The “IT Middle Class” and the Growing Skills Gap

One of the cyber challenges that has long faced organizations is the IT skills gap, and as cybercriminals have widened their focus and moved down the food chain to target more small and medium-sized businesses, that problem has become more pronounced. This is particularly true for what Confer founder and VP of products Paul Morville describes as the “IT middle class.”

“You’ve seen this massive acceleration in terms of people who need to worry about security, people who have to acquire talent in that area,” said Morville, who was a guest on this week’s Cyber Chat podcast. “It’s only getting harder.”

That “democratization” of who is being targeted is the biggest driver behind the often-reported skills gap, Morville said. More businesses than ever are in need of security professionals, and there’s just not enough talent to go around.

The Growing IT Middle Class

The numbers back up those assertions. According to a 2015 analysis of Bureau of Labor Statistics numbers, the demand for IT security professionals is expected grow by 53 percent through 2018, and a 2016 ISACA report found that 62 percent of those surveyed stated their organizations have too few information security professionals.

In addition, the ISACA report noted:

  • Finding talent can take a long time: More than half of organizations require at least three months to fill open cybersecurity positions, and nine percent could not fill the positions at all.
  • Most applicants do not have adequate skills: Fifty-nine percent of respondents said that less than half of cybersecurity candidates were considered “qualified upon hire,” up from 50 percent a year prior.
  • Security confidence is down: Only 75 percent of respondents reported that they were comfortable with their security teams’ ability to detect and respond to incidents, down from 87 percent a year prior.

In many ways the problem of the cybersecurity skills gap is defined by this growing IT middle class, as Morville noted:

Currently, the largest organizations — such as mega-banks and the military — have the resources to excel at IT security. … Just one tier down from this elite group, it’s a different story. … Under these circumstances, security teams are forced to rely on security tools that are outdated, siloed and inefficient. These tools allow too many attacks to get through, are often disruptive to users, and offer no post-incident value.

Organizations at the top of their industries devote a lot of resources and manpower towards security, but that drops off “really fast” when you start moving down market, Morville said.

Addressing the Gap

Finding the right candidate can be challenging because — as others have said — security professionals often have to be a chameleon and wear many different hats.

“When you look at a security person, they’re part engineer, they’re part researcher, they’re part operational in nature, they’re partly a police officer,” Morville said. “You can’t go to a university right now and study that. There’s very few programs that are specialized in this area.”

He added, “I think the more we can do in terms of feeding more people with this skill set into the funnel, the better off we’ll be.”

But finding people to stop the bad guys is only half the equation, Morville said. The other half is doing so in a way that frees up resources. That’s where security tools need to improve to make sure they’re helping organizations become more efficient.

“I put a lot of burden back on the security vendor community in terms trying to create products that, as I said, become more of a force multiplier.”

As SurfWatch Labs chief security strategist Adam Meyer wrote, there is a huge difference between being actionable and being practical, and tools and intelligence need to be more practical. This means security tools should help free employees from low-level tasks so that the employees organizations do have can better utilize their time, Morville said.

“Everybody is just always looking for new security people — people to add to the team. It’s hard to find people, and it’s hard to train people, and it’s hard to retain people.”

For more, listen to the full conversation with Confer’s Paul Morville about the skills gap, how it’s affecting the IT middle class, and what security vendors, businesses and others can do to help address the problem.


Podcast: Hackers Get Political, Massive Cryptocurrency Theft and Password Woes Continue

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 74: Hackers Get Political, Massive Cryptocurrency Theft and Password Woes Continue:

Cybercrime and politics crossed paths yet again as a data breach at the Clinton Foundation was revealed as part of a wide-reaching campaign. A massive cryptocurrency theft led to tens of millions of dollars in potential losses for The DAO. Acer is notifying users of a breach at the company’s e-commerce site. And banks continue to be targeted with DDoS attacks. A variety of companies are also reporting secondary breaches stemming from the breaches at LinkedIn and others, keeping the issue of password reuse in the spotlight. Researchers highlighted a variety of malware this week including PunkeyPOS, DED Cryptor, RAA ransomware, Magnit and GozNym. The FBI released updated stats on business email compromise scams, and surprise, it’s only getting worse. Legal news includes financial institutions filing a lawsuit against Wendy’s, Home Depot filing an antitrust lawsuit against Visa and MasterCard over chip-and-signature issues, the SEC warning of a man hacking accounts to make unauthorized trades, and a $950,000 privacy settlement with the FTC. Also, some people are not too happy about a Game of Thrones spoiler service.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

Organizations Overwhelmed, “Literally Lose Track” of Sensitive Data

Many businesses cannot keep up with the plethora of sensitive data that’s being created and shared by their organization, and as a result they may face increasingly stiffer fines as new regulations and laws are passed to protect that data.

