunity to get to know Jeff the past 5 years, and he has provided valuable insight to me as an IT professional. Having over 20yrs of IT and business experience myself, I have rarely met anyone with the knowledge and experience Jeff has and the ability to deliver this information to his audience. Jeff recently presented to our group of professionals an overview of using LinkedIn as a business tool. Incredible knowledge and depth of not only the tool but provided specific uses as it related to our industry. Jeff has a strong business background and outstanding presentation skills. I would highly recommend bringing Jeff in as a speaker for your group for coaching or the use of industry tools like LinkedIn to help your professionals.” December 19, 2011

1^st Mark Rodholm, Acct. Exec., Sirius Computer Solutions

Today, my network surpassed the 26,000 direct connection mark. Why does this matter?

· A Network of Security Professionals: I am likely sitting on the world’s largest network of security professionals. The companies that call on SecurityRecruiter.com looking for security talent to hire benefit from my ability to reach out to so many highly skilled security professionals through direct recruiting.

· Unlimited Resources: When security professionals reach out to me for information, I’m usually only one phone call away from getting to the information I need to help my clients. This includes the companies that turn to me to fill security jobs as well as security professionals who turn to me for security career consulting services.

· Business Intelligence: As I teach professionals how to leverage LinkedIn for Business, I’m able to demonstrate on the spot my ability to get to business intelligence. If you are in a job search, you could benefit from having more business intelligence. If you’re in sales, marketing or business development of any kind, you could benefit from business intelligence.

· Direct Sales: LinkedIn has enabled me to put my brand and experience in front of companies that need help with their security recruiting. What I can tell these perspective clients about my experience is one thing but what others have been so kind to share about their experiences working with my by way of LinkedIn Recommendations has been helpful in ways that I can’t measure.

Observation

I’ve recently sat in on presentations, watched videos and have read articles, newsletters, blogs and books written by “LinkedIn Experts” who have been using LinkedIn for half as long as I have and whose networks are less than half the size of my network.

I’m not sure what constitutes one as a “LinkedIn Expert” but it seems to me that an expert should have a deeper than average understanding of the various functions of LinkedIn.

A “LinkedIn Expert” would likely be an early-adopter who jumped into LinkedIn in the 2004-2005 time-frame before LinkedIn was a popular networking platform and has learned through trial and error what works and what doesn’t work so well within the LinkedIn networking environment.

A “LinkedIn Expert” would very likely be someone who has figured out how to leverage the power of LinkedIn for branding, marketing and profit. Profit in a B2B format rather than just B2C profit from selling books, videos and seminars to show individuals how to build a LinkedIn profile.

Get LinkedIn Training

As an individual, if you wonder how to leverage the power of LinkedIn to grow and advance your career, I have a solution.

If you are the person in a company who is responsible for the growth of your company’s sales or perhaps you’re responsible for finding channel partners, I can show you how to tap into the power of LinkedIn in a proactive and professional way to:

· Identify Key Decision Makers

· Gather Business Intelligence

· Reach Key Decision Makers

· Exchange Value and Make Money

To learn more about how you too could be leveraging LinkedIn For Business, call Jeff Snyder at 719 686 8810.

One more thing, if you've reached a point where you want to build your LinkedIn network, this technique worked for me and it just worked for the person who wrote this recommendation.

"So I’m at 936 connections and leveraging LinkedIn as much as possible. When we met for lunch back in November (ish) I was approaching 200. Seems like I should celebrate when I hit the first 1000!" (This message came to me last week. John followed my advice and look where he is today. Click John's name below and send him an invite if you wish. He is an Open Networker)

John followed my advice and used Open Networker as one of the techniques to build his LinkedIn network. Though I can't tell you exactly how fast your network will grow, I can tell you that 3.5 years ago, my network was at 7,000 direct connections and today, I surpassed 26,000 direct connections. In early December, John's network was at 200 and it is now approaching 1,000 direct connections. This system works!

“Jeff is well known within the IT industry and has an impeccable reputation as a senior security recruiter for cyber and corporate security. That said, my experience with Jeff started when I attended one of his speaking engagements on the topic of social media and specifically LinkedIn. Jeff has been using and evaluating social media as it develops and had the foresight several years ago to recognize the value of LinkedIn and became an early adopter. If you have not yet leveraged LinkedIn or need to understand more about its capabilities and how to use it in conjunction with other formats I would highly recommend attending one of Jeff's session. He is an excellent public speaker and subject matter expert on LinkedIn who ignores the temptation to work from a script and as a result you are likely to learn a great deal more than you anticipate. I highly recommend Jeff and a speaker or mentor on the topic of social media as it pertains to the business environment and specifically LinkedIn.” December 8, 2011

1^st John Belcher, Senior Sales Executive, Sirius Computer Solutions

SecurityRecruiter.com’s Security Recruiter Blog

Vulnerability and Patch Report for January 23, 2012

noreply@blogger.com (Jeff Snyder) — Mon, 23 Jan 2012 15:30:00 +0000

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Adobe Reader and Acrobat 10.1.2: Adobe has released an update to patch several highly critical vulnerabilities. For users who cannot upgrade to version X, Adobe has also released version 9.5. Updates are available through the program.

Apple iTunes 10.5.3: Apple has released an update to patch several minor issues, including security.

Current Software Versions

Adobe Flash 11.1.102.55 [Warning; see below]

Adobe Reader 10.1.2

Apple QuickTime 7.7.1

Apple Safari 5.1.2 [Warning; see below]

Google Chrome 16.0.912.75

Internet Explorer 9.0.8112.16421

Java SE 6 Update 30

Mozilla Firefox 9.0.1 [Warning; see below]

Newly Announced Unpatched Vulnerabilities

McAfee SaaS: Secunia reports a highly critical vulnerability in McAfee SaaS Endpoint Protection. No patch is available at this time.

For Your IT Department

McAfee GroupShield: Secunia reports a highly critical vulnerability in McAfee GroupShield. No patch is available at this time. The vulnerability is reported in version 7.0.716.101. Other versions may also be affected.

Oracle: US-CERT reports Oracle has released its Critical Patch Update for January 2012 to address 78 vulnerabilities across multiple products. Several of these are highly critical.

Sonicwall: Secunia reports a less-critical vulnerability in Sonicwall AntiSpam & EMail security. The vulnerability is reported in version 7.3.1 and 7.3.4.5725. Other versions may also be affected. No patch is available at this time.

Important Unpatched Vulnerabilities

ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user's system. Users should not view un-trusted CDR files. Readers should refrain from opening un-trusted files in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.

Adobe Flash: The highly critical vulnerability we reported in Weekend Vulnerability and Patch Report, December 11 remains unpatched. We recommend users disable the Flash player in their browsers.

Android Browser: Secunia reports a vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

Apple Safari: Secunia reports a non-critical un-patched vulnerability in Safari 5.1.2. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remain un-patched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.

HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains un-patched. Users are advised to not open files from un-trusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.

Microsoft Windows: Secunia reports a highly critical unpatched vulnerability in Windows 7 Professional 64-bit. Other versions may also be affected. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening un-trusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19.

Microsoft Office for Mac: A highly critical vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user's computer. Security updates are currently unavailable. Readers should refrain from opening un-trusted files in Office. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains un-patched. Readers should refrain from opening un-trusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.

Mozilla Firefox: Secunia reports a less critical vulnerability in Mozilla Firefox. The vulnerability is confirmed in Mozilla 9.0.1. Other versions may also be affected. No patch is available at this time. Users should exercise extra caution on un-trusted websites.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain un-patched. Readers should refrain from opening un-trusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.

Photoshop Elements: Adobe versions 1 - 8 contain a highly critical unpatched vulnerability. The vulnerability is confirmed in version 8.0 20090905.r.605812 and Adobe reports that the vulnerability affects versions 8.0 and earlier. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 9, 2011.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user's system. Users should not view un-trusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.

VLC Media Player: VLC has released an advisory regarding a highly critical un-patched vulnerability in versions 0.9.0 through 1.1.12. VLC has announced that media player 1.1.13 will address the issue. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customer's computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week's important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

SecurityRecruiter.com’s Security Recruiter Blog

Cyber Security News for the Week of January 23, 2012

noreply@blogger.com (Jeff Snyder) — Mon, 23 Jan 2012 15:00:00 +0000

From our friends at Citadel Information Group

News of the Week Summary - Cybergeddon?

Zappo's reported that it had been hacked, exposing the personal information of 24 million customers. Anonymous brought down the Justice Department's website and several websites associated with the entertainment industry in response to the Feds bringing down MegaUpload, a large pirate site. America's critical infrastructure, including water and power, as well as our manufacturing base was put at greater risk with the public release of exploits that target vulnerabilities in industrial control systems. Cyber criminals are targeting our children by installing malicious software (malware) on popular child-focused sites. Israel, Palestine and hacktivists in Saudi Arabia seem locked in cyber war. Adding insult to injury, security vendor McAfee was caught with it's pants down as a vulnerability in one of its products allowed cyber criminals to send spam from supposedly protected PCs.

