Raspberry Pi, Pi-hole DNS Sinkhole, Ad Blocker and DHCP Server with Log2RAM

I got a Raspberry Pi 3 a couple of years ago to use as a retro gaming device, which is well worth doing if you’re into gaming and feeling nostalgic. It is super easy to set up; if you’re interested check out RetroPie, just be aware that many ROMs are copyrighted and may be illegal to download.

This post isn’t about RetroPie though. Since studying networking and cybersecurity, the Pi has had many different uses. It has been a wireless router, a network firewall, a web proxy, a VPN server and a network monitor. However, its current use is as a DNS sinkhole and DHCP server for my network, without doubt one of the most practical jobs I’ve had it perform.


Blocking Ads Using Pi-hole

Pi-hole is lightweight, open source software that will block ads across your whole network so you don’t need to configure individual devices. Websites load, but without the annoying ads, so loading times can be faster. For example without Pi-hole running, if I want to watch a video on the Sky Sports app on my iPhone, I am forced to endure two advertisements for the privilege, but with Pi-hole running, I can watch the video I’m interested in straight away.

It is very easy to install following the steps below, and works on most operating systems you can run on your Raspberry Pi. I have Raspberry Pi OS (previously called Raspbian), but if you are starting from scratch and brand new to Raspberry Pis, check out this guide from the Raspberry Pi Foundation on how to install the operating system.

If you are using the GUI, open a terminal; otherwise SSH into your Raspberry Pi. Note that SSH is disabled by default on Raspberry Pi OS and must be enabled first, either in the raspi-config menu or by placing an empty file named ssh on the boot partition before first boot.

Don’t forget to make sure your system is up to date before you start the installation. Pi-hole can then be installed using the following command (the installer asks for sudo itself when it needs it):

curl -sSL https://install.pi-hole.net | bash

Piping a remote script straight into bash means running whatever the server sends you. If you want to avoid that, download the installer and read it first, or clone the repository and run the installer from your local copy:

git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
cd "Pi-hole/automated install/"
sudo bash basic-install.sh

Either way, once you run the installer you will be guided through the set up. You will be prompted to set a static IP address for your Pi-hole. If you are using DHCP, you might want to set a reservation or exclude the IP address to prevent conflicts. You will also need to select the network interface (ideally the Ethernet connection for faster speed).

You will be asked to select your upstream DNS provider. Either select from the options of popular providers or select custom to enter your ISP’s DNS servers.


Which DNS Provider Should You Use

If you use a router provided by your ISP, you are probably currently directed to their own DNS Server. My router doesn’t give me a choice to configure DNS, though of course there is always the option to configure it on each of your devices.

Since I stopped using my Raspberry Pi as a wireless router due to the slower speed, I no longer have Squid and SquidGuard blocking access to malicious websites. So I have been using 1.1.1.1 for Families from Cloudflare, which has been excellent so far, and blocks malicious websites with the option to also block websites featuring adult content.

Cloudflare is supposed to be the fastest DNS provider, but bear in mind that plain DNS to any upstream is unencrypted. You can run a DNS-over-HTTPS proxy such as cloudflared alongside Pi-hole so that the queries between your Pi-hole and the upstream resolver are encrypted, or another good option is to set up your Pi-hole to be a recursive DNS server itself using Unbound from NLnet Labs, so that no single upstream provider sees all of your queries. I haven’t used Unbound myself, but there are guides for both on Pi-hole’s website if you want to look into it.


Back to Pi-hole Installation

You will also be asked whether to include the default blocklist, whether to block ads over IPv4, IPv6 or both, and whether you want to install the web interface and its web server for your Pi-hole, which is recommended. You also select whether to log queries and the privacy level for the statistics it keeps.

Once the installation has finished, you will get a message telling you the installation is complete and showing the password that you need for logging on to the web interface. You can test this by opening a browser and navigating to the web interface. The URL is http://IP_address/admin, replacing IP_address with the IP of your Pi-hole (once your devices are using Pi-hole for DNS, http://pi.hole/admin also works). You can then log in using the password you were provided with.


Configure DNS

In order for Pi-hole to start blocking ads, it needs to be the primary DNS server. If you can configure your router to use the Raspberry Pi as the primary DNS, that is the easiest way. If like me, you are using an ISP provided router, you may not be able to change the DNS settings.

There are two ways around this. If you can disable DHCP in your router, you can use the inbuilt DHCP functionality of Pi-hole. This can be set up in the web UI and, though it is no more configurable than the DHCP of my particular router, at least using the UI, it works well and is a better option than manually configuring each of your devices individually.

From what I have read, using another DHCP on your Pi or configuring the Pi-hole DHCP manually in the config file doesn’t work smoothly with Pi-hole. If you have found a way around this, please let me know in the comments or send me a message.

My router still acts as the DHCP server for its guest network, which my IoT devices are connected to, so that may be an option for you to isolate your IoT devices from the rest of your network.


Using the Web UI

The interface is intuitive with graphical displays that you can drill down on, you can search the logs, and select devices and websites to query in the log. There is a whitelist for any blocked sites you want to unblock and a blacklist for any that you want to block. You can also alter the DNS settings and options you selected in the initial set up.
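To make the blocking decision concrete, here is an added example in Python (not Pi-hole’s own code, and not from the original post) that models how a sinkhole resolver answers a query against a hosts-format blocklist, a local blacklist with a regex entry, and a whitelist. The list contents and the doubleclick regex are constructed for the example; the 0.0.0.0 answer is Pi-hole’s default blocking mode, and 1.1.1.2 is the malware-blocking address of Cloudflare’s 1.1.1.1 for Families, used here as the upstream.

```python
"""Toy model of the decision a DNS sinkhole such as Pi-hole makes per query.

Added example, not Pi-hole's own code.  It models the three lists the web
UI lets you manage: the subscribed blocklists ("gravity", hosts-file style),
a local blacklist (exact and regex) and a whitelist.  It shows that the
whitelist wins, and that a blocked name is answered with 0.0.0.0 (Pi-hole's
default "NULL" blocking mode) instead of being forwarded upstream.  All list
contents below are constructed for the example.
"""
import re

# Constructed hosts-format blocklist.  Comment lines and both
# "0.0.0.0 name" and bare-name lines are accepted, as gravity accepts them.
BLOCKLIST_TEXT = """
# sample feed, not a real one
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # trailing comments are stripped too
0.0.0.0 cdn.example.net
telemetry.example.org
"""

WHITELIST = {"cdn.example.net"}   # a site you unblocked in the web UI
BLACKLIST = {"bad.example.com"}   # a site you blocked in the web UI
REGEX_BLACKLIST = [re.compile(r"(^|\.)doubleclick\.net$")]  # constructed regex entry

BLOCK_ADDRESS = "0.0.0.0"  # what Pi-hole answers for a blocked name by default
UPSTREAM = "1.1.1.2"       # Cloudflare 1.1.1.1 for Families (malware blocking)


def load_gravity(text):
    """Parse a hosts-style blocklist into a set of lower-cased domain names."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        # "0.0.0.0 name" -> take the name column; bare "name" -> take it as is
        name = parts[1] if len(parts) > 1 else parts[0]
        names.add(name.lower().rstrip("."))
    return names


GRAVITY = load_gravity(BLOCKLIST_TEXT)


def resolve_decision(qname):
    """Return ("block", "0.0.0.0") or ("forward", upstream) for one query name."""
    qname = qname.lower().rstrip(".")      # DNS names are case-insensitive
    # The whitelist is consulted first, so a name you unblocked is never
    # sinkholed even if a subscribed list still carries it.
    if qname in WHITELIST:
        return ("forward", UPSTREAM)
    if qname in BLACKLIST or qname in GRAVITY:
        return ("block", BLOCK_ADDRESS)
    if any(r.search(qname) for r in REGEX_BLACKLIST):
        return ("block", BLOCK_ADDRESS)
    return ("forward", UPSTREAM)


if __name__ == "__main__":
    for name in ("ads.example.com", "cdn.example.net", "stats.doubleclick.net", "www.example.co.uk"):
        print(name, "->", resolve_decision(name))
```

The order of the checks is the point: an exact whitelist entry overrides every blocklist, exact matches are cheap set lookups, and the regex list is only consulted for names that survived those. Real Pi-hole also answers from a cache and records every decision in the query log you drill into from the dashboard.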

The only other thing to bear in mind, whatever you are using a Raspberry Pi for, is to lock it down. Change the generated web interface password to one of your own, keep Pi-hole and the OS updated, and add firewall rules so that DNS (port 53), the web interface (port 80) and DHCP (port 67, if you use it) are only reachable from your LAN, and SSH only from the hosts you administer from. In particular, never expose port 53 to the internet: an open resolver can be abused for DNS amplification attacks against other people.


Log2RAM

One of the issues faced with Raspberry Pis used for purposes that create logs is an increase in write cycles. This reduces the longevity of an SD card, which already has a shorter lifespan than an SSD, much less an HDD. Modern SD cards spread writes across the whole memory to maximise lifespan, something called wear levelling, but a few utilities like Log2RAM can also help in this regard.

Log2RAM works by pushing the log files to the RAM. They are then written to the SD card at specified intervals, thus reducing how often the SD card is written to. The only thing to bear in mind is that if your Raspberry Pi loses power suddenly, you would lose any logs that haven’t already been written to the SD card. So if you want those logs, make sure you shutdown the Raspberry Pi, as you should always do anyway, rather than cutting the power.


Installation

Log2RAM was scripted by Azlux and can be downloaded from their GitHub with:

wget https://github.com/azlux/log2ram/archive/master.tar.gz -O log2ram.tar.gz

This saves the archive as log2ram.tar.gz (note the capital -O: a lowercase -o would write wget’s own log to that file instead of the download). It must then be extracted.

sudo tar xf log2ram.tar.gz

The files are extracted in a new directory called log2ram-master. Change to the new directory and then run the install script.

cd log2ram-master
sudo ./install.sh

A message will tell you to reboot to activate log2ram and that options are configured in /etc/log2ram.conf

You can confirm that Log2RAM is working using the command systemctl status log2ram


Customising Log2RAM

Within the config file there are a couple of options that you may wish to consider. One is the size of the log folder reserved in RAM. The default is 40MB and depending on your preferences you may wish to increase this. You will probably want to check how much is being stored as it will be different depending on your set up, though for most the defaults will be enough.

In order to check how much space is currently taken and how much RAM is being used, you can run the following commands.

df -h | grep log2ram
free -m

As you will see, unless you are creating a lot of logs the defaults should be adequate, but to change the size of the folder, edit the config file using the below command and change the figure in SIZE=40M

sudo nano /etc/log2ram.conf

Another option you may wish to change is how often Log2RAM writes to disk. The default is once a day, plus on reboot or shutdown, and I would recommend keeping that schedule, but it can be changed to weekly by running systemctl edit log2ram-daily.timer with sudo privileges and adding the following:

[Timer]
OnCalendar=weekly

Or even disabled with the command

sudo systemctl disable log2ram-daily.timer

… in which case the logs will only be written when the system is rebooted or if the Log2RAM service is stopped.


Conclusion

With the Log2RAM service up and running, the lifespan of the SD card will be extended even with high usage of your Raspberry Pi. One way of checking the effect of Log2RAM is by installing iotop which monitors I/O usage. You could compare before and after running Pi-hole, and then again after installing Log2RAM.

What’s your favourite use of your Raspberry Pi? Let me know in the comments below.

Nearing the End of the First Leg of My Journey in to Cybersecurity

It has been a while since I posted and I want to update the journey blog on my studies, job hunting and my love of interviews.

I’ve had a break recently with a week away and then various events and things happening at home, so the best part of two weeks went by with little studying. I made myself a new desk (pictured below) out of furniture that we were getting rid of, to aid my studies, but little actual time spent watching videos about pentesting or cybersecurity.

Used to be a cot, now has a new life as a desk

I had initially set a goal of completing all my certs by the end of May, but that changed the middle of last month when I started to focus on other studies. I spent more time on TryHackMe and then the RangeForce Community SOC Challenge came up, which was a lot of fun and I was keen to do more of that. Then the two week break kicked in.

Now I am enrolled on the SOC 1 & 2 Battlepaths at RangeForce, about halfway through SOC 1 and really enjoying it, and it feels like I am learning a lot. Once I have done those then I’ll finish the CompTIA certs, though I might park pentest+ and do CySA+ first and in the mean time start looking for a job.

On that note, I have done a lot of networking on LinkedIn, though it is easily a full-time job in itself. A change of focus from information gathering and one eye on future employment, I’ve started to have more conversations with industry professionals and recruiters, including a chat about some possible voluntary work. There have been some very encouraging telephone conversations and I am happy with my progress on that front.

With the help of the community, an overwhelming response really, I have identified the type of organisation that I want to work for (you can read the post here), and in part thanks to that I feel I can focus again on getting myself ready to work as a SOC Analyst. I’m resigned to the fact that there will always be more that I want to learn, but at some point I need to take the plunge.

A very interesting person pointed out to me that there is a balance between the amount of experience someone has and the amount of certs that will help in that stage of their career.


Interviews are like torture, and you’ll never convince me otherwise

The idea of interviews fills me with apprehension. As someone who is modest by nature and finds it uncomfortable talking about myself, I have never enjoyed them, and I think people that do must be masochists. I’ve led teams, made presentations, chaired meetings, given best man speeches with aplomb, but interviews are another matter. I enjoy conducting interviews, and you’d think that experience would help, I know it’s a two-way street, but nothing puts me at ease with the alien encounter of interviewing for a potential job.

Most of my experience is with competency based interviews and they should be done away with in my opinion. I’m not sure what it is, but I get tongue-tied, my mind goes blank and no matter how many times I’ve gone over them, I can’t remember any of the great examples I’d prepared. I know one of the things being assessed is the ability to think on my feet and work under pressure, which I have no problem with – it’s a key requirement of many of my previous roles, but I just leave the interviewer with the wrong impression.

I do like to hear the experiences others have had in interviews, so please let me know how you have gotten on.

Blockchain and its Implications for Cybersecurity

In the simplest terms, a blockchain is a chain of blocks containing information. First described in 1991, its intended use was to time stamp digital documents so that they could not be tampered with.

Each block in the chain contains some data, for example financial transactions, along with the hash of the block and the hash of the previous block, creating a secure chain. This cryptographic chaining means that if one block is tampered with, all following blocks will become invalid as the hash will no longer match, and similarly ensures the integrity of all previous blocks.

Blockchain was largely unused until 2008 when the technology was adapted to create bitcoin, enabling the direct transfer of assets between individuals. The use of a public blockchain to record the transactions removed the necessity for a mutually trusted third-party, meaning transactions could be carried out faster and cheaper.


How does it work?

The transactions recorded in the blockchain create a ledger, open and public to everyone. The ledger is distributed to everyone on the network, thus removing centralisation. Transactions are gathered into candidate blocks by special nodes called miners, which compete to find a nonce that makes the block’s hash fall below a difficulty target (proof of work). The first miner to succeed broadcasts the block; the other nodes check the hash and the transactions it contains and append it to their own copy, which keeps the distributed ledger synchronised amongst everyone on the network.

The difficulty target is adjusted so that finding a new block takes around 10 minutes in bitcoin. Because every later block commits to the hash of the one before it, rewriting an old block means redoing the proof of work for it and for every block after it, faster than the honest network extends the chain, which is what makes the recorded history so hard to tamper with.
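The chaining and the mining step are easier to see in code. The following is an added example in Python, not bitcoin’s implementation and not from the original post: a toy chain whose block headers are hashed with SHA-256, a proof-of-work target of two leading zero hex digits (a constructed difficulty; bitcoin’s is vastly higher), and a verifier that reports the first block that fails, so you can watch a single edited transaction invalidate everything after it.

```python
"""Hash-chained blocks with a small proof-of-work.

Added example, not Bitcoin's code: the block layout, the record format and
the difficulty are toy choices to make the chaining and tamper-detection
described in the text concrete.
"""
import hashlib
import json

GENESIS_PARENT = "0" * 64  # the first block has no parent to point at


def block_hash(index, previous_hash, data, nonce):
    """SHA-256 over a canonical serialisation of the block header fields."""
    header = json.dumps(
        {"index": index, "prev": previous_hash, "data": data, "nonce": nonce},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(header).hexdigest()


def mine_block(index, previous_hash, data, difficulty):
    """Search for a nonce whose block hash starts with `difficulty` zero hex digits.

    This is the miner's work: raising the difficulty raises the expected number
    of attempts, and so the time between blocks.
    """
    nonce = 0
    while True:
        h = block_hash(index, previous_hash, data, nonce)
        if h.startswith("0" * difficulty):
            return {"index": index, "prev": previous_hash, "data": data,
                    "nonce": nonce, "hash": h}
        nonce += 1


def build_chain(records, difficulty=2):
    """Mine one block per record, each committing to the previous block's hash."""
    chain, prev = [], GENESIS_PARENT
    for i, rec in enumerate(records):
        blk = mine_block(i, prev, rec, difficulty)
        chain.append(blk)
        prev = blk["hash"]
    return chain


def verify_chain(chain, difficulty=2):
    """Return the index of the first invalid block, or None if the chain is intact.

    A block is invalid if its stored hash does not match its contents, if it
    misses the proof-of-work target, or if it does not point at its parent.
    """
    prev = GENESIS_PARENT
    for i, blk in enumerate(chain):
        recomputed = block_hash(blk["index"], blk["prev"], blk["data"], blk["nonce"])
        if (blk["prev"] != prev or blk["hash"] != recomputed
                or not recomputed.startswith("0" * difficulty)):
            return i
        prev = blk["hash"]
    return None


def tamper_demo():
    """Alter a transaction in block 1 and report where verification first fails."""
    chain = build_chain(["alice->bob 5", "bob->carol 2", "carol->dave 1"])
    chain[1]["data"] = "bob->carol 200"   # rewrite history without re-mining
    return verify_chain(chain)           # block 1 no longer matches its own hash


if __name__ == "__main__":
    print("first invalid block after tampering:", tamper_demo())
```

Re-mining only the edited block is not enough either: its new hash no longer matches the `prev` stored in the block after it, so the attacker has to redo the work for every later block as well, which is the cost the difficulty target is there to impose.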


Uses of Blockchain Technology in Cybersecurity

Apart from the current and potential economic impacts of blockchain technology, there are many, varied proposed uses including notaries, health information, voting and personal data privacy.

For the cybersecurity industry, blockchain-based schemes for authentication and public key infrastructure have been proposed as a way to reduce reliance on Certificate Authorities, using the distributed consensus and the open, append-only ledger as a public record of which key belongs to whom.

Blockchain technology has also been proposed as a way to address some of the inherent weaknesses of IoT deployments. With smart contracts, IoT devices become nodes on the blockchain, removing the need for a central controller, and the ledger records tamper-evident transactions between devices, so that unauthorised changes to their interactions can be detected. It does not, by itself, fix weak firmware or default credentials on the devices themselves.

My Experience of RangeForce’s Community Challenge

Cards on the table: I’m part way through the TryHackMe beginner course and I have a bit of hands on experience with Kali (mostly just nmap scans and practicing hacking my wi-fi), so this is the first challenging lab/real-world scenario-type thing I’ve done, at least where you’re not having your hand held. I had absolutely no idea if I would be able to do any of it.

SPOILER ALERT: Throughout this post I have purposely not given too much away as the challenge is ongoing. So you won’t find anything too revealing, but you will find a few extra hints and tips on top of what RangeForce give you, so if you want to complete the challenge without any prior knowledge at all, this is where you stop reading.

You can join RangeForce’s community edition by signing up here.

Email Challenge

Examining headers in greater detail than what you see in the email was something new to me. I know how to spot spoofed emails, but had never looked at the source code before. The scenario was that you work on the security team for an organisation and you have a bunch of emails in your inbox from colleagues forwarding you emails they are concerned about.

The questions themselves point you to the tools you need to use (like MX Toolbox) and you are asked specific questions about the output from those tools.

I went through the questions pretty quickly after getting used to the platform, though it took me a little while to realise I could throw the whole source code in to MX Toolbox; initially I thought I needed to paste specific information.

I definitely felt a sense of achievement at getting through the challenge, but it was easier than I was expecting. On to the next.

Malware Analysis and YARA Rules

Right then. I didn’t know the first thing really about how to practically analyse malware, except that it should be done in an isolated environment. I also didn’t know what a YARA rule was (does it really stand for Yet Another Ridiculous Acronym?), although I’d seen the term before on LinkedIn.

The first question was about analysing the strings of the first sample and I jumped straight to the hint, which told me to use the “strings” command. Fair enough.

I first ran the strings command on the file and saw a very long list in the terminal window, and then I remembered that the question was about the number of strings over a certain length. So I checked the usage of the strings command to find that you can indeed indicate the minimum length.

I adjusted the command to find strings at least 7 characters long and got another long list. I couldn’t see any way to count them using the strings command, but I knew how to number the lines in a file, so, wondering if there was a better way (I’ve since discovered that there is), I saved the output in a text file and then using the “cat” command with the n flag, I obtained the number of strings.

Surprise of surprises, it was the right answer! I gave a little cheer at my new-found skills. With the next question I was very quickly brought down to Earth. After a quick google search, I shut down the challenge and started learning more about malware analysis. I had an idea about what needed to be done, but I wasn’t sure how to write or save a YARA rule. So I started writing this blog post instead!

Jump forward a busy 48 hours or so, itching to get back to it, and I’m quite proud to say that I finished the malware analysis challenge, although some help was required. I used several sources to study YARA rules, among them a blog post on RangeForce’s site by Vickie Li, the Malware Analysis Bootcamp from Hackersploit on their YouTube channel, and a course on malware analysis from Skillsoft that I had access to through the training provider I’m studying with. By combining several resources, I think I have what would be considered a good, basic foundation in static analysis, and I highly recommend checking out the Hackersploit bootcamp, but if you have any suggestions for further study on malware analysis, please leave a comment or send me a message.

YARA rules themselves are not complicated, at least not in the way you use them for this challenge. You define your indicators, the conditions that must be met with regards to them, and run it on the files you want to check. I did run in to a snag because I hadn’t read the documentation on https://yara.readthedocs.io/en/v4.1.0/gettingstarted.html so I was getting an error when I ran my YARA rule on the sample file. The available hint told me that I needed to escape certain characters, which was easy enough to figure out by referring to the above documentation.

The next part of the challenge involved analysing a different sample using the string from the previous question and finding the offset, which meant running the rule on the other sample and out pops the offset. Not too bad.

For the next part of the challenge, you have to create a YARA rule to check if a file is of the Portable Executable (PE) type. I had a good idea of how this could be accomplished from the two courses I had done and the hint confirmed what I needed to do. My rule needed a little tweak, but I was beginning to think I was getting good at it. However, the final part of the challenge was still to come.

You are given a long list of strings with which to create a YARA rule, which you need to use to scan a couple of hundred suspicious files to check how many of them are malware. The list of strings is too long to think about typing the rule out manually and upon checking the hints, three for this final part of the challenge, they suggest you use scripting. They also tell you to include the PE check. The final hint threw me a bit, but I’ll come back to that. I thought I would just get started and see where it got me.

I don’t know bash scripting, but I’ve done Dr Charles “Chuck” Russell Severance’s course on Python For Everybody, which is brilliant and if you want to get started on Python, do check it out, it’s free by the way. So I knew I could script what I thought was required with Python, and before too long I had my rule set up.

I tried running it on one of the suspicious files and the rule threw out some errors. Checking the lines that the error indicated, I saw that a lot of the strings had special characters that needed to be treated in the same way as the string in the “Simple Rule” part of the challenge. I wasn’t sure if that was supposed to happen, but it made sense why RangeForce would choose that particular string for the first YARA rule.

I kept running the rule, correcting the errors until it wasn’t throwing up any more. Getting a little excited, I ran the rule on all the suspicious files and found that nearly every one of them was malware according to my rule, and I didn’t get the tick in the box.

Back to the final hint. It suggested I might need to use all of the indicators as some of the indicators might exist in isolation. I was already using all the indicators, but in such a way that if a file contained any one of the strings, along with the PE check, it would flag the file as malware. So I altered the conditions in my YARA rule so that the file must contain all of the indicators and ran it again. Nothing. It now didn’t detect any of the suspicious files as malware, and I still didn’t have the tick in the box, not that I was expecting it now.

Feeling deflated, I ran just the PE check on the files to check that would at least work, and it did. I started to doubt the rule I had made, wondering if we were supposed to somehow write a script that ran each string individually on each file and returned the files that had all the strings in them all in one go. I did some Google searches to try to find something that would help, but was stumped, so I reached out for some help.

I contacted someone on LinkedIn who had offered me some advice with regards to the challenge, to ask about the last hint – I still wasn’t sure if I had understood it correctly, and I thought I might be able to glean some information that would help, without asking how to solve it completely. We discussed the scripts and having to manually alter the strings once the rule was set up – although he was planning to go back in and make that a part of his script. He then explained what I was missing in the final hint. Thanking him, I went back, altered my rule… and it still didn’t work.

I was also in conversation with someone else who was struggling with the same challenge, and I was offering hints for the earlier parts of the challenge. He had been sent a video of somebody completing that very challenge. At this point I didn’t think I was going to be able to complete the challenge so I watched the video.

The guy in the video also used Python to script his rule, though his command of Python was far superior to mine, but our output was the same. I actually think I preferred my simpler code, and I guess the guy who made the video is used to far more complicated coding. He used find and replace to make the necessary alterations, which hadn’t occurred to me, saved the YARA file and ran it. And it worked straight away.

It now dawned on me that I had messed up one or more of the strings when altering them manually, so I ran my script again, and used find and replace to make the alterations, which took a fraction of the time compared to doing it manually. There were still a couple of errors in my rule, but eventually, it worked. I’d completed the second challenge and a fanfare went off in my head.

Afterwards it occurred to me that I had just used Python to solve a “real world” problem, which is pretty cool. I have also redone the challenge and written the character escapes into my script. I thought that might be beyond me, but Python is such a user-friendly language, it is made relatively easy for you. Though I will say, it is quicker to use find and replace unless you know exactly what you are doing.
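Two steps from the malware analysis challenge above lend themselves to a worked example: counting the printable strings of a minimum length in a sample (at the shell that is simply strings -n 7 file | wc -l), and generating a YARA rule from a long list of indicator strings with the characters YARA requires escaped. The Python below is an added example, not RangeForce’s material and not the author’s script. It extracts strings roughly the way GNU strings does, escapes backslashes, double quotes, tabs and newlines as the YARA documentation requires for text strings, adds the standard MZ/PE header check, and switches between an all-of and an any-of condition. The sample bytes and indicators are constructed.

```python
"""strings-style extraction and YARA rule generation.

Added example, not from the challenge or the post's author.  The SAMPLE bytes
are constructed: a fake MZ header whose e_lfanew field (offset 0x3C) points at
a "PE\0\0" signature at offset 0x40, followed by a few strings and junk bytes.
"""
import string

# GNU strings treats 0x20-0x7E and tab as printable.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}


def extract_strings(data, min_len=4):
    """Return runs of printable ASCII bytes at least `min_len` long (like strings -n)."""
    found, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:          # a run that reaches end of file
        found.append(run.decode("ascii"))
    return found


def yara_escape(s):
    """Escape a text string for use inside double quotes in a YARA rule.

    YARA text strings accept \\\\, \\", \\t, \\n and \\xNN escapes; a raw
    backslash or quote in an indicator breaks the rule, which is the error the
    challenge's hint points at.
    """
    return (s.replace("\\", "\\\\")
             .replace('"', '\\"')
             .replace("\t", "\\t")
             .replace("\n", "\\n"))


def build_rule(name, indicators, require_all=True, pe_only=True):
    """Emit the text of a YARA rule whose strings are the (escaped) indicators.

    pe_only prepends the usual PE check: "MZ" at offset 0 and the PE signature
    at the offset stored in the DOS header's e_lfanew field (0x3C).  require_all
    chooses `all of them` over `any of them`, the distinction that decided the
    final part of the challenge.
    """
    lines = [f"rule {name}", "{", "    strings:"]
    for i, indicator in enumerate(indicators):
        lines.append(f'        $s{i} = "{yara_escape(indicator)}"')
    quantifier = "all of them" if require_all else "any of them"
    pe_check = ("uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and "
                if pe_only else "")
    lines += ["    condition:", f"        {pe_check}{quantifier}", "}"]
    return "\n".join(lines)


# Constructed sample: 4-byte MZ stub + 56 zero bytes brings us to offset 0x3C,
# where e_lfanew = 0x40 points at the "PE\0\0" signature that follows.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 56 + b"\x40\x00\x00\x00" + b"PE\x00\x00"
          + b"\x01\x02" + b"C:\\Users\\victim\\payload.exe" + b"\xff\xfe"
          + b'cmd /c "whoami"' + b"\x00abc\x00" + b"http://203.0.113.5/gate.php")


if __name__ == "__main__":
    indicators = extract_strings(SAMPLE, min_len=7)
    print(len(indicators), "strings of 7+ characters")
    print(build_rule("Constructed_PE_Indicators", indicators))
```

Generating the rule from code rather than by hand removes the step where a manual edit silently corrupts one of a few hundred strings, which is exactly what went wrong in the account above. For a real set of indicators you would load them from a file instead of extracting them from a constructed sample, and you would still decide deliberately between all of them and any of them, since a rule that matches on any single common string will flag most of a directory.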

SOC Detection Challenge

It was late by the time I’d finished the previous challenge, but buoyed by the excitement of finally getting it done, I thought I’d have a look at the SOC Detection Challenge. Remembering advice I’d been given about how to search, I started the module.

For this challenge you are working as a SOC Analyst and you have been made aware that Windows Security has been disabled on a particular host. You must investigate what happened using Splunk.

The first part of the challenge involves re-enabling Windows Security and you are given a couple of scripts to execute. So far so good and on to the first question. Now we start using Splunk. I’d been given the suggestion of going through the Splunk module on RangeForce, but I hadn’t gotten round to that yet. It was still fairly self-explanatory so far.

The next task starts to delve a bit deeper with a series of questions. It is just a case of picking out the required information and you can narrow down the search results by adding more search terms, which helped. My eyes were starting to feel a little heavy though, so I shut my laptop and went at it again the next day.

This time I did the community Splunk challenge first as had been suggested, but by this point, it didn’t teach me anything I hadn’t already picked up in the community challenge. So back to the final challenge I went and worked my way to the point I’d left off.

I wasn’t expecting the next part, which was about dynamic analysis of the malware stager. I had assumed the challenge was all about Splunk, although there isn’t much dynamic analysis about it. They tell you that the system has been sandboxed and off you go executing the malware before answering a couple of questions about it.

The final task is to delete the malware stager and that is it, all done! Everybody start cheering!

I really enjoyed my first taste of malware analysis and Splunk. RangeForce have put together a brilliant challenge for those inexperienced with these tools, and I have definitely learnt some things and gained some valuable practical experience.

As I said in the beginning I wasn’t sure if I would be able to do it, so I’m very happy that I could. It took me longer than I would’ve liked due to my inexperience and not always knowing if I was doing the right thing, but if you want me to create some YARA rules, sure I can do that now, need me to examine some emails, no problem, and I’ve made a tiny scratch on the surface of Splunk, which is what I really hoped to get out of this exercise.

I can’t wait to do more, but I can hear a Pentest+ exam calling my name, so it’s time to get back to study.

Getting to the Bottom of the Cybersecurity Skills Gap/Hiring Issue


There is a virus infecting the cybersecurity industry. The number of breaches and the cost of cybercrime continues to skyrocket, there are millions of unfilled positions, and yet many would-be cybersecurity professionals are struggling to find a job.

Astonishingly there is much disagreement in the cybersecurity community about the reasons for this gap. For anyone hoping to gain employment in the not too distant future, or further a career, this is a somewhat important topic. So I decided to investigate.


The Scale of the Problem

Most media outlets quote 3.5 million unfilled positions globally. I wanted to confirm if this was an accurate representation of the number of available positions. So where did it come from? The original source is actually a prediction from four years ago.

This prediction (their word by the way) is from the jobs report released by Cybersecurity Ventures in May 2017, which you can read here. It is right there in big, bold letters in the opening sentence. This new prediction revised previous, lower forecasts. Media outlets and tech articles have been quoting this figure ever since.

For example, this New York Times article from November 2018 says “A stunning statistic is reverberating in cybersecurity.” This is one of the few articles that does cite Cybersecurity Ventures, but they do not mention that the report is eighteen months old.

How did Cybersecurity Ventures arrive at this prediction you may ask? Communication is the key. They spoke to people, a whole host of cybersecurity professionals, and they looked at research. Sneakily, they spoke to people and more importantly, listened to what they had to say. There were surveys being conducted at the time arriving at quite different figures, but I guess they forgot to speak to people. Or rather, maybe they weren’t listening, but then 3.5 million unfilled positions is an enormous figure to take in.

In looking for corroborating articles and studies, I found a surprising number from the past 12 months that quote predictions more than 3 years old as if they are actual figures of the day. There was at least one article released on Monday that quoted the 3.5 million estimate from 2017 as if it had just been announced. The attention-grabbing figure permeated well beyond the cybersecurity industry becoming less a prediction, often quoted as fact.

Even in a relatively recent article from PWC about how to Future-proof your security team, they quote the “most recent studies”, in a point about the lack of candidates to fill the needed positions. This is linked to a Security Magazine article from June last year, which cites research released by Emsi. There is a link to the research and you can download the pdf. This research paper in turn quotes the (ISC)2 Cybersecurity Workforce Study 2019, which gathered the data for its study between April and June of that year.

So what have we learned? The PWC article refers to two-year-old data as the “most recent studies”, in an industry where research is a key skill. There’s more…

Again from the same PWC article, the 3.5 million figure is quoted. This time the link is to Cybersecurity Ventures 2019/2020 jobs report. Now this you’ve got to love. In the 2019/20 jobs report, Cybersecurity Ventures quote the very New York Times article, which quotes their own prediction from 2017! They point out that their prediction has been corroborated many times from almost every kind of outlet.

I would humbly suggest that there’s a difference between corroborating and regurgitating. However, the report then mentions a couple more articles that cite their 2017 prediction, one of which is the Harvard Business Review. So I guess that makes them right. Either way, they “stand firmly behind the two-and-a-half-year-old prediction.” They probably spoke to some more people.

Cybersecurity Ventures made the point that (ISC)2 figures had now aligned with their own, having had quite different estimates back in 2017. It may or may not be relevant that in an article on their 2017 jobs report titled “Jobs Report Vs Survey”, Cybersecurity Ventures went to some pains to suggest that the estimate of 1.8 million from (ISC)2 was not in opposition to their own estimate, but rather was a subset of the 3.5 million prediction for 2021.

So in 2017, the (ISC)2 estimated figures were a subset of the 3.5 million, but in 2019, their estimate of the shortfall for 2021 was roughly the same as Cybersecurity Ventures. In fact the 2019 Cybersecurity Workforce Study estimated a workforce shortage of 4 million.

So the question remains how accurate was the 3.5 million prediction? It may be that the report was spot on, and 4 years later we do indeed have 3.5 million unfilled positions. There have been some major changes in that time though and nobody (apart from Bill Gates) could have foreseen a global pandemic forcing massive changes to the way we work, increasing the pressure on cybersecurity teams.

The (ISC)2 Cybersecurity Workforce Study 2020, released last November and based on data collected between April and June, found that the jobs of up to 41% of respondents were affected by COVID-19 through reduced hours, reduced salary or being laid off. They report on the “Workforce Gap”, by the way, defined as the difference between the estimated number of professionals required by organisations and the number employed in cybersecurity. It is not an estimate of vacancies.

Their estimate is that the gap had narrowed by approximately 900,000 to 3.1 million worldwide in 2020, with over 2 million of those in the Asia-Pacific region. The gap reduced because respondents reported a lower average headcount demand, due to the pandemic. However, the data was collected soon after the start of the pandemic; cybercriminals hadn’t yet begun to take advantage of the increased attack surface and budgets were being hit.

To obtain an estimate of the current global workforce shortage, we can look at the U.S. estimates made by (ISC)2 from their 2019 and 2020 studies and compare that to the size of the current workforce from Cyberseek.

Year    US Workforce    US Workforce Gap    Global Workforce Gap
2019    804,700         ~500,000            ~4.07 Million
2020    879,157         359,236             ~3.12 Million
2021    956,341         464,420             ?

From this you can estimate that when (ISC)2 release their 2021 Cybersecurity Workforce Study, with figures being collected now if they stick to the same time frame as previous years, we will see the global cybersecurity workforce gap getting wider. It might just be 3.5 Million.


Unfilled Positions

Whatever the actual number, there are a lot of vacancies not getting filled. One of the reasons given most often is a lack of skills. There are two sides to this. One is that a large percentage of vacancies are for senior positions, but against a backdrop of 0% unemployment and high salaries, they fail to attract talented professionals, and hiring managers are seemingly happy to let the positions go unfilled rather than recruit someone who doesn’t currently possess the specific skillset.

The other side is the large number of students looking for an entry level role. The lack of skills referred to in this case is commonly a lack of hands-on experience. Among the requirements are often 3+ years of experience in an IT role, not to mention those entry level roles requesting the CISSP certification. Otherwise ideal candidates are overlooked when they can’t get past the HR filter.

According to the Emsi report “Build (Don’t Buy)” from July last year, among the skills most in demand are SIEM, Intrusion detection and prevention, and penetration testing. These are certainly among the skills that cybersecurity students are studying and practicing.

In webinars discussing this topic, I have often heard the advice “find your niche”, but based on this study, it is those core skills that employers really need. The challenge for prospective candidates is gaining real, hands-on skills to overcome the experience barrier that many hiring managers feel is a must-have.

It is this point that is often debated, with terms like “gatekeeper” and “talent shortage” sent back and forth.


Closing the Gap

The shortage has been there since cybersecurity became an industry and it is hard to find two people who agree on how to fix it.

Cybersecurity professionals need time to train in order to start to fill the more senior, more specialised roles. This is easier said than done when working over 100% capacity just to keep afloat because the team is understaffed.

The Emsi Build (Don’t Buy) report suggests re-skilling existing employees from other areas of the business, and implementing something called a “Capability Academy” to help nurture existing employees into cybersecurity roles and increase the skills and knowledge of employees already in the role.

Another possible solution is for hiring managers to recruit from more diverse backgrounds and I think more are coming round to this way of thinking. There is a loud and lively movement pushing this agenda for the benefit of all.


Conclusions

Here is a list of 10 solutions amongst the most commonly put forward to address the gap:

  1. Career professionals should focus on the right certs
  2. Career professionals should focus on web application and cloud security
  3. Employers should pay a lower salary, but offer training
  4. Offer a higher salary to attract the right candidates
  5. Hire from more diverse backgrounds
  6. More investment in high schools
  7. Organisations need to think more creatively and aim lower with outside talent while cultivating inside talent
  8. Gain volunteer experience
  9. Start a blog (tick!)
  10. Companies need to re-evaluate their hiring strategy

What can be concluded from such a wide variety of suggestions is that we have not yet found appropriate mitigation techniques for this threat, but it will likely be a multi-vector approach. One thing you can count on, is that as long as the gap remains, the cost of cybercrime will continue to grow.

Westpoint Cyber Talent – Cyber Lounge Coffee Morning

Westpoint Cyber Talent host a web chat over coffee every week or so with different guest speakers. I’ve just watched the video from earlier this week. The guest speaker was Dani Nadeem, Senior Security Response Analyst at cloud service provider, Oracle.

He offered some great insights into what to expect as an entry level SOC Analyst. It was also good to hear some advice from recruiters based in the UK.

There are many streams and content creators from the US aimed at cybersecurity training and helping people start careers in cybersecurity, but this is the first I’ve seen from a UK standpoint. The fact it is created by a recruitment company also gives an alternative perspective.

You can find the links for past recordings and upcoming coffee chats on Westpoint’s LinkedIn page.

SANS New To Cyber Summit

I attended SANS.org’s New to Cyber Summit recently, which I’d seen advertised on LinkedIn. It was free to attend and was just a wealth of information. One of the speakers I knew from Twitter and it was cool to put a voice to the face.

There were talks on all the different entry level roles; a talk about how to level up your resume; a presentation on social engineering and much, much more. It was also a great opportunity to chat and network with other cybersecurity students.

If you have the opportunity to attend any of these summits, especially when the theme is around entering the industry, I highly recommend it.