A Crisis of Confidence Among Security Pros

cyberguypr Senior Member, Mod Posts: 6,916
Would love to hear the community's thoughts on this article:
New report shows that a majority of security professionals worldwide doubt they can stop or quell attacks.

There's a sense of unease among security professionals around the globe on how well they can truly protect their organizations from cyberattacks, a new report finds.

Some 57% of security pros say their organizations aren't protected from advanced attacks, and 63% don’t think they can stop confidential information from leaking out of the enterprise, a new report by the Ponemon Institute says. Nearly 70 percent say they believe threats slip by their installed security systems.

Full story here.

Comments

  • MSP-IT Member Posts: 752
    I think a lack of confidence, rephrased, can be a good thing. Those that have real confidence in their security mechanisms are more likely just incompetent or naive. The belief that you're never protected is what makes a good security professional.
  • RobertKaucher A cornfield in Ohio Member Posts: 4,299
    And those are just the ones who are being honest. Security pros are at a distinct disadvantage and always will be... The bad guys only have to have one successful attack; the good guys have to be 100% effective against everything.
  • zxbane Member Posts: 740
    Great point and post. The security folks have it pretty rough in the sense that it is impossible to cover everything at all times, as new attacks evolve and come to light.
  • colemic Member Posts: 1,568
    That's an interesting read. My initial reaction though is that they might not be measuring what they think they are (and this is me going off on a tangent here) - every organization invests X amount, and from security's perspective, it's only going to get you so far. It's like a baseline, kind of - what you spend, is your acceptable risk. More spending (not necessarily in dollars, but in time as well) usually leads to increased results. I wonder if the respondents are saying that they think they need to spend more to have the same level of assurance given how attacks are evolving, or if it is they think it was too low to begin with. Sorry I am in a rush and that may not be entirely clear.
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • docrice Member Posts: 1,706
    I only skimmed the article, but the way I see it there is typically a major disconnect between how senior management perceives security threats and mitigating / reducing the associated risks vs. the actual reality and the speed of evolution regarding the types and number of threats out there. Business environments are often conservative in nature and the decision-making tends to be cost-based. "Security" is seen more as an operational cost-nuisance and with some funding a convenient button / checkbox to make the superficial liabilities go away (the cost of doing business, if you will).

    But with the number of high-profile breaches making the news these days, executive teams are probably realizing that this isn't just a technology problem, but like many other things a human / business-relationship issue as well and you can't simply buy a set of shiny appliances to perform magic as a solution. It's becoming more expensive to be complacent.

    Compounding the problem is the disconnect between those in the trenches of digital warfare and those in charge of the businesses. Too many techies aren't able to explain the problems and risks in terms the business owners understand. This is a common point of frustration in any organization, but I think technical staff tend to forget that senior management has to keep focused on business goals. Being inundated with all the low-level minutiae is outside their area of comfort.

    It's also mindset and training. There are too many shops / technical professionals who are overly dependent on the new firewall / endpoint / malware-detection technology without really understanding how they work and what it is these solutions accomplish at a technical level. I attribute this mainly to insufficient training, lack of training, or the wrong type of training. While vendor-specific training is important, I generally feel that they don't reveal the actual security problems of today and they only teach it based on how their marketed solutions help resolve known problems. This is why I'm a big proponent of augmenting with vendor-neutral training, as it helps provide clarity and see past the assumptions vendor-centric training makes.

