We all know that skills shortages in IT, and information security in particular, are endemic. Globally, the industry is expected to need 1.8 million more workers by 2022, according to the Center for Cyber Safety and Education and (ISC)². One sure fire way to reduce this imposingly large total would be to encourage more women into the industry.
With that in mind, a new report, Women in Cybersecurity, makes for fascinating reading.
The report was compiled by Caroline Wong, VP at pen testing firm Cobalt, on the back of interviews with hundreds of female IT security practitioners in the US, UK, Singapore, Australia and elsewhere.
“Recent press coverage on the topic has a tendency to focus on the negative – under-representation, unfair pay, and challenges in the workplace,” she told me.
“These aspects are true, however I know there’s a story that’s just as true, and that’s how many women in the field are thriving. I personally know so many women – and now I have the data to back it up – that love their jobs, feel deeply satisfied by the work they’re doing, and are tremendously successful.”
One of the key takeaways from the report is the need for employers to prioritise diversity in their hiring. Often firms narrow their options too far by failing to consider candidates from other backgrounds. According to Wong, it’s critical that hiring managers are engaged in the process and thoughtful about what skills are needed for particular roles. In fact, over half of those women she spoke to had no IT or computer science background when entering the industry – but instead had experience in areas as diverse as compliance, psychology, internal audit, entrepreneurship, sales, and even art.
“I was pleasantly surprised by the seniority and diversity of the women who responded to the survey. The topic of women in cybersecurity has received more press in the past few years than ever before, and I think it’s possible for readers to assume that women working in this field is something new – it’s not,” concluded Wong.
“Some 36% of respondents have been working in the field for 10 or more years, while 53% have been working in the field for more than five years.”
So, listen up hiring managers. Try thinking outside the box when you’re next looking for candidates. The cybersecurity industry desperately needs fresh blood, and women make up a paltry 11% of the workforce globally at present. This needs to change – and fast.
It’s hard to find an optimist in the cyber security industry in these post-referendum days. I spoke to a fair few for an upcoming feature for Infosecurity Magazine and the consensus seems to be that a Brexit will be bad for staffing, the digital economy and the financial stability of UK-based security vendors.
That’s not even to mention the legal and compliance implications. Chatham House associate fellow, Emily Taylor, recommended firms continue on the road to compliance with the European General Data Protection Regulation. Aside from the fact that any firms with EU customers will still need to comply with the far-reaching law, she reckons that if we want to protect the free flow of digital information between the EU and UK, we’ll need to continue following European laws in this area.
Snoopers gonna snoop
However, a Brexit would cause other problems, notably in that the current Snooper’s Charter looks like it will enshrine in legislation the principle of bulk surveillance – the very thing which effectively led to the scrapping of the Safe Harbour agreement between the US and EU. If this bill goes through as is and we go out of Europe but stay in the single market, we’ll have to change that bit, Taylor told me.
“A case brought by David Davis and Tom Watson questioning the legality of bulk surveillance powers under the old DRIPA laws is currently being considered by the CJEU,” she explained.
“It’s not clear which way the CJEU will go on this, because many member states have lined up to support the British approach. However, if CJEU follows its recent decisions, it could strike down bulk data collection. If we wanted to stay in the single market, we’d have to amend our IP Bill in response.”
Even if we broke away from Europe completely and adopted the status of a “third country” like the US, we’d still have to adopt measures “to give equivalent protection to EU citizens’ data as they enjoy within the EU,” she argued. And bulk surveillance would certainly be a no-no in this scenario.
The uncertainty – which could continue potentially for years while Brexit deals are worked out – is also viewed by many as damaging to the cyber security industry, and tech in general. Immigration lawyer and partner at MediVisas, Victoria Sharkey, claimed firms may be unwilling to employ skilled workers if there’s a chance they might have to leave in a couple of years’ time.
“This is certainly going to be the case where significant training and investment is involved,” she added.
In fact, EU nationals are apparently already packing their bags.
“I am already seeing EU nationals who have been here for years make plans to leave and either go home or go to another EU country. They are worried for their jobs, are worried that they will be told to leave and so would rather leave on their own terms, and they are also being made to feel unwelcome,” Sharkey continued.
