security


Information Security Compliance Associate

The nature of audit is changing as the systems which underlie our operations become more sophisticated and robust. With this increased sophistication comes increased reliance on technology-related controls to mitigate operational and financial risk, as well as increased access to transaction-level data. You will be responsible for assisting in all aspects of execution: from identifying opportunities for us to focus on, to developing the infrastructure and analyses to make progress in those areas. Further, you will serve as an Information Technology subject matter specialist and support the execution of Operational, Financial and Technology-related reviews. 

In this capacity you will execute planned audit procedures, working to identify any issues and solve problems at the root cause. You’ll help the team understand how the audit function supports our overall business objectives and participate in scoping internal audits and risk assessments through an established process. You’ll be on top of deadlines and will create scalable reporting systems to communicate results of audits to both internal audiences and regulatory compliance agencies. You have a hands-on, tactical approach for resolving issues, and an eye for detail ensures that everything is balanced at the end of the day.

https://www.indeed.com/viewjob?jk=4935c12a6c9c3e00&tk=1ci6t2i20b960c6c&from=serp&vjs=3

The post Information Security Compliance Associate appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Mimecast acquires Ataata to improve #cyber #security #training

Mimecast Limited today announced it has acquired the cyber security training and awareness platform Ataata. The acquisition aims to let customers measure the effectiveness of cyber risk training by converting observed behavior into actionable risk metrics for security professionals.

According to research Mimecast conducted with Vanson Bourne, 90 percent of organizations have seen phishing attacks increase over the last year, yet only 11 percent responded that they continuously train employees on how to spot cyberattacks.

The acquisition of Ataata will offer customers a single cloud platform engineered to mitigate risk and reduce employee security mistakes: it calculates each employee's security risk from sentiment and behavior, then connects them with training content based on their score and recommended areas for improvement.

“Cybersecurity awareness training has traditionally been viewed as a check the box action for compliance purposes, boring videos with PhDs rambling about security or even less than effective gamification which just doesn’t work. As cyberattacks continue to find new ways to bypass traditional threat detection methods, it’s essential to educate your employees in a way that changes behavior,” said Peter Bauer, chief executive officer and founder of Mimecast.

“According to a 2017 report from Gartner, the security awareness computer-based training market will grow to more than $1.1 billion by year-end 2020. The powerful combination of Mimecast’s cyber resilience for email capabilities paired with Ataata’s employee training and risk scoring will help customers enhance their cyber resilience efforts.”

Source: https://www.techradar.com/news/mimecast-acquires-ataata-to-improve-cyber-security-training


IT Security Analyst Intern

Chenega Professional & Technical Services (CPTS) is seeking an IT Security Analyst, Intern to provide support to NASA – AMES Research Center (ARC) within the Information Technology Services.
Essential Duties and Responsibilities: (Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions of this position)
  • Under direct supervision, performs packet analysis, identifies malformed packets, and analyzes packet payloads across network protocols and routing.
  • Writes and maintains processes, procedures, test/assessment results, presentations, papers, articles, and other types of documents as required.
Non-Essential Duties:
  • Other duties as assigned.
Supervisory Responsibilities:
  • None.
Minimum Qualifications: (To perform this job successfully, an individual must be able to perform each essential duty satisfactorily.)
  • High School Diploma or GED.
  • Zero (0) to Two (2) years of related experience.
  • Must have an understanding of commonly used network services (e.g. domain name server (DNS), mail, web, and other less common network services).
  • Must be able to obtain required NASA badge.
  • Must be able to provide a certified Birth Certificate (with state seal), Passport, or INS Citizenship documents on date of hire (candidate will be sent home if this paperwork is not provided upon arrival on date of hire).
  • Must have, and maintain, a valid driver’s license.
Knowledge, Skills and Abilities:
  • Good organizational and planning skills
  • Excellent communication skills
  • Proven ability to pay close attention to detail
  • Ability to work independently but follow specific detailed instructions
  • Ability to interface with various levels of personnel in a multi-cultural, team-oriented environment
Diversity:
  • Shows respect and sensitivity for cultural differences; Educates others on the value of diversity; Promotes a harassment-free environment; Builds a diverse workforce.
Ethics:
  • Treats people with respect; Keeps commitments; Inspires the trust of others; Works with integrity and ethically; Upholds organizational values.
Physical Demands:
  • The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
  • While performing the duties of this Job, the employee is regularly required to sit and talk or hear. The employee is frequently required to walk; use hands to finger, handle, or feel and reach with hands and arms. The employee is occasionally required to stand; climb or balance and stoop, kneel, crouch, or crawl. The employee must occasionally lift and/or move up to 25 pounds. Specific vision abilities required by this job include close vision.
Work Environment:
  • The work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job.
  • The employee will normally work in a temperature-controlled office environment, with frequent exposure to electronic office equipment.
  • During visits to areas of operations, may be exposed to extreme cold or hot weather conditions. Is occasionally exposed to fumes or airborne particles, toxic or caustic chemicals, and loud noise.
Chenega Corporation and family of companies is an EOE.
Equal Opportunity Employer Minorities/Women/Veterans/Disabled/Sexual Orientation/Gender Identity
Native preference under PL 93-638.
We participate in the E-Verify Employment Verification Program.

