Talent Crunch Haunts Enterprise Security

Demand for information security experts has grown 3.5 times over the last five years, reveals a study

IFM Correspondent

June 16, 2015: With technology no longer restricting itself to only IT companies, organisations are increasingly facing the risk of cyber attacks. Over the years, there has been an increase in the number of malware being released into companies and economies.

Malware is malicious code that causes abnormal behaviour in computing devices. The term covers viruses, worms, Trojan horses, spam, rootkits and backdoors. Malware is used not only to disrupt business operations but also to steal information or to prepare for an imminent attack.

With hackers continually evolving their attacks, organisations are facing a tough time. To add to their woes, there is a shortage of skilled professionals to protect a business’s assets and maintain continuity. Not surprisingly, according to the (ISC)² Global Information Security Workforce Study (GISWS) 2015, the demand for information security experts has grown 3.5 times over the last five years. There is a global shortage when it comes to hiring the right person for enterprise security.

“The year 2007 was the first time when demand for enterprise security talent outpaced the supply. Cisco says that at any given point of time, there is a supply of 600 security personnel as opposed to 1,000, making the delta a worrisome number,” says Bhavya Sahni, marketing head, Mettl, an e-assessment software provider for recruitment and training.

The talent crunch being faced by the security space is unique to this industry. Globally, client IT teams do not have the confidence in the integration capabilities of the development team at enterprise security organisations. Enterprise security organisations thus have to possess an army of developers, which can instill confidence in client teams that they are capable of strategic integrations. This can only be possible once talent works across verticals and industries. Increasing exposure for enterprise security talent to multiple business intelligence software is the only way forward, remarks Sahni.

Quoting a Frost and Sullivan survey, Clayton Jones, managing director, Asia-Pacific, (ISC)², says that the situation in China and Japan seems to be worse than in other countries. “In the 2015 study, we found that signs of strain within security operations due to the workforce shortage are materialising while companies and organisations are increasingly struggling to manage threats, avoid errors and are taking longer to recover from cyber attacks,” Jones says. This shortage is hardly static. In 2013, the percentage of security professionals reporting “too few” information security professionals was 55.9%, 6.3 percentage points lower than in the 2015 survey.

What needs to be done

“Companies need to impart proper training programmes that lead towards globally recognised certification. These courses offer a structured education development roadmap and there are continuous education opportunities,” says Aloysius Cheang, Managing Director, Cloud Security Alliance, APAC.

Many firms also work with local institutes to train future cyber security leaders. “Blue Coat is actively working with local institutes and organisations to equip the next generation of cyber security leaders, both in government and private industry. That said, the talent crunch will exist for some time,” says Matthias Yeo, CTO for Asia Pacific, Blue Coat Systems, a provider of security and networking solutions based in California.

Chuan-wei Hoo, CISSP, Technical Advisor, Asia-Pacific, (ISC)², feels that the profession must invest in the future and offer entry-level pathways. “New disciplines must be recognised and the resources needed should be put behind them. However, companies cannot do it alone. This calls for a societal response, which is beginning to happen, but not at the rate that is required to stay ahead of threats. It requires all parts of society to respond to this need.”

Things to do

• Business disciplines need to embrace security concerns, especially when it comes to technology adoption rates. Security by design will be the differentiator.

• Watch for complacency in awareness. Delivering awareness training isn’t enough; it must be embedded and contextual so people can recognise their accountability.

• Governments must invest more and recognise that cyber security and the health of their economies are intrinsically linked.

Long way to go for firms

  • Many organisations have an unstructured or “ad hoc” approach to the malware containment process, with no one person or function accountable. The survey cited reveals that while 67 percent of respondents report they have some type of structured approach to malware containment, 33 percent have an “ad hoc” approach.
  • Organisations are also aware that any measure adopted is only detective in nature and not totally preventive, a reality that is sometimes hard to comprehend at the board level. Nevertheless, the current state of preparedness is still better than doing nothing. The next paradigm organisations need to look at will be advanced analytics to counter malware, or some form of predictive security.

[International Finance Magazine]

Organizations Grapple With Security Talent Shortage

When it comes to security, companies are trying to do the best they can with what they have and are often simply hoping they aren’t targeted in a cyber-attack.

These are trying times for corporate information security programs. As if dealing with increasingly sophisticated attacks that can come from virtually anywhere wasn’t enough for IT and security executives, they also have to grapple with a shortage of people who have the cyber-security skills organizations need.

Organizations need to find effective ways to continue protecting data and systems despite the struggle for talent, or they will risk joining the ranks of companies victimized by data breaches.

A recent report by the International Information System Security Certification Consortium Inc. (ISC)2, a global provider of education and certification services for information security professionals, shows how serious the talent shortfall has become.

Nearly two-thirds (62%) of the 14,000 worldwide organizations surveyed online for the report in 2014 said they have too few information security professionals. That compares with 56% in the 2013 survey. The study, (ISC)2’s seventh Global Information Security Workforce Study, found that the reasons for the hiring shortfall are less about money, as more organizations are making budgets available to hire additional personnel.

An even bigger contributor to the shortfall is the insufficient pool of suitable candidates. The report predicts that the global security hiring shortfall will reach 1.5 million in five years. The shortfall is the difference between a projection of the workforce needed to fully address escalating security staffing needs (calculated by research firm Frost & Sullivan) and (ISC)2’s workforce projection.

While the unending advancement in the variety and sophistication of cyber-threats and growing risk areas such as mobile, cloud-based services and the Internet of things are contributing to rising workforce demand and a workforce with a broader range of qualifications, the report noted, other contributors are “self-inflicted” due to decisions organizations make about security priorities.

“It’s unlikely we’ll find solutions to get around the workforce shortage for the long-term,” said David Shearer, executive director at (ISC)2. “In the near term, organizations are attempting to use technology as a workforce multiplier. But there’s only so much efficiency and effectiveness you can achieve.”

Companies are investing more in tools and technologies, Shearer said. “However, threats are evolving faster than vendors can advance their products,” according to the firm’s research, he said.

“In some cases, it’s more of a situation where organizations are trying to do the best they can with what they have and hoping for the best,” Shearer said. “Until we find viable solutions to the workforce shortage, many organizations will be ‘hoping’ they’re doing enough” to protect their resources.

Signs of strain within security programs due to the workforce shortage are showing up, the report states. For example, survey respondents cited configuration mistakes and oversights as a material concern, and remediation time following system or data compromises is steadily getting longer.

Demand for security talent continues to far outpace the supply, added Mark Orlando, director of cyber operations at Foreground Security, a security consulting, training and services firm.

“We see many people jumping into the cyber-security field without having the requisite baseline knowledge to truly understand what is normal activity versus what is malicious or suspicious, or what is a secure configuration versus unsecure,” Orlando said.

As businesses continue to educate themselves about IT security, they must also learn how to measure and evaluate what they’re getting in terms of security support and risk management, Orlando said. “In the absence of security ‘rock stars’ to perform defensive super heroics, documented, repeatable processes underpinned by solid security policy is vital to protecting critical data and responding effectively when a problem or a breach has occurred,” he said.

Companies are attempting to make do despite the security talent constraints.

Hargrove, an organizer of trade shows and other events, is facing challenges both in finding security talent and dealing with budget constraints related to hiring security staff. The company is looking to outsource most of the security analysis, evaluation and technology implementation, said Barr Snyderwine, CIO.

“We will have a response team, but will also rely on outsourcing the level two response and analysis,” Snyderwine said. “Even at that, it is hard to find companies with the skills and time to assist. The next step will be to propose additional budget for next year for additional consulting time to improve our security.”

In the meantime, Hargrove is relying on standard security tools and measures, such as antivirus software, patching, updates and limiting access to its network. “In addition, we do least permissions,” Snyderwine said. “We take away as much admin rights as we can without hurting the ability to work. This has improved our security by decreasing incidents across all platforms.”

The company is moving business applications to the cloud with service providers that have high levels of security and encryption, Snyderwine said.

Another part of the strategy is providing regular training for employees in the security of company data as well as personal information. “Users listen better when it is their data on the line too,” Snyderwine said. The training includes the launching of fake phishing attacks, which he says are very effective.

“We also are moving as much sensitive data off the network as we can,” Snyderwine said. “We recently tokenized one set of sensitive data so we do not store it on our network.”

Experts say one of the keys to increasing the security talent pool is getting Millennials and other younger workers interested in pursuing careers in the field.

“We really need to refine our messaging to younger generations to attract them into this stable, high-paying and in-demand career field,” Shearer said. “The profession must invest in the future, create more awareness around information security as a viable career option and offer entry-level pathways.”

To attract Millennials, “we can stress the importance of understanding what we’re protecting at a practical level, including business processes,” Orlando said. “We should engender a curiosity and a passion for security that extends beyond coursework and certifications. We must cast this industry as what it is: a challenging, dynamic set of problems that can only be solved by creative and analytical minds.”

Bob Violino

[CIO Insight]

Making IT Management and Assessment More Reliable via Automation

I am a technology enthusiast and hence more inclined toward newer, still-developing methods when it comes to the auditing approach. I have worked on both sides of internal audit assignments—the auditor side and the process consultant side. In my experience in both these functions, and despite the various auditing standards and the expected objectivity of the auditor, there are instances of unfair assessment.

The reason for such misrepresentation can range across multiple factors, from lack of expertise to lack of objectivity in audit execution. The risk of incompetence cannot be completely eliminated; however, in order to eliminate the risk of bad judgement and thus unfair assessment, we can employ utilities provided by the system itself to generate customized reports with more insight into the system. While the use of auditing tools is discretionary for auditors, and these tools offer more functionality than just report generation, IT systems could be designed to generate anomaly reports to reduce the risk of inadequate sampling. Similarly, reports can be generated from systems to reflect the impact of failed IT controls. When this much analysis is available from the system itself, the risk of misjudgement is eliminated from the execution, reducing the auditor’s burden to a great extent.

Similarly, IT management can benefit from automation. More often than not, the risk of inadequate policy execution is neglected or accepted without much analysis. This happens because the policies put in place are assessed manually. While there is automation for functions that can be easily automated, such as access management, there is very little automation in enforcing policy adherence as a whole. For example, I have come across various IT changes that were implemented in production without approval, where the IT policy allowed a post-dated approval to be accepted for such changes.

From a compliance point of view, this would be considered an acceptable practice by internal assessment teams. This assurance from the internal audit team is not very diligent, as the code is already in production without being properly authorized and it is not known whether any damage has already taken place. As we can see, this problem stemmed from a basic flaw in the system—the flaw that did not bar the change from taking place in the production environment without approval. This happens because the system was not designed to meet the policy. Perhaps one more layer of security can be added here. A simple control that checks for an approval signature along with proper user authorization, before the change is allowed into production, can provide a much better level of governance than a post-dated approval can. Most IT systems are implemented with minimal customization, and the human factor is responsible for the execution of process controls. As the industry evolves, automated solutions for particular IT functions are appearing. While each of these solutions performs assessments neatly for its function, they do not address the risk of a gap between policy-on-paper and the actual IT infrastructure.

Thus, we need to automate more in this aspect of IT management. We currently rely mostly on human judgement, which at times can be erroneous. At times, IT executives do not have knowledge of the whole system in place, and they end up configuring it wrongly and missing important functionalities. Because of this, IT solutions do not operate at the expected level or, even worse, end up failing as a whole. Such mistakes can be avoided by solutions that learn the functionality of the system and, on the basis of risk, recommend how the system should be configured to reduce the risk of inadequate operation. Also, as I mentioned earlier, using an additional layer of utilities, systems could be designed exactly as per policy and with minimum reliance on the human factor for proper execution of controls. In the industry, there is overall progress in this regard; however, it is still at a slow pace. To make IT more reliable and assessments more transparent, we need to reduce reliance on human judgement and put more emphasis on automation and analytics within the systems.
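The control described above, a gate that refuses a production change unless a signed approval from an authorized approver was granted before the deployment, and the anomaly report an auditor could pull from the system instead of sampling, as an added example. This is illustration code, not the author's tooling; the signing key, the approver roles, the record layout and every timestamp are constructed assumptions standing in for a real change-management workflow.

```python
"""Pre-deployment approval gate plus anomaly report (added illustration).

A change to production passes only if a signed approval exists, matches the
change, comes from an authorised role and was granted BEFORE the deployment,
so the post-dated approval the policy in the text accepted is rejected here.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: secret held only by the approval workflow system (constructed).
APPROVAL_KEY = b"constructed-demo-key-do-not-reuse"
# Assumption: roles permitted to approve changes for each environment.
AUTHORIZED_ROLES = {"prod": {"change-manager", "cab-chair"}}


def _canonical(record):
    """Serialise every field except the signature, in a stable order."""
    body = {k: v for k, v in record.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_approval(record):
    """HMAC-SHA256 over the canonical record; stands in for the workflow's signature."""
    return hmac.new(APPROVAL_KEY, _canonical(record), hashlib.sha256).hexdigest()


def issue_approval(change_id, env, approver, role, approved_at):
    """What the approval workflow would emit; approved_at is an ISO-8601 timestamp."""
    record = {"change_id": change_id, "env": env, "approver": approver,
              "role": role, "approved_at": approved_at}
    record["sig"] = sign_approval(record)
    return record


def _ts(iso):
    return datetime.fromisoformat(iso).astimezone(timezone.utc)


def gate_change(change, approval, deploy_at):
    """Return (allowed, reason). Every check fails closed."""
    if approval is None:
        return False, "no approval record"
    if not hmac.compare_digest(approval.get("sig", ""), sign_approval(approval)):
        return False, "approval signature invalid"
    if approval["change_id"] != change["id"] or approval["env"] != change["env"]:
        return False, "approval does not match this change"
    if approval["role"] not in AUTHORIZED_ROLES.get(change["env"], set()):
        return False, "approver not authorised for this environment"
    if _ts(approval["approved_at"]) > _ts(deploy_at):
        return False, "approval post-dates the deployment"
    return True, "approved"


def anomaly_report(deployments, approvals):
    """Deployments that would not have passed the gate: the anomaly report the
    auditor reads from the system rather than reconstructing by sampling."""
    findings = []
    for dep in deployments:
        change = dep["change"]
        ok, reason = gate_change(change, approvals.get(change["id"]), dep["deployed_at"])
        if not ok:
            findings.append((change["id"], reason))
    return findings


if __name__ == "__main__":
    # Constructed sample data: one proper approval, one granted after the fact,
    # one change with no approval at all.
    a1 = issue_approval("CHG-1001", "prod", "alice", "change-manager", "2015-06-16T09:00:00+00:00")
    a2 = issue_approval("CHG-1002", "prod", "alice", "change-manager", "2015-06-17T09:00:00+00:00")
    deployments = [
        {"change": {"id": "CHG-1001", "env": "prod"}, "deployed_at": "2015-06-16T10:00:00+00:00"},
        {"change": {"id": "CHG-1002", "env": "prod"}, "deployed_at": "2015-06-16T10:00:00+00:00"},
        {"change": {"id": "CHG-1003", "env": "prod"}, "deployed_at": "2015-06-16T11:00:00+00:00"},
    ]
    for change_id, reason in anomaly_report(deployments, {"CHG-1001": a1, "CHG-1002": a2}):
        print(change_id, reason)
```

The ordering of checks matters: the signature is verified before any field of the record is trusted, so a record edited to claim a different role or an earlier timestamp is rejected as tampered rather than evaluated. The same gate function serves both the enforcement point and the audit report, which is the point of the piece: the system, not the reviewer's sample, decides what was and was not authorised.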

Ketan Kulkarni, CISA
Independent consultant

[ISACA]

BYOD Makes You Productive, and It’s Also Why Your NAC Deployments Fail

Network Access Control (NAC): everyone wants to do it, and the goals for most programs are noble.

It goes like this: By ensuring only authorized users and devices connect to the network, IT can help alleviate the risk of an intruder bringing a rogue device onto the corporate network, or avoid people connecting their personal devices riddled with malware to the corporate network and infecting corporate-managed devices. Sounds perfectly simple and reasonable, right?

Not quite. The BYOD trend means NAC is no longer a clear-cut issue. Because most IT departments don’t support or keep tabs on users’ personal electronic devices, they need to limit the amount of access users on their own devices have to the environment in order to protect the rest of the network. Users, in turn, argue that limiting their ability to use their own devices on their employer’s network limits the productivity gains made possible by BYOD. 

Traditional NAC employs several technologies working in tandem. A NAC server is deployed to house the policies, while an agent is deployed on BYOD devices for integrity profiling: through the agent, NAC can interrogate the device for settings and installed software and report back to the server. The routers need at least two networks: one for fully compliant devices and another for guests. The access switches are configured to send authentication requests to the NAC server when a device connects. Based on the results of the integrity checks on the host, the NAC server configures the switches to connect the user to either the fully compliant network or the guest network.

Most NAC deployments fail. We are used to a networking environment where you connect your device and have full access to the network. When NAC is deployed the opposite is true; when your device connects to the network it usually has little to no access by default. Once the device has been interrogated and is compliant with the NAC profile, it may be granted more access.

For example, a NAC policy will often be configured to require specific anti-virus software running and up-to-date on the device, and if someone brings his or her personal computer to work it will be deemed non-compliant by NAC. The moment someone with enough clout can’t get on the network because of this, a flood of the exceptions to the NAC policy start to roll in to IT. The project soon fails.

NAC is yet another “firewall helper” – something to be added on next to a traditional firewall, similar to how standalone URL filtering or Intrusion Prevention Systems are. It is a complicated and expensive proposition to keep adding devices to the network when NAC policies are so easily discarded.

GlobalProtect from Palo Alto Networks offers a simpler approach that can more easily attain the same results leveraging existing infrastructure. GlobalProtect is the remote access VPN client with both SSL and IPSEC connectivity options. GlobalProtect can also be used to perform Host Integrity Posture (HIP) checks.

Consider:

  • You can ensure groups of users are properly defined in your directory server. The more levels of access you want to define, the more groups will need to exist on the directory server. The security appliance obtains the user and group information from the directory server for use in access control policy so it’s important to get this where you want it. This step is true for all NAC deployments.
  • You can decide on what “compliant” means. For example,
    • Fully compliant may mean the user is authenticated to the directory server, the device is connected to the directory server, the device has a certificate, and the device has your standard endpoint protection software running.
    • Partially compliant may mean the user is authenticated to the directory server and has the GlobalProtect software running. These will likely be users on their personal devices who installed GlobalProtect by visiting the VPN portal.
    • Non-compliant users will be users who are not authenticated and do not have the GlobalProtect software installed.
  • You can decide on the levels of access users will get depending on their endpoint posture. Much of this may already be accomplished if you are using User-ID in your Palo Alto Networks security policies. You may have three security policies, as in this basic example:
    • Access for authenticated and compliant users may include typical web browsing and full intranet access with email, file shares, CRM, and development systems.
    • Access for authenticated non-compliant users may include web-browsing and DNS to the Internet and email access internally.
    • Access for unauthenticated non-compliant users may include web-browsing and DNS to the Internet only.
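The three compliance definitions and the three access tiers listed above, written out as a default-deny policy table that a posture evaluator can be checked against, as an added example. This is illustration code, not Palo Alto Networks' software or a GlobalProtect configuration; the check names, service names and sample devices are constructed assumptions, and on a real deployment the HIP checks and User-ID groups would supply these facts rather than a dataclass.

```python
"""Endpoint posture -> compliance level -> access tier (added illustration).

Models the policy in the text as data: a device gets only the services listed
for its tier, so anything not granted is denied by default, which is the
behaviour users find surprising when NAC is first switched on.
"""
from dataclasses import dataclass


@dataclass
class Posture:
    # Assumption: these booleans are what the HIP checks and User-ID would report.
    user_authenticated: bool = False          # user authenticated to the directory server
    device_in_directory: bool = False         # device connected to / known by the directory
    device_certificate: bool = False          # device holds the organisation's certificate
    endpoint_protection_running: bool = False # standard endpoint protection running
    gp_agent_installed: bool = False          # GlobalProtect client present (portal install)


# "Fully compliant" per the text: all four of these must hold.
FULL_COMPLIANCE_CHECKS = (
    "user_authenticated",
    "device_in_directory",
    "device_certificate",
    "endpoint_protection_running",
)

# Default deny: a service absent from a tier is unreachable from that tier.
# Service names are constructed placeholders for the policy's destinations.
ACCESS_TIERS = {
    "compliant": {"web", "dns", "email", "file-shares", "crm", "dev-systems"},
    "partially-compliant": {"web", "dns", "email"},   # authenticated, non-compliant device
    "non-compliant": {"web", "dns"},                  # unauthenticated, no agent
}


def compliance_level(p):
    """Map a posture to one of the three definitions in the text.

    Anything that matches neither of the first two definitions (for example an
    authenticated user with no GlobalProtect agent) drops to the lowest tier,
    so an incomplete posture never gains access by accident."""
    if all(getattr(p, check) for check in FULL_COMPLIANCE_CHECKS):
        return "compliant"
    if p.user_authenticated and p.gp_agent_installed:
        return "partially-compliant"
    return "non-compliant"


def is_allowed(p, service):
    """Policy decision for one connection attempt."""
    return service in ACCESS_TIERS[compliance_level(p)]


def missing_for_full_compliance(p):
    """Which checks the device still fails: the concrete answer to give a user
    asking for a policy exception, instead of granting the exception."""
    return [check for check in FULL_COMPLIANCE_CHECKS if not getattr(p, check)]


if __name__ == "__main__":
    # Constructed sample devices.
    devices = {
        "managed-laptop": Posture(True, True, True, True, True),
        "byod-tablet": Posture(user_authenticated=True, gp_agent_installed=True),
        "visitor-phone": Posture(),
    }
    for name, posture in devices.items():
        level = compliance_level(posture)
        print(f"{name}: {level}, services={sorted(ACCESS_TIERS[level])}, "
              f"missing={missing_for_full_compliance(posture)}")
```

Keeping the tier table as data rather than as a chain of conditions is what makes the scheme survive the "someone with enough clout" problem from earlier in the piece: an exception becomes a visible change to one table entry with a named owner, and `missing_for_full_compliance` tells the helpdesk exactly which check the device fails so the usual answer can be "install the agent" rather than "add an exception".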

When devices connect from outside the physical walls of the organization, or from inside one of the offices, the network will adapt to the user and device based on what it observes (or doesn’t observe).

This is a clear departure from deploying another NAC server firewall helper that needs to communicate and make dynamic changes to the switching infrastructure to be effective. In this use case we are using a centralized security platform with a single policy engine to identify users and devices and provide appropriate levels of access depending on who they are and what device they are on.

To learn more about how GlobalProtect can help you enable a NAC policy that gives users the freedom to use their own devices, yet still protects your network, please visit our GlobalProtect technology page.

[Palo Alto Networks Blog]
