We all know that skills shortages in IT, and in information security in particular, are endemic. Globally, the industry is expected to need 1.8 million more workers by 2022, according to the Center for Cyber Safety and Education and (ISC)². One sure-fire way to reduce this imposingly large total would be to encourage more women into the industry.
With that in mind, a new report, Women in Cybersecurity, makes for fascinating reading.
The report was compiled by Caroline Wong, VP at pen testing firm Cobalt, on the back of interviews with hundreds of female IT security practitioners in the US, UK, Singapore, Australia and elsewhere.
“Recent press coverage on the topic has a tendency to focus on the negative – under-representation, unfair pay, and challenges in the workplace,” she told me.
“These aspects are true, however I know there’s a story that’s just as true, and that’s how many women in the field are thriving. I personally know so many women – and now I have the data to back it up – that love their jobs, feel deeply satisfied by the work they’re doing, and are tremendously successful.”
One of the key takeaways from the report is the need for employers to prioritise diversity in their hiring. Often firms narrow their options too far by failing to consider candidates from other backgrounds. According to Wong, it’s critical that hiring managers are engaged in the process and thoughtful about what skills are needed for particular roles. In fact, over half of those women she spoke to had no IT or computer science background when entering the industry – but instead had experience in areas as diverse as compliance, psychology, internal audit, entrepreneurship, sales, and even art.
“I was pleasantly surprised by the seniority and diversity of the women who responded to the survey. The topic of women in cybersecurity has received more press in the past few years than ever before, and I think it’s possible for readers to assume that women working in this field is something new – it’s not,” concluded Wong.
“Some 36% of respondents have been working in the field for 10 or more years, while 53% have been working in the field for more than five years.”
So, listen up hiring managers. Try thinking outside the box when you’re next looking for candidates. The cybersecurity industry desperately needs fresh blood, and women make up a paltry 11% of the workforce globally at present. This needs to change – and fast.
It’s hard to find an optimist in the cyber security industry in these post-referendum days. I spoke to a fair few for an upcoming feature for Infosecurity Magazine and the consensus seems to be that a Brexit will be bad for staffing, the digital economy and the financial stability of UK-based security vendors.
That’s not even to mention the legal and compliance implications. Chatham House associate fellow, Emily Taylor, recommended firms continue on the road to compliance with the European General Data Protection Regulation. Aside from the fact that any firms with EU customers will still need to comply with the far-reaching law, she reckons that if we want to protect the free flow of digital information between the EU and UK, we’ll need to continue following European laws in this area.
Snoopers gonna snoop
However, Brexit would cause other problems, notably that the current Snooper’s Charter (the Investigatory Powers Bill) looks set to enshrine the principle of bulk surveillance in legislation – the very thing which effectively led the CJEU to strike down the Safe Harbour agreement between the US and EU. If the bill goes through as is and we leave the EU but stay in the single market, that part will have to change, Taylor told me.
“A case brought by David Davis and Tom Watson questioning the legality of bulk surveillance powers under the old DRIPA laws is currently being considered by the CJEU,” she explained.
“It’s not clear which way the CJEU will go on this, because many member states have lined up to support the British approach. However, if CJEU follows its recent decisions, it could strike down bulk data collection. If we wanted to stay in the single market, we’d have to amend our IP Bill in response.”
Even if we broke away from Europe completely and adopted the status of a “third country” like the US, we’d still have to adopt measures “to give equivalent protection to EU citizens’ data as they enjoy within the EU,” she argued. And bulk surveillance would certainly be a no-no in this scenario.
The uncertainty – which could continue potentially for years while Brexit deals are worked out – is also viewed by many as damaging to the cyber security industry, and tech in general. Immigration lawyer and partner at MediVisas, Victoria Sharkey, claimed firms may be unwilling to employ skilled workers if there’s a chance they might have to leave in a couple of years’ time.
“This is certainly going to be the case where significant training and investment is involved,” she added.
In fact, EU nationals are apparently already packing their bags.
“I am already seeing EU nationals who have been here for years make plans to leave and either go home or go to another EU country. They are worried for their jobs, are worried that they will be told to leave and so would rather leave on their own terms, and they are also being made to feel unwelcome,” Sharkey continued.
“I feel that when we do leave that it is going to become significantly harder for UK employers to encourage the best in their industry to come and work in the UK.”
This, for an industry which has always struggled with skills gaps and shortages, is potentially catastrophic.
Can we overcome?
Philip Letts, CEO of global enterprise services platform blur Group, has run businesses in Silicon Valley and the UK. He also pointed out the potential damage that political and financial uncertainty could have on the industry.
“The politicians are in uncharted territory. We don’t yet have a clear timetable for the triggering of Article 50, nor the trade deals that are going to have to be negotiated. There is a political vacuum. Business confidence is low and many will hunker down, try to avoid risk and wait for this to play out,” he told me.
“Globally, the US tech heavyweights will want to remain in the UK and the EU, and they will do both, operating across different European centres. But the EU market is more lucrative than the UK, so things may shift over time.”
So is the tech and cyber security sector really doomed? Not so, according to KPMG UK head of technology, Tudor Aw.
“I believe the resilient UK tech sector can withstand the challenges of Brexit and thrive,” he told me.
“Technology is increasingly a key sector that underpins all other sectors – whether it be back office systems or strategic enablers such as IoT and data analytics. Companies will need to invest in technology to drive efficiencies and strategic growth – one only has to look at developments across a diverse range of sectors such as healthcare, automotive, property, retail and the military to see that technology spend will only increase regardless of Brexit.”
It’s a moot point now, but I wonder how much better it could have thrived had we not voted out on 23 June.
The idea is to raise awareness among consumers to think twice about leaving a bigger digital footprint online than they already have, and to try and get businesses to take data privacy more seriously.
On both counts it’s a challenging prospect, according to many of the experts I spoke to.
David Gibson, vice president of strategy at Varonis, told me that improving privacy protection all comes down to better monitoring of fraud abuses.
“The proof that traditional methods don’t work is in the increasing frequency and magnitude of data breaches related to unstructured data,” he argued.
“Not only is there more data to worry about, but it’s containing more sensitive and valuable information and it’s getting easier for attackers to exfiltrate that data since it’s typically not monitored. If what you’re trying to steal isn’t being watched, you have a much better chance of getting away.”
Rackspace senior director of legal, Lillian Pang, admitted that firms still don’t prioritise data privacy at a board level, and this needs to change if things are to get better for consumers.
“Only then will firms start taking it seriously and filter down the privacy compliance needs to the ground level of their business. In some respects, you could say that privacy needs to be led from the top level of any business and administered from the ground level,” she told me.
“Many firms pay lip service to the importance of data privacy but few really understand or recognise that a robust data privacy program in a firm solidifies its information security and helps to further safeguard the firm’s business.”
The EU General Data Protection Regulation could be the push that many firms need to start taking the issue seriously, according to Gemalto data protection CTO, Jason Hart.
“The EU Data Protection Regulation is set to be finalised later this year, but companies need to start taking the steps to change how they protect their data now, otherwise they could find themselves subject to compliance penalties, and also put their reputation and consumer confidence at risk,” he warned.
“As the reporting requirements of the new EU regulation make data breaches more visible, we can expect the economic and business consequences of a breach to continue to escalate, so businesses need to start taking steps to ensure they are prepared for when new regulation comes into force.”
So are awareness-raising exercises like Data Protection Day even worth the effort? Well, the general consensus is that anything like this is probably a bonus, although the jury’s out on how effective it can be.
“Although Data Privacy Day is a great opportunity to raise awareness of the issue, understanding the importance of protecting data needs to be an all year round initiative,” said Hart. “Businesses need to realise the importance of the data they hold in their systems and how the loss of this can impact their customers.”
Data Protection Day (Data Privacy Day in the US) is on 28 January.
If there’s one major security trend of 2015 I’d predict causing even more trouble next year, it’s the abuse of cryptographic keys and digital certificates. Cybercriminals have simply found that abusing this layer of the internet is far easier, cheaper and often more effective than more traditional forms of attack.
Digital certificates stolen from Sony Pictures were later used to sign malware in order to make attacks more effective; and the same technique was linked to the Anthem and Premera healthcare breaches in the States.
And of course it was a similar strategy which contributed to the success of the Stuxnet attack.
Kaspersky Lab even said this week that the number of new malware files it detected this year has actually dropped, as hackers instead use stolen or bought digital certs to achieve the same ends.
Kevin Bocek is chief security strategist at Venafi – a firm which helps secure cryptographic keys and digital certs. He told me these foundational layers of trust on which the internet rests are being undermined by the latest developments in the black hat community.
“We’ve all seen that movie scene where the bad guy dresses up as a painter to gain access to a building; this is now what is happening in the cyberworld,” he told me.
“Bad guys are trading keys and certificates on the dark web and using them to crack into company systems – just look at Sony, the Snowden revelations and Stuxnet. They all involved stolen or misused keys and certificates.”
It doesn’t bode well for the future, given that new systems are still being architected around the same trust model: digital certificates.
“My concern is that moving forward industrial control centre malware could become bioweapons,” Bocek claimed. “This is because the moment you sign the malware with a valid certificate, it is essentially like a bio weapon. In the current climate, that’s frightening.”
That’s not all. The burgeoning Internet of Things space is ripe for exploitation in the same way, with cybercriminals likely to hold firms ransom by effectively taking over their smart devices.
“By taking a code-signing certificate and changing the entity it obeys, a hacker can change the firmware on a smart device to take control of it. Now when that sensor or smart device calls back to the ‘mothership’ who does it trust? The bad guy,” he explained.
“From a single point of compromise – the digital certificate – hackers and cybercriminals can take over a whole network of hundreds, thousands or even millions of smart ‘things’. This can then be used to blackmail companies – either cease operations, take on huge disruption, or pay up.”
Now, Venafi certainly has a vested interest in talking up the potential damage that abuse of certs and keys could cause.
But this is already happening in the wild with real consequences for organizations and their customers around the world.
Unfortunately 2016 is likely to see things get a lot worse before CISOs start to give this their full attention.
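Bocek’s firmware scenario above is worth seeing in code, because it shows exactly why a stolen key is a single point of compromise: the device’s signature check passes for the attacker’s image just as it does for the vendor’s, and only revocation (which the device must actually consult) closes the hole. The following is an added example written for this post, not code from Venafi or any vendor; the CA name, the serial number 1001 and the firmware bytes are constructed, and revocation is modelled as an in-memory list of serial numbers standing in for a CRL or OCSP check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SigningIdentity pairs a certificate with the private key behind it.
type SigningIdentity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// makeIdentity generates a P-256 key, issues tmpl under parent (self-signed
// when parent is nil) and returns the resulting identity.
func makeIdentity(tmpl *x509.Certificate, parent *SigningIdentity) (*SigningIdentity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parentCert, parentKey := tmpl, key
	if parent != nil {
		parentCert, parentKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &SigningIdentity{Cert: cert, Key: key}, nil
}

// NewCA creates the self-signed root that devices are provisioned to trust.
func NewCA(name string) (*SigningIdentity, error) {
	return makeIdentity(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil)
}

// IssueCodeSigner issues a leaf certificate usable only for code signing.
func IssueCodeSigner(ca *SigningIdentity, serial int64, name string) (*SigningIdentity, error) {
	return makeIdentity(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, ca)
}

// SignFirmware produces a DER-encoded ECDSA signature over SHA-256(image).
func SignFirmware(signer *SigningIdentity, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, signer.Key, digest[:])
}

// Verifier is the device-side check: trusted roots plus a revocation list
// (an in-memory stand-in for a CRL or OCSP response; assumption for this example).
type Verifier struct {
	Roots   *x509.CertPool
	Revoked map[string]bool // revoked certificate serial numbers, decimal
}

// VerifyFirmware accepts an image only if the signer is not revoked, chains to a
// trusted root with the code-signing EKU, and actually signed this image.
func (v *Verifier) VerifyFirmware(signer *x509.Certificate, image, sig []byte) error {
	if v.Revoked[signer.SerialNumber.String()] {
		return errors.New("signing certificate has been revoked")
	}
	opts := x509.VerifyOptions{Roots: v.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	digest := sha256.Sum256(image)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match image")
	}
	return nil
}

func main() {
	ca, err := NewCA("Example Vendor Root CA") // constructed name
	if err != nil {
		panic(err)
	}
	signer, err := IssueCodeSigner(ca, 1001, "Example Vendor Firmware Signing")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	dev := &Verifier{Roots: roots, Revoked: map[string]bool{}}

	good := []byte("sensor firmware 1.0") // constructed image
	sig, _ := SignFirmware(signer, good)
	fmt.Println("vendor image:", dev.VerifyFirmware(signer.Cert, good, sig))

	// The attacker holds the stolen key and cert, so a backdoored image verifies too.
	evil := []byte("sensor firmware 1.0 + new mothership")
	evilSig, _ := SignFirmware(signer, evil)
	fmt.Println("stolen-key image:", dev.VerifyFirmware(signer.Cert, evil, evilSig))

	// Only revoking the certificate, and the device honouring that, rejects it.
	dev.Revoked[signer.Cert.SerialNumber.String()] = true
	fmt.Println("after revocation:", dev.VerifyFirmware(signer.Cert, evil, evilSig))
}
```

The middle call is the whole story: the device has no way to tell vendor from thief while both hold the same key. That is why key custody (HSMs, short-lived signing certs, and a revocation path the fleet actually checks) matters more than the signature algorithm itself.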
Just finished an interesting story from security firm Damballa on mobile malware.
Breaking ranks with most of the rest of the industry, the vendor suggests in its new report that the amount of mobile malware actually active on US networks is pretty minimal, and that if most users stick to the official app stores they should steer pretty clear of danger.
Indeed, in its analysis of half of the mobile traffic in the US, it found that only 0.0064% of devices – 9,688 out of 151 million – contacted a domain on its mobile blacklist.
This was down from the 0.015% that did so in 2012.
Now the caveat is that this is just in the US, and only focusing on malicious network traffic rather than installs, but it’s still a pretty interesting piece of research.
It tends to fly in the face of the picture painted by many anti-malware companies, some of which are perhaps talking slightly disingenuously about a malware epidemic on Android.
There undoubtedly is an awful lot of malware designed for Android. But how much of it actually makes its way onto users’ devices? Especially if those users stick to the first-party app stores.
I’ve a feeling that if you took China and Russia out of the equation, for example, the Android malware problem wouldn’t be even remotely as acute.
“I do not know when if ever mobile malware (as we see it on the PC) will become a problem on mobile devices. I really think the app stores can control distribution of ‘money-making’ malware,” Damballa CTO Brian Foster told me by email.
“The risks and threats around insecure cloud apps or insecure access to cloud apps are already here. The risk of losing your device and giving a 3rd party inappropriate access to your data is already here.”
It is those latter risks that IT managers would do well to get a handle on, says Foster.
Another part of the research worth mentioning is that only 1.3% of the hosts contacted by mobile devices were absent from the set of hosts seen in historical non-cellular traffic.
This means that mobile apps are using the same hosting infrastructure as desktop applications and, as such, IT security teams can apply the same network-based controls – domain reputation checks, blacklist matching and so on – to mobile traffic.
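The Damballa measurement described above boils down to a join between resolver or proxy logs and a domain reputation list, counted per device rather than per request. As an added example (not Damballa’s code, and the log lines, device IDs and blacklist entries are constructed for it), the snippet below does that join in Go. The one detail worth getting right is that reputation lists are domain-based, so a hit must match the listed domain or any subdomain of it, and nothing else: naive substring matching would flag `notevil-c2.example` and miss nothing, while exact matching would miss `sub.update.evil-c2.example`.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of resolver log lines: "<device-id> <queried-host>".
const sampleLog = `dev-001 api.weather.example
dev-002 cdn.example.net
dev-003 update.evil-c2.example
dev-001 mail.example.org
dev-004 sub.update.evil-c2.example.
dev-002 notevil-c2.example
dev-005 api.weather.example`

// Constructed blacklist; every subdomain of an entry counts as bad too.
var blacklist = map[string]bool{
	"evil-c2.example": true,
	"bad.example.org": true,
}

// Blocked reports whether host, or any parent domain of it, is on the list.
// The trailing dot of a fully qualified name is ignored.
func Blocked(host string, list map[string]bool) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for {
		if list[host] {
			return true
		}
		i := strings.Index(host, ".")
		if i < 0 {
			return false
		}
		host = host[i+1:] // walk up one label: a.b.c -> b.c -> c
	}
}

// ScanResult summarises one pass over the log.
type ScanResult struct {
	Devices int      // distinct devices seen
	Flagged []string // devices that contacted a blacklisted host, sorted
}

// Fraction is the share of devices that touched a blacklisted host.
func (r ScanResult) Fraction() float64 {
	if r.Devices == 0 {
		return 0
	}
	return float64(len(r.Flagged)) / float64(r.Devices)
}

// ScanLog counts distinct devices and flags those whose queries hit the list.
func ScanLog(log string, list map[string]bool) (ScanResult, error) {
	seen, bad := map[string]bool{}, map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			return ScanResult{}, fmt.Errorf("malformed line: %q", sc.Text())
		}
		seen[f[0]] = true
		if Blocked(f[1], list) {
			bad[f[0]] = true
		}
	}
	if err := sc.Err(); err != nil {
		return ScanResult{}, err
	}
	res := ScanResult{Devices: len(seen)}
	for d := range bad {
		res.Flagged = append(res.Flagged, d)
	}
	sort.Strings(res.Flagged)
	return res, nil
}

func main() {
	res, err := ScanLog(sampleLog, blacklist)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d of %d devices (%.4f%%) contacted a blacklisted host: %v\n",
		len(res.Flagged), res.Devices, 100*res.Fraction(), res.Flagged)
}
```

Counting devices rather than queries is what keeps a single chatty infection from inflating the headline figure; on the constructed sample two of five devices are flagged, which is the same statistic Damballa reports as 9,688 out of 151 million.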
F-Secure security advisor, Sean Sullivan, agreed that most Western netizens would be safe sticking to the authorised channels.
He admitted to me too via email that the mobile malware epidemic had been “overstated by *some* in the AV industry”.
However, he felt justified in sharing threat intelligence on new mobile malware, given that F-Secure’s customer-base stretches far and wide globally.
“We don’t just sell mobile AV – we sell mobile security with multiple security features and sell/bundle it with our other services in our cross-platform ‘SAFE’ offering,” he explained. “When you buy our PC software, you also get Android software – it’s all part of the package.”
That’s completely understandable and I think even if Vendor A doesn’t sell into markets where mobile threats are higher risk (like Asia, for example) they still have a responsibility to reveal major new discoveries.
However, unfortunately it doesn’t take much for responsible disclosure of threat intelligence to turn into FUD-y marketing hyperbole.
The threat of employees, whether careless or malicious, compromising information security has been around for as long as there have been computer systems. But you would have thought that by now CISOs would have got a handle on it.
Not so, according to a new report from training and research firm the SANS Institute which I’ve just covered for Infosecurity Magazine.
It found that although three-quarters of IT security pros are concerned about the insider threat, a third have no means of defending against it, and around half either don’t know how much they’re spending on it or have no idea what the potential losses would be.
From JPMorgan to Chesapeake, the dangers of failing to properly mitigate internal risks are clear to see, but firms seem to be slow on the uptake.
According to Roy Duckles, EMEA Channel Director at Lieberman Software, it’s a lack of “visibility, accountability and auditability” which is to blame.
“There is an assumption that if a person or group have the ‘keys to the kingdom’ with full admin rights across an enterprise, that this is a viable and effective way to apply security policies,” he told me.
“Where most businesses fail is that this approach not only reduces security, but it makes it almost impossible to see who is changing what, on which systems, at what time, and the effect and risk that it has on a business.”
Firms therefore need to remove privileges where possible, introduce 2FA and prevent admins “knowing” which passwords get them into systems, he advised.
Sagie Dulce, security researcher at Imperva, told me by email that organisations lack “budget, training, technology and an incident response plan” for when a breach occurs.
“Obviously, the first thing organizations must do is put some resources into the insider threat. The second thing organizations must do is prioritise: ask themselves what are the most important things they are trying to protect?
Once they know what they are trying to protect they should consider:
- Is it Personal Information, emails, code etc?
- Is the data structured, unstructured?
- Is it found on databases, file shares?
- Who has access to this data and how (from special terminals, via VPN, 3rd party partners etc.)?”
Finally I asked David Chismon, security consultant at MWR InfoSecurity, who reiterated the principle of least privilege: employees should be given the minimum access necessary to do their jobs.
Investing in systems to spot insider abuse could also help protect organisations against targeted attacks which spearphish users and abuse their access, he argued.
“For example, organisations are able to detect when an employee’s account is used to try and access data it shouldn’t or if a large amount of data is being exfiltrated,” Chismon explained. “It doesn’t matter at that stage if it is the employee misusing their account or an external attacker who has compromised the network.”
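Chismon’s two detections, an account touching data outside its normal remit and an account moving an unusual volume of data, are simple enough to show end to end. The following is an added example written for this post, not code from MWR InfoSecurity or from the SANS report; the access log lines, the user names, the per-user path baseline and the 50 MB threshold are all constructed. It deliberately reports only what the account did, because, as Chismon says, at that stage it does not matter whether the insider or an attacker holding their credentials is behind it.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Access is one parsed file-access event.
type Access struct {
	Time, User, Resource string
	Bytes                int64
}

// Alert is one finding: Kind is "out-of-baseline" or "volume".
type Alert struct {
	User, Kind, Detail string
}

// Constructed sample log: "<time> <user> <resource> <bytes read>".
const sampleLog = `2015-05-01T09:00:01Z alice hr/payroll.xlsx 120000
2015-05-01T09:03:10Z bob eng/src/repo.tar 5000000
2015-05-01T09:05:42Z bob hr/payroll.xlsx 120000
2015-05-01T09:06:00Z bob hr/salaries.csv 80000
2015-05-01T10:15:30Z carol eng/src/repo.tar 5000000
2015-05-01T10:20:00Z carol eng/builds/release.zip 60000000
2015-05-01T11:00:00Z alice hr/contracts/acme.pdf 300000`

// Constructed baseline: path prefixes each account is expected to touch,
// derived in practice from role or from historical access.
var baseline = map[string][]string{
	"alice": {"hr/"},
	"bob":   {"eng/"},
	"carol": {"eng/"},
}

// ParseLog turns the space-separated log into events, rejecting malformed lines.
func ParseLog(log string) ([]Access, error) {
	var events []Access
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", sc.Text())
		}
		n, err := strconv.ParseInt(f[3], 10, 64)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad byte count in %q", sc.Text())
		}
		events = append(events, Access{Time: f[0], User: f[1], Resource: f[2], Bytes: n})
	}
	return events, sc.Err()
}

// inBaseline is true if the resource sits under one of the user's expected prefixes.
// An unknown user has no prefixes, so every access is flagged.
func inBaseline(user, resource string, policy map[string][]string) bool {
	for _, p := range policy[user] {
		if strings.HasPrefix(resource, p) {
			return true
		}
	}
	return false
}

// Detect flags each access outside the user's baseline (in log order) and then
// every user whose total bytes read exceed byteLimit (in user order).
func Detect(events []Access, policy map[string][]string, byteLimit int64) []Alert {
	var alerts []Alert
	totals := map[string]int64{}
	for _, e := range events {
		totals[e.User] += e.Bytes
		if !inBaseline(e.User, e.Resource, policy) {
			alerts = append(alerts, Alert{e.User, "out-of-baseline",
				fmt.Sprintf("%s read %s at %s", e.User, e.Resource, e.Time)})
		}
	}
	users := make([]string, 0, len(totals))
	for u := range totals {
		users = append(users, u)
	}
	sort.Strings(users)
	for _, u := range users {
		if totals[u] > byteLimit {
			alerts = append(alerts, Alert{u, "volume",
				fmt.Sprintf("%s read %d bytes, limit %d", u, totals[u], byteLimit)})
		}
	}
	return alerts
}

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(events, baseline, 50000000) { // constructed 50 MB threshold
		fmt.Printf("[%s] %s\n", a.Kind, a.Detail)
	}
}
```

On the sample this raises two out-of-baseline alerts for bob (an engineering account reading HR files) and one volume alert for carol (65 MB against a 50 MB limit). The baseline is where the real work lies: a prefix list per user is fine for a demonstration, but in production it would be learned from months of access history and tied to the data classification Dulce describes above.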