Job: Information Security
Primary Location: United States-California-San Francisco
Organization: Chenega Professional & Technical Services
Recruiter: Anne Goldberg

Source: https://nationalcybersecurity.com/it-security-analyst-intern


Enterprise Security IT Intern

As an Enterprise Security IT Intern you will assist in driving a global Identity and Access Management program, and will be responsible for fulfilling access requests, revoking access rights, troubleshooting incidents and user issues, and completing projects as determined by the Team Lead and Manager.
This position has responsibility for ensuring successful completion of user access requests across Diebold Nixdorf globally, and at all levels of the organization. This position has responsibility for the entire life-cycle of access management, including access provisioning, modification, and revocation.
  • Quickly, accurately, and appropriately provision access rights for users according to access requests
  • Quickly, accurately, and appropriately work through the termination process for users who have left the Company, including identifying all access rights for terminated users in all disparate systems, and disabling those rights to prevent unauthorized access
  • Troubleshooting user access related issues and incidents to ensure end users are successfully able to use systems and perform job functions
  • Completing projects as determined by Team Lead and/or Manager, possibly including audit remediation efforts, system access clean up efforts, analysis of inappropriate access rights, process/procedure improvement projects, etc.

Qualifications

Requirements:
  • Must be currently attending a college or university pursuing an Information Technology, Cyber Security or related degree
  • Must have and maintain a 3.0 GPA or above
  • Experience in PC hardware and software – installing, troubleshooting, resolving issues
  • Microsoft Office (Word, PowerPoint, Excel, Outlook)
  • Interest in troubleshooting issues and resolving problems and being mentally capable of dealing with problems and challenges on a daily basis
  • Ability to communicate effectively verbally (face to face and over the phone) as well as in writing (email, instant messaging, documents)

Diebold Nixdorf, Incorporated is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, marital status, age, national origin, genetic information, disability or protected veteran status.

Source: https://www.indeed.com/viewjob?jk=dfc04d90556f95ce&tk=1ci5atlsobv0mbt5&from=serp&vjs=3


US #Gov’t #Agencies Fail to #Implement #Anti-Hacking #Security #Measures

Chief Information Officers (CIOs) at 24 US government agencies have yet to act on hundreds of recommendations to improve cybersecurity and protect personal information, the Government Accountability Office (GAO) said in a report on Wednesday.

“GAO’s preliminary results suggest that none of the 24 selected agencies have policies that fully address the role of their CIO, as called for by federal laws and guidance,” a press release summarizing the report said.

In recent years, the GAO has made 2,700 recommendations to improve the security of US federal information systems, the release explained.

“These recommendations identified actions for agencies to take to strengthen their information security programs and technical controls over their computer networks and systems,” the release said.

As of May 2018, about 800 of the information security-related recommendations had not been implemented, the release concluded.

In April, the Democratic National Committee (DNC) sued the Trump campaign, WikiLeaks and Russia over the 2016 hack of its emails.

