Black Hat: European Security Pros Wrestling With Potential Breaches, Privacy Issues

Black Hat Europe attendee survey shows European cybersecurity leaders are uncertain of their ability to protect end user data - and are fearful of a near-term breach of critical infrastructure.

While 50 nations and 150 global companies gathered in Paris last week to boost the call for better cybersecurity, European IT security professionals this week are registering their concerns that the region isn't ready for an anticipated attack on critical infrastructure.

The 2018 Black Hat Europe Attendee Survey, published Wednesday, offers a sobering look at the state of cybersecurity defenses in Europe, bolstering the Paris meeting's conclusion that greater efforts are needed to protect data and infrastructure across national boundaries. 

Nearly two-thirds (65%) of security pros in Europe believe a successful cyberattack affecting the critical infrastructure of multiple EU nations will occur in the next two years, according to the Black Hat report. The survey of 132 high-level information security leaders was released in advance of the Black Hat Europe conference, which will take place in London Dec. 3 to 6. 

"Vital infrastructure is way behind on the cyberthreats," said one Black Hat survey respondent. "[Attackers] are often still hiding behind obfuscation techniques instead of [infrastructure] actually being secure." 

Another respondent agreed. "We have reached the point where it is possible to cause mass destruction by cyberattack," the respondent wrote. "This is a very worrying thing, as certain individual actors may cause large amounts of damage." 

This level of concern, which has changed very little since the 2017 Black Hat Europe Attendee Survey, mirrors similar concerns voiced by North American security pros in the Black Hat USA 2018 survey, in which 69% of respondents said they believe US critical infrastructure will suffer a breach in the next two years. And in each case, security pros are doubtful that their regional governments are prepared to respond to such a breach. Only 15% of US respondents believe the US government and private-sector entities are ready for imminent critical infrastructure attacks; 18% of EU respondents believe their regional governments are sufficiently prepared. 

Interestingly, two of the largest countries that declined to sign the Paris accord – Russia and China – are among the countries that European security pros fear most. According to a plurality of those surveyed (30%), the top threat to critical infrastructure is posed by large nation-states like Russia and China. Their concern also extends to their own environments; more than half of survey participants said they believe recent activity from Russia, China, and North Korea has made European enterprise data less secure. 

And concerns are not limited to critical infrastructure. Some three-quarters of European security pros said a major data breach will occur in their own organizations in the coming year. Only about a quarter of respondents said such a breach is unlikely to occur. 

In the area of privacy, European security leaders have a similar lack of confidence that current regulations – including GDPR, which went into effect in May – will prevent the loss and misuse of personal information, such as what Facebook experienced earlier this year. 

A solid 70% of European security pros said their organizations have dedicated resources to GDPR initiatives. Yet only slightly more than a third are confident in their organizations' state of GDPR compliance. Interestingly, while 85% of those surveyed think that GDPR will help at least a little in protecting individuals' privacy, fewer than one in four think that impact will be substantial. 

Like the participants at the Paris accord, many of the survey respondents called for a shift in security culture, both in organizations and among end users. 

"There's too much focus on technological solutions and experts, not enough focus on getting organizations and individuals to adopt secure processes and behaviors," commented one respondent. "Prevention is better than detection and cure." 

Another concurred: "Business is segmented, [which] leads to a mindset that security is the responsibility of someone else – and the security controls put in place to provide security are obstacles to be avoided, rather than embraced." 

Many of the European security pros continued to register concern about the shortage of trained cyberstaff in their organizations. Fewer than half of European security leaders said their organizations have enough staff to respond to the threats they expect to encounter in the next 12 months. 

"No company is staffed appropriately for security," one respondent said. "In my group, we have one security practitioner for each 107 software developers. That's an impossible ratio. Imagine 107 people creating dirty rooms, and one person responsible for cleaning each room – mission impossible. We need education, tooling, [and] technology to begin influencing software engineers to write more secure code." 


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
 