The New York Times reports again on how difficult it is even for large companies to protect their sensitive information while PC World once again documents several challenges every organization faces in securing information outside the corporate perimeter, whether in the Cloud, in employee's homes, on laptops, on iPads and other tablets, etc. Meanwhile bank regulators are pushing financial institutions to do more to protect their customers from online bank fraud.

Want to know how cyber crime might impact your organization? Want to better understand your exposure to cyber crime? We encourage you to contact us.

Threats and Warnings

Email, Personal Information on PlayBook Left Vulnerable to Hackers: Research in Motion may have improved its overall experience on the PlayBook with its recent update, but security researchers recently revealed that the device leaves corporate email and user information open to potential hackers. Researchers Zach Lenier and Ben Nell of Intrepidus Group uncovered a vulnerability in the PlayBook's Bridge application that leaves the authentication token for the Bridge application somewhere anyone could dig it up. PCWorld, January 17, 2012

Cyber Crime

Hackers Steal $6.7 Million in Cyber Bank Robbery: The first major cybercrime of 2012 has taken place in South Africa, with hackers made off with about $6.7 million from Postbank, which is state-owned and part of the South African post office. PCWorld, January 18, 2012

Zappos hacked, 24 million accounts accessed: NEW YORK (CNNMoney) - Online shoe store Zappos has been hacked, exposing the names, e-mail addresses, addresses, phone numbers and partial credit card numbers of its 24 million customers, the company said late Sunday night. CNN, January 16, 2012

Internet Badlands

Megaupload Founder Kim Dotcom, By the Numbers: When news of the international raid on Megaupload broke Thursday in the U.S., Internet aficionados got a glimpse at the man behind of the largest file-sharing websites in the world. And it turns out the site's founder, Kim Dotcom, was rich, large, and most certainly in charge. He currently sits in a New Zealand prison awaiting trial, while we attempt to dissect the man who (formerly) controlled the online media empire. Time, January 21, 2012

Megaupload Execs Had Thing For Bling, Indictment Shows: The Justice Department Thursday unsealed an indictment in Virginia charging seven executives at file-sharing site Megaupload.com with copyright violations, racketeering, and money laundering. Four of the people charged, including 37-year-old Megaupload CEO and founder Kim Dotcom (aka Kim Tim Jim Vestor, aka Kim Schmitz), were arrested by New Zealand authorities, while the others remain at large. InformationWeek, January 20, 2012

Anonymous tricked people into joining Web site attacks: If you clicked a link distributed by Anonymous yesterday, you may have unwittingly helped the online activists in their attacks against U.S. government and entertainment industry sites that were organized to protest proposed antipiracy legislation. Cnet, January 20, 2012

New Report Shows Malware 'Sleeps' on Computer for Average of 8 Months, Collecting Data: In a new investigative report from Daily Safety Check ™, the average time before 'activation' of malware before committing cyber crimes - such as bank transfers, fraud and information theft - is 8 months. SFGate, January 18, 2012

Facebook exposes hackers behind Koobface worm: As expected, Facebook today started to release information about the Koobface worm (its name is an anagram of "Facebook") and those behind it. The update comes almost a year since Facebook's last post about the infamous piece of malware. After more than three years and numerous hours of working closely with industry leaders, the security community, and law enforcement, Facebook has announced its social network has been free of the virus for over nine months. ZDNet, January 17, 2012

Web Gang Operating in the Open: Five men believed to be responsible for spreading a notorious computer worm on Facebook and other social networks - and pocketing several million dollars from online schemes - are hiding in plain sight in St. Petersburg, Russia, according to investigators at Facebook and several independent computer security researchers. The New York Times, January 16, 2012

Cyber Security Management

Clamor for Cloud Apps Increases Corporate Data Breach Risk: Employees bringing in their own devices and choosing their own application services is significantly increasing the risk to enterprise data. PC World, January 17, 2012

Regulators push banks to improve online security: According to a report in the New York Times , the Federal Deposit Insurance Corporation wants financial institutions to add a new security layer that detects unusual patterns of online activity - such as a volley of transfers to an account in Russia - in real time, starting this month. However, the Financial Times reported that a poll by a bank technology firm in November suggested that 40 percent of banks weren't even aware that regulators want them to adopt new measures. Atm Marketplace, January 17, 2012

Even Big Companies Cannot Protect Their Data: Barbara Scott just hit the trifecta of computer security breaches. Since the New Year, Ms. Scott has been a victim of three separate cyberattacks. Two weeks ago, the online auction site eBay said in an e-mail to her that there had been suspicious activity on her account. On Monday, she received an e-mail from Zappos and another from 6PM, two online shoe retailers owned by Amazon. Both messages alerted her that - once again - her information had been compromised. The New York Times, January 17, 2012

Kids and Families Cyber Security

Hackers Target Children as Adults Wise Up to Spam: Hackers are targeting websites aimed at children, by embedding malicious software in free gaming sites, praying on the young as adults grow wise to their strategies. Forbes, January 19, 2012

Hackers spread malware via children's gaming websites: Hackers are increasingly targeting child-focused gaming websites, according to a leading anti-virus firm. BBC, January 16, 2012

Hactivism

'Anonymous' hackers attack Brazilian websites: RIO DE JANEIRO - The computer hacker group Anonymous attacked websites of Brazil's federal district Saturday as well as one belonging to a Brazilian singer to protest the forced closure of Megaupload.com. AFP, January 21, 2012

Hackers disrupt websites of Israel's stock exchange, national air carrier: JERUSALEM - A hacker network that claims to be based in Saudi Arabia paralyzed the websites of Israel's stock exchange and national airline on Monday, escalating an international cyber war that has jolted this security-obsessed country. The Washington Post, January 16, 2012

Critical Infrastructure Security

Hoping to Teach a Lesson, Researchers Release Exploits for Critical Infrastructure Software: MIAMI, Florida - A group of researchers has discovered serious security holes in six top industrial control systems used in critical infrastructure and manufacturing facilities and, thanks to exploit modules they released on Thursday, have also made it easy for hackers to attack the systems before they're patched or taken offline. Wired, January 19, 2012

Cyber War - The Middle East

Israel in the frame after rapid rise in cybercrime: There has been a huge and sudden rise in online attacks in the region that seem to originate in Israel, a major anti-virus company warns. The National, January 22, 2012

Israeli and Palestinian hackers trade DDoS attacks in rising cyber-gang war: Pro-Palestinian and pro-Israeli hackers are waging a cyber street-fight in a tit-for-tat exchange of posturing, threats of mass credit card exposures, and denial-of-service attacks. As Hamas has egged on hackers in recent weeks, promoting more "hacktivist" attacks against Israeli targets, pro-Israel hackers have responded in kind, today taking down the websites of stock exchanges in Saudi Arabia and the United Arab Emirates. Both sites appear to be back online. ars technica, January 17, 2012

Cyber Irony

PSA: McAfee computer security patches flaw: are you fixed?: Earlier this week, the McAfee group began sending out a fix to stopper up a flaw which turned their protection service into a hijacked spam festival. The flaw, they say, was allowing hackers to attach themselves to your computer specifically and shoot spam throughout your machine - hijacking that which was supposed to be protected using a flaw in the system that was supposed to be doing the protecting. The exploit was reported earlier this week by two customers who were taken aback by the flaw earlier this week, McAfee responding with a fix now here at the end of it. SlashGear, January 20, 2012

Ray of Sunshine

Alleged Muscovite cybercrime daddy hauled in to face US court: A suspected Russian cyber-crook has arrived in the US to face charges of security fraud, computer hacking and ID theft following his deportation from Switzerland. The Register, January 18, 2012

SecurityRecruiter.com's Security Recruiter Blog

Jeff Snyder Interviewed by SecurityInfoWatch.com

noreply@blogger.com (Jeff Snyder) — Fri, 20 Jan 2012 14:00:00 +0000

Opportunities Flat, Compensation Up In The Corporate Security Industry

My thoughts are squeezed in at the bottom of page 2 in this article. Since I was interviewed by a magazine editor, I did not get to pick and choose which of my comments ended up in the final article. And, I had no idea that my comments would be bundled with those of several other recruiters and/or industry analysts.

Here is part of what I had to say if you don’t feel like reading the entire article:

So, what is the key characteristic for a security executive looking to advance or get a raise? According to Jeff Snyder, president of securityrecruiter.com, the most important thing a security executive can do for advancement is contribute to the business' bottom line – that means understanding the business and the risk landscape – and being able to communicate with the C-level executives in the organization.

"Companies are asking me for business people," Snyder says. "When a company calls me (looking for a recruit), they are looking for someone who has 5-10 years business experience at least, and they frequently ask for an MBA — not necessarily for a CPP.

