ATLANTA, Sept. 27, 2022 /PRNewswire/ -- Veristor Systems, Inc., a trusted provider of transformative business technology solutions, and SANS Security Awareness, the global leader in providing security awareness training, today announce that Veristor has become a certified provider of SANS Security Awareness' comprehensive suite of products to enable a data-driven approach to cybersecurity training for an organization's end users.
"Researchers from Stanford University found that as much as 88% of all data breaches are caused by an employee mistake," said Daniel Martin, Principal Security Consultant, vCISO, Veristor. "This shows that end users are the most critical vulnerability gap in today's enterprise. Yet if properly trained, they can also be the most resilient security defense – a human firewall. Together with the experts from SANS Security Awareness we are helping customers guard their environments with an army of well-trained employees. With proven training to spot and act when suspicious activity arises, users can take an active role in preventing the growing wave of cyberattacks."
The SANS Security Awareness suite of dynamic multilingual computer-based training, games, phishing simulations, and engagement materials teach vital security behaviors to effectively manage human cyber risk. With different training styles to match different corporate cultures, employee comprehension levels, and learning preferences, SANS Security Awareness training equips workforces to recognize and prevent current cyberattacks, including work-from-home threats. The platform delivers valuable metrics to measure the effectiveness of each program, and customization features to tailor training to meet specific organizational needs."
With some groups requiring even greater specialized training, in addition to addressing core human behavior risk topics, SANS Security Awareness also offers secure development and coding techniques, understanding NERC CIP compliance requirements, and handling Industrial Control Systems (ICS) incidents.
"We are very pleased to be partnering with the cybersecurity experts at Veristor to provide the SANS Security Awareness program to their customers," said Brad Stilling, Director of Global Sales for SANS Security Awareness. "Regular awareness training is an essential activity for organizations looking to ensure security and compliance. When employees feel informed and empowered to recognize and address cyber risks, they can protect the organization. With SANS Security Awareness, Veristor customers are now better positioned to detect and prevent cyber-attacks."
For organizations starting their awareness training journey, Veristor delivers a SANS Human Risk Insight assessment to identify program cost reductions, eliminate unneeded staff training, and create risk metrics to baseline and benchmark an organization's human cyber risk. Request a pre-assessment consultation here.
The SANS Security Awareness training solutions are now offered as a part of Veristor's suite of security solutions that are designed to solve business challenges through the intelligent application of next-generation security technology. For more information visit: https://veristor.com/it-security/.
About Veristor Systems, Inc.
Veristor, which recently announced a merger with Anexinet, is a leading provider of transformative business technology solutions that helps its customers accelerate the time-to-value for the software, infrastructure and systems they deploy. We do this by harnessing deep expertise in today's most advanced data center, security, networking, hybrid cloud, and big data technologies and guiding businesses to the right solutions for their most pressing challenges. And with a full suite of design, deployment, support, and managed service offerings, we work shoulder-to-shoulder with our customers at every step of their technology journey to make technology truly work for them. IT's just who we are. Learn more at veristor.com.
About SANS Security Awareness
SANS Security Awareness provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their human cybersecurity risk. SANS Security Awareness has worked with over 1,300 organizations and trained over 6.5 million people around the world. The SANS Security Awareness program offers globally relevant, expert authored tools and training to enable individuals to shield their organization from attacks and a fleet of savvy guides and resources to work with you every step of the way. To learn more, visit www.sans.org/security-awareness-training
SOURCE Veristor Systems, Inc.
The SANS Institute was founded in 1989 to provide IT security and administration information and vendor-neutral training on those subjects. Since its inception, SANS has trained more than 165,000 individuals via in-class courses, training events, and technical conferences held throughout the world; self-paced online training (called SANS OnDemand); and interactive virtual training (called SANS vLive).
Course subjects from the SANS Institute include security essentials, hacking techniques, intrusion detection and incident response, network defense, mobile device security, auditing, digital forensics and related security topics. The “information” component of SANS includes the SANS memorizing Room, an extensive library of downloadable security research documents; the Internet Storm Center, which monitors and reports on malicious attacks and provides weekly bulletins and alerts; free security policy templates; the CIS Critical Security Controls for cyber defense and more.
SANS formed the Global Information Assurance Certification (GIAC) program to act as the certification arm for its training courses, ensuring that individuals meet knowledge and skills standards in specific areas of IT security. More than 165,000 GIAC credentials have been issued. GIAC certifications are well known and highly respected among employers and the information security industry. Even the United States National Security Agency (NSA) recognizes GIAC certifications.
GIAC offers more than 30 security certifications across introductory, intermediate, advanced and expert levels. According to SANS, GIAC certifications are unique because “they measure specific skills and knowledge areas rather than general infosec knowledge.” That means a typical GIAC certification requires rigorous preparation and hands-on experience. That’s why SANS training comes highly recommended.
Note: Another component of SANS is the SANS Technology Institute, which offers one security-related master’s degree – the Information Security Engineering (MSISE). The SANS Technology Institute also offers five graduate certificate programs focused on Cybersecurity Engineering (CORE), Cyber Defense Operations, Incident Response, Industrial Control Systems Security, and Penetration Testing and Ethical Hacking.
GIAC certifications fall within six specific domains, each with its own certification track:
Another certification “category” is the pinnacle GIAC certification – namely, the GIAC Security Expert (GSE). Some industry officials consider the GSE to be the premier security-related certification available today. Whereas most GIAC certifications can be achieved by passing a single multiple-choice exam, the GSE exam includes both a multiple-choice component and a hands-on lab.
SANS offers four levels of certifications, including introductory, intermediate, advanced and expert. The table below is a modified version of the GIAC certification roadmap, which lists each certification by level and certification tracks.
Digital Forensics and Incident Handling
Management and Leadership
Digital Forensics and Incident Response
Management and Leadership
Other than the GSE, GIAC certifications require passing one exam and have no prerequisites. That said, GIAC highly recommends SANS training courses, especially for candidates who don’t have adequate hands-on experience and aren’t able to self-study.
Once an application has been approved, candidates have four months to attempt the associated exam. (GIAC does not administer exams immediately upon conclusion of a training event; candidates must wait at least seven days to sit for the exam.) The cost of each GIAC exam is currently $1,899, which includes two practice exams. The lab exam for the GSE is $2,459, and the written exam is $499. (Note: Students can purchase and take an exam as part of a training course, or they may purchase and take an exam by itself.)
To remain certified, credential holders must renew their GIAC certifications every four years by earning 36 continuing professional education (CPE) credits. CPE credits may be earned by completing approved training or certifications, participating in continuing education, publishing a technical paper, completing certain graduate-level courses, getting community or work experience or participating in cyber range activities. A renewal fee of $429 is also required.
GIAC certifications cover the gamut of job roles in IT security today. GIAC-certified professionals work as security analysts or certified (two of the most common roles), information security engineers, network security admins, database administrators, developers, forensic specialists, risk managers and auditors.
Large organizations with security operations centers (SOCs) need SOC analysts, engineers and supervisors, as well as directors of cybersecurity. A bevy of companies also hire employees and consultants who perform incident response, penetration testing and the like.
