Connect with us

Cyber Security

Ill-Defined Career Paths Hamper Growth for IT Security Pros

Avatar

Published

on

Appsec and cloud security skills are the most in demand, and a shortage of staff is wearing on security teams, a new study shows.

Landing a job in cybersecurity is the easy part. It’s what happens later that’s trickier for a high percentage of cybersecurity professionals.

A new report by Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) shows people with IT security skills continue to be a blazing-hot commodity because of a deepening skills shortage. However, a continuous lack of training, career-development, and long-term planning often results in many of them largely going through their careers overworked, over-stressed – and with little strategic direction.

Organizations should demonstrate care and the willingness to invest in employees and staff, says Candy Alexander, president of ISSA International. “Do not treat them as a resource that is easily replaced because they are not. Take time to understand their role and position. Don’t be afraid to ask questions and keep the dialog open.”

Some 73% of the 327 total cybersecurity professionals and ISSA members interviewed for the report professed to being contacted by recruiters for other jobs at least once a month. Nearly one-quarter (24%) say they receive such solicitations multiple times a week, and another 16% at least once a week.

The data shows that the market for cybersecurity talent continues to be a “sellers market,” according to the report (the fourth on the topic by ESG and ISSA in as many years). Some 70% of survey respondents said their organizations had been impacted by a skills shortage and 45% described the situation as having worsened over the past few years.

The areas with the most significant skills shortages are application security and cloud security, with 33% and 31%, respectively, of the respondents identifying it as their biggest pain point. Other areas with high demand included security analysis and investigations (29%) and security engineering (26%).

Multiple Job Challenges

The survey shows that while demand for IT security skills continue to handily outstrip supply, those already in the profession face a slew of challenges.

One of them is being overworked. Since many organizations are short-staffed, existing staff has to take on more work. Fifty eight percent say increased workload is the biggest impact of the skills shortage.

Because of the increased workload, existing staff has little opportunity to utilize technology to their full potential or have little time to work with business units. Instead, many spend a disproportionate amount of time on incident response and other firefighting operations. Unsurprisingly, 34% described burnout and a high attrition rate as two big consequences on existing staff from the security skills shortage.

Disturbingly, the pace and pressure of the job are pushing at least some to depression, alcoholism, and drug addiction, according to the report. Twenty-nine percent say they or someone they know has experienced significant personal issues as a result of job-related stress.

Career Paths

Career progression and career growth are another factor. Sixty-three percent of the survey respondents were relatively new to the profession, with less than three years experience. Yet, less than one-third (32%) of the security professionals in the ESG/ISSA study believe they have a well-defined career-path and a plan to get to the next level. Twenty-eight percent say they don’t have a path or a plan, and 40% have some idea, but described it as not a well-defined plan.

Many security professionals enhance their security skills on the fly simply by jumping from job to job and not in a formal, systematic way. Some 43% said that having a mentor, a standardized career map, and technical training were critical to moving to the next level. Nearly seven in 10 say the most effective method to increase their knowledge, skills, and abilities (KSA) is via specific security training courses; 65% say participation in professional organizations and events is critical to that goal.

“From [an] industry perspective, it is critical for the profession to work together to define a globally accepted professional career map,” Alexander says. The map would need to detail “what exactly a cybersecurity profession is and what KSAs for each level are needed to be successful,” she adds.

Related Content:

Register now for this year’s fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Recommended Reading:

More Insights

Source: https://www.darkreading.com/cloud/ill-defined-career-paths-hamper-growth-for-it-security-pros/d/d-id/1338502?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cyber Security

Bitglass Security Spotlight: Over 200k Instacart Users’ Data Is Being Sold on Dark Web

Avatar

Published

on

[ This article was originally published here ]

Here are the top stories of recent weeks:

  • Instacart Customer Data for Sale on Dark Web
  • 17 Million users exposed on SaaS platform
  • First American Financial Corp. Charged Over 2019 Breach
  • COVID-19 Research Data Hacked by Chinese Contractors
  • University of York, the Latest Victim of a Data Breach

Avatar

Source: https://www.cybersecurity-insiders.com/bitglass-security-spotlight-over-200k-instacart-users-data-is-being-sold-on-dark-web/?utm_source=rss&utm_medium=rss&utm_campaign=bitglass-security-spotlight-over-200k-instacart-users-data-is-being-sold-on-dark-web

Continue Reading

Cyber Security

Reddit Attack Defaces Dozens of Channels

Avatar

Published

on

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database CVE-2020-15058
PUBLISHED: 2020-08-07

Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.