"Those who want to advance need to do some remedial work on their communications skills," Snyder continues. "You can't do it all with a bucket of just technical skills — security has evolved and the people who get the good jobs are enterprise risk management experts, not technology experts.

I have no argument with what the writer used to quote me although there are definitely positions out there that require technology experts and there are positions that require finely tuned business understanding and business acumen.

Security Recruiting Requirements

Companies that call on me to recruit both cyber security and corporate security leaders call at the moment they realize there is a highly strategic position in their organization to fill. They call me before doing anything else because they recognize the importance of having their search conducted in a precise manner.

Other companies call on me when they’ve had a highly strategic search open for 6-18 months and they simply can’t seem to find the candidates they really want to interview. The first step when this kind of call arrives is to determine WHY the job has been open for 6-18 months. More often than not, there is a gap between what hiring decision makers are expecting and what they're actually seeing in the security job candidates they interview.

In my experience, organizations most frequently struggle to find security professionals who understand business and security professionals whose communication skills are advanced to the level where they’ll be successful as part of an organization’s “C” suite of executives.

The good news is that various aspects of how a business operates can be learned. Some of this learning happens on the job and some of this learning can be gained through an MBA program.

Communication skills, soft skills can be coached, developed and improved upon.

A Wikipedia definition of Soft Skills reads like this:

“Soft skills is a sociological term relating to a person's "EQ" (Emotional Intelligence Quotient), the cluster of personality traits, social graces, communication, language, personal habits, friendliness, and optimism that characterize relationships with other people.^[1] Soft skills complement hard skills (part of a person's IQ), which are the occupational requirements of a job and many other activities.”

There is a Gap

The reason most companies need outside help with their security recruiting is that they’re looking for certain subject matter expert skills, a certain amount of business skill or a candidate’s ability to understand the business and a certain level of soft skill development that matches well with the company’s culture.

When companies set an expectation for the various skills, traits and characteristics they expect to see in security job candidates and then fail to find candidates who match their expectations, there is a gap.

Identifying the Gap

In coming months, I’ll be taking a deep dive with business leaders to identify precisely what business leaders across many different industries are expecting security professionals to deliver to their organizations.

I’ll turn the findings of this research into blogs and articles that will be designed to help security professionals see the gap between what they’re currently delivering to the business and what the business is expecting from security professionals.

Eliminating the Gap

As the gap is identified, I suspect that the solutions to eliminating the gap will include a mix of hard skill development, education, training, certification and coaching.

SecurityRecruiter.com’s Security Recruiter Blog

More Discussion: Transitioning to a Corporate Security Career

noreply@blogger.com (Jeff Snyder) — Wed, 18 Jan 2012 23:42:00 +0000

Another article was pushed in my direction by a direct LinkedIn connection. The ideas Dan shared with me were intelligent, well-written and professionally delivered.

Dan challenged the blog I wrote earlier today where I shared some of the thoughts shared with me by a VP of Corporate Security regarding a recent article addressing “Shifting Trends in the Public to Private Transition”

Dan Wrote:

I saw your post on LinkedIn referencing the article that Jerry Brennan wrote. Because of my extensive corporate background (I’ve been in the private sector my entire career) I do quite a bit of work with people transitioning from the public sector to the private sector through my consulting entity Fraud Solutions. In fact, I’m currently working with several senior federal agents on their career transitions right now. I’m also in the process of designing some transition training that I hope to roll out to several agencies because there really is none offered to them other than to talk about their retirement benefits. I understand the comments being made by the person you went to and there is some real truth to that… however on the other hand I’ve also been fortunate enough to work with some people at very high levels of government agencies (public sector) that could (and have) made the transition to very large (private sector) organizations very successfully and the companies significantly benefitted from their public sector expertise.
So, the truth of the matter in my mind about whether a public sector employee makes a good private sector employee is a qualified…it depends on the individual, their background, skill sets, planning, preparation, education, training and experience. I do not see it as fair to say that because the government is inefficient… the employees who work for it are as well and that doesn’t make them good private sector employees. Do public sector employees have challenges making this transition, some do, absolutely but if they bring the right attitude and approach, they can make for very good employees in Corporate America. That’s my .02 worth on the topic. I can clearly see both sides of this fence and recognize that there is not a one size fits all, right or wrong opinion to this issue.
Hope you are well and happy new year!

Because of the way Dan positioned his well-written ideas, after reading his email and reading the article he brought to my attention, I immediately picked up the phone and shared a highly invigorating conversation.

Here is Dan’s article entitled ” The Top Ten Steps Law Enforcement Personnel Should Take to Ensure Success When Transitioning to the Private Sector”.

In the article, Dan provides sound ideas for what Law Enforcement professionals should do in preparation for retirement. I find Dan’s recommendations to be sound and full of good advice.

Dan makes the following three suggestions when a law enforcement is in pre-retirement mode:

Prepare For Success
Get A Professionally Prepared Resume
Consult With Industry Sources

I’m not here to take anything away from Dan’s article so I suggest that you read it (Link Posted Above)

Dan offers more advice in his article:

Post Hire: Once You Land The New Job…

Don’t Be A Silo
Learn The Regulatory/Compliance Lingo
Understand The Bottom Line
Learn to operate within the “C Suite”
Adapt Your Communication Styles To Fit
Seek Additional Training And Professional Development
Learn the Culture

Dan believes that one size does not fit everybody when it comes to professionals transitioning from government / law enforcement or federal agency employment to the corporate sector. I agree with Dan 100%.

There is definitely a transition from the aforementioned first careers to corporate security. With the right preparation, understanding, mentoring, coaching, training and mindset, great opportunities exist in the corporate security sector.

Thanks to Dan for sharing his point of view in such a clear way.

SecurityRecruiter.com’s Security Recruiter Blog

Challenging: “Shifting Trends in the Public to Private Transition”

noreply@blogger.com (Jeff Snyder) — Wed, 18 Jan 2012 18:40:00 +0000

Yesterday, a corporate security professional I’m connected to on LinkedIn sent an article to me that I had not seen. I always appreciate when good information is pushed in my direction because it is impossible to keep up with everything that is written every day.

The article is found on SecurityInfoWatch.com, a website where I’ve recently been interviewed and mentioned an article. The article that was sent to me was:

CareerLink: Shifting Trends In ThePublic To Private Transition

This article talks about trends that the author sees in hiring practices within companies that either do or do not make a habit of hiring professionals coming out of military, government, law enforcement or federal agency careers and placing them into positions in the private sector.

Found an Educated Opinion

I read the article that was sent to me and immediately sent it to a Vice President of Corporate Security in a large global high-tech organization to get his point of view. I personally had an immediate reaction to the article but more important than my point of view are the points of view of corporate security professionals with whom I’m fortunate to work who are actually doing the work of a security professional on the inside of large corporations on a daily basis.

You might want to go read the full article (link provided above) and then come back to read these unedited comments that were shared with me by the Vice President of Corporate Security.

Well, it sounds to me as if the author is trying to make us believe that he has seen many successful transitions from government to corporate security. However, it is misleading. How many has he witnessed, one, two, four hundred? In what role? What is the author’s measure of success? Are there any factual numbers and statistics behind his statements or are they simply his opinion?
This article has a clear agenda and he will likely do a great job in pulling the wool over most people in the security community’s eyes. That being said, a good portion of the corporations specifically in high-tech will generally not find a good fit with the average employee the author speaks of.

If I look at the government as a business, then it is one of the most inefficient businesses in history. The reason it does not fail is in the fact that it is a monopoly. Even as a monopoly it is having trouble staying afloat. The author makes note of government security execs who have handled large budgets, but I would like some data on how effectively and efficiently that money was deployed?

It is easy to handle a budget when no one cares what you do with it. What business skills and experience do they have to enter the real world? If I ran my household like the government I’d be in jail. Do I really want someone who may be like that at my company?
I’m not trying to say that these types of employees are all bad, but it is safe to say if a person has been doing something one way for most of their life, they usually fall back in to that mode, especially when under pressure.

They would do well at an electric company or some other monopoly. Also, most high-tech firms would likely not want someone on their second career or retirement – they would have little in common with the average employee. For example the average age at Microsoft is 38.
Sorry for the length of this email, but it is frustrating to see how many people just have no clue in the security world. My two cents.

This Vice President of Corporate Security in a high-tech firm seems to have a different point of view than the author of the article.

What do you think?

SecurityRecruiter.com’s SecurityRecruiter Blog

Security Executive Leadership Coaching, Security Career Consulting

noreply@blogger.com (Jeff Snyder) — Tue, 17 Jan 2012 15:00:00 +0000

If you’ve reached out to me via telephone or email this past week and I haven’t gotten back to you yet, it is because I was deeply engaged in an exciting on-site training opportunity in Park City, UT. Park City, UT typically has received significant snow by this time of the year. This year is different.

