CYBERSECURITY HIRING – AN ISSUE FOR ALL

As cyber threats proliferate, organizations looking to fill cybersecurity vacancies need to take concrete steps to reboot recruiting and hiring efforts. Qualified candidates for cybersecurity jobs are scarce and getting scarcer, creating a challenge for companies to properly defend themselves against threats. By 2022, an estimated 1.8 million cybersecurity jobs will go unfilled, according to research by (ISC)2.

It’s a classic supply-and-demand challenge, with too many vacancies for too few candidates. Currently it takes 55% of organizations at least three to six months to fill a cybersecurity vacancy, and 32% spend even more time to find qualified candidates, ISACA has found. In the United States, 27% of companies say they cannot fill cybersecurity vacancies.

To reverse this trend, employers should work on offering attractive compensation packages and creating a career advancement path for qualified candidates. Cybersecurity workers are more likely to accept jobs with companies willing to invest in training and education to update their cybersecurity skills. And as revealed in a recent (ISC)2 report, a greater investment in technology to protect against cyber threats also is needed, since 51% of IT workers in charge of security fear their organizations aren’t prepared enough to respond to cyberattacks.

Employers also should work on expanding the talent pipeline, identifying candidates from other fields who can quickly adapt to the cybersecurity profession and stepping up recruitment efforts in demographics that traditionally have been underserved for cybersecurity work – millennials and women. Tapping these sizable talent pools could help reduce the skills shortage.

The State of Cybersecurity Employment

Skills gaps have persisted in the IT industry for decades, something industry trade organization CompTIA has sought to address along the way. At least eight in 10 U.S. businesses feel adverse effects of this shortage, according to CompTIA. The problem is especially acute – and worrisome because of what’s at stake – in cybersecurity.

The U.S. Bureau of Labor Statistics estimates the number of IT security jobs is expected to have increased 18% by 2024, but as (ISC)2 has discovered, there will be nowhere near enough skilled candidates to fill those jobs. ISACA has found one in five organizations draw fewer than five candidates for each cybersecurity position.

Meanwhile, cyber threats get progressively worse, becoming more frequent and damaging. Studies suggest many organizations need to better prepare to address the cybersecurity challenge. For instance, a Crowd Research Partners study released in early 2017 shows 62% of respondents had moderate to no confidence in their security measures.

The Recruitment Challenge

What makes cybersecurity recruiting such a vexing challenge? It’s a confluence of factors:

  • Cybersecurity careers remain relatively novel. Most cybersecurity professionals (87%) start out in different work. A student envisioning a technology career is more apt to think about web or mobile app development, not protecting an organization from cyber attacks. However, this dynamic is changing rapidly as colleges expand their cybersecurity curricula, and the cybersecurity field matures.
  • Hiring practices are problematic. Admittedly, when demand far exceeds supply, even the best recruiters will struggle. That isn’t to say improvements are impossible. Protracted hiring processes can discourage jobseekers, who will find employment elsewhere. In a highly competitive market, hiring must be quick and efficient. Another issue is too often the people recruiting and hiring lack cybersecurity expertise, which can make it difficult to identify the right candidate.
  • Employers have unrealistic expectations. Employers need to make sure descriptions for cybersecurity positions accurately match the knowledge, skills and abilities the role requires. (ISC)2 research indicates this is an area for improvement, and the same is true of employers’ investment in training and certifications. Only about one-third of respondents (34%) said their company pays for all of their cybersecurity training.
  • Women are underrepresented. Female cybersecurity workers remain relatively rare. In North America, only 14% of the region’s cybersecurity professionals are women. That compares with 10% in Asia-Pacific, 9% in Africa, 8% in Latin America and 7% in Europe.
  • Millennials also are scarce. Millennials make up a small fraction of the cybersecurity job market. Millennials are a diverse group with a strong interest in training, mentorship and apprenticeships, areas in which too many of today’s budget-conscious employers could do a better job.

 

High Stakes

Solving the cybersecurity hiring challenge will take time and effort. In the short term, employers can make progress by adjusting their hiring expectations, streamlining the recruitment process and tapping underserved talent pools.

There’s a lot at stake because organizations need to protect their critical IT assets. As threats proliferate, new tools to combat those threats become available. Companies need to invest in those technologies and the people who run them. This is an ongoing endeavor, which will benefit from upfront investments in hiring and recruiting and in skills development for members of the cybersecurity team. Keeping the skills of cybersecurity workers up to date is essential to the execution of an effective cybersecurity strategy.

