Cybersecurity Blog
Thought leadership. Threat analysis. Cybersecurity news and alerts.
Why Lack of Qualified Cyber Security Workforce is a Critical Vulnerability for Many Businesses
There’s WannaCry. There’s Petya. There’s NotPetya. These cyber threats have dominated the headlines in the past few days. But one cyber threat remains a critical vulnerability for many businesses: the lack of a qualified cyber security workforce.
Cyber Attacks Outpace Cyber Defense
According to Symantec, 430 million new unique pieces of malware were discovered in 2015. At the close of 2015, Symantec added, 191 million records were exposed as a result of cyber attacks.
“Attacks outpace defense, and one reason for this is the lack of an adequate cyber security workforce,” said the Center for Strategic and International Studies in its study “Hacking the Skills Shortage: A study of the international shortage in cyber security skills”. A report from Frost & Sullivan and ISC² found that by 2020, more than 1.5 million cyber security positions will be unfilled globally. Frost & Sullivan and ISC² also revealed that 45 percent of hiring managers reported struggling to fill additional information security positions, despite increased security spending on technology across the board, rising average annual salaries and high rates of job satisfaction.
Five years ago, cyber threat wasn’t among the top 10 risks prioritized by corporate boards (it ranked only 12th), according to Lloyd’s 2011 annual risk survey. Corporate attitudes towards cyber security have changed drastically in recent years. A Forbes report found that four financial institutions – J.P. Morgan Chase & Co., Bank of America, Citigroup, and Wells Fargo – spent more than $1.5 billion on cyber security in 2015. In a live interview on Bloomberg in 2015, Bank of America CEO Brian Moynihan said that cyber security is the bank’s only business unit with no budget limit. In 2017, PwC’s global CEO survey found that cyber threat is among the top five risks on CEOs’ minds, behind only the availability of key skills, volatile energy costs and changing consumer behavior.
Delay of Hiring Cyber Security Workforce Leaves Businesses Vulnerable to Cyber Attacks
The 2017 state of cyber security survey by ISACA (Information Systems Audit and Control Association) found that it takes six months or longer to fill priority cyber security and information security positions in more than 1 in 4 companies around the globe. “When positions go unfilled, organizations have a higher exposure to potential cyber attacks. It’s a race against the clock,” said Christos Dimitriadis, ISACA board chair.
For its part, the Center for Strategic and International Studies said, “The continued skills shortage creates tangible risks to organizations.” In the study conducted by the center, 1 in 4 respondents said their organizations have lost proprietary data as a result of their inability to maintain adequate cyber security staff.
Lack of Qualified Applicants
The ISACA report showed that, compared to other corporate job openings, which garner 60 to 250 applicants, a cyber security opening receives far fewer applicants.
Fifty-nine percent of the organizations surveyed by ISACA reported receiving at least 5 applicants for each cyber security opening, and only 13 percent receive 20 or more applicants. Sixteen percent of North American respondents in the ISACA survey indicated that a cyber security opening receives at least 20 applicants. Compounding the shortage of applicants for cyber security openings is the shortage of qualified applicants. ISACA’s board chair said, “As enterprises invest more resources to protect data, the challenge they face is finding top-flight security practitioners who have the skills needed to do the job.” Sixty-four percent of the respondents to the ISACA survey said half or fewer of their applicants for cyber security positions are qualified, while 35 percent of the survey respondents said that less than 25 percent of applicants are qualified. When asked to identify the most important attributes of a qualified applicant, respondents to the ISACA survey ranked practical verification or hands-on experience as the most important; reference/personal endorsement ranked second; certifications ranked third; formal education ranked fourth; and specific training ranked fifth.
Security Fatigue
Making things worse is the “security fatigue” of non-cyber security personnel. The National Institute of Standards and Technology (NIST) defined security fatigue as a “weariness or reluctance to deal with computer security”.
A NIST study found that a majority of computer users experience security fatigue, which often results in risky computing behavior in the workplace and in their personal lives. “The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life,” cognitive psychologist and co-author of the NIST study Brian Stanton said. “Years ago, you had one password to keep up with at work,” computer scientist and co-author of the NIST study Mary Theofanos said. “Now people are being asked to remember 25 or 30. We haven’t really thought about cyber security expanding and what it has done to people.” The NIST study found that security fatigue results in feelings of resignation and loss of control. This weariness or reluctance to deal with computer security, the NIST study found, can lead to choosing the easiest option among alternatives, behaving impulsively, and failing to follow security rules.
How to Remedy the Cyber Security Workforce Shortfall
Here are three recommendations on how to remedy the cyber security workforce shortfall:
1. Accept Non-Traditional Sources of Education. The Center for Strategic and International Studies study suggested that hiring managers should put less emphasis on degree requirements, especially for entry-level cyber security positions, and instead place greater emphasis on hands-on experience and professional certifications.
2. Diversify the Cyber Security Workforce. A number of studies have shown that women and minorities are underrepresented in the field of cyber security. Opening this field to women and minorities will diversify the cyber security workforce and will also expand the talent pool.
3. Automate. The Center for Strategic and International Studies study revealed that organizations are looking to automate cyber security functions to offset the skills shortage. Cyber security automation generates efficiencies. Efficient processes allow cyber security personnel to focus their talent and time on cyber threats that need human intervention.
Here is why Petya is not a Typical Ransomware
This week, another ransomware called “Petya” attacked major companies around the globe.
The Victims
Petya attacked the computers at the Chernobyl nuclear plant, forcing workers to manually monitor the plant’s radiation. The ransomware also attacked the computers of major global companies including Russian oil and gas giant Rosneft, Cadbury and Oreo-maker Mondelez, British advertising giant WPP, Danish shipping firm Maersk, U.S.-based pharmaceutical company Merck, real estate subsidiary of French bank BNP Paribas and multinational law firm DLA Piper.
Microsoft, in a blog post, said that more than 70% of the computers attacked by Petya were in Ukraine, while computers in other countries were also affected in significantly lower volumes. Microsoft added that the majority of Petya infections were observed on Windows 7 computers.
How Does Petya Spread and Infect Computers
Cyber security firms Kaspersky Lab and Symantec, and even Microsoft, confirmed that the Petya ransomware uses EternalBlue – a Microsoft Windows exploit believed to have been originally developed for use by the U.S. National Security Agency (NSA). EternalBlue is the same exploit used in WannaCry – another ransomware that affected hundreds of thousands of computers worldwide less than two months ago.
“Similar to WannaCry, Petya uses the Eternal Blue exploit as one of the means to propagate itself,” Symantec said. “However it also uses classic SMB network spreading techniques, meaning that it can spread within organizations, even if they’ve patched against Eternal Blue.” In addition to exploiting the Microsoft Windows vulnerability, Symantec said this latest ransomware spreads by acquiring usernames and passwords and moving across network shares. According to Symantec, the Petya ransomware that started propagating last June 27 is a variant of the original Petya – a malware known to be in existence since 2016 – that not only encrypts files but also overwrites and encrypts the master boot record (MBR). Kaspersky Lab, for its part, said that this latest ransomware is significantly different from all earlier known versions of Petya, so the cyber security firm calls it “ExPetr” or “NotPetya”. In the new Petya – the term we use here because the world media adopted this name – the cyber criminals demand that each victim pay $300 in bitcoins to recover their files. The following ransom note is displayed on the victim’s infected computer:
The cyber criminals behind the Petya ransomware attack used an email address from the German email provider Posteo as the means for victims to contact them. Upon learning that its email platform was being used by cyber criminals, Posteo blocked the email account used by the Petya perpetrators on the same day that the ransomware was released into the wild.
As a result of Posteo’s email blockade, Petya’s victims have no way to contact the people behind the latest ransomware attack. The Posteo email address was supposed to be the channel through which victims would contact the blackmailers, tell them whether they had sent the bitcoins, and receive their decryption keys. A complete technical analysis is available from US-CERT, published on July 1, 2017.
Wiper vs Ransomware
According to Kaspersky Lab, even without the email blockade, there is still no way for victims to recover their files, as the ransomware was designed in such a way that recovery of their data is impossible. To decrypt files, the cyber criminals need the installation ID. Kaspersky Lab said other ransomware, such as the old Petya, Mischa and GoldenEye, have an installation ID that makes file recovery possible.
In the new Petya, even the cyber criminals themselves can’t decrypt the victims’ files. The installation key shown in the new Petya ransom note, Kaspersky Lab said, is just random gibberish, “which means that the threat actor could not extract the necessary information needed for decryption.”
According to Symantec, the encryption performed by Petya is twofold:
“Either it was a sophisticated actor who knew what they were doing – except screwed up horribly on the part where they actually get paid – or it wasn’t about the ransom in the first place,” Nicholas Weaver, a researcher at the International Computer Science Institute and a lecturer at the University of California, Berkeley, told the New York Times. “They are no longer collecting a ransom [referring to the new Petya ransomware],” Justin Harvey, managing director of global incident response at Accenture Security, told the New York Times. “They are just being destructive.” If the main motive of a ransomware campaign is money, Harvey said, cyber criminals typically set up multiple avenues to collect funds from their victims. The recent ransomware attack uses a single email address and a single bitcoin wallet for electronic payments.
How to Prevent Ransomware Attacks
Here are some of the ways to prevent ransomware attacks like the new Petya:
1. Use the latest operating system and make sure that the most current updates are installed. It’s worth noting that, according to Microsoft, most of the Petya victims use Windows 7. Microsoft said that Windows 10 and its new streamlined operating system Windows 10 S block this type of attack by default.
2. Back up your data. Earlier this month, Nayana, a web hosting company in South Korea, agreed to pay more than $1 million to ransomware criminals to unlock its servers. This is believed to be the biggest ransomware payout on record. Backing up your data, either offline or in the cloud, protects your business from ransomware attacks. Cyber criminals will have no leverage over your business if you can easily retrieve your data from somewhere else. Businesses must keep backups and, most importantly, test those backups by performing test restores. Home users can protect their data by subscribing to one of the many cloud storage and file sharing services. Since the most important step in protecting your data against ransomware is to make sure that the operating system is always up to date, ask your IT department to demonstrate that they have a solid vulnerability and patch management solution in place to keep your information safe. Connect with us today, and our experts will answer your questions.
7 Steps to Prioritize Cyber Security Threats
Today’s businesses are under constant threat of cyber attacks. The recent WannaCry ransomware attack, which affected major businesses and institutions around the world, showed the importance of prioritizing cyber security threat remediation.
Here are 7 steps on how to prioritize cyber security threat remediation within your organization:
Step 1: Involve Business Stakeholders in the Process
Cyber security threat remediation is often left to the “IT people”. Business stakeholders, which include those in the senior management positions and those possessing unique perspectives, experiences and skills that IT may not possess, are invaluable in prioritizing cyber security threat remediation.
A survey conducted by Info-Tech Research Group showed that organizations that were able to engage business stakeholders in cyber threat identification were 79% more successful in identifying all threats compared to organizations where business stakeholders’ participation was minimal. Another Info-Tech survey found that 97% of organizations that involved business stakeholders in the cyber risk assessment process reported success. It’s beneficial to involve business stakeholders as they can put forward perspectives that IT departments may have overlooked, and they can bolster IT’s knowledge regarding particular risks and their overall effect on the organization.
Step 2: Identify Cyber Security Threats
In identifying cyber security threats, determine the threat categories, threat scenarios and threat events.
Threat Categories
Threat categories are high-level groupings that label threats relating to major IT functions. The following are some of the identified categories:
Threat Scenarios
After identifying the threat categories, identify the threat scenarios or common situations for each category. For instance, in the data risk category, threat scenarios could be data theft, data integrity, data confidentiality and data availability.
Threat Events
Threat events refer to specific vulnerabilities under a particular threat scenario. An example of a threat event under data integrity is data recovery/loss within a system.
Step 3: Determine the Threshold for Acceptable and Unacceptable Risk
Establish a threshold that sets what constitutes an acceptable and an unacceptable risk for the organization. This threshold should be a concrete dollar value, based on the organization’s ability to absorb financial losses and its tolerance for risk. For instance, an organization’s threshold could be $100,000. A cyber threat costing below $100,000 is an acceptable risk, while one costing above $100,000 is an unacceptable risk.
Step 4: Create a Financial Impact Assessment Scale
Every cyber threat has a corresponding financial consequence. It’s difficult for senior management to make intelligent decisions about cyber security threats if they don’t know what the financial impact will be. For each identified threat event, it’s critical to create a scale to assess the financial impact. Typically, financial impacts are assessed on a scale of 1 to 5 or low to extreme. Make sure that the unacceptable risk threshold is reflected in the scale. Let’s say,
In the financial impact assessment, include project overruns and service outages. For instance, a cyber security project that overruns by 20 days, with 8 employees at an average cost of $300 per day and a total estimated cost of $48,000, falls under the low impact level. Another example is a service outage lasting 4 hours, with $10K loss of revenue per hour and an estimated cost of $40,000, which also falls under the low impact level.
Step 5: Create a Probability Scale
For every threat event, create a scale to assess the probability that the event will happen over a given period of time. Make sure that the probability scale has the same number of levels as the financial impact scale. Let’s say,
Step 6: Threat Severity Level Assessment
For all threat events, assess the severity level. To calculate the severity level of each threat event, multiply the financial impact cost by the probability of occurrence. A threat event with a probable financial impact cost of $250K or "high", multiplied by a probability of occurrence of 10% or "low", generates a $25K or "medium" threat severity level.
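Steps 3 to 6 above, carried through as a small risk register in code. This is an added example, not code from the original post; the threat events and probabilities are constructed sample data (reusing the post’s worked figures), and the dollar and probability cut-offs of the two scales are assumptions since the post does not list them.

```python
# Added example (not from the original post): the Step 3 to Step 6 procedure
# as a small risk register. Threat events and probabilities are constructed
# sample data; the scale cut-offs are assumptions, not figures from the post.
from dataclasses import dataclass

ACCEPTABLE_RISK_THRESHOLD = 100_000  # Step 3: loss the organisation can absorb
# Step 4: five-level financial impact scale (upper bound in dollars, level, label).
IMPACT_SCALE = [
    (50_000, 1, "low"),
    (100_000, 2, "medium"),
    (250_000, 3, "high"),
    (1_000_000, 4, "very high"),
    (float("inf"), 5, "extreme"),
]
# Step 5: probability scale with the same number of levels (assumed cut-offs).
PROBABILITY_SCALE = [
    (0.10, 1, "low"),
    (0.25, 2, "medium"),
    (0.50, 3, "high"),
    (0.75, 4, "very high"),
    (1.00, 5, "extreme"),
]

def level_for(value, scale):
    """Return (level, label) of the first band whose upper bound covers value."""
    for upper, level, label in scale:
        if value <= upper:
            return level, label
    raise ValueError(f"{value} is outside the scale")

@dataclass
class ThreatEvent:
    name: str
    impact_usd: float   # probable financial impact if the event occurs
    probability: float  # likelihood of occurrence over the assessment period

    def severity_usd(self):
        # Step 6: severity = financial impact x probability of occurrence
        return self.impact_usd * self.probability

    def unacceptable(self):
        # Step 3: does the potential loss exceed the acceptable-risk threshold?
        return self.impact_usd > ACCEPTABLE_RISK_THRESHOLD

    def describe(self):
        impact = level_for(self.impact_usd, IMPACT_SCALE)[1]
        prob = level_for(self.probability, PROBABILITY_SCALE)[1]
        flag = "UNACCEPTABLE" if self.unacceptable() else "acceptable"
        return (f"{self.name}: ${self.impact_usd:,.0f} ({impact}) x "
                f"{self.probability:.0%} ({prob}) = ${self.severity_usd():,.0f}; {flag}")

def project_overrun_cost(days, staff, cost_per_day):
    """Step 4 figure: overrun cost = days x employees x daily cost per employee."""
    return days * staff * cost_per_day

def outage_cost(hours, revenue_loss_per_hour):
    """Step 4 figure: outage cost = hours down x revenue lost per hour."""
    return hours * revenue_loss_per_hour

def prioritise(events):
    """Rank threat events by severity, highest first, for the management briefing."""
    return sorted(events, key=lambda e: e.severity_usd(), reverse=True)

# Constructed register reusing the post's worked figures (not data from the post).
SAMPLE_EVENTS = [
    ThreatEvent("Data breach before product launch", 250_000, 0.10),
    ThreatEvent("Security project overrun", project_overrun_cost(20, 8, 300), 0.50),
    ThreatEvent("Four-hour service outage", outage_cost(4, 10_000), 0.25),
]
```

Calling `describe()` on each entry of `prioritise(SAMPLE_EVENTS)` reproduces the post’s $250K (high) x 10% (low) = $25K line first, with the overrun and outage ranked below it.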
Step 7: Determine the Proximity of the Threat Event
Over a period of time, the financial impact and probability of occurrence of a threat event often fluctuate. The relationship between threat severity and time is called threat proximity. These fluctuations are often unpredictable. Some threat events are, however, predictable. The risk severity of losing key personnel is constant. The risk severity of a data breach leading up to a new product launch is confined to a particular point in time. The risk severity of project overrun after staff layoffs either increases or decreases after a particular point in time.
In determining the proximity of the risk event, focus on “high” and “extreme” threats. Describe the proximity of these high and extreme threats. For instance, for a particular threat event, the threat proximity can be described in this way: “The probability of this threat event will fall when the new budget for the IT department is released.” So what’s the difference between threat severity and threat proximity? The threat proximity description notifies senior management about the urgency of a cyber threat event and the importance of timely implementation of risk responses, while threat severity notifies senior management about the relative importance of each threat event.
Cyber Security Threat Remediation Equals Cost Effectiveness
Threat identification and prioritizing these threats demand time and money. But the time and money spent on these security risk management tasks can mean the difference between staying on budget and spending too much.
When your organization needs help with assessing and prioritizing cyber security threats, give us a call and we will be happy to help.
5 Cyber Security Threats To Look Out For
As the world becomes more technological, so do the cyber criminals. From bank details to medical records, we store our most sensitive information on the web. Savvy swindlers take advantage of this new arena with a variety of scams designed to rob you of money, information, and identity. Protect your business by looking out for these common cyber security threats.
Mobile transactions
Did your dad ever warn you about the danger of paying for things on the internet? Turns out his paranoia could be valid. A new host of vulnerabilities is available for fraudsters to exploit. They’re hidden in the complexities of online payment platforms. Weak points lurk in virtual wallets and CNP (card not present) transactions. Mobile transactions are predicted to exceed $220 billion in 2017, an enticing number for a scam artist seeking a quick win.
Ransomware
How could we forget the recent WannaCry ransomware attack? While the criminals promised to send the decryption keys to unlock your files, crime-fighting cyber security experts released the keys free of charge. Ransomware is usually deployed to extort money, and that won’t be changing any time soon. The hackers demand a ransom for locked personal or business information against the threat of deleting the precious data forever. Put another way, vital information is ‘kidnapped’ until the victim pays for its release. These types of cyber security threats continue to increase. Avoiding suspicious links and downloads is an effective preventative against ransomware.
DDoS attacks
Distributed Denial of Service attacks are cyber security threats that aim to make a site useless. The hacker infects and commandeers a network of connected devices. This “botnet” overloads the site with requests, preventing users from accessing the service.
Hackers use DDoS to extort money, eliminate competition, or make a political statement. The increasing reliance on website traffic makes DDoS attacks devastating to modern businesses.
IoT attacks
The Internet of Things heralds an age when your alarm clock can instruct your coffee machine to turn on. This interconnectivity of devices can optimize your lifestyle. It can also make it vulnerable to cyber security threats. Hackers use IoT attacks to steal information, manipulate devices, and launch DDoS attacks.
Phishing attacks
Most people know the risks of opening unsolicited attachments and strange links, so phishing scams have had to up their game. These days it’s harder to spot a phishing email. They’re created with an intimate knowledge of the user, which entices them to click. The dodgy link opens the gateway to malware, which steals information. The phisher may also use your email to distribute phishing emails to your contacts list.
How to defend against cyber security threats
While the face of cyber security threats is always changing, staying up to date on attack trends should be your first line of defense. Educate your staff on the appearance and symptoms of common cyber attacks. Common password hacks are among the simplest ways for scammers to access your system. Ensure your team practices healthy password hygiene and is vigilant about locking devices. An information security specialist can help you to further fortify your systems and identify weaknesses before they become real threats. Contact us today and let’s protect your business from cyber attacks.
Author: Steve E. Driz, I.S.P., ITCP
7/7/2017