Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

Black Hat Survey: Breach Concerns Hit Record Levels Due to COVID-19

Annual "Black Hat USA Attendee Survey" indicates unprecedented concern over possible compromises of enterprise networks and US critical infrastructure.

Thanks to the COVID-19 crisis, security professionals are more concerned than ever about potential breaches, according to a survey released by Black Hat this week.

Respondents – 273 top security professionals – registered record levels of concern about near-term compromises of their own IT environments, as well as US critical infrastructure. Ninety-four percent said they believe the COVID-19 crisis increases the cyberthreat to enterprise systems and data, according to the "2020 Black Hat Attendee Survey." Twenty-four percent said the increased threat is critical and imminent. Vulnerabilities in enterprise remote access systems that support home workers were the chief concern (57%). Increased phishing and social engineering threats also ranked highly (51%).

In addition, nearly 90 of respondents (87%) said they believe a successful cyberattack on US critical infrastructure will occur in the next two years, up from 77% in 2019 and 69% in 2018. Only 16% believe government and private industry are prepared to respond to such an attack, down from 21% in 2019.

Seventy percent of cybersecurity pros said they believe they will have to respond to a major security breach in their own organizations in the coming year, up from 59% in 2018. Thirteen percent of 2020 respondents said such a breach is a certainty. When asked whether they have sufficient security staff to defend their enterprises against current cyberthreats, 59% said no. When asked whether they had enough budget to defend their data against current threats, a majority (56%) also said no.

While breach concerns have been high for the past several years, COVID-19 has heightened them.

"Greater dependence on cloud computing and employee-controlled/owned devices and networks will lessen the visibility and control IT and security functions rely upon to manage risk," said one survey respondent. "This is a fundamental paradigm shift that will necessitate a change in the way we manage risk, allocate already scarce resources, and deploy controls."

While resources are a major concern for security pros, many also raised concerns about current security technologies. In the survey, only 10 of 21 categories of security products were rated as "effective" by respondents. Multifactor authentication (84%), encryption (74%), and endpoint security tools (63%) received the highest "effectiveness" rating.

The security technologies rated least effective were passwords (25%), deception/honeypots (27%), and antivirus tools (31%). Cloud security providers (41%) and cloud security tools (46%) were rated ineffective by the majority of respondents.

The Black Hat survey also revealed frustration about some technologies that have been repeatedly promoted as "game changers" in security technology. When asked about artificial intelligence (AI) and machine learning (ML), for example, only 23% of survey respondents said they believe AI and ML will be game-changing technologies. Eighty-three percent said they believe the impact of AI and ML on security will be limited. Thirty percent said they believe AI and ML are discussed too much or overhyped; only 33 percent ranked them as effective.

Attitudes toward blockchain technology were even more cynical: Only 12 percent of Black Hat survey respondents rated the technology as game-changing, while 24% said they believe the technology is overhyped and unlikely to be of much use to their organizations.

Many security experts also expressed serious questions about the ability of corporations and consumers to protect the data and identity of individual users. In the survey, nearly half of respondents (45%) said they believe the consumer data stored by most corporations is highly vulnerable to attack, and that consumers should assume that their personal data has been breached.

Eighty-seven percent of cybersecurity pros said they believe that no matter how careful consumers are with their personal information, it's likely that their data and/or credentials are available to criminals online right now. Only 38% of respondents believe it will be possible for individuals to protect their online identity and privacy in the future.

Many of the survey responses also indicated that, thanks to the COVID-19 crisis, cybersecurity professionals are under more pressure than ever before. And this pressure is taking its toll – not only on enterprise networks, but on IT security pros themselves.

When asked about their current level of "burnout," in which professionals lose effectiveness because they are overstressed and oversubscribed, a majority of security professionals (53%) said they consider themselves "burned out" by their work. This figure is up significantly from 40% in 2019, suggesting that burnout is now prevalent across the industry.

Related Content:

 

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 
Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25596
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
CVE-2020-25597
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...
CVE-2020-25598
PUBLISHED: 2020-09-23
An issue was discovered in Xen 4.14.x. There is a missing unlock in the XENMEM_acquire_resource error path. The RCU (Read, Copy, Update) mechanism is a synchronisation primitive. A buggy error path in the XENMEM_acquire_resource exits without releasing an RCU reference, which is conceptually similar...
CVE-2020-25599
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the violation of various internal assumptions. This may lead to out of bounds memory a...
CVE-2020-25600
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs 64-bit or Arm (either bitness) ones. 32-bit x86 domains...