 

How to Attract Qualified Candidates

Successfully filling cybersecurity jobs in such a wildly competitive field takes a refined approach. Here are some recommendations for employers to follow during the recruitment process:

  1. Invest in training and certifications.

Investment in cybersecurity skills through training and certification benefits both the individual and the employer. The cybersecurity field is evolving rapidly to keep up with an ever-changing threat landscape, so security workers need ongoing training to update their skills. Training also has a positive effect on retention. Workers will be less tempted to seek employment elsewhere if they believe their current employers understand the importance of skills development.

  2. Offer career advancement.

Employees view career advancement opportunities as a reason to grow professionally with their employers. That’s true of any field, including cybersecurity. Too often, employers resist advancing workers when they are doing a good job because they want to protect the organization. But this may have the effect of demoralizing employees who deserve to move up as well as those behind them who are ready to take over their positions. Employers should offer advancement paths based on clearly defined achievements and goals, and make that known during the recruitment and hiring process.

  3. Engage cybersecurity workers in decision-making.

Employers are more likely to attract cybersecurity talent by correctly setting expectations and defining responsibilities. This means clearly articulating that you recognize the role of cybersecurity professionals is primarily to advise senior management on how to minimize risk. (ISC)2 has found employers often ignore advice from workers in charge of IT security, with only about one-third (35%) of those workers saying management follows their advice. Employers should be realistic with cybersecurity jobseekers about the organization’s culture and willingness to accept advice, all of which directly contribute to the success of the cybersecurity program. Position the cybersecurity role as a valued contributor and advisor to leadership, but don’t oversell it.

  4. Fine-tune recruitment processes.

As already noted, protracted hiring processes discourage job applicants. Managers can improve the likelihood of hiring the best candidates by making a decision as quickly as possible, and not forcing candidates to wait for an answer for weeks or months. To streamline processes, HR and cybersecurity managers should work together to maintain a pool of resumes they can use when needing to fill a vacancy. In addition, keeping staffers with cybersecurity expertise involved in the hiring process is crucial to hiring the best-qualified candidates.

  5. Target untapped talent.

Millennials and women are a largely untapped talent pool for cybersecurity. Employers can get a jump on the talent market by reaching out to female and millennial candidates, both internally and externally. Another area worthy of exploring is to identify professionals in other fields, such as communications, accounting and law enforcement, who could easily adapt to cybersecurity work. The more diverse your cybersecurity team, the more likely it is to develop effective, innovative practices and approaches to the defense of your IT environment. Homogeneous teams tend to get stuck in repeating tired practices, sometimes even after those practices become ineffective.

  6. Partner with school districts and universities.

The IT industry – and by extension the cybersecurity field – can partly address skills gaps by forging partnerships with schools. Getting students interested in cybersecurity in their formative years is an investment in the future, and there are multiple ways to accomplish this:

  • Sponsor and participate in career days.
  • Offer internships and apprenticeships.
  • Actively participate in the educational process with guest lectures at local schools.
  • Sponsor field trips to data centers and other locations where students can meet cybersecurity workers.
  • Offer scholarships to deserving students, and target girls and other groups that are underrepresented in the industry.

  7. Offer attractive compensation packages.

Competitive pay isn’t the only way to attract good talent – especially among millennials, who also put a premium on corporate values and career development. Still, compensation is a major factor. When talent is so scarce, employers may have no choice but to offer compensation above the average, coupled with an attractive benefits package and bonus schedule. Employers should also make it a practice to adjust compensation for existing cybersecurity staff to prevent poaching.

 

Competition for cybersecurity talent is fierce and will get more intense in years to come, as employers try to fill positions from a limited talent pool. In the meantime, cyber threats are likely to continue getting worse, adding pressure to fill vacancies. Organizations need to adopt hiring and recruitment best practices, promote from within when possible, and partner with educational institutions to find and develop cybersecurity talent. Hiring cybersecurity workers is a major challenge that shouldn’t be ignored because there’s so much at stake.

(ISC)² will soon have a report, based on survey research, on how job seekers – and those hiring – can come together to help mitigate the challenge of hiring in cybersecurity. Stay tuned!

[(ISC)² Blog]

Protecting Workloads on Google Cloud Platform with the VM-Series

One of three articles in a series about the VM-Series on: Google, AWS and Azure.

Organizations are adopting Google Cloud Platform to take advantage of the same technologies that drive the commonly used Google search engine and maps services. Business initiatives – such as big data, analytics and machine learning – deployed on GCP can leverage contextual data collected from billions of Google search engine data points. GCP offers a global footprint to allow you to quickly deploy enterprise-class applications and services.