Cybersecurity is gaining importance in the modern world, as states’ critical infrastructure increasingly depends on data security as technology develops. In July 2017, Donald Trump’s administration announced it was finalizing plans to overhaul the US military command for defensive and offensive cyber operations, in hopes of strengthening America’s ability to wage cyberwar against foes.


Information Security & Privacy Associate Analyst

Partners HealthCare (PHS) – Somerville, MA

As a not-for-profit organization, Partners HealthCare is committed to supporting patient care, research, teaching, and service to the community by leading innovation across our system. Founded by Brigham and Women’s Hospital and Massachusetts General Hospital, Partners HealthCare supports a complete continuum of care including community and specialty hospitals, a managed care organization, a physician network, community health centers, home care and other health-related entities. Several of our hospitals are teaching affiliates of Harvard Medical School, and our system is a national leader in biomedical research.

We’re focused on a people-first culture for our system’s patients and our professional family. That’s why we provide our employees with more ways to achieve their potential. Partners HealthCare is committed to aligning our employees’ personal aspirations with projects that match their capabilities and creating a culture that empowers our managers to become trusted mentors. We support each member of our team to own their personal development—and we recognize success at every step.

Our employees use the Partners HealthCare values to govern decisions, actions and behaviors. These values guide how we get our work done: Patients, Affordability, Accountability & Service Commitment, Decisiveness, Innovation & Thoughtful Risk; and how we treat each other: Diversity & Inclusion, Integrity & Respect, Learning, Continuous Improvement & Personal Growth, Teamwork & Collaboration.

General Overview

With guidance from senior members of the team, this individual assists with the Partners HealthCare enterprise-wide information security risk management program through active engagement with business owners including information gathering, risk analysis, and reporting.

The Information Security & Privacy Associate Analyst (ISPAA) is responsible for coordinating and scheduling information security & privacy assessments with business owners, working with team members to conduct assessments and develop remediation plans using evolving business processes and tools, documenting the effort in Archer, and following up with business owners on remediation plans.

Principal Duties and Responsibilities

1. Work with team members to coordinate and perform information system and third-party risk assessments, following a NIST-based methodology.

2. Assist in guiding business owners and end-users on the implementation of solutions that comply with IS security policies and standards.

3. Assist in prioritizing departmental tasks including new risk assessments and cybersecurity variance requests according to departmental processes.

4. With guidance from other team members, document assessments, variances, findings, and remediation plans in Archer.

5. Maintain a current knowledge of applicable federal and state privacy laws and accreditation standards, and monitor advancements in information privacy and security technologies to ensure adaptation and compliance.

6. Maintain awareness of new technologies and related opportunities for impact on system or application security.

7. Conduct information security research to keep abreast of the latest security issues, testing tools, techniques, and process improvements in support of security event detection and analysis.

8. Use the Partners HealthCare values to govern decisions, actions and behaviors. These values guide how we get our work done: Patients, Affordability, Accountability & Service Commitment, Decisiveness, Innovation & Thoughtful Risk; and how we treat each other: Diversity & Inclusion, Integrity & Respect, Learning, Continuous Improvement & Personal Growth, Teamwork & Collaboration.

9. Local travel to PHS sites.

10. Perform other duties as assigned.

Qualifications
Bachelor’s degree (B.A. / B.S.) or equivalent in computer science, business administration, or equivalent discipline from an accredited college or university required.

1-2 years of experience in IT/IS required.
1-2 years of exposure to information security or information privacy functions.
Knowledge of HIPAA, HITECH, Mass ID Theft regulation 201 CMR 17, and other appropriate information security and information privacy regulatory requirements for healthcare entities a plus.
Knowledge of NIST 800-53, ISO 27K, GDPR, PCI-DSS is desirable.
Legal background is desirable.
Any of the following certifications is a plus: ITIL, PMP, or any of the following information security certifications: CISSP, HCISSP, CISM, CISA, CIPP, CIPM, CIPT, CPHIMS, PCIP, GSEC, GCIH, GCFE, GCFA, CEH, GPEN.

