Cybersecurity
https://sm.asisonline.org/Pages/The-Problem-with-Bots.aspx
The Problem with Bots (Cybersecurity), 2018-04-01, by Megan Gates (https://adminsm.asisonline.org/pages/megan-gates.aspx)
<p>It all started with a video game. Three college-age friends, Paras Jha, Josiah White, and Dalton Norman, wanted an edge in Minecraft, and they built a powerful and elaborate tool to get it.</p>
<p>Minecraft is a game in which players create their own worlds and experiences by digging and building with 3D blocks. One distinctive feature is that, from within the game itself, players can connect to individually hosted servers to play in multiplayer mode.</p>
<p>Hosting a server and renting space on it to other players is a lucrative business; some operators make $100,000 a month, according to an investigation by WIRED.</p>
<p>To tap into this market, Jha, White, and Norman wrote malware that scanned the Internet for Internet of Things (IoT) devices still using their factory-default usernames and passwords. The malware logged into those devices and enrolled them in a botnet that, at its peak, comprised some 600,000 devices.</p>
<p>That botnet was dubbed Mirai, and in September 2016 it was used to launch a distributed denial of service (DDoS) attack against French hosting provider OVH. The attack was so large that traditional DDoS mitigation techniques were ineffective against it.</p>
<p>Shortly after the OVH attack, Mirai hit security reporter Brian Krebs' website, Krebs on Security, knocking it offline for more than four days with an attack that peaked at 623 gigabits per second (Gbps), according to Krebs' account.</p>
<p>Authorities and researchers investigating Mirai soon began asking why, in addition to its headline targets, it was hitting Minecraft servers. They later determined that OVH had been attacked because it offered a service that mitigated DDoS attacks against Minecraft servers, and they ultimately traced the botnet to the three friends.</p>
<p>They confessed to building the botnet as part of a scheme in which customers paid to have players knocked off specific Minecraft servers, in the hope that those players would then pay to use an alternative server. Mirai's source code had been posted publicly in late 2016, and Jha, White, and Norman pleaded guilty to a variety of charges in December 2017.</p>
<p>While Mirai was unusual in its scope, it was just one of hundreds of botnets active today and affecting organizations' networks in real time. For instance, cyber firm Fortinet's Threat Landscape Report Q2 2017 detected 243 unique active botnets, with 993 daily botnet communications per firm.</p>
<p>Fortinet found that approximately 45 percent of firms detected one type of botnet in their environment, 25 percent saw two, and 10 percent saw three. Most of these botnets were detected in the telecommunications and carrier sector.</p>
<p>"Our data shows the majority of firms in our sample have one or two different botnets active in their environment at any given time," according to Fortinet's report. "Some, however, have 10 or more. And many of those frequently communicate with external hosts."</p>
<p>Because of this widespread activity, U.S. President Donald Trump included a section in his May 2017 cybersecurity executive order directing the secretaries of homeland security and commerce to assess what actions could be taken to drastically reduce the number of botnet attacks.</p>
<p>The secretaries were instructed to identify and promote action by stakeholders to improve the resilience of the Internet and communications ecosystem, and to "encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks," in other words, botnets, according to the executive order.</p>
<p>In January 2018, the secretaries completed the first step of that process by issuing a draft report for public comment, Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.</p>
<p>They solicited input for the report by hosting a workshop, publishing a request for comment, and initiating an inquiry through the president's National Security Telecommunications Advisory Committee (NSTAC). They also consulted with the U.S. Departments of Defense, Justice, and State, as well as the FBI, the Federal Communications Commission, the Federal Trade Commission, and others.</p>
<p>"Botnets threaten to undermine the Internet ecosystem, as well as the promise of next-generation technologies," said David Redl, assistant secretary for communications and information and administrator of the National Telecommunications and Information Administration, in a statement. "This report clearly demonstrates the urgency of the problem, and this administration's commitment to taking on these threats and creating a more secure and sustainable Internet."</p>
<p>The report found that botnets are being used for a variety of malicious activities, including DDoS attacks, ransomware attacks, and propaganda campaigns carried out via social media.</p>
<p>These attacks, according to the NSTAC, threaten the "security and resilience" of U.S. communications ecosystems and the Internet, as well as critical infrastructure. The NSTAC also assessed that threat actors will use IoT devices to launch global automated attacks.</p>
<p>"With new botnets that capitalize on the sheer number of IoT devices, DDoS attacks have grown in size to more than one terabit per second, outstripping expectations," according to the report. "As a result, recovery time from these types of attacks may be too slow, particularly when mission-critical services are involved."</p>
<p>One prime example of the impact botnets can have on the Internet is Mirai. Beyond its attacks on Minecraft-related targets, it was used in October 2016 to launch a massive DDoS attack on DNS provider Dyn, leaving many major websites unreachable for users across the eastern United States for several hours.</p>
<p>"While the original Mirai variant was relatively simple, exploiting weak device passwords, more sophisticated botnets have followed; for example, the Reaper botnet uses known code vulnerabilities to exploit a long list of devices," the report explained. "The Mirai and Reaper botnets clearly demonstrate the risks posed by botnets of this size and scope, as well as the expected innovation and increased scale and complexity of future attacks."</p>
<p>The report identified six themes that frame both the opportunities and the challenges in reducing automated, distributed attacks: botnets are a global problem; effective tools exist to combat them but are not widely used; products need to be secured at all stages of their lifecycle; education and awareness are needed; market incentives are misaligned; and botnet attacks are an ecosystem-wide challenge.</p>
<p>"Botnets represent a systemwide threat that no single stakeholder, not even the federal government, can address alone," said Walter G. Copan, undersecretary of commerce for standards and technology, in a statement. "The report recommends a comprehensive way for the public and private sectors, as well as our international partners, to work together and strengthen our defenses."</p>
<p>Those actions take the form of five goals in the secretaries' report: identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace; promote innovation in the infrastructure for dynamic adaptation to evolving threats; promote innovation at the edge of the network to prevent, detect, and mitigate bad behavior; build coalitions between the security, infrastructure, and operational technology communities; and increase awareness and education across the ecosystem.</p>
<p>One of the report's main points is the lack of security built into the growing number of IoT devices on the market. Many manufacturers continue to ship insecure devices because there are no requirements, and no incentives, for them to do better.</p>
<p>To address this, the report recommends that the U.S. federal government adopt security standards for all devices it purchases. Doing so, the report argues, would push the marketplace toward more secure products without imposing new regulations or relying on a legislative solution.</p>
<p>"The federal government can use acquisition rules and procurement guidelines to amplify the market signal by requiring certain security features or properties," the report explains. "The private sector could establish an assessment and labeling mechanism for products that comply with the home profile. The private sector could also work with existing programs or establish new programs to evaluate products that comply with the industry profile."</p>
<p>While this is a move in the right direction, Michael Marriott, research analyst at Digital Shadows, says it is not enough to change the marketplace, because so many IoT devices are developed outside the United States. Those products are sold into an international market, where they can be compromised and conscripted into a botnet.</p>
<p>"Making sure manufacturers are thinking about these types of considerations is important," Marriott says. "But there are devices developed outside the United States, so other approaches are needed as well."</p>
<p>John Dickson, CISSP, principal at Denim Group and a former U.S. Air Force officer who served in the Air Force Information Warfare Center, also expressed disappointment in the report, calling it "completely devoid of specific policy ideas and recommendations."</p>
<p>For instance, Dickson says he would have liked to see more specific recommendations for the telecommunications and Internet service providers (ISPs), which have a major role in mitigating DDoS attacks carried out by botnets.</p>
<p>The report touches on the role ISPs play, but it limits its recommendations to increased information sharing between ISPs and their partners to "achieve more timely and effective sharing of actionable threat information both domestically and globally."</p>
<p>This, Dickson says, is not enough. He would have preferred recommendations that ISPs block specific types of traffic, or monitor traffic, to prevent botnet attacks.</p>
<p>"There is an incentive for telcos to do this—reducing spurious traffic on their networks," according to Dickson. "But they're likely to say there's a cost associated with doing that, which will be passed on to users."</p>
<p>Countries with more government control of ISPs have shown how this can work, Dickson says. Countries such as China and Saudi Arabia, which exert greater government control over the Internet in general, have in his view been more effective at preventing botnet attacks because they are able to block them from getting in.</p>
<p>"We don't have government control of our telcos anymore—it's much more Wild Wild West with more players and a bigger network," Dickson says of the U.S. system, which he argues makes it more vulnerable to botnet attacks.</p>
<p>Security Management reached out to AT&T and Verizon for their reactions to the report, but neither company responded. And as of press time, there were no public comments on the draft report.</p>
<p>The report was open for public comment until February 12, and its final recommendations are due to be submitted to President Trump by May 11.</p>
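<p>Two of the behaviours described in this article leave traces in ordinary flow logs: a device that Mirai has recruited and that is now sweeping the Internet for telnet logins, and a bot that, in the Fortinet report's words, frequently communicates with external hosts. The Python below is an added example written for this page; it is not code from the article, from Fortinet, or from the NTIA/DHS report. The flow-record format, the RFC 1918 definition of "internal", the thresholds (20 targets in 60 seconds for a scanner; 6 connections with under 20 percent timing jitter for a beacon), and the sample records are all constructed assumptions for illustration.</p>

```python
# Added example: Mirai-style indicators in flow logs. Not code from the article, Fortinet,
# or the NTIA/DHS report; the record format, thresholds, and sample data are assumptions.
import ipaddress
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical flow-log line format; adapt the regex to your exporter's output:
#   "<ISO-8601 UTC timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
TELNET_PORTS = {23, 2323}  # the TCP ports Mirai's scanner probed for default logins
# Assumption about the monitored site: RFC 1918 space is internal, everything else external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: float  # seconds since the epoch, UTC
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(lines):
    """Parse flow-log lines into Flow records; malformed lines are skipped, not fatal."""
    flows = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append(Flow(when.timestamp(), m["src"], m["dst"], int(m["dport"]), m["proto"]))
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_telnet_scanners(flows, min_targets=20, window_s=60):
    """src -> most distinct telnet targets it hit inside any window_s-second sliding window.

    One host opening telnet to dozens of addresses in a minute is the outward symptom of a
    device that has itself been recruited and is now hunting for more default credentials.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport in TELNET_PORTS:
            by_src[f.src].append((f.ts, f.dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window_s:  # slide the window forward
                lo += 1
            targets = {dst for _, dst in events[lo:hi + 1]}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


def find_beacons(flows, min_conns=6, max_cv=0.2):
    """(src, dst, dport) -> stats for external hosts contacted at near-constant intervals.

    Bots check in with their controller on a timer; human-driven traffic to one host is
    bursty. The coefficient of variation (stdev / mean) of the gaps tells them apart.
    """
    by_key = defaultdict(list)
    for f in flows:
        if not is_internal(f.dst):
            by_key[(f.src, f.dst, f.dport)].append(f.ts)
    beacons = {}
    for key, times in by_key.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:  # every connection at the same instant: a burst, not a beacon
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = {"connections": len(times), "period_s": round(mean, 1), "cv": round(cv, 3)}
    return beacons


_BASE = datetime(2018, 3, 1, 10, 0, 0, tzinfo=timezone.utc)  # constructed sample data, not a real capture


def _rec(offset_s, src, dst, dport, proto="tcp"):
    stamp = (_BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{stamp} src={src} dst={dst} dport={dport} proto={proto}"


SAMPLE_FLOWS = (
    # an infected camera at 10.0.0.50 sweeping 25 addresses on TCP/23 within 25 seconds
    [_rec(i, "10.0.0.50", f"203.0.113.{i + 1}", 23) for i in range(25)]
    # a bot at 10.0.0.23 checking in with one external host every ~300 s (slight jitter)
    + [_rec(300 * i + i % 3, "10.0.0.23", "198.51.100.10", 443) for i in range(8)]
    # ordinary browsing from 10.0.0.8: irregular timing, so it must not be flagged
    + [_rec(t, "10.0.0.8", "203.0.113.200", 443) for t in (5, 47, 130, 131, 600, 1410)]
    + [_rec(t, "10.0.0.8", "203.0.113.201", 80) for t in (12, 15)]
)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("telnet scanners:", find_telnet_scanners(flows))  # {'10.0.0.50': 25}
    print("beacons:", find_beacons(flows))
```

<p>Run as a script, it flags 10.0.0.50 as a telnet scanner and the 10.0.0.23 to 198.51.100.10 connections as a beacon while leaving the browsing host alone. On real exporter output, replace FLOW_RE, and tune both thresholds against a baseline before alerting: an NTP client, a monitoring agent, or anything else that polls one external endpoint on a timer will trip the beacon check exactly as a bot does, so the hit list is a triage queue, not a verdict.</p>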
 You May Also Like...
https://sm.asisonline.org/Pages/Take-No-Chances.aspx
Take No Chances
<p>Security processes are working properly if nothing happens, as the adage goes—much to the chagrin of the security manager looking for buy-in from the C-suite. But if something does go wrong at an organization, the error lies in either the company's risk profile or its implementation of mitigation procedures. Using risk management principles to create a risk profile and implement procedures to mitigate those risks should leave no gray areas for an incident to occur, says Doug Powell, CPP, PSP, security project manager at BC Hydro. Security Management sat down with Powell, the 2017 recipient of the Roy N. Bordes Council Member of Excellence Award, to discuss how to create a mitigation program that only gets stronger after a security incident.</p><h4>Weigh the Risks…</h4><p>A basic tenet of risk management principles is understanding what risks an organization faces by conducting a thorough risk assessment. "For me, nothing should happen in the security program in terms of making key decisions around protection principles until you've been through your risk management exercise, which will do two things for you: tell you where you have gaps or weaknesses, and what the priority is for addressing those," Powell says. </p><p>Look for the risks that are high-probability, low-impact—such as copper theft—and low-probability, high-impact—such as a terror attack—and build a protection plan that primarily addresses those, Powell says. </p><p>"You use that prioritization to get funding," he explains. 
"I tell people there's a broad spectrum of risks you have to consider, but there are two that you focus on that I call the board-level risks—the ones the board would be interested in because they could bring down the company."​</p><h4>…And Use Them to Build a Strategy</h4><p>Establishing those risk categories will not only help get buy-in from the C-suite but frame the company's security strategy.</p><p>"You should never say something like, 'well, the copper losses are so small that we're not going to deal with this at all,' in the same way you're not going to say that you'll never likely be attacked by terrorists so let's not worry about it," Powell says. "With that in place, you should have an effective mitigation strategy on the table."​</p><h4>Flesh Out the Baseline…</h4><p>While getting buy-in may rely on emphasizing the impact a risk can have on business operations, the security team needs to have a well-rounded understanding of the risk itself. Powell illustrates the distinction by using an example of how protesters might affect critical infrastructure.</p><p>"It's one thing to say that there's risk of work being disrupted or of a pipeline being taken out of service by protesters, but it's quite another thing to say that in the context of who these protesters are," according to Powell. </p><p>"You have one level of protesters who are just people concerned about the environment, but all they really do is write letters to the government and show up and carry picket signs to let you know they are concerned. The more extreme groups are the ones that would come with explosives or physically confront your workers or who would blockade machinery," Powell explains.</p><p>While these two groups of people both fall under the protester category, the risks they present—and how to respond to them—are vastly different.</p><p>"You have to understand the characteristics of your adversaries before you can adequately plot the seriousness of the risk," Powell explains. 
"Would it be serious if our pipeline got blown up? You bet it would. But who has the capability to do that? Are they on our radar? And what's the probability that we would ever interact with them? There's a bit more than just saying it's a bad thing if it happens."​</p><h4>…And Keep It Updated</h4><p>Don't let an incident be the impetus for conducting a new risk assessment. Creating a governance model will facilitate regular reviews of the risk assessment and how it is conducted.</p><p>"If you do it well at the head end, you should be mitigating to those standards," Powell says. "Risk doesn't happen once a year, it's an ongoing process where you establish the baseline, mitigate to the baseline, and start watching your environment to see if anything bad is coming at you that you should be taking seriously because the world is dynamic."</p><p>Consistent monitoring of threats allows the mitigation strategy to be adjusted before weaknesses are discovered and exploited.</p><p>"The monitoring aspect is critical, and after an incident you might say that the reason your mitigation plan failed is you simply didn't monitor your environment enough to realize there were new risk indicators you should have picked up," Powell says. "The risk management process is dynamic, it never stops, it's continually evolving, and whether something happens to cause you to reevaluate or whether you reevaluate because that's your normal practice, that has to happen."</p><h4>Establish a Process…</h4><p>Through risk management, a security incident occurs when the risk assessment was not accurate, or the mitigation processes were not properly carried out. After an incident, security managers should never feel blindsided—they must identify the shortcomings in their processes.</p><p>"When something critical happens, the first thing you will do is go back to your risk profile and ask yourself some key questions," Powell advises. "Did we get it right? Did we miss something? 
How did this incident occur if in fact we had our risk profile correct? Or did our mitigation planning not match well with the risk profile we had developed? If we had this assessed as low-risk but it happened anyway, maybe we got something wrong. If it was high-risk and it happened anyway, what was the cause?"</p><p>If the security program matches the risk profile and an incident still occurred, it's time for the organization to change the baseline.</p><p>"Did we understand our adversary?" Powell asks. "Was it someone we anticipated or someone we didn't anticipate? If it was someone we anticipated, how did they get in to do this thing without our being able to stop it or understand that they were even going to do it? Do we have the right security in place, did we do the right analysis on the adversarial groups in the first place? What did we miss? Are there new players in town? Is there something going on in another country that we weren't aware of or ignored because we didn't think it impacted us over here in our part of the world?"</p><p>And, if it turns out that the risk profile was inaccurate despite proper governance and maintenance, don't just update it—understand why it was wrong. "Look at whether your intelligence programs or social media monitoring are robust enough," Powell suggests.</p><p>"If you had 10 or 100 metal theft incidents in a month, you want to go back and ask why this is continuing to happen," Powell notes. "We've already assessed it as a risk and tried to mitigate it. For me, the two things are intrinsically connected. If you're performing risk management well, then your mitigation programs should mirror that assessment. 
If it doesn't, there's a problem, and that's what this review process does, it gets you into the problem."</p><h4>…And Use It Consistently</h4><p>Whether it's copper theft or a terrorist attack, the incident management process should be carried out in the same way.</p><p>"That should always be a typical incident management process for any kind of event," Powell says. "What varies is input, but the methodology has got to be identical. If it's metal theft, it's a pretty simple thing—we have some thieves, they broke into a substation, removed ground wires, and as a result this happened. What can we do to mitigate that happening at other substations in the future? </p><p>If it's a terrorist attack, of course a lot more people will be involved, and you'll be asking some very challenging questions. The process becomes a lot more complex because the potential for damage or consequence value is much higher, but the methodology has to be the same all the time."</p><p>"Overall, whether you're looking at a security breach that happened because you exposed your cables and the bad guys were able to cut them or whether it was a new, more dangerous group coming at you that you weren't aware of, or because you neglected to identify the risk appropriately—all of this has to go into that evaluative process after something happens," Powell says. "Then you have to reestablish your baseline, so you're going back into that risk analysis and move to mitigate it according to what that new baseline is. If something bad happens that's what you do—go back to the baseline and discover what went wrong, and once you know, you seek to mitigate it to the new baseline." </p>
https://sm.asisonline.org/Pages/A-Cyber-Pipeline.aspx
A Cyber Pipeline
<p>It was a tense moment. Twenty minutes before taking the stage at the 2016 RSA Conference in San Francisco, U.S. Secretary of Defense Ash Carter had signed an agreement to create the first U.S. government bug bounty program.</p><p>"I was sitting in the front row there, just shaking my head and praying everything would work out the way it was supposed to," says Lisa Wiswell, former U.S. Department of Defense (DoD) bureaucracy hacker who oversaw the bug bounty program.</p><p>And work, it did. Dubbed "Hack the Pentagon," the program allowed 1,400 security researchers to hunt down vulnerabilities on designated public-facing DoD websites. More than 250 researchers found and reported those vulnerabilities to the DoD, which paid them a total of $150,000 for their efforts.</p><p>"It's not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million," Carter said in a statement. </p><p>Based on the program's success, the DoD launched "Hack the Army" in 2016, followed by "Hack the Air Force" in 2017, to continue to address security vulnerabilities in its systems. This method of crowdsourcing cybersecurity is one that many organizations are turning to as they continue to struggle to recruit and retain cyber talent.</p><p>According to the most recent (ISC)² Global Information Security Workforce Study, the cybersecurity workforce gap is on pace to increase 20 percent from the 2015 projection, leaving 1.8 million unfilled positions by 2022.</p><p>"Workers cite a variety of reasons why there are too few information security workers, and these reasons vary regionally; however, globally the most common reason for the worker shortage is a lack of qualified personnel," according to the report's findings. 
"Nowhere is this trend more common than in North America, where 68 percent of professionals believe there are too few cybersecurity workers in their department, and a majority believes that it is a result of a lack of qualified personnel."</p><p>To help address this issue, study respondents reported that more than one-third of hiring managers globally are planning to increase the size of their departments by 15 percent or more. However, the report found that historically, demand for cybersecurity talent has outpaced the supply—which will continue to exacerbate the current workforce gap if the trend continues.</p><p>"It is clear, as evidenced by the growing number of professionals who feel that there are too few workers in their field, that traditional recruitment channels are not meeting the demand for cybersecurity workers around the world," the report explained. "Hiring managers must, therefore, begin to explore new recruitment channels and find unconventional strategies and techniques to fill the worker gap."</p><p>One technique to fill the worker gap is being used by the FBI, which has a long history of workforce training and development to keep agents—and Bureau staff—at the top of their game to further its mission.</p><p>In an appearance at ASIS 2017, FBI Director Christopher Wray explained that the Bureau has created a training program to identify individuals with cyber aptitude and train them so they have the skills necessary to identify and investigate cybercrime.</p><p>"We can't prevent every attack or punish every hacker, but we can build our capabilities," Wray said. 
"We're improving the way we do business, blending traditional techniques, assigning work based on cyber experience instead of jurisdiction, so cyber teams can deploy at a moment's notice."</p><p>In an interview, Assistant Section Chief for Cyber Readiness Supervisory Special Agent John Caliano says the FBI is looking internally to beef up all employees' cyber abilities.</p><p>"There is a notional thought that all the cybersmart people are in the Cyber Division," he adds. "There are a lot of very talented people outside the Cyber Division, some have worked in other areas…the goal is to start to pick up in the investigative realm and lift the abilities of all employees, so they have a basic understanding of cyber and digital threats today."</p><p>To do this, the FBI has employees undergo a cyber talent assessment which looks at the skill sets they brought with them when they were hired, the skills they have learned on the job, and their aptitude for formalized and informalized training on cybersecurity and technology. </p><p>The FBI then sorts employees into three categories: beginners, slightly advanced, or advanced. Employees are then sent to outside educational courses, such as those provided by the SANS Institute or partnering universities, to learn more about cybersecurity and bring that knowledge back to the FBI. The FBI also works with the private sector to embed employees to teach them specialized skills, such as how SCADA networks operate.</p><p>In 2016, Caliano says, the FBI identified 270 employees for cyber training who were not part of the Cyber Division. Approximately two-thirds of those employees were categorized as beginners at the outset, and Caliano says the Bureau plans to continue the assessments and training for the foreseeable future.</p><p>And for its specialized teams, the FBI is continuously developing in-house training that will eventually be offered to the entire FBI. 
</p><p>"One day, all FBI employees will take these courses and pass these courses," he says. "People will understand what depth and defense mean, how to secure networks, and trace IP addresses."</p><p>These specialized teams include its Cyber Action Team (CAT), which is made up of employees who deploy when a major cyber incident occurs. For instance, when the Sony Pictures hack occurred in 2014, the initial FBI response team included a few members who were also CAT members and were sent to the scene.</p><p>Once the FBI became aware of the severity of the incident, it sent a full CAT to Sony's headquarters to sit with the network operators and comb through their logs to see how the attack spread.</p><p>While this training provides professional development opportunities to current employees, the FBI is also focused on identifying future talent that can be recruited into the FBI. </p><p>"We can't compete with dollars, but we can compete on mission," Caliano says, adding that the FBI often gets to look at cyber threats and address them in a way that the private sector does not, providing employees a "deeper sense of fulfillment."</p><p>To attract talent, the FBI has a variety of initiatives including an Honors Intern Program open to all college students. It also has a postgraduate program where the FBI will pay for a graduate or doctoral student's degree. It's also reaching out to students at the high school level through its Pay It Forward program, which engages students in math, science, and technology who might show cyber aptitude.</p><p>"We are, as a workforce planning objective, training at schools—driving down to the high school level," Caliano tells Security Management.</p><p>Another new recruiting channel has been championed by Wiswell since she left the DoD in 2017. After leaving the public sector, she went to work at GRIMM, a cybersecurity engineering and consulting firm, as a principal consultant. 
One of her main responsibilities is to oversee its GRIMM Academic Partnership Program that runs the HAX program.</p><p>Through HAX, undergraduate cybersecurity clubs can participate in friendly competitions and gain hands-on cyber experience. GRIMM has partnered with Penn State University at Altoona's Security Risk Analysis Club and Sheetz Entrepreneurial Fellows Program, the Michigan Technological University (MTU) Red Team, George Mason University Competitive Cyber Club, and the Rochester Institute of Technology's Rochester Cybersecurity Club.</p><p>Throughout the academic year, participants in HAX break into teams to complete programs designed by GRIMM engineer Jamie Geiger that are similar to computer Capture the Flag challenges. While participants have the option to compete individually, Wiswell says she encourages students to create a team to hone their communication skills.</p><p>"A lot of this field has an individualist focus a lot of the time, and what's really needed is the ability to communicate well, both up and down, to work well on teams, and to have effective analytical skills," she explains. "The kinds of things that you learn well by doing these kinds of team-based challenges."</p><p>GRIMM chose these programs in particular to create a talent pipeline for the company, which has offices in the Washington, D.C., area and in Michigan—near two of the universities it's partnered with. By engaging college students through HAX, GRIMM hopes to create a talent pipeline and increase diversity on its own staff.</p><p>"HAX is an effort to do both those things," Wiswell says. "We are kind of do-gooders on one hand. If folks that are participating in the program have no interest in coming to work for GRIMM, that's fine. 
We just hope that they use their talents and go somewhere."</p><p>That's why the challenges and the experience to connect with people working in cybersecurity are important, according to Wiswell, because it helps students make informed decisions about what they would like to do after graduation.</p><p>"We're trying to think outside the box in ways that students feel very well rounded, so students can make decisions on what sliver of this workforce is most interesting," Wiswell says, explaining that current challenges are focused on Linux and Microsoft systems, but in the future, might include hardware and other areas. </p><p>And to gain even more experience before graduation, Wiswell says she encourages students to take part in bug bounty programs to get connected to companies that might one day hire them.</p><p>"If you already have a lot of good skill and you're trying to hone skill—and make some cash—we think that bug bounty programs are a great way to do that," Wiswell explains to Security Management. "GRIMM is partnered with a couple bug bounty as a service providers to help them get in a broader group of individuals who are interested in participating, as well as companies that could benefit from hosting bug bounties themselves."</p>
https://sm.asisonline.org/Pages/book-review-managers-guide-to-esrm.aspx
Book Review: The Manager's Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security
<p><em>Rothstein Publishing; Rothstein.com; ebook; $14.49.</em></p><p>The security landscape is evolving at an enormous speed. Volatility, uncertainty, complexity, and ambiguity are the new normal. So, how do you address security challenges in such an environment? The answer is through enterprise security risk management (ESRM), an integrated risk-based approach to managing security risks. It brings together cyber, information, physical security, asset management, and business continuity. ASIS has made ESRM a global strategic priority.</p><p>In the <em>Manager's Guide to Enterprise Security Risk Management,</em> authors Allen and Loyear provide a comprehensive overview of the principles and applications underlying the ESRM philosophy. They set the stage in the first part of the book with an introduction to ESRM and share some important insights on the differences between traditional security and the ESRM approach, illustrating their points with examples.</p><p>The second part of the book guides the reader through the implementation of an ESRM program. One excellent chapter promotes design thinking as a conceptual model for ESRM. A design thinking approach can provide a unique platform for innovation and overcoming new security challenges.</p><p>Finally, the book provides insights and strategies to ensure the success of the ESRM program. 
It explains what an executive needs to know about ESRM, and gives readers the tools to succeed.</p><p>In sum, this guide accomplishes exactly what it set out to do—provide security leaders and managers with the principles and applications to explore, design, implement, and secure the success of an ESRM program.</p><p>Note: The authors of this book recently published a more detailed look at ESRM in <em>Enterprise Security Risk Management: Concepts and Applications</em>, also published by Rothstein.</p><p><em>Reviewer: Rachid Kerkab has almost two decades of experience in criminology, security strategy, risk, and resilience. He is a member of ASIS.</em></p>