CVE-2020-15059
PUBLISHED: 2020-08-07

Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.

CVE-2020-15060
PUBLISHED: 2020-08-07

Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.

CVE-2020-15061
PUBLISHED: 2020-08-07

Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.

CVE-2020-15062
PUBLISHED: 2020-08-07

DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.

Source: https://www.darkreading.com/attacks-breaches/reddit-attack-defaces-dozens-of-channels/d/d-id/1338614?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Continue Reading

Cyber Security

Researcher Finds New Office Macro Attacks for MacOS

Avatar

Published

on

Building successful macro attacks means getting past several layers of security, but a Black Hat speaker found a way through.

Microsoft Office is no stranger to vulnerabilities and exploits. Most of those vulnerabilities led from Microsoft Office to Microsoft Windows, but it’s possible for an attacker to take an exploit path from Microsoft Office to macOS — a path that Patrick Wardle, principal security researcher at Jamf, discussed in his presentation on Wednesday at Black Hat USA.

Wardle began by pointing out that macros — executable code inserted into documents — have been exploited as attack vectors since at least 1999. In the last three or four years, Wardle said, more of these exploits have been aimed at macOS targets as Macs have become more attractive targets because of their increased use in business environments.

The Human Side
In most of the macro-based attacks, human intervention on the part of the victim is required at least once, and usually twice, Wardle said. First, the victim must click on an email attachment or malicious link in order to download and open the infected document. Next, in most cases macros will not run on a system by default — they must be given explicit permission to run by the user.

Most macro-based attacks have two stages, Wardle explained. In the first — the stage given explicit permission to run by the victim — code executes that checks the system status, checks for the presence of anti-malware software, and then downloads the second stage. It’s the second stage payload that contains the “working” code of the attack, whether it’s skimming credentials, creating a bot, or encrypting the system’s data as part of a ransomware scheme.

Out of the (Sand)box
Modern malware writers have an additional hurdle to overcome. Microsoft Office now executes all macros in a “sandbox,” a walled-off environment within the operating system that prevents code from gaining persistence or interacting with the system as a whole. The goal for malware writers is breaking out of the sandbox.

Wardle said that researchers Pieter Ceelen and Stan Hegt found ways to include SYLK files and XLM code that make macros execute whether or not they’re invoked or allowed. They still run within the sandbox. Wardle showed that it’s possible to create files through a macro — files that can be placed outside the macro and can be built to auto execute on system boot. That combination is the key to persistence, one of the golden tickets that attackers pursue in any campaign.

What kind of files can fit the twin bill? Wardle found that a ZIP file, dropped into the proper subdirectory, will be invoked automatically. While the latest macOS endpoint security framework should detect such a file’s creation, Wardle said that there’s room for research here.

Asked by an audience member how he decides on which areas to pursue in his research, Wardle said that he looks at common vulnerabilities and exposures and their patches — especially patches that are very specific — and wonders whether there can be ways around them. Also, he said, he keeps abreast of research and finds that other researchers are a constant source of inspiration.

Related content

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Recommended Reading:

More Insights

Source: https://www.darkreading.com/endpoint/researcher-finds-new-office-macro-attacks-for-macos/d/d-id/1338610?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Continue Reading
AR/VR4 hours ago