Our VM-Series, deployed to protect workloads within a Google project, helps customers address their role in the shared responsibility model. GCP was designed with security as a core component and uses a variety of technologies and processes to secure information stored on Google servers. However, Google is very clear on where their security responsibilities end, and where the customer’s security responsibilities begin. As shown below, it is the customer’s responsibility to protect their operating systems packages and the applications they deploy.

Figure 1: GCP Shared Responsibility Model

 

That’s where the VM-Series on GCP, which we officially announced this month, can help. It complements Google Firewall by protecting your applications and data using a prevention-based approach:

  • Complete visibility and control: The VM-Series gives you complete visibility into the applications traversing your cloud deployment and the content within, malicious or otherwise. This knowledge allows you to deploy a more consistent, stronger security policy for inbound and outbound traffic to prevent known and unknown attacks.
  • Reduce the attack surface; limit data exfiltration: Using the application identity as a means of enforcing a positive security model reduces the attack surface by enabling only allowed applications and denying all else. Application usage can be aligned with business needs, extending to application functions as needed (e.g., allow SharePoint documents for all but limit SharePoint administration access to the IT group). In addition to controlling applications, policies can be enabled to block or generate alerts on file and data transfers, thereby limiting data exfiltration.
  • Prevent known and unknown threats: Applying application-specific threat prevention policies to allowed traffic can block known threats, including vulnerability exploits, malware, and malware-generated command-and-control traffic. Unknown and potentially malicious files are analyzed based on hundreds of behaviors. If a file is deemed malicious, a prevention mechanism is delivered in as few as five minutes. Following delivery, the information gained from file analysis is used to continually improve all other prevention capabilities.

To help eliminate security as a possible bottleneck, bootstrapping, the XML API and other VM-Series automation features, combined with GCP or Terraform templates, will allow you to embed next-generation security into your application development lifecycle. The VM-Series on GCP will be available in March 2018.

 


[Palo Alto Networks Research Center]

Mobile Android Is an Even Bigger Opportunity for Attackers Than Windows PCs

Mobile Android is now a bigger threat opportunity than Windows PCs – in terms of shipments, usage, installed base and the number of vulnerable targets.

According to Statcounter, at the end of 2017, the leading mobile operating system, Android OS, was the most used global operating system, surpassing usage of 17 other operating systems, including Windows. Android had surpassed Windows shipments a few years ago, reaching 1.9 billion by the end of 2017 – nine times the shipments of traditional PCs according to Gartner. There are now 2.7 billion Android-based smart devices in use, compared to an estimated 1.5 billion Windows devices.

Historically, cybercriminals simply did not have enough vulnerable mobile devices out there to make significant attacks worthwhile. That’s changed. Cybercriminals are in it for the money; and they look for the most vulnerable targets, in the greatest quantity, that will take the least amount of effort to breach and have the highest potential for monetary gain.

This buildup of mobile threats has been foreseen for some time. In 2006, roughly six months before the release of the first iPhone, Scientific American warned about the perils of mobile malware and noted mobile malware growth at that time roughly paralleled that of computer viruses in the first two years after the first PC virus, “Brain,” was released in 1986.

In 1988, computer experts dismissed viruses as inconsequential, vastly underestimating how quickly malware could grow in prevalence, diversity and sophistication. In their 2006 article, Scientific American also warned about making the same mistakes with mobile, pointing out that the bigger the target, the greater the attraction for malicious programmers and that smartphones would soon make up most of the world’s computers (now true).

Outdated Windows devices have proven to be a significant security risk. About 140 million active Windows PCs are still running Windows XP, a 14-year-old operating system that Microsoft stopped updating in 2014. The massive WannaCry cyberattack last year exploited a security hole in the Windows XP operating system.

But in comparison, Android has about one billion of the 2.7 billion active devices running outdated operating systems. That’s about seven times the number of vulnerable XP devices.

Mobile devices do have some advantages over Windows security-wise, so maybe that will help stall the pace of infection and attack going forward. Applications are more tightly controlled by OS leaders, like Apple and Google, and users must provide permission to allow access to core phone functions. There are fewer malicious actors adept in mobile software. But counter to that is the more casual attitude of subscribers towards security of their mobile devices and the fact that mobile devices have billing mechanisms built in, leading to SMS fraud.