With almost 314,000 security-related jobs open in the U.S. alone (and 3.5 million globally by 2021), a reasonably educated and experienced person stands a good chance of getting hired fairly quickly. Adding a security certification or two to your resume not only validates your skills, but it may get you noticed by a hiring manager or give you more leverage during salary negotiations.
SANS training courses and events vary in format and price, but candidates can expect to pay around $5,800 to $6,610 for a training course. Although the price tag is high, many candidates recommend SANS training for its quality and depth as well as its usefulness in eventually achieving GIAC certification. SANS instructors are usually industry experts and/or full-time security practitioners, and invariably get glowing reviews from course attendees.
Candidates who attempt GIAC certification exams should consider taking practice questions beforehand. A practice exam mimics an genuine exam and is, therefore, a terrific study aid. All GIAC certification attempts (except for the GSE) come with two free practice exams. A few practice questions are also included with training courses. Candidates who don’t take training can purchase practice questions for $159 each by clicking a link in their SANS/GIAC portal account.
TechRadar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site (opens in new tab).
© Future US, Inc. Full 7th Floor, 130 West 42nd Street, New York, NY 10036.
A couple times a year I compile, analyze, and write about cybersecurity developments and statistics. As we begin the Cybersecurity Awareness month of October 2022, it is incumbent for all of us to be more wary than usual by the scary stats surrounding an increasingly sophisticated and lethal cyber threat landscape.
A first case in point to the precariousness of cybersecurity is the ease of beaching by criminal hackers.
Most hackers need 5 hours or less to break into enterprise environments
Most hackers need 5 hours or less to break into enterprise environments | CSO Online
“ Around 40% of ethical hackers recently surveyed by the SANS Institute said they can break into most environments they test, if not all. Nearly 60% said they need five hours or less to break into a corporate environment once they identify a weakness.
The SANS ethical hacking survey, done in partnership with security firm Bishop Fox, is the first of its kind and collected responses from over 300 ethical hackers working in different roles inside organizations, with different levels of experience and specializations in different areas of information security. The survey revealed that on average, hackers would need five hours for each step of an attack chain: reconnaissance, exploitation, privilege escalation and data exfiltration, with an end-to-end attack taking less than 24 hours.”
Chuck’s Comments: Thankfully this statistic cites ethical hackers. Many are top notch and exceptionally good at what they do. Still, exploitation of weaknesses is relatively easy even if it takes more than five hours for less experienced hackers. This call attention to the urgency of cyber hygiene including strong passwords, multifactor authentication, having good anti-malware software, and patching regularly.
Phishing remains the top threat in almost all cyber-threat statistics out there, especially driven more and more by mobile:
Phishing Attacks Crushed Records Last Quarter, Driven by Mobile
Phishing Attacks Crushed Records Last Quarter, Driven by Mobile (darkreading.com)
“Shocking phishing numbers (more than 1 million in a single quarter) are being driven by vishing, smishing, and other lures that target mobile devices.
Last quarter saw a record-shattering number of observed phishing attacks, fueled in large part by attempts to target users on their mobile devices.
The latest Anti-Phishing Working Group (APWG) "Phishing Activity Trends Report" for the second quarter of 2022 found 1,097,811 observed phishing attacks, the most the group has ever measured in its history. “
The financial sector remained the top target for phishing lures (27.6%), along with other bombarded sectors, including webmail and software-as-a-service providers, social media sites, and cryptocurrency.
"We're seeing a huge increase in mobile phone-based fraud, with smishing and vishing collectively seeing a nearly 70% increase in volume as compared to Q1 totals," Matthew Harris, senior product manager of fraud at Opsec said in reaction to the APWG findings. "We are still seeing fraud coming in via the typical OTT apps (WhatsApp, WeChat, Facebook Messenger, etc.), but the SMS-based fraud is really the kicker here."
Chuck’s Comments: Phishing is the tool of choice for many hackers. Phishing is commonly defined as a technique of hackers to exfiltrate your valuable data, or to spread malware. Anyone can be fooled by a targeted phish, especially when it appears to be coming as a personal email from someone higher up the work chain, or from a bank, organization, or a website you may frequent.
Usually, the phishing malware comes via email attachments but can also be web-based. According to an analysis by Webroot, 46,000 new phishing sites are created every day and 1.385 million new, unique phishing sites are created each month. At a more granular level, the firm Wandera says that a new phishing site launches every 20 seconds. Two cybersecurity hygiene actions to Excellerate your digital life in 2021 | AT&T Cybersecurity (att.com)
Phishes can be quite sophisticated nowadays. The tools are available on the Dark Web and the graphics used to mimic emails or texts from banks, companies, employers, and even friends are a far cry from the misspelled and cheesy phishing attempts from a decade ago. Moreover, they are automated and sent by the thousands with help of machine learning. I am frightful as deep fakes are on the horizon and they are a scary proposition in the wrong hands. Be alert and double check before you click!
Most organizations had a cloud-related security incident in the past year
Most organizations had a cloud-related security incident in the past year | Cybersecurity Dive
Security leaders consider the risk of cloud-based incidents higher than on-premises incidents, yet they expect to move more applications to the cloud.
Chuck’s Comments: Both the public sectors and private sectors are rapidly transitioning into a cloud and hybrid cloud world and computing is certainly moving closers to the edge. It is important to work closely with your cloud provider, know what data you need to protect and encrypt, and have an incident response plan in case you get breached .Clouds are not inherently risky, but companies need to recognize they have to evaluate provider policies and capabilities to protect their vital data. The use of the cloud and hybrid clouds enables implementation of dynamic policies, faster encryption, drives down costs, and provides more transparency for access control (reducing insider threats). When viewed from a security administrator perspective, optimized security in the cloud mitigates the risk of hackers getting key access to data.
64% of Businesses Suspect They’re Target of Nation State Attacks
64% Of Businesses Suspect They’re Targets Of Nation-State Attacks- Expert (informationsecuritybuzz.com)
New findings from Venafi 64% of Businesses Suspect They’ve Been Targeted or Impacted by Nation-State Attacks. Among key findings:
Chuck’s Comments: Critical Infrastructure has been increasingly targeted by nation states and evidenced by Colonial Pipeline and other high profile events. Protecting critical infrastructure Industrial Control Systems, Operational Technology, and IT systems from cybersecurity threats is a difficult endeavor. They all have unique operational frameworks, access points, and a variety of legacy systems and emerging technologies. As DHS CISA mission has recognized, protecting the critical infrastructure supply chain in IT and OT systems need to be a public and private sector priority. The Russian/Ukraine conflict has led to a “Shields Up” response from DHS CISA and stronger threat sharing between industry and government. Unfortunately, the energy sector and especially the Grid is still at great risk with a mix of OT/IT systems and infrastructure built decades back. Fortification of critical Infrastructure need to be a top priority.