That’s according to John Wethington, VP of Americas for Ground Labs, a security company focused on helping organizations monitor their data.

“Simply put, there’s so much data being generated every single day that these organizations — they literally lose track of it,” said Wethington on SurfWatch Labs latest Cyber Chat podcast.

“The data is constantly being moved and shifted around. It’s being put in a variety of different formats, stored in a variety of different locations,” he said. “I think the average individual doesn’t see behind the scenes and understand all the hands that touch their data for a variety of different reasons.”

Do You Know Where Your Data Is?

That lack of insight is leading to data breaches caused by both mistakes within the organization as well as external actors such as cybercriminals and hacktivists.

Although data storage and data use has shifted over the past few years — more cloud services, more sharing, more tools to extract and analyze information — cybersecurity has often lagged behind that shifting approach.

If an organization isn’t closely monitoring that sensitive information, they may be in for a rude awakening, Wethington said.

“Much like a child, you have to constantly keep an eye on them otherwise they’re going to wander off somewhere you’re not going to expect, and the same thing with the data. It’s going to wander off somewhere, you’re not going to expect it to be there, and then you’re going to find yourself in trouble.”

Evolving Regulatory Landscape

That lost data may lead to larger fines and penalties as new regulations such as the EU’s General Data Protection Regulation (GDPR) come into effect and organizations have to deal with issues such as the right to be forgotten.

The GDPR, which goes into full effect in May 2018, comes with a considerable increase in potential monetary fines for those that don’t keep personal information protected: up to 4% of firms’ total worldwide annual turnover.

The global regulatory environment is “rapidly changing” as governments try to create different ways to compel organizations to maintain data security, Wethington said. As a result, organizations are trying to understand what new regulations such as GDPR will mean for them.

He added, “It’s going to be an interesting couple of years ahead of us.”

Listen to the full conversation with Ground Labs  John Wethington below:

About the Podcast
Throughout 2016 we’ve seen numerous data breaches related to businesses being unable to properly monitor and protect their data. As Ground Labs VP of Americas John Wethington put it, organizations simply cannot keep track of the growing amount of data they have. However, new regulations such as the EU’s General Data Protection Regulation come with stiff penalties for those organizations that do not protect the sensitive data they collect.

On today’s Cyber Chat we talk with Wethington about why businesses are having trouble monitoring that data, how they can improve, and what the future holds for data security.

Podcast: DNC Hacked, Espionage Makes Headlines, and Updates on CISA and Net Neutrality

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 73: DNC Hacked, Espionage Makes Headlines, and Updates on CISA and Net Neutrality:

This week’s trending cybercrime events include Wendy’s announcing its point-of-sale breach is significantly larger than previously reported, a breach at the Democratic National Committee and theft of Donald Trump opposition research, and a nearly 8-million strong breach at Japan’s top travel agency. The University of Calgary also joined the growing list of organizations that have made sizable ransomware payments, and file sharing service iMesh became the latest company to face a massive breach of user records. Advisories include more dark web dumps, a variety of espionage-related headlines, the apparent demise of the Angler Exploit Kit, and updates on malware, including ransomware targeting smart TVs. Trending legal stories include a hearing on the 6-month-old Cybersecurity Information Sharing Act, a ruling in favor of Net Neutrality, and a $1 million Morgan Stanley fine. Also, the once maligned website now ranks among the web’s most trustworthy sites.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

Podcast: Massive Myspace Hack, Cryptoworm Warnings and Breach Lawsuits Continue

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 72: Massive Myspace Hack, Cryptoworm Warnings and Breach Lawsuits Continue:

This week saw more news about password breaches as 427 million Myspace passwords and 65 million Tumblr passwords were put up for sale on the dark web. announced a potential data breach stemming from a vulnerability in third-party email server software. TeamViewer faced a DDoS attack and what the company claims are false accusations that it suffered a data breach. Australia’s NSW Trainlink halted its online reservation system due to a compromise. Pakistan’s Zameen real estate was hacked and had its entire database allegedly posted online. Trending advisories include warnings of a potential cryptoworm known as ZCrypt, the dormant FrameworkPOS campaign resurfacing, and Kovter malware targeting Fortune 500 companies by escalating from low-level adware to more advanced threats. The FBI also warned of data breach victims being extorted, and there was a vulnerability discovered in the popular WordPress Jetpack plugin. Legal stories include developments in the Anthem, CareFirst and Kroger breach lawsuits as well as warnings from the UK’s IOC and the largest ever arrest of Russian hackers. Finally, one apartment complex found a controversial new way to get Facebook likes.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

Vulnerability Management: False Confidence, the Remediation Gap and Other Challenges

Organizations believe their vulnerability management programs are more mature than they really are, and the time it takes to remediate vulnerabilities remains an issue for many businesses, according to several reports.

A SANS whitepaper, What Are Their Vulnerabilities?: A SANS Survey on Continuous Monitoring, concluded that security practitioners are overconfident in their current state of continuous monitoring:

… survey results starkly illustrate that we are approaching a dangerous state in which we believe we have appropriately addressed problems, though we have, in fact, not adequately remediated them—therefore unknowingly leaving a window of opportunity open for attackers.

“Each of the questions taken on their own – there’s nothing really major that’s unsound. But looking at those questions together is very interesting,” said David Hoelzer, SANS Fellow Instructor, author of the paper, and founder and CISO of CyberDefense, the parent company of Enclave Forensics.

“More than half of these [organizations] are saying that they are mature or maturing. They say that, but then when we look at the coverage of assets … no one is even willing to say that they are covering 100% of their publicly exposed systems.”

Hoelzer, who was a guest on our vulnerability management podcast last October, said that gap in perception is a cause of concern.

“I would not define what we’re seeing in that report as anything like mature,” he said. “It seems as though our criteria or the bar we’re trying to reach is not high enough.”

Closing the Remediation Gap

One of the biggest challenges around vulnerability management is the time it takes organizations to remediate those vulnerabilities, or the remediation gap.

According to a 2015 Kenna Security report, The Remediation Gap: Why Companies Are Losing the Battle Against Non-targeted Attacks, even “conservative” estimates found that the window of opportunity for many exploits remains significant:

  • On average, it takes businesses 100-120 days to remediate vulnerabilities.
  • At 40-60 days, the probability of a vulnerability being exploited reaches over 90 percent – indicating that most successfully exploited vulnerabilities are likely to be exploited in the first 60 days.
  • The gap between being likely exploited and closing a vulnerability is around 60 days.

“The gap that we’re looking at is getting much bigger, and I think that is happening because attackers are getting really, really good at automated attacks,” said Kenna Security’s senior data scientist Michael Roytman, who was also featured on the podcast.

Old Vulnerabilities, New Problems

According to Roytman, enterprises often have a huge backlog of vulnerabilities. That “security debt” is one of the primary reasons for the remediation gap. In addition, it can be difficult to know which of those vulnerabilities are actually being exploited.

For example, attackers continue to exploit old vulnerabilities, as pointed out in the report:

  1. CVE-2010-3055 was exploited 121,000 times in 2014. It allows attackers to run arbitrary code in phpmyadmin via a POST request, and phpmyadmin runs millions of sites worldwide. It’s a CVSS 7.5, which means it’s bound to fly under the radar more often than not. But it shouldn’t.
  2. CVE-2002-0649 is an ancient worm that exploits SQL Server 2000 and Microsoft Desktop Engine 2000. Reading the Wikipedia article on the worm makes it seem like it’s a long forgotten problem, but we witnessed 156,000 successful exploitations in 2014. It’s not new, it’s not hip, it’s not current, so one talks about it – but it’s a significant threat.
  3. CVE-2000-1209 is also not to be forgotten, with 272,000 successful exploitations. It exploits Microsoft SQL Server 2000, SQL Server 7.0, and Data Engine (MSDE) 1.0, including third party packages that use these products such as Tumbleweed Secure Mail (MMS), Compaq Insight Manager, and Visio 2000.

The report concluded: “These vulnerabilities are not new – in fact, they’re extremely old – and yet they perfectly represent the kind of unremediated vulnerabilities that automated attacks attempt to find. They’re the windows that the criminals rattle around and try to pry open.”

