11/28/2014 09:00 AM
Marilyn Cohodas

Why We Need Better Cyber Security: A Graphical Snapshot

By 2022, demand for security industry professionals will grow 37%.

Over the past year, we have all experienced the onslaught of headlines about major hacks and widespread new information security threats. It has been dark reading, indeed, for the hundreds of millions of consumers who have seen their credit card numbers, email addresses, and other personal information exposed by online intruders.

Globally, cybercrime costs exceed $445 billion each year, with the United States accounting for nearly one-quarter of that price tag, the Center for Strategic and International Studies reported in June.

How did we get here, and what does it mean for the future? Researchers in the Florida Tech University online Master of Science in Information Technology/Cybersecurity program recently pulled together data on industry trends and predictions to create a graphical portrait of where the industry is -- and where it needs to be. Take a look at our slideshow on their findings, and then let's chat about what steps your company is taking in the fight for better cyber security.


Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six websites for IT managers and administrators supporting ...

DavidC239
User Rank: Apprentice
12/3/2014 | 6:56:20 AM
Re: Is this a trend?
I can't say due to legal reasons. I do know that it's symptomatic of a lot of companies. There is no single silver bullet to address what happened to the Targets of the world. It's far too complex of a problem.

Let me describe it like this: Cyber Security is an ecosystem. Any breakdown in that ecosystem will have ripple effects all across it. One of the most common effects of such a breakdown is the watering down of security monitoring staff, either due to budget constraints, or diverting security staff to other areas (compliance/audit, projects, etc.). This.happens.every.single.day to Cyber Security staff across virtually all markets, including Critical Infrastructure. That ripple effect results in not having sufficient people with their eyes on the screen mitigating security issues as they occur. Add to this the fact that (in Target's case) they were offshoring some of their security monitoring. That suggests to me they were trying to keep security budgets as low as possible. So there are a couple of bread crumbs to follow...

We are in the early stages of a cyber war and look at who some here are blaming for the compromises... the people trying to defend against them. We should be blaming the corporate boards and executive management for failing to properly fund and staff their security programs.

Ask yourself this...  What has been the single most common response by major companies over the past year in addressing their security breaches? *Increased funding for Cyber Security*. More bread crumbs...

This will be my last response to this discussion. I need to get back to security monitoring... :)
TerryB
User Rank: Ninja
12/2/2014 | 4:40:10 PM
Re: Is this a trend?
@David, I hear what you are saying. But do you KNOW if Target was understaffed or did the people there just blow it?

As I said, I'm not a security professional and have never worked at a company big enough to have a security professional. Well, maybe big is not the correct word, we were $100 million+ companies. But we are heavy manufacturing, we don't have credit cards, personal info or any intellectual property that can be monetized by these clowns. So we are lucky. I feel for the businesses that do have to deal with it and genuinely am trying to understand what is going on out there. So I appreciate your comments as an insider.

But the key to your response is that they were (and the entire industry is) understaffed and undertrained. If that is the case, this 37% growth Marilyn talks about isn't driven from future activity, it's a fix for the current situation.

But my initial point remains: this isn't that different from the War on Drugs, and throwing resources at that did nothing to curb it and consumed a lot of our tax dollars. Like drugs, the bad guys get enough from cyber breaches that they can match whatever you throw at them. 37% more people won't cure this by itself, not even make it 37% better.
GonzSTL
User Rank: Ninja
12/2/2014 | 3:47:20 PM
Re: Is this a trend?
Prior to the exfiltration of data from the Target networks, certain alarms were triggered when the malware was detected, and Target IT security personnel were informed about them. I am not sure that the warning was lost due to other false positives from other security software, nor was it a lack of resources, as Target claimed to have invested hundreds of millions of dollars in data security. The alarm sent to IT security was that malware graded at the top of FireEye's criticality scale was discovered within their network. More likely, the failure was in Target's Incident Response and Event Handling procedures. You can throw as many detection resources at it as you can, but unless you have a properly defined, practiced, and rigorously followed incident response procedure coupled with a well structured and comprehensive risk management program, you may as well have nothing.

Alarms are there for a reason, and each one of them must be addressed properly. IT security systems such as SIEM, IDS/IPS, Anti-malware, etc. must be configured properly so that events can be properly correlated to vulnerabilities and threats, so that the instances of "false positives" are reduced as much as possible and actionable items become manageable. Malware detection, which was the case at Target, was not properly managed and addressed, leading me to conclude that either their incident response procedures or their risk management program was sorely lacking. If you were a retailer, what would you do if you found Black POS in your payment systems network? The initial detection did not specify Black POS, but instead noted that "unknown malware" existed within their payment systems; Target personnel were informed about its presence, and they supposedly acted upon it. What exactly did they do?
What we do know is that whatever action they performed proved inadequate, and that can only happen if the incident response procedure was not thorough enough, or their risk assessment of unknown malware did not result in a high rating, which would have yielded a strong response. I would like to think that they recognized the risk properly, which leaves incident response as the culprit. I know this sounds simplistic, but it is probably exactly what happened at Target. The formula is quite simple: if you find malware in your payment systems, obliterate it immediately and check everything. Had IT security acted upon the malware report in a timely and appropriate fashion, then the breach could have been contained before data actually left the network.
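The triage discipline GonzSTL describes above (correlate events, cut the noise, but never let a top-criticality detection in the payment network get folded into it) as an added Python example. This is not code from the comment, from Target, or from any product named in the thread; the alert records, zone names, severity scale and tuned-out signatures are constructed assumptions for illustration.

```python
"""Added example: alert triage that reduces noise without burying critical alarms.

All alerts, zones, severities and 'tuned out' signatures below are constructed
for illustration; they are not from any real SIEM, IDS or sandbox product.
"""
from collections import defaultdict

# Policy assumptions (hypothetical): zones holding cardholder data, the severity at
# which a hit in those zones is an incident no matter what, the number of identical
# alerts that counts as repetitive noise, and signatures analysts have already
# investigated and tuned out as benign.
PROTECTED_ZONES = {"payment"}
ESCALATE_AT = 7
NOISE_THRESHOLD = 3
TUNED_BENIGN = {("ids", "HTTP 404 burst")}

# Constructed sample feed: four identical scan hits, one adware hit, one sandbox
# verdict of unknown malware on a payment-zone host, and two tuned-out web alerts.
SAMPLE_ALERTS = [
    {"id": 1, "source": "ids", "signature": "ET SCAN nmap", "asset_zone": "corp", "severity": 2},
    {"id": 2, "source": "ids", "signature": "ET SCAN nmap", "asset_zone": "corp", "severity": 2},
    {"id": 3, "source": "ids", "signature": "ET SCAN nmap", "asset_zone": "corp", "severity": 2},
    {"id": 4, "source": "ids", "signature": "ET SCAN nmap", "asset_zone": "corp", "severity": 2},
    {"id": 5, "source": "av", "signature": "PUA.Toolbar", "asset_zone": "corp", "severity": 3},
    {"id": 6, "source": "sandbox", "signature": "malware.binary (unknown)", "asset_zone": "payment", "severity": 10},
    {"id": 7, "source": "ids", "signature": "HTTP 404 burst", "asset_zone": "dmz", "severity": 1},
    {"id": 8, "source": "ids", "signature": "HTTP 404 burst", "asset_zone": "payment", "severity": 1},
]


def triage(alerts):
    """Split alerts into three queues: incidents, review and suppressed.

    Check order is deliberate. A high-severity hit on a protected zone becomes
    an incident before any de-duplication or tuning runs, so it can never be
    folded into a 'noise' summary. Tuning applies only to what is left, and
    repetitive look-alike alerts collapse into one review item with a count.
    """
    incidents, review, suppressed = [], [], []
    repeats = defaultdict(list)
    for alert in alerts:
        if alert["asset_zone"] in PROTECTED_ZONES and alert["severity"] >= ESCALATE_AT:
            incidents.append({**alert, "action": "isolate host, preserve image, open IR case"})
            continue
        if (alert["source"], alert["signature"]) in TUNED_BENIGN:
            suppressed.append(alert)
            continue
        repeats[(alert["source"], alert["signature"], alert["asset_zone"])].append(alert)
    for (source, signature, zone), group in repeats.items():
        if len(group) > NOISE_THRESHOLD:
            # Collapse the repetitive group into a single actionable item, keeping the ids
            # so an analyst can still pull the raw events if the tuning decision is wrong.
            review.append({"source": source, "signature": signature, "asset_zone": zone,
                           "count": len(group), "ids": [a["id"] for a in group],
                           "action": "tune rule or investigate the repeating source"})
        else:
            review.extend({**a, "action": "analyst review"} for a in group)
    return {"incidents": incidents, "review": review, "suppressed": suppressed}


def queue_sizes(result):
    """Return (incidents, review, suppressed) counts for a triage result."""
    return tuple(len(result[k]) for k in ("incidents", "review", "suppressed"))


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for queue in ("incidents", "review", "suppressed"):
        print(f"== {queue} ({len(result[queue])})")
        for item in result[queue]:
            print("  ", item)
```

The ordering of the checks is the point: the protected-zone escalation runs before de-duplication or tuning, so the "unknown malware in the payment systems" alarm cannot be collapsed into a noise summary no matter how many look-alike IDS hits arrive alongside it, while the four identical scan alerts become one review item rather than four.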
Marilyn Cohodas
User Rank: Strategist
12/2/2014 | 1:56:31 PM
Re: Training and awareness for end users
That's very true @Keith Graham, but we all know the limits of user training. And the phishers are so sophisticated these days, I bet they can fool even the most expert & skeptical security expert occasionally.
Keith Graham
User Rank: Apprentice
12/2/2014 | 1:53:36 PM
Training and awareness for end users
I'd like to also just throw into the mix here that a major part of the problem is lack of training and awareness of our end users. I don't disagree with any of the points made here, but all the time we have non-savvy users falling for that phishing email, clicking that link or opening that weaponized document (thus resulting in malware being downloaded and an attacker getting a foothold), we're on to a losing battle.
DavidC239
User Rank: Apprentice
12/2/2014 | 11:35:59 AM
Re: Is this a trend?
/rant

If you don't have sufficient security staff to tune those monitoring systems in the first place (1) you will have an excessive amount of noise. If your security staff are not 100% dedicated (left alone) to monitor those security systems (2) you will have more security incidents. If you do not have sufficient security staff engaged in the SDLC and project development process (3) then you will end up allowing insecure systems and software to be implemented in your production environment, which will result in more security incidents. If your security staff does not have sufficient (and *current*) training on the latest threats and how to counter them (4) then they will miss or be delayed in responding to the resulting security incidents. "That doesn't sound like something that throwing MORE people at will fix, sounds like we need better systems." (5) suggests a lack of understanding of what it really takes in today's hostile world...

1.  Tuning your monitoring systems = security staff

2.  Dedicated security monitoring = security staff

3.  Engaged with the IT and business units during product/software development = security staff

4.  Ensuring a robust training budget exists for security = well trained security staff

5.  Intelligent, accurate, efficient, and automated security technology does not really exist.  That stuff might exist in the CSI TV show but not in the real world.  The security technology that *does* exist still requires #1, #2, #4 above.

We can't do our jobs on a shoestring staffing budget, without advanced, continuous training, and if we are pulled in 15 different directions, leaving the house unguarded (Target breach anyone?), then you get what you get... hacked! We are facing warehouses and dorms full of foreign hackers with all the advantages. Either we commit to fighting the good fight (in the here and now) or we disconnect from the web, take our ball and go home.

/rant

PS. I do not, nor have I ever, worked for or been affiliated with Target. My views are my own and have no relation to current or past employers.
TerryB
User Rank: Ninja
12/1/2014 | 4:15:29 PM
Re: Is this a trend?
60 Minutes was very general and non-technical, Marilyn. I suspected none of that was news to you professionals. I'm primarily a developer and generalist (I'm the only local IT guy here) whose background is from IBM mainframe and midrange servers, so I don't read Dark Reading very often. As a browser app developer, I am interested in staying up on application exploits in that vector. But almost all my apps are consumed internally behind a firewall, I'm not exposed like these public facing sites. So I don't lose a lot of sleep over cross site scripting.

But I had read a few articles on the Target breach, knew about initial access coming from one of their vendors being hacked. Also knew the breach went undiscovered for a long time. But had no idea some security systems flagged it and it just wasn't acted on because of the routine noise. Is that called a "Chicken Little" system? :-)

My main point is I'd be shocked to see any IT job grow by 37%. I mean, more software gets written and used every year and you sure don't see developer jobs growing to match that. The underlying tech/systems have to solve this, not throwing more people at it who can only do so much about careless password usage, phishing, infected web pages and opening rogue email attachments. We can't have a security professional following every business user around and authorizing every computer transaction. Just too much cost involved.
Marilyn Cohodas
User Rank: Strategist
12/1/2014 | 3:27:01 PM
Re: Is this a trend?
I saw the 60 Minutes segment, too, and much of what was reported there (for a general audience) has been part of our regular conversation on Dark Reading. But to your point, the challenge is definitely getting the right people, the right technology and the right processes to get through all the noise. There is no magic bullet, to be sure, but we can do better.
TerryB
User Rank: Ninja
12/1/2014 | 1:15:23 PM
Re: Is this a trend?
This is not a knock on security professionals but the discussion is beginning to sound more like the DEA's response to the War on Drugs. Throw more resources and people at it and then we will win! We've seen how well that worked out.

I watched the 60 Minutes segment on Cyber Security last night. Especially interesting was the guy from FireEye. It was first time I heard the story that FireEye's stuff caught the Target breach but the warning was lost in all the false positives from other security software. That doesn't sound like something that throwing MORE people at will fix, sounds like we need better systems.

The other key takeaway for me was his comment that you WILL get breached, that battle is just to limit how long it lasts and what they get access to. Again, not something throwing security people at is going to fix.

No question the awareness of security importance has to be drilled into developers and architects of systems. From a cost point of view, businesses will sure get more bang for their buck that way than paying people who do security and nothing else. But there is no magic bullet here.
mejiac
User Rank: Apprentice
12/1/2014 | 10:09:33 AM
Re: Is this a trend?
@Marilyn Cohodas,

So the question remains... do we get out of the storm (meaning pursue more low-tech solutions), or get better rain coats?

I think an answer lies somewhere in between, and I think the finance industry would be the ones trying to implement more robust security measures.