Bitglass Security Spotlight: Uber, Apollo, & Chegg

By Jacob Serpa, Product Manager, Bitglass

Here are the top cybersecurity stories of recent weeks:

—Uber fined $148 million over cover-up
—Apollo database of 200 million contacts breached
—Chegg hack exposes 40 million users’ credentials
—Port of San Diego faces cyberattack

Uber fined $148 million over cover-up

In late 2016, Uber suffered a breach in which attackers gained access to data held in one of the company's cloud services. Instead of reporting the incident as it was required to, Uber paid the attackers $100,000 and kept the attack quiet. Once the cover-up came to light, all fifty states and the District of Columbia pursued legal action against the company, culminating in a $148 million settlement.

Apollo database of 200 million contacts breached

Apollo, a well-known sales engagement startup, recently had its database of 200 million contacts breached. As the company's notice to affected individuals acknowledged, the intrusion took a number of weeks to detect. Since massive damage can be done in a matter of moments, organizations need real-time detection if they want to avoid a similar fate.

Chegg hack exposes 40 million users’ credentials

Chegg was recently found to have been breached by unauthorized users seeking to steal sensitive information. While it is believed that no Social Security numbers were stolen, data that was successfully exfiltrated included users’ names, usernames, passwords, email addresses, shipping addresses, and more. Unfortunately, the breach, which occurred in April of 2018, took months to detect, giving hackers plenty of time to pursue their malicious ends. The company has since reset the affected users’ passwords.

Port of San Diego faces cyberattack

Within a week of the cyberattack on the Port of Barcelona in Spain, another assault was launched upon the Port of San Diego. This pair of cyberattacks highlights the reality that hackers can target infrastructure and have widespread, adverse repercussions for organizations around the world. Fortunately, this particular attack affected only land-based operations at the port. The causes have yet to be discovered.

Learn about cloud access security brokers (CASBs) and how they can protect your enterprise from threats in the cloud and download the Definitive Guide to CASBs.

Bitglass Security Spotlight: Veeam, Mongo Lock, Password Theft, Atlas Quantum & the 2020 Census

By Jacob Serpa, Product Manager, Bitglass

Here are the top cybersecurity headlines of recent weeks:

—440 million email addresses exposed by Veeam
—Unprotected MongoDB databases being targeted
—42 million emails, passwords, and more leaked
—Cold-boot attacks steal passwords and encryption keys
—2 billion devices still vulnerable to Bluetooth attack
—Atlas Quantum, cryptocurrency platform, breached
—Security concerns around the 2020 census
—Air Canada’s mobile app breached
—WellCare breach exposes data of 20k children

440 million email addresses exposed by Veeam

Data management company Veeam has, ironically, mismanaged hundreds of millions of users' data. A MongoDB database left reachable from the Internet without a password exposed 440 million records containing email addresses, names and, in some cases, IP addresses. While this leak may seem innocuous, a name and an email address are all that is needed to conduct a targeted spear phishing attack.

Unprotected MongoDB databases being targeted

The so-called Mongo Lock attacks target MongoDB databases that have been left reachable from the Internet with no authentication. Attackers scan for such instances, delete their contents and leave a note demanding a Bitcoin ransom for the data's return; in many cases the data was never copied, so paying does not recover it. The fix is configuration rather than a patch: bind mongod to localhost or a private interface, enable authorization, and keep tested backups.

42 million emails, passwords, and more leaked

A public hosting service that allows individuals to upload files for free was recently found to contain a massive amount of personal data. Over 42 million email addresses and passwords, as well as partial credit card numbers, were found within the platform. As noted in the Veeam section, hackers can easily use this type of data to conduct targeted spear phishing campaigns and steal more sensitive information.

Cold-boot attacks steal passwords and encryption keys

A new cold-boot attack can extract information from a laptop in under two minutes. The technique reads the contents of RAM, which retains data for a short time after power is cut, so passwords and even full-disk encryption keys can be recovered. Fortunately, the attacker needs physical access to the machine. Configuring systems to hibernate or shut down rather than sleep, so that keys are no longer held in memory, is a helpful defense, as is requiring a pre-boot PIN for disk encryption.

2 billion devices still vulnerable to Bluetooth attack

One year ago, BlueBorne, a collection of vulnerabilities in devices that leverage Bluetooth, was revealed. Unfortunately, despite the fact that an entire year has gone by, 2 billion devices remain exposed. This is due to systems that have not been patched, systems that cannot be patched, and more.

Atlas Quantum, cryptocurrency platform, breached

Well-known cryptocurrency platform Atlas Quantum was recently found to have been breached. 261,000 of the company's users had their names, account balances, email addresses and phone numbers exposed. While the company initially declined to disclose the circumstances of the breach, it did state that users' cryptocurrency holdings were safe; only personal information was stolen.

Security concerns around the 2020 census

In the US, the Government Accountability Office has concerns about the cybersecurity of the Census Bureau. The bureau is reported to have thousands of security vulnerabilities – dozens of which are identified as highly risky and dangerous. Naturally, as conducting a census involves collecting data from countless citizens, these security gaps must be filled before the next census in 2020.

Air Canada’s mobile app breached

Late last month, Air Canada disclosed that its mobile app had been breached. Although only about 1% of the app's 1.7 million users were affected, that is still roughly 20,000 individuals whose names, phone numbers, passport numbers and dates of birth were exposed.

WellCare breach exposes data of 20k children

In WellCare Health Plans’ recent breach, 20,000 children had their PHI (protected health information) exposed. The information’s security was compromised when WellCare accidentally mailed letters to the wrong addresses. Exposed data included children’s names, ages, and healthcare providers.

Learn about cloud access security brokers (CASBs) and how they can defend against the rising tide of data breaches.

 

Bitglass Security Spotlight: Yale, LifeLock, SingHealth, Malware Evolving & Reddit Breached

By Jacob Serpa, Product Manager, Bitglass

Here are the top cybersecurity headlines of recent months:

—Future malware to recognize victims’ faces
—Reddit suffers breach
—6 million records of Georgian voters exposed
—RASPITE Group attacks US infrastructure
—Decade-old breach at Yale uncovered
—Bug exposes LifeLock customer data
—Patient data of 1.5 million exposed in SingHealth breach
—Tesla, GM, Toyota, and others expose 157 GB of data
—COSCO hit with ransomware attack

Future malware to recognize victims’ faces

Malware is poised to continue its evolution and deploy newer, more advanced capabilities. In particular, it is believed that threats will leverage artificial intelligence in order to become increasingly context aware. For example, malware may soon employ facial recognition that uses an individual’s appearance to trigger an attack.

Reddit suffers breach

Early last month, Reddit disclosed that an attacker had breached its systems and obtained user data including email addresses, salted and hashed passwords, and private messages. The stolen data came from an old database backup covering 2005 to 2007, and Reddit reported that the attacker got in by intercepting SMS-based two-factor codes for employee accounts. The incident still highlights the importance of maintaining constant visibility and control over data, and of preferring token-based second factors over SMS.

6 million records of Georgian voters exposed

Voters in Georgia recently had their personal information exposed when the office of the Secretary of State granted various parties access to voter registration data in an unsecured fashion. The data included dates of birth, driver's license numbers and Social Security numbers. If it were obtained by malicious individuals, widespread identity theft could follow very easily.

RASPITE Group attacks US infrastructure

Since 2017, the RASPITE group has attacked targets in the Middle East, Asia and Europe. Recently the group was tied to Iran and found to be targeting electric utility companies in the US. Naturally, these organizations must have adequate defenses in place.

Decade-old breach at Yale uncovered

About ten years ago, Yale University suffered a breach. Unfortunately, at the time, the intrusion was not detected. Alumni and various faculty and staff had information like Social Security numbers exposed. This event highlights the need for proactive cybersecurity measures as well as constant threat monitoring.

Bug exposes LifeLock customer data

In an ironic twist of fate, LifeLock, an organization built upon defending customers from identity theft, was found to have exposed its users’ email addresses through a bug. The company’s users are now more vulnerable to targeted phishing attacks that imitate communications from LifeLock.

Patient data of 1.5 million exposed in SingHealth breach

Singaporean healthcare organization SingHealth was recently breached, much to the ire of those pushing for Singapore to become a cloud-first nation. The incident exposed sensitive information belonging to 1.5 million patients, including 160,000 whose prescription details were stolen.

Tesla, GM, Toyota, and others expose 157 GB of data

Leading automotive companies (Tesla, GM, Toyota, Ford, Volkswagen and many others) were recently found to have extensive proprietary information publicly available online. The data was exposed through an rsync server that had been left accessible without authentication or IP restrictions, demonstrating once again the importance of a detail-oriented security posture.

COSCO hit with ransomware attack 

As one of the biggest shipping enterprises in the world, COSCO sends countless goods around the globe every day. Unfortunately, the company was recently hit with a ransomware attack that harmed some of its US operations. While the company has since responded to the attacks, ransomware continues to represent an imposing threat for businesses everywhere.

To learn about cloud access security brokers (CASBs) and how they can defend against malware, breaches, and more, download the Definitive Guide to CASBs.

Guideline on Effectively Managing Security Service in the Cloud

By Dr. Kai Chen, Director of Cybersecurity Technology, Huawei Technologies Co. Ltd.

The cloud computing market is growing rapidly. Affordable, efficient and scalable, cloud computing remains the best solution for most businesses, and it is heartening to see the number of customers deploying cloud services continue to grow.

From the beginning of cloud’s existence, cloud service security has been among the top concerns of deployment. In order to deal with this, various organizations have invested huge efforts on cloud service security standards and researching best practices development and enforcement. Thanks to the efforts of cloud service providers (CSPs), cloud service security has reached an acceptable level. But from the cloud customers’ perspective, it is still somewhat lacking in best practices on how to secure their cloud services. The availability of such guidelines can be especially helpful for small and medium enterprises (SMEs) that constantly face shortages of professional security manpower. With this in mind, the Cloud Security Services Management (CSSM) Working Group developed the “Guideline on Effectively Managing Security Service in the Cloud” that applies to various cloud deployment models, from private, public, hybrid to community cloud.

The shared security responsibility model is no stranger to the cloud security community. Every leading CSP has published whitepapers or statements on shared security responsibility, explaining their roles and responsibilities in cloud provisioning. In other words, there are certain security responsibilities that are left to the cloud customers and are written down in cloud service agreements. The complexity is that in reality, given the same concept of shared responsibility, there are different interpretations and implementations among different CSPs. In many cases, it is challenging for cloud customers to clearly understand and bear their responsibilities in practice.

Cloud service security: A how-to

The Guideline provides an easy-to-understand guidance to cloud customers on how to design, deploy, and operate a secure cloud service with respect to different cloud service models, namely IaaS, PaaS, and SaaS, helping them ensure the secure running of service systems. With a distinct separation of responsibilities, cloud customers can clearly understand security responsibilities of their own and of CSPs, what security assurance features should be provided to bear these security responsibilities, existing gaps, and how to develop related capabilities to address such gaps.

Additionally, the Guideline provides guidance for CSPs in building cloud platform security assurance systems which can also be used by cloud service security integrators.

Third-party security service providers also play an important role in securing cloud services. Although the shared security responsibility model assigns them no responsibilities of their own in the cloud, these providers can use the Guideline to better fit their services to the needs of CSPs and/or cloud customers.

The CSSM WG hopes that this effort allows for a better understanding of cloud security responsibilities on the part of both customers and CSPs, and through this creates a sounder cloud security ecosystem.

Download the Guideline on Effectively Managing Security Service in the Cloud now.

Pwned Passwords – Have Your Credentials Been Stolen?

By Paul Sullivan, Software Engineer, Bitglass

Data breaches now seem to be a daily occurrence. In recent months, Have I Been Pwned (HIBP) introduced Pwned Passwords, which lets you check a password against a database of breach data without sending the password itself: the client hashes it with SHA-1 and submits only the first five hex characters of the hash, the service returns every breached hash suffix under that prefix, and the match is done locally. There are over 280 breaches in the database, and that's only the tip of the iceberg. Breaches aren't just a problem for the users who lose their data, but for the companies responsible for it.
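The range query described above, as an added example that is not code from the original post or from HIBP. Both sides of the exchange are simulated so it runs offline: the "server" holds a constructed breach corpus (the passwords and counts are invented for the example) and answers a 5-hex-character prefix query; the "client" hashes the candidate, sends only the prefix and matches locally. The real endpoint is https://api.pwnedpasswords.com/range/<prefix>.

```python
"""k-anonymity range lookup in the style of Pwned Passwords (added illustration)."""
import hashlib

# Constructed corpus: plaintext -> number of times seen in breaches.
# These entries and counts are invented for the example, not real HIBP figures.
BREACHED_PASSWORDS = {
    "password": 3730471,
    "123456": 23597311,
    "letmein": 236,
    "Summer2018!": 12,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash the Pwned Passwords corpus is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# ---- server side ----------------------------------------------------------
# Index the corpus by the first five hex characters (20 bits) of the hash,
# which is all a range query ever carries. Each entry is (35-char suffix, count).
_RANGE_INDEX = {}
for _pw, _count in BREACHED_PASSWORDS.items():
    _h = sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_h[:5], []).append((_h[5:], _count))


def range_response(prefix: str) -> str:
    """Answer a range query with every 'SUFFIX:COUNT' line under the prefix.

    The server sees only the prefix, so it cannot tell which hash (let alone
    which password) the client is checking. Real responses use CRLF endings.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    lines = [f"{suffix}:{count}" for suffix, count in sorted(_RANGE_INDEX.get(prefix, []))]
    return "\r\n".join(lines)


# ---- client side ----------------------------------------------------------
def pwned_count(password: str, fetch_range=range_response) -> int:
    """Return how often the password appears in the corpus (0 = not found).

    `fetch_range` maps a prefix to the raw response body. To query the live
    service, pass a function that returns
    requests.get(f"https://api.pwnedpasswords.com/range/{prefix}").text.
    The full hash never leaves this function.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "Summer2018!", "correct horse battery staple"):
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen %d times, reject' % n if n else 'not in corpus'}")
```

A real client should treat any non-zero count as a rejection at signup or password change, and should note that the live service can pad responses with dummy zero-count lines, which the parser above tolerates because it only matches on the suffix.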

So how does all this data get breached?

Surely it was some sinister character in a hoodie with extensive knowledge of computers, right? As it turns out, many of the breaches came from misconfigured databases and Amazon S3 buckets that were left wide open to anyone who knew where to look. S3 is easy to use, which is great for security-conscious developers, but it also makes it easy for someone who doesn't understand the access model to toss data into the cloud, leave it publicly readable, and forget about it. As noted by Troy Hunt, the security researcher who runs HIBP, one company was breached because it stored personal data from IoT devices in MongoDB and Amazon S3 with no credentials required. It's not just small, unorganized companies that make these mistakes, either; big corporations lose track of their configurations too.

Proper training helps with these problems, but it isn't always enough. A cloud access security broker (CASB) can help keep S3 and other cloud data secure by encrypting it at rest before it reaches the provider, so that even if unauthorized parties reach the data they see only ciphertext. The caveat is that this only holds if the keys are kept apart from the store: encryption that the provider performs and undoes transparently does nothing for a bucket that has been made public. A CASB can also provide auditing and analytics to flag suspicious activity so that breaches are detected early, or prevented in the first place.

Avoiding Holes in Your AWS Buckets

Enterprises are moving to the cloud at a breathtaking pace, taking valuable data with them, and attackers are right behind them, hot on the trail of as much data as they can steal. The cloud upends traditional notions of networks and hosts and topples the security practices that used them as a proxy for protecting data access. In public clouds, networks and hosts are no longer the most adequate controls for resources and data.

Amazon Web Services (AWS) S3 buckets are the destination for much of the data moving to the cloud. Given how important this sensitive data is, one would expect enterprises to pay close attention to their S3 security posture. Unfortunately, many news stories highlight how many S3 buckets have been mistakenly misconfigured and left open to public access. It’s one of the most common security weaknesses in the great migration to the cloud, leaving gigabytes of data for hackers to grab.

When investigating why cloud teams were making what seemed to be an obvious configuration mistake, two primary reasons surfaced:

1. Too Much Flexibility (Too Many Options) Turns Into Easy Mistakes

S3 is one of the oldest AWS services and predates both EC2 and Identity and Access Management (IAM), so some of its access-control mechanisms were built before IAM existed. As it stands, there are five different ways to configure and manage access to S3 buckets:

  • S3 Bucket Policies
  • IAM Policies
  • Access Control Lists
  • Query string authentication/ static Web hosting
  • API access to change the S3 policies

More ways to configure access means more flexibility, but also a higher chance of making a mistake. A further complication is that permissions exist at two levels, the bucket and the objects within it, and an object can carry its own ACL that differs from the bucket's.

2. A “User” in AWS Is Different from a “User” in Your Traditional Datacenter

Amazon offers great flexibility to make data sharing simple, so users can easily grant access across accounts or from the Internet. For a traditional enterprise, a "user" means a member of the enterprise. In AWS the definition is different. In S3's ACL model, the "Everyone" group (AllUsers) means literally anyone on the Internet, and "Any Authenticated AWS User" (AuthenticatedUsers) means anyone with an AWS account. From a data protection perspective the second is just as bad as the first, because anyone on the Internet can open an AWS account.

A customer moving from a traditional enterprise can, if not careful, misread these groups and open S3 buckets to "Everyone" or "Any Authenticated AWS User," which means opening them to the world.

S3 Security Checklist

If you are in AWS, and using S3, here is a checklist of things you should configure to ensure your critical data is secure.

Audit for Open Buckets Regularly: At regular intervals, check for buckets that are open to the world. Attackers scan for such buckets, then enumerate objects whose ACLs are misconfigured and pull down whatever they can read.

Encrypt the Data: Enable server-side encryption so that objects are encrypted at rest when written and decrypted transparently when read. Understand the limit of this control: S3 decrypts for any caller the bucket's permissions allow, so SSE-S3 offers no protection for a bucket that has been made public. SSE-KMS at least requires the reader to hold kms:Decrypt on the key, and client-side encryption, where the key never enters AWS, is the option to prefer for the most sensitive data.

Encrypt the Data in Transit: Require TLS for every request to the bucket. A bucket policy statement that denies all actions when the condition key aws:SecureTransport is false blocks plaintext HTTP access and the man-in-the-middle attacks it invites.

Enable Bucket Versioning: Ensure that versioning is enabled on your S3 buckets. Versioning preserves overwritten and deleted objects so that they can be recovered, which helps after ransomware, a bad deployment or an accidental delete.

Enable MFA Delete: By default, anyone with delete permission can remove objects without having authenticated with MFA. Enabling MFA Delete on a versioned bucket requires an MFA code to permanently delete an object version or to change the bucket's versioning state, which adds a layer of protection against accidental or malicious deletion.

Enable Logging: With server access logging enabled on a bucket, every request made to it is recorded, which lets you monitor activity, detect anomalies and investigate unauthorized access. CloudTrail data events for S3 give the same object-level visibility in a form that CloudWatch can alert on.

Monitor all S3 Policy Changes: AWS CloudTrail logs every change to a bucket policy or ACL. Periodic audits for public buckets help, but rather than waiting for the next audit, alert on any change to the policy of an existing bucket in real time.

Track Applications Accessing S3: In one attack vector, the attacker creates an S3 bucket in their own account and copies data from your account into it. This reveals a limitation of network-centric security in the cloud: traffic to S3 has to be permitted, because S3 is an essential service. To catch that scenario you need detection at the application layer: track every application and principal in your environment that accesses S3, and alert when a new application or user starts touching your buckets.

Limit Access to S3 Buckets: Restrict bucket access to specific principals and, where the workload's network location is fixed, to specific IP ranges or VPC endpoints using the aws:SourceIp and aws:SourceVpce condition keys, so that a leaked credential alone is not enough to read the data.

Close Buckets in Real Time: Even a few moments of public exposure can be enough for data to be copied. S3 supports tags, so administrators can tag the buckets that are meant to be public (for example, Public=true). CloudTrail records every PutBucketAcl and PutBucketPolicy call; a CloudWatch Events rule on those calls can invoke a Lambda function that checks whether the bucket just became public without carrying the tag and, if so, reverts the change or applies S3 Block Public Access to the bucket immediately, rather than waiting for the next audit.
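The decision logic that such a remediation Lambda would run, as an added example (not code from the original post). Everything here works on plain dicts so it runs offline: in a deployment the policy, ACL and tags would come from boto3's get_bucket_policy, get_bucket_acl and get_bucket_tagging, and the fix would be applied with put_public_access_block, the Block Public Access setting AWS added in late 2018. The bucket names, tags, policies and the CloudTrail event are constructed for the example.

```python
"""Detect a bucket that has just been made public, and the fix to apply (added illustration)."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"                     # "Everyone"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
# Condition keys that narrow a "*" principal to a network location; not treated as wide open.
NARROWING_KEYS = {"aws:sourceip", "aws:sourcevpc", "aws:sourcevpce"}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _principal_is_anyone(principal) -> bool:
    # A policy Principal may be "*", {"AWS": "*"} or {"AWS": [..., "*"]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _narrowed(statement: dict) -> bool:
    for _operator, keys in statement.get("Condition", {}).items():
        if any(k.lower() in NARROWING_KEYS for k in keys):
            return True
    return False


def public_policy_actions(policy: dict) -> list:
    """Actions that a bucket policy grants to anyone on the Internet."""
    actions = set()
    for st in policy.get("Statement", []):
        if (st.get("Effect") == "Allow" and _principal_is_anyone(st.get("Principal"))
                and not _narrowed(st)):
            actions.update(_as_list(st.get("Action")))
    return sorted(actions)


def public_acl_grants(acl: dict) -> list:
    """(group URI, permission) pairs in an ACL that expose the bucket."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grantee["URI"], grant.get("Permission")))
    return found


def assess(bucket: str, policy: dict, acl: dict, tags: dict) -> dict:
    """Classify a bucket: 'remediate' means public without the Public=true tag."""
    via_policy = public_policy_actions(policy)
    via_acl = public_acl_grants(acl)
    is_public = bool(via_policy or via_acl)
    intended = tags.get("Public", "").lower() == "true"
    action = "ok" if not is_public else ("allowed" if intended else "remediate")
    return {"bucket": bucket, "public": is_public, "policy_actions": via_policy,
            "acl_grants": via_acl, "action": action}


def block_public_access_request(bucket: str) -> dict:
    """Keyword arguments for s3.put_public_access_block(**request). This overrides
    public ACLs and policies on the bucket without rewriting them first."""
    return {"Bucket": bucket, "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}


def bucket_from_cloudtrail_event(event: dict) -> str:
    """CloudWatch Events delivers the CloudTrail record under the 'detail' key."""
    detail = event.get("detail", {})
    if detail.get("eventName") not in {"PutBucketAcl", "PutBucketPolicy"}:
        raise ValueError("not an S3 permission change")
    return detail["requestParameters"]["bucketName"]


if __name__ == "__main__":
    # Constructed inputs: a policy that opens the bucket to "*" with no network
    # condition, an ACL grant to AuthenticatedUsers, and no Public=true tag.
    policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::customer-exports/*"}]}
    acl = {"Grants": [{"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
                       "Permission": "READ"}]}
    event = {"detail": {"eventName": "PutBucketPolicy",
                        "requestParameters": {"bucketName": "customer-exports"}}}
    name = bucket_from_cloudtrail_event(event)
    result = assess(name, policy, acl, {"Owner": "data-team"})
    print(json.dumps(result, indent=2))
    if result["action"] == "remediate":
        print("would call s3.put_public_access_block(**%s)"
              % json.dumps(block_public_access_request(name)))
```

Two design points: a statement that opens the bucket to "*" but carries an aws:SourceIp or VPC-endpoint condition is deliberately not flagged, since that is the documented way to restrict access to known networks; and a Deny statement (such as the aws:SecureTransport guard from the checklist) never counts as public, because only Allow statements grant anything.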

Convincing Organizations to Say “Yes to InfoSec”

By Jon-Michael C. Brook, Principal, Guide Holdings, LLC

Security departments have their hands full. The first half of my career was government-centric, and we always seemed to be the "no" team, eliminating most initiatives before they started. The risks were often found to outweigh the benefits, and unless there was a very strong executive sponsor, say the CEO or Sector President, the ideas would be shelved.

More recently, as a response to the security “no” team, IT staff started several “Shadow IT” projects. People began using cloud computing systems and pay-as-you-go strategies on a corporate credit card to quickly develop and roll-out projects before anyone in security could get a word in.

These “beg forgiveness” aspects hamstrung security on several projects, especially if a data leakage incident occurred or breach was in progress. What’s more, we weren’t unique in seeing shadow projects. These projects increasingly become the norm as IT staff looking to move initiatives forward come up against cybersecurity professionals hell-bent on maintaining security and, who know that in the event of a breach, heads could easily roll. Most likely theirs.

Tired of being seen as the “no” team? Here are three ideas that could reshape the value of security to your company as a whole:

Demonstrate Trust

Trust messages need to come from outside the security department, even if they are ghostwritten or created internally. Whether from the CTO, CFO or CEO, the message should convey that risk comes in many forms and that the security department weighs all of them before approving or denying projects.

Many compliance frameworks have an HR or training domain, and some security departments successfully use this for mandatory training for topics like phishing. When a non-infosec colleague clicks on a fake attack, the trust point may be reiterated with a reminder of example fines and the costs. Breach notifications or PCI violations aren’t cheap after all.

Show Security as a Business Enabler

Share a couple of department wins where the security team got involved early and added value to the program that was deployed. Look for examples like OAuth or single sign-on (SSO) simplifying a portal's usage, or a project where business continuity planning or encryption helped pass an acceptance audit.

Demonstrating that security builds team success and is no longer the “no” department pays dividends.

Provide Educational Incentives

Lastly, extend the educational aspect beyond testing for ignorance. See if your organization offers reimbursement or even bonuses for security certifications, and stand-up internal lunch-and-learn or video conference preparation sessions. If your organization doesn’t provide an across-the-board financial incentive, maybe fund a raffle for five of the folks who pass the test to receive a spot bonus.

Hopefully you'll find these an opportunity to impress upon the rest of the corporation the importance of the CISO's office. There's a long history of "no"; without effort on the infosec staff's part, that image will linger well past its truth.

Jon-Michael C. Brook, Principal at Guide Holdings, LLC, has 20 years of experience in information security with such organizations as Raytheon, Northrop Grumman, Booz Allen Hamilton, Optiv Security and Symantec. He is co-chair of CSA’s Top Threats Working Group and the Cloud Broker Working Group, and contributor to several additional working groups. Brook is a Certified Certificate of Cloud Security Knowledge+ (CCSK+) trainer and Cloud Controls Matrix (CCM) reviewer and trainer.

Top Security Tips for Small Businesses

By Jon-Michael C. Brook, Principal, Guide Holdings, LLC

Most small businesses adopt some sort of cloud offering, be it Software as a Service like QuickBooks or Salesforce, or even renting computers in Amazon Web Services or Microsoft's Azure in an Infrastructure as a Service environment. You get Fortune 50-class IT support, including things a small business could never afford on its own, like building security and power fail-over with 99.999-percent reliability.

While cloud has great advantages, you must know your supply chain. Cloud providers operate under what is called the shared responsibility model: their risks and vulnerabilities become yours, so choosing a discount provider may open you up to compliance issues you never anticipated. That said, cloud lets a small business focus on what differentiates it competitively, leaving the technical aspects to others in a pay-as-you-go utility computing model.

In today’s increasingly complex security environment, following these three top security tips will go a long way to letting small business owners concentrate on running their business rather than keeping up with the latest security issues.

Something you know

Let's talk about authentication, which for most people means passwords. The first factor to establish is "something you know," such as a PIN or password. The worst thing anyone can do today is reuse one username and password everywhere. If any one site is compromised, the username/password pair is sold on the Dark Web as a known combination. The lists are huge, and replaying known pairs (credential stuffing) is far faster than brute force, even against banking or e-commerce sites that otherwise implement effective security. This is what happened after the Yahoo! breach that nearly scuttled the Verizon acquisition a couple of years ago, sending ripples throughout the web and forcing password resets at companies everywhere.

At the very least, use a unique password per site, at least eight and preferably 16 or more characters long. Characters are more than letters and digits: the more of the keyboard you use, the longer it takes to test every combination in a brute-force attack, and extra length helps more than any single special character.

Password managers such as LastPass or KeePass make keeping these organized easier, and they sync across phone, laptop and desktop through cloud providers like Dropbox, Box and OneDrive. Many now tie in "something you are," such as fingerprint or facial recognition, to unlock the vault.

Something you have

The next step up is one-time passwords. They add "something you have," your mobile device, to "something you know," so a stolen password alone no longer gets an attacker in. That's why banks and financial trading firms adopted the technology a few years ago.

As security gets better, so do the attackers. SIM swapping and other attacks on text-message codes gave rise to soft tokens such as Google Authenticator and Authy. The app and the server share a secret and a synchronized clock; each code is a short, truncated HMAC of that secret and the current 30-second time step (the TOTP scheme of RFC 6238). Because HMAC is one-way, an attacker who sees earlier codes learns nothing about later ones, and without the secret no code can be computed at all.

Currently, the most secure consumer option is a purpose-built hardware token, typically a key fob or USB device from manufacturers like Entrust, RSA or Yubico. A classic RSA SecurID fob generates codes from a seed the same way a soft token does, but the seed lives in tamper-resistant hardware designed to erase itself rather than give the seed up. FIDO U2F keys such as the YubiKey go further and use public key cryptography, the mathematics developed in the late 70's: the private key never leaves the device, and the site receives a signature bound to its own origin, which defeats phishing as well as password theft.

To recap, strong authentication combines something you know, something you have and something you are, in increasing order of strength: Same Passwords -> Unique Passwords -> Text Messages -> Soft Tokens (Authenticator/Authy) -> Hard Tokens (SecurID/RSA/YubiKey)

Built-in, not bolted on

Lastly, follow your industry/vertical’s rules early.

The typical adage of "built-in, not bolted on" holds true for a small business that wants to make it over the long haul. It's always easier to include security at the beginning than to shoehorn it in afterwards. A small business can be fined for non-compliance, to the point of bankruptcy, under regulations such as:

  • Sarbanes-Oxley (SOX), enforced by the US Securities and Exchange Commission;
  • Payment Card Industry’s Data Security Standard (PCI-DSS);
  • Health Insurance Portability and Accountability Act (HIPAA);
  • Privacy controls by the US Federal Trade Commission’s Fair Credit Reporting Act (FCRA) and Children’s Online Privacy Protection Act (COPPA); and
  • European Union's General Data Protection Regulation (GDPR).

 Jon-Michael C. Brook, Principal at Guide Holdings, LLC, has 20 years of experience in information security with such organizations as Raytheon, Northrop Grumman, Booz Allen Hamilton, Optiv Security and Symantec. He is co-chair of CSA’s Top Threats Working Group and the Cloud Broker Working Group, and contributor to several additional working groups. Brook is a Certified Certificate of Cloud Security Knowledge+ (CCSK+) trainer and Cloud Controls Matrix (CCM) reviewer and trainer.

Cybersecurity Trends and Training Q and A

By Jon-Michael C. Brook, Principal, Guide Holdings, LLC

Q: Why is it important for organizations and agencies to stay current in their cybersecurity training?

A: Change in technology keeps accelerating. Moore's Law, named after Intel co-founder Gordon Moore, observes that the number of transistors on a chip doubles roughly every 18 months to two years. Combined with the virtualization that cloud computing depends on, technology professionals now tackle ideas that were science fiction 30 years ago. You carry around more processing power in an Apple Watch than launched the space shuttle. Big Data, Blockchain, the Internet of Things, AI and self-driving cars were inconceivable; now you see advertisements for NCAA trend analysis (Big Data), Bitcoin (Blockchain), Alexa and smart homes (Internet of Things), Watson (AI) and Tesla. Humans create all of this new technology, we are flaw-ridden, and cybersecurity researchers find exploitable bugs every day.

Training for developers is important; they’re a small population and make a huge impact limiting the types and quantities of flaws. Training for general users helps them avoid clicking malicious links, falling for phishing schemes and opening files of unknown pedigree. Staying current keeps users only a half step behind the latest exploitation schemes; everything turns over entirely too fast to rely on 10-year-old security knowledge. Ransomware wasn’t something we trained people on 15 years ago, even though the PC Cyborg virus demanded the first $378 payment in 1989. Now, people clicking a link could lock out a company’s entire data store.

Q: Do you find that most organizations and agencies employ a workforce that is woefully undertrained in cybersecurity?

A: There are companies like KnowBe4 and PhishMe that specifically target under-trained employees. KnowBe4 calls it the Human Firewall—accurate when it works properly. In the cybersecurity world, we’ve said two things about users for years—you have to trust someone, and users are the weakest link in any computer architecture. We made inroads limiting the damage by segmenting networks, limiting access privileges and improving authentication capabilities, but training is a moving target and people forget or get careless.

Q: Is cybercrime on the upswing? Do you have statistics or studies to back this up?

A: The trends for cybercrime show increases in the total occurrences. Part of that is “who’s” doing the work for the majority of the takeovers. In many cases, self-replicating viruses and bots do the work—they don’t sleep. Some cybersecurity researchers find flaws and immediately publish their sample code. Not contacting the product manufacturer first is irresponsible. The sample code gets weaponized and added to existing exploit development kits and loaded into malware, including ransomware, for instance. Ransomware encrypts all the files on a drive and rose from 22nd to 5th-most-common malware between 2014 and 2016 (2017 Verizon Data Breach Investigations Report). Recently, the city of Atlanta was hit with a $51,000 demand.

Executives at a company the size and stature of Uber decided to pay a ransomware demand. They clearly didn’t have good backup and recovery processes, and we can’t expect the 718,000 other victims in 2016 to do much better. Uber, in turn, funded the next round of development. According to Symantec, the cyber criminals saw per-victim value increases of 266 percent from 2015 to 2017, and continue their efforts. There are over 50 families of ransomware alone. That’s families—not applications. Cracking a single variant in a family doesn’t necessarily eliminate that version’s effectiveness. An effort by Europol and several cybersecurity vendors to inform users and collect decryption keys started last year with the site nomoreransom.org.

Q: Which organizations are currently most targeted for cybercrime, and why?

A: There was a quote in the New Yorker during the 1950s where Willie Sutton answered the question of why he robbed banks. His response was straightforward: “I rob banks because that’s where the money is.” This trend has held true throughout history, be it land during feudal times, stagecoaches and trains during the Old West, and finally cybercrime today.

So where is the proverbial money in today’s cloud-connected, on-demand, app-everywhere world?

The industry most people think of with cybercrime and fraud is the credit card and banking institutions referred to as the Payment Card Industry (PCI). They really worked to lock everything down, starting with the Payment Card Industry Data Security Standard (PCI-DSS) in December 2004. The rationale was simple—rampant fraud in the late 1990s. They were losing every time someone called about a bad charge.

Credit card companies are steadily improving to the point now where your bank tracks your location and habits and will proactively block suspicious transactions, calling or sending a text message as an additional authorization step. I’ve seen it fail miserably (a friend of mine received a deny on a charge at the local Kroger after using the same card at the same store weekly for the past 18 months) and work stupendously (a $1 Burger King charge in Mexico while I was buying snacks at the Ft Lauderdale airport). The chip cards are also reducing fraud, as they prove to the card processors that you have the original card and not a fake copy. The Payment Card Industry does such a good job now that bulk credit card numbers on the Dark Web cost pennies per thousand.

That’s not the same for the healthcare industry, however. Personal Health Information (PHI) continues to be the most profitable data, running in the $0.50 to $7 range. That is down significantly from the $150 range less than 5 years ago. However, extensive health histories provide a treasure chest of fraud possibilities and are now purchased alongside additional information like birth dates, Social Security numbers, and driver’s license data. Knowing a patient’s previous diagnosis of high cholesterol makes fake claims for heart procedures more plausible. CIPP Guide pointed out how common abandoned medical records were 10 years ago. Doctors place a premium on their time, but the HIPAA compliance actions for Electronic Health Records (EHR) and the ease with which the information may be destroyed eliminate that sort of abandonment. It does open up a new situation, where a patient actually wants their previous health history to continue with a new practice. At that point, people must take personal responsibility and keep their own EHR.

Let’s investigate where the money isn’t … sort of. Cyberattacks were a significant part of the Russian attacks on Georgia and the Ukraine in 2017. One of the first nation-state attributed cyberweapons, Stuxnet, set back the Iranian nuclear program in 2010 by attacking power plant equipment—Supervisory Control and Data Acquisition (SCADA)—responsible for their uranium enrichment centrifuges. The Russian Government election interference in the US elections is a continued congressional topic. And early in 2018, the city of Atlanta experienced ransomware demands. While governments typically have big budgets, getting to them will prove more difficult.

Lastly, the area I’m most concerned about is transportation. Money is replaceable. More “intelligent” features are making their way into mass production, from braking assist and lane departure to auto-pilot. Two researchers demonstrated a remote automobile attack at the DEF CON hacking conference in 2015. The conference introduced a Car Hacking Village, where attendees could try the exploits themselves. Since that time, self-driving vehicles, including cars and semi-trucks, are under development by Tesla, Uber and NVidia. Uber recently suspended self-driving car tests after a pedestrian accident in Arizona on March 19, 2018.

The possibility of a driverless future, with limited road rage and fewer traffic fatalities, sounds promising. The fact of the matter is that these systems use external connections to download updates. History shows remote updates to be a vulnerability. The automobile immobilizer/remote disablement feature flaws were demonstrated in 2016. The ability to stop a car suddenly is already part of police controls for theft prevention and recovery. Hollywood TV shows dramatize accelerating quickly. The prospects of ransom or terrorism are frightening at 60 MPH.

Q: How bad is cybercrime expected to be in the future?

A: Cybercrime success in the future depends on the diligence of everyone involved. Punishment for unacceptable behavior was documented in biblical times. Deterrence depends on risk versus reward similar to the drug trade. The main difference surrounds education—hacking requires access to computers and coding skills. In the US, our Bill of Rights and Constitution keeps American hackers from being executed with the exception of treason. Life in prison or heavy fines are the punishments of choice. If you don’t have money, the heavy fines don’t look as daunting. A serious prison term carries a bit more weight. That’s not how most of the US laws read currently. Kevin Mitnick, one of the best known hackers, received a 5-year sentence after breaking into several corporations’ networks, including Pacific Bell’s voice mail system. The main charge that got him jail time was wire fraud.

Folks outside of the US, especially organized crime in the poorer nations of Africa and Asia, already show a great deal of interest in cybercrime—mostly phishing schemes. Eastern Europe also has several well-known hacking groups. Their tools are getting better and easier to use. That’s a double-edged sword—less knowledgeable users will probably make implementation mistakes that allow projects like NoMoreRansom to work.

Cybersecurity protections will continue evolving. Organizations within the PCI are now asking for continuous access to your location data so they can correlate your spending with your charge card and ATM usage, the next logical evolution in their fraud detection. Until you forget your phone. And at that point, we need to adjust where the “money” is, and start examining what can be done with your location information and other low-hanging fruit. If criminals know you’re not in your residence, will the crime statistics show a spike in burglaries? Will social engineers or phishing scams target you based on the most susceptible device? Email scams work best on your tablet, text scams on your phone and click fraud on your laptop?

Q: Who are these cyber criminals and where do they come from?

A: In the past, we dealt a lot with individual hackers. There were hacktivists and folks who wanted to see how they could get in and what they could do in infiltration. That has since moved to organized crime, with the bulk of cyber criminals motivated by money, and how quickly they can turn whatever they find into cash. Most of the latest attacks are external, financially focused, and automated to increase return on investment.

Q: A lot is now being discussed about cyber criminals holding the data of individuals and organizations hostage. How is this possible and what can be done to prevent it?

A: The data hostage taking refers to a type of malware called ransomware. It is so named as a ransomware infected system will scramble all the stored data using encryption and demand payment for release of the decryption key. Most anti-virus companies will catch all but the latest 0-day hacks (those not yet discovered by cybersecurity professionals).

Keep the cybersecurity software up to date. Likewise, keep ALL your systems patched—most operating systems will install patches automatically and, unlike the old days, at least on desktop systems everything won’t crash. Mobile device users are slightly less accepting of auto-updates, for fear of favorite apps no longer working or battery-draining updates. Keep in mind, the favorite apps could be part of the reason for the patch. Lastly, invest in some sort of backup software. Plenty of choices will automatically save all of your files—Apple has iCloud, Microsoft has OneDrive, you could use Google Drive or Amazon’s S3 cloud service. There are plenty of third-party solution providers, including Carbonite, CrashPlan and others. Make the best choice that fits with your lifestyle—if you own all Apple devices, that’s probably your best choice. And as mentioned on nomoreransom.org, paying the ransom equates to venture funding the next round of attacks.

Q: Besides cyber blackmail, are there other new schemes in cybercrime that organizations need to be aware of?

A: An emerging scheme involves stealing cycles from people’s web browsers, or cryptojacking. It’s a combination of Bitcoin mining and a “free” component—the advertising revenue stream is augmented or replaced with either pornography or a game, depending on the user set. There is additional code on the page that uses your computer to mine Bitcoin for them. My kids were playing a tank game that crashed my system from heat. Bitcoin thefts a couple of years ago (see Mt Gox, for instance) were popular because there was little risk of getting caught. With cryptojacking, people think it’s just a poorly written web page and restart their browser/computer. You never get something for nothing.

These examples highlight the negatives and shouldn’t all be seen as daunting. The technology behind Bitcoin opens up a new world of possibilities around worldwide money transactions. A company called Ripple, an “altcoin” using the same blockchain technology, based its whole business model on efficiently and effectively moving money between countries in Southeast Asia. IBM commercials tout the advantages for our food supply and for eliminating “blood diamonds.” Even with all the accident reports on driverless cars, autonomous vehicles have the potential to save millions of lives by eliminating driving under the influence or distracted driving. EHR and smart watches, for instance, allow doctors continuous monitoring of vital signs, looking for abnormalities day-to-day rather than relying on just the annual patient screening. All of these were science fiction or unfathomable even 20 years ago. As a society, we need to be aware of and diligent about criminal activity, but being aware shouldn’t scare the world into a techno-free cave.

Cybersecurity Certifications That Make a Difference

By Jon-Michael C. Brook, Principal, Guide Holdings, LLC

The security industry is understaffed. By a lot. Previous estimates by the Ponemon Institute suggest as much as 50 percent underemployment for cybersecurity positions. Seventy percent of existing IT security organizations are understaffed and 58 percent say it’s difficult to retain qualified candidates. ESG’s 2017 annual global survey of IT and cybersecurity professionals suggests the biggest shortage of skills has been in cybersecurity for at least six years running. It’s a fast-moving field with hackers’ crosshairs constantly targeting companies; mess up and you’re on the front page of the Wall Street Journal. With all of the pressure and demand, security is also one of the best-paying segments of IT.

Cybersecurity is a different vernacular, with a set of acronyms and ideas far outside even those of its information technology brethren. For the gold standard as a security professional, the title to have is the Certified Information Systems Security Professional (CISSP) from the ISC2 (isc2.org). The requirements have grown increasingly strict since my testing in 2001. Not lax, mind you, but five-year industry minimums and certified professional attestation give the credential even more heft. There is an associate version available, the Associate Systems Security Certified Practitioner (SSCP), that eliminates the time and sponsorship minimums and would be appropriate for someone new to the field.

Adding to the professional shortages are new IT delivery methods, a la cloud computing. Amazon Web Services is the giant in the space, offering several certifications for cloud architecture and implementation. Microsoft and Google round out the top three. These, too, are hot commodities, as cloud is a relatively nascent industry and not very well understood. Layer security onto the cloud platform, and you find certifications such as the Cloud Security Alliance’s Certificate of Cloud Security Knowledge (CCSK) and, again, the ISC2’s Certified Cloud Security Professional (CCSP). In 2017, Certification Magazine listed cloud security certifications as offering some of the highest salary increases available to an IT professional.

One caveat to all of the excitement of underemployment: recruiters, headhunters and hiring managers. Position requirements are sometimes outlandish or poorly vetted, such as the requisition asking for 10 years of cloud and 20 years of security experience. Amazon Web Services started in 2006. Microsoft Azure and Google Compute Platform were seen as cannibalistic to existing revenue streams. Even five years of cloud industry experience is a lifetime, and the industry moves so fast that AWS’s Certified Solutions Architect (AWS-ASA) requires re-certification every two years vs. the standard three for the rest of IT. They, too, have a security exam recently out of beta, the AWS Certified Security Specialty, though it requires one of their associate certifications first.

If you have the appetite for learning, add privacy to the mix. The number of industry vertical regulations (healthcare’s HIPAA, Payment Card Industry’s PCI-DSS, finance’s FINRA/SOX, etc…) and regionally specific requirements (EU’s GDPR) has the International Association of Privacy Professionals (IAPP) offering eight Certified Information Privacy Professional (CIPP) certifications. As an IT professional in the US, the Certified Information Privacy Technologist (CIPT) and CIPP/US are probably the most attainable and attractive.

Microsoft Workplace Join Part 1: The Security Timebomb

By Chris Higgins, Technical Support Engineer, Bitglass

It’s no secret that enterprise users wish to access work data and applications from a mix of both corporate and personal devices. In order to help facilitate this mix of devices, Microsoft has introduced a new feature called Workplace Join into Azure Active Directory, Microsoft’s cloud-based directory and identity service. While the intent of streamlining user access to work-related data is helpful, the delivery of this feature has resulted in a large security gap—one that can’t easily be disabled. This is another example of an app vendor optimizing for user experience ahead of appropriate controls and protections—demonstrating the basis for the cloud app shared responsibility model and the need for third-party security solutions like cloud access security brokers (CASBs).

According to Microsoft, “…by using Workplace Join, information workers can join their personal devices with their company’s workplace computers to access company resources and services. When you join your personal device to your workplace, it becomes a known device and provides seamless second factor authentication and Single Sign-On to workplace resources and applications.”

How does it work?

When a user links their Windows machine to “Access Work or School,” the machine is registered in Azure AD, and a master OAuth token is created for use by all Microsoft client applications as well as the Edge and IE browsers. Subsequent login attempts to any Office resource cause the application to obtain an access token and log the user in without ever prompting for credentials. The thinking behind this process is that logging in to Windows is enough to identify a user and give them unrestricted access to all Office 365 resources.

In plain language, this means that once you log in to Office 365 from any device (Grandma’s PC, hotel kiosks, etc.), you, and anyone accessing that device, are logged in to Office 365 automatically from then on.

Why is this such a big security issue?

Workplace Join undoes all of your organization’s hard work establishing strong identity processes and procedures—all so that an employee can access corporate data from Grandma’s PC (without entering credentials). Since Grandma only has three grandkids and one cat, it likely won’t take a sophisticated robot to guess her password—exposing corporate data to anyone who accesses her machine. Making matters worse, user accounts on Windows 10 don’t even require passwords, making it even easier for data to be exfiltrated from such unmanaged devices.
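A first step for a defender is to see how exposed the tenant already is: which policy governs registration and which personal (Workplace Joined) devices currently hold a token. The script below is an added example, not Bitglass’s code; it assumes the MSOnline PowerShell module and an account with directory read rights, and the cmdlet and property names should be checked against the module version in use.

```powershell
# Added example (not from the original post): audit Azure AD device registration.
# Assumption: the MSOnline module is installed and Connect-MsolService succeeds
# with a directory reader account.
Import-Module MSOnline
Connect-MsolService

# 1. What does the tenant allow? AllowedToWorkplaceJoin = "All" is the
#    permissive default the post describes (any user, any personal device).
$policy = Get-MsolDeviceRegistrationServicePolicy
[pscustomobject]@{
    AllowedToWorkplaceJoin = $policy.AllowedToWorkplaceJoin
    AllowedToAzureAdJoin   = $policy.AllowedToAzureAdJoin
    RequireMultiFactorAuth = $policy.RequireMultiFactorAuth
    MaximumDevicesPerUser  = $policy.MaximumDevicesPerUser
} | Format-List

# 2. Enumerate Workplace Joined devices, i.e. personal machines that were
#    registered through "Access Work or School" and now hold a token.
#    -ReturnRegisteredOwners populates the owner UPNs on each device object.
$staleAfterDays = 30
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

$registered = Get-MsolDevice -All -ReturnRegisteredOwners |
    Where-Object { $_.DeviceTrustType -eq 'Workplace Joined' }

$report = foreach ($d in $registered) {
    $lastLogon = $d.ApproximateLastLogonTimestamp
    [pscustomobject]@{
        Device    = $d.DisplayName
        OS        = "$($d.DeviceOsType) $($d.DeviceOsVersion)"
        Owners    = ($d.RegisteredOwners -join ';')
        LastLogon = $lastLogon
        Enabled   = $d.Enabled
        # A device never seen, or not seen within the window, is a candidate
        # for follow-up with its owner (hotel kiosk? family PC?).
        Stale     = (-not $lastLogon) -or ($lastLogon -lt $cutoff)
    }
}

$report | Sort-Object LastLogon | Format-Table -AutoSize

# 3. Keep a copy for the review; stale or unrecognised personal devices can be
#    disabled with Disable-MsolDevice -DeviceId <ObjectId> once the owner confirms.
$report | Export-Csv -Path .\workplace-joined-devices.csv -NoTypeInformation
```

Running this on a schedule and diffing the CSV is a cheap way to notice new personal-device registrations before the next post’s mitigation is in place.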

Workplace Join is enabled by default for all O365 tenants. Want to turn it off? You’ll have to wait for the next blog post to sort that out.

In the meantime, download the Definitive Guide to CASBs to learn how cloud access security brokers can help secure your sensitive data.

Speeding the Secure Cloud Adoption Process

By Vinay Patel, Chair, CSA Global Enterprise Advisory Board, and Managing Director, Citigroup

Innovators and early adopters have been using cloud for years, taking advantage of the quicker deployment, greater scalability, and cost savings of services. The growth of cloud computing continues to accelerate, offering more solutions with added features and benefits, and, with proper implementation, enhanced security. In the age of information digitalization and innovation, enterprise users must keep pace with consumer demand and new technology solutions, ensuring they can meet both baseline capabilities and security requirements.

CSA’s new report, State of Cloud Security 2018, is a free resource that provides a roadmap to developing best practices where providers, regulators, and the enterprise can come together to establish the baseline security requirements needed to protect organizational data.

The report, authored by the CSA Global Enterprise Advisory Board, examines such areas as the adoption of cloud and related technologies, what both enterprises and cloud providers are doing to ensure security requirements are met, how to best work with regulators, the evolving threat landscape, and goes on to touch upon the industry skills gap.

Among the report’s key takeaways are:

  • Exploration of case studies and potential use cases for blockchain, application containers, microservices and other technologies will be important to keep pace with market adoption and the creation of secure industry best practices.
  • With the rapid introduction of new features, safe default configurations and ensuring the proper use of features by enterprises should be a goal for providers.
  • As adversaries collaborate quickly, the information security community needs to respond to attacks swiftly with collaborative threat intelligence exchanges that include both providers and enterprise end users.
  • A staged approach on migrating sensitive data and critical applications to the cloud is recommended.
  • When meeting regulatory compliance, it is important for enterprises to practice strong security fundamentals to demonstrate compliance rather than use compliance to drive security requirements.

Understanding the use of cloud and related technologies will help in brokering the procurement and management of these services while maintaining proper responsibility for data security and ownership. Education and awareness still need to improve around provider services and new technologies for the enterprise. Small-scale adoption projects need to be shared so that security challenges and patterns can be adopted to scale with the business and across industry verticals. This skills gap, particularly around cloud and newer IT technologies, needs to be met by the industry through partnership and collaboration between all parties of the cyber ecosystem.

The state of cloud security is a work in progress with an ever-increasing variety of challenges and potential solutions. It is incumbent upon the cloud user community, therefore, to collaborate and speak with an amplified voice to ensure that their key security issues are heard and addressed.

Download the full report.

Five Reasons to Reserve Your Seat at the CCSK Plus Hands-on Course at RSAC 2018

By Ryan Bergsma, Training Program Director, Cloud Security Alliance

The IT job market is tough and it’s even tougher to stand out from the pack, whether it’s to your current boss or a prospective one. There is one thing, though, that can put you head and shoulders above the rest—achieving your Certificate of Cloud Security Knowledge (CCSK). CCSK certificate holders have an advantage over their colleagues and get noticed by employers across the IT industry, and no wonder.

It’s been called the “mother of all cloud computing security certifications” by CIO Magazine, and Search Cloud Security notes that it’s “a good alternative cloud security certification for an entry-level to midrange security professional with an interest in cloud security.” So it was no surprise when Certification Magazine listed CCSK at #1 on the Average Salary Survey 2016.

For those interested in taking their careers to the next level, we are offering the CCSK Plus Hands-on Course (San Francisco, April 15-16) at the 2018 RSA Conference.

Our intensive 2-day course gives you hands-on, in-depth cloud security training, where you’ll learn to apply your knowledge as you perform a series of exercises to complete a scenario bringing a fictional organization securely into the cloud.

Divided into six theoretical modules and six lab exercises, the course begins with a detailed description of cloud computing, and goes on to cover material from the official Security Guidance for Critical Areas of Focus in Cloud Computing, Cloud Controls Matrix v3.0.1 (CCM) documents from Cloud Security Alliance, and recommendations from the European Network and Information Security Agency (ENISA).

Still on the fence? Here are five reasons you need to register today.

  1. Get trained by THE best in the business. Rich Mogull, a prominent industry analyst and sought-after speaker at events such as RSAC and BlackHat, will be there to guide you through this 2-day, intensive cloud security course. Not only is he the most experienced CCSK trainer in the industry, but he created the course content. Need we say more?
  2. Gain actionable security knowledge. In addition to learning the foundational differences of cloud, you’ll acquire practical knowledge and the skills to build and maintain a secure cloud business environment right away. It’s good for you and good for your company.
  3. Make the boss sit up and notice. Your newfound knowledge will translate to increased confidence and credibility when working within the cloud, and just maybe a better job or dare we say, a raise?
  4. Move to the head of the class. By the end of the course, you’ll be prepared to take the CCSK exam to earn your Cloud Security Alliance CCSK v4.0 certificate, a highly regarded certification throughout the industry certifying competency in key cloud security areas. ‘Nuff said.
  5. Invest in your future. The course price includes the cost of the exam, a $395 value. That’s what we call a sound investment.

Still not convinced? Watch this and you will be.

Register.

CSA Summit at RSA Conference 2018 Turns Its Focus to Enterprise Grade Security: Will you be there?

By J.R. Santos, Executive Vice President of Research, Cloud Security Alliance

Today’s enterprise cloud adoption has moved well beyond the early adopters to encompass a wide range of mission-critical business functions. As financial services, government and other industries with regulatory mandates have made significant steps into the cloud over the past year, it’s only fitting that this year’s CSA Summit at RSA Conference 2018, now in its ninth year, turn its attention to enterprise-grade security.

For both companies and governments, however, making this leap has not come without effort. It’s required a transformation in both the technology of security and the mindset of security professionals. To help facilitate this transformation, we’ll again be bringing together some of the best and brightest minds from across the industry to share the common practices that are enabling the shift to cloud as our dominant IT system.

Thought leaders from multi-national enterprises, government, cloud providers and the information security industry will be speaking on some of cloud security’s most pressing topics, including:

  • Appetite for Destruction – The Cloud Edition. Over the last two years, the multitude of data leaks and breaches in the cloud has skyrocketed. Many of these leaks are reminiscent of the past security lessons, and some show new attributes unique to our evolving computing environments. In this short talk, Raj Samani, chief scientist at McAfee, takes a look at the past, and peers toward the future.
  • Cloud Security Journey. Get a preview of how a major retailer solves the problem of security software chaos and fragmentation while addressing new security requirements in this session from Symantec and Albertsons Companies. You’ll get a real-world perspective on how they approached cloud security while addressing end-to-end compliance, data governance, and threat protection requirements.
  • A GDPR-Compliance & Preparation Report Card. With the impending May 2018 deadline for GDPR compliance, organizations worldwide need to account for the regulation in their security policies and programs. Join Netskope Chief Scientist Krishna Narayanaswamy and CSO Jason Clark for an interactive session that previews their recent study with the Cloud Security Alliance on how organizations are preparing for compliance.
  • The Software-Defined Perimeter in Action. Cyxtera’s Cybersecurity Officer Chris Day will chronicle how organizations have taken CSA’s Software-Defined Perimeter (SDP) from experimental to enterprise-grade. You’ll walk away with valuable insights and learn compelling best practices on how enterprises can make SDP adoption a reality.

Other discussions and panels will also explore new frontiers that are accelerating change in information security, such as artificial intelligence, blockchain and fog computing.

Register for RSAC and the Summit today using the discount code 18UCSAFD to receive $100 off the full conference pass to RSAC, or receive a complimentary expo pass with the code X8ECLOUD. The CSA Summit is a free event for all registered conference attendees regardless of pass.

For those interested in taking their careers to the next level, we also are offering the CCSK Plus Hands-on Course (April 15-16) at the RSA Conference 2018. Our intensive 2-day course gives you hands-on, in-depth cloud security training, where you’ll learn to apply your knowledge as you perform a series of exercises to complete a scenario bringing a fictional organization securely into the cloud and emerge prepared to take the Certificate of Cloud Security Knowledge exam.

The CCSK gives you a distinct edge over your cloud security colleagues. Why else would CIO Magazine have called it the “Mother of all cloud computing security certifications?” Certification Magazine even listed CCSK at #1 on the Average Salary Survey 2016.

So what are you waiting for? Register now.