Dark Reading | Application Security | Commentary
8/11/2014 12:00 PM
W. Hord Tipton

Closing The Skills Gap Between Hackers & Defenders: 4 Steps

Improvements in security education, budgets, tools, and methods will help our industry avoid more costly and dangerous attacks and data breaches in the future.

The bad guys are winning. Numerous companies have made the news recently because they failed to rebuff information security attacks. Target lost its customers’ credit and debit card data. Adobe lost its customers’ credit card information, along with IDs and passwords. eBay lost its customers’ personal information, including email addresses and physical addresses.

These breaches have caused disquiet in the minds of consumers and cost the companies themselves millions of dollars' worth of bad publicity and damage to their brands, not to mention the costs of mitigation and restoration. And the breaches we know about could just be a fraction of the incidents. Companies have to disclose breaches of consumer data, but not the theft of their own internal information.

As long as there is valuable personal information at risk, hackers will try to access it, whether the goal is the immediate use of stolen financial data, the long con of identity theft, or just causing pain to companies and their consumers.

Unfortunately, there is a growing skills gap between those out to do harm and the average defender. Until the information security workforce catches up, we will continue to see the increasing success of sophisticated attacks. However, there are important steps the information security industry can take to slow and even reverse this trend. Here are four key areas to get you started:

Everything starts and ends with education
Education and research need to be improved at the college and university level to improve the skills of future information security professionals and to grow the number of individuals qualified to enter the workforce. Once those security professionals -- the front line against malicious attacks -- have been hired, employers need to invest in their continuing education and training in order to stay ahead of ever-changing security threats. Only such educated individuals will be able to predict the next wave of vulnerabilities and attacks, and design ways to combat them before they develop into a crisis.

Be smart about spending
It is crucial to make the most of our limited security budgets. With more and more critical data touching the Internet, increasingly well-funded cyber criminals have their choice of targets. High-profile companies are always going to be attacked, but small- and medium-sized businesses are now being targeted as low-hanging fruit. Though the rewards might be smaller, there’s a high probability of success and a low probability of being caught.

As an industry, we need to focus whatever security budget is available on the most likely threats. Though all companies must be aware of common threats like APTs and DDoS attacks, one of the biggest threats to us all is the under-educated employee. Whether it’s an executive who falls prey to social engineering or an IT guru who chooses not to use the best network configuration techniques, we often open ourselves up to preventable attacks.

Involve application developers
Increased security has a reputation for hindering an application’s usability, and as time and budget constraints work against the developers, security requirements get squeezed out of software development. There is a massive difference between building a computer application and building a secure computer application, though. Despite the immediate price tag, building security into an application up front is rarely more expensive than trying to retrofit it once the application is built, or cleaning up the mess once a vulnerability is exploited.

Get management to buy in
Even when the security pros are aware of what needs to be done, they can have trouble convincing management to allocate the resources to do it. We need to improve our ability to make a business case for better tools and better training. If you can’t talk “dollars and sense” to your CFO or budget analyst and navigate office politics, you won’t get anywhere. Part of improving education is improving a security professional’s awareness of not just the theoretical importance of security, but security’s return on investment. When you can show executives specifically how security can save the business money, or even save their jobs, you are now speaking their language.

The very public breaches of the past year have caused a lot of damage to companies and individuals, but perhaps they have been a blessing in disguise. If these cyberattacks serve as a wake-up call to the security industry and the businesses we support, precipitating an improvement in our education, budgets, tools, and methods, then we may be able to avoid even costlier and more dangerous breaches down the road. Lost passwords and credit card data will be the least of our concerns if cyberattacks become the weapon of choice in nation-state attacks or ultimately damage the country’s critical infrastructure.

W. Hord Tipton, CISSP-ISSEP, CAP, CISA, CNSS, is currently the executive director for (ISC)2, the not-for-profit global leader in information security education and certification. Tipton previously served as chief information officer for the U.S. Department of the Interior ...
Comments
Sara Peters, User Rank: Author
8/12/2014 | 10:33:58 AM
Re: Skills Shortage
@adriangood  Wow, that's a fascinating perspective. I definitely agree with some of it -- like that relentless, short-sighted capitalism damages security (and the economy), and that a lot of talented hackers don't want to work for them. But...

if the most talented hackers aren't working for those big corporations, who are they working for? Are they working for smaller companies and government entities? Or are they working for criminal organizations?
Sara Peters, User Rank: Author
8/12/2014 | 10:25:06 AM
Re: there's another lesson
@Thomas Claburn  Well on one hand, you're right: you can't get stung with a data breach if you don't have any data. But on the other hand, so many companies are trying to get into "big data" that it will be very difficult to convince them to store less. If anything, they'll continue to store more, and make it more accessible to their employees. 
Marilyn Cohodas, User Rank: Strategist
8/12/2014 | 8:50:20 AM
Re: Skills Shortage
For security to be effective, it must be ingrained in the culture of an organization, and the best way to get to that point is through effective communication.

Great point @GonzSTL, I would add that communication about the increasing dangers of cyberattacks must go way beyond the culture of a single organization to the mindset of everyone who is using technology. Of course that is a problem that is far beyond the scope of a business security team!
GonzSTL, User Rank: Ninja
8/12/2014 | 8:40:10 AM
Re: Skills Shortage
Cyber crime is very profitable, and cyber criminals are better funded than the good guys. Naturally, that means that the good guys are always on the defensive, so really the best way to approach security is to be proactively prepared. True, we cannot be 100% effective in stopping attacks, but if we are diligent and adequately funded, we can put up some pretty good resistance. There really is no shortage of good guys with technical skills; most of the most brilliant geeks are good guys. The missing component is effective communication, and "what we have here is a failure to communicate". Many incredibly skilled people do not have the communication skills required to deliver the security message in a way that is fit for executive consumption, and also for the lay person.  Until we can effectively communicate the importance of security and its role in ensuring that organizational goals are met, funding will be difficult, and management and user support for awareness training will be lacking. For security to be effective, it must be ingrained in the culture of an organization, and the best way to get to that point is through effective communication.

Marilyn Cohodas, User Rank: Strategist
8/12/2014 | 7:27:00 AM
Re: Skills Shortage
@AdrianGood Hacking will continue because cybercrime is a profitable business. But there are still plenty of smart geeks who are working to keep the bad guys in check.
adriangood, User Rank: Apprentice
8/12/2014 | 6:59:46 AM
Skills Shortage
There is an IT security skills shortage because the really smart geeks don't want to work for greedy Corporate entities whose only interest is short-term Shareholder returns, and the Corporate environment actively marginalizes those people most suited to helping prevent the attacks.

Until Capitalist Business models change, the Hacking will continue. The Chinese Government does not lock up its most talented Hackers at every opportunity; it gives them gainful employment.

Unfortunately, creative thinking cannot be mass-produced; it has to be an integral part of the person's personality.

The IT security maladies are just a symptom of our corrupt society, and will only change when our definition of success has been reset.

Thomas Claburn, User Rank: Ninja
8/11/2014 | 4:11:01 PM
there's another lesson
Many companies that stockpile data may not want to hear it, but the success of hackers ought to be a lesson to avoid storing data.