The area around my hotel had no snow on the ground and no snow even piled up in the corners of the parking lot. Park City has received less than 40” of snow for the entire ski season and is operating primarily on man-made snow so this wasn’t a ski trip as I would normally be reporting on in January.

Had conditions been normal in Park City, I’d likely be writing to tell you about the great skiing. That wasn’t the case this past week. In fact, I didn’t take skis with me on this trip.

Stakeholder Centered Coaching ™

I took a mind to Park City that was eager to learn about Marshall Goldsmith’s Stakeholder Centered Coaching ™ process and that is what I did. If you’re not familiar with Marshall Goldsmith, you might recognize a couple of his more recent books such as “Mojo” or “What Got You Here Won’t Get You There”.

I now hold a Certificate of Initial Mastery in Marshall Goldsmith’s methodology. What this means is that I am fully educated to deliver this unique style of executive leadership coaching and that is precisely what I set out to do this week.

I’ll share much more information about this and other facets of executive leadership coaching I’ve been engaged in studying in order to bring these services to the security profession. Very soon, new services will be launched by SecurityRecruiter.com that will include elements of Security Career Consulting and Security Executive Leadership Coaching.

What’s the difference between Security Career Consulting and Security Career Leadership Coaching you might ask? Let’s explore the differences.

Security Career Consulting:

For many years, security professionals have come to SecruityRecruiter.com in search of advice, assistance, career help and guidance. These requests cover topics such as but not limited to:

Security resume writing
Cover letter writing
Security interview preparation
Security education guidance
Security certification guidance
How do I grow my LinkedIn network and then what do I do with LinkedIn?
LinkedIn profile optimization
I see a job at ______, how do I make a strong contact at that company and avoid getting caught in the shuffle of hundreds of resume responses?
How do I most effectively network using LinkedIn for job search or business development?
Security career planning
How do I transition from Law Enforcement, Military or Federal Agency career into Corporate Security?

Did I neglect to include a topic that is on your mind? Bring your topic and we’ll craft a custom solution. For 2012, we’re building solutions to address these requests and many more that have come to us for many years.

In the final quarter of 2011, I was busy with several public speaking engagements with ISSA and ISACA groups as well as a private LinkedIn for Business training session with a group of technology sales professionals. Here is what the attendees had to say:

“Jeff is a proven leader in the IT industry, and specifically the area of security and coaching. I have had the opportunity to get to know Jeff the past 5 years, and he has provided valuable insight to me as an IT professional. Having over 20yrs of IT and business experience myself, I have rarely met anyone with the knowledge and experience Jeff has and the ability to deliver this information to his audience…Jeff has a strong business background and outstanding presentation skills. I would highly recommend bringing Jeff in as a speaker for your group for coaching or the use of industry tools like LinkedIn to help your professionals.”

"I was impressed by what you had to say at the ISSA-LA meeting. I had almost given up on working with anyone in recruiting. I'm glad there are still folks like yourself out there working with candidates in such a positive way."

"I would be happy to recommend you as a speaker at other ISSA chapters. Let me know what i can do to help" ISSA-LA President

"It was great to meet you today at the ISACA North Texas meeting. Your presentation was great!!! I learned a lot from you. ISACA North Texas - VP Membership"

"Thank you so much for your time last week. The information and trending insight were invaluable. I look forward to following up with you regarding the possibility of extending the discussions and partnership with Evanta and the CISO / CIO Executive Summits."

Security Executive Leadership Coaching:

While the topics listed under Security Career Consulting are somewhat event driven and are more tactical in nature, Executive Leadership Coaching is a longer-term investment that under the Stakeholder Centered Coaching ™ process involves:

Behavioral change that is sustainable, measurable and recognizable by others

This coaching process is appreciated by Human Resources and by Executive Management because we have a clear and concise way of Measuring Progress and thereby showing Return on Investment.

Below are the most often worked on leadership / communication skills from “C” suite leaders to critically important individual contributors in the vast majority of leadership coaching engagements performed by The Marshall Goldsmith Group:

· Treat others with respect

· Build Trust

· Listen to different points of view with an open mind before giving my opinion

· Delegate more effectively

· Stand up to individuals who undermine teamwork

· Deal with performance problems in a timely manner

· Develop executive presence

· Address conflict constructively and timely

· Collaborate with others

· Develop and link team strategy to business strategy

· Stand up for what I believe in

· Hold others accountable

· Present self with confidence

· Focus on the critical few issues

· Become more assertive

· Take appropriate risks

· Build cross-functional relationships

· Become a better coach and mentor

· Proactive use the situational leadership model as a diagnostic tool to manage

· Present my point of view persuasively

· Become more decisive

While the topics listed above have been collected over the period of twenty-plus years and hundreds of executive leadership coaching engagements, I believe that security professionals who set out to master these and similar topics are the security professionals who will rise to the “C” suite.

We’re ready to discuss each of the topics listed above under Security Career Consulting and Security Executive Leadership Coaching. Upon request, we’ll provide a documented list of available services and pricing structure attached to each service. We’re working on packages to deliver services to address all of the topics you’ve read about and many more in the months ahead.

The next Security Recruiter Blog will contain a brand new cutting edge iPhone / Android Developer role that represents a new flavor of security job opportunity for 2012. Stay tuned!

Jeff Snyder, SecurityRecruiter.com’s Security Recruiter Blog

Cyber Vulnerability and Patch Report, January 16, 2012

noreply@blogger.com (Jeff Snyder) — Mon, 16 Jan 2012 18:19:00 +0000

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Microsoft Windows Media Player: Microsoft has released patches for several highly critical vulnerabilities. Updates are available through the update feature of the Windows control panel.

HP LaserJet P3015: HP has released version 07.080.3 to patch a less critical vulnerability. The update is available from HP's website.

Yahoo Messenger: Yahoo has released version 11.5.0.155 to patch a moderately critical vulnerability. The update is available through the program.

Current Software Versions

Adobe Flash: The current version is 11.1.102.55 [Warning; see below]

Adobe Reader:The current version is 10.1.2 [Warning; see below]

Apple QuickTime: The current version is 7.7.1

Apple Safari: The current version is 5.1.2 (7534.52.7) [Warning; see below]

Google Chrome: The current version is 16.0.912.75

Internet Explorer: The current version is IE9.0.8112.16421

Java: The current version is SE 6 Update 30

Mozilla Firefox: The current version is 9.0.1 [Warning; see below]

Newly Announced Unpatched Vulnerabilities

For Your IT Department

None

Important Unpatched Vulnerabilities

ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user's system. Users should not view untrusted CDR files. Readers should refrain from opening untrusted files in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.

Adobe Flash: The highly critical vulnerability we reported in Weekend Vulnerability and Patch Report, December 11 remains unpatched. We recommend users disable the Flash player in their browsers.

Adobe Reader and Acrobat: Adobe continues to be struggling with various vulnerabilities within Reader and Acrobat. Update to version 9.5 or 10.1.2 for the latest versions, Macintosh or Windows, respectively. Users may also want to consider alternative PDF readers such as Foxit, PDF-Xchange Viewer or Nitro PDF.

Apple Safari: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected.

Firefox version 7 and Thunderbird version 7: As we reported in Weekend Vulnerability and Patch Report, November 13, 2011, multiple unpatched security vulnerabilities, several of them highly critical, have been reported in version 7 of Firefox and Mozilla. Mozilla recommends users upgrade to version 8.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remain unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.

HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains unpatched. Users are advised to not open files from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.

Microsoft Office Publisher 2007: A moderately critical vulnerability has been reported in Microsoft Office Publisher. No patch is available at this time. Readers are advised to not use content from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 23, 2011.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19.

Microsoft Office for Mac: A highly critical vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user's computer. Security updates are currently unavailable. Readers should refrain from opening untrusted files in Office. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched. Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.

Multiple Browser Vulnerabilities: The non-critical vulnerability we reported in Weekend Vulnerability and Patch Report, December 11 remains unpatched. Affected web browsers include Internet Explorer, Opera, Google Chrome and Firefox. We have no information at this time whether other browsers are affected. The vulnerability can be exploited by a malicious website to enumerate other sites visited by the user. Users may want to enable"Private Browsing" when visiting untrusted websites.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user's system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.

VLC Media Player: VLC has released an advisory regarding a highly critical unpatched vulnerability in versions 0.9.0 through 1.1.12. VLC has announced that media player 1.1.13 will address the issue. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

SecurityRecruiter.com's Security Recruiter Blog

Cyber Security News for the Week of January 16, 2012

noreply@blogger.com (Jeff Snyder) — Mon, 16 Jan 2012 17:58:00 +0000

Cyber Security Story of the Week - When Will US Companies Learn?

