CompTIA recently polled about 600 companies worldwide to identify major cybersecurity trends. According to the respondents, we’re facing a three-fold set of challenges:
- Enlarging attack surface
- Increasinglywell-armed adversaries
- Lack of trained individuals
The increased attack surface involves two major elements:
- First, we’re seeing a proliferation of powerful devices and applications. Many of these have been created rather hastily, to put it lightly.
- Second, we’re seeing an increase in ever-more varied attacks that focus on social engineering, sophisticated credential harvesting and ways to manipulate foundational internet services, especially the Domain Name System (DNS).
When it comes to social engineering, this key problem remains: well-motivated, intelligent groups and individuals are actively targeting us. And, we’re succumbing to these attacks with increasing regularity.
This is a major problem because our identities are increasingly defined online. Yet, the military, corporations and individuals are using the same out-of-date resources and procedures that led to 2017’s Equifax debacle. We’re still seeing companies create internet of things (IoT) devices using suspect software and hardware development cycles. This combination of vulnerable individuals and poorly developed computing devices has created a toxic stew.
The continuing barrage of new devices and applications reflects the poor software and hardware development cycles throughout the industry. In late February, I had the opportunity to tour Ben Hill Griffin Stadium, where the University of Florida Gators play. It is a magnificent outdoor venue, like many others throughout the world. But my tour focused less on the fans or the football team and more on the technology used within the stadium.
We reviewed the $6.3 million IT infrastructure the university put in place, which includes powerful, quasi-hidden cell towers and more than 1,100 Wi-Fi hotspots. This implementation seemed quite secure to me. But imagine if such a powerful infrastructure wasn’t secured. Imagine the credential harvesting campaign that a well-funded attacker could wage in such a situation.
Key Skills Cybersecurity and IT Pros Need
Today’s cybersecurity workers need more skills that allow them to better identify and rectify the ever-increasing attack surface.
- Modern Pen Testing Skills: the ability to create customized applications and investigate IoT implementations and cloud platforms
- Security Analytics: the ability to search for the indicators of compromise that pen testers create.
- Knowledge of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) Systems: These systems are increasingly under attack worldwide, and private and public organizations alike require knowledge of both legacy and modern systems.
As cybersecurity workers, we need companies to implement resilient networks, efficient data-driven security information and event management (SIEM) and security orchestration, automation and response (SOAR) solutions. We need individuals who know both the technical and business sides of security so that they can use metrics and measure progress to goal. And we also need better end-user training that educates people on what to do when faced with social engineering threats or phishing attacks.
Finally, organizations need coders, project managers and executives to work together to develop software and hardware according to a secure development lifecycle. For all the talk about baking in security from the start, most organizations clearly haven’t gotten the recipe right.
Improving the Situation: What Employers and Employees Can Do
In our report, 72 percent of respondents keep their cybersecurity capability strictly in house. As this remains the case, it’s critical for executives and managers to properly upskill their cybersecurity workers. With technology changing so quickly and solutions being rushed to market, we need cybersecurity subject-matter experts more than ever before.
Organizations need to leverage the experience and wisdom of tens of thousands of people and distill it into educational programs that are affordable, scalable and, most of all, authoritative. These come from well-defined educational pathways that teach how multiple technologies from multiple vendors work together. Even though automation and artificial intelligence (AI) are helping us more and more, I’m still confident that upskilling people will be the primary way we can manage today’s cybersecurity attack surface.
People tell me that we’ve put up with this cybersecurity dumpster fire for too long. It’s clear to me, at least, that if we pursue well-defined educational pathways, we can avoid past mistakes and develop employee skills to help put it out.