Security FYI blog is being retired

This is the last blog post to be published here on WordPress, as the articles will now be published to the news page of the Information Systems & Technology website for MIT. See them at Thank you to all the visitors of this blog and for subscribing to the Security FYI emails.

MIT Certificates Expire on July 31

If you haven’t done so already, be sure to renew your MIT personal web certificates and at the same time update your password (if the password is over a year old). Pick a strong password so that it’s less likely to be compromised.

Renewal of personal web certificates is not automatic, so plan to renew to ensure continued access to MIT’s secure applications, including Atlas, Benefits, SAPweb, WebSIS and software downloads.

This year, signing up for Duo Authentication (see above article) is added as an option, but next year when certificates expire it will be required, including for students.

Microsoft Ends Support for Windows Server 2003

Microsoft ended support of Windows Server 2003 on July 14, 2015. If you have machines still running Windows Server 2003, it is very important that you upgrade to Windows Server 2012 R2 and apply the latest patches from Microsoft to minimize security risks and comply with recent Massachusetts data regulations.

IS&T recommends that Windows users subscribe to the MIT Windows Automatic Update Service (MIT WAUS) to get the latest service packs and security patches. Visit the MIT WAUS article in the KB for detailed instructions on how to subscribe.

If you have questions or need assistance, send email to the IS&T Help Desk at or call 617.253.1101. You can also submit a request online.

Learn more from Microsoft about migrating from Windows Server 2003.

Cybersecurity Talent Woes

It is no secret that there is a shortage of talented cybersecurity professionals in the US. As posted in the news, this issue is worse than a skills shortage; it’s a critical gap. As an article at states: “We don’t have the workforce needed to address the challenges before us.”

The article goes on to further sum up the concern: “There are simply an inefficient number of qualified, skilled professionals available to do what’s needed to protect organizations and consumers.”

The problem becomes clear when organizations attempt to hire cybersecurity professionals. Many applicants don’t have the necessary skills for the open positions, which means it can take months to hire someone, while a short-staffed security team is trying to safeguard data and critical infrastructure.

SANS Institute is doing its part to help professionals launch cybersecurity careers and also assist companies and organizations to obtain the talent. This resource is available for employers:

This week, on May 14, SANS is also hosting SANS CyberTalent Fair, a two-day, online meeting place for top cybersecurity employers and jobseekers in the US. According to the event website, “More than 209,000 cybersecurity jobs in the US are unfilled.”

MIT is hiring cybersecurity professionals to work in Information Systems & Technology. See the MIT Careers website. Contract positions for IT Risk & Security Engineers are also available. For a job description, please contact Harry Hoffman.

Security Training By SANS

SANS offers all kinds of training for professionals who are involved in cybersecurity. There are various ways to access their quality training material: by attending a live conference, accessing your training on demand (online) or hosting a training session in your community.

Courses cover a range of topics, including hacker tools and techniques, forensic analysis, intrusion detection, network penetration testing, incident response and many more.

Find a training by course, location or date:

Find or host a training in your community:

On demand training:

SANS Holiday Hack Challenge

Help save old Ebenezer Scrooge from certain doom! This year’s Holiday Hack Challenge from SANS is designed to help build your information security skills and have some holiday fun in the process. This year, match wits with an Artificially Intelligent agent, exploit a target machine, and do some detailed packet capture and file analysis, all with the goal of unraveling the mysteries of the Ghosts of Hacking Past, Present and Future.

Everyone is invited to participate. Compete for some really cool prizes:

DeterLab Offers Free Cybersecurity Exercises

The free, open-infrastructure DeterLab provides exercises for students to learn cybersecurity techniques by getting their arms around attacks and defenses. Dedicated to supporting cybersecurity education, DeterLab has been used by 99 classes, from 64 institutions and involving more than 3,500 users.

Deter stands for Defense Technology Experimental Research, and is a project started ten years ago at the University of Southern California. From the DETER Project came DeterLab, which enables faculty members from all over the world to use pre-built exercises in their classes, letting students try out security activities in a safe environment. Students can work through exercises without breaking or attacking something “for real.” Included are real-world activities such as buffer overflows, man-in-the-middle attacks, worm modeling and detection, denial-of-service and distributed denial-of-service attacks, and forensics and monitoring.

Read the full story online.