From our friends at Citadel Information Group

Defenses Against Hackers Are Like the 'Maginot Line,' NSA Chief Says: U.S. companies still aren't taking the threat of computer attacks seriously enough, despite a recent string of high-profile security failures, top government cybersecurity officials said this week. The Wall Street Journal, January 13, 2012

Information at Risk

Viruses stole City College of S.F. data for years: Personal banking information and other data from perhaps tens of thousands of students, faculty and administrators at City College of San Francisco have been stolen in what is being called "an infestation" of computer viruses with origins in criminal networks in Russia, China and other countries, The Chronicle has learned. SFGate, San Francisco Chronicle, January 13, 2012

Tax Department computer glitch inadvertently displayed Social Security numbers: The Vermont Department of Taxes (VDT) inadvertently displayed personal data from a weekly batch of Property Transfer Tax Returns for less than two hours on a vendor portion of its website on January 9th. A computer error began a process that resulted in an extra field added to a routine public report. The social security numbers of 1,332 individuals and the Federal Employee Identification Number of 245 businesses were involved. VTDigger, January 10, 2012

DuPont, Makhteshim, Kodak, News Corp: Intellectual Property: China-based hackers rifled the computers of DuPont Co. at least twice in 2009 and 2010, hunting for technological secrets that made the company one of the world's most successful chemical makers. Bloomberg, January 11, 2012

Internet Badlands

FBI Warns of Malware Phishing Scam: So long as people click on unsolicited attachments in e-mail, scammers will invent new ways to take their money, identities and more. The FBI last week issued a warning on one such new Internet blight called "Gameover," which, once ensconced on your PC, can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions. PC World, January 8, 2012

Malicious Software Attacks Security Cards Used by Pentagon: Chinese hackers have deployed a new cyber weapon that is aimed at the Defense Department, the Department of Homeland Security, the State Department and potentially a number of other United States government agencies and businesses, security researchers say. The New York Times, January 12, 2012

Phishing Campaign Using Spoofed US-CERT Email Addresses: On January 10, 2012, US-CERT received reports of a phishing campaign that is spoofing US-CERT email to deliver a variant of the Zeus/Zbot Trojan known as Ice-IX. This campaign appears to be targeting a large number of private sector organizations as well as federal, state and local governments. US-CERT, January 12, 2012

Cyber Security Management

Lawsuit Claims Symantec "Scareware" Warns Of Fake Threats To Sell Upgrades: Security firms often warn users about "scareware": malicious software that performs fake antivirus scans and then demands the user pay for a cleanup. Now a lawsuit claims that the world's top antivirus firm, Symantec, is itself a scareware scammer. Forbes, January 11, 2012

Hack Attacks Now Leading Cause Of Data Breaches: The majority of data breaches stem from hack attacks, followed by data that's lost while physically in transit. That's according to a forthcoming study from the Identity Theft Resource Center (ITRC), which assessed all known information relating to the 419 breaches that were publicly disclosed in the United States in 2011. A copy of the report was provided to InformationWeek in advance of its release. InformationWeek, January 12, 2012

Hacking of DuPont computers won't go unreported anymore: China-based hackers rifled the computers of DuPont Co. at least twice in 2009 and 2010, hunting the technological secrets that made the company one of the world's most successful chemical makers. DelawareOnline, January 14, 2012

Cyber Security Management - Online Bank Fraud

Banks Unite to Battle Online Theft: Rising cybersecurity threats are pushing big banks to do something that doesn't come naturally for these secrecy-steeped institutions: share information with one another. The Wall Street Journal, January 10, 2012

Legal Actions - PCI Dispute

Rare Legal Fight Takes On Credit Card Company Security Standards and Fines: A small celebrity-friendly restaurant in Utah is finally doing what many merchants have only dreamed of doing for a long time - taking on a part of the payment card industry's powerful but flawed system for securing card data by fining merchants for failing to secure their data. Wired, January 11, 2012

Park City Eatery Balks at Credit Card Fines in Rare Court Fight: Stephen and Cissy McComb say they managed their Italian eatery in Park City, Utah, for more than two decades without running afoul of security rules of Visa Inc. and MasterCard Inc. - until they were accused of mishandling data and opening the door to $1.26 million in fraud. SFGate, San Francisco Chronicle, January 9, 2012

National Cyber Security

Israel warns against computer-hacker vigilantism: Israel Thursday called on computer hackers not to take the law into their own hands to avenge attacks on Israeli credit card companies, and said the authorities were capable of countering all cyber threats. Reuters, January 12, 2012

DISA OKs secure Android mobile system for DOD: The Defense Information Systems Agency has certified a secure Android-based mobile system for use by Defense Department agencies. The system allows DOD personnel to sign, encrypt and decrypt e-mail, and securely access data from a smart phone or tablet computer. GCN, January 5, 2012

Israeli, Saudi Hacker Battle Escalates: A war of words and website hacks is escalating in Israel over the purported hack of credit card data by a hacker from Saudi Arabia. InformationWeek, January 11, 2012

Cyber crime a major risk to stability, warns WEF: The survey, which points to a bleak outlook just two weeks before the start of the WEF's annual meeting in Davos, warns that although the "impacts of crime, terrorism and war in the virtual world have yet to equal that of the physical world but there is a fear that this could change." The Telegraph, January 11, 2012

Shifting Priorities: Investing in Cybersecurity: Cyber-based threats against information infrastructures in the United States have generated an increasing concern for national security. Understanding these real threats against our nation enforces the need for a shift in prioritization and funding to address any future cyber security threats in all capacities. Partnership in a Secure America, January 13, 2012

Ray of Sunshine

NJ ringleader of ID theft, fraud ploy admits guilt: The leader of an identity theft and fraud ring has pleaded guilty in a scheme that federal authorities said operated as a veritable "crime superstore" that reached from northern New Jersey to U.S. territories in the Pacific. Newsday, January 10, 2012

SecurityRecruiter.com's Security Recruiter Blog

Security Careers: What Employers Look For in Security Professionals

noreply@blogger.com (Jeff Snyder) — Wed, 11 Jan 2012 14:00:00 +0000

A VP of Information Security Shares

A recent conversation with a VP of Information Security provided me with information I must pass along. While talking to this VP of Information Security, she was kind enough to share her point of view that is put into motion when she is hiring to fill cyber security jobs in her organization.

Company Profile

Let me provide a little background information before getting to the specific list of attributes this decision maker looks for when filling security jobs.

This VP of Information Security is in a company that is broken down into 33 distinctly different business units in the financial services sector. Security professionals who work in this organization do not survive unless they have highly developed interpersonal skills.

Security Certifications -vs- Business Skills

While there is ongoing debate regarding the value of security certifications, this VP specifically stated that while a CISSP is an interesting certification for a prospective new hire to bring to the table, she looks for highly developed Soft Skills.

She looks for candidates who have strong Business Sense and she always puts more emphasis on measuring a candidate’s Business Acumen than she places on an individual’s list of certifications.

Security’s Value Proposition

Why? Because every role on this VP’s team is customer-facing in a fast-paced financial services organization that has to be customer-focused. Her department exists to provide value to 33 different business units. The business people she and her team serve in each business unit don’t want to know only about bits and bytes when they hear from a security professional.

They want to know how their customer’s data is going to be protected and they want to understand how they can operate their business without having to worry about roadblocks put in place by security professionals.

As a Vice President of Security for North America in a 125,000 person global high-tech company recently told me:

"You can’t protect what you don’t understand"

Security Professionals Who Have Chops

This VP of Information Security told me that she specifically looks for information security professionals who “have the chops to talk information security with clients”. She looks for security professionals who understand how to follow the money. What she means by that is that she looks for people who understand the various lines of business in her company to the extent that they can see the flow of money across the organization. Her group’s job is to protect the money the company already brings in while also coming up with ways to assist line of business owners in making new money.

Where Do “Soft Skills” and “Business Acumen” Come From?

Through my work with David Lam, Vice President of ISSA-LA, I’ve found an information security leader who recognizes that there is a gap between the hard technical skills information security professionals concentrate hardest on developing and the combination of hard skills and soft skills that employers actually need in the business environment.

David has worked with the president of his chapter, Stan Stahl, PhD, to build the vision of the information security community of the future. That vision includes human skills which will help security professionals become ever so much better at their jobs.

It is most often the soft skills that don’t receive enough attention as security professionals grow. The leadership at ISSA-LA recognizes that development of soft skill and business acumen in information security professionals must receive more attention. Do you?

SecurityRecruiter.com’s Security Recruiter Blog

Cyber Vulnerability and Patch Report, January 8, 2012

noreply@blogger.com (Jeff Snyder) — Mon, 09 Jan 2012 14:30:00 +0000

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Microsoft .NET Framework: Microsoft has updated .NET to patch 4 moderately critical vulnerabilities. Updates are available through the update feature of the Windows control panel.

Google Chrome: Google has released version 16.0.912.75 to patch several highly critical vulnerabilities. The update is available through the program.