Skills, Abilities and Competencies

1. The candidate for this role must have very strong business and analytical skills to represent the information security & privacy office policies.
2. Outstanding time management and organizational skills required.
3. An ability to work under the required guidelines and deliver on business/project requirements.
4. Ability to work with both team members and staff in a professional manner.
5. Comfortable working in a dynamic environment with multiple work streams, goals, and objectives.
6. Ability to recommend to the ISPO leadership team how project-related tasks should be prioritized.
7. Excellent written and verbal communication and effective interpersonal skills are critical.
8. Understanding of Windows, Unix/Linux operating systems, security administration, virtualization, and TCP/IP networking.
9. Ability to work independently with minimal supervision.

EEO Statement: Partners HealthCare is an Equal Opportunity Employer & by embracing diverse skills, perspectives and ideas, we choose to lead. All qualified applicants will receive consideration for employment without regard to race, color, religious creed, national origin, sex, age, gender identity, disability, sexual orientation, military service, genetic information, and/or other status protected under law.

Primary Location: MA-Somerville-Assembly Row – PHS
Work Locations: Assembly Row – PHS, 399 Revolution Drive, Somerville 02145
Job: Information Security
Organization: Partners HealthCare (PHS)
Schedule: Full-time
Standard Hours: 40
Shift: Day Job
Employee Status: Regular
Recruiting Department: PHS Information Systems
Job Posting: May 24, 2018


Pen #testers #break down #bank security #flaws

While banks have built effective barriers for external attacks, researchers warn they have not done nearly as much work to fight threats on their internal networks.

Earlier this month, a third-party software vulnerability resulted in a Mexican bank heist that scored at least $15.4 million.

In early 2017 there was a surge of attacks targeting card processing in Eastern Europe which scammed nearly $100 million, and later that year intruders attacked the Far Eastern International Bank in Taiwan, making transfers to accounts in Cambodia, Sri Lanka, and the U.S. that totaled $60 million.

Positive Technologies researchers examined how cybercriminals are able to pull off such massive financial heists from behind their keyboards, emulating criminal tradecraft in penetration tests to gain insight into the vulnerabilities banks commonly share.

The firm said it found vulnerabilities in every bank it has penetration tested: half of the banks had insufficient protection against recovery of credentials from OS memory, a quarter used dictionary passwords, and nearly a fifth (17 percent) stored sensitive data in cleartext.

Positive Technologies would not specify the number of banks in its study but did emphasize the need for banks to enact strong password policies as 50 percent of those tested used dictionary passwords.

Researchers added that a quarter of these banks used the password “P@ssw0rd” as well as such common combinations as “Qwerty123,” empty passwords, and default passwords such as “sa” or “postgres”.

The most common vulnerabilities were outdated software (found at 67 percent of banks), sensitive data stored in cleartext (58 percent), dictionary passwords (58 percent), use of insecure data transfer protocols (58 percent), and remote access and control interfaces available to any user (50 percent).

Less common vulnerabilities included anti-DNS pinning, SQL injection, arbitrary file upload, XML external entity (XXE) injection, and cross-site scripting (25 percent).

Other common weaknesses that enable infections are use of outdated software versions and failure to install OS security updates, configuration errors, and absence of two-factor authentication for access to critical systems.

As a result of these vulnerabilities, attackers would be able to obtain unauthorized access to financial applications at 58 percent of banks and penetration testers were able to compromise ATM management workstations used at 25 percent of the banks studied.

Researchers were also able to move money to criminal-controlled accounts via interbank transfers at 17 percent of the banks tested.

It’s important to realize that banks suffer from the same problems as other companies and typical attack vectors stem from a weak password policy and insufficient protection against password recovery from OS memory.

Similar to physical bank robberies, cybercriminals survey and prepare in advance to attack their targets, sometimes leveraging insider personnel.

“Since use of external resources can be detected by security systems, in order not to get caught during this initial stage, criminals resort to passive methods of obtaining information: for example, identifying domain names and addresses belonging to the bank,” researchers said in the report. “At the survey stage, unscrupulous bank employees are actively engaged as well.”

Researchers found numerous posts on web forums from insiders looking to disclose their employers’ information for a fee.