More on that OT cybersecurity syllabu of Industrial Control Systems:
Industrial control systems face more cyber risks than IT, expert testifies
Industrial control systems face more cyber risks than IT, expert testifies | Cybersecurity Dive
· Most ICS technology was designed more than 20 years ago and built without cyber resilience, Idaho National Laboratory’s Vergle Gipson said.
90% of companies affected by ransomware in 2022
An annual SpyCloud survey found that 90% of organizations were impacted by ransomware over the past twelve months, an alarming increase from last year’s 72.5%.
Despite increased investment in cybersecurity, over the past year, the relentless tide of ransomware continued to disrupt operations and put organizations’ data at risk. Moreover, organizations were more likely than last year to be impacted more than once: 50% were hit at least twice, 20.3% were hit between 6 and 10 times and 7.4% were attacked more than 10 times.
Chuck’s Comments: a statistic of 90% in ransomware attacks is more than alarming, it is spooky. Ransomware attacks are easy to initiate and criminal hackers can get paid in cryptocurrency and are difficult to find and prosecute. There are many anti-ransomware tool software tools available for companies to protect themselves. And for any company, backing up and isolating and encrypting sensitive data should be a part of their risk management strategy.
Ransomware attacks surge in education sector
Ransomware attacks surge in education sector | Cybersecurity Dive
Colleges and universities are particularly challenged as repercussions of ransomware hit them harder and longer than other organizations.
Chuck’s Comments: unfortunately, the education vertical is a cyber target like healthcare. Their systems are often made up of many networks and devices that can be targets of exploitation. This is a serious risk to high education, and in fact, one College (Lincoln College in Illinois) had to close after being victimized by a ransomware attack.
Half of global firms supply chains compromised by ransomware
Half of global firms supply chains compromised by ransomware | Cyber Magazine
· · Global cybersecurity company, Trend Micro, announced new research today that reveals global organizations are increasingly at risk of ransomware compromise via their extensive supply chains.
· Trend Micro commissioned Sapio Research in May and June 2022 to poll 2,958 IT decision makers across 26 countries. The research revealed that 79% of global IT leaders believe their partners and customers are making their own organization a more attractive ransomware target. The challenge is particularly acute considering that potentially less well-secured SMBs make up a 'significant' portion of the supply chain for over half (52%) of these organizations.
Chuck’s Comments: Supply chains that often are comprised of multiple vendors are a top target. Companies need to better authenticate, validate, and protect their supply chains. Supply chain cyber-attacks can be perpetrated from nation state adversaries, espionage operators, criminals, or hacktivists. Their goals are to breach contractors, systems, companies, and suppliers via the weakest links in the chain. This is often done through taking advantage of poor security practices of suppliers, embedding compromised (or counterfeit) hardware and software, or from insider threats within networks.
The remedy to fixing supply chain vulnerabilities is heightening government and industry collaboration highlighted in the policy initiatives, such as NIST, and in task forces on supply chain security established by the Executive Branch. More precisely, it requires enacting a risk management process that identifies vulnerable systems (especially legacy) and gains visibility into all the elements of the supply chain. Please see my article in GovConWire on this topic: Chuck Brooks: Government Focused on Securing the Cyber Supply Chain - GovCon Wire
Less Than Half of Large US Businesses Investing in Cybersecurity Despite Major Concern
Despite the rise in threats to businesses, companies aren't doing enough to protect themselves or their customers.
Less Than Half of Large US Businesses Investing in Cybersecurity Despite Major Concern (tech.co)
· With cyberattacks on the rise and the average cost of an attack in the millions, safeguarding against issues such as data breaches and ransomware should be a number one concern for businesses of all sizes — but especially large businesses.
· While small businesses are the least likely to be protected, large businesses are the most targeted by attackers and, surprisingly, don’t fare much better. 83% of large businesses see security as a significant threat to their business growth. Yet only 43% of large businesses consider security a top three tech budget priority to invest in.
Chuck’s Comments: there is an adage that you can lead a horse to water, but you cannot make them drink. This rings true for industry. What will it take to make them take cybersecurity as an existential threat to their business operations and reputations?
Cybersecurity Statistics are good indicators where there are gaps and what the public and private sectors need to help remedy their situations. There is a lot of great advice out there to consider, especially in risk management. Below are a couple of my own articles on paths forward to consider. They are focused on the actions of proactive cybersecurity and public private cooperation.
Why Proactive Cybersecurity Is a Must in Today’s Sophisticated Threat Environment
Prevention and preparedness begin with discovering the knowns and unknowns in the code that is the backbone of the array of applications and operating networks.
By Chuck Brooks
Why Proactive Cybersecurity Is a Must in Today’s Sophisticated Threat Environment - HS Today
(Photo by Greg Wilson/405th Army Field Support Brigade - Europe & Africa)
In accurate years, the cybersecurity focus and activities by both industry and government have been reactive to whatever is the latest threat or breach. As a result, mitigating the threats was difficult because, from the outset, cyber-defenders were always at least one step behind.
The reactive mindset has been changing due to a series of wake-up calls that have included a major series of intrusions by sophisticated threat actors against many high-profile targets (including SolarWinds, Colonial Pipeline, OPM, Anthem, Yahoo, and many others) that exposed a flawed approach to defending data and operating with a passive preparedness.
As our reliance on the interconnectivity of cyber devices, enterprises, and applications on the cyber landscape has grown, so have the cyber intrusions and threats from malware and hackers. The growing and sophisticated cyber threat actors include various criminal enterprises, loosely affiliated hackers, and adversarial nation-states. The firm Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025. Cybercrime To Cost the World $10.5 Trillion Annually By 2025 (cybersecurityventures.com)
Also, a change in the cyber risk environment resulting from a transition to remote work coinciding with a heightened need for procurement of innovative technologies and services has created a new paradigm for cybersecurity.
With the growing realization of just how important IT is to our business and as a result of the dramatic increase in breaches, there is a growing recognition that protection against them should be considered more than a business cost item and a necessity to ensure business continuity and reputation. Proactive cybersecurity has been a posture that has been adopted increasingly by industry and government.
Proactive Cybersecurity = Risk Management
Being proactive in the evolving digital ecosystem is not just about procuring technologies and hiring people. It also means adopting a cybersecurity framework that would include tactical measures, encryption, authentication, biometrics, analytics, and continuous testing, diagnostics, and mitigation, as they may apply to specific circumstances. Concisely, proactive cybersecurity means helping ensure business continuity.
In a core sense, a successful cyber threat consequences strategy is really about risk mitigation and incident response to maintain business continuity. It is critical to be aware of the morphing threat landscape and plan contingencies for all potential scenarios. A risk management strategy requires stepping up assessing situational awareness, information sharing, and especially resilience planning.
Foundational to a commitment to proactive cybersecurity is a cyber vulnerability risk assessment. That action item is a critical first step in cybersecurity best practices. A risk assessment can quickly identify and prioritize cyber vulnerabilities so that you can immediately deploy solutions to protect critical assets from malicious cyber actors while immediately improving overall operational cybersecurity.
A comprehensive risk management approach should include cyber-hygiene best practices, education/training, use policies and permissions, configuring network access, testing of code, security controls, applications, device management, application controls, and regular network audits.
