The U.S. Monday joined Russia, North Korea and China in declining to sign a cybersecurity pact supported by 50 countries and aimed at fighting both cyberwarfare and cybercrime.

The Paris Call for Trust and Security in Cyberspace agreement, part of the Paris Peace Forum, seeks to create a cyber Geneva Conventions of sorts, laying out international laws and guidelines for cyberwarfare as well as supporting human rights online. It was signed by 90 charities and universities as well as more than 150 tech companies, including Google, Microsoft, IBM and Facebook.

GDPR has now been in effect for a few months, which has been very evident from the number of compliance statements and tick boxes we all must review to access online services. While informing users about data processing, requesting their consent and complying with it is important, there are also many practical organizational and technical security measures which must be implemented to truly pass the bar of GDPR.

Many of today’s massive data breaches are linked to compromised credentials belonging to remote workers, third parties, and outsourced IT contractors. While telework and outsourced services have become commonplace in the commercial and public sector, organizations still have work to do when it comes to establishing security practices to support these new business models.

The FIDO Alliance has expanded its certification program to include multi-level security certifications for FIDO authenticators (such as physical security keys and biometrics).

With the authenticators, online service providers can choose the security level appropriate for their business, such as requiring higher FIDO certification for financial transactions than for general account information.

Oracle has released its first update round of the year, which includes fixes for products affected by one of the recently disclosed Spectre CPU vulnerabilities.

The database giant had the following to say:

“The January 2018 Critical Patch Update provides fixes for certain Oracle products for the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Intel processor vulnerabilities. Please refer to this Advisory and the Addendum to the January 2018 Critical Patch Update Advisory for Spectre and Meltdown MOS note.”

A 19-year-old vulnerability has been re-discovered in the RSA implementation from at least 8 different vendors—including F5, Citrix, and Cisco—that can give man-in-the-middle attackers access to encrypted messages.

Dubbed ROBOT (Return of Bleichenbacher’s Oracle Attack), the attack allows an attacker to perform RSA decryption and cryptographic operations using the private key configured on the vulnerable TLS servers.

The ROBOT attack is nothing but a couple of minor variations on the old Bleichenbacher attack on the RSA encryption protocol.

We can pull out two small threads from this week’s episode to examine. Both deal with unauthorized access.

When we’re talking about information security, and not just cybersecurity, physical security is also part of the picture. We saw Elliot take advantage of small loopholes in the E-Corp NYC building security to infiltrate it rather easily. While employees were filing back into the building after an evacuation, Elliot took advantage of the minor chaos and the crowds to steal a badge from a security guard, and then use it to get access to several different areas of the building – including rooms where he could connect directly to the (presumably secure) corporate network via ethernet.

The rise of the internet of things (IoT) and operational technology (OT) is causing serious anxiety for security and line of business (LoB) leaders, thanks to the negative business ramifications a security failure can have on critical business operations. Yet most organizations in a survey from Forrester Consulting lag when it comes to their security profiles in these areas.

A global study indicates that disgruntled former employees (or threat actors taking advantage of them) have a widespread opportunity to cause harm within companies—because their IT accounts remain active, often months after they leave their jobs.

One of the easiest ways for malicious outsiders, or even insiders, to gain access into an organization’s IT network is by stealing user credentials such as user names and passwords. Once access is secured, a series of lateral movements and privilege escalation activities can procure access to the type of information and systems that are most coveted by bad actors, such as a CEO’s email, customer or citizen personally identifiable information or financial records. The more time inactive accounts are available to bad actors, the more damage can potentially be done, including data loss, theft and leakage.

Finding a good candidate, or possibly any candidate, to fill one of the thousands of open cybersecurity positions available is one of the greatest challenges facing security executives today.
So with that in mind, SC asked some of the top names in the industry what traits they look for in a job applicant.

1. Continuous Learner

Shamla Naidoo, Chief Information Security Officer, IBM
The cybersecurity landscape is evolving continuously and rapidly, and therefore the most important quality I look for in a security hire is someone who can do the same – someone with natural curiosity that will lead to continual learning. The security workforce needs people who will be a part of inventing the solutions that will keep us safe not only today but in the future. For me, it’s about hiring someone who has intellectual depth but is willing to learn from others, without ego – not just experience to perform the role. I look for demonstrable willingness to learn new things and think outside of the box, with specific examples of where they’ve done this successfully in the past.