“Huge Opportunity” for Threat Intelligence

Integrating threat intelligence into vulnerability management is recent development, Roytman said, as the data available now wasn’t available five or ten years ago. But threat intel can help provide the biggest bang for the buck in terms of deciding which of the potentially thousands of actions an organization should take first.

“What’s surprising to me is the lack of information about what is being exploited,” Roytman said. “Integrating those data sources, disseminating that knowledge, is something that can really shorten the remidation gap, and it was surprising to me to see how many enterprises don’t have that information integrated.”

He added: “We’re kind of at this crossroads where the data is flowing in, but maybe we’re not integrating it into our vulnerability managment practices, and that’s a huge opportunity.”

You can listen to our previous podcast on vulnerability management below for more information:

About the Podcast:
This special episode is all about the challenges and issues around vulnerability management. David Hoelzer – SANS Fellow Instructor, dean of faculty for the SANS Technology Institute, and founder and CISO of CyberDefense, the parent company of Enclave Forensics – discusses the recent SANS survey and whitepaper “What Are Their Vulnerabilities?: A SANS Survey on Continuous Monitoring.” Among the findings is that “we are approaching a dangerous state” where companies believe they are doing better than they are – leaving a window of opportunity for attackers.

Kenna Security’s senior data scientist Michael Roytman also joins the podcast to discuss their recent report, “The Remediation Gap: Why Companies Are Losing the Battle Against Non-targeted Attacks.” The report estimated that most companies take an average of 100-120 days to remediate vulnerabilities. We chat about the state of vulnerability management, the challenges facing organizations, and what businesses can do to improve on that front.

Podcast: Big Names Get Breached, Malware Evolves and Court Questions Data Sharing

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 71: Big Names Get Breached, Malware Evolves and Court Questions Data Sharing:

This week’s trending cybercrime events include breaches at the NBA’s Milwaukee Bucks and the furry site “Fur Affinity,” a two-year cyber-espionage campaign against Swiss military contractor Ruag, payment card skimmers found at Walmart, and DDoS-for-hire services found on the online marketplace Fiverr. Researchers discussed several new types of malware including a stealthy new malware dubbed “Furtim,” a new variant of Cerber ransomware, and changes to DMA Locker – which is being upgraded for a potential “massive” distribution. On the legal front, the transfer of data between the U.S. and the EU continues to be questioned in court, Wells Fargo was ordered to pay a $1.1 million fine related to employee data theft, another W-2-related breach lawsuit was filed, and various individuals were arrested and cybercriminal groups disrupted. Also, people continue to get in trouble by hacking road signs.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

Podcast: Hackers Get Hacked, SWIFT Attacks and a Ruling from the Supreme Court

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 70: Hackers Get Hacked, SWIFT Attacks and a Ruling from the Supreme Court:

The hacker forum was breached and the sensitive information of its members was made publicly available. SWIFT warned of more attacks against banks at the same time the Anonymous OpIcarus campaign hit more financial sector targets. LinkedIn discovered its 2012 breach was much bigger than previously thought. And a couple of researches upset OkCupid by publishing data on 70,000 of the dating site’s users. This week’s advisories included more developments in the cat-and-mouse game around the CryptXXX ransomware, an alert on an old SAP vulnerability, an Android banking Trojan and click-fraud botnet, and more PayPal phishing scams. This week also saw a highly anticipated Supreme court ruling on a privacy-related class action lawsuit, the continuation of financial institutions lawsuit against Home Depot, and a new lawsuit around a breach of W-2 information at aircraft maintenance company Haeco. A judge also ruled the FBI did not have disclose a vulnerability in the Firefox browser, and the U.S. saw its first conviction in the hack of newswires that generated $100 million in profit. Also, the LinkedIn breach revealed another round of terrible password habits.

Listen to the podcast via the player below, or learn more about SurfWatch Labs podcasts on our podcast page.

Will Your Internal Sharing of Data Cause a Breach?

On May 4 the United Kingdom’s Information Commissioner’s Office (ICO) announced a £185,000 fine against a health trust for inadvertently publishing the personal details of 6,574 staff members on its website.

Blackpool Teaching Hospitals NHS Foundation Trust is required to post annual equality and diversity metrics. Unfortunately, the published spreadsheets contained “hidden data.” Simply double clicking on the posted tables revealed the sensitive information behind them. This included employees’ names, pay scales, National Insurance numbers and dates of birth as well as other volunteered information such as ‘disabled’ status, ethnicity, religious belief and sexual orientation.