Three strategies are most commonly being used today to bolster risk management in cybersecurity. They include Security by Design, Defense in Depth, and Zero Trust. Security by design monitors manages and maintains the security process. Defense in depth enables layers of redundant protective security measures to help deter data breaches. And zero trust focuses on protecting resources (assets, services, workflows, network accounts) through strict identity and access management enforced by authentication and proper authorization. Combining Three Pillars of Cybersecurity (forbes.com)
The specifics of a security approach may vary according to circumstances, but the mesh that connects the elements are situational awareness combined with systematic abilities for critical communications in cases of emergency. These guidelines are represented in the U.S. government’s National Institute of Standards and Technology (NIST) mantra for industry and government: “Identify, Protect, Detect, Respond, Recover.”
First Steps: Testing of Code & Applications
Testing software code is a critical function of information technology product validation. If the process of testing is not followed, the end-use product may be defective and potentially put a business or organization at risk. Detecting and fixing bugs in software development is a way to ensure the end quality of products.
That assessment needs to begin with application security testing to identify vulnerabilities that can be exploited in code or misconfigurations, or the discovery of malware already existing in programs and applications. Prevention and preparedness begin with discovering the knowns and unknowns in the code that is the backbone of the array of applications and operating networks that will determine our digital future.
New code, especially third-party software, needs to be thoroughly identified, assessed, and validated before it is installed on the network. Third-party advisory websites such as US-CERT and BugTraq are important to monitor for new known vulnerabilities for your cybersecurity team.
While new code is a threat, many applications and programs may already be operating on legacy systems that include flaws and access points that can lead to breaches. Therefore, legacy code needs to be reviewed for patches along with any new code as part of a vulnerability assessment. Every application begins with software coding and standards are needed to optimize and discover vulnerabilities. This can be done by visibility scanning and penetration testing, which includes the verification/validation of the source code that can be exploited. The testing and validation testing process is all about finding issues before they get to production and contaminate networks and devices.
What is known can be tangible, but a big challenge for software testing, assessment, and validation is being able to anticipate the unknown threats common with cybersecurity breaches. These unknowns may include finding hidden malware undetectable by sandboxes, signature-based, and other behavioral identification products.
For most companies, software testing is used for quality assurance purposes that bring value to the users. Testing is a reputational enabler that helps ensure that quality products and any troubling issues are fixed before they are brought to the marketplace. The testing checks the alignment, user interface, and functionality of the products which translates to customer satisfaction. If you are planning to launch an application, it is necessary to check the compatibility and performance of the same in a wide array of operating systems and devices.
Testing also is a budget-related issue because it is cost-effective. It allows for planning and saves money in the software development process where bugs and misconfigurations can be caught and fixed in the initial stages of the software development lifecycle.
Security is another significant factor in the need for software testing. If security capabilities are built into the products in development, it builds trust for the users. Product security is a fundamental requirement for both industry and government, especially with the heightened sophistication of cyber threat actors.
The Need for Continuous Simulation Validation Testing
The sober reality is that cyber-breaches are not a static threat and criminal hackers are always evolving in tactics and capabilities. Cyber-criminals are now using stronger evasion techniques that can even stop running if it detects it is in a sandbox or other malware detection capabilities are detected. Software runs injection of code and manipulation of memory space as an exploit kit is injected in the target system. Often these criminals use stolen certificates that are sold underground or on the Dark Web to bypass anti-malware detection and get around machine learning code. Industry and government must do more to meet and contain cyber-threat challenges.
Because of the sophisticated and growing attack surface being exploited by hackers, testing needs to go beyond traditional vulnerability scanners and manual penetration testing. It also needs to be automated to keep up with the pace of change in the evolving cyber landscape. Anticipating what criminal hackers might do in likely scenarios and practicing how to defend against it is a prudent measure to Excellerate cybersecurity. That is what is done via continuous simulation validation testing.
Continuous simulation validation testing helps fill that discovery and protection gap. Through simulations, results can be immediate, can be performed frequently, and do not rely on the skill level of the tester, which can be a weak point that leads to vulnerabilities.
Continuous simulation validation testing combined with penetration testing is a good avenue to consider since new payloads and attacks show up in the wild every day. There are currently several vendors providing continuous security validation solutions with different approaches. According to one of those vendors, Cymulate, in 2021 top threats that impacted companies include LockBit, Conti and Dharma ransomware, HAFNIUM, TeamTNT, and APT29 with Log4j abuse. Cymulate’s simulation validation approach employs an Immediate Threat Intelligence module to enable companies to assess and optimize their Email Gateway, Web Gateway, and End Point security controls with out-of-the-box test scenarios that simulate potential new threats. Cymulate research reveals unique threats in the wild rose by over 35% in 2021 – Cymulate
Simulated attacks are useful because they also enable security blue teams to assess and fine-tune their detect, alert, and response capabilities through integrations with existing security programs and systems including vulnerability management, EDRs, SIEM, SOAR and GRC systems.
Cyber-Resilience and Business Continuity
Cyber-resilience and business continuity after an intrusion is an area that must be continuously developed for optimizing response protocols, training of information security personnel, and deployment of automated detection and backup technologies.
Cyber-resilience, business continuity, innovation, and collaboration between government and industry stakeholders is a proven model that makes good sense. Together, government and the private sector can identify products and align flexible product paths, evaluate technology gaps, and help design, evaluate, and simulate scalable architectures that will lead to more efficiencies, and fiscal accountability.
Information sharing is also a key cog to the resilience and business continuity equation as it helps both industry and government keep abreast of the latest viruses, malware, phishing threats, ransomware, insider threats, and especially denial of service attacks. Information sharing also establishes working protocols for lessons learned and resilience that is critical for the success of commerce and the enforcement against cyber-crimes. DHS CISA has expanded its programs in information sharing with industry in the past couple of years, especially with companies involved in operating critical infrastructure.
Cybersecurity at the leadership level requires effective communication with the board and management team. The CISO, CTO, CIO, and executive management must align strategies, collaborate, and regularly assess their information security programs, controls, and safety of networks. Reputation management is often needed if the breach interferes with a company’s operations.
Remediation is important to continuity; no matter what, breaches will happen. To be most effective for resilience, industry and governments should have an incident response plan that includes mitigation, business continuity planning, and secure backup protocols in case networks and devices are compromised. Training and tabletop exercises can Excellerate incident response plan implementation should an genuine incident occur.
The incorporation of best practices and the lessons learned from the various and many breaches over the past few years is certainly valuable data for establishing components of prevention, recovery, and continuity in a plan. Unfortunately, many businesses are still negligent in their preparation and analyses. A accurate study by Wakefield Research found that a third of mid-sized organizations still do not have a cyber-incident response plan in place! A third of mid-sized organizations don’t have a cyber-incident response plan (betanews.com)
The Challenge of Emerging Technologies
Emerging technologies are both tools for cyber-defenders and threat actors. The current cyber-threat landscape now includes artificial intelligence, machine intelligence, IoT, 5G, virtual and augmented realities, and quantum computing.