    The scale which must be covered for effective security revolves around understanding the technologies, protocols, human behavior, business requirements, and all the other microscopic details and putting the appropriate auditing and access controls in place. In other words, complete security requires seeing and knowing everything because without it, you can't detect and respond to every anomaly. This is an impossible task, and the growing advances in network-enabled technology and how we use them only exaggerate this problem at a higher rate.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • colemic Member Posts: 1,568
    Totally agree that the gap is becoming wider between the business side and the security side... but how do you fix that? Security training for business? Business training for security? Both? That's the million-dollar question: how to bridge the gap.
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • Jackace Member Posts: 335
    My security instructor in school made it clear that with enough resources any system can be compromised. Your job as a security expert is to make yourself as tough a target as you can based on the value/cost of the data you are trying to protect. In that respect I agree with the article; there isn't much you can do if someone really wants your data. If they spend enough time/money they will get to that data no matter what you do to secure it.
  • chopsticks Member Posts: 389
    Without attacks, security professionals will be out of jobs or businesses, and I'm speaking from the good-guy side.
  • NovaHax Member Posts: 502
    MSP-IT wrote: »
    I think a lack of confidence, rephrased, can be a good thing. Those that have real confidence in their security mechanisms are more likely just incompetent or naive. The belief that you're never protected is what makes a good security professional.

    This!!!

    There is security and then there is better security. But no such thing as perfect security. Awareness of this will make you a better security professional.
  • GarudaMin Member Posts: 204
    As mentioned by docrice, security is not just a technology issue. It's about policy, procedure, people, ... basically defense-in-depth. The question is: what is the root cause of the lack of confidence? We all know that no system is 100% secure and it's about how many controls we can place in terms of defense-in-depth; and the controls that need to be placed have to have blessings from the company leaders. If a company does not care about security, it's very hard on security professionals. After all, humans are the weakest link and you can't tackle human issues without visible support from the leaders. The article doesn't really go into root cause but imho, confidence of security pros is hugely related to the culture and ethics of the company and their value on security.
  • [Deleted User] Posts: 0
    I agree with GarudaMin. There are multiple layers of security that need to be covered (physical access all the way to securing data.) However, with proper end-user training, I would "assume" that at least ~50% of these issues would be solved, but people don't always follow the rules (if only IT was a dictatorship where they had to abide by our words.) There will be more and more attacks growing each and every day. Also keep in mind, most people are only aware of just the common scams such as the Nigerian prince scam or FedEx package scams. There are more and more sophisticated and complex scams, and it may be difficult (not impossible) to prevent these issues from recurring.

    colemic: I think meeting halfway would suffice for business needs along with the needs that security professionals have. If you compromise your employees' and the security professionals' needs, that can cause issues.
  • it_consultant Member Posts: 1,903
    I have a different perspective on why there is a crisis of confidence among IT pros. Most of them aren't very good. CEH, CISSP, etc. means diddly squat against truly talented intruders. The SOCs I have seen were widely incompetent at detecting threats and spent more time responding to false alarms from overly sensitive IDS devices than actually monitoring vectors of intrusion. Look at Target: how did not one Security professional notice outbound traffic from the POS devices? That isn't getting it wrong "one time", that is a systematic failure of detecting data leakage. Sadly, I am sure Target had plenty of CISSPs on staff and I am sure they were PCI compliant too. Hello false sense of security.

    The problem is that a vast collection of security professionals were trained by military contractors or by businesses who were either junior admins or right out of college. As an experienced network admin, I can easily defeat most Security measures even if I have never seen the network because I know what I am doing. Meanwhile, hackers are experienced programmers with a ton of knowledge on operating systems and networks. At the very least, the lowest level of security guy should have years under his/her belt as a systems admin or a network admin.
  • GarudaMin Member Posts: 204
    Target just failed on many aspects. From my understanding: infosec security professionals (before the attack) informed Target that they were weak and needed improvement (including the area that led to the breach) but the leaders did not pay attention to it. Those infosec security professionals had also left Target before the attack occurred. Also, their FireEye system, as well as Norton AV, reported the initial attacks and malware callbacks on 2 separate instances. Whoever was supposed to handle it (IT or infosec, etc.) did not follow up with those alerts. Failures on multiple levels from the top to bottom.
    But I agree about security guys having systems/network admin experience. After all, if you don't know what it is, then how can you properly protect it?
  • the_Grinch Member Posts: 4,165
    Lack of confidence is the wrong phrase to use here. I've never met a true security professional who was confident that they were 100% secure. Given enough time and money anything can be broken into.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • higherho Member Posts: 882
    it_consultant wrote: »
    I have a different perspective on why there is a crisis of confidence among IT pros. Most of them aren't very good. CEH, CISSP, etc. means diddly squat against truly talented intruders. The SOCs I have seen were widely incompetent at detecting threats and spent more time responding to false alarms from overly sensitive IDS devices than actually monitoring vectors of intrusion. Look at Target: how did not one Security professional notice outbound traffic from the POS devices? That isn't getting it wrong "one time", that is a systematic failure of detecting data leakage. Sadly, I am sure Target had plenty of CISSPs on staff and I am sure they were PCI compliant too. Hello false sense of security.

