Operations

7/6/2017
12:00 PM
50%
50%

Black Hat Survey: Security Pros Expect Major Breaches in Next Two Years

Significant compromises are not just feared, but expected, Black Hat attendees say.

A major compromise of U.S. critical infrastructure will occur in the next couple of years, according to a majority of IT security professionals -- and most expect breaches of their own enterprise networks to occur even sooner.

These serious concerns are among those registered by respondents to the 2017 Black Hat Attendee Survey, the results of which are being published Wednesday. The survey offers insights on the plans and attitudes of 580 experienced security professionals, including many cybersecurity leaders who work in critical-infrastructure industries.

The survey results come on the heels of federal warnings about a hacking campaign being waged against U.S. energy and nuclear power companies.

Sixty percent of respondents to the Black Hat survey believe that a successful cyberattack on U.S. critical infrastructure will occur in the next two years. Only 26% are confident that U.S. government and defense forces are equipped and trained to respond appropriately.

About two-thirds of respondents think it likely that their own organizations will have to respond to a major security breach in the next 12 months. Sixty-nine percent say they do not have enough staff to meet the threat; 58% feel they do not have adequate budgets.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

The heightened concern over near-term attacks appears to have been exacerbated by recent activity by nation-state threat actors and a shortage of confidence in current U.S. cyber policy. Sixty-nine percent of IT security professionals feel that state-sponsored hacking from countries such as Russia and China has made U.S. enterprise data less secure.

Only 26% of information security pros believe that the new White House administration will have a positive impact on cybersecurity policy, regulation, and law enforcement over the next four years.

When it comes to threats, IT security professionals’ greatest concerns are around phishing and social engineering (50%) and sophisticated attacks targeted directly at their own organizations (45%), according to the Black Hat survey. For the second straight year, respondents ranked ransomware as the greatest emerging threat to rise over the past 12 months, with 34% of the vote. The survey was conducted before the emergence of the recent WannaCry and Petya exploits.

As in past surveys, the Black Hat attendees registered strong concern over the disparity between their own priorities and those of top management in their organizations. Despite concern about emerging attacks, respondents indicated that functions such as compliance and risk measurement occupy the largest shares of their time and budget.

When asked how their IT security budgets are spent, 36% of Black Hat survey respondents said that compliance is the top priority, up from 31% in 2016. The effort to measure security posture and risk – a priority that finished ninth among security professionals but third among top executives – is a top spending priority for 23% of respondents, about the same percentage as last year, making it the number three overall security spending priority.

While respondents to the Black Hat survey today are most concerned with social engineering and targeted attacks, the majority believe that their priorities will change in the not-too-distant future. Digital attacks on non-computer systems – the Internet of Things – currently ranks 10th among security professionals’ chief worries; but when asked what they believe they will be most concerned about two years from now, IoT security ranks first on the list, at 34% (up from 28% in 2016).

Security pros also registered some concerns about internal data leaks, particularly those released via WikiLeaks. When asked which attackers they feared most, Black Hat respondents said they are most concerned about those with inside knowledge of their organizations (39%, up from 36% in 2016). Some 61% of respondents said they believe WikiLeaks is having an impact on the way corporations and government agencies conduct their operations. Thirty-two percent of IT security pros oppose the work done by WikiLeaks; 31% are in favor of it, with 37% remaining neutral.

Related Content:

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Joe Stanganelli
0%
100%
Joe Stanganelli,
User Rank: Ninja
7/6/2017 | 12:30:41 PM
2 years, and compliance
Coincidentally, as per an old stat that's been floating around a few years now (from Gartner, I think? I don't quite remember) indicating that within two years of a major breach, a small business goes out of business.

On a separate note, I'm not sure how I feel about compliance gaining a bigger percentage of the "top priority" pie here. On the one hand, it's good to see more security pros taking it seriously. On the other hand, it's kind of sad when you think about it that compliance has to take so much away from actual security and privacy issues. While compliance can help make you way more secure, compliance and security are not the same thing -- and, sometimes, even contradict each other!
tcritchley07
50%
50%
tcritchley07,
User Rank: Strategist
7/7/2017 | 9:57:54 AM
Re:Breaches over Next 2 Years
The 'breach' (in its broadest sense) figures are climbmg inexorable despite all the talk and flannel os vendors and consultants. It is like fixng rust spots on a rust bucket car whre as soon as you fix one, another appears. This will never work and the whole issue needs a new, solid cybersecurity architecture. This will take much of the onus off the end user or organisation and quite rightly. When I fly, I am not expected to take my own oxygen, life vest etc. It is supplied by the body that sold me the ticket. We expect the equivalent of users/organisations over cybersecurity.

The architecture wil inevitabky involve:

1. Changes to existing internet SW (DNS, Windows etc.) or even scrapping and repleacing. This will allow intimate knowledge of 'user', whether good guy or bad guy, including location, SW level, his PC ID/serial no. etc.

2, Hardware innovation such as built in memory and storage encryption.

3. Judicious data placement ( I am working on this) and other tricks of the trade to prevent malicious encryption and possibly make it theft-proof. These things will not happen by fiddling, patching and twiddling with the current setup. The internet is open, was conceived that way and the SW around it reflects that ethos. It MUST change if we are to have true security.

4. The redoubt (miltary fallback for a last stand); this means a proper disaster recovery (DR) plan where the organisation or user is not wiped out when data is lost (deleted) or encrypted. The recent UK NHS Wannacry debacle showed the need for, and in this case the absence of, a good, rapid recovery DR plan.

If you think about this you will see the sense in it. The architecture must be agreed by all (conforming nations at least) which will get over the disaster I see promised by the dozen or more cybersecurity initiatives being developed by government bodies and other bodies. If they all come to pass, I dread to think what will happen when a system with cybersecurity 1 tries to talk to one with cybersecurity 6; it will be 'request rejected. I don't recognise you'. Take a look at the US and UK cybersecurity initiatives as a starter, then look at all the cybersecurity vendors (about 50 or more) and what their initaitives are and you will see what I see as a final result; a complete dog's breakfast'.

Terry Critchley
Dario.Forte
50%
50%
Dario.Forte,
User Rank: Author
7/10/2017 | 9:08:48 AM
Disparity in priorities
I think the concern over the disparity between the practitioner priorities and those of top management in their organizations is probably one of the most relevant of the survey and it denotes a misalignment between business and technical requirements. While it is clear that compliance is a driver (and probably it always will be), the importance of creating a common playground for technical and business management is mandatory. I think GDPR will provide a huge opportunity to create (and maintain) this common layer, as it is a clear example of how compliance cannot be reached without technical execution.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
7/13/2017 | 7:36:06 AM
Defining "cyberattack"
> Sixty percent of respondents to the Black Hat survey believe that a successful cyberattack on U.S. critical infrastructure will occur in the next two years.

How loosely or strictly are we defining "cyberattack" here?

Because, depending upon the definition, there have already been such successful cyberattacks.

Case in point from six years ago here: pastebin.com/Wx90LLum
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.