“I feel that when we do leave that it is going to become significantly harder for UK employers to encourage the best in their industry to come and work in the UK.”
This, for an industry which has always struggled with skills gaps and shortages, is potentially catastrophic.
Can we overcome?
Philip Letts, CEO of global enterprise services platform blur Group, has run businesses in Silicon Valley and the UK. He also pointed out the potential damage that political and financial uncertainty could have on the industry.
“The politicians are in unchartered territory. We don’t yet have a clear timetable for the triggering of Article 50, nor the trade deals that are going to have to be negotiated. There is a political vacuum. Business confidence is low and many will hunker down, try to avoid risk and wait for this to play out,” he told me.
“Globally, the US tech heavyweights will want to remain in the UK and the EU, and they will do both, operating across different European centres. But the EU market is more lucrative than the UK, so things may shift over time.”
So is the tech and cyber security sector really doomed? Not so, according to KPMG UK head of technology, Tudor Aw.
“I believe the resilient UK tech sector can withstand the challenges of Brexit and thrive,” he told me.
“Technology is increasingly a key sector that underpins all other sectors – whether it be back office systems or strategic enablers such as IoT and data analytics. Companies will need to invest in technology to drive efficiencies and strategic growth – one only has to look at developments across a diverse range of sectors such as healthcare, automotive, property, retail and the military to see that technology spend will only increase regardless of Brexit.”
It’s a moot point now, but I wonder how much better it could have thrived had we not voted out on 23 June.
The idea is to raise awareness among consumers to think twice about leaving a bigger digital footprint online than they already have, and to try and get businesses to take data privacy more seriously.
On both counts it’s a challenging prospect, according to many of the experts I spoke to.
David Gibson, vice president of strategy at Varonis, told me that improving privacy protection all comes down to better monitoring of fraud abuses.
“The proof that traditional methods don’t work is in the increasing frequency and magnitude of data breaches related to unstructured data,” he argued.
“Not only is there more data to worry about, but it’s containing more sensitive and valuable information and it’s getting easier for attackers to exfiltrate that data since it’s typically not monitored. If what you’re trying to steal isn’t being watched, you have a much better chance of getting away.”
Rackspace senior director of legal, Lillian Pang, admitted that firms still don’t prioritise data privacy at a board level, and this needs to change if things are to get better for consumers.
“Only then will firms start taking it seriously and filter down the privacy compliance needs to the ground level of its business. In some respects, you could say that privacy needs to be led from the top level of any business and administered from the ground level,” she told me.
“Many firms pay lip service to the importance of data privacy but few really understand or recognise that a robust data privacy program in a firm solidifies its information security and helps to further safeguard the firm’s business.”
The EU General Data Protection Regulation could be the push that many firms need to start taking the issue seriously, according to Gemalto data protection CTO, Jason Hart.
“The EU Data Protection Regulation is set to be finalised later this year, but companies need to start taking the steps to change how they protect their data now, otherwise they could find themselves subject to compliance penalties, and also put their reputation and consumer confidence at risk,” he warned.
“As the reporting requirements of the new EU regulation make data breaches more visible, we can expect the economic and business consequences of a breach to continue to escalate, so businesses need to start taking steps to ensure they are prepared for when new regulation comes into force.”
So are awareness raising exercises like Data Protection Day even worth the effort? Well the general consensus is that anything like this is probably a bonus, although the jury’s out on how effective it can be.
“Although Data Privacy Day is a great opportunity to raise awareness of the issue, understanding the importance of protecting data needs to be an all year round initiative,” said Hart. “Businesses need to realise the importance of the data they hold in their systems and how the loss of this can impact their customers.”
Data Protection Day (Data Privacy Day in the US) is on 28 January.
If there’s one major security trend of 2015 I’d predict causing even more trouble next year it’s abuse of crypto keys and digital certificates. Cybercriminals have simply found that abusing this layer of the internet is far easier, cheaper and often more effective than more traditional forms of attack.
Digital certificates stolen from Sony Pictures were later used to sign malware in order to make attacks more effective; and the same technique was linked to the Anthem and Premera healthcare breaches in the States.
And of course it was a similar strategy which contributed to the success of the Stuxnet attack.
