Enterprise IT security teams continue to struggle

CyberEdge conducted a web-based survey of 600 enterprise IT security professionals from seven countries and 19 industries in August 2020 in an effort to understand how the pandemic has affected IT security budgets, personnel, cyber risks, and priorities for acquiring new security technologies.


Impacts from the work-from-home movement

Prior to the pandemic, an average of 24% of enterprise workers had the ability to work from home on a full-time, part-time, or ad hoc basis. As of August 2020, that number more than doubled to 50%.

Many enterprises without existing BYOD policies were instantly compelled to permit employee-owned laptops, tablets, and smartphones to access company applications and data – in some instances without proper endpoint security protections.

Resulting IT security challenges

A 114% increase in remote workers coupled with a 59% increase in BYOD policy adoption has wreaked havoc among enterprise IT security teams.

The top-three challenges experienced by enterprise IT security teams have been an increased volume of threats and security incidents, insufficient remote access / VPN capacity, and increased risks due to unmanaged devices.

Furthermore, an astounding 73% of enterprises have experienced elevated third-party risks amongst their partners and suppliers. Adding fuel to the fire, 53% of these teams were already understaffed before the pandemic began.

Healthy 2020 and 2021 IT security budgets

While most enterprises searched for ways to reduce overall operating expenses in 2020, 54% of those surveyed increased their IT security operating budgets mid-year by an average of 5%.

Only 20% of enterprises reduced their overall IT security spending after the start of the pandemic. With regard to the impact of the pandemic on next year’s security budgets, 64% of organizations plan to increase their security operating budgets by an average of 7%.

Increased demand for cloud-based IT security investments

Arguably the biggest impact that the COVID-19 pandemic has had on the IT security industry is an increased appetite for cloud-based IT security solutions. This is primarily driven by the massive increase in remote workers but may also be influenced by having fewer IT security personnel available on site to install and maintain traditional on-premises security appliances.

Exactly 75% of respondents have indicated an increased preference for cloud-based security solutions. The top-three technology investments to address pandemic-fueled challenges are cloud-based secure web gateway (SWG), cloud-based next-generation firewall (NGFW), and cloud-based secure email gateway (SEG).

Reducing IT security personnel costs

Despite increased funding for cloud-based security technology investments, 67% of enterprise security teams were forced to temporarily reduce personnel expenses through hiring freezes (36%), temporary reductions in hours worