Black Hat: European Security Pros Wrestling With Potential Breaches, Privacy Issues

Black Hat Europe attendee survey shows European cybersecurity leaders are uncertain of their ability to protect end user data - and are fearful of a near-term breach of critical infrastructure.

While 50 nations and 150 global companies gathered in Paris last week to boost the call for better cybersecurity, European IT security professionals this week are registering their concerns that the region isn't ready for an anticipated attack on critical infrastructure.

The 2018 Black Hat Europe Attendee Survey, published Wednesday, offers a sobering look at the state of cybersecurity defenses in Europe, bolstering the Paris meeting's conclusion that greater efforts are needed to protect data and infrastructure across national boundaries. 

Nearly two-thirds (65%) of security pros in Europe believe a successful cyberattack affecting the critical infrastructure of multiple EU nations will occur in the next two years, according to the Black Hat report. The survey of 132 high-level information security leaders was released in advance of the Black Hat Europe conference, which will take place in London Dec. 3 to 6. 

"Vital infrastructure is way behind on the cyberthreats," said one Black Hat survey respondent. "[Attackers] are often still hiding behind obfuscation techniques instead of [infrastructure] actually being secure." 

Another respondent agreed. "We have reached the point where it is possible to cause mass destruction by cyberattack," the respondent wrote. "This is a very worrying thing, as certain individual actors may cause large amounts of damage." 

This level of concern, which has changed very little since the 2017 Black Hat Europe Attendee Survey, mirrors similar concerns voiced by North American security pros in the Black Hat USA 2018 survey, in which 69% of respondents said they believe US critical infrastructure will suffer a breach in the next two years. And in each case, security pros are doubtful that their regional governments are prepared to respond to such a breach. Only 15% of US respondents believe the US government and private-sector entities are ready for imminent critical infrastructure attacks; 18% of EU respondents believe their regional governments are sufficiently prepared. 

Interestingly, two of the largest countries that declined to sign the Paris accord – Russia and China – are among the countries that European security pros fear most. According to a plurality of those surveyed (30%), the top threat to critical infrastructure is posed by large nation-states like Russia and China. Their concern also extends to their own environments; more than half of survey participants said they believe recent activity from Russia, China, and North Korea has made European enterprise data less secure. 

And concerns are not limited to critical infrastructure. Some three-quarters of European security pros said a major data breach will occur in their own organizations in the coming year. Only about a quarter of respondents said such a breach is unlikely to occur. 

In the area of privacy, European security leaders have a similar lack of confidence that current regulations – including GDPR, which went into effect in May – will prevent the loss and misuse of personal information, such as what Facebook experienced earlier this year. 

A solid 70% of European security pros said their organizations have dedicated resources to GDPR initiatives. Yet only slightly more than a third are confident in their organizations' state of GDPR compliance. Interestingly, while 85% of those surveyed think that GDPR will help at least a little in protecting individuals' privacy, fewer than one in four think that impact will be substantial. 

Like the participants at the Paris accord, many of the survey respondents called for a shift in security culture, both in organizations and among end users. 

"There's too much focus on technological solutions and experts, not enough focus on getting organizations and individuals to adopt secure processes and behaviors," commented one respondent. "Prevention is better than detection and cure." 

Another concurred: "Business is segmented, [which] leads to a mindset that security is the responsibility of someone else – and the security controls put in place to provide security are obstacles to be avoided, rather than embraced." 

Many of the European security pros continued to register concern about the shortage of trained cyberstaff in their organizations. Fewer than half of European security leaders said their organizations have enough staff to respond to the threats they expect to encounter in the next 12 months. 

"No company is staffed appropriately for security," one respondent said. "In my group, we have one security practitioner for each 107 software developers. That's an impossible ratio. Imagine 107 people creating dirty rooms, and one person responsible for cleaning each room – mission impossible. We need education, tooling, [and] technology to begin influencing software engineers to write more secure code." 

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
