1/28/2014
04:47 PM
Global Shortage Of Security Professionals Amid Raised Threat Level

Cisco annual security report highlights Web, Java, Android abuse

Applications and websites littered with malware. Multinational companies' computers sending suspicious traffic. Android the main target of mobile malware writers. A global shortage of more than 1 million security professionals.

And all of this amid another growth year for overall vulnerabilities and threats -- by 14 percent year over year since 2012, according to Cisco's newly published 2014 Annual Security Report.

"Security talent is in short supply. The skill sets are very different, but, overall, broken down into security architect, incident response, and threat intelligence," says Levi Gundert, technical lead of the Cisco Threat Research, Analysis, and Communications (TRAC) group. "[Organizations] need to make careful business decisions about outsourcing some of these functions to trusted third parties or whether they invest in people internally."

While the talent pool scrambles to play catch-up, the bad guys are getting more sophisticated and savvy. "The sophistication of the technology and tactics used by online criminals -- and their nonstop attempts to breach networks and steal data -- have outpaced the ability of IT and security professionals to address these threats. Most organizations do not have the people or the systems to continuously monitor extended networks and detect infiltrations, and then apply protections in a timely and effective manner," according to Cisco's report.

Buffer errors were the most common threat category of 2013, with 21 percent of the Common Weakness Enumeration threat categories, according to Cisco's data. Three verticals -- electronics manufacturing, agriculture, and mining -- are getting hit by malware at a rate of six times what other verticals see.

Java accounts for 91 percent of Web exploits, while 76 percent of companies using Cisco Web Security services run the outdated and no-longer-supported version 6 of Java, the report says.

Gundert says the large volume of Web malware infecting the pharmaceutical and chemical industries was eye-opening. It may be a function of nation-state cyberespionage. "In reality, nation-states make up some percentage of these attacks," he says. "Almost when you look at verticals you have to have a copy of The Economist in the other hand because geopolitical events drive some of what you see down the line ... nation-states have priorities for" their targets, he says.

And most companies are already compromised in some way with malware: Cisco found that 100 percent of the business networks whose DNS traffic it analyzed had traffic going out to malware-hosting websites, and 92 percent of businesses sent traffic to Web pages that don't have content, a sure sign of sites hosting malicious activity. And 96 percent had traffic to hijacked servers.

Meanwhile, Android devices were the focus of 99 percent of all mobile malware last year. The most popular variant was Andr/Qdplugin-A, which often spreads via repackaged copies of legitimate apps from unauthorized sources. More than 70 percent of Android users come across Web-borne malware.

Says John N. Stewart, senior vice president, chief security officer, for Cisco Threat Response Intelligence and Development: "Although the Cisco Annual Security Report paints a grim picture of the current state of cybersecurity, there is hope for restoring trust in people, institutions and technologies -- and that starts with empowering defenders with real-world knowledge about expanding attack surfaces. To truly protect against all of these possible attacks, defenders must understand the attackers, their motivations, and their methods -- before, during, and after an attack."

The full report is available for download from Cisco.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
byarbrough2008,
User Rank: Apprentice
2/13/2014 | 2:14:10 PM
re: Global Shortage Of Security Professionals Amid Raised Threat Level
If I read one more article about "shortage of security professionals" I'm going to puke! This is a self-imposed "epidemic" by the industry refusing to accept anyone with less than 5-10 years of experience, thus putting the onus on the public sector to have trained enough personnel that the gaps can be augmented from their ranks as they enter the private sector. There are plenty of qualified people with years of IT experience that have the ability and desire to work in the industry, that have sought out education and training related to the discipline and that could accomplish the transition with great success, yet cannot make the transition. However, there are few and far between entry positions and of those that do exist, they require 2-3 years of experience at minimum in security related roles. If the industry does not see fit to have a backlog of qualified entry level positions, how can it expect to have an appropriate amount of qualified professionals? To further exacerbate the problem, most of these positions require the CISSP certification, which cannot be obtained without 5 years of experience within 2 disciplines of the domain.

For those who would counter "IT personnel trained in security does not make them professionals in the field of security," I couldn't agree more; however, you have to start somewhere and wouldn't it be better to have someone that understands networks or applications and has a solid foundation to start a security career? I see all the whining about the lack of professionals but little towards offering a solution.