Current Software Versions

Adobe Flash: The current version is 11.1.102.55 [Warning; see below]

Adobe Reader:The current version is 10.1.1 [Warning; see below]

Apple QuickTime: The current version is 7.7.1

Apple Safari: The current version is 5.1.2 (7534.52.7) [Warning; see below]

Google Chrome: The current version is 16.0.912.75 [New Update this week]

Internet Explorer: The current update version is IE9.0.8112.16421

Java: The current version is SE 6 Update 30

Mozilla Firefox: The current version is 9.0.1 [Warning; see below]

Newly Announced Unpatched Vulnerabilities

For Your IT Department

None

Important Unpatched Vulnerabilities

ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user's system. Users should not view untrusted CDR files. Readers should refrain from opening untrusted files in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.

Adobe Flash: The highly critical vulnerability we reported in Weekend Vulnerability and Patch Report, December 11 remains unpatched. We recommend users disable the Flash player in their browsers.

Adobe Reader and Acrobat: While Adobe has released Adobe Reader 9.4.7 and Adobe Acrobat 9.4.7 to address the extremely critical vulnerability we reported in Weekend Vulnerability and Patch Report, December 11, it doesn't plan to update Reader X and Acrobat X until its next quarterly update scheduled for January 10, 2012. Until then the vulnerability still remains in Reader X and Acrobat X. Adobe has stated that other security technology in these products makes it more difficult to successfully exploit the vulnerabilities. Nevertheless, we continue to recommend users exercise extreme caution, opening PDF files only from trusted sources. Users may also want to consider alternative PDF readers such as Foxit, PDF-Xchange Viewer or Nitro PDF. See our Cyber Security News of the Week for more information on this vulnerability.

Apple Safari: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected.

Microsoft Office for Mac: A highly critical vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user's computer. Security updates are currently unavailable. Readers should refrain from opening untrusted files in Office. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user's system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customer's computers.

SecurityRecruiter.com's Security Recruiter Blog

Cyber Security News of the Week of January 8, 2012

noreply@blogger.com (Jeff Snyder) — Mon, 09 Jan 2012 14:00:00 +0000

Cyber Security Story of the Week

From our friends at Citadel Information Group

Expect more cyber-espionage, sophisticated malware in '12, experts say: The security industry expects the number of cyber-espionage attacks to increase in 2012 and the malware used for this purpose to become increasingly sophisticated. ComputerWorld, December 26, 2011

Citadel In The News
6 Credit Card Mistakes that can ruin your holidays: Credit cards can help make a breeze out of holiday shopping. A few missteps, though, and that breeze can turn into a storm of financial headaches. Dr. Stahl is quoted in this story. creditcards.com, December 2011

Using Starbucks' WIFI? Security Pro Issues Warning and Security Checklist, an article featuring Dr. Stahl, has been the number one article on Terry Corbell's site 'The Biz Coach' since the portal was launched in 2009.

Information at Risk
Double wham bam: AntiSec hacks, dumps CA & NY law enforcement emails: Almost like an echo from retired hackers, those from the 90s who long ago faded into the ether, the motto for 2011 may have been along the lines of "hack the planet." Yet there are some who obviously learned nothing about the consequences of maintaining sloppy security in 2011. In the cyber world, 2012 was not greeted by the boom of fireworks but by a double wham bam to law enforcement in California and New York. ComputerWorld, January 3, 2012

Saudi hackers leak personal information of thousands of Israelis: Saudi hackers who identified themselves as members of the online Anonymous network claimed on Monday to have leaked files containing personal information, including credit card numbers and expiration dates, belonging to more than 400,000 Israelis. Ynet News, January 3, 2012

Huge Security Breach at Security Firm Symantec No Threat to Consumers, Analyst Says: One of the biggest security firms in the world may need to boost its own security: A hacker stole the source code behind Symantec's industry-leading antivirus program. Fox News, January 6, 2012

Information at Risk - Stratfor Breach
Hackers reveal personal data of 860,000 Stratfor subscribers: A computer hacking group has revealed email addresses and other personal data from former Vice President Dan Quayle, former Secretary of State Henry A. Kissinger, and hundreds of U.S. intelligence, law enforcement and military officials in a high-profile case of cyber-theft. LA Times, January 4, 2012

Army warns of ID theft from Stratfor hack: The Army is warning users of its Army Knowledge Online portal to beware of identity theft following the recent Anonymous hack of intelligence analysis company Strategic Forecasting. GNC, January 3, 2012

Questions About Motives Behind Stratfor Hack: When hackers used the Christmas holiday to attack Stratfor, a security group based in Austin, Tex., they initially said they were aiming to steal the credit card numbers of its clients and use them to make $1 million in donations to charity. New York Times, December 27, 2011

Security Alert - Serious Wireless Router Vulnerability
Major security hole in most modern wireless routers: According to a vulnerability notice issued by the US Computer Emergency Readiness Team (US-CERT) on December 27th, just about every Wi-Fi router that supports Wi-Fi Protected Setup (WPS) is vulnerable to a brute force attack. IT Wire, December 27, 2011

New Tools Bypass Wireless Router Security: Security researchers have released new tools that can bypass the encryption used to protect many types of wireless routers. Ironically, the tools take advantage of design flaws in a technology pushed by the wireless industry that was intended to make the security features of modern routers easier to use. KrebsOnSecurity, December 28, 2011

Internet Badlands

Ramnit Computer Worm Compromises 45K Facebook Logins: A computer worm that has traditionally targeted the financial industry has set its sights on social networking, recently stealing over 45,000 Facebook login credentials, according to security firm Seculert. PC Magazine, January 5, 2012

Report: Phishing attack targets Apple customers: A "vast phishing attack" that attempts to capture the credit card information of Apple customers was launched on Christmas day, according to a report from Mac security-software company Intego. ComputerWorld, December 26, 2011

Turkish hackers avenge France's 'genocide bill': The websites of the French Senate and a National Assembly lawmaker who introduced a bill that would outlaw the denial of the 1915 Turkish 'genocide' of Armenians, have been attacked by Turkish hackers. France24, December 29, 2011

Spam Campaign following Kim Jong-il's Demise Serves Malware: The telecommunications regulator of South Korea alerted that a malicious spam campaign, by capitalizing on Kim Jong-il's death who was the Workers Party of Korea's general secretary in North Korea, is striking users' mailboxes. Help Net Security published this, December 20, 2011. Spamfighter.com, December 27, 2011

Websites targeting Olympics visitors closed down by police: Detectives from the UK's leading cyber crime unit have identified hundreds of websites that could be used to dupe visitors to next year's London Olympics. The Guardian, December 26, 2011

Mobile Phone Security
GSM phones vulnerable to hijack scams -researcher: Flaws in a widely used wireless technology could allow hackers to gain remote control of phones and instruct them to send text messages or make calls, according to an expert on mobile phone security. Reuters, December 27, 2011

Cyber Security Management - Legal
Chamber of Commerce Cyber Attack a Wake-Up Call for In-House Counsel: The extent of the cyber-damage caused by China-based hackers who tapped into the U.S. Chamber of Commerce in 2010 is not yet known. But following the recently publicized information about the attack, the message to in-house counsel is clear: protect yourselves. And that may mean having your company work more closely with the government. Law.Com, December 23, 2011

National Cyber Security
Cyber strike rampage: White-hot Israel vows to treat hackers like terrorists: In the wake of a massive online dump of Israeli credit card details by "Saudi" hackers, Tel Aviv says it will treat cyber attacks as acts of terror. It has also commended the US, who has hinted at retaliating for such assaults with military action. RT News, January 7, 2012

Dept. of Energy developing project to reinforce grid cybersecurity: The government is trying once again to whip the key players behind the country's electrical grid into a security force that can defend against mounting cyber threats. Network World, January 5, 2012

Ray of Sunshine
Happy 2nd Birthday, KrebsOnSecurity.com!: This past year, KrebsOnSecurity.com has featured more than 200 blog posts, and attracted 5,000+ reader comments. It has been humbling to watch the audience here steadily grow and mature into a community. The expertise and conversations offered by readers in the blog comments have added immeasurably to the value and usefulness of this site. KrebsOnSecurity, December 25, 2011

SecurityRecruiter.com's Security Recruiter Blog

Information Security Director, System Integration, US Work From Home, Telecommute

noreply@blogger.com (Jeff Snyder) — Mon, 09 Jan 2012 00:56:00 +0000

SecurityRecruiter.com has been retained by a leading and fast-growing banking and financial services organization to help build their cyber security department. This role will allow for a work-from-home telecommuting set-up where the qualified candidate can work from a virtual location inside the continental United States. Visa sponsorship is not available.

This role presents an opportunity to own a new security product systems integration / implementation and process creation in support of infrastructure changes that will lead to PCI-DSS compliance. While this role has no direct reports, it is responsible for bringing a new technology into our client’s fast growing on-line banking environment. Think of it as a security technology lead role.

