Tuesday, January 24, 2017

What constitutes cybersecurity education?

Cybersecurity Education (http://www.csec2017.org/): proposals for the curriculum needed for cyber training and education.

What's the need? http://www.csoonline.com/article/2953258/it-careers/cybersecurity-job-market-figures-2015-to-2019-indicate-severe-workforce-shortage.html
An extract:
An analysis of the cybersecurity job market looking back at 2014, the first half of 2015, and projecting out to 2019, reveals some interesting figures. For instance, the top paying cybersecurity job is a security software engineer with an average annual salary of $233,333, according to a recent report from the job board Dice. That tops the salary for a CSO which is $225,000.

But the big story in the cybersecurity labor market is a severe workforce shortage.

“The demand for the (cybersecurity) workforce is expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million,” stated Michael Brown, CEO at Symantec, the world’s largest security software vendor. Not long before Brown's statement, the Cisco 2014 Annual Security Report warned that the worldwide shortage of information security professionals is at 1 million openings, even as cyberattacks and data breaches increase each year.

Wednesday, January 11, 2017

Off The Record communications

The title of the OTR paper carries a subtitle: “Why Not To Use PGP”. Sometimes, private back-channel conversations are best when
  • They are confidential and kept private between the participants, so the messages should be encrypted in transit
  • The parties are clearly authenticated / identified, so you know who you’re talking to
  • They offer repudiation: the conversation must remain unverifiable to third parties, whereas conventional encryption with signatures would identify and verify who said what (and when) if keys were later compromised or broken.
PFS (perfect forward secrecy) is desirable in these use cases since “compromise of long-term keys does not compromise past session keys”. From the article, “If forward secrecy is used, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted should long-term secret keys or passwords be compromised in the future, even if the adversary actively interfered.”

If it is useful to have a verifiable record, use PGP and proper signatures.

If you want to just float an idea privately, say among representatives of nations with externally antagonistic views, or peace talks among parties in the Middle East, “just us girls talking”, OTR protocols can be great ways to explore options without being held to previous statements. OTR conversations allow participants to more freely speculate about a wide range of options, which is very much in the nature of human conversation that is not formally recorded.

Preliminary conversations relating to mergers and acquisitions, or collaborations, might be helped by a properly implemented "off the record" conversation. Until the concept gains general understanding and acceptance, however, it seems unlikely that such benefits will become widely used.

Separately, Forward Anonymity has a different emphasis and objective, in that the identities of the participants should not be discoverable after the fact.
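As an added illustration (not code from the post or from the OTR project), a simplified Python model of the two properties contrasted with PGP above: repudiation, because a symmetric MAC can be produced by either endpoint, and forward secrecy, because each message key is replaced by a one-way ratchet and the old key discarded. It assumes both parties already share an ephemeral session key, which OTR's key exchange would provide and which is constructed here as a fixed byte string.

```python
import hashlib
import hmac

def tag(key, msg):
    """Symmetric MAC: anyone who holds key can both produce and check the tag."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(key, msg, t):
    return hmac.compare_digest(t, tag(key, msg))

def ratchet(key):
    """One-way step to the next message key; both sides discard the previous key."""
    return hashlib.sha256(b"otr-demo-ratchet" + key).digest()

def session(root, messages):
    """Alice authenticates each message with the current key, Bob checks it with the
    same key, then both ratchet. Returns (transcript, all_verified, final_key). The
    transcript records the key used for each message only so the checks below can
    show what each endpoint knew; an eavesdropper sees only (msg, tag)."""
    key, transcript, all_ok = root, [], True
    for msg in messages:
        t = tag(key, msg)                        # Alice sends
        all_ok = all_ok and verify(key, msg, t)  # Bob checks
        transcript.append((key, msg, t))
        key = ratchet(key)
    return transcript, all_ok, key

def bob_can_forge(entry, fake_msg):
    """Repudiation: Bob held the same MAC key, so he can produce a tag for words
    Alice never said that is indistinguishable from a genuine one. A third party
    therefore cannot use the transcript to prove who said what; a PGP signature,
    checkable by anyone holding the public key, would prove it."""
    key, _, _ = entry
    return verify(key, fake_msg, tag(key, fake_msg))

def later_key_reveals_past(final_key, transcript):
    """Forward secrecy: an adversary who later obtains the current key cannot step
    the ratchet backwards, so none of the recorded past tags check under it."""
    return any(verify(final_key, msg, t) for _, msg, t in transcript)

if __name__ == "__main__":
    root = bytes(32)  # constructed stand-in for a key agreed via ephemeral DH
    transcript, ok, final = session(root, [b"shall we float an idea?", b"off the record"])
    print("authenticated:", ok)
    print("Bob can forge:", bob_can_forge(transcript[0], b"Alice never said this"))
    print("final key checks past tags:", later_key_reveals_past(final, transcript))
```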

Saturday, December 3, 2016

Blockchain - Bitcoin - MOOCs

Be on the lookout for developments in "FinTech" (technology implementations in finance and business transactions). "Follow the money": tomorrow, money manipulated and analyzed by technology is where it is. Let me know if you want to talk about it.

The University of Nicosia (classes are in English, not to worry) offers the first online Master's degree on Blockchain / Bitcoin.

It is much more than digital currency. The next class starts in February, but YouTube videos of the previous class, from fall 2016, are online at the link below.

http://courses.dcurr.unic.ac.cy/course/view.php?id=29

========= other resources =====

Tuesday, November 8, 2016

libvirt - why it's important

http://libvirt.org/ is a foundation stone of many virtualization capabilities, and it is where really interesting features are being added to cloud and virtualization.

For one, it is where software-defined storage (SDS) inserts itself: for example, Ceph provides software-defined storage and makes it available to OpenStack through a Swift interface. Underneath, Ceph is not part of OpenStack, but it integrates so tightly and works so far beneath it that tenants will never know nor detect any difference in their access to storage.

Another: VMQoS examines the QoS (quality of service) issues internal to a complex service like OpenStack. Conventional QoS talks about external connectivity (communications QoS), but what about the internal movement of data between compute and storage (through the network linking them)? How is that measured, what assurances can be established, and how is it corrected when performance deviates beyond set limits?

Libvirt can also be an interesting attack surface for malicious actors, since so much depends on it.