Comments
Closing The Skills Gap Between Hackers & Defenders: 4 Steps
Thomas Claburn
User Rank: Ninja
8/11/2014 | 4:11:01 PM
there's another lesson
Many companies that stockpile data may not want to hear it, but the success of hackers ought to be a lesson to avoid storing data.
Sara Peters
User Rank: Author
8/12/2014 | 10:25:06 AM
Re: there's another lesson
@Thomas Claburn Well, on one hand, you're right: you can't get stung with a data breach if you don't have any data. But on the other hand, so many companies are trying to get into "big data" that it will be very difficult to convince them to store less. If anything, they'll continue to store more, and make it more accessible to their employees.
Dr.T
User Rank: Ninja
8/13/2014 | 4:03:16 PM
Re: there's another lesson
Good point. Some companies think they do not have anything to lose; when they review the requirements around the regulations, they would realize it. If they do business, they have data they need to protect.
Robert McDougal
User Rank: Ninja
8/16/2014 | 10:05:02 AM
Re: there's another lesson
Unfortunately, I see this all too often.  One of the non-profits I volunteer with falls into this category.  They believe they have nothing to lose and will not spend the money to properly secure their data.  I address this issue with them about once a quarter but I get the same response, "Nobody cares about us, we are just a little operation".
adriangood
User Rank: Apprentice
8/12/2014 | 6:59:46 AM
Skills Shortage
There is an IT security skills shortage because the really smart geeks don't want to work for greedy Corporate entities whose only interest is short-term Shareholder returns, and the Corporate environment actively marginalizes those people most suited to helping prevent the attacks.

Until Capitalist Business models change, the Hacking will continue; the Chinese Government does not lock up its most talented Hackers at every opportunity, it gives them gainful employment.

Unfortunately, creative thinking cannot be mass-produced; it has to be an integral part of the person's personality.

The IT security maladies are just a symptom of our corrupt society, and will only change when our definition of success has been reset.

Marilyn Cohodas
User Rank: Strategist
8/12/2014 | 7:27:00 AM
Re: Skills Shortage
@AdrianGood Hacking will continue because cybercrime is a profitable business. But there are still plenty of smart geeks who are working to keep the bad guys in check.
GonzSTL
User Rank: Ninja
8/12/2014 | 8:40:10 AM
Re: Skills Shortage

Cyber crime is very profitable, and cyber criminals are better funded than the good guys. Naturally, that means that the good guys are always on the defensive, so really the best way to approach security is to be proactively prepared. True, we cannot be 100% effective in stopping attacks, but if we are diligent and adequately funded, we can put up some pretty good resistance. There really is no shortage of good guys with technical skills; most of the most brilliant geeks are good guys. The missing component is effective communication, and "what we have here is a failure to communicate". Many incredibly skilled people do not have the communication skills required to deliver the security message in a way that is fit for executive consumption, and also for the lay person.  Until we can effectively communicate the importance of security and its role in ensuring that organizational goals are met, funding will be difficult, and management and user support for awareness training will be lacking. For security to be effective, it must be ingrained in the culture of an organization, and the best way to get to that point is through effective communication.

Marilyn Cohodas
User Rank: Strategist
8/12/2014 | 8:50:20 AM
Re: Skills Shortage
For security to be effective, it must be ingrained in the culture of an organization, and the best way to get to that point is through effective communication.

Great point @GonzSTL, I would add that communication about the increasing dangers of cyberattacks must go way beyond the culture of a single organization to the mindset of everyone who is using technology. Of course that is a problem that is far beyond the scope of a business security team!
Sara Peters
User Rank: Author
8/12/2014 | 10:33:58 AM
Re: Skills Shortage
@adriangood  Wow, that's a fascinating perspective. I definitely agree with some of it -- like that relentless, short-sighted capitalism damages security (and the economy), and that a lot of talented hackers don't want to work for them. But...

if the most talented hackers aren't working for those big corporations, who are they working for? Are they working for smaller companies and government entities? Or are they working for criminal organizations?
Whoopty
User Rank: Ninja
8/12/2014 | 11:04:24 AM
Cyber Centurion
I was pretty pleased to hear that the UK is pushing for more digital security experts by opening up the Cyber Centurion competition to younger school children:

http://www.telegraph.co.uk/technology/internet-security/11025457/School-children-to-be-trained-in-cyber-warfare.html?placement=CB1

That said, I'm not sure I approve of one of the main prizes being to intern at an American defence contractor. Couldn't they do the same at a British company instead? 
dewser
User Rank: Apprentice
8/12/2014 | 12:08:06 PM
Skills Shortage
There is only so much to teach at the college level. Your standard BS holder is going to come out with some base knowledge in either MIS or CS. That knowledge is most likely going to be out-of-date when they hit the workforce. To be an effective defender you need to have some pretty strong bases in a number of IT disciplines. You need to know how the infrastructure works. The best way to learn this is to do it. I've spent the last 15 years of my life in the IT space. A majority of that was building servers, deploying firewalls, and troubleshooting everything from the simple app crash to the more complicated network performance issues. Only in the last 3 years have I focused on security. But guess what, everything I tell a company now is everything I told them years ago when I was a Sys Admin.