Automation, combined with artificial and machine intelligence, is an emerging and future cybersecurity pathway. Artificial intelligence (AI) is really going to be a big catalyst for cybersecurity. It will enable real-time threat detection and real-time analysis. Companies will be able to monitor what is in their system, and who may be doing things that are anomalies.
AI can also be used as a tool for nefarious purposes by criminal hackers to find vulnerabilities and automate phishing attacks, so not deploying or understanding the implications of such usage will undermine resiliency and continuity. AI and these other emerging technologies will all have a disruptive impact on security and operating models for the near future. Addressing new and more sophisticated threats will be fundamental to cyber-resilience and business continuity in the next decade.
In today’s sophisticated threat environment, cybersecurity can no longer be viewed as an afterthought if businesses are going to survive and thrive. Being proactive rather than reactive makes sense for anyone operating in the digital landscape. There are a variety of established paths to follow in cyber risk management to fill gaps and bolster defenses. Complacency in the face of growing threats is not one of them.
Government and Industry Cooperation: More Important Than Ever for Cybersecurity Awareness
By Chuck Brooks
Government and Industry Cooperation: More Important Than Ever for Cybersecurity Awareness - United States Cybersecurity Magazine (uscybersecurity.net)
With another National Cybersecurity Awareness Month upon us, few major things have changed from the past year in terms of threats. As the capabilities and connectivity of cyber devices have grown, so have the cyber intrusions from malware and hackers. The cyber- threat actor ecosystem has grown in both size and sophistication. They are also openly collaborating in sharing targets. And tools. The cyber threat actors include various criminal enterprises, loosely affiliated hackers, and adversarial nation states.
Information sharing on threats and risk is one of the most principal functions of government and industry collaboration.
Achieving a full awareness of nefarious actors who operate in the cyber realm and protecting against their capabilities is an arduous task. Clearly, industry cannot respond to growing cyber-threats alone, especially for small and medium businesses who lack the resources and expertise. Increased government and industry cooperation to meet those challenges is a viable course to help mitigate threats and challenges. It is a proven risk management model that makes good sense. In several areas.
Information sharing on threats and risk is one of the most principal functions of government and industry collaboration. Sharing such information helps allow both government and industry to keep abreast of the latest viruses, malware, phishing threats, ransomware, and insider threats. Information sharing also establishes working protocols for lessons-learned and resilience that is critical for the success of commerce and the enforcement against cyber-crimes.
Both Solar Winds and the Colonial pipeline breaches highlighted the government’s assistance in mitigating breaches and moving toward resilience. Government was directly collaborating with the companies to discover the extent of the breaches and options for amelioration.
Remediation of breaches is important to continuity; no matter what, breaches will happen. The incorporation of best practices and the lessons learned from the various and many corporate breaches over the past few years is certainly valuable data for both industry and government in terms of prevention, recovery, and continuity.
GOVERNMENT TAKES PROACTIVE ROLE WITH INDUSTRY PARTNERSHIPS
The government and industry partnership are being well coordinated via the Cybersecurity and Infrastructure Protection Agency (CISA) of the Department of Homeland Security (DHS). Over the past few years, CISA has taken on a formal and increasingly larger role as the lead civilian agency in government working with industry, and state & local and tribal stakeholders on cybersecurity threats. The proposed 2023 DHS budget has appropriated more than $2.5 billion toward cybersecurity demonstrating the importance of the agency’s role in protecting the homeland in cyberspace, including in the aforementioned areas of information sharing and resilience.
Most significant is that CISA under the leadership of Jen Esterly created the Joint Cyber Defense Collaborative (JCDC) last year to fundamentally transform how cyber risk is reduced through continuous operational collaboration between government and trusted industry partners. “The Cybersecurity and Infrastructure Security Agency established JCDC—the Joint Cyber Defense Collaborative—to unify cyber defenders from organizations worldwide. This diverse team proactively gathers, analyzes, and shares actionable cyber risk information to enable synchronized, holistic cybersecurity planning, cyber defense, and response.” The JCDC also is supported by other government agencies including the FBI, NSA, and U.S. Cyber Command to help drive down risk in partnership with industry.
In accurate years, DHS along with The National Institute of Standards (NIST), has made a growing effort to bring the private sector together with the government, especially to develop information sharing protocols in risk management. In a core sense, a successful cyber threat consequences strategy is really about risk mitigation and incident response. A risk management strategy requires stepping up assessing situational awareness, information sharing, and especially resilience planning. It is critical to be aware of the morphing threat landscape and plan contingencies for all potential scenarios. NIST has been extremely helpful to industry in those areas.
The White House has also heighted government and industry cooperation in various areas including supply chain security, protecting critical infrastructure (most of which is owned by the private sector). In specific regard to critical infrastructure, the underlying goal of collaboration is to help protect against targeted cyber intrusions of the nation’s critical infrastructure, such as financial systems, chemical plants, water and electric utilities, hospitals, communication networks, commercial and critical manufacturing, pipelines, shipping, dams, bridges, highways, and buildings.
White House and industry cooperation has been primarily aimed at identifying vulnerabilities, ensuring security, and integrating resilience in the public/private cyber ecosystem. The most accurate activity by the White House was an executive order formulating a Zero trust strategy for government agencies. That “trust nothing connected” perspective is also being assimilated in industry.
Congress has supported CISA’s expanded role and involvement with industry. Several bi-partisan bills have bolstered the agency’s integral role in cyber preparedness, response and resilience for both government and industry.
COOPERATIVE RESEARCH AND DEVELOPMENT
Research and development of potentially disruptive cybersecurity technologies is another benefit of government and industry cooperation. The change in the cyber risk environment coinciding with a heightened need for procurement of innovative technologies and services has created a new paradigm for a cybersecurity partnership between government and industry.
Together, government and the private sector can identify products and align flexible product paths, evaluate technology gaps, and help design scalable architectures that will lead to more efficiencies, and fiscal accountability. Bridging R&D spending between the government and private sectors should also allow for a more directed and capable cybersecurity prototype pipeline to meet modern technology requirements.
An enhanced and streamlined government and industry partnership should continue to be a priority for cybersecurity strategies in 2023, as threats can morph, especially with the emergence of technologies such as artificial intelligence, machine learning, 5G, and eventually quantum computing. The partnership needs to be both proactive and adaptive to change as the
threat matrix may become increasingly lethal to economic and strategic stability if we remain unaware and unprepared for the potential consequences.
Chuck Brooks, President of Brooks Consulting International, is a globally recognized thought leader and subject matter expert Cybersecurity and Emerging Technologies. Chuck is also Adjunct Faculty at Georgetown University’s Graduate Cybersecurity Risk Management Program where he teaches courses on risk management, homeland security technologies, and cybersecurity. He is also IEEE Cyber Security for Next Generation Connectivity Systems for Quantum IOT Vice-Chair and serves as the Quantum Security Alliance Chair for IOT. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.” He was named as one of the world’s “10 Best Cyber Security and Technology Experts” by Best Rated, as a “Top 50 Global Influencer in Risk, Compliance,” by Thompson Reuters, “Best of The Word in Security” by CISO Platform, and by IFSEC, and Thinkers 360 as the “#2 Global Cybersecurity Influencer.” He was featured in the 2020, 2021, and 2022 Onalytica "Who's Who in Cybersecurity" He was also named one of the Top 5 Executives to Follow on Cybersecurity by Executive Mosaic, He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, Expert for Executive Mosaic/GovCon, and a Contributor to FORBES. He has an MA in International relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.