Kaspersky Lab even said this week that the number of new malware files it detected this year have actually dropped, as hackers instead use stolen or bought digital certs to achieve the same ends.
Kevin Bocek is chief security strategist at Venafi – a firm which helps secure cryptographic keys and digital certs. He told me these foundational layers of trust on which the internet rests are being undermined by the latest developments in the black hat community.
“We’ve all seen that movie scene where the bad guy dresses up as a painter to gain access to a building; this is now what is happening in the cyberworld,” he told me.
“Bad guys are trading keys and certificates on the dark web and using them to crack into company systems – just look at Sony, the Snowden revelations and Stuxnet. They all involved stolen or misused keys and certificates.”
It doesn’t bode well for the future, with even current systems being architected in the same way – based on digital certificates.
“My concern is that moving forward industrial control centre malware could become bioweapons,” Bocek claimed. “This is because the moment you sign the malware with a valid certificate, it is essentially like a bio weapon. In the current climate, that’s frightening.”
That’s not all. The burgeoning Internet of Things space is ripe for exploitation in the same way, with cybercriminals likely to hold firms ransom by effectively taking over their smart devices.
“By taking a code-signing certificate and changing the entity it obeys, a hacker can change the firmware on a smart device to take control of it. Now when that sensor or smart device calls back to the ‘mothership’ who does it trust? The bad guy,” he explained.
“From a single point of compromise – the digital certificate – hackers and cybercriminals can take over a whole network of hundreds, thousands or even millions of smart ‘things’. This can then be used to blackmail companies – either cease operations, take on huge disruption, or pay up.”
Now, Venafi certainly has a vested interest to talk up the potential damage that abuse of certs and keys could effect.
But this is already happening in the wild with real consequences for organizations and their customers around the world.
Unfortunately 2016 is likely to see things get a lot worse before CISOs start to give this their full attention.
Just finished an interesting story from security firm Damballa on mobile malware.
Breaking ranks with most of the rest of the industry, the vendor suggests in its new report that the amount of mobile malware on US networks is actually pretty minimal, and that if most users stick to the official app stores they should steer pretty clear of danger.
Indeed, it found in its analysis of half of the mobile traffic in America, only 0.0064% – or 9,688 devices out of 151 million – contacted a domain on the mobile black list.
This was even down on the 0.015% that did so in 2012.
Now the caveat is that this is just in the US, and only focusing on malicious network traffic rather than installs, but it’s still a pretty interesting piece of research.
It tends to fly in the face of the picture painted by many anti-malware companies, some of which perhaps are talking slightly disingenuously about malware epidemic on Android.
There undoubtedly is an awful lot of malware designed for Android. But how much of it actually makes its way on users’ devices? Especially if those users only stick to the first party app stores.
I’ve a feeling that if you took China and Russia out of the equation, for example, the Android malware problem wouldn’t be even remotely as acute.
“I do not know when if ever mobile malware (as we see it on the PC) will become a problem on mobile devices. I really think the app stores can control distribution of ‘money-making’ malware,” Damballa CTO Brian Foster told me by email.
“The risks and threats of around insecure cloud apps or insecure access to cloud apps are already here. The risk of losing your device and giving a 3rd party inappropriate access to your data is already here.”
It is those latter risks that IT managers would do well to get a handle on, says Foster.
Another part of the research worth mentioning is that only 1.3% of mobile hosts weren’t also in the set of hosts contained by historical non-cellular traffic.
This means that mobile apps are using the same hosting infrastructure as desktop applications and, as such, IT security teams can apply the same network-based security to spot domains with bad reputation scores etc.
F-Secure security advisor, Sean Sullivan, agreed that most Western netizens would be safe sticking to the authorised channels.
He admitted to me too via email that the mobile malware epidemic had been “overstated by *some* in the AV industry”.
However, he felt justified in sharing threat intelligence on new mobile malware, given that F-Secure’s customer-base stretches far and wide globally.
“We don’t just sell mobile AV – we sell mobile security with multiple security features and sell/bundle it with our other services in our cross-platform ‘SAFE’ offering,” he explained. “When you buy our PC software, you also get Android software – it’s all part of the package.”