Most mobile subscribers don’t apply even the basic security passwords, and even fewer install device protection. Permissions in new apps are requested and granted broadly by impatient subscribers. The monetary incentives are also getting sweeter for cybercrime. Use of mobile for financial transactions is growing. The GSMA estimated that the industry processed 22 billion financial transactions in 2016 and identifies mobile technology as key to transforming access to financial services in emerging markets for hundreds of millions of people.

Our Unit 42 threat intelligence team has been analyzing threat trends and reporting on the last four years of new Android malware evolution. Check out their latest research on Android threats.

Will the threat landscape for mobile networks and devices reach the attack volume witnessed with Windows devices and enterprise networks? We believe the answer is “yes,” and we think the trend is well underway.

For mobile network operators, the growing number of attacks threatens their own infrastructure as well as their subscribers. Malware-infected devices can be recruited into botnets and turn against mobile infrastructure to degrade network availability. The full visibility provided by Palo Alto Networks Next-Generation Security Platform is essential as it allows mobile network operators to monitor building threats, identify already infected devices and determine appropriate action.

 

Connect with us at Mobile World Congress in Barcelona

Want to learn what we’re doing to help secure the new hyper-connected world that we live in? Connect with our mobile network specialists or reserve your seat at one of our speaking sessions at Mobile World Congress in Barcelona.

[Palo Alto Networks Research Center]

IoT Security in Healthcare is Imperative in Life and Death

We go into the hospital with a great deal of trust. We trust that doctors will help us and potentially even save our lives. Beyond hospitals, there are not many places in the world where we are willing to do anything we are asked: take off our clothes, talk about our sex lives, etc.

Recent cyberattacks, such as WannaCry and NotPetya, put this trust into question. An increasing number of cybersecurity incidents have impacted many hospitals and made them unsafe. Not only was patient information stolen and privacy impaired, but, in some cases, the cyberattacks interrupted normal operations and services. In hospitals, that could mean life or death.

Over the last decade, the healthcare industry made significant progress on digital transformation. Patients’ healthcare records are online, test results and images are digitized, an increasing number of medical devices are connected, and medical equipment can be remotely monitored and maintained. This technology has brought tremendous improvements in efficiency and convenience to medical staff and patients alike, while helping reduce human errors and lower operational costs. At the same time, however, this high level of connectivity has created a much larger surface area for security risks. Because there are so many connected devices and a large variety of different types of connected devices, it is becoming increasingly difficult to completely secure all of them at all times.

Hackers can not only use these devices as stepping stones to access critical assets, such as patients’ healthcare records, they also can compromise these devices to cause physical harm and put people’s lives at risk. For example, we demonstrated in our research lab that we can hack into an infusion pump from a leading vendor to change the dosage of the medication that is going directly into a patient’s body. This dosage change alone could be fatal to a patient.

Mid- to large-size hospitals use hundreds, if not thousands of third-party products and services. Even if the hospital itself is secured, these third-party vendors can bring in lots of vulnerabilities. Each of these third parties also uses many more other external vendors. If any of those external vendors is affected, there could be a domino effect on the hospital’s security – yet another reason it is extremely challenging to secure a hospital and all its IoT devices.

Is there a solution? In many ways, an IoT system is very similar to the human body – a large and complex system that is always on. Let’s use a heart attack as an analogy. We all know that a heart attack can be catastrophic. Although a heart attack usually happens suddenly, the conditions that make it likely actually take days, months or even years to build up. If we could continuously, automatically and intelligently monitor the heart and body, we could detect early signs of problems and take preventive actions to avoid the heart attack.

Doctors detect and cure diseases through their detailed knowledge of different parts of our body and their functionalities. Surprisingly, we don’t have similar information on IoT networks. Most hospitals we have talked to don’t have up-to-date information about what types of IoT devices they have, much less how many of these devices are connected onto their networks. So, IoT device visibility is the first task for each organization. At any given time, we need to know which devices are connected onto the network – plus, what they are supposed to do and not supposed to do – and conduct real-time monitoring of their behavior for early detection of potential cyberattacks.

Yet another challenge beyond the number and varied types of devices: these devices get on and off the network dynamically. How do we handle a highly dynamic system of such large scale? Obviously, manual monitoring is not feasible. The key is to leverage artificial intelligence (AI) to identify and monitor devices automatically, so that we can further protect them – and the hospital and its patients – in the event of a cyberattack.

In summary, visibility and AI are the keys for IoT security in healthcare.

Dr. May Wang, Co-Founder and CTO, ZingBox

[ISACA Now Blog]
