InfoSecurity Professional (ISC)2 - March/April 2021 - Securing Cloud Endpoints, Dialing in Smishing
INFOSECURITY PROFESSIONAL, MARCH/APRIL 2021
A Publication for the (ISC)2® Membership

Cover stories: Tips for Hardening Multi-Cloud Environments; Reining in IoT Risks; Securing Cloud Endpoints; Dialing in Smishing

(ISC)² VISION: INSPIRING A SAFE AND SECURE CYBER WORLD

CONTENTS • MARCH/APRIL 2021 • VOLUME 14 - ISSUE 2

Managing cloud endpoints can be difficult but is doable with the right approach. PAGE 26

FEATURES

21 Reining in the Risk
BY MATT GILLESPIE
The IoT universe comprises billions of small-footprint devices that are not designed or manufactured to enterprise-grade security standards. Understanding and mitigating the risk requires revisiting what’s on the network, what it’s doing, and whether it should be there at all.

26 Tips for Managing Vulnerabilities on Cloud Endpoints
BY ÓSCAR MONGE ESPAÑA, CISSP
Typically, on-prem vulnerability assessments involve a network vulnerability scanning solution. This approach we’re all familiar with, but cloud networks can be dynamic and carry restrictions to network scans. So, what can you do?

29 Dialing in Vishing and ‘Smishing’ Attacks
BY DANIEL ADDINGTON, CISSP; MIKE MANROD, CISSP; AND RYAN MAULDIN, CISSP
Bad actors are exploiting a fundamental flaw within telecommunications trust to impersonate callers on phone and text messages. It’s time to build a trust hierarchy to shut them down.

DEPARTMENTS

5 Editor’s Note
An unintended consequence of vishing.
BY ANNE SAITA

8 Executive Letter
Continuing education and the pandemic pressure test.
BY DR. CASEY MARKS, (ISC)2 CHIEF PRODUCT OFFICER AND VP

10 Field Notes
How to harden multi-cloud environments; top-rated (ISC)2 webcasts; Singapore and Japan chapters celebrate successful Secure Summits; ‘How I Got Here’ with system engineer and career coach Katia Dean; and more.

19 Help Wanted
Before you head into a job interview, here are some tips to make that video conference call a success.
BY DEBORAH JOHNSON

34 Center Points
How we delivered on our mission despite a pandemic keeping us far from each other.
BY PAT CRAVEN

35 Buzzworthy
A roundup of what’s being said and heard around (ISC)2 channels.

7 Advertiser Index › Learn how to earn free CPE credits

Cover illustration by Jeff Mangiat. Illustration (above) by Raul Allen.

InfoSecurity Professional 3 March/April 2021 › CONTENTS
ADVERTISEMENT: Cybersecurity is Only as STRONG as its WEAKEST Link

The cybersecurity of your organization can be thought of as a chain. And every chain is only as strong as its weakest link. How strong are the links in your organization’s cybersecurity?

Stronger Cybersecurity Starts with CISSP. CISSP certification arms your employees with the expertise to design, engineer, implement and run a premier information security program. Make your people your greatest strength and protection. Certify them with CISSP.

Get The Definitive Guide for Cybersecurity and Business Prosperity. Become CISSP Strong.
EDITOR’S NOTE
Don’t Call Us; We’ll Call You
BY ANNE SAITA, EDITOR-IN-CHIEF

IF YOU OWN A PHONE—any phone—eventually you start getting vished. These phone calls and voice messages appear to come from trusted numbers in an attempt to gain sensitive information. These scams really ramped up once we all were at home and felt compelled to answer unknown or local numbers that may belong to co-workers, clients or prospective employers.

One of this issue’s features takes on this topic. While reading it, I keyed in on a warning that any new policy or protocol to curb vishing and number spoofing could also impact legitimate business operations. I immediately thought of such a staple: cold calling.

No one likes cold calling. No one. But if you work in certain fields, like sales and marketing, you know it’s a part of the job. And if you work in IT, you should know how sales and marketing functions influence your security posture. Know too that an inability for sales to do comprehensive outreach limits efforts and, ultimately, revenues, which eventually trickles down to resource reductions.

We’re now so conditioned to expect robocalls that we usually let any unsolicited or unanticipated call go to voicemail as a screen. But that hasn’t stopped Google Business from hounding me daily about lost opportunities (despite call blocks) or to hear a live voice allegedly from Microsoft alerting our all-Mac shop that they’ve detected serious issues with our operating systems.

I unlisted a landline years ago after discovering the number’s previous owner had absconded with a lot of people’s money and everyone thought I was her just using a new alias. I now alert people ahead of time, regardless of which phone number I use, when to expect a call from me no matter how it shows up on caller ID.

Many of us now ignore calls from all but select family, friends, co-workers and service providers. That strategy worked for me until one day a phone number from my old area code popped up on my personal phone and I let it go to voicemail. The caller hung up and tried once more. This time I picked it up, heard initial silence and hung up believing it was another voice-activated vishing call. I thought nothing of it until months later when an old friend I hadn’t talked to in years died. That mysterious call had been him wanting to say goodbye. He died thinking I didn’t want to hear from him, when, really, quite the opposite was true. Yes, unsolicited phone calls can be annoying, even dangerous. Sometimes, though, they carry unintended yet painful consequences. ○

Anne Saita lives and works in San Diego. She can be reached at asaita@isc2.org. Photograph by Louise Roup.

CONTRIBUTORS

Matt Gillespie is an independent technology writer working out of Chicago. In addition to cybersecurity, he’s most recently focused on multi-cloud computing, machine learning, IoT, IT Ops, analytics, HPC and software-defined infrastructure. He can be found at www.linkedin.com/in/mgillespie1/.

Óscar Monge España, CISSP, CCSP, is a seasoned information security professional with more than 17 years of experience. He currently works as a security solutions architect for Rabobank, helping shape the security monitoring direction for both on-premises and cloud and its technology integration.

A trio of CISSPs from Grand Canyon Education in Phoenix round out our roster of authors this issue. CISO Mike Manrod, IT Security Manager Daniel Addington and Senior Telecommunications Engineer Ryan Mauldin collectively have decades of strategic and operational IT experience that they are eager to share with colleagues.

Did the 1980s toy and cartoon series Transformers once capture your imagination? This month’s cover illustrator, Jeff Mangiat, created the original box art for toymaker Hasbro. Mangiat has illustrated in a photo realism style for national magazines, advertising, book and product art industries. His new graphic style depicts a cowboy reining in IoT icons—all with a nod to Western-style art. Mangiat was also the illustrator for our 2019 award-winning article “Beyond Blockchain Hype.”
ADVERTISEMENT: EXPERT SECURITY to Command the Cloud

Gain more credibility, recognition and versatility with the CCSP certification. Considered the industry’s premier cloud security certification, the CCSP broadens your operational knowledge beyond vendor-specific platforms, differentiating you as a leader in cloud security architecture, data security and infrastructure. As a CISSP, you meet all CCSP experience requirements and are immediately eligible to sit for the exam.

Elevate your skill set to realize…
• Instant differentiation as an authority figure on cloud security, proving proficiency to keep up with new technologies, developments and threats.
• Unique recognition for achieving the highest standard of cloud security expertise.
• Enhanced acumen to stay ahead of cloud security best practices, evolving technologies and mitigation strategies.
• Versatility to apply knowledge and skills across a variety of cloud platforms.
• Career advancement opportunities by expanding into cloud services or moving into more strategic roles.

CCSP was just named "The Next Big Thing" by Certification Magazine (2021)!

The cloud allows businesses of all sizes to increase efficiency, agility and deployment speed. But security concerns remain high, especially with the accelerated shift to remote work environments. Now, more than ever, companies need expert security professionals, like you, to command the cloud. Dive in now. Lead the Way.
INFOSECURITY PROFESSIONAL
A Publication for the (ISC)2 Membership
(ISC)2®: Inspiring a safe and secure cyber world
isc2.org | community.isc2.org

(ISC)2 MANAGEMENT TEAM
Executive Publisher: Timothy Garon, 571-303-1320, tgaron@isc2.org
Director, Corporate Communications: Jarred LeFebvre, 727-316-8129, jlefebvre@isc2.org
Corporate Public Relations Manager: Brian Alberti, 617-510-1540, balberti@isc2.org
Manager, Member Communications: Kaity Pursino, 727-683-0146, kpursino@isc2.org
Communications Coordinator: Dimitra Schuler, 727-316-9395, dschuler@isc2.org

EDITORIAL ADVISORY BOARD
Brian Alberti, (ISC)2; Anita Bateman, U.S.; Felipe Castro, Latin America; Brandon Dunlap, U.S.; Rob Lee, EMEA; Jarred LeFebvre, (ISC)2

SALES
For information about advertising in this publication, please contact Vendor Sponsorship: Lisa Pettograsso, lpettograsso@isc2.org.

TWIRLING TIGER MEDIA MAGAZINE TEAM
Editor-in-Chief: Anne Saita, asaita@isc2.org
Art Director, Production: Maureen Joyce, mjoyce@isc2.org
Twirling Tiger Media is a women-owned small business. This partnership reflects (ISC)2’s commitment to supplier diversity.

READ. QUIZ. EARN.
Earn Two CPE Credits for Reading This Issue and Taking the Online Quiz. In order to earn the two CPE credits, you must pass the issue quiz. Please provide your name and (ISC)2 member number so that we can award the two CPE credits to your account. This typically takes up to 15 business days to be added to your account.
https://www.isc2.org/InfoSecurity-Professional/Magazine-Archive/Quiz/March-April-2021
Learn about more opportunities to earn CPE credits.

ADVERTISER INDEX
Center for Cyber Safety and Education .......... 2
(ISC)2 Stronger Cybersecurity Starts with CISSP .......... 4
(ISC)2 Expert Security to Command the Cloud .......... 6
(ISC)2 Professional Development Institute .......... 9
Penn State University .......... 11
Security Engineered Machinery (SEM) .......... 12
Securonix .......... 18
(ISC)2 Commit to Certification .......... 20
Galvanize .......... 28
Armis .......... 36

InfoSecurity Professional is produced by Twirling Tiger® Media, 10 Brassie Way, Mashpee, MA 02649. Contact by email: asaita@isc2.org. The information contained in this publication represents the views and opinions of the respective authors and may not represent the views and opinions of (ISC)2® on the issues discussed as of the date of publication. No part of this document print or digital may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of (ISC)2. (ISC)2, the (ISC)2 digital logo and all other product, service or certification names are registered marks or trademarks of the International Information Systems Security Certification Consortium, Incorporated, in the United States and/or other countries. The names of actual products and companies mentioned herein may be the trademarks of their respective owners. For subscription information, please visit www.isc2.org. To obtain permission to reprint materials, please email infosecproeditor@isc2.org. To request advertising information, please email lpettograsso@isc2.org. ©2021 (ISC)2 Incorporated. All rights reserved.
EXECUTIVE LETTER
The latest from (ISC)2 leadership
How Did Cybersecurity Education Stand Up to the Pandemic Pressure Test?
BY DR. CASEY MARKS, CHIEF PRODUCT OFFICER AND VICE PRESIDENT, (ISC)2

To say that last year was unexpected would be an understatement of generous proportions. Almost overnight, organizations migrated their operations to remote work environments and canceled travel budgets for their staff. Cybersecurity professionals were faced with the task of seeking out continuing education opportunities online in the wake of event cancellations throughout the year.

Looking back at how our own continuing education processes and offerings withstood the unique challenges of a global pandemic, we are now better prepared for whatever comes in the future.

Fortunately, the shift from in-person to online learning did not catch us unprepared. While we did need to make some changes to accommodate remote activities, many of the tools were already in place to do so. (ISC)2 had foreseen a globalized world in which much of its educational product catalog would eventually be delivered virtually, and we had been gradually moving that way already.

The launch of the Professional Development Institute (PDI) in 2019 meant that we already had a library of more than 30 on-demand courses available to support our members’ continuing professional education needs at a time when in-person events and other learning opportunities were not accessible. Throughout 2020, we added more course material and to date more than 75,000 courses have been completed, with a value in excess of U.S. $20 million.

Additionally, our official training courses were available digitally through our Official Training Providers all around the globe, enabling exam candidates to continue their preparation throughout the year. Many of our members are now pursuing additional certifications, including the increasingly popular CCSP and CSSLP.

One of the biggest continuing education opportunities we offer each year is our annual (ISC)2 Security Congress. When it became clear that holding a physical event would not be possible in 2020, we examined some of the informal learning elements of our award-winning webinar program in order to transform our event to a fully virtual one. It took a lot of ingenuity to reimagine the event, stand up a brand new online platform and deliver the type of conference our members are accustomed to, but the end result was wildly successful. Attendance more than doubled from the previous year, and the engagement and feedback were outstanding.

If anything, 2020 highlighted the robust capacity of (ISC)2 learning opportunities and showed us that we are on the right path for continuous delivery now and in the future. ○

Dr. Casey Marks is chief product officer and vice president of (ISC)2. He can be reached at cmarks@isc2.org.
ADVERTISEMENT: 40+ Courses, 120+ CPE Credits, FREE Member Benefit

Seeking more accessible ways to keep cybersecurity skills sharp and knowledge refreshed? (ISC)2 Professional Development Institute (PDI) has you covered with the flexibility of online, self-paced courses. Dive into our portfolio of more than 40 online courses – FREE for (ISC)2 members and available for purchase by non-members. Build skills and earn CPE credits, no travel required.

Stay on top of your craft with…
• Express learning courses on emerging topics and trends in 2 hours or less
• Immersive courses covering a variety of cybersecurity and IT security topics
• Lab courses that put specific technical skills to the test

Explore FREE Courses. To receive communications when new courses are released, add Continuing Education and Professional Development to your preferred communications at isc2.org/connect.
FIELD NOTES
A ROUNDUP OF WHAT’S HAPPENING IN (ISC)2 COMMUNITIES

5 TIPS FOR HARDENING MULTI-CLOUD ENVIRONMENTS
BY PAUL SOUTH

Jeremy Snyder of DivvyCloud traveled the globe for several years learning how companies large and small secure their multi-cloud environments. The result is a list of recommendations, which were broadcast in an (ISC)2 webcast, for how to improve your multi-cloud security posture. That goal is now more important than ever with the mass shift to remote work and bad actors seeking novel ways to infiltrate public, private and hybrid cloud infrastructures accessed from so many more entry points.

1. Gain visibility and define workloads
We’ve all heard it before, but it’s worth repeating: If you don’t know an asset exists, you can’t secure it. This is why Snyder ranks gaining visibility as a top priority. “There’s no way that you can’t have that visibility, know whether it’s in a secure state, whether it’s properly configured, properly secured, etc.,” he said. “So, you really have to have visibility in order to gain security around it.”

2. Focus on password policies, MFA and logs
Just as with on-premises data centers, all cloud environments demand established and enforced identity and access management systems that incorporate strong passwords, multi-factor authentication and auditable logs. Despite being a best practice, it’s one that often gets overlooked.

3. Clean up attack surfaces
While he acknowledged that he has sometimes received pushback about how hygiene impacts cloud security, Snyder points out that when larger firms go to the cloud, they sometimes tend to open their clouds more broadly. For example, a website is established to generate leads during a 30- or 60-day marketing campaign. But when the campaign ends, the site is now an “orphan,” a workload no longer serving a useful purpose while spreading an organization’s attack surface.

4. Pay close attention to perimeter security
More multi-cloud mistakes come from failing to properly follow the aforementioned recommendations. Once better cyber hygiene is established, along with better visibility and inventory building, it’s time to tighten your cloud security perimeter just as you would an on-premises data center. This means closing buckets and locking down ports.

5. Encrypt where needed
While the complexity of a cloud environment can make previously mentioned recommendations difficult, one suggestion that is actually easier in the cloud is encryption. All cloud providers now offer multiple encryption options, depending on workloads and the location of key data assets. This harkens back to earlier points about defining workloads and knowing a firm’s data assets. ○

Paul South is an Alabama-based freelance writer and regular contributor. An expanded version with more tips appeared in the November Cloud Security Insights newsletter. Both are based on a 2020 webcast on the same subject. Photograph by Getty Images.
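The five tips above are posture checks an inventory can answer mechanically. As an added example (not code from the webcast, DivvyCloud or (ISC)2), the Python below runs one check per tip over a constructed, provider-neutral inventory: the inventory dictionary, its field names and the port allowlist are assumptions made for this example rather than any provider's API, so a real run would fill the same shape from each cloud's inventory export.

```python
"""Posture checks for the five multi-cloud hardening tips (added example).

The inventory shape, field names and port allowlist are assumptions for the
example; nothing here calls a cloud API, so it runs offline.
"""
import ipaddress
from datetime import date

# Constructed sample inventory: one entry of each kind is deliberately weak.
INVENTORY = {
    "workloads": [
        # Tip 3: lead-generation site whose campaign ended and that has no owner
        {"id": "web-leadgen-2020q4", "owner": "", "campaign_end": "2020-12-15"},
        {"id": "api-prod", "owner": "platform-team", "campaign_end": None},
    ],
    "iam_users": [
        {"name": "alice", "mfa_enabled": True},
        {"name": "svc-deploy", "mfa_enabled": False},  # Tip 2: password only
    ],
    "firewall_rules": [
        {"name": "allow-ssh-any", "port": 22, "source": "0.0.0.0/0"},   # Tip 4
        {"name": "allow-https-any", "port": 443, "source": "0.0.0.0/0"},
        {"name": "allow-db-vpc", "port": 5432, "source": "10.0.0.0/8"},
    ],
    "buckets": [
        {"name": "marketing-assets", "public": True, "encrypted": True},    # Tip 4
        {"name": "customer-exports", "public": False, "encrypted": False},  # Tip 5
    ],
    "audit_logging_enabled": False,  # Tip 2: no auditable log trail
}

# Ports expected to be reachable from anywhere (web front ends); assumption.
PUBLIC_PORT_ALLOWLIST = {80, 443}


def orphaned_workloads(inv, today=None):
    """Tips 1 and 3: workloads with no owner or whose campaign end date has passed."""
    today = today or date.today()
    found = []
    for w in inv["workloads"]:
        end = w.get("campaign_end")
        expired = end is not None and date.fromisoformat(end) < today
        if not w.get("owner") or expired:
            found.append(w["id"])
    return found


def users_without_mfa(inv):
    """Tip 2: identities that can authenticate with a password alone."""
    return [u["name"] for u in inv["iam_users"] if not u.get("mfa_enabled")]


def world_open(source):
    """True when a CIDR covers every address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # unparseable source: treat as not provably open


def risky_open_ports(inv):
    """Tip 4: rules exposing non-web ports to the whole internet."""
    return [(r["name"], r["port"]) for r in inv["firewall_rules"]
            if world_open(r["source"]) and r["port"] not in PUBLIC_PORT_ALLOWLIST]


def public_buckets(inv):
    """Tip 4: object storage readable without authentication."""
    return [b["name"] for b in inv["buckets"] if b.get("public")]


def unencrypted_buckets(inv):
    """Tip 5: object storage without at-rest encryption."""
    return [b["name"] for b in inv["buckets"] if not b.get("encrypted")]


def run_posture_checks(inv, today=None):
    """Collect findings by tip; an empty dict means nothing needs fixing."""
    findings = {
        "orphaned_workloads": orphaned_workloads(inv, today),
        "users_without_mfa": users_without_mfa(inv),
        "risky_open_ports": risky_open_ports(inv),
        "public_buckets": public_buckets(inv),
        "unencrypted_buckets": unencrypted_buckets(inv),
        "audit_logging": [] if inv.get("audit_logging_enabled") else ["disabled"],
    }
    return {name: items for name, items in findings.items() if items}


if __name__ == "__main__":
    for check, items in run_posture_checks(INVENTORY).items():
        print(f"{check}: {items}")
```

The orphan check is the one that needs an inventory-time field: without a recorded owner and end date, the lead-generation site from tip 3 is indistinguishable from production, which is the visibility point of tip 1.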
FIELD NOTES

Transport Layer Security, Threat Intelligence Among Top-Rated (ISC)2 Webcasts

If you’re curious about what your peers were most interested in last year, we’ve compiled the top-rated/attended (ISC)² webinars for North America and the EMEA regions. All are available on demand through the BrightTALK platform and qualify for CPE credits.

Top Ten Rated 2020 North American (ISC)2 Webcasts
• Gigamon #1: Transport Layer Security (TLS) 1.3: A New Private World
  https://www.isc2.org/News-and-Events/Webinars/Security-Briefing?commid=382117
• Gigamon #2: Encrypted Things – Finding Threats in an Obscure World
  https://www.isc2.org/News-and-Events/Webinars/Security-Briefing?commid=385629
• Gamechanger! What We’ve Learned (So Far) from the COVID-19 Outbreak
  https://www.isc2.org/en/News-and-Events/Webinars/ThinkTank?commid=398917
• Key Insights from CyberEdge’s 2020 Cyberthreat Defense Report
  https://www.isc2.org/News-and-Events/Webinars/Security-Briefing?commid=397069
• Imperva #1: How Automated Attacks Can Derail Your Company’s Business
  https://www.isc2.org/News-and-Events/Webinars/Security-Briefing?commid=410529
• Navigating the Career Maze – Where Do I Go Next?
  https://www.isc2.org/en/News-and-Events/Webinars/ThinkTank?commid=421421
• Gigamon #2: What Zero Trust Networking Means for Network Visibility
  https://www.isc2.org/News-and-Events/Webinars/Security-Briefing?commid=430277
• Gigamon #3: Network Visibility in Today’s Complex World
  https://www.isc2.org/News-and-Events/Webinars/Security-Briefing?commid=433506
• Your Data Held Hostage: Understanding the Extensive Ransomware Threat
  https://www.isc2.org/en/News-and-Events/Webinars/ThinkTank?commid=443840
• The Infinite Variety of Phishing Attacks and the Security Controls to Address Them
  https://www.isc2.org/en/News-and-Events/Webinars/ThinkTank?commid=451089

Top Ten Rated 2020 EMEA (ISC)2 Webcasts
• Maximizing the Value of Threat Intelligence
  https://www.isc2.org/News-and-Events/Webinars/EMEA-Webinars?commid=450938
• Ransomware: New Variants and Better Tactics to Defend and Defeat These Threats
  https://www.isc2.org/News-and-Events/Webinars/EMEA-Webinars?commid=440633
• The Industrialization of Cybercrime and Evolution of Cybercrime Syndicates
  https://www.isc2.org/News-and-Events/Webinars/EMEA-Webinars?commid=446997
• Managing Shadow IT Realities with a Remote Workforce
  https://www.isc2.org/News-and-Events/Webinars/EMEA-Webinars?commid=425016
• TLS1.3: Two Years On
  https://www.isc2.org/News-and-Events/Webinars/EMEA-Webinars?commid=405854
• Minimizing Security Impacts of a Growing Remote Workforce
  https://www.isc2.org/News-and-Events/Webinars/EMEA-Webinars?commid=396642
• Encrypted DNS: Friend or Frenemy?
  https://www.isc2.org/News-and-Events/Webinars/EMEA-Webinars?commid=388560
• 10 Ways to Harden Your Multi-Cloud Security Posture
  https://www.isc2.org/News-and-Events/Webinars/EMEA-Webinars?commid=431552
• How to Get the Most Out of Your Security Investments
  https://www.isc2.org/News-and-Events/Webinars/EMEA-Webinars?commid=433272
• Is Encrypting Everything a Good Idea?
  https://www.isc2.org/News-and-Events/Webinars/EMEA-Webinars?commid=436867

ADVERTISEMENT: Earn your cybersecurity degree online. Strengthen your skills and gain expertise to help you succeed. worldcampus.psu.edu/isc2. A world of possibilities. Online.

ADVERTISEMENT: If you trust a third party with your end-of-life data, be prepared to pay the (staggering) cost.

Organizations are liable for data breaches caused by their third party ITAD vendors. There have been countless instances of third party negligence with regard to data disposal, and the resulting costs are staggering — millions of dollars in lawsuits and fines, as well as legal fees, administrative costs, and lost consumer confidence.

The answer is to destroy end-of-life data in-house using high security data destruction equipment. In business since 1967, SEM has earned a distinctive reputation as the industry leader and trusted source for all things data destruction. Our paper and IT shredders, disintegrators, crushers, and degaussers can be found throughout the DoD and Intelligence Community, US Embassies, US Treasury, and countless other government agencies, as well as in security-focused commercial organizations and data centers worldwide.

NSA/CSS Listed | NIST 800-88 Compliant | Low to High Volume | Office or Industrial | Custom Solutions for Complex Environments
800.225.9293 | www.semshred.com
FIELD NOTES
Q&A: HOW I GOT HERE
A MID-COURSE CORRECTION LEADS TO NEW GOALS
INTERVIEWED BY DEBORAH JOHNSON

Katia Dean, system engineer and career coach, received the 2020 (ISC)2 Rising Star Professional Award

What were your earliest interests that led you to the tech world?
When I was younger, my mom always had me in some kind of engineering or educational program in the summer. I knew that I was very analytical, structured, and liked to work on projects to stimulate my mind. However, in college, I was weak in math and science. I had a professor tell me that I needed to give up. Despite that advice, I was able to graduate with my engineering degree.

What led you to shift your career focus from electronic engineering to cybersecurity?
I had moved from Cleveland, Ohio, to Lexington Park, Md., where my dad lived and obtained my first job as a system test engineer. I volunteered at a STEM-ING (STEM-Inspiring the Next Generation) event for middle school and high school girls. The workshops on cybersecurity sparked my interest, so I searched out master’s programs. A friend recommended the University of Maryland University College; I went there and earned my master’s degree.

What were/are some of the struggles you faced in your career that led you to write your book and start your website?
The main struggle was being laid off for nine months. Despite having six years of experience and two STEM degrees, it was difficult finding employment again. I started to blog about my job-searching experience, what I learned from dealing with various recruiters, documenting the interview process and writing down goals. Even though I was going through a storm of my own, I was assisting other people in their careers. That kept me sane and helped me turn my negative situation into a positive experience.

You talk about the strong mentors you’ve had. How did they help you?
Having a mentor in your field will help you build confidence. During my graduate studies, I had a professor, a Black woman. This was the first time in my career that I saw someone who looked like me. She instilled in me that I had transferable skills to get into cybersecurity. Another mentor has assisted me throughout my career with various speaking engagements and building my personal brand.

What’s next for you in both your cybersecurity and coaching endeavors?
Whatever the universe has for me will be a major blessing. ○

KATIA DEAN
With a 2013 bachelor’s degree in electronic engineering from Cleveland State University, and a position as a system engineer, Katia Dean decided to shift focus to cybersecurity. She earned a master’s degree in cybersecurity technology 4.0 from University of Maryland University College in 2017 and is currently a system engineer at AnaVation LLC. She founded a website and blog, www.Katiascylife.tech, and has written The Struggle is Real: A Blueprint to Excelling into the Cybersecurity Discipline to help others build their careers.
FIELD NOTES
RECOMMENDED READING
Suggested by LARRY MARKS, CISSP, CISA, CISM, CFE, PMP, CRVPM, CRISC, CGEIT, ITIL, CDPSE

Third Party Risk Management: Complete Self-Assessment Toolkit
BY GERARDUS BLOKDYK (The Art of Service, 2020)

TO ASSIST ORGANIZATIONS in developing a third-party risk prevention program, The Art of Service, an Australia-based management consulting firm, has produced a comprehensive guide. Third Party Risk Management: Complete Self-Assessment Toolkit identifies the tools needed to implement a third-party vendor risk program. It includes a detailed checklist and a self-assessment tool scorecard. The checklist is organized by listing the key steps of identifying and controlling risk: recognize, define, measure, analyze, improve, control and sustain.

Firms that already have a risk management system will benefit from the detailed tactics that can prompt further evaluation of a third party or project. The 665 questions offered in the checklist can be expanded to help a firm evaluate the maturity of its third-party program. Not covered are contract and other legal issues involving business with third parties. But the book provides the guidance to find the answers to these questions.

Third Party Risk Management is high level and may be supplemented with other guidance such as onboarding a cloud provider. The controls and processes are the same; it’s the tactics and implementation that will differ. To promote best practices, the authors have created a useful tool to ensure that a user has evaluated the KPIs and risks of their program. This is a hefty book with a hefty price tag. However, this is one of the most unique and valuable tools that I have seen. ○

The author of Recommended Reading did not receive financial compensation from the book publisher, nor a free copy of this book. All opinions are his alone.

CISSP RECEIVES 2020 DOD DIGITAL MODERNIZATION AWARD
Mark Santaw honored for creating criminal data automation tool

MARK SANTAW, CISSP, recently received one of three individual 2020 Department of Defense CIO Awards for creating a tool to automate the importation of electronic criminal disposition data from military, state and federal law enforcement agencies to the FBI. That data currently is used as part of nationwide federal criminal history and weapons prohibition background checks.

Santaw, who earned his CISSP in 2003, is the Chief Information Officer for the U.S. Army Criminal Investigation Command. He was commended for developing a DOD cybersecurity-compliant 1MB system-agnostic tool that enables law enforcement agencies to easily convert 10,000 offender entries at a time into the proper format—within seconds. The same task previously took 15 minutes per offender. This more modern process has saved more than 20,000 manual processing hours across DoD Law Enforcement thus far. ○

Photo: Mark Santaw, CISSP, Chief Information Officer, U.S. Army Criminal Investigation Command. Photograph by Ronna Weyland, U.S. Army.
FIELD NOTES
CHAPTER SPOTLIGHT

(ISC)2 SINGAPORE AND JAPAN CHAPTERS ORGANIZE SUCCESSFUL VIRTUAL SUMMITS

Secure Singapore draws 130 attendees to Saturday half-day event

(ISC)2 SECURE SINGAPORE, which in the past was held in conjunction with Singapore's GovWare conference during the Singapore International Cyber Week, went from a sponsored in-person event to an all-virtual, stand-alone one on a shoestring budget. The (ISC)2 Singapore Chapter's executive committee and organizing team were up to the challenge.

The half-day Saturday date let members attend without taking time from their busy schedules. The program was compressed to a half day and funded only by a small fee collected from each registration.

The conference kicked off with opening addresses by (ISC)2 CEO Clar Rosso; Singapore Chapter president Victor Yeo; and guest of honor Melvin Yong, Assistant Secretary-General of National Trades Union Congress (NTUC) and a member of Parliament for Radin Mas SMC. The remainder of the time was spent in town hall–style panel discussion segments.

Among the panel discussions:
• Quantification, Measurement and Prioritization of Technology Risks and Investment, facilitated by Paolo Miranda, the Singapore Chapter's Volunteers Director and Associate Director at KPMG. The panel members consisted of Keyaan Williams, Founder and Managing Director, Cyber Leadership & Strategy Solutions, LLC; Dr. Meng-Chow Kang, Head of Security Assurance, Asia Pacific and Japan, Amazon Web Services; and Neha Malhotra, VP, Cybersecurity Program Manager, Credit Suisse. She's also the Communications Director of the Singapore Chapter.
• Safer Cyberspace Masterplan 2020 from the Cybersecurity Agency of Singapore (CSA), facilitated by the Singapore Chapter's Vice President, Garion Kong. The panel members consisted of Gwenda Fong, Assistant Chief Executive, Cybersecurity Agency of Singapore (CSA); Huang Shaofei, CISO, Land Transport Authority (LTA) of Singapore; and Victor Yeo, Regional Director/GM (international government) at BAE Systems Applied Intelligence.

The panel was among those to open the Singapore Chapter's virtual summit.

Although this meant members couldn't interact and catch up in person, the virtual event also meant more members could attend since there were no physical constraints. In the end, 130 people attended the chapter's first major virtual event.

Overall, the town hall format worked well for the attendees, based on the positive feedback the chapter received in post-event surveys.

Japan Chapter acquires 17 new members through its virtual event

The (ISC)2 Japan Chapter's biggest event, Secure Japan 2020, drew 300 attendees to the eight-hour virtual event in mid-December. The chapter also acquired 17 new chapter members from the free event, which was sponsored by Tokio Marine & Nichido Risk Consulting, NTT Security, Global Security Experts (GSX) and NRI Secure Technologies.

The video conferencing infrastructure was operated by Yurika Kakiuchi, CISSP; Hiroyuki Komachi, CISSP; Hiroko Oogane, CISSP; and Rui Kanazawa, CISSP. Because of so much support, the event was successful at a minimum cost.

Secure Japan 2020 kicked off with opening addresses by new (ISC)2 board member Eiji Kuwana, CISSP, and (ISC)2 CEO Clar Rosso, whose speech and some of the other presentations were delivered with Japanese subtitles.

Presentations included:
• International Cyber Crime Investigation - The Days of Distressing, presented by Naruomi Ebitani, CISSP
• Overview of U.K. Cyber Essentials Scheme by Emma Philpott MBE
• Cyber-Physical Fusion and Cyber Security by Junpei Watase
• Observing the Movements of Cyber Criminals - Anti-Ransomware by Yu Arai, CISSP
• Japan Cyber Security: Protecting the FinTech Epicenter before the Olympics, a roundtable discussion led by Felix Beatty, CISSP, CCSP, and colleagues Amit Ranjan and John Ghanotakis
• Cyber Risks that Japanese Companies May Face in the Future and Trends in Visualization - The Cyber Insurance Developer Speaks Out, delivered by Daisuke Kyogaku
• The Future of Familiar Problems Everywhere, led by Hiroshi Aido, CISSP

Secure Japan 2020 was voluntarily supported and operated by numerous team members. The chapter is grateful to all the volunteers who helped to ensure this virtual event was well attended and valuable for attendees.

Keiichiro Oguma, CISSP, (ISC)2 Japan Chapter President, moderating Secure Japan 2020.
Fumiko Noma, CISSP, Director of Business Development, (ISC)2 Japan, during a live studio presentation.
Yu Arai, CISSP, NTT Data, during his live studio presentation.
Naruomi Ebitani, CISSP, American Express International, during his live studio presentation.
FIELD NOTES
MEMBER'S CORNER

BUILD TRUST IN PRODUCTS THE RIGHT WAY: THE SECURE WAY
BY WILL RAINWATER, CISSP

In my 31 years in IT across multiple verticals including government/military, financial services and healthcare, I have seen a similar pattern following a massive data breach. First come the headlines and then an email or letter from a company's CEO expressing a commitment to do better by its customers.

We don't have to keep repeating this pattern. We could shore up a lot of these ongoing issues by having a company's leadership and management provide more than lip service to creating tamper-free solutions by making cybersecurity a top priority across the entire corporate spectrum.

Let's first recognize that a cornerstone of capitalism is filling a need, but that need also comes with the expectation that the solution to that need does not cause harm or facilitate harm to the consumer. I think that concept sometimes gets lost, or is at least less visible, in this era of globalism, immediate gratification, and intense pressure to generate profits quickly and frequently.

I believe we are on the precipice of an incredibly scary time where individual privacy is suffering despite the rise of regulation or government intervention. From my vantage point, too many companies appear to still not understand the cost savings in relation to bad press and class-action lawsuits when products are built securely.

Deadlines put into place at every step of the systems development process are the biggest barrier to secure software and hardware, hands down. If deadlines were dropped and security was truly a focus, where full spectrum vulnerability testing was performed at every step in the lifecycle, we would not be having the issues we do. Time could be spent covering all aspects of both functionality and security instead of just functionality alone. Developers must get past this "get it done so we can get to market ASAP" (and make a profit sooner) mindset and instead embrace the "it will be released when it is ready" mindset. Doing so means we, as a society, would see fewer issues with privacy, fewer data breaches, and less cybercrime because it would no longer be profitable for the criminals.

Sure, there are costs associated with that, especially in the short term. But if your product is truly secure, can protect the data it is designed to protect, and perform the functions to solve the need and the expectation, then the profits will come.

Everyone who buys a product (consumer- or enterprise-grade) expects the product to work as advertised, as well as protect them from harm. What no one should expect is for it to remain secure forever. I don't know of anyone in the IT community who has that expectation. Security vulnerabilities pop up by the second. You have to adapt, and that also costs money. But the ongoing costs of maintenance would be greatly reduced if software makers did it right the first time, so you only have to cover changes in the security environment moving forward, not vulnerabilities known two decades ago.

"Do it right the first time" should be the new mantra, and it should be spoken and honored and extended to everyone in the company, especially management. The systems development lifecycle does not just include programmers, testers and quality assurance personnel. Your entire management infrastructure has a hand in the responsibility of ensuring that their product does no harm or does not facilitate harm.

Moving forward, remember that customer loyalty is a two-way street. We, as customers, will remain loyal to a company if we feel that that loyalty is valued and reciprocated. Transparency and an ethical approach to development are two aspects that have a huge impact on long-term loyalty. I cannot speak for everyone, but I have to believe that my opinions are shared by more than just me. You cannot be ethical if you put profits first. You just can't.

Will Rainwater, CISSP, is an Information Technology Director. He can be reached at wrainwater@levihospital.com.
HELP WANTED
Navigating job markets

LIGHTS! CAMERA! INTERVIEW!
HOW TO GET THE MOST OUT OF YOUR VIRTUAL NEW JOB DISCUSSION. BY DEBORAH JOHNSON

Interviewing a candidate for your cybersecurity team now relies on virtual communications technology more than ever, primarily thanks to the pandemic. In an April 2020 report, Gartner reported that 86% of 334 human resource leaders surveyed were "incorporating new virtual technology to interview candidates." Cybersecurity pros, while familiar with Zoom meetings and online presentations, may need some guidance to get the most out of a virtual candidate interview.

The nuts and bolts of the candidate's skills can be determined through a resume. But what is the person really like? Will they fit in with the current team? Will they mesh with corporate culture? The camera can make these intangible attributes more difficult to assess.

Don't try to wing it. First, make sure you have the "right technology that's fully functional," says Dan Schawbel, managing partner of Workplace Intelligence, an HR research and advisory firm, in an email exchange. "You should plan for a remote interview the same as you would in person. The interviewer should present themselves the same as in-person. If you don't take the interview seriously, then [the candidate] won't either."

And don't let your environment distract you, he advises. "Look at the camera and not at your phone, which should be turned off. Make sure you're in a quiet place with good lighting."

Next: Get a good "read" on your candidate. "One of the biggest issues we see now that everything's gone remote: we're missing the rapport-building part," says Kris Rides, co-founder and CEO of Tiro Security, a cybersecurity staffing and services organization. "Because, in person, we're better at just talking, a little bit of small talk," he said in a phone interview.

Don't forget traditional interviewing techniques. "Big, open questions can draw out their feelings," Rides advises. "Big questions like 'Where have you found you've been most successful?' 'What did you enjoy most about your job?' [and] 'What do you want from your next place?'"

Rides warns: "Passion is something that a lot of people ask for, but it's an intangible. If their passion is cybersecurity and they've made a job out of it, then they're probably doing bug bounties, they're doing webinars, joining the Cloud Security Alliance, the local (ISC)2 chapter, and they're working on a certification they don't need for their job. They are just genuinely interested in it."

The successful remote interview is a combination of reliable technology and positive personal interaction. Robert Half Business offers these tips on its blog:
• Be prepared.
• Test your video conferencing platform (i.e., Zoom, Skype, WebEx, etc.) in advance.
• Have a backup plan to your platform in case there is a problem on either end.
• Find a quiet, well-lit space and minimize distractions (e.g., silence mobile phones).
• Look professional.
• Pay attention to facial expressions and tone of voice.

A good interview is successful whether it's in person or remote. Just because the candidate isn't in the same room doesn't mean you can't discover if they are the right person for your team.

Deborah Johnson lives and works in San Diego. She can be reached at djohnson@twirlingtigermedia.com.
REINING IN THE RISK
What's at stake in securing IoT's massive attack surface, made up mostly of lightweight devices with few security protections.
BY MATT GILLESPIE

IoT creates nooks and crannies in your network where the light never reaches. You can't easily see the vulnerabilities there, and it may be impossible to know where to look.

ILLUSTRATIONS BY JEFF MANGIAT
The IoT universe comprises billions of small-footprint devices that are not designed or manufactured to enterprise-grade security standards. Understanding and mitigating the risk requires revisiting what's on the network, what it's doing, and whether it should be there at all, for a start.

Devices may appear unannounced and stay hidden, resisting conventional attempts at discovery and monitoring. In its immature state, IoT lacks standardized protocols, which can make a unified view difficult or impossible. Global bodies are developing standards, but finalization and widespread adoption are still far off.

Even when familiar IT best practices are followed, securing environments in the face of these complexities poses new challenges.

IOT DEVICES CAN BE LIKE SNEAKY, SPOILED CHILDREN

The threat associated with IoT devices is often made worse by inappropriate levels of elevated privilege and a lack of control. Those devices may make their way onto the network without notice by IT, especially when they are implemented by business units that don't suspect the danger.

As with any technology, the potential exists for security to be relegated to the status of an afterthought or ancillary concern. Part of the issue is that IoT devices are often deployed without recognizing that they are network endpoints. Ken Munro, a partner at Pen Test Partners, describes one such case involving wireless screencasters, which are small-footprint devices that let users cast the displays of their personal mobile devices to large presentation screens.
Munro recalls, "We found these little devices also have network ports, and the installers have been going into firms and not just putting in a standalone screencaster; they connected it to the network, too."

While these screencasters are directly connected to the network, they don't conform to the firms' security requirements for network endpoints, and they are typically not manageable by IT. Making matters worse, they may host wireless networks for the devices used with them, offering Wi-Fi that is often left open or minimally secured using intentionally weak passwords for convenience.

A similar example concerns digital signage that displays information such as meeting room schedules drawn from the corporate network. These low-end, rebadged consumer Android tablets often appear in public areas, where an interested party could steal them and make off with a device that potentially has discoverable Active Directory credentials cached on it.

This inadvertent, side-door installation onto the network highlights the necessity of isolating IoT devices, with physical separation or at least on a separate subnetwork. As Munro said, "The first thing to do is keep them off your network to start with."

John Powell, principal consultant with Optiv, concurs: "Segmentation between IoT and OT is an absolute best practice. They should never be on the same network."

That necessity is largely because of the limited capabilities of many

BEWARE OF UNTAPPED POTENTIAL
To enforce least privilege in a zero-trust model, IoT devices must be locked down to their least required functionality. A particular complication is that interfaces may be available on the system hardware that are unused and undocumented. The system-on-chip (SoC) at the heart of a device may have disabled Bluetooth or Wi-Fi onboard, for example, that attackers could attempt to enable and exploit. —M. Gillespie
IoT devices themselves. Security agents or antivirus, for example, can't typically be installed on an IP camera. So how do you safely allow such a thing onto the network? One source advises, "Don't trust the thing in the first place. This is kind of a glaring poster child for the zero-trust model."

One aspect of that zero trust is to have an intermediary such as a router or gateway between IoT devices and the network. The intermediary acts as the endpoint, and the devices themselves are not on the network. Security controls are applied to the intermediary, which has sufficient resources such as compute and memory that it can conform to the organization's cyber standards.

Another best practice is to lock down the types of traffic allowed to devices. For example, an IoT camera only needs to receive commands such as pan up, pan down, and zoom; only that data should be allowed to flow into it. Those traffic restrictions are a reflection of the very limited role that the device should play on the broader network.

Rather than using persistent sessions, IoT devices should also be treated as untrusted and potentially hostile entities, with every access request verified and authorized individually. This is particularly true in the large proportion of IoT implementations where the device is physically located in an uncontrolled remote location.

In sum, unlike actual spoiled children, the proper course for IoT devices is to keep them in an environment of zero trust and isolation.

SECURING ELEMENTS THAT AREN'T BUILT THAT WAY

Shortcomings in the security of many IoT devices are baked in at the time of manufacture. "The biggest issue is that these little, small devices are programmed at a factory and shipped. If they're not built with security in mind, then it's impossible to change them later," Powell says.

Indeed, cost constraints and the need to get a revenue-producing offering out the door can lead to corners being cut in security during product development. Many are built without even rudimentary access-control measures.

Penny McKenzie, a cybersecurity engineer at Pacific Northwest National Laboratory, suggests: "The first thing that I would consider before purchasing any IoT device is whether or not … admin credentials have the capability of being changed. A lot of the IoT devices that are out there right now have hard-coded passwords, usernames, all of that stuff. The only way that you can really check … is when you're ready to deploy it."

Likewise, many small, inexpensive IoT devices lack the ability to be updated with security patches or other necessary changes. Checking for that capability and understanding how updates are performed is important pre-planning for how future vulnerabilities can be addressed.

Keeping track of these devices and their security states requires mapping their presence and function on the network, a task that is made more complex by the tangle of communication protocols involved. Likewise, detecting Bluetooth communication or RFID tags can be of limited value; they are unlikely to identify the broadcasting device. Operators are often left with patchy understandings of their IoT environments that can make it impossible to identify and track threats.

In cases where the functionality of IoT devices is limited by not being on the main corporate network, business needs may be at odds with security requirements. In others, the main requirement may be cloud connectivity, either through a gateway to the corporate network or directly to a third party using means such as 5G.
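The mapping problem just described, together with the segmentation advice from Munro and Powell earlier in the piece, can be turned into a routine check: reconcile what is actually answering on the wire against an approved inventory that pins each IoT device to its isolated segment. The script below is an added example, not code from the article or from any vendor. The inventory, the host snapshot and its "ip mac vlan" column layout are all constructed for the demonstration; a real run would feed it a switch MAC table or DHCP lease export and adapt the parser to that format.

```python
"""Reconcile live hosts against an approved IoT inventory.

Added example, not from the article. Three findings matter in practice:
  unknown        - a MAC on the network that nobody approved (the screencaster
                   an installer quietly cabled in)
  wrong_segment  - an approved IoT device that has drifted onto the corporate
                   VLAN instead of the isolated IoT segment
  missing        - an approved device that is no longer seen (stolen signage
                   with cached credentials, or simply dead)
"""
import re

# Constructed approved inventory keyed by MAC address. Every IoT device is
# assigned to the isolated segment; nothing here is allowed on vlan20-corp.
INVENTORY = {
    "aa:bb:cc:dd:ee:01": {"name": "cam-lobby-01", "class": "ip-camera",    "vlan": "vlan30-iot"},
    "aa:bb:cc:dd:ee:02": {"name": "sign-room-4a", "class": "digital-sign", "vlan": "vlan30-iot"},
    "aa:bb:cc:dd:ee:03": {"name": "cam-dock-02",  "class": "ip-camera",    "vlan": "vlan30-iot"},
}

# Constructed snapshot of live hosts. The "ip  mac  vlan" layout is an
# assumption standing in for a real switch or DHCP export.
OBSERVED = """\
# ip            mac                vlan
10.10.30.15     aa:bb:cc:dd:ee:01  vlan30-iot
10.10.20.41     AA-BB-CC-DD-EE-02  vlan20-corp
10.10.20.77     aa:bb:cc:dd:ee:09  vlan20-corp
"""


def normalize_mac(mac):
    """Canonical lower-case colon form so 'AA-BB-..' and 'aabb.ccdd..' compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_observed(text):
    """Parse the snapshot into host dicts; blank lines and '#' comments are skipped."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, vlan = line.split()
        hosts.append({"ip": ip, "mac": normalize_mac(mac), "vlan": vlan})
    return hosts


def reconcile(observed, inventory):
    """Classify every observed host and every inventory entry (see module docstring)."""
    report = {"unknown": [], "wrong_segment": [], "missing": []}
    seen = set()
    for host in observed:
        entry = inventory.get(host["mac"])
        if entry is None:
            report["unknown"].append(host)
            continue
        seen.add(host["mac"])
        if host["vlan"] != entry["vlan"]:
            report["wrong_segment"].append({
                "name": entry["name"], "expected": entry["vlan"],
                "seen": host["vlan"], "ip": host["ip"],
            })
    for mac, entry in inventory.items():
        if mac not in seen:
            report["missing"].append(entry["name"])
    return report


if __name__ == "__main__":
    for category, items in reconcile(parse_observed(OBSERVED), INVENTORY).items():
        print(f"{category}: {items}")
```

Run against the constructed snapshot, the camera is where it belongs, the room sign turns up on the corporate VLAN, an unapproved MAC sits beside it on that same VLAN, and one approved camera has vanished. Each of those is a ticket: the first two are segmentation violations of exactly the kind Powell warns against, the last is the stolen-signage scenario. Scheduling this against a fresh export, rather than running it once, is what keeps the "patchy understanding" from creeping back.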
Emerging capabilities for private 5G networks may play into secure IoT deployments, especially for widely dispersed ones such as utility infrastructure or oil fields. On the other hand, the cost and complexity of hosting these networks make it untenable for any but the largest enterprises.
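The zero-trust pattern laid out earlier in this article (a gateway as the network-facing endpoint, only the handful of commands a device needs allowed through, and every request authorized on its own rather than under a standing session) is concrete enough to show as gateway-side logic. The following is an added example, not code from the article, Optiv, Pen Test Partners or any product. The device names, device classes, command names and signing keys are constructed; the management plane signing each request with a per-device HMAC key is an assumption standing in for whatever credential your platform actually issues.

```python
"""Gateway-side zero-trust policy for IoT devices (added example, constructed data).

The management plane signs each request; the gateway verifies it, checks
freshness and replay, and only then consults the per-class command allow-list
before forwarding to the device. Nothing is remembered between requests
except the short replay cache, so there is no session to hijack.
"""
import hashlib
import hmac
import time

# Constructed allow-list: the only commands each device class may receive.
COMMAND_ALLOWLIST = {
    "ptz-camera":   {"pan_up", "pan_down", "zoom_in", "zoom_out"},
    "digital-sign": {"show_schedule", "refresh"},
}

# Constructed device registry: class and per-device key. In production the key
# would come from a secrets store or a per-device certificate (assumption).
DEVICES = {
    "cam-lobby-01": ("ptz-camera",   b"constructed-key-cam-lobby-01"),
    "sign-room-4a": ("digital-sign", b"constructed-key-sign-room-4a"),
}

MAX_SKEW = 30  # seconds a signed request stays valid; bounds the replay window


def sign(device_id, command, ts, key):
    """HMAC-SHA256 over the request fields, computed by the management plane."""
    msg = f"{device_id}|{command}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_request(device_id, command, ts, key):
    """Build the message the management plane would send to the gateway."""
    return {"device": device_id, "command": command, "ts": ts,
            "mac": sign(device_id, command, ts, key)}


def authorize(request, now=None, seen=None):
    """Decide a single request; returns (allowed, reason).

    `seen` is the replay cache: (device, command, ts, mac) tuples accepted
    inside the skew window. Pass the same set on every call to keep it.
    """
    now = time.time() if now is None else now
    seen = set() if seen is None else seen
    # Entries older than the window can never be accepted again; drop them.
    for old in [e for e in seen if now - e[2] > MAX_SKEW]:
        seen.discard(old)

    device_id = request.get("device")
    if device_id not in DEVICES:
        return False, "unknown device"
    dev_class, key = DEVICES[device_id]

    ts = request.get("ts")
    if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_SKEW:
        return False, "stale request"

    command = request.get("command", "")
    expected = sign(device_id, command, ts, key)
    if not hmac.compare_digest(expected, str(request.get("mac", ""))):
        return False, "bad signature"

    fingerprint = (device_id, command, ts, expected)
    if fingerprint in seen:
        return False, "replay"

    if command not in COMMAND_ALLOWLIST[dev_class]:
        return False, f"command not permitted for {dev_class}"

    seen.add(fingerprint)
    return True, "ok"


if __name__ == "__main__":
    cache = set()
    key = DEVICES["cam-lobby-01"][1]
    for cmd in ("pan_up", "reboot"):
        req = make_request("cam-lobby-01", cmd, int(time.time()), key)
        print(cmd, authorize(req, seen=cache))
```

Two design points are worth noticing. The checks run authenticity first and authorization last, so a forged or stale message is refused before the gateway spends any effort on policy, and the reason string never reveals which commands a device accepts to a sender who could not sign at all. And because the camera's key cannot produce a valid signature for the room sign, a compromised controller for one device class does not become a controller for every device behind the gateway; that is the per-request, per-device verification the article calls for in place of persistent sessions.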
In terms of outside connectivity, McKenzie points out potential differences between passing data to one of the top-tier cloud providers for processing versus a point solution vendor. The latter case most likely has less rigorous security measures in place than the former. In particular, the major cloud vendors provide integrated sets of solutions that protect data from the device to the edge to the cloud. By contrast, the capabilities offered by smaller vendors may be less comprehensive. This exposure can have implications for both the privacy and the integrity of the data. And as McKenzie notes, "You get all that information, but the vendor also gets that information … There are no regulations out there to say that it has to be secure."

The need for these data-protection assurances emphasizes the criticality of due diligence, vetting vendors for security readiness. They should be able to provide a detailed description of how they lock down their embedded systems, for example. They should be able to produce (and be willing to share) penetration testing reports. They should also be able to discuss security issues they've had in the past and how they handled them.

Ken Munro points out the value of discussing security weaknesses as well as strengths with a vendor: "The companies I respect the most [are the ones] who are honest and admit that they haven't got it completely nailed in the couple of areas they're worried about, but they've got a plan."

Establishing how the vendor positions itself in conversations such as this lends insight about what level of support they can be expected to provide if vulnerabilities or other problems arise. Likewise, building in security considerations at the outset of a project is always preferable to trying to bolt them on later.

THE IOT SECURITY LANDSCAPE BEYOND DEVICES

The most tangible and distinct part of an IoT implementation is its array of devices, and most discussions of IoT security (including this one) begin there.
Notwithstanding their potential vulnerabilities, and the need to isolate them from the rest of the network, compromise of devices themselves is likely not the primary area of concern.

Working outward from the device level, the vast majority are connected wirelessly. Verifying simple measures such as Wi-Fi security and use of the latest versions of drivers and Bluetooth technology should not be overlooked.

The platforms that are used to access data from IoT platforms are a specific locus for vulnerabilities and potential compromise of a broad swath of the environment. The APIs used by those platforms

OLD VULNERABILITIES ARE NEW AGAIN
There is a "Groundhog Day" feel to certain aspects of securing IoT, as old vulnerabilities and methods re-emerge. Compared to conventional IT or OT systems, IoT devices tend to be far earlier on the maturity curve. Management and security for regular Windows and Linux operating systems have been developing for decades, whereas IoT and embedded systems are substantially more nascent.

As a result, Pen Test Partners' Ken Munro reports, "I'm finding vulnerabilities that we forgot about 10 years ago; now it's finding exploitable issues in Telnet on an IoT tea kettle! I was finding a use for the Hayes AT modem command set."

Security practitioners are finding that they must turn back the clock a decade or more as they conceive IoT protections, while at the same time dealing with cutting-edge capabilities and threats. —M. Gillespie