That’s completely understandable and I think even if Vendor A doesn’t sell into markets where mobile threats are higher risk (like Asia, for example) they still have a responsibility to reveal major new discoveries.
However, unfortunately it doesn’t take much for responsible disclosure of threat intelligence to turn into FUD-y marketing hyperbole.
The threat of accidental or malicious employees compromising information security has been around ever since there were computer systems. But you would have thought by now that CISOs would have got a handle on it.
Not so, according to a new report from training and research firm the SANS Institute which I’ve just covered for Infosecurity Magazine.
It found that although three-quarters of IT security pros are concerned about the insider threat, a third have no means of defending against it and around a half either don’t know how much they’re spending on it or have no idea what the potential losses would be.
From JPMorgan to Chesapeake, the dangers of failing to properly mitigate internal risks are clear to see, but firms seem to be slow on the uptake.
According to Roy Duckles, EMEA Channel Director at Lieberman Software, it’s a lack of “visibility, accountability and auditability” which is to blame.
“There is an assumption that if a person or group have the ‘keys to the kingdom’ with full admin rights across an enterprise, that this is a viable and effective way to apply security policies,” he told me.
“Where most businesses fail is that due to the fact that this approach not only reduces security, but it makes it almost impossible to see who is changing what, on which systems, at what time, and the effect and risk that it has on a business.”
Firms therefore need to remove privileges where possible, introduce 2FA and prevent admins “knowing” which passwords get them into systems, he advised.
Sagie Dulce, security researcher at Imperva, told me by email that organisations lack “budget, training, technology and an incident response plan” for when a breach occurs.
“Obviously, the first things organizations must do is put some resources into the insider threat. The second thing organizations must do is prioritise: ask themselves what are the most important thing they are trying to protect?
Once they know what they are trying to protect they should consider:
- Is it Personal Information, emails, code etc?
- Is the data structured, unstructured?
- Is it found on databases, file shares?
- Who has access to this data and how (from special terminals, via VPN, 3rd party partners etc.)?”
Finally I asked David Chismon, security consultant at MWR InfoSecurity, who repeated the notion that employees should be given the minimum access necessary to do their jobs.
Investing in systems to spot insider abuse could also help protect organisations against targeted attacks which spearphish users and abuse their access, he argued.
“For example, organisations are able to detect when an employee’s account is used to try and access data it shouldn’t or if a large amount of data is being exfiltrated,” Chismon explained. “It doesn’t matter at that stage if it is the employee misusing their account or an external attacker who has compromised the network.”
The case, of course, is the destructive hit on Sony Pictures Entertainment which not only forced the movie giant to close its entire network for over a week, but also led to embarrassing internal documents and communications leaking online.
Oh, and the movie which is said to have started it all – The Interview – was virtually withdrawn from North American cinemas after distributors feared for the safety of movie-goers.
On one side it’s the Feds, who believe North Korea was responsible for the attack. On the other, industry players who believe a disgruntled insider – possibly with help from others – was to blame.
FBI director James Comey this week claimed that the hackers in question got “sloppy” a few times and forgot to use proxy servers to hide their true location, revealing IP addresses used “exclusively” by North Korea.
“They shut it off very quickly once they saw the mistake,” he added, according to Wired. “But not before we saw where it was coming from.”
The agency’s “behavioural analysis unit” has also been studying the Guardians of Peace – the group claiming responsibility – and deduced that it displays many of the psychological characteristics of North Korean operatives, he added.
The Feds have already claimed that some of the code in the malware used in this attack had been previously developed by Pyongyang, and that some of the tools used were also deployed in the DarkSeoul attacks of 2013.
So far so clear? Well, not quite according to security consultant and Europol special advisor, Brian Honan.
“What was interesting is director Comey also stated they have not yet identified the original attack vector. So this makes it even more difficult to attribute who is behind the attack and makes it more important that the FBI and Sony provide assurances regarding their attribution, particularly given that this attack is resulting in diplomatic action impacting international relations,” he told me.
“It would also be useful for many other companies to have sight of the IP addresses that were used in this attack so they can add them to their own defensive measures to prevent attacks from those IP addresses against their networks and systems.”