Source: Jandré van der Walt / Unsplash
Co-authored by Zamfira Parincu and Tchiki Davis
Sometimes life throws you a curveball and you find yourself overwhelmed. Maybe you experienced a loss. Perhaps you find yourself pondering the meaning of life. Or maybe the current state of world affairs makes you feel lost. Whenever you find yourself feeling anxious or stressed, you can use grounding techniques to reconnect with yourself and the present moment. This research-based strategy may be helpful for anxiety, panic attacks, flashbacks, or even dissociation.
Grounding techniques work by “grounding” you in the present moment and pulling you away from intrusive thoughts or feelings. This refers not only to having your “feet on the ground” but also your “mind on the ground.” When you turn your attention away from thoughts, memories, or worries, you can refocus on the present moment (Fisher, 1999).
Grounding techniques are useful because they help you distance yourself from an emotional experience. When you experience negative emotions—for example, perhaps you accidentally remember a painful memory—the brain's natural instinct is to start the involuntary physiological change known as the “fight or flight” response. Although this response keeps you safe by preparing you to face, escape from, or fight danger, memories do not present a tangible danger. If you find yourself in moments like these, grounding techniques can help the body calm itself and return to the present moment.
This is one of the most common grounding techniques. It helps by grounding you to the moment and reconnecting you to all five senses by naming:
The next time you feel anxious or that you are overthinking a problem, try the 5-4-3-2-1 technique to become more present in the moment.
Guided meditation is a powerful grounding technique to reduce stress, depression and anxiety, and it can help you get out of your head and reconnect to your body. There are many types of meditation, such as the body scan, moving meditations, or loving-kindness meditation, so it’s important to try to determine which one works best for you. Meditation has been shown to reduce stress, make you calmer, promote happiness (Mineo, 2018), and even reduce symptoms of PTSD in studies with the U.S. military (Seppälä et al., 2014)
Many clinical professionals use breathing exercises to help patients be present in the moment. Focusing on breathing is a great tool for reducing stress and anxiety (Stefanaki et al., 2015). Breathing exercises work because they help you disengage from your mind and not pay attention to distracting thoughts. You can do the simple exercise below before bed, when you wake up in the morning, or before an important meeting:
First, find a comfortable and quiet place to sit or lie down. Breathe in slowly through your nose, and notice how your chest and belly rise as you fill your lungs. Then, breathe out slowly through your mouth. Do this a few times until you start to calm down.
Grounding techniques are strategies that can reconnect you with the present and may help you overcome anxious feelings, unwanted thoughts or memories, flashbacks, distressing emotions, or dissociation. You can try as many techniques as you want: The more you try, the higher the chance you’ll find at least one that works for you.
Adapted from an article published by The Berkeley Well-Being Institute.
Provides Improved Learning Experience with Increased Accessibility and Usability for Students
BETHESDA, Md., Sept. 28, 2022 /PRNewswire/ -- SANS Institute, the global leader in cybersecurity training and certifications, today announced the launch of its updated OnDemand platform. SANS utilized direct student and customer feedback to shape the all-new OnDemand experience that includes enhanced features for students to be more successful. This release follows SANS' 15th anniversary of SANS OnDemand, which has provided online learning to more than 100,000 students worldwide.Celebrating 15 Years of Online Training, SANS Institute Announces Updated OnDemand Training Platform
"With an ever-changing cyber landscape, tightening budgets, and rising travel costs, more and more businesses are looking to SANS OnDemand to help secure their organization at the best return on investment," said Andrew Williams, Director of Digital at the SANS Institute. "SANS has been a pioneer in online training, delivering exceptional learning outcomes to students and improved security posture to organizations globally."
The new OnDemand experience was designed with accessibility and usability in mind from the beginning. Students can still train on their own schedule, now within a state-of-the-art and easy-to-use OnDemand interface created to maximize their learning experience. New features include an updated video player, a refreshed sidebar with outlines, course books, notes, improved search, and new Bookmarking capabilities. They can also take their training on the go with easy access to course content available online or offline with the SANS OnDemand mobile app. Help and support are even easier to find, including the ability to live chat or ask questions with a GIAC-certified Subject Matter Expert.
"I was a mom to a 1-year-old and working full-time as a physical therapist when I joined the SANS WiCyS (Women in Cybersecurity) Academy. The key to my success and getting through the coursework was the flexibility SANS OnDemand offered me. I would use the mobile app to play the lectures in my car and then replay them if there was something I did not understand," said Christine Morency, a SANS graduate "I'd listen on the go, to and from daycare, the supermarket, and work — anywhere I was going, SANS OnDemand went with me. I got to use my time at home to do reading, highlighting, indexing, and the labs. It's what made SANS work for me, and I could not be happier after landing my current job as a Cloud Security Engineer!"
SANS OnDemand offers convenient and flexible online cybersecurity training, anytime and anywhere. With cyber attacks on the rise, there has never been a better time to develop an organization's workforce with courses that are created and taught by world-renowned experts and are designed to build real-world cybersecurity skills. Students have praised SANS OnDemand training as being top-notch, with an exceptional training experience that offers trackable progress and achievement milestones.
To learn more about the platform and see a showcase of features and benefits, visit: https://www.sans.org/u/1n9h.About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cybersecurity training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cybersecurity events and OnDemand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cybersecurity. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's and bachelor's degrees, graduate certificates, and an undergraduate certificate in cybersecurity. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to manage their "human" cybersecurity risk easily and effectively. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. www.sans.org
View original content:https://www.prnewswire.com/news-releases/celebrating-15-years-of-online-training-sans-institute-announces-updated-ondemand-training-platform-301635404.html
SOURCE SANS Institute
If you’ve ever considered getting into the cybersecurity field or have some experience and need continuing education, the SANS Institute has a new academy for Maryland residents.
The cybersecurity training and certifications company announced in early August the formation of the SANS Cyber Workforce Academy. Through a collaboration with the Maryland Department of Labor’s EARN MD grant, the academy is free to Maryland residents who are accepted.
The program was built on a series of different academies that SANS has hosted since 2015.
“Each of these (academies) was built with the idea that if you can find people who are passionate about cybersecurity and have the aptitude to learn it, we can help close the talent gap that the industry faces,” said Max Shuftan, SANS director of Mission and Partnerships. Their first collaboration with the state occurred in 2018 and this academy is the third iteration of the program.