The VR Job Hub: Asobo Studio, ARVI & Fun Train

Blockchain11 hours ago

Yield Farming Fuels Buzz Around DeFi, but Fundamentals Are Lagging

Blockchain17 hours ago

South Korean Beachgoers Can Now Use Bitcoin to Pay for Services

Blockchain18 hours ago

Price Highs, Bull Runs, and Thieves: Bad Crypto News of the Week

Blockchain18 hours ago

Massive Short Squeeze Prompts Chainlink (LINK) Price to Rally 52%

Blockchain18 hours ago

Cryptocurrency Cards: An Unnecessary Solution That Should Be Stopped

Blockchain20 hours ago

Kava Labs Partners with BNB48 Club to Raise BNB DeFi Awareness

Blockchain21 hours ago

Real Estate Blockchain Firm Ubitquity to Build Tokenized Title Platform

Blockchain23 hours ago

Cryptocurrency News From Japan: August 2 – August 8 in Review

Blockchain24 hours ago

Polish Financial Watchdog Impersonated by Crypto Scammers

Blockchain1 day ago

Chinese State Grid Launches Blockchain-Based Blackout Insurance Policy

Blockchain1 day ago

Mobile DeFi and the Shift Toward Self-Sovereignty

Blockchain1 day ago

BTC and ETH Crypto Derivatives in Demand, Market Expected to Grow Further

Covid191 day ago

Virginia Supreme Court Grants Temporary Moratorium on Evictions

Blockchain1 day ago

Bitcoin is Almost as Big as Bank of America

Blockchain1 day ago

The Price of Bitcoin Is Facing Its Final Resistance Zone Before $15K

AR/VR1 day ago

Virtual Reality: The Solution for the Present and Future of Events — Simlab IT

Cannabis1 day ago

FREE Webinar September 17: Hemp CBD Q&A

Blockchain1 day ago

Richard Stallman: A Discussion on Freedom, Privacy & Cryptocurrencies

AR/VR1 day ago

VR Escape Room Specialist ARVI Partners With HTC Vive to Expand Global Deployment

Blockchain1 day ago

Slow But Steady: FATF Review Highlights Crypto Exchanges’ Struggle to Meet AML Standards

Science1 day ago

Première biopsie liquide à recevoir l’approbation de la FDA pour le profilage complet des tumeurs dans tous les cancers solides, le diagnostic compagnon Guardant360® de Guardant Health gagne en crédibilité auprès des oncologues en Asie, au Moyen-Orient et en Afrique.

Covid191 day ago

2 Out Of 3 Churchgoers: It’s Safe To Resume In-Person Worship

Blockchain1 day ago

Title Token for Blockchain Estate Registry, Part 3

Blockchain1 day ago

Eerily Accurate Analyst Thinks Bitcoin Could Hit $20,000 in the Next 3 Months

Blockchain1 day ago

Ransomware Attacks Demanding Crypto Are Unfortunately Here to Stay

Science1 day ago

Ever-Glory To Report Second Quarter 2020 Earnings on August 14, 2020

Cyber Security2 days ago

Bitglass Security Spotlight: Over 200k Instacart Users’ Data Is Being Sold on Dark Web

Blockchain2 days ago

Analysts Fear an Ethereum Drop to $300 As Price Becomes “Heavy”

Science2 days ago

WeissLaw LLP Reminds GRUB and NBL Shareholders About Its Ongoing Investigations

Science2 days ago

SHAREHOLDER ALERT: WeissLaw LLP Reminds OTEL and DCOM Shareholders About Its Ongoing Investigations

Science2 days ago

SHAREHOLDER ALERT: WeissLaw LLP Reminds MXIM and TORC Shareholders About Its Ongoing Investigations

Science2 days ago

WeissLaw LLP Reminds CNXM and ONDK Shareholders About Its Ongoing Investigations

Blockchain2 days ago

Major South Korean Bank Joins the Crypto Custody Business

Blockchain2 days ago

Bullish Bitcoin Price Trend Intact Even After BTC Retests $11.4K Support

Blockchain2 days ago

BitMEX Leaderboard Trader Fears Bitcoin Could See a Second “Flash Dump”

Blockchain2 days ago

Analyst: Bitcoin May “Teleport” to $13,000 if It Breaks Key Level

Blockchain2 days ago

Adam Back: Some ICOs Funded Useful Research Despite Being Unethical

Covid192 days ago

Gov. Cuomo Clears The Way For In-Person Learning At Schools In New York State

Blockchain2 days ago

An Official North Dakota Cryptocurrency Could Be on the Horizon

Trending