This scepticism has been echoed throughout sections of the information security sector – with experts claiming that attribution is tricky at the best of times and that the Feds would be wise to hold fire until a detailed forensic examination has been undertaken.
US security vendor Norse, for example, claimed last week that any evidence linking North Korea to the attacks was purely circumstantial and that an investigation it undertook pointed to the involvement of a former employee.
Part of its reasoning is that the names of corporate servers and passwords were programmed into the malware fired at Sony, which would indicate an insider’s involvement.
Another sticking point is the motivation of North Korea. If it did carry out the attack in retaliation for The Interview, which lampoons the Kim Jong-un regime, the Guardians of Peace online missives didn’t even mention the movie until the media began pegging it as the cause.
It certainly wasn’t mentioned when the group were trying to extort a ransom for the stolen data online.
In the end, we’ll have to assume the Feds have more up their sleeves than they’ve admitted to right now if we’re to be convinced about the link to Pyongyang.
“Such information need not be shared with others as it would expose valuable intelligence sources, however knowing that is what is reinforcing the FBI’s claims would help those of us in the industry to accept those claims,” said Honan.
“The FBI do have very skilled technical individuals on the case which are no doubt supplemented by Sony’s own staff and any of the private computer security companies engaged by Sony. However, analysing log data and forensics takes a very long time so I would not be surprised to see additional details come out at a later stage.”
First of all, the app market will see an ever-tightening regulatory regime following new regulations passed in October, according to co-founder Percy Alpha.
“I fear that in the future, apps will be like websites, i.e you have to get a license before publishing any,” he told me by email.
Then there’s the current trend for Man in the Middle attacks as a way to monitor and block access to various online services and sites.
The Great Firewall has already tried this tactic on Google, Yahoo and iCloud to name but three. It’s the only way the authorities can see what people are up to once a site switches to HTTPS.
The smart money is apparently on more of these attacks in 2015, but increasingly focused on smaller sites so as to not arouse much media attention.
The Chinese authorities have also been going after Greatfire itself of late, proof the anti-censorship group must be doing something right.
Their mirrored sites, which allow users behind the Great Firewall view blocked content, have been a minor irritant to the authorities until now. But since last week Beijing upped the ante in two astonishing moves against the content delivery networks (CDNs) Greatfire uses.
The first resulted in EdgeCast losing all service in China – which could mean tens of thousands of sites affected. Then another swipe took out an Akamai subdomain also used by HSBC. The result? Its corporate banking services became unavailable. It just shows the lengths the Party is prepared to go to control the flow of information.
The last word goes to co-founder Charlie Smith:
“I think we will continue to see the kinds of crackdown we have seen this past year. I think that for a long time, many optimists have said, give the authorities some time, restrictions will loosen up and information will flow more freely. If anything, the exact opposite is happening – I’m not sure why people seem to make comments otherwise.
If anything, I think the authorities will take censorship too far in 2015. They will push the Chinese over the limit of what they are willing to tolerate.”
It should come as no surprise that the web application layer is one of the most vulnerable and highly targeted in any IT organisation. The latest report from Imperva I’ve just covered for Infosecurity Magazine, bears that out, and adds some interesting new insights.
Did you know, for example, that public cloud platforms like Amazon Web Services are increasingly being used by cyber criminals to launch such attacks?
According to Imperva, 20% of all known vulnerability exploitation attempts aimed at its customers came from AMS servers – that’s a pretty sizeable chunk.
Director of security research at the Israeli firm, Itsik Mantin, told me part of the reason:
“The ability of the attackers to utilize cloud services to mount their attack, makes it easier for them to carry out longer campaigns, and thus they can scan for more vulnerabilities in more pages in the target application,” he said.
Another point of note from the report is the continued growth in SQL injection attacks – up 10% since the last report – and the less well known Remote File Inclusion (RFI) attacks, which have increased 24%.
So what’s to blame? Well not necessarily bad coding, according to Mantin.
“Applications have become more complicated, with more pages and more functions, relying on more third-party modules that are hard to control, and thus the size of the attack ‘domain’ grows over time,” he explained.
Mantin also pointed out that the attack incidents analysed in the report included attacks that were detected and prevented.
“Thus the numbers in the research indicate more the attacker’s intention and less the vulnerability of the applications,” he said.