If you demonstrate the discipline to work independently from a remote location, you’ll only be required to visit the corporate headquarters one time per month on average.

Compensation is competitive and the bonus structure is something to pay attention to. The bonus opportunity has multiple tiers and is based on both company performance and individual performance. The company’s side of the performance has been met since the early 1990s.

Think of this role as an entrepreneurial start-up role within a well-established and growing company. In many ways, this role embodies the look and feel of a start-up company but it also offers the stability of a sound financial services organization that provides numerous avenues a security professional can travel in order to grow. One more thing, how about going to work for a company that introduces new hires to an internal university where employees can pursue new education and certification with the company’s backing? This introduction happens when you first get started.

Requires:

This role requires a minimum of 5 years of experience in information technology, system development and / or system integration. Within your 5 years of experience, you must demonstrate at least 1 year of Java development combined with 2 or more years of UNIX / Linux system administration.

A CISSP certification is required. Additional security certifications are preferred.

A BS/BS is strongly preferred and a Master’s degree in computer science, math or a technical discipline is deeply appreciated.

Additional requirements include:

• Solid knowledge of information security practices and principals
• Recent hands-on experience with UNIX / Linux administration and configuration
• Recent hands-on experience with application integration using Web Services, API, and/or Command Line Utilities
• Basic knowledge of database technology (DB2 experience preferred)
• Basic knowledge in networking, load balancing and system recovery
• Strong interpersonal communication skills required to work within large / complex IT and business environments
• Experience with encryption technology support and integration preferred
• Knowledge in Voltage SecureData technology is a strong plus
• Experience in PCI DSS compliance a strong plus
• Knowledge in banking and credit card business operations a plus

Location: Virtual, Telecommute, Continental United States
Compensation: $90,000 - $100,000+ Base Range, Attractive Bonus
Relocation: NO
Education: BA/BS, Master’s Preferred

Apply Directly: http://misjobs.com/cgi-bin/securityrecruiter/showjob.cgi?actiontotake=ShowRecord&JobID=200134

Working for Free, No Thank You

noreply@blogger.com (Jeff Snyder) — Fri, 06 Jan 2012 21:59:00 +0000

The reasons to write blog stories seem to never stop flowing in my direction.

Magazine Editor Discussion

I just finished an hour long interview with a magazine Managing Editor in which we discussed employment trends for both information security and corporate security professionals in 2012. While I don’t have a crystal ball of any kind, I work with hiring decision makers all day every day and have the ability to see where Security Jobs and enterprise risk management jobs may or may not exist in the near-future. I can also see what the available pool of security and risk management talent looks like.

Just in from the Managing Editor of the magazine:

Thanks again for your time this afternoon. I know that I will not be able to give “all” of what you said justice throughout my article; however, xxxx xxxx , editor of our magazine, told me he would be interested in potentially running a guest column on the website where you can go into more depth on your ideas.

Gap Analysis

Our conversation this today evolved into one where the editor was asking me to talk about gaps. Gaps in this case represent the distance between what employers are expecting security professionals to bring to their business environments and what security professionals are actually bringing to the business environment. Before I take on any search, I conduct a Gap Analysis to make sure everyone on the client side of the discussion is operating with the same expectations.

Our conversation covered significant ground so I’ll be interested to see what kind of article this editor comes up with and which parts of our discussion he attaches my name to in his article. I hope he gets the context of my comments correct. This was a bright guy on the other end of my phone so I have high expectations that he’ll get it right.

Information Sources

The information I share in these situations may be information I believe to be true but my comments always reflect what business leaders such as CEOs, Chief Compliance Officers, Vice Presidents of Human Resources, etc. share with me when they’re describing what they expect a security, risk, compliance, audit or privacy professional to bring to the table.

There is a Gap

There is in fact a gap. The gap isn’t just found in what security professionals are not bringing to the table. The gap is also frequently found on the hiring decision maker side of this discussion. Very frequently, companies that are hiring security professionals do not understand what they’re looking for in a security professional. Multiple decision makers are frequently involved in the interview process when either an information security or corporate security professional is to be hired.

Having consulted with many companies that have had high-level security jobs open for anywhere from 6 to 18 months, I’ve had to determine why these jobs were open so long. There is frequently a gap between one decision maker expectations and/or understanding and another decision maker’s expectations and understanding on the corporate side of the hiring discussion.

Once this gap is identified by someone who can objectively see the gap and can come up with a way to get decision makers on the same page, security recruiting can begin. The alternative of starting a search with the hope that when the right person arrives, everyone will know they’ve arrived, frequently creates a situation where a job is open for 6 to 18 months and nobody can articulate the reasons why.

A Major Wall Street Financial Company

One minute after the magazine editor’s call ended this morning, my phone rang. A major financial company in New York called to determine if I had the capability to help them find an Enterprise Risk Management Security Analyst who could help them to assess risk in the Middle East, in Latin America and in South America. I do in fact have plenty of resources and plenty of experience under my belt that would enable me to deliver this type of talent.

In this brief discussion, I learned that this company has a candidate identified that the decision making team isn’t thrilled about hiring. The HR Manager who called was hoping that I would take on their search on a free basis to enable the company to interview additional candidates.

Sort of like walking into Baskin-Robbins and asking for multiple ice cream samples. This is an acceptable practice when buying a $1.50 ice cream cone but not when addressing the complexities in acquiring the right human talent where the stakes for everyone involved are higher.

Risk Mitigation

I’ve recruited since 1990. On more than one occasion in the past, I’ve taken on a search with a well-intentioned client on the other end of my phone who wants to look at additional candidates above and beyond the one or more they have in hand. In nearly every situation, the company has been unsuccessful on their own in finding the right candidate.

Many times, the root cause of this problem is because there is not a unified agreement on the company side as to what the right candidate will bring to the table when they are identified.

Opportunity Cost, Working for Free

In this case, the HR person wanted to hand their job description out to a couple of search firms to see what could be produced. Once I understood what the HR person was looking for, I asked him why he thought I should do this work for free.

He responded by telling me that I would be paid if I delivered the right candidate. Yes, I might be paid but what happens if three weeks from now, the company decides they really like the candidate they currently have more than they originally thought they did. I've seen this happen more than once.

Then, we’re not paid a search fee and we've just burned three weeks of time working for nothing that can be taken to the grocery store and exchanged for food. Yes, I'm being literal on purpose because this is precisely what happens in real life.

There is a term that captures the essence of this situation and I’ve once again turned to Wikipedia for a convenient definition:

Wikipedia Says:

Opportunity cost is the cost of any activity measured in terms of the value of the best alternative that is not chosen (that is foregone). It is the sacrifice related to the second best choice available to someone, or group, who has picked among several mutually exclusive choices.^[1] The opportunity cost is also the cost of the foregone products after making a choice. Opportunity cost is a key concept in economics, and has been described as expressing "the basic relationship between scarcity and choice".^[2] The notion of opportunity cost plays a crucial part in ensuring that scarce resources are used efficiently.^[3] Thus, opportunity costs are not restricted to monetary or financial costs: the real cost of output foregone, lost time, pleasure or any other benefit that provides utility should also be considered opportunity costs.
The HR person argued that we weren’t actually working for free. Help me here. If you don’t get paid for your hard work, haven’t you worked for free? I know how this has worked because I’ve walked in these shows before.

This is Real Life

I don’t make up these situations or the outcomes. My phone really did ring today. I really was asked to work for free and I really have been down this road before in terms of a company going back to the candidate they didn’t think they wanted to hire several weeks after we’ve burned unrecoverable time, energy and resources. (Opportunity Cost)

A Solution

· I’m happy to work with this company or any other company for that matter to help them more closely define their need if that is what they need help to do.

I’ll help this company to write a job description that more closely resembles their actual need so that when they put the bait in the water (the job description), they have a fighting chance of attracting the right security professional.
I’m happy to create an arrangement where we’re paid to do research work but maybe not full cycle recruiting.
I’m happy to do research work and some level of screening if the company wants a group of partially screened candidates to be delivered.
I’m happy to conduct a full-blown search where the SecurityRecruiter.com team does all the front-end research to identify the right security professionals to call on. Then, when candidates are identified who could potentially fit the job, we'll build a highly targeted recruiting process that is followed by a thorough interview process to determine precisely who can do the client's job.

After many hours have been invested in the front-end of the process we'll continue on to deliver the following services:

Invest appropriate time to properly package chosen candidates for our clients to review.
Help to coordinate interviews with the client's admin person.
Prep the chosen candidates for their interviews so they interview with proper expectations of what the client company can deliver.
Conduct post-interview debriefs on both the candidate and client sides of the equation to ensure that both parties are operating with the same set of expectations.
Ensure that precisely the right candidates are delivered primarily through direct recruiting and the job is filled to the client’s satisfaction.

