Attacks/Breaches
1/28/2014
04:47 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Global Shortage Of Security Professionals Amid Raised Threat Level

Cisco annual security report highlights Web, Java, Android abuse

Applications and websites littered with malware. Multinational companies' computers sending suspicious traffic. Android the main target of mobile malware writers. A global shortage of more than 1 million security professionals.

And all of this amid another growth year for overall vulnerabilities and threats -- by 14 percent year over year since 2012, according to Cisco's newly published 2014 Annual Security Report.

"Security talent is in short supply. The skill sets are very different, but, overall, broken down into security architect, incident response, and threat intelligence," says Levi Gundert, technical lead of the Cisco Threat Research, Analysis, and Communications (TRAC) group. "[Organizations] need to make careful business decisions about outsourcing some of these functions to trusted third parties or whether they invest in people internally."

While the talent pool scrambles to play catch-up, the bad guys are getting more sophisticated and savvy. "The sophistication of the technology and tactics used by online criminals -- and their nonstop attempts to breach networks and steal data -- have outpaced the ability of IT and security professionals to address these threats. Most organizations do not have the people or the systems to continuously monitor extended networks and detect infiltrations, and then apply protections in a timely and effective manner," according to Cisco's report.

Buffer errors were the most common threat category of 2013, with 21 percent of the Common Weakness Enumeration threat categories, according to Cisco's data. Three verticals -- electronics manufacturing, agriculture, and mining -- are getting hit by malware at a rate of six times what other verticals see.

Java accounts for 91 percent of Web exploits, while 76 percent of companies using Cisco Web Security services run the outdated and no-longer-supported version 6 of Java, the report says.

Gundert says the large volume of Web malware infecting the pharmaceutical and chemical industries was eye-opening. It may be a function of nation-state cyberespionage. "In reality, nation-states make up some percentage of these attacks," he says. "Almost when you look at verticals you have to have a copy of The Economist in the other hand because geopolitical events drive some of what you see down the line ... nation-states have priorities for" their targets, he says.

And most companies are already compromised in some way with malware: Cisco found that 100 percent of the business networks whose DNS traffic it analyzed had traffic going out to malware-hosting websites, and 92 percent of businesses sent traffic to Web pages that don't have content, a sure sign of sites hosting malicious activity. And 96 percent had traffic to hijacked servers.

Meanwhile, Android devices were the focus of 99 percent of all mobile malware last year. The most popular variant was Andr/Qdplugin-A, which often spreads via repackaged copies of legitimate apps from unauthorized sources. More than 70 percent of Android users come across Web-borne malware.

Says John N. Stewart, senior vice president, chief security officer, for Cisco Threat Response Intelligence and Development: "Although the Cisco Annual Security Report paints a grim picture of the current state of cybersecurity, there is hope for restoring trust in people, institutions and technologies -- and that starts with empowering defenders with real-world knowledge about expanding attack surfaces. To truly protect against all of these possible attacks, defenders must understand the attackers, their motivations, and their methods -- before, during, and after an attack."

The full report is available for download here from Cisco.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
byarbrough2008
50%
50%
byarbrough2008,
User Rank: Apprentice
2/13/2014 | 2:14:10 PM
re: Global Shortage Of Security Professionals Amid Raised Threat Level
If I read one more article about "shortage of security professionals" I'm going to puke! This is a self-imposed "epidemic" by the industry refusing to accept anyone with less than 5-10 years of experience, thus putting the onus on the public sector to have trained enough personnel that the gaps can be augmented from their ranks as they enter the private sector. There are plenty of qualified people with years of IT experience that have the ability and desire to work in the industry, that have sought out education and training related to the discipline and that could accomplish the transition with great success, yet cannot make the transition. However, there are few and far between entry positions and of those that do exist, they require 2-3 years of experience at minimum in security related roles. If the industry does not see fit to have a backlog of qualified entry level positions, how can it expect to have an appropriate amount of qualified professionals? To further exacerbate the problem, most of these positions require the CISSP certification, which is cannot be obtained without 5 years of experience within 2 disciplines of the domain.

For those who would counter "IT personnel trained in security does not make them professionals in the field of security," I couldn't agree more, however; you have to start somewhere and wouldn't it be better to have someone that understands networks or applications and has a solid foundation to start a security career? I see all the whining of about the lack of professionals but little towards offering a solution.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.