by Larry Loeb
About 350,000 IT positions that require cybersecurity knowledge and skills remain currently unfilled. What impact does the acute talent shortage have on critical day-to-day IT security tasks?
No wonder that in 2018, many CISOs are growing even more concerned about the acute talent and skills shortage in cybersecurity.
Critical areas and attack vectors go uncovered, due to a lack of personnel. Will more major trouble like last year’s Equifax hack be the result?
By 2022, industry observers expect a shortfall of 1.8 million infosec professionals. The effects of not having the right people in the right slots are varied, but one outcome seems certain: essential tasks will be left undone.
Which IT security to-dos are too easily missed?
A lack of awareness exacerbates the resulting risk for the organization’s overall cybersecurity posture.
"One of the greatest concerns companies should have is around visibility," Andrew Howard, chief technology officer at Kudelski Security, told the RSA Conference. "You don't know what you do not know."
With a limited IT staff, Howard warned, "firms are unlikely to have the visibility necessary to identify their weaknesses or a breach."
Where IT security suffers most from the lack of cybersecurity staff
What are the areas that require CISOs to pay extra attention when facing staff shortages and skill gaps?
1) Updates and patching
Large organizations face huge patching needs, whoever they are. NASA, for example, found in April 2016 that more than 53,000 systems were missing 426,000 critical patches agency-wide.
Applying software updates and patches requires solid system knowledge and attention to detail. Assigning the task to unqualified staff often leads to patches that are applied incorrectly, never reach every affected system, or are not applied at all.
Incorrect or incomplete patching can devastate an organization, as the 2017 Equifax breach illustrated. A patch for the vulnerability the attackers used (the Apache Struts flaw CVE-2017-5638) had been available since March 2017, but it was never applied to the exposed production systems.
That allowed a major exfiltration of personally identifiable data, trashing the credit agency's credibility and costing it $87 million at last count.
2) Lack of policies or policy enforcement
The Information Systems Audit and Control Association (ISACA) reported that in its State of Cybersecurity survey, 72 percent of respondents said security professionals often don’t understand the business of their own organization well enough.
This can affect how they understand, create and enforce policy (or not). To create policy, you need context. Policies should advance business goals, not just say no to something and stand in the way.
Attackers value management accounts because they are more likely to have routine access to a broad range of business functions.
Such accounts not only open the door to a wide range of sensitive business areas; their owners are also known to pull rank and claim exemptions from policies they perceive as counterproductive. That is exactly where a policy needs business context behind it to be enforced.
3) Data breach cleanup cost (overruns)
Gartner reports that "for an average enterprise, indirect cost elements may contribute 50% or more of the overall TCO" (total cost of ownership). An understaffed security team will respond to a breach by overspending significant resources on damage assessment and remediation.
It will take longer to clean up the impacted environment than with a full staff, which drives up the soft costs.
When LinkedIn was breached in 2012, one of the reasons it had to spend over $4 million on the clean-up was the poor choices infosec staff had made in implementing password security (the stolen passwords were stored as unsalted SHA-1 hashes), according to ZDNet.
4) Cloud services setup or configurations
The “ability to cut costs” was the primary reason for more than 40 percent of businesses of all sizes to move data and services to the cloud, a 2016 CompTIA survey found.
But the price many pay for leaving the configuration of cloud storage buckets to inexperienced or not suitably trained staff is much higher than what they hoped to save.
The recent spate of Amazon S3 data exposures was caused by such misconfigurations. At National Credit Federation, a credit repair service, 111 GB of confidential customer information was exposed by a single storage bucket that had simply been left open to public access.
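The open-bucket problem is easy to audit once you know which two settings to look at: the bucket policy (a JSON document) and the bucket ACL. The following Python script, an added example rather than anything from the original article or from any AWS tooling, flags policy statements that grant access to the wildcard principal and ACL grants to the AllUsers and AuthenticatedUsers groups. The policy documents, ACL grants and bucket names in it are constructed for illustration.

```python
"""Flag S3 bucket policies and ACLs that grant anonymous or any-AWS-account access.

Added example: the policy documents and ACL grants below are constructed for
illustration and do not come from any real bucket.
"""
import json

# Grantee URIs that AWS uses for "everyone" and "any authenticated AWS user".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Fields such as Action and Principal.AWS may be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _principal_is_anyone(principal) -> bool:
    """True for the wildcard principal in either spelling: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy: dict) -> list:
    """Return one finding per Allow statement whose principal is the wildcard.

    Statements that carry a Condition block are still reported but marked
    conditional: a condition such as aws:SourceVpce can make the grant safe,
    so those need a human review rather than an automatic 'public' verdict.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        findings.append({
            "sid": st.get("Sid", "<no Sid>"),
            "actions": _as_list(st.get("Action")),
            "conditional": "Condition" in st,
        })
    return findings


def public_acl_grants(grants: list) -> list:
    """Return 'Group:Permission' strings for grants to AllUsers or AuthenticatedUsers."""
    hits = []
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            hits.append(f"{grantee['URI'].rsplit('/', 1)[-1]}:{g.get('Permission')}")
    return hits


# Constructed sample documents (bucket names and account ID are placeholders).
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-customer-files",
                 "arn:aws:s3:::example-customer-files/*"]
  }]
}""")

LOCKED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-uploader"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-customer-files/*"
  }, {
    "Sid": "DenyAnonymous",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-customer-files/*"
  }]
}""")

# ACL in the shape returned by get-bucket-acl: owner grant plus a grant to everyone.
OPEN_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

if __name__ == "__main__":
    print("open policy:  ", public_statements(OPEN_POLICY))
    print("locked policy:", public_statements(LOCKED_POLICY))
    print("open ACL:     ", public_acl_grants(OPEN_ACL))
```

In a live account the same functions apply to the output of `aws s3api get-bucket-policy` (which returns the policy as a JSON string inside a "Policy" field, so it needs a second json.loads) and `aws s3api get-bucket-acl`. Note that the Deny statement in the locked policy is deliberately not reported: only Allow statements grant access, and an explicit Deny for the wildcard principal is the pattern you want to see.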
5) Employee Credential Management
Forrester reported in November 2017 that inadvertent insider actions (36 percent) and malicious insider activities (25 percent) were two of the top five most common ways that led to data breaches.
IT security teams stretched thin often do not have the resources and procedures in place to validate employee system permissions. Necessary changes - for example when employees switch teams or leave the company - often happen too late or are completely overlooked.
This directly facilitates data breaches that affect the whole organization.
Even greater damage may result when employee credentials are harvested in bulk by unauthorized outsiders. According to the 2017 Verizon Data Breach Investigations Report [PDF], 81 percent of hacking-related breaches leveraged stolen and/or weak passwords, and financial services firms accounted for the largest share of the confirmed breaches in that report.
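The permission drift described above (leavers whose accounts stay enabled, people who change teams and keep the old team's groups, service accounts nobody owns) is what a periodic access review is meant to catch. The following Python script is an added example, not code from the article or from any directory product; it reconciles an account export against the HR roster. The usernames, teams and the TEAM_GROUPS mapping are constructed assumptions; in practice the account list would come from an LDAP or Active Directory export and the roster from HR.

```python
"""Reconcile an account directory export against the HR roster.

Added example with constructed data: the usernames, teams and the TEAM_GROUPS
mapping below are assumptions for illustration, not a real organization.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class Account:
    username: str
    groups: Set[str]
    last_login: Optional[date]      # None means the account has never logged in
    enabled: bool = True


@dataclass
class Person:
    username: str
    team: str
    status: str                     # "active" or "leaver", as recorded by HR


# Assumed mapping of the groups each team legitimately needs.
TEAM_GROUPS = {
    "finance": {"erp-users", "finance-share-rw"},
    "engineering": {"git-devs", "ci-users"},
}

Finding = Tuple[str, str, str]      # (username, kind, detail)


def review_access(accounts: List[Account], roster: List[Person],
                  today: date, max_idle_days: int = 90) -> List[Finding]:
    """Flag accounts whose existence, state or group membership no longer matches HR."""
    people = {p.username: p for p in roster}
    findings: List[Finding] = []
    for acct in accounts:
        person = people.get(acct.username)
        if person is None:
            # Nobody in HR owns this account: typical for forgotten service accounts.
            findings.append((acct.username, "orphan", "no HR record for this account"))
            continue
        if person.status == "leaver":
            if acct.enabled:
                findings.append((acct.username, "leaver-enabled", "HR marks user as left"))
            continue                # a disabled leaver is the expected state
        # Groups beyond what the person's current team needs: usually left over
        # from a previous team.
        excess = acct.groups - TEAM_GROUPS.get(person.team, set())
        if excess:
            findings.append((acct.username, "excess-groups",
                             f"not needed by team {person.team}: {', '.join(sorted(excess))}"))
        idle = None if acct.last_login is None else (today - acct.last_login).days
        if idle is None or idle > max_idle_days:
            findings.append((acct.username, "dormant",
                             "never logged in" if idle is None else f"idle {idle} days"))
    return findings


# Constructed sample data ------------------------------------------------
TODAY = date(2018, 3, 1)
ROSTER = [
    Person("asmith", "finance", "active"),
    Person("bjones", "engineering", "active"),      # moved over from finance last month
    Person("cwu", "finance", "leaver"),
]
ACCOUNTS = [
    Account("asmith", {"erp-users"}, TODAY - timedelta(days=2)),
    Account("bjones", {"git-devs", "finance-share-rw"}, TODAY - timedelta(days=1)),
    Account("cwu", {"erp-users", "finance-share-rw"}, TODAY - timedelta(days=5)),
    Account("svc-backup", {"finance-share-rw"}, None),
]

if __name__ == "__main__":
    for user, kind, detail in review_access(ACCOUNTS, ROSTER, TODAY):
        print(f"{user:12} {kind:15} {detail}")
```

Run on the sample data it reports bjones for the finance share he kept after moving to engineering, cwu for an enabled account HR says has left, and svc-backup as an orphan; asmith is clean. The idle threshold is a parameter because the right value differs between interactive users and service accounts.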
6) Employee awareness and training
Once a year or less: that's how infrequently 49 percent of C-suite respondents conduct information security training for employees, according to Shred-it's 2017 Information Security Tracker Survey. 39 percent of small business owners never train their employees on the relevant industry requirements, according to the same survey.
The Ponemon Institute reported in 2017 that 54 percent of data breaches were due to employee or contractor negligence.
Given the dynamics of a rapidly changing threatscape, once-a-year instruction bodes ill for the cybersecurity of organizations at risk.
Companies can protect their employees by providing tools that shield them from threats online.
Frequently instructing them on how to prevent data breaches will also help improve the security posture of organizations whose IT teams are overworked and understaffed. If not addressed, the lack of awareness among employees may result in a cybersecurity breakdown of Hollywood proportions.
Case in point: Sony Pictures was breached by phishing emails that appeared to come from people the employees knew, which tricked them into trusting the source.
The employee login credentials were then used to access Sony's network and steal more than 100 terabytes of data, which caused damages estimated at $100 million.
7) Local browser and plugin maintenance
Maintaining and updating local browsers, plugins and extensions across the organization has become a bane of modern IT.
In 2017, security rating provider BitSight surveyed more than 8,500 organizations for its report A Growing Risk Ignored: Critical Updates.
The firm found that more than 50 percent of the respondents’ computers were running out-of-date browser versions, “doubling their chances of experiencing a publicly disclosed breach.”
In most environments, the local browser is one of the few applications that is routinely allowed to fetch code from arbitrary outside locations, such as external websites, and execute it.
According to various studies, more than 80 percent of data breaches are browser-related. European security researchers found that over a ten-year period there was neither a clear, systematic reduction nor a stabilization in the number of browser-related exploits.
Where regular browsers have not been replaced by secure remote browsers (which can be centrally managed in the cloud), missed patches and updates, together with hijacked or malicious plugins, further increase the risk arising from the local browser's inherent vulnerabilities.
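The BitSight figure above is the kind of number an organization can measure for itself, because every browser announces its version in the User-Agent header that the web proxy logs. The following Python script is an added example, not from the article or from BitSight; it pulls the browser family and major version out of proxy log lines and reports hosts below a version baseline. The log lines and the MINIMUM_MAJOR table are constructed for illustration, and the single-quoted-field log format is an assumption.

```python
"""Find hosts running out-of-date browsers from web proxy access logs.

Added example: the log lines and the MINIMUM_MAJOR table are constructed for
illustration; the real minimums are whatever your patch baseline says this week.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# Assumed baseline: lowest acceptable major version per browser family.
MINIMUM_MAJOR = {"chrome": 64, "firefox": 58, "edge": 16}

# Order matters: Edge UAs also carry a "Chrome/" token, so the more
# specific families are tested first.
_FAMILIES = [
    ("edge", re.compile(r"\bEdge?/(\d+)")),      # "Edge/16" (EdgeHTML) or "Edg/79" (Chromium)
    ("firefox", re.compile(r"\bFirefox/(\d+)")),
    ("chrome", re.compile(r"\bChrome/(\d+)")),
]
_UA_FIELD = re.compile(r'"([^"]*)"\s*$')         # last quoted field on the line


def parse_browser(user_agent: str) -> Optional[Tuple[str, int]]:
    """Return (family, major version) or None for UAs this script does not classify."""
    for family, pattern in _FAMILIES:
        m = pattern.search(user_agent)
        if m:
            return family, int(m.group(1))
    return None


def outdated_hosts(log_lines: Iterable[str],
                   minimums: Dict[str, int] = MINIMUM_MAJOR) -> Dict[str, Tuple[str, int]]:
    """Map client IP -> (family, major) for every host seen with a browser below baseline.

    Assumed log format: '<epoch> <client-ip> <method> <url> <status> "<user-agent>"'.
    A host is reported once, with the oldest offending version seen for it.
    """
    result: Dict[str, Tuple[str, int]] = {}
    for line in log_lines:
        parts = line.split(None, 5)
        ua_match = _UA_FIELD.search(line)
        if len(parts) < 6 or not ua_match:
            continue                      # malformed line: skip rather than crash
        client = parts[1]
        parsed = parse_browser(ua_match.group(1))
        if parsed is None:
            continue                      # curl, updaters, monitoring agents, ...
        family, major = parsed
        if family in minimums and major < minimums[family]:
            if client not in result or major < result[client][1]:
                result[client] = (family, major)
    return result


# Constructed sample log: one host on an old Chrome, one on an old Firefox,
# one on an old Edge, one up to date, one non-browser client and one bad line.
SAMPLE_LOG = """\
1519862400 10.0.0.11 GET https://intranet.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
1519862401 10.0.0.12 GET https://intranet.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"
1519862402 10.0.0.13 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0"
1519862403 10.0.0.14 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/15.15063"
1519862404 10.0.0.11 GET https://cdn.example.com/app.js 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"
1519862405 10.0.0.15 GET https://api.example.com/ 200 "curl/7.58.0"
garbage line without a user agent
""".splitlines()

if __name__ == "__main__":
    for host, (family, major) in sorted(outdated_hosts(SAMPLE_LOG).items()):
        print(f"{host:12} {family:8} {major:4}  below baseline {MINIMUM_MAJOR[family]}")
```

Host 10.0.0.11 appears twice, once on Chrome 58 and once on Chrome 64; it is still reported, because the old build is still installed somewhere behind that address (a second profile, a second machine behind NAT, or a user who has not restarted the browser since the update). The script keys on client IP, which is what a proxy log gives you; joining it to a DHCP lease or an endpoint inventory turns the list into ticketable hostnames.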
8) White/blacklisting and exemption support for Secure Web Gateways (SWG)
Secure Web Gateway (SWG) solutions demand a high degree of extra attention from IT, lest they fail to catch dangerous websites in their Go/NoGo lists or block legitimate web resources that are needed by employees.
Source: ISACA [PDF]
The automated URL categorization provided by such systems often requires support staff to customize these “one size fits all” products into what the enterprise actually needs and requires for each of its users.
If the organization lacks the resources for manual categorization fixes or to configure and monitor exemptions, security can stifle employee productivity - or miss out on new threats.
Examples include uncategorized URLs, and domains that were whitelisted at some point but have since changed hands or been compromised. Researchers estimate that out of 50 billion URLs, only 30 billion have been categorized.
9) Firewall maintenance and configuration/adaptation to new threats
Researchers at the University of Notre Dame calculated that the average firewall rulebase contains 793 rules, and that administrators typically add nine rules per month while removing only four.
And it doesn’t end there. The median monthly rulebase churn rate (percentage of rules added, modified or deleted) is at about 6 percent. Without this continual maintenance, firewalls cannot be expected to work properly.
Analyzing firewall logs also still requires human involvement. With a full staff, proactive log analysis can reveal breach attempts as they happen and give IT a path to head off future attacks.
The 2017 WannaCry and NotPetya outbreaks were in part credited to negligent IT administrators who left SMB ports 445 and 139 reachable from untrusted networks, which allowed the EternalBlue exploit for the SMBv1 flaw patched in MS17-010 to reach unpatched hosts and spread through the network.
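Two of the problems the paragraphs above describe, SMB reachable from untrusted networks and a rulebase that keeps growing with rules that can never fire, can both be checked mechanically before a rule is pushed. The following Python script is an added example rather than anything from the article or from a firewall vendor; it works on a simplified first-match rulebase (the rule format is a stand-in for a real vendor export, and the rules and trusted networks are constructed for illustration).

```python
"""Check a first-match firewall rulebase for exposed SMB and dead rules.

Added example with a constructed rulebase; the rule format is a simplified
stand-in for a real vendor export, not any particular product's syntax.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

SMB_PORTS = frozenset({139, 445})
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                       # "allow" or "deny"
    proto: str                        # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[FrozenSet[int]]  # None means any destination port


def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet rule b could match is already matched by rule a."""
    proto_ok = a.proto == "any" or a.proto == b.proto
    ports_ok = a.dports is None or (b.dports is not None and b.dports <= a.dports)
    return (proto_ok and ports_ok
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))


def dead_rules(rules: List[Rule]) -> List[Tuple[int, int, str]]:
    """Return (later_id, earlier_id, kind) for rules that can never fire.

    'redundant' = same action as the earlier rule that covers it (safe to delete);
    'shadowed'  = different action, so the rulebase does not do what the later
                  rule says it does, which is the dangerous case.
    """
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if _covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                out.append((later.rule_id, earlier.rule_id, kind))
                break                 # report the first covering rule only
    return out


def exposed_smb(rules: List[Rule],
                trusted: List[ipaddress.IPv4Network]) -> List[Rule]:
    """Allow rules that let TCP 139/445 in from a source outside every trusted network."""
    hits = []
    for r in rules:
        if r.action != "allow" or r.proto not in ("tcp", "any"):
            continue
        if r.dports is not None and not (r.dports & SMB_PORTS):
            continue
        if not any(r.src.subnet_of(t) for t in trusted):
            hits.append(r)
    return hits


def _net(text: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(text)


# Constructed rulebase, evaluated top to bottom, first match wins.
RULES = [
    Rule(1, "allow", "tcp", _net("10.0.0.0/8"),     _net("10.1.2.0/24"),     frozenset({445})),
    Rule(2, "allow", "tcp", ANY_NET,                _net("203.0.113.10/32"), frozenset({443})),
    Rule(3, "allow", "tcp", ANY_NET,                _net("10.1.2.5/32"),     frozenset({139, 445})),
    Rule(4, "allow", "tcp", _net("192.168.0.0/16"), _net("10.1.2.0/24"),     frozenset({445})),
    Rule(5, "allow", "tcp", _net("10.2.0.0/16"),    _net("10.1.2.0/24"),     frozenset({445})),
    Rule(6, "deny",  "tcp", ANY_NET,                _net("10.1.2.5/32"),     frozenset({445})),
]
TRUSTED = [_net("10.0.0.0/8"), _net("192.168.0.0/16")]

if __name__ == "__main__":
    for r in exposed_smb(RULES, TRUSTED):
        print(f"rule {r.rule_id}: SMB reachable from {r.src}")
    for later, earlier, kind in dead_rules(RULES):
        print(f"rule {later} is {kind} (covered by rule {earlier})")
```

On the sample rulebase, rule 3 is the WannaCry-style mistake: a file server reachable on 139/445 from anywhere. Rule 6 was presumably added to close it, but it sits below rule 3 and is shadowed, so it does nothing; rule 5 is simply redundant with rule 1 and is the sort of rule the churn statistics above say nobody removes. Port matching here is on destination port only and IPv4 only; a production check would also handle port ranges, IPv6 and the vendor's own notion of zones.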
10) AV software vetting and implementation
AV software demands diligent vetting. Will it solve the kinds of threats that may arise, and how? Will it create new attack vectors?
AV firm Carbon Black's Cb Response product, for example, can be configured to upload binaries it flags as suspicious to an external multi-scanner service, and those binaries may contain confidential company information. IT has to configure it properly to ensure that does not happen.
AV tools have also opened backdoors for attackers. The classified networks of the Republic of Korea Armed Forces were recently compromised through their AV software, Hauri, as a result of a configuration error.
Researchers in Canada found that antivirus software can expand the attack surface when it inspects TLS traffic: to do so, the product installs its own root certificate on the machine and acts as a local TLS proxy, forging a certificate for each site the user visits. If that proxy validates the upstream server's certificate poorly or uses weak keys, it makes man-in-the-middle attacks easier rather than harder.
The previous examples show that traditional AV software can actually damage the business rather than protect it. AV tools need to be evaluated, configured, maintained and monitored to head off such problems.
Without qualified IT security staff, that is a tall order.
In summary, the lack of experienced, properly trained personnel puts enterprise IT security at risk on many levels. Managers are under pressure to identify the weak spots and prioritize critical tasks.
This overview can help identify IT soft spots that are most impacted by the cybersecurity talent shortage, to address and minimize the resulting risks.
By tackling such risks more systematically and managing them centrally, IT can keep its eyes on the other, “productive” areas in which it needs to contribute to the company's core mission.
Larry Loeb has been online since uucp "bang" addressing (where the world existed relative to !decvax) and served as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. He wrote for BYTE magazine, was a senior editor for the launch of WebWeek, and authored books on the Secure Electronic Transaction Internet protocol and "Hack Proofing XML" (his latest). Larry currently writes about cybersecurity for IBM's SecurityIntelligence as well as Security Now.