Just not for free

Each of these options is possible and I’m willing to deliver in a manner that is most appropriate to address the client's needs.

However, each option represents an exchange of value. Anytime business value is exchanged, the person or company consuming the value should pay the deliverer of the value just like a mechanic is paid to fix a car, a dentist is paid to fill a cavity, a doctor is paid for their education and expertise and so on.

Need help to fill a security job and you're not quite sure how to do it? We're here to help.

Jeff Snyder, SecurityRecruiter.com 719 686 8810

PS: How well do we do what we do?

From an HR Director Client recently wrote:

"Our CEO has been very pleased with the quality of your candidates. Thank you. I’m sure that you’re aware of how challenging this industry is and your professional, results-oriented search firm has been a breath of fresh air."

Security Frequently Fails to Add Value to the Business

noreply@blogger.com (Jeff Snyder) — Mon, 02 Jan 2012 19:31:00 +0000

A stimulating conversation came my way last week when I was fortunate to learn from a Vice President of Security for North America in a fast moving global high-tech company. This VP is in charge of corporate security and enterprise risk management for a global company that has 125,000 employees around the globe.

To provide a little background, this individual’s career has progressed through various lines of business to a highly strategic corporate security role where has earned the opportunity to be invited to meetings with heads of marketing, sales, product development and more.

The fact that he has 20 years of business experience capped off with an MBA has definitely helped this corporate security executive to connect with the business units he serves.

The department heads this VP works with are typically the department heads in any company that do not have to include corporate security professionals in their meetings.

The reason these line of business leaders occasionally do include corporate security professionals in their strategy meetings is that the security professional has proven that they can add value to the business.

While our conversation covered a significant number of topics, one of the more significant topics I took notes on because I was learning from this VP’s experiences was that of security professionals absolutely needing to relate to and understand the business in which they work.

I've written about this topic in the past and this topic was part of a presentation I delivered to the North Texas ISACA in November. Information security and corporate security professionals need to improve their ability to work with the business they’re employed to serve or they'll never be invited to take a seat at the oval table where other "C" level executives commonly sit.

Though many different examples were discussed in this conversation, one example that was shared with me that really stands out in my mind was that of a security professional dealing with a marketing executive.

When I asked this VP how often he sees corporate security professionals being invited to strategy meetings with marketing executives, he admitted that he doesn’t this happen often. When I asked this VP to explain why corporate security professionals typically aren’t found in a meeting of marketing leaders in a high tech company like the one where he works, he said:

"You can’t protect what you don’t understand"

Ouch! Those words don’t require any interpretation. The VP’s point was clearly stated that he doesn't believe his peers in the corporate security profession do a good job of learning about the business they’re there to protect.

This is a topic I’ll continue to study because line of business owners continually share similar thoughts with me. There is a gap between the services both information security and corporate security professionals are delivering.

In coming weeks, I’ll deliver more evidence to show the gap that exists between security and the business and I’ll also offer solutions to begin to address this gap.

SecurityRecruiter.com’s Security Recruiter Blog

Active Listening and Interviewing for Security Jobs

noreply@blogger.com (Jeff Snyder) — Thu, 29 Dec 2011 20:12:00 +0000

Yesterday, for the first time, I added a question to the questions one can ask on LinkedIn.

I’m frequently asked how I come up with topics to write about in the Security Recruiter Blog. The truthful answer is that it is often difficult to come up with topics.

Some of my topics revolve around searches that land on my desk. Many of my topics revolve around conversations I have with CISOs, CSOs and business executives who are involved in the hiring process when a CISO or CSO is needed.

Today, I have a new topic that came to me in an unusual way. I’m in the process of writing five different eBooks. Four of these books will be highly detailed, granular, step-by-step guides for writing winning security focused resumes.

Another book carries a topic I’ll keep to myself for the moment but when the book is complete, I believe it will bring strong value to decision makers who are hiring security professionals.

LinkedIn Question

Can anyone recommend the best premium eBook Word document templates?
Google searches produce numerous results for eBook templates. Free templates appear to be rather vanilla to me. Premium templates appear to be much more interesting but finding the great ones is difficult. Can you help?

The first answer read like this:

e books do not read word format try Linkedin Wallace Jackson for e book guidance. He wrote the book on "Android Apps for the Absolute Beginner" published by Apress. It is sold on amazon.

This answer did not address my question at all. I am looking for a template to purchase so I don’t have to reinvent the wheel when it comes to formatting an eBook. My writing is being done in Microsoft Word so I’d like to find a nice looking eBook template for Word. I’m fully aware that once I complete the book, I’ll have to turn it into a PDF or some other format that plays nicely with Kindle, iPads, etc.

Since the first answer didn’t help me in the least bit, I went back to LinkedIn and offered this clarification:

Clarification added 13 hours ago:I am writing an eBook in Microsoft Word. I'm looking for a Word template to build the book in. I understand that the book will later become a PDF or something other than Word.

The first answer that came in after adding clarification to my question reads like this:

Jeff
In this situation, "best", "great" and even "interesting" are subjective criteria. Are you looking for a template:
that can accommodate images, charts, etc. in a certain way? that doesn't carry a steep learning curve to use? that distinguishes your book in a special way? that includes or doesn't include some special feature?
that this or that popular e-book used?
These questions are not exhaustive, of course.

You probably need to think about what you need, too: Will your book have pull-outs or sidebars? How are you ordering the chapters and sections? How much are you willing to pay for this template (and at what point should you just hire someone to provide you with what you want?)
And you may have better luck looking for a design firm that specializes in e-book design than you do with a generic search for "e-book templates." There are plenty of online designer forums online where you could post a query, once you know what is important to you.

I Still Don't Have An Answer

While the questions this person put on the table are all good questions, I still haven’t received any advice at all that answers my original question. I’m looking for the best premium template that will allow me to build an eBook in MS Word.

If I wanted a design firm recommendation, I would have asked a question about design firms.

So far, you’re probably thinking that I’m just sharing a year-end rant. To some extent I am but this situation made me think of what happens when candidates for security jobs sit in front of an interviewer who has a security job to fill.

This Experience Resembles a Security Job Interview

For the 22+ years that I’ve been in the recruiting profession, I’ve sent candidates to interviews where they’ve failed to answer the specific questions interviewers have asked them. When sitting in a live interview situation, I’ll admit that it is very easy for anyone, even the best interviewer, to get a little excited about the situation and lose a bit of focus.

One of things excellent interviewers do is to actively listen to the questions the interviewer asks. These individuals stick out from the crowd in a good way in that they nail the interview process and receive job offers. I interviewed someone who operated in this manner just the other day. He really did stand out from the crowd I'm evaluating for a $300,000 executive security job.

Critical Interview Mistake

The experience I’ve just had in asking a very specific question and getting valuable information but not the information I asked for reminds me how many times individuals go to interviews and talk about the agenda that is in their mind rather than focusing on the agenda of the interviewer.

What Causes Great Interviewers to Stand Out?

What do great interviewers do that poor interviewers do not? One of the traits of great interviewers is that they have highly developed active listening skills.

Wikipedia defines Active Listening in this manner:

Active listening is a communication technique that requires the listener to understand, interpret, and evaluate what they hear. The ability to listen actively can improve personal relationships through reducing conflicts, strengthening cooperation, and fostering understanding.

Real Observations

I’ve seen $300-500K job interviews won by individuals who have highly developed active listening skills. I’ve also seen $300-500K executive security jobs lost by individuals who consistently failed to answer questions specifically asked by the interviewer.

Your Personal Stock Value $$$$$$$

Want to increase your personal stock value in the security profession? Learn to actively listen.

SecruityRecruiter.com’s Security Recruiter Blog

M.I.T. Game-Changer: Free Online Education For All - Forbes

noreply@blogger.com (Jeff Snyder) — Thu, 29 Dec 2011 19:42:00 +0000

M.I.T. Game-Changer: Free Online Education For All - Forbes

Cybersecurity career experts: Mobile app security skills hot in 2012

noreply@blogger.com (Jeff Snyder) — Wed, 28 Dec 2011 22:39:00 +0000

Cybersecurity career experts: Mobile app security skills hot in 2012

Enterprises are going to be on the hunt for security professionals with the skills and certifications required to embrace the explosive demand for mobile devices and the cocktail of mobile security threats associated with them, according to several security industry career experts.

Security job recruiters and career advisors predict that in 2012 the swelling attraction to smartphones, tablets and other mobile devices will trigger substantial growth in jobs requiring IT security expertise. In particular, organizations are keen to nail down applicants with skill sets related to developing and maintaining mobile app security and enforcing mobile device security policies, according to Jeff Snyder, president of Woodland Park, Colo.-based SecurityRecruiter.com.......Continue to the techtarget article

SecruityRecruiter.com's Security Recruiter Blog