
Cyber Security

Ill-Defined Career Paths Hamper Growth for IT Security Pros




Appsec and cloud security skills are the most in demand, and a shortage of staff is wearing on security teams, a new study shows.

Landing a job in cybersecurity is the easy part. It’s what happens later that’s trickier for a high percentage of cybersecurity professionals.

A new report by Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) shows that people with IT security skills continue to be a blazing-hot commodity because of a deepening skills shortage. However, a continuing lack of training, career development, and long-term planning means many of them go through their careers overworked, over-stressed, and with little strategic direction.

Organizations should demonstrate care and the willingness to invest in employees and staff, says Candy Alexander, president of ISSA International. “Do not treat them as a resource that is easily replaced because they are not. Take time to understand their role and position. Don’t be afraid to ask questions and keep the dialog open.”

Some 73% of the 327 cybersecurity professionals and ISSA members surveyed for the report say they are contacted by recruiters about other jobs at least once a month. Nearly one-quarter (24%) receive such solicitations multiple times a week, and another 16% at least once a week.

The data shows that the market for cybersecurity talent continues to be a “seller’s market,” according to the report (the fourth on the topic by ESG and ISSA in as many years). Some 70% of survey respondents said their organizations had been affected by a skills shortage, and 45% said the situation had worsened over the past few years.

The areas with the most significant skills shortages are application security and cloud security, cited by 33% and 31% of respondents, respectively, as their biggest pain point. Other areas in high demand include security analysis and investigations (29%) and security engineering (26%).

Multiple Job Challenges

The survey shows that while demand for IT security skills continues to handily outstrip supply, those already in the profession face a slew of challenges.

One of them is being overworked. Since many organizations are short-staffed, existing staff have to take on more work. Fifty-eight percent say an increased workload is the biggest impact of the skills shortage on their organization.

Because of the increased workload, existing staff have little opportunity to use their security technology to its full potential and little time to work with business units. Instead, many spend a disproportionate amount of time on incident response and other firefighting. Unsurprisingly, 34% cite burnout and high attrition among existing staff as two major consequences of the skills shortage.

Disturbingly, the pace and pressure of the job are pushing at least some to depression, alcoholism, and drug addiction, according to the report. Twenty-nine percent say they or someone they know has experienced significant personal issues as a result of job-related stress.

Career Paths

Career progression and growth are another factor. Sixty-three percent of respondents were relatively new to the profession, with less than three years’ experience. Yet fewer than one-third (32%) of the security professionals in the ESG/ISSA study believe they have a well-defined career path and a plan to get to the next level. Twenty-eight percent say they have neither a path nor a plan, and 40% have some idea but describe it as not well defined.

Many security professionals enhance their security skills on the fly simply by jumping from job to job and not in a formal, systematic way. Some 43% said that having a mentor, a standardized career map, and technical training were critical to moving to the next level. Nearly seven in 10 say the most effective method to increase their knowledge, skills, and abilities (KSA) is via specific security training courses; 65% say participation in professional organizations and events is critical to that goal.

“From [an] industry perspective, it is critical for the profession to work together to define a globally accepted professional career map,” Alexander says. The map would need to detail “what exactly a cybersecurity profession is and what KSAs for each level are needed to be successful,” she adds.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.



Cyber Security

GitHub Says Developers Often Need Years to Address Some Vulnerabilities





As a new GitHub report reveals, developers often need years to address some of the vulnerabilities introduced in their software.

Based on an analysis of more than 45,000 active repositories, the report shows that vulnerabilities in Ruby packages typically take seven years to be addressed, and those in npm packages five years. Most of that time passes before anyone notices the flaw: the long tail is detection, not the fix itself.

The Microsoft-owned platform explains that repositories taken into consideration for the report use one of six supported package ecosystems (Composer, Maven, npm, NuGet, PyPI, or RubyGems) and have dependency graph enabled.

Open source dependencies are most often used in JavaScript (94 percent), Ruby (90 percent), and .NET (90 percent), according to the report. Ruby (81 percent) and JavaScript (73 percent) repositories have had the highest chance of receiving a security alert from GitHub’s Dependabot over the past 12 months.

“Security vulnerabilities often go undetected for more than four years before being disclosed. Once identified, the package maintainer and security community typically create and release a fix in just over four weeks,” GitHub notes.

The software hosting platform also notes that most of the vulnerabilities identified are the result of coding errors rather than deliberate attacks. Of the 521 advisories it reviewed, however, 17% were linked to malicious behaviour.

A security vulnerability can affect software directly or through its dependencies (any code that is referenced and bundled to make a software package work). That is, the report says, code can be vulnerable either because it contains a flaw itself or because it relies on a dependency that does.

JavaScript projects have the highest median number of direct dependencies, at ten, followed by Ruby and PHP at nine, Java at eight, and .NET and Python at six.

The report also notes that CVE-2020-8203 (Prototype Pollution in lodash, one of the most commonly used npm packages) is the vulnerability that could be considered the most impactful bug of the year as it triggered more than five million alerts from Dependabot.
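The direct-versus-transitive distinction above is what a lockfile scanner has to reconstruct before it can say which advisory applies to which installed copy of a package. The following is an added example written for this page, not GitHub’s or Dependabot’s code: it resolves an npm `lockfileVersion: 1` tree the way Node’s module lookup does (innermost nested node_modules first, then each enclosing level, then the root) and checks every installed package version against a small advisory table. The manifest and lockfile are constructed, the package names `sample-framework` and `example-parser` and the advisory `EXAMPLE-2020-0001` are hypothetical, and the lodash entry uses the CVE-2020-8203 the text names with a fixed-in version of 4.17.19 taken from the public advisory rather than from the page.

```python
"""Find vulnerable packages, direct and transitive, in an npm v1 lockfile.

Added example for this page; not GitHub's or Dependabot's code. The package
manifest, lockfile and advisory table are constructed; only the lodash
advisory id (CVE-2020-8203) comes from the text, and its fixed-in version
(4.17.19) is taken from the public advisory, not from the page.
"""
import json
from collections import deque

# Advisory table: package -> [(first_affected, fixed_in, advisory_id)].
# A version v is affected when first_affected <= v < fixed_in.
ADVISORIES = {
    "lodash": [("0.0.0", "4.17.19", "CVE-2020-8203")],
    "example-parser": [("1.0.0", "1.0.3", "EXAMPLE-2020-0001")],  # hypothetical
}

# Constructed manifest and lockfileVersion 1 tree. The framework pins an
# older lodash, so npm gives it its own nested copy under node_modules.
PACKAGE_JSON = {
    "name": "constructed-app",
    "dependencies": {"sample-framework": "^4.17.0", "lodash": "^4.17.19"},
}
LOCKFILE = {
    "name": "constructed-app",
    "lockfileVersion": 1,
    "dependencies": {
        "lodash": {"version": "4.17.20"},
        "sample-framework": {
            "version": "4.17.1",
            "requires": {"lodash": "^4.17.10", "example-parser": "^1.0.0"},
            "dependencies": {"lodash": {"version": "4.17.15"}},
        },
        "example-parser": {"version": "1.0.2", "requires": {"lodash": "^4.0.0"}},
    },
}


def parse_version(text):
    """'4.17.15' -> (4, 17, 15). Pre-release and build tags are dropped,
    which is enough for advisory bounds but is not full semver."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(name, version, advisories=ADVISORIES):
    """Return the advisory ids that apply to this exact package version."""
    v = parse_version(version)
    return [adv for lo, fixed, adv in advisories.get(name, [])
            if parse_version(lo) <= v < parse_version(fixed)]


def resolve(name, scope_chain):
    """Node-style lookup: innermost nested node_modules first, then each
    enclosing level, then the root. Returns (node, chain_where_found)."""
    for depth in range(len(scope_chain) - 1, -1, -1):
        if name in scope_chain[depth]:
            return scope_chain[depth][name], scope_chain[:depth + 1]
    return None, None


def find_vulnerable(package_json, lockfile, advisories=ADVISORIES):
    """Breadth-first walk from the direct dependencies. Each installed copy is
    reported once, with the shortest path that reaches it, as
    (path, name, version, advisory_ids). len(path) == 1 means a direct dep."""
    root = lockfile.get("dependencies", {})
    queue = deque((dep, [root], [dep]) for dep in package_json.get("dependencies", {}))
    seen, findings = set(), []
    while queue:
        name, scope_chain, path = queue.popleft()
        node, found_in = resolve(name, scope_chain)
        if node is None or id(node) in seen:  # not installed, or already visited
            continue
        seen.add(id(node))
        hits = is_affected(name, node["version"], advisories)
        if hits:
            findings.append((tuple(path), name, node["version"], hits))
        # A package's own requires resolve relative to where *it* is installed,
        # not relative to whoever required it.
        child_scope = found_in + [node.get("dependencies", {})]
        for req in node.get("requires", {}):
            queue.append((req, child_scope, path + [req]))
    return findings


def scan_files(package_json_path, lockfile_path):
    """Convenience wrapper for real files on disk."""
    with open(package_json_path) as pj, open(lockfile_path) as lf:
        return find_vulnerable(json.load(pj), json.load(lf))


if __name__ == "__main__":
    for path, name, version, hits in find_vulnerable(PACKAGE_JSON, LOCKFILE):
        kind = "direct" if len(path) == 1 else "transitive"
        print("%s %s@%s via %s: %s" % (kind, name, version, " > ".join(path), ", ".join(hits)))
```

In the constructed tree the top-level lodash 4.17.20 is clean while the nested copy the framework pinned is not; a scan that only reads the root entries of the lockfile would report the project as unaffected.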



Cyber Security

IOTW: A Pennsylvania County Pays Ransomware Ransom Covered Under Insurance Plan




Delaware County, Pennsylvania, agreed to pay a $500,000 ransom after a DoppelPaymer ransomware attack.


Delaware County, Pennsylvania, moved some of its network offline the weekend of November 21st after discovering a security breach. Delaware County released the following statement regarding the attack: “The County of Delaware recently discovered a disruption to portions of its computer network. We commenced an immediate investigation that included taking certain systems offline and working with computer forensic specialists to determine the nature and scope of the event. We are working diligently to restore the functionality of our systems.” 

Local media reports list payroll, police reports, and purchasing reports as a few of the systems that were encrypted by hackers. In response, Delaware County made the decision to pay the $500,000 ransom. The county has cyber security insurance and will be minimally impacted by the hack financially.

Pennsylvania has been the target of several lawsuits from the Trump campaign alleging voter fraud, which Pennsylvania’s high court rejected. The lawsuits have nonetheless spawned disinformation campaigns that are taking hold with varying success across the nation. Delaware County addressed election-security concerns about the attack, stating, “The Bureau of Elections and Emergency Services are separate computer networks from The County of Delaware and there is no evidence they were impacted by the disruption.”


The county is working with forensic specialists in an ongoing investigation and promises to update its residents when the investigation is over.

Lessons Learned

There is an ongoing debate over whether ransoms should be paid to cyber criminals. In Delaware County’s case, its cyber security insurance covered the hefty fee. In return, the encrypted systems critical to running the county were decrypted faster, and possibly more cheaply, than rebuilding them or restoring them from backups with outside help would have been.

Still, every successful ransomware attempt lines the pockets of hackers, who often reinvest a portion of their profits into further advancing their schemes. It also emboldens cyber criminals to target likely carriers of cyber insurance, including government and healthcare agencies.


In other words, relying on cyber security insurance is a double-edged sword. A March 11 report released by Deloitte found that, “For every dollar in premiums collected from policyholders, insurers paid out roughly 35 cents in claims, making cyber insurance nearly twice as profitable as other types of insurance.” Paying the ransom, especially when insurance covers it, can look like the sound business move, but that reasoning may be short-sighted.

Quick Tips

In the same Ransoming Government report, Deloitte offers a third option: “Building well, operating well, and responding well.”  

  • Building well is the first line of defense. A well-built systems architecture compartmentalizes mission-critical data and keeps separate, manually maintained backups of it.
  • Operating well entails risk mitigation through proper cyber security hygiene: regular system updates and timely application and security patches, plus ongoing investment in staff training and evaluation.
  • Cyber incidents are never 100% preventable, so every good cyber security plan needs a holistic response strategy. Keeping response tooling current, including newer AI- and ML-based tools, matters, as does building a network of cyber security know-how and experience. By sharing and reporting incidents, enterprises and governments can work together to understand new schemes and prevent them from running rampant.

Dependence on cyber security insurance may also have a blowback effect. If ransoms continue to be paid, ransom demands will continue to rise, and as they rise, insurers may impose prerequisites on policies and raise premiums. It is therefore in every party’s interest to do their best to thwart and mitigate ransomware attacks.


Cyber Security

TrickBot Can Now Scan the UEFI/BIOS Firmware of Targeted Systems for Vulnerabilities





Security researchers have found that TrickBot has been upgraded with features that enable it to check the targeted system’s UEFI/BIOS firmware for vulnerabilities.

The malware, active since 2016, recently survived a takedown attempt that left most of its command-and-control (C&C) infrastructure unresponsive. Since then it has received many upgrades that not only allow it to continue operating but also help it withstand similar attempts.

According to researchers at Advanced Intelligence (AdvIntel) and Eclypsium, the newly added features use readily available tooling to detect weaknesses that would let an attacker modify the UEFI/BIOS firmware.

By exploiting those weaknesses, TrickBot operators could plant firmware implants and backdoors or move on to bricking targeted devices. They could also control the boot process and gain complete control of compromised machines.

Firmware-level malware is strategically important, as Eclypsium points out: attackers can ensure their code runs first, it is hard to detect, and it survives reinstallation of the operating system and even replacement of the hard drive, persisting until the firmware itself is re-flashed or the board is replaced.

TrickBot has proved to be one of today’s most adaptable pieces of malware, constantly adding new features to escalate privileges, spread to new machines, and maintain persistence on hosts. Eclypsium states that the inclusion of UEFI features represents a significant advance in this continuing development by expanding its focus beyond the device’s operating system.

This is not the first time that TrickBot’s creators, thought to be the same cybercriminals behind the Dyre Trojan, have shown an interest in adopting publicly available tools and known vulnerabilities.

They previously incorporated Mimikatz and EternalBlue, and the new module uses an obfuscated copy of RwDrv.sys, the driver shipped with the RWEverything (Read-Write Everything) utility, to reach the SPI controller and check whether the BIOS can be written.

The LoJax UEFI rootkit and the Slingshot APT campaign are prior incidents in which attackers used this kind of low-level driver access; LoJax in particular used it to achieve firmware persistence.

As the researchers explain, the new TrickBot module talks to the SPI controller to check whether BIOS write protections are enabled. The module seen so far does not modify the BIOS, but the malware carries code that would let it read, write and erase the firmware.
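The defender’s counterpart to the check the module performs is to read the same registers and decide whether the BIOS region is actually locked, which is what chipsec’s common.bios_wp module does. The block below is an added example written for this page, not TrickBot’s or Eclypsium’s code, and it reads no hardware: it takes a BIOS_CNTL value and a list of SPI Protected Range (PR0–PR4) register values and applies the rule chipsec uses, as I read it. The bit layout is the Intel PCH layout chipsec relies on; the register values, the default BIOS region bounds, and the verdict strings are constructed for the example, so confirm the offsets against your platform’s datasheet before trusting the result on a real machine.

```python
"""Decide whether the SPI-flash BIOS region is writable from register values.

Added example; not TrickBot's or Eclypsium's code, and it reads no hardware.
On a live system the inputs come from the BIOS_CNTL register in the PCH's
LPC/eSPI PCI config space and from the SPI controller's Protected Range
registers PR0-PR4 (the same state chipsec's common.bios_wp module inspects).
Bit layout follows the Intel PCH datasheets as used by chipsec; the register
values and the BIOS region bounds below are constructed for this example.
"""

# BIOS_CNTL bits
BIOSWE = 1 << 0    # BIOS Write Enable: flash writes to the BIOS region allowed
BLE = 1 << 1       # BIOS Lock Enable: a write that sets BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes only honoured from SMM

# PRx (Protected Range) bits
PR_WPE = 1 << 31        # write protection enable for the range
PR_RPE = 1 << 15        # read protection enable for the range
PR_LIMIT_SHIFT = 16
PR_ADDR_MASK = 0x1FFF   # 13 address bits (4 KiB pages) for base and limit


def decode_pr(value):
    """Return (base, limit, write_protected, read_protected) for one PRx.

    base and limit are flash-linear byte addresses; limit covers the whole
    last 4 KiB page, so it is inclusive."""
    base = (value & PR_ADDR_MASK) << 12
    limit = (((value >> PR_LIMIT_SHIFT) & PR_ADDR_MASK) << 12) | 0xFFF
    return base, limit, bool(value & PR_WPE), bool(value & PR_RPE)


def ranges_cover(prs, region_base, region_limit):
    """True if the union of write-protected PRx ranges covers the whole
    inclusive region [region_base, region_limit]. Ranges may be fragmented."""
    protected = sorted((b, l) for b, l, wp, _ in map(decode_pr, prs) if wp)
    cursor = region_base
    for base, limit in protected:
        if base > cursor:
            break                       # uncovered gap before this range
        cursor = max(cursor, limit + 1)
        if cursor > region_limit:
            return True
    return cursor > region_limit


def assess(bios_cntl, prs=(), bios_region=(0x00A00000, 0x00FFFFFF)):
    """Return (protected, notes).

    The rule mirrors what chipsec's common.bios_wp reports, as I read it:
    the region counts as protected when BLE=1, BIOSWE=0 and SMM_BWP=1, or
    when write-protected PR ranges cover the entire BIOS region. The default
    bios_region is a constructed stand-in for what the flash descriptor's
    BIOS region (FREG1) gives on a real board."""
    bioswe, ble, smm_bwp = (bool(bios_cntl & bit) for bit in (BIOSWE, BLE, SMM_BWP))
    notes = []
    cntl_ok = False
    if bioswe:
        notes.append("BIOSWE=1: the BIOS region is writable right now")
    elif not ble:
        notes.append("BLE=0: kernel code (e.g. via a driver like RwDrv.sys) can "
                     "simply set BIOSWE; this is the state a firmware implant needs")
    elif not smm_bwp:
        notes.append("BLE=1 but SMM_BWP=0: protection rests on the SMI handler "
                     "re-clearing BIOSWE; chipsec does not count this as protected")
    else:
        cntl_ok = True
        notes.append("BLE=1, SMM_BWP=1, BIOSWE=0: flash writes restricted to SMM")

    pr_ok = ranges_cover(prs, *bios_region)
    notes.append("PRx: BIOS region %s covered by write-protected ranges"
                 % ("fully" if pr_ok else "not fully"))
    return (cntl_ok or pr_ok), notes


if __name__ == "__main__":
    # Constructed register values; check the datasheet for your PCH before
    # trusting any of this against a real machine.
    samples = {
        "locked (BLE|SMM_BWP)": (0x22, []),
        "unlocked (nothing set)": (0x00, []),
        "BLE only": (0x02, []),
        "unlocked, PR covers 0xA00000-0xFFFFFF": (0x00, [0x8FFF0A00]),
        "unlocked, PR covers only 0xC00000-0xFFFFFF": (0x00, [0x8FFF0C00]),
    }
    for label, (cntl, prs) in samples.items():
        ok, notes = assess(cntl, prs)
        print("%-45s -> %s" % (label, "PROTECTED" if ok else "WRITABLE"))
        for note in notes:
            print("    " + note)
```

On a real machine the equivalent check is `chipsec_main -m common.bios_wp`. The unlocked case (BLE clear) is the condition the TrickBot module is looking for, because any kernel driver can then set BIOSWE and write the flash; the BLE-only case is weaker than it looks, which is why chipsec reports it rather than passing it.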

This capability gives TrickBot operators a way to brick any machine they find vulnerable. Recovering from compromised UEFI firmware means the motherboard must be re-flashed or replaced, which is far more labor-intensive than re-imaging or swapping out a hard disk, the researchers note.



Cyber Security

What CISOs Need To Know About Risk-Based Cyber Security




Episode 160 of Task Force 7 Radio


Cyber Security Hub recently asked the community “What is the last thing to do in 2020?” Not surprisingly, a consistent response was manage risk. Both taking inventory of risk and budgeting or insuring for risk came up on the list. 

Episode Summary:

Every cyber security executive has to express the value of security activities in terms of measurable, defined outcomes based on risk reduction. This requires a rich understanding of the threat environment, a clear appreciation of the concept of criticality, and an awareness of the potential impact of cyberattacks from an operational business standpoint. Levi Gundert, Senior Vice President of Global Intelligence at Recorded Future, rejoins co-host Andy Bonillo on Episode #160 of Task Force 7 Radio to give a readout on his new book The Risk Business: What CISOs Need to Know About Risk-Based Cyber Security. Levi discusses the case for risk-based cyber security, how risk is the language of business, threat-driven versus compliance-driven security, and what risk-driven security programs look like.
