Application Security
8/11/2014
12:00 PM
W. Hord Tipton
W. Hord Tipton
Commentary
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

Closing The Skills Gap Between Hackers & Defenders: 4 Steps

Improvements in security education, budgets, tools, and methods will help our industry avoid more costly and dangerous attacks and data breaches in the future.

The bad guys are winning. Numerous companies have been in the news recently because they failed to rebuff information security attacks. Target lost its customers’ credit and debit card data. Adobe lost its customers’ credit card information, along with IDs and passwords. EBay lost its customers’ personal information, including email addresses and physical addresses.

These breaches have caused disquiet in the minds of consumers and cost the companies themselves millions of dollars' worth of bad publicity and damage to their brands, not to mention the costs of mitigation and restoration. And the breaches we know about could just be a fraction of the incidents. Companies have to disclose breaches of consumer data, but not the theft of their own internal information.

As long as there is valuable personal information at risk, hackers will try to access it, whether the goal is the immediate use of stolen financial data, the long con of identity theft, or just causing pain to companies and their consumers.

Unfortunately, there is a growing skills gap between those out to do harm and the average defender. Until the information security workforce catches up, we will continue to see the increasing success of sophisticated attacks. However, there are important steps the information security industry can take to slow and even reverse this trend. Here are four key areas to get you started:

Everything starts and ends with education
Education and research need to be improved at the college and university level to improve the skills of future information security professionals and to grow the number of individuals qualified to enter the workforce. Once those security professionals -- the front line against malicious attacks -- have been hired, employers need to invest in their continuing education and training in order to stay ahead of ever-changing security threats. Only such educated individuals will be able to predict the next wave of vulnerabilities and attacks, and design ways to combat them before they develop into a crisis.

Be smart about spending
It is crucial to make the most of our limited security budgets. With more and more critical data touching the Internet, increasingly well-funded cyber criminals have their choice of targets. High-profile companies are always going to be attacked, but small-and medium-sized businesses are now being targeted as low-hanging fruit. Though the rewards might be smaller, there’s a high probability of success and a low probability of being caught.

As an industry, we need to focus whatever security budget is available on the most likely threats. Though all companies must be aware of common threats like APTs and DDoS attacks, one of the biggest threats to us all is the under-educated employee. Whether it’s an executive who falls prey to social engineering or an IT guru who chooses not to use the best network configuration techniques, we often open ourselves up to preventable attacks.

Involve application developers
Increased security has a reputation for hindering an application’s usability, and as time and budget constraints work against the developers, security requirements get squeezed out of software development. There is a massive difference in building a computer application and building a secure computer application, though. Despite the immediate price tag, building security into an application up front is rarely more expensive than trying to make adjustments once the application is built, or cleaning up the mess once a vulnerability is exploited.

Get management to buy in
Even when the security pros are aware of what needs to be done, they can have trouble convincing management to allocate the resources to do it. We need to improve our ability to make a business case for better tools and better training. If you can’t talk “dollars and sense” to your CFO or budget analyst and navigate office politics, you won’t get anywhere. Part of improving education is improving a security professional’s awareness of not just the theoretical importance of security, but security’s return on investment. When you can show executives specifically how security can save the business money, or even save their jobs, you are now speaking their language.

The very public breaches of the past year have caused a lot of damage to companies and individuals, but perhaps they have been a blessing in disguise. If these cyberattacks serve as a wake-up call to the security industry and the businesses we support, precipitating an improvement in our education, budgets, tools, and methods, then we may be able to avoid even costlier and more dangerous breaches down the road. Lost passwords and credit card data will be the least of our concerns if cyberattacks become the weapon of choice in nation-state attacks or ultimately damage the country’s critical infrastructure.

 

W. Hord Tipton, CISSP-ISSEP, CAP, CISA, CNSS, is currently the executive director for (ISC)2, the not-for-profit global leader in information security education and certification. Tipton previously served as chief information officer for the U.S. Department of the Interior ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
8/16/2014 | 10:05:02 AM
Re: there's another lesson
Unfortunately, I see this all too often.  One of the non-profits I volunteer with falls into this category.  They believe they have nothing to lose and will not spend the money to properly secure their data.  I address this issue with them about once a quarter but I get the same response, "Nobody cares about us, we are just a little operation".
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
8/16/2014 | 10:02:27 AM
Re: Skills Shortage
I think you have hit the nail on the head here.  The important thing is not education into current practices, for they are all imperfect, but rather focusing on innovation.
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
8/16/2014 | 10:01:03 AM
Re: Think security
Although I agree the good guys sometimes become complacent, I don't believe we will ever see a 100% secure application.  The reason being that if you make an application 100% secure the usability of that application drops to near 0%.  

I concede that I may be proven wrong by future technologies but currently I don't see a path to 100% security.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/15/2014 | 9:08:09 AM
Re: Skills Shortage
Creativity is definitely under-rated, Dr. T. Did you see Lysa Meyers recent blog -- Time To Broaden CompSci Curriculum Beyond STEM? She makes a very strong case for that skill set. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/13/2014 | 4:03:16 PM
Re: there's another lesson
Good point. Some companies think they do not have anything lose, when they review the requirements around the regulations they would realize it. If they do business they have data they need to protect.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/13/2014 | 3:59:39 PM
Re: Skills Shortage
Education is one thing, experience something else, they are all needed I would say, however what is most important is the creativity, in my view. Innovating new ways to protect ourselves from potential threats. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/13/2014 | 3:56:25 PM
Think security
 

I agree with the article. Good guys have enough opportunities to outpace bad guys by developing more secure applications, networks and systems. The main reason all these system being attached and attacks are successful just simply because they all have vulnerabilities. When we embed security considerations early enough in a project not only those vulnerabilities would be minimized and but also the impact of attack would be minimized.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
8/12/2014 | 1:12:30 PM
Re: Skills Shortage
As with most other BS degrees, you can only gain so much knowledge through education, and the rest really depends on hands-on experience. That does not detract from the importance of education because it is that education that provides the foundation upon which experience is built. You have to look at the entire picture to really understand the different aspects of IT and security. I received a BSCS and what that really did for me was help me understand how electronic computing worked, both from a hardware and a software perspective. As far as security is concerned, for me it was a combination of continuing education, mostly from reading manuals, technical papers, attending technology specific classes, hands on experience, and everyday common sense. The title of "Security Analyst" is so broad that it can encompass many different roles, such as the one you had. You mentioned that you helped everyone else with their projects to ensure that they met security/compliance objectives. Did it occur to you that it was in fact a critical and appropriate role in IT security? Educating fellow employees was also critical - if there was a need for it, then you also served that need, to increase the overall security posture of the organization. Sure, that sounds a lot like deskwork or paper pushing, or whatever, and it isn't quite as sexy as hacking, or tracking hacker activities in real time as depicted in the movies, but in reality, IT security is all of that combined. In a large organization, that is way too much for a single individual, and must be split off into several roles among several personnel. I have also worked for small companies where I wore many hats, and it was both exciting and fulfilling. I suppose that is really where I started to see the big picture, saw how everything worked and how they all come together. I admit it was more exciting that being pigeon-holed into some mundane role. However, one must look at security from an overall point of view, culling information from all the different mundane roles, to provide an overall assessment of the existing security posture in the context of existing business processes. From there, you determine where the gaps are, and provide an analysis and actionable data to produce a secure environment in which the organization can deploy technology in support of the organization's goals. IT security isn't merely a technical discipline; it is in fact a combination of technology know how and business savvy, and is an integral part of an organization that wants to poise itself for success.
dewser
50%
50%
dewser,
User Rank: Apprentice
8/12/2014 | 12:08:06 PM
Skills Shortage
There is only so much to teach at the college level.  Your standard BS holder is going to come out with some base knowledge in either MIS or CS.  That knowledge is most likely going to be out-of-date when they hit the workforce.  To be an effective defender you need to have some pretty strong bases in a number of IT disciplines.  You need to know how the infrastructure works.  The best way to learn this is to do it.  I've spent the last 15 years of my life in the IT space.  A majority of that was building servers, deploying firewalls, and troubleshooting everything from the simple app crash to the more complicated network performance issues.  Only in the last 3 years have I've focused on security.  But guess what, everything I tell a company now is everything I told them years ago when I was a Sys Admin.

I tried my hand at working for a large enterprise.  My title was IT Security Analyst, but that was nothing more than a title.  I spent more time as a glorified project manager.  That consisted of helping everyone else where their projects to ensure they meet security/compliance objectives.  But honestly many of the regular IT staff had little knowledge of servers, operating systems, networking...  so I spent more time educating them on that.  So in my mind I was being severly underutilized.  Yes I think it was good I was able to help educate but very few of these people showed any desire to learn some things on their own.  Unfortunately this did not play into my long term goals and frankly I was bored out of my gourd.  Now I am doing exciting work in a small startup.  I have to wear many hats but it is very much worth it.

So the big enterprises and the government want skilled hackers, unfortunately I think many do not have the culture that can support these types of minds.  Also money is not always the best motivator.  I could probably be making much much more working for a larger entity as a "Cyber Security Analyst" but in my current role if I want to go to some type of special training or a hacker con, management is all for it.
Whoopty
50%
50%
Whoopty,
User Rank: Moderator
8/12/2014 | 11:04:24 AM
Cyber Centurion
I was pretty pleased to hear that the UK is pushig for more digital security experts by opening up the Cyber Centurion competitiion to younger school children:

http://www.telegraph.co.uk/technology/internet-security/11025457/School-children-to-be-trained-in-cyber-warfare.html?placement=CB1

That said, I'm not sure I approve of one of the main prizes being to intern at an American defence contractor. Couldn't they do the same at a British company instead? 
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
DevOps’ Impact on Application Security
DevOps’ Impact on Application Security
Managing the interdependency between software and infrastructure is a thorny challenge. Often, it’s a “developers are from Mars, systems engineers are from Venus” situation.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.