    The problem is that a vast collection of security professionals were trained by military contractors or by businesses who were either junior admins or right out of college. As an experienced network admin, I can easily defeat most Security measures even if I have never seen the network because I know what I am doing. Meanwhile, hackers are experienced programmers with a ton of knowledge on operating systems and networks. At the very least, the lowest level of security guy should have years under his/her belt as a systems admin or a network admin.

    So true. This is the biggest factor imo; most security professionals (that are not on the red team) have no experience in the field / on the keyboard to understand what is actually being attacked or how it happened.
  • YFZblu Member Posts: 1,462
    it_consultant wrote: »
    hackers are experienced programmers with a ton of knowledge on operating systems and networks.

    Yes, infosec is chock full of over-confidence and ignorance, just like the rest of IT. Also, let's not forget that 99% of attack traffic is generated by skiddies with no talent, skill, or understanding. They're spraying at internet address space with something they found on Git, or Metasploit, or Nmap.

    Infosec is at the inherent disadvantage of investigating badness and reacting after the fact, in ever-changing environments while trying to maintain a perceived sense of 'normal' on the wire. It's cat and mouse, and that will never change.

    Regarding confidence, I agree with others who say that's the wrong word. Security people are definitely confident - but often tend to be logical as well. Any security person who tells you, as a matter of fact, that the network is 100% under the control of its owner, is lying to you.
  • it_consultant Member Posts: 1,903
    I don't even consider port probes as attack traffic; technically it is, but the cheapest firewalls on the market take care of that for us. I am talking about real hackers that use bait and lure techniques, social engineering attacks, break into physical safeguards, etc. These people know what the eff they are doing and are a cut above the average security guy.

    We should look at the opposite example. When a reporter's email at the NYT was hacked, their security people noticed and traced the attack and even planted false information in the account, while giving the reporter a different email account so they could continue their work. I am not suggesting all security people are bad; I am saying that a lot of popular methods and certifications for security simply provide a false sense of security.
  • GAngel Member Posts: 708
    The real headline should be
    "Most security pros not good enough in the first place".
  • YFZblu Member Posts: 1,462
    it_consultant wrote: »
    I don't even consider port probes as attack traffic, technically it is but the cheapest firewalls on the market take care of that for us.

    Who said anything about port scanning? That's just the cost of being connected to the internet. There is plenty of automated exploitation from the internet to public-facing infrastructure that doesn't 'probe' a single port.
    it_consultant wrote: »
    I am talking about real hackers that use bait and lure techniques, social engineering attacks, break into physical safeguards etc. These people know what the eff they are doing and are a cut above the average security guy.

    You're referring to an entity willing to do anything to gain a foothold within an organization. Over a long period of time, that entity is probably going to get in, and the blame for that is spread much wider than the average security guy.
  • it_consultant Member Posts: 1,903
    That isn't what I am talking about at all, actually. I am talking about loose string theory. A skilled attacker can spend a few minutes determining whether there is a veritable "string" they can tug at to get into an organization. Above and beyond the standard Nmap and port probes and other things anyone can find on the dark net, I am talking about exploiting weaknesses in versions of Apache and IIS. If the attacker finds a string, they can start tugging, and those guys are very skilled.