“The bottom line is, banks are not ready to defend attacks from the internal intruder today,” Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, told SC Media. “Despite the high level of protection of the network perimeter, attacks using social engineering techniques and so-called watering hole attacks allow attackers to enter the internal network of the bank.”

Galloway went on to say that cybercriminals can covertly be present in the infrastructure for a long time while learning the actions of employees and administrators, all while hiding their attack from security systems under the guise of the legitimate actions of the employees whose computers they hacked into.


International Workshop on Future Information, Security, Privacy and Forensic for Complex Systems (FISP)

General Cybersecurity Conference

August 13 – 15, 2018 | Gran Canaria, Spain

Cybersecurity Conference Description

Availability, integrity and secrecy of complex information systems are increasingly important requirements for modern society and for nations, as with every passing day computers control and administer more and more aspects of human life. We entrust much of our lives to information and computer technologies (ICTs). However, it is a difficult and challenging task to understand security risk and to provide effective security solutions, as attackers only need to find a single vulnerability while developers and system administrators need to find and fix all vulnerabilities. In addition, cyberspace is considered the fifth battlefield after land, air, water and space.

The aim of FISP-2018 is to provide a premier international platform for a wide range of professionals, including scholars, researchers, academics and industry practitioners, to discuss and present the most recent challenges and developments in “Information Security, Privacy and Forensics for Complex Systems” from the perspective of providing security awareness and best practices for the real world. Following the success of the previous edition (FISP’2017), held in conjunction with the 12th International Conference on Future Networks and Communications 2017 (FNC-2017) in Belgium, the fourth International Workshop on Future Information Security, Privacy and Forensics for Complex Systems (FISP-2018) continues to invite novel, high-quality research contributions as well as state-of-the-art reviews in the field of information security and privacy. We anticipate that this workshop will open new avenues for further research and technology improvements in this important area.


USENIX Workshop on Advances in Security Education (ASE)

General Cybersecurity Conference

August 13, 2018 | Baltimore, Maryland, United States

Cybersecurity Conference Description

The 2018 USENIX Advances in Security Education Workshop (ASE ’18) will be co-located with the 27th USENIX Security Symposium, and is intended to be a venue for cutting-edge research, best practices, and experimental curricula in computer security education.

The workshop welcomes a broad range of paper and demo submissions on the subject of computer security education in any setting (K–12, undergraduate, graduate, non-traditional students, professional development, and the general public) with a diversity of goals, including developing or maturing specific knowledge, skills and abilities (KSAs), or improving awareness of issues in the cyber domain (e.g., cyber literacy, online citizenship). ASE is intended to be a venue for educators, designers, and evaluators to collaborate, share knowledge, improve existing practices, critically review state-of-the-art, and validate or refute widely held beliefs.


SANS Security Awareness Summit

General Cybersecurity Conference

August 6 – 15, 2018 | Charleston, South Carolina, United States

Cybersecurity Conference Description

The 5th annual SANS Security Awareness Summit is on and it’s lining up to be bigger and better than ever. Every year, we strive to provide the very best forum for security awareness officers looking to take their program to the next level! Our promise is to provide actionable lessons you can take back and apply right away within your own organization, with a focus on your industry, employee base, and current maturity level. This two-day Summit includes expert awareness-focused talks, interactive discussions, networking events, and more!

The 2018 Security Awareness Summit will feature:
  • Video Wars: Watch the different training videos organizations have created and hear from them how they created the videos, what worked and did not work, and why.
  • Show-n-Tell booths: We have expanded the highly popular Show-n-Tell booths to support more booths and a dedicated session for attendees to interact with all the different awareness materials organizations have developed. This is a great opportunity to learn how organizations made the materials, which ones were the most effective and why.
  • Onsite lunches: Stay for lunch and mix/mingle with other attendees.
  • Interactive Workshops: In addition to industry-leading talks we will host several hands-on workshops where you actually plan and build elements of your awareness program. From phishing assessments and ambassador programs to planning your own escape room, these highly interactive sessions are often the most popular of the summit.
  • Evening socials: Take a chance to unwind and socialize with your peers at organized social events every night.