“From our perspective, the academy is needed because traditional academia often requires individuals to invest four years and hundreds of thousands of dollars of money or (get a) loan to try to get degrees that often, not always, but often don’t teach practical hands-on skills that help people be job ready in the field,” he said. “The academy is a model that can be that bridge for someone looking to jump into the field but with skills that are needed by employers and that speak to the job you will be performing on day one. Having that kind of immersive approach will enable participants to gain skills quickly, prove themselves with certifications and get to work.”
Shuftan notes Maryland is a great location for the academy given its proximity to the nation’s capital and the Baltimore/Washington, D.C. corridor that is home to a bevy of government contractors, organizations and agencies as well as private sector employers.
“Maryland’s prominence in terms of both the national security space and the commercial sector requires it to have significant cyber security talent pool,” he said.
As of mid-August, there were nearly 700,000 cybersecurity jobs open across the United States. In mid-September, Tasha Cornish, executive director of the Cybersecurity Association of Maryland Inc. (CAMI) noted there were more than 23,000 open jobs in cybersecurity just in the state.
“That number just keeps growing,” she said. “It is really a great career to have especially if you want to stay, raise a family, have a good meaningful career and stay in Maryland.”
The academy, she said, is a great entry point to the field. “It really gives a nice broad but rich introduction to cybersecurity in a very practical way by giving trainees the skills that are in demand from the industry. I hope that it gets people more excited. I think there is a lot of opportunities to continue to grow and learn and I hope it gives some people the bug to pursue a career in this and get more involved in the industry.”
The online academy focuses on two areas — reskilling and upskilling. The reskilling academy is focused on educating individuals that are not currently working in cybersecurity. This track involves three training courses over a six-month period and the ability to earn three certifications. The upskilling academy provides educational opportunities for individuals with IT experience and/or limited cybersecurity skills in order to get certified to move into higher-level cyber positions. This track lasts four months and includes two industry courses with the opportunity to earn two certifications.
Only Maryland residents may apply for this academy. Applicants will take an aptitude assessment to try to gauge their potential in cybersecurity as well submitting a resume and participating in an interview. Typically there is about an 8 to 1 applicant-to-selected student ratio. A new cohort of students starts every 8 to 12 weeks. A cohort usually has 10 to 12 students. We will have eight to nine cohorts with a total of 88 students over the course of about two years.
Shuftan hopes participants take away hands-on technical skills, cyber defense and incident handling abilities. “This type of work is critical to our national and economic security and they will be ready to make a contribution,” he said.
Pakistan is pretty much on the brink of collapse. The saviours are many, but they are also opportunists
The writer is a public policy analyst based in Lahore. She tweets @durdananajam
Pakistan is busting at its seams. One of the largest floods has washed away half of its agricultural land. The number of deaths can be in the thousands. Millions of people face food shortages, including a high percentage of children. The entire world has converged on lending Pakistan help. The UN has even appealed to the IMF to go slow on the country vying for the latter’s cash to finance its parched government. In this scenario, the only place showing partial sympathy towards the present crisis is perhaps Pakistan. Instead of conducting a detailed study on the crisis so that the chances of its reoccurrence in future are mitigated, the policymakers are busy laying blackmailing landmines to harass politicians. Our leaders want to rule this country, but none wants to own its problems. Instead, every government lays the blame for the financial and moral chaos on its previous counterpart. Moreover, where this alibi cannot work, the burden is laid on the foreign hands — usually the US or India.
The waste of political wreckage is telling this time. It was no new attempt to dress down a sitting prime minister and have him removed. Even the players staging this drama over the last 75 years have stopped feeling ashamed of being seen naked. The new joker in the deck is a hacker. Though lately, we heard he/she/it has been lifted from some unknown place and shifted to an equally unknown place. That has not, however, stopped the leakage of audio recordings of private conversations of the PTI or PML-N leaders. In fact, the hacker forewarns about the new leaks lest the victims are taken aback.
The other part of the country, if saved from the ravages of climate, is trapped in a new wave of terrorism. Swat has once again entered the radar of terrorists. Already they have ambushed a school van killing a few children. The people of Swat have thronged the streets of the valley in protest. The message is clear: “We shall not become a fodder for anybody.”
The military is already stretched. The western border is a constant headache. Though calm since August 2021, the eastern border cannot be left unattended. Balochistan is reeking of the blood of both the soldiers and the militants. If we kill two militants, they kill one soldier. Moreover, on the worst days, the equation is reversed.
Pakistan is pretty much on the brink of collapse. The saviours are many, but they are also opportunists. If the IMF pulls out or if the US or, for that matter, even Saudi Arabia or China decides to pull the rugs (read debt) off our feet, we will have to scramble for years before finding our feet to stand barely. Are we prepared to face any such situation? The answer is NO.
In the midst of all this, there are gods of little things. For 75 years, they have not gotten over the squabble with the elephant in the room. The elephant has grown much bigger over time, usurping the citizens’ rights to enjoy a stable political and economic life. If the elephant is insurmountable, the little gods are also dispassionate about the country’s future. Instead of becoming a league to multiply their force to push the elephant out, they are applying individual efforts. That is what makes the elephant happy the most. The multiplication of force is not the kind of situation they like. It is in their favour to have a system managed by unhinged, disunited and corrupt politicians.
All these characters may have been why Pakistan is in a mass, but the ignorance and indifference that Pakistan’s civil society has shown is neither forgivable nor forgettable. It is one thing to side with a politician and another to stand with the country for the enforcement of the right ideology, pragmatic policies and to struggle for the right to rule at the grassroots level. Civil society is supposed to play the role of guardians, a watchdog, and a check on the representatives they send to parliament. When we say civil society, it means the educated, relatively stable financially and a contributing hand in the growth and development of its country. When they disintegrate and support their interest rather than the larger interest of the country, it gives a highway to the robbers, where the mightiest wins the race.
It’s a classic case of a static country. According to the legal and political philosopher, HLA Hart, “the only mode of change in the rules (of obligations) will be the slow process of growth, whereby courses of conduct once thought optional become first habitual or usual, and then obligatory, and the converse process of decay, when deviations, once severely dealt with, are first tolerated and then pass unnoticed.”
Published in The Express Tribune, October 13th, 2022.
With a focus on healthy living, a Hispanic family a few kilometers from the U.S. capital keeps a traditional way of farming alive. The owners of Glory Fields in Maryland use techniques from the past to implement a sustainable living initiative they say is paying off so far. VOA News' Cristina Caicedo Smit has the story.
France is in the midst of a prolonged mustard shortage that has left supermarket shelves sapped of 21% of its stock of the beloved condiment. Mustard producers have had to put caps on in-store purchases to minimize hoarding.
Now, with mustard in high demand due to drought and war, French farmers are looking to innovate and stake a larger claim in the market for France’s gastronomical heritage.
The French are doggedly seeking mustard anywhere they can get it as grain shortages crimp production. But the surge in demand is also opening up opportunities for mustard innovation.
French mustard fields have seen production cut by two-thirds in five years, from 12,000 tons in 2017 to 4,000 in 2021. And imports aren’t able to make up the difference due to foreign grain shortages. But the overwhelming demand has sent prices surging and has encouraged local mustard growers to increase production.