    The NYT hack was a nation state and therefore not completely alike to other breaches, but what I was focusing on was the response of the security professionals involved. I don't see that level of skill in the average security guy; in fact I would call it more of a rarity. That is the problem with security as I see it: we rely too much on process-level security (which there is a need for) and not enough on people with the technical gravitas to be able to discern an attack when or right after it happened. We feel nice and comfortable with our PCI certifications and CISSPs; meanwhile your website is getting pilfered by malicious scripts without anyone noticing.
  • YFZblu Member Posts: 1,462
    it_consultant wrote: »
    That isn't what I am talking about at all, actually. I am talking about loose string theory. A skilled attacker can spend a few minutes determining whether there is a veritable "string" they can tug at to get into an organization. Above and beyond the standard NMAP and port probes and other things anyone can find on the dark net. I am talking about exploiting weaknesses in versions of apache and IIS. If the attacker finds a string, they can start tugging and those guys are very skilled.

    We're talking past each other on this point. I'll try to be more clear. Earlier you indicated that script kiddies on the web can be easily flicked away by any modern piece of network infrastructure by denying probe traffic on arbitrary ports. My point was, generally speaking, security people don't care much about random port scanning. Even script kiddies realize that waltzing through the front door and poking at open services/applications is much more fruitful than pounding on a wall for no reason. How do they identify those open services? Often times they don't identify anything; they just point at blocks of address space and spray at port 80 exclusively. Either their bot exploited your service or it didn't. They'll eventually pop a number of servers, and continue on with their trollish lives of bitcoin mining on enterprise infrastructure and saturating bandwidth with more scans at the victims' expense.

    So yes, when the business forces us to keep vulnerable software online, and some know-nothing skiddie with an automated exploit starts pounding on it, we most definitely categorize that as attack traffic. Not to say that noisy, enumerating port scans don't happen; they definitely do. But typically that occurs within the context of things we don't care much about.
    it_consultant wrote: »
    we rely too much on process level security (which there is a need for)

    Yes.
    it_consultant wrote: »
    I was focusing on was the response of the security professionals involved. I don't see that level of skill in the average security guy; in fact I would call it more of a rarity.

    Of course the response was a rarity. After determining they were in over their heads, AT&T and the Times roped in both the FBI and Mandiant, institutions in the field. You're pitting them against the "average security guy". That's like saying what Michael Jordan did was a rarity, and by comparison other professional players were bad at basketball. That's not a realistic thought process, because at Mandiant, the business is security.
    it_consultant wrote: »
    The NYT hack was a nation state and therefore not completely alike to other breaches

    I disagree. The New York Times incident was very similar to other targeted breaches. Threat actors used spear-phishing to introduce stealthy malware into the network, and spent weeks targeting what they believed to be the prod domain controller and cracking passwords, under the watchful eye of arguably the best incident handling organization in the world. After reviewing the malware, Mandiant recognized it as something they had seen before. After reviewing network-based information, Mandiant recognized the behavior immediately and attributed it to a group they were aware of and monitoring.

    My original point is this: Yes, there is incompetence in infosec. But that's a cheap and incomplete way of looking at it. There is incompetence in every area of IT. As docrice once put it, at most shops technical security people are handed a BB gun and asked to conquer the zombie apocalypse. For that reason, it's extremely eye-rolling when people who don't work in dedicated security positions criticize the field with only a half understanding of what is actually taking place.
  • colemic Member Posts: 1,568
    Not directed at you specifically, YFZblu, but it is also eye-rolling when people assume that the nuts-and-bolts type of technical positions are the only 'real' InfoSec jobs. #petpeeve
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • YFZblu Member Posts: 1,462
    No, you're right. After re-reading my post it does come off that way. It's probably an immaturity thing on my part. The fact is, what I do at my firm would have no teeth without risk, policy, and architecture setting standards.