Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/28/2014
04:47 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Global Shortage Of Security Professionals Amid Raised Threat Level

Cisco annual security report highlights Web, Java, Android abuse

Applications and websites littered with malware. Multinational companies' computers sending suspicious traffic. Android the main target of mobile malware writers. A global shortage of more than 1 million security professionals.

And all of this amid another growth year for overall vulnerabilities and threats -- by 14 percent year over year since 2012, according to Cisco's newly published 2014 Annual Security Report.

"Security talent is in short supply. The skill sets are very different, but, overall, broken down into security architect, incident response, and threat intelligence," says Levi Gundert, technical lead of the Cisco Threat Research, Analysis, and Communications (TRAC) group. "[Organizations] need to make careful business decisions about outsourcing some of these functions to trusted third parties or whether they invest in people internally."

While the talent pool scrambles to play catch-up, the bad guys are getting more sophisticated and savvy. "The sophistication of the technology and tactics used by online criminals -- and their nonstop attempts to breach networks and steal data -- have outpaced the ability of IT and security professionals to address these threats. Most organizations do not have the people or the systems to continuously monitor extended networks and detect infiltrations, and then apply protections in a timely and effective manner," according to Cisco's report.

Buffer errors were the most common threat category of 2013, with 21 percent of the Common Weakness Enumeration threat categories, according to Cisco's data. Three verticals -- electronics manufacturing, agriculture, and mining -- are getting hit by malware at a rate of six times what other verticals see.

Java accounts for 91 percent of Web exploits, while 76 percent of companies using Cisco Web Security services run the outdated and no-longer-supported version 6 of Java, the report says.

Gundert says the large volume of Web malware infecting the pharmaceutical and chemical industries was eye-opening. It may be a function of nation-state cyberespionage. "In reality, nation-states make up some percentage of these attacks," he says. "Almost when you look at verticals you have to have a copy of The Economist in the other hand because geopolitical events drive some of what you see down the line ... nation-states have priorities for" their targets, he says.

And most companies are already compromised in some way with malware: Cisco found that 100 percent of the business networks whose DNS traffic it analyzed had traffic going out to malware-hosting websites, and 92 percent of businesses sent traffic to Web pages that don't have content, a sure sign of sites hosting malicious activity. And 96 percent had traffic to hijacked servers.

Meanwhile, Android devices were the focus of 99 percent of all mobile malware last year. The most popular variant was Andr/Qdplugin-A, which often spreads via repackaged copies of legitimate apps from unauthorized sources. More than 70 percent of Android users come across Web-borne malware.

Says John N. Stewart, senior vice president, chief security officer, for Cisco Threat Response Intelligence and Development: "Although the Cisco Annual Security Report paints a grim picture of the current state of cybersecurity, there is hope for restoring trust in people, institutions and technologies -- and that starts with empowering defenders with real-world knowledge about expanding attack surfaces. To truly protect against all of these possible attacks, defenders must understand the attackers, their motivations, and their methods -- before, during, and after an attack."

The full report is available for download here from Cisco.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
byarbrough2008
50%
50%
byarbrough2008,
User Rank: Apprentice
2/13/2014 | 2:14:10 PM
re: Global Shortage Of Security Professionals Amid Raised Threat Level
If I read one more article about "shortage of security professionals" I'm going to puke! This is a self-imposed "epidemic" by the industry refusing to accept anyone with less than 5-10 years of experience, thus putting the onus on the public sector to have trained enough personnel that the gaps can be augmented from their ranks as they enter the private sector. There are plenty of qualified people with years of IT experience that have the ability and desire to work in the industry, that have sought out education and training related to the discipline and that could accomplish the transition with great success, yet cannot make the transition. However, there are few and far between entry positions and of those that do exist, they require 2-3 years of experience at minimum in security related roles. If the industry does not see fit to have a backlog of qualified entry level positions, how can it expect to have an appropriate amount of qualified professionals? To further exacerbate the problem, most of these positions require the CISSP certification, which is cannot be obtained without 5 years of experience within 2 disciplines of the domain.

For those who would counter "IT personnel trained in security does not make them professionals in the field of security," I couldn't agree more, however; you have to start somewhere and wouldn't it be better to have someone that understands networks or applications and has a solid foundation to start a security career? I see all the whining of about the lack of professionals but little towards offering a solution.
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-9501
PUBLISHED: 2019-10-22
The Artificial Intelligence theme before 1.2.4 for WordPress has XSS because Genericons HTML files are unnecessarily placed under the web root.
CVE-2019-16971
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\messages\messages_thread.php uses an unsanitized "contact_uuid" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS.
CVE-2019-16972
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2019-16973
PUBLISHED: 2019-10-22
In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2015-9496
PUBLISHED: 2019-10-22
The freshmail-newsletter plugin before 1.6 for WordPress has shortcode.php SQL Injection via the 'FM_form id=' substring.