Appsec and cloud security skills are the most in demand, and a shortage of staff is wearing on security teams, a new study shows.
Landing a job in cybersecurity is the easy part. It’s what happens later that’s trickier for a high percentage of cybersecurity professionals.
A new report by Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) shows that people with IT security skills continue to be a blazing-hot commodity because of a deepening skills shortage. However, a continuing lack of training, career development, and long-term planning means that many of them go through their careers overworked, over-stressed – and with little strategic direction.
Organizations should demonstrate care and the willingness to invest in employees and staff, says Candy Alexander, president of ISSA International. “Do not treat them as a resource that is easily replaced because they are not. Take time to understand their role and position. Don’t be afraid to ask questions and keep the dialog open.”
Some 73% of the 327 total cybersecurity professionals and ISSA members interviewed for the report professed to being contacted by recruiters for other jobs at least once a month. Nearly one-quarter (24%) say they receive such solicitations multiple times a week, and another 16% at least once a week.
The data shows that the market for cybersecurity talent continues to be a “seller's market,” according to the report (the fourth on the topic by ESG and ISSA in as many years). Some 70% of survey respondents said their organizations had been impacted by a skills shortage, and 45% described the situation as having worsened over the past few years.
The areas with the most significant skills shortages are application security and cloud security, with 33% and 31%, respectively, of the respondents identifying it as their biggest pain point. Other areas with high demand included security analysis and investigations (29%) and security engineering (26%).
Multiple Job Challenges
The survey shows that while demand for IT security skills continues to handily outstrip supply, those already in the profession face a slew of challenges.
One of them is being overworked. Since many organizations are short-staffed, existing staff have to take on more work. Fifty-eight percent say increased workload is the biggest impact of the skills shortage.
Because of the increased workload, existing staff have little opportunity to use technology to its full potential and little time to work with business units. Instead, many spend a disproportionate amount of time on incident response and other firefighting. Unsurprisingly, 34% named burnout and a high attrition rate as two big consequences of the security skills shortage for existing staff.
Disturbingly, the pace and pressure of the job are pushing at least some to depression, alcoholism, and drug addiction, according to the report. Twenty-nine percent say they or someone they know has experienced significant personal issues as a result of job-related stress.
Career progression and career growth are another factor. Sixty-three percent of the survey respondents were relatively new to the profession, with less than three years' experience. Yet less than one-third (32%) of the security professionals in the ESG/ISSA study believe they have a well-defined career path and a plan to get to the next level. Twenty-eight percent say they have neither a path nor a plan, and 40% have some idea but described it as not a well-defined plan.
Many security professionals enhance their security skills on the fly, simply by jumping from job to job, rather than in a formal, systematic way. Some 43% said that having a mentor, a standardized career map, and technical training were critical to moving to the next level. Nearly seven in 10 say the most effective way to increase their knowledge, skills, and abilities (KSAs) is through specific security training courses; 65% say participation in professional organizations and events is critical to that goal.
“From [an] industry perspective, it is critical for the profession to work together to define a globally accepted professional career map,” Alexander says. The map would need to detail “what exactly a cybersecurity profession is and what KSAs for each level are needed to be successful,” she adds.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
GitHub Says Developers Often Need Years to Address Some of the Vulnerabilities
As a new GitHub report reveals, developers often need years to address some of the vulnerabilities introduced in their software.
Based on an analysis of more than 45,000 active repositories, the report shows that it typically takes seven years for vulnerabilities in Ruby packages to be addressed, whereas those in npm are usually patched in five years. This is because they are often left undetected or unnoticed.
The Microsoft-owned platform explains that the repositories taken into consideration for the report use one of six supported package ecosystems (Composer, Maven, npm, NuGet, PyPI, or RubyGems) and have the dependency graph enabled.
“Security vulnerabilities often go undetected before being disclosed for more than four years. The package maintainer and security community typically create and release a fix in just over four weeks once they are identified,” GitHub notes.
The software hosting platform also notes that most of the vulnerabilities identified in software are the result of coding errors and do not represent malicious attacks. The analysis of 521 advisories, however, revealed that 17% of them were linked to malicious behaviour.
Security vulnerabilities can impact software directly or through its dependencies (any code referenced and bundled to make a software package work). That is, the report says, code can be vulnerable either because it contains vulnerabilities itself or because it relies on dependencies that contain vulnerabilities.
The report also notes that CVE-2020-8203 (Prototype Pollution in lodash, one of the most commonly used npm packages) could be considered the most impactful bug of the year, as it triggered more than five million alerts from Dependabot.
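The lodash advisory above belongs to the prototype pollution class, where a recursive object merge walks into `__proto__` and writes attacker-chosen keys onto `Object.prototype`, so every object in the process inherits them. The following is an added JavaScript illustration, not lodash's code and not taken from GitHub's report: a toy deep merge that has the bug, the hardened form a maintainer would ship instead, a constructed hostile payload, and a canary check that a test suite can run after processing untrusted input. The function and variable names are my own.

```javascript
// Added illustration (not lodash's code, not from GitHub's report): a toy
// recursive merge open to prototype pollution, the hardened version, and a
// check that shows the difference on a constructed payload.

// Naive deep merge: copies every enumerable key from src into dst, recursing
// into nested objects. It never asks whether a key is "__proto__", so a JSON
// body such as {"__proto__": {"isAdmin": true}} makes dst["__proto__"] resolve
// to Object.prototype and the recursion writes isAdmin onto it.
function unsafeMerge(dst, src) {
  for (const key in src) {
    const value = src[key];
    if (value !== null && typeof value === 'object') {
      if (dst[key] === null || typeof dst[key] !== 'object') dst[key] = {};
      unsafeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Keys that name the prototype chain rather than data. Refusing them is the
// standard fix for this bug class.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened deep merge: iterates own keys only, skips prototype-related keys,
// and only descends into properties that dst itself owns as plain objects.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || dst[key] === null || typeof dst[key] !== 'object') dst[key] = {};
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Merges a constructed hostile payload (labelled: this is made-up test input)
// into a fresh object with the given merge function and reports whether an
// unrelated object then inherits the injected property. Object.prototype is
// cleaned afterwards so later code in the process is unaffected.
function pollutes(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}, "name": "guest"}');
  const target = {};
  try {
    mergeFn(target, payload);
    const bystander = {};
    return bystander.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

// Runtime canary: Object.prototype's built-in members are non-enumerable, so
// any enumerable own key on it is evidence that something polluted it.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

console.log('unsafeMerge pollutes Object.prototype:', pollutes(unsafeMerge)); // true
console.log('safeMerge pollutes Object.prototype:', pollutes(safeMerge));     // false
console.log('prototype clean afterwards:', prototypeIsClean());               // true
```

The `prototypeIsClean` canary is cheap enough to run in CI after fuzzing a parser or merge routine with untrusted JSON, and it catches pollution regardless of which key the payload injected. Dependabot alerts such as the five million mentioned above tell you the dependency is affected; a check like this tells you whether your own code paths actually let hostile input reach it.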
IOTW: A Pennsylvania County Pays Ransomware Ransom Covered Under Insurance Plan
Delaware County, Pennsylvania, agrees to pay a $500,000 ransom after being hacked by DoppelPaymer ransomware.
Delaware County, Pennsylvania, took parts of its network offline the weekend of November 21st after discovering a security breach. Delaware County released the following statement regarding the attack: “The County of Delaware recently discovered a disruption to portions of its computer network. We commenced an immediate investigation that included taking certain systems offline and working with computer forensic specialists to determine the nature and scope of the event. We are working diligently to restore the functionality of our systems.”
Local media reports list payroll, police reports, and purchasing reports among the systems encrypted by the attackers. In response, Delaware County decided to pay the $500,000 ransom. The county has cyber security insurance and will be minimally impacted by the hack financially.
Pennsylvania has been the target of several lawsuits from the Trump campaign alleging voter fraud, which were rejected by Pennsylvania’s high court. However, the lawsuits have spawned disinformation campaigns that are taking hold with varying success across the nation. Delaware County addressed election security concerns in relation to the attack, stating, “The Bureau of Elections and Emergency Services are separate computer networks from The County of Delaware and there is no evidence they were impacted by the disruption.”
The county is working with forensic specialists in an ongoing investigation and promises to update its residents when the investigation is over.
There is an ongoing debate on whether or not ransoms should be paid to cyber criminals. In the case of Delaware County, its cyber security insurance covered the hefty fee. In return, encrypted systems critical to running the county were decrypted quicker—and possibly cheaper—than they would have been had the county hired outside experts to recover the systems.
Still, every successful ransomware attempt lines the pockets of hackers, who often reinvest a portion of their profits into further advancing their schemes. It also emboldens cyber criminals to target likely carriers of cyber insurance, including government and healthcare agencies.
In other words, relying on cyber security insurance to pay ransoms is a double-edged sword. A March 11 report released by Deloitte uncovered that, “For every dollar in premiums collected from policyholders, insurers paid out roughly 35 cents in claims, making cyber insurance nearly twice as profitable as other types of insurance.” Not paying the ransom, especially for holders of insurance, can feel like a bad business move, but such a decision may be short-sighted.
In the same Ransoming Government report, Deloitte offers a third option: “Building well, operating well, and responding well.”
- Building well is a first line of defense. A well-built systems architecture compartmentalizes and manually backs up mission-critical data.
- Operating well entails risk mitigation through proper cyber security hygiene. Examples include regular system updates and timely application and security patches. Additionally, investments must be made toward ongoing staff training and evaluation.
- Responding well is the third element, because cyber incidents are never 100% preventable, so every good cyber security plan needs a holistic response strategy. Constantly deploying new technologies to combat and remediate cyber attacks ensures that response technology is as up to date as possible, utilizing powerful new tools such as AI and ML. Additionally, building a network of cyber security know-how and experience helps to shine a light into the shadows. By sharing and reporting cyber security incidents, enterprises and governments can work together to get to the bottom of new schemes and prevent them from running rampant.
It is possible that dependence on cyber security insurance will have a negative blowback effect. If ransoms continue to be successful, ransom rates will continue to increase. If ransom rates continue to increase, insurance policies may enact certain prerequisites and increase rates. Thus, it is advantageous for all parties to do their best toward thwarting and mitigating ransomware attacks.
TrickBot Can Now Scan the UEFI/BIOS Firmware of Targeted Systems for Vulnerabilities
Security researchers have found that TrickBot has been upgraded with features that enable it to check the targeted system’s UEFI/BIOS firmware for vulnerabilities.
The malware, active since 2016, recently survived a takedown attempt that left most of its command and control (C&C) infrastructure unresponsive. Since then it has received many upgrades that not only allow it to continue operating, but also make it better able to survive similar attempts.
According to Advanced Intelligence (AdvIntel) and Eclypsium security researchers, the newly added features use readily available tools to detect weaknesses that would let attackers modify the UEFI/BIOS firmware.
By exploiting those weaknesses, TrickBot operators might start using firmware implants and backdoors, or move to bricking targeted devices. They could also monitor the boot process and take complete control of compromised devices.
Firmware-level malware is strategically important, as Eclypsium points out: attackers can ensure that their code runs first and is hard to detect, and can stay concealed for very long periods of time before the firmware or hard drive of the device is replaced.
TrickBot has proved to be one of today’s most adaptable pieces of malware, constantly adding new features to escalate privileges, spread to new computers, and maintain persistence on the host. Eclypsium states that the inclusion of UEFI features represents a significant advance in this continuing development, expanding its focus beyond the device’s operating system.
This is not the first time that the creators of TrickBot, who are thought to be none other than the cybercriminals behind the Dyre Trojan, have shown an interest in reusing existing, publicly known techniques and vulnerabilities.
For their destructive activities they have previously incorporated Mimikatz and EternalBlue, and they are now using an obfuscated variant of the RwDrv.sys driver from the RWEverything (read-write everything) tool to reach the SPI controller and check whether the BIOS can be modified.
The LoJax ransomware attacks and the Slingshot APT campaign are prior incidents in which cybercriminals exploited such capabilities to maintain firmware persistence.
As the researchers clarify, the new TrickBot module interacts with the SPI controller to check whether BIOS write protections are enabled. Although the module does not itself modify the BIOS, the malware includes code that can read and update the firmware.
This new ability gives TrickBot operators a means to brick any computer they deem vulnerable. Recovery from compromised UEFI firmware requires the motherboard to be patched or re-flashed, which is more labor-intensive than merely re-imaging or replacing a hard disk, the researchers note.
What CISO's Need To Know About Risk Based Cyber Security
Episode 160 of Task Force 7 Radio
Cyber Security Hub recently asked the community “What is the last thing to do in 2020?” Not surprisingly, a consistent response was manage risk. Both taking inventory of risk and budgeting or insuring for risk came up on the list.
Every cyber security executive has to express the value of security activities in terms of measurable and defined outcomes based on risk reduction. This requires a rich understanding of the threat environment, a clear appreciation of the concept of criticality, and an awareness of the potential impact of cyberattacks from an operational business standpoint. Senior Vice President of Global Intelligence for Recorded Future, Mr. Levi Gundert rejoins co-host Andy Bonillo on Episode #160 of Task Force 7 Radio to give a readout on his new book The Risk Business: What CISO’s Need to Know About Risk-Based Cyber Security. Levi discusses the case for risk-based cyber security, how risk is the language of business, threat-driven vs. compliance-driven security, and what risk-driven security programs look like.