
Security Weekly News Episode #55 - August 11, 2020

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Kr00k Vuln, Banning TikTok, & Mercedes-Benz Vulns - 04:30 PM-05:00 PM


This week, Dr. Doug White talks TikTok, Microsoft 0-Days, Google Bug Bounties, Mercedes bugs, Kr00k redux, Tor nodes, and is 5G Dead? Jason Wood joins us for Expert Commentary on how the Cybersecurity Skills Gap Worsens, Fueled by Lack of Career Development!


Doug White's Content:


  1. Microsoft patches two zero-days amongst other things this week.
  2. TikTok collected banned data on Android and may still be collecting data on the iPhone.
    1. US President tries to ban TikTok and WeChat with executive orders.
  3. 24% of Tor exit nodes controlled by single actor in May.
  4. Google pays out 10000 in bug bounties for RCE vulnerability in Chrome.
  5. SANS institute reports that 28, records, were exposed.
  6. Kr00k vulnerabilities updated at BlackHat presentation and tool for testing released.
    1. Black Hat Talk
  7. Mercedes-Benz E Series had 19 security flaws found in another BlackHat talk.
  8. Nanyang Tech scientists publish first terahertz chip to exceed 5G speed limits.

Jason Wood's Content:


Cybersecurity Skills Gap Worsens, Fueled by Lack of Career Development

ThreatPost had a somewhat interesting and somewhat distressing post on career development and demand for cyber security professionals. The part that I thought was interesting was the view into how people view the career path and the ability to hire “qualified” people. I put qualified in air quotes here, because what meets that term varies wildly and can get absurd. The point of view I observed in this article is that organizations still can’t find people to fill roles and the pipeline for developing these skills is bleak. In fact, the article states there is “a lack of training and career-development opportunities” available.

This brings me to the part where I get distressed by the point of view being expressed in the article. In my opinion, there’s not really a lack of training opportunities available. There may be a lack of opportunities that are acceptable to employers. Job seekers may want training that is too expensive for them to pay for on their own, but are unwilling to accept alternatives. But there is a lot of training available in many different forms. Perhaps the problem is how we look at who is responsible for training and what is acceptable training.

In the US, there isn’t anything available (that I’m aware of) from the national government to have an impact on training. Local school districts are on their own as to what they want to do and fund. Universities have degree programs that may or may not be useful, but at least have the weight of a formal degree. Universities also have the added impact of high tuition costs and the four years to completion. Then you have to get your first job and start learning all over again. So that’s it on the traditional educational route.

For informal training, there is a wealth of options available. That is where I started out, with a private training provider that offers expensive boot camp style classes. It wasn’t easy and it took a while to pay off, but it did lead to me getting my first job. But let’s say you don’t want to go down that route. The options actually only grow when you consider online training options. You have training vendors that offer classes that are self-paced and very reasonably priced. The cost of them may involve some sacrifice, but for $30 per month you can get started. The risk here is that you have to dedicate time to getting it done or you don’t finish. I’m personally guilty of starting online classes and then not scheduling the time to get them done. Regardless, there are a lot of options here for us.

But how do we get employers to accept this type of training? Now there is the rub. Employers, you can’t expect someone to have a CISSP, other high dollar certifications, and be less than a year into their career so you can get them cheap. You can’t ask for years of experience in a technology that is longer than the technology or app has been around. If you expect your candidates to have formal degrees, every skill under the sun, and turn up your nose at people who have been busting their tail to develop skills but no piece of paper blessing them, don’t complain to me about not finding candidates. Be real about what the position needs to require. Does that Computer Science degree really have anything to do with doing incident response? If someone points you to their blog where they document what they’ve been learning and working on, you really need to add some weight to the impact that can have on the needs of the open position. And what it says about their work ethic.

To those job seekers out there… Look for opportunities to train yourself. Don’t depend on your employer to provide them or wait until they ask you to go to a class. Write about what you are doing. Speak about what you are doing. Do videos. Do something to demonstrate what you have learned. You don’t have to do all those things, but pick a medium for your voice. If the training available to you doesn’t exactly meet what you want, does it give you enough related skills for you to go and learn on your own? Schedule time (I know this part sucks) and do the work. It will require sacrifice and I get that. I know I’ve made my own trade-offs between spending time with my family, doing things that are fun, and learning a new skill. It is a lot of work, but it opens opportunities up that we may not picture immediately.

There are definitely issues out there with how we develop people’s skills and careers, but it isn’t impossible to surmount. Fortunately for us workers, there are more options than ever before for us to take charge of our development and learning. Take advantage of it and don’t wait for your employer to give you permission.