I tried my hand at working for a large enterprise. My title was IT Security Analyst, but that was nothing more than a title. I spent more time as a glorified project manager. That consisted of helping everyone else with their projects to ensure they met security/compliance objectives. But honestly, many of the regular IT staff had little knowledge of servers, operating systems, networking... so I spent more time educating them on that. So in my mind I was being severely underutilized. Yes, I think it was good I was able to help educate, but very few of these people showed any desire to learn some things on their own. Unfortunately this did not play into my long-term goals and frankly I was bored out of my gourd. Now I am doing exciting work in a small startup. I have to wear many hats but it is very much worth it.

So the big enterprises and the government want skilled hackers; unfortunately, I think many do not have the culture that can support these types of minds. Also, money is not always the best motivator. I could probably be making much, much more working for a larger entity as a "Cyber Security Analyst", but in my current role if I want to go to some type of special training or a hacker con, management is all for it.
GonzSTL
User Rank: Ninja
8/12/2014 | 1:12:30 PM
Re: Skills Shortage
As with most other BS degrees, you can only gain so much knowledge through education, and the rest really depends on hands-on experience. That does not detract from the importance of education, because it is that education that provides the foundation upon which experience is built. You have to look at the entire picture to really understand the different aspects of IT and security. I received a BSCS, and what that really did for me was help me understand how electronic computing worked, both from a hardware and a software perspective. As far as security is concerned, for me it was a combination of continuing education, mostly from reading manuals, technical papers, attending technology-specific classes, hands-on experience, and everyday common sense. The title of "Security Analyst" is so broad that it can encompass many different roles, such as the one you had. You mentioned that you helped everyone else with their projects to ensure that they met security/compliance objectives. Did it occur to you that it was in fact a critical and appropriate role in IT security? Educating fellow employees was also critical - if there was a need for it, then you also served that need, to increase the overall security posture of the organization. Sure, that sounds a lot like deskwork or paper pushing, or whatever, and it isn't quite as sexy as hacking, or tracking hacker activities in real time as depicted in the movies, but in reality, IT security is all of that combined. In a large organization, that is way too much for a single individual, and must be split off into several roles among several personnel. I have also worked for small companies where I wore many hats, and it was both exciting and fulfilling. I suppose that is really where I started to see the big picture, saw how everything worked and how they all come together. I admit it was more exciting than being pigeon-holed into some mundane role.
However, one must look at security from an overall point of view, culling information from all the different mundane roles, to provide an overall assessment of the existing security posture in the context of existing business processes. From there, you determine where the gaps are, and provide an analysis and actionable data to produce a secure environment in which the organization can deploy technology in support of the organization's goals. IT security isn't merely a technical discipline; it is in fact a combination of technology know-how and business savvy, and is an integral part of an organization that wants to poise itself for success.
Dr.T
User Rank: Ninja
8/13/2014 | 3:59:39 PM
Re: Skills Shortage
Education is one thing, experience something else; they are all needed, I would say. However, what is most important is creativity, in my view: innovating new ways to protect ourselves from potential threats.
Marilyn Cohodas
User Rank: Strategist
8/15/2014 | 9:08:09 AM
Re: Skills Shortage
Creativity is definitely under-rated, Dr. T. Did you see Lysa Meyers' recent blog -- Time To Broaden CompSci Curriculum Beyond STEM? She makes a very strong case for that skill set.
Robert McDougal
User Rank: Ninja
8/16/2014 | 10:02:27 AM
Re: Skills Shortage
I think you have hit the nail on the head here.  The important thing is not education into current practices, for they are all imperfect, but rather focusing on innovation.
Dr.T
User Rank: Ninja
8/13/2014 | 3:56:25 PM
Think security
I agree with the article. Good guys have enough opportunities to outpace bad guys by developing more secure applications, networks and systems. The main reason all these systems are being attacked, and the attacks are successful, is simply because they all have vulnerabilities. When we embed security considerations early enough in a project, not only would those vulnerabilities be minimized, but the impact of an attack would be minimized as well.
Robert McDougal
User Rank: Ninja
8/16/2014 | 10:01:03 AM
Re: Think security
Although I agree the good guys sometimes become complacent, I don't believe we will ever see a 100% secure application. The reason being that if you make an application 100% secure, the usability of that application drops to near 0%.

I concede that I may be proven wrong by future technologies but currently I don't see a path to 100% security.