The incident is just one of many examples of data breaches resulting from the inappropriate sharing of data within an organization. In fact, the ICO recently published a guide about how to safely disclose information due to a string of similar incidents.

One of the drivers behind those breaches is business intelligence moving away from a locked-down, data-silo approach and back towards the the freewheeling, self-serving nature of the early 1990s as tools like Tableau empower analysts, said Datawatch chief product officer Jon Pilkington, who was a guest on this week’s Cyber Chat podcast.

In its monetary penalty notice to Blackpool Teaching Hospitals NHS Foundation Trust, the ICO noted that the trust:

  1. Did not have any procedure governing requests for information around electronic staff records
  2. Did not provide the team with training on the functionality of the Excel spreadsheets
  3. Had no guidance in place for the web services team to check those spreadsheets for hidden data before making them public

“[Analysts] are offloading data from its originating source for the purposes of getting their job done,” Pilkington said, adding that this approach is revealing potential data governance gaps within organizations.

The Big Concern is a Data Breach

Internally sharing data without the proper precautions may result in a highly publicized exposure, said Dan Potter, chief marketing officer at Datawatch, which helps businesses users prepare and analyze data from a variety of sources.

“The big concern, the big risk, is around data breach because now you’ve got data being moved from governed systems — like a database or data warehouse that are well-managed and well-governed and controlled — to something that is now living on the desktop of an analyst and therefore being shared with other people in a non-governed way.”

Take the recent breach at retailer Kiddicare. Earlier this month the company notified nearly 800,000 customers that their names, addresses and telephone numbers may have been stolen after a test website using real customer information was compromised.

However, using real data on a test site tends to be a bad practice, noted security blogger Graham Cluley. As a test site, things are expected to go wrong, and in the case of Kiddicare, they did.

“Unfortunately, time and time again it’s seen that companies can be sloppier about the security of their test sites than their official sites — opening opportunities for data thieves and hackers,” Cluley wrote. “For that reason it’s usually much safer to generate fake data for testing purposes – just in case.”

Importance of Data Masking

Redaction and data masking can provide the best of both worlds: analysts across all departments are free to examine the data they want, and the sensitive information is removed or replaced with innocuous data.

This can help ensure you’re staying compliant with both government regulations and corporate policy. For example, if the employees names and insurance numbers had been masked in the data behind the trust’s equality and diversity metrics, the mistaken disclosure of that information would have been much less significant.

Potter added, “There’s a whole host of other kinds of data that people need to be very, very careful with in making sure that they’re masking it in some way because as you move to self-service analytics it does create more risk.”

Listen to the full conversation with Datawatch for more about business intelligence and data masking.

About the Podcast
In early May Blackpool Teaching Hospitals NHS Foundation Trust was fined £185,000 by the United Kingdom’s Information Commissioner’s Office for inadvertently publishing the personal details of 6,574 staff on its website. And last week retailer Kiddicare announced that 800,000 customers were impacted after a test site using real customer information was compromised by hackers. The incidents highlight a growing problem. Organizations have more data than ever, and that sensitive data is often being shared with other departments or with third parties for a variety of purposes.

On today’s Cyber Chat we talk with Datawatch chief product officer Jon Pilkington and chief marketing officer Dan Potter about business intelligence, the importance of data masking and how businesses can protect their sensitive information when it’s being shared both inside and outside of the organization.

Podcast: More Bank Attacks, New Malware and Walmart Sues Visa

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 69: More Bank Attacks, New Malware and Walmart Sues Visa:

This week’s trending cybercrime events included data breaches at Google, Kiddicare, and InvestBank as well as a ransomware infection that led to YahooMail being temporarily banned from the House of Representatives and a series of Anonymous-led DDoS attacks against banks. Researchers discovered several new mobile threats including RuMMS and Viking Horde Botnet malware. Blogger, PerezHilton and CBS-affilitiated websites were hit with malvertising. A new credit card scam was uncovered in Kuala Lumpur. Legal news includes Walmart suing Visa over chip-and-signature practices, the FTC and FCC partnering to investigate mobile security updates, and updated information on several stories including the Wendy’s data breach and the signing of the Defend Against Trade Secrets Act of 2016. Lastly, a Lego robot can bypass screen pattern security.

Listen to the podcast via the player below, or learn more about SurfWatch Labs podcasts on our podcast page.