Some mustard growers are testing new seed varieties that are more resistant to climate change’s unpredictable weather patterns. And producers are looking for ways to widen the scope of what consumers want. Mustard producer Patrice Boudignat has developed trial versions of mustard oil and mustard-flavored chocolate, for example.
“If we want to reduce the costs and inconveniences of transportation and have a shorter supply circuit, then we need to make more room for our local product,” he says. “It’s our heritage that we’re trying to preserve every day.”
A half-dozen tourists huddle around a metallic counter at the Edmond Fallot mustard mill, as company employee Martine Dupin pumps various blends of Dijon mustard onto miniature wooden spoons. There are gingerbread, blackcurrant, and whole seed “old style” varieties, among others. Faces contort as the pungent zing rises to their nostrils.
“I’m definitely planning to buy some mustard today,” says Elisabeth Soulier, from Poitiers. “It’s great in a sauce for cooked rabbit, or in a vinaigrette for salad. It’s hard to find mustard anywhere anymore. And Burgundy mustard is so much better than the rest.”
Like her fellow tour group members, Ms. Soulier will be able to buy her pot of mustard in the gift shop – but just one. France is in the midst of a prolonged mustard shortage that has left supermarket shelves sapped of 21% of its stock of the beloved condiment. Edmond Fallot and its competitors have had to put caps on in-store purchases to minimize hoarding.
The French are doggedly seeking mustard anywhere they can get it as grain shortages crimp production. But the surge in demand is also opening up opportunities for mustard innovation.
Now, with mustard in high demand due to drought and war, French farmers are looking to innovate and stake a larger claim in the market for France’s gastronomical heritage. They say they’re ready to move beyond the shortages and find opportunities for growth.
“Canadian mustard grains are very good, but mustard is emblematic of France,” says Patrice Boudignat, a mustard producer with 12 acres of land in the Ile-de-France region. “If we want to reduce the costs and inconveniences of transportation and have a shorter supply circuit, then we need to make more room for our local product. It’s our heritage that we’re trying to preserve every day.”
Mustard is the third most popular condiment in France, behind salt and pepper, and the French are the No. 1 consumers in Europe of the spicy yellow paste, at approximately 2.2 pounds annually per person.
The Burgundy region, and specifically the city of Dijon, has been at the center of mustard-making since the Middle Ages. In accurate years, Burgundy has counted some 300 producers, capable of producing more than 10,000 tons of grains annually.
But mustard fields have been hit with insect attacks, which farmers have been unable to contain due to French laws on the use of insecticides since 2019. The region has seen its production cut by two-thirds in five years, from 12,000 tons in 2017 to 4,000 in 2021.
Even in good years however, Burgundy producers are not able to meet French consumer demand for moutarde with local grains, which require around 30,000 tons annually. Major labels have relied heavily on the Canadian market to fill the gaps. But drought conditions throughout 2021 – blamed largely on climate change – abruptly cut production in half.
The war in Ukraine has meant that France can’t count on grains from Russia and Ukraine, which produce a milder, yellow mustard version, to increase supply – assuming the French would buy it. The combined effect has put increased pressure on local producers to meet market demand.
“This is a situation affecting the whole world,” says a spokesperson for Maille, a market leader in Dijon mustard. “It’s temporary and out of our control.”
Edmond Fallot, which represents 5% of the French market, increased production by 20% to 25% at the beginning of the year. But they can’t do more.
“We have a small facility. We still use a stone mill to grind our seeds, something that big distributors abandoned long ago,” says Marc Désarménien, the owner of the company, which has been family-owned since 1840 and uses 100% Burgundy-grown seeds. “They want to produce fast, but they lose quality. I’m the third-generation owner of this business and we’ve always favored quality over quantity.”
The overwhelming demand has sent prices surging for next year’s mustard harvest, and has encouraged local mustard growers to increase production and brought new farmers to the crop, in an attempt to bring mustard back to its French roots and reduce the country’s reliance on Canada.
The Burgundy Mustard Association says the price for Burgundy seed is expected to double next year as compared to last: €900 euros per ton in 2021 versus an anticipated record €2,000 euros for 2023. And the Chamber of Agriculture for the Cote d’Or region says the number of producers has since risen from 160 to 500, with a goal to produce 15,000 tons of seed by 2023 – 40% of producers’ needs.
The challenge now for mustard producers is to make this newfound bounty sustainable and resilient against the sorts of conditions that caused the shortages this year, including insects and drought.
“Periods of crisis represent opportunities, but the concern is that these new [growing] methods are not preserved in the long run,” says Stéphane Fournier, a professor of innovation and sustainable development at the Institut Agro Montpellier. “All of us – citizens, nonprofits, and all the players involved – need to continue to develop alternative methods.”
Local mustard growers have heard the call for innovation. Some are testing new seed varieties that are more resistant to the unpredictable weather patterns that have come with climate change. Small-scale farms in regions not traditionally known for mustard are popping up.
And producers are looking for ways to widen the scope of what consumers want. Mr. Boudignat in Ile-de-France has developed trial versions of mustard oil and mustard-flavored chocolate, in addition to his more traditional varieties.
Edmond Fallot also now sells a sweet and savory mustard flavored with a pain d’épices (spice bread) blend, compliments of Mulot & Petitjean, a family-owned company in Dijon since 1796. In turn, Mulot & Petitjean has begun incorporating Edmond Fallot mustard into their dessert breads.
“We’re always searching for innovation and so is the consumer,” says Catherine Petitjean, the ninth-generation head of Mulot & Petitjean, based in Dijon. “We want to remain anchored in tradition but it’s the 21st century. We have to keep developing or we won’t move forward.”
Local producers are confident that consumers will follow them. French consumers value knowing the source of their food and appreciate products that circumvent large supply chains more than ever, especially since the COVID-19 pandemic hit. They put food origin as the top criteria for buying fruits and vegetables, according to a 2020 Ipsos poll, with 63% of those polled saying they bought local products whenever possible.
“We’re seeing that people are becoming more and more attentive to what they’re consuming, to know not only where [their food] was produced but also how it was produced,” says Marc De Nale, the director-general of Demain La Terre, a nonprofit that works with fruit and vegetable producers to promote sustainable development. “They want to know that farmers are engaged [in sustainable practices], have progress in mind, to produce better while also protecting the environment.”
As French consumers wait out the mustard shortage, some are supplementing their cravings with similar products from Algeria and Poland now filling supermarket shelves. Others have paid for train tickets to the Burgundy region in hopes of scoring a pot from local producers or are paying a fortune on Amazon. Still more are trying to make their last pot of Dijon mustard last as long as possible, until the tangy zest of this homegrown culinary hero makes its way back to the stores.
“I always use mustard when I cook, it’s simply part of our traditional cuisine,” says Guy Benoît, a native of Beaune, during a mustard tasting at Edmond Fallot. “I still have my little reserve of two pots at home because unless you get to the supermarket at 8 o’clock in the morning, there’s nothing left. But I know it’s going to come back.”
Editor's note: The original version mistakenly misnamed the Edmond Fallot mustard mill.