Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/28/2014
04:47 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Global Shortage Of Security Professionals Amid Raised Threat Level

Cisco annual security report highlights Web, Java, Android abuse

Applications and websites littered with malware. Multinational companies' computers sending suspicious traffic. Android the main target of mobile malware writers. A global shortage of more than 1 million security professionals.

And all of this amid another growth year for overall vulnerabilities and threats -- by 14 percent year over year since 2012, according to Cisco's newly published 2014 Annual Security Report.

"Security talent is in short supply. The skill sets are very different, but, overall, broken down into security architect, incident response, and threat intelligence," says Levi Gundert, technical lead of the Cisco Threat Research, Analysis, and Communications (TRAC) group. "[Organizations] need to make careful business decisions about outsourcing some of these functions to trusted third parties or whether they invest in people internally."

While the talent pool scrambles to play catch-up, the bad guys are getting more sophisticated and savvy. "The sophistication of the technology and tactics used by online criminals -- and their nonstop attempts to breach networks and steal data -- have outpaced the ability of IT and security professionals to address these threats. Most organizations do not have the people or the systems to continuously monitor extended networks and detect infiltrations, and then apply protections in a timely and effective manner," according to Cisco's report.

Buffer errors were the most common threat category of 2013, with 21 percent of the Common Weakness Enumeration threat categories, according to Cisco's data. Three verticals -- electronics manufacturing, agriculture, and mining -- are getting hit by malware at a rate of six times what other verticals see.

Java accounts for 91 percent of Web exploits, while 76 percent of companies using Cisco Web Security services run the outdated and no-longer-supported version 6 of Java, the report says.

Gundert says the large volume of Web malware infecting the pharmaceutical and chemical industries was eye-opening. It may be a function of nation-state cyberespionage. "In reality, nation-states make up some percentage of these attacks," he says. "Almost when you look at verticals you have to have a copy of The Economist in the other hand because geopolitical events drive some of what you see down the line ... nation-states have priorities for" their targets, he says.

And most companies are already compromised in some way with malware: Cisco found that 100 percent of the business networks whose DNS traffic it analyzed had traffic going out to malware-hosting websites, and 92 percent of businesses sent traffic to Web pages that don't have content, a sure sign of sites hosting malicious activity. And 96 percent had traffic to hijacked servers.

Meanwhile, Android devices were the focus of 99 percent of all mobile malware last year. The most popular variant was Andr/Qdplugin-A, which often spreads via repackaged copies of legitimate apps from unauthorized sources. More than 70 percent of Android users come across Web-borne malware.

Says John N. Stewart, senior vice president, chief security officer, for Cisco Threat Response Intelligence and Development: "Although the Cisco Annual Security Report paints a grim picture of the current state of cybersecurity, there is hope for restoring trust in people, institutions and technologies -- and that starts with empowering defenders with real-world knowledge about expanding attack surfaces. To truly protect against all of these possible attacks, defenders must understand the attackers, their motivations, and their methods -- before, during, and after an attack."

The full report is available for download here from Cisco.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
byarbrough2008
50%
50%
byarbrough2008,
User Rank: Apprentice
2/13/2014 | 2:14:10 PM
re: Global Shortage Of Security Professionals Amid Raised Threat Level
If I read one more article about "shortage of security professionals" I'm going to puke! This is a self-imposed "epidemic" by the industry refusing to accept anyone with less than 5-10 years of experience, thus putting the onus on the public sector to have trained enough personnel that the gaps can be augmented from their ranks as they enter the private sector. There are plenty of qualified people with years of IT experience that have the ability and desire to work in the industry, that have sought out education and training related to the discipline and that could accomplish the transition with great success, yet cannot make the transition. However, there are few and far between entry positions and of those that do exist, they require 2-3 years of experience at minimum in security related roles. If the industry does not see fit to have a backlog of qualified entry level positions, how can it expect to have an appropriate amount of qualified professionals? To further exacerbate the problem, most of these positions require the CISSP certification, which is cannot be obtained without 5 years of experience within 2 disciplines of the domain.

For those who would counter "IT personnel trained in security does not make them professionals in the field of security," I couldn't agree more, however; you have to start somewhere and wouldn't it be better to have someone that understands networks or applications and has a solid foundation to start a security career? I see all the whining of about the lack of professionals but little towards offering a solution.
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19668
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-17963. Reason: This candidate is a reservation duplicate of CVE-2018-17963. Notes: All CVE users should reference CVE-2018-17963 instead of this candidate. All references and descriptions in this candidate have been removed to preve...
CVE-2019-12882
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2017-6363
PUBLISHED: 2020-02-27
** DISPUTED ** In the GD Graphics Library (aka LibGD) through 2.2.5, there is a heap-based buffer over-read in tiffWriter in gd_tiff.c. NOTE: the vendor says "In my opinion this issue should not have a CVE, since the GD and GD2 formats are documented to be 'obsolete, and should only be used for...
CVE-2017-6371
PUBLISHED: 2020-02-27
Synchronet BBS 3.16c for Windows allows remote attackers to cause a denial of service (service crash) via a long string in the HTTP Referer header.
CVE-2017-5861
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-1000020. Reason: This candidate is a reservation duplicate of CVE-2017-1000020. Notes: All CVE users should reference CVE-2017-1000020 instead of this candidate. All references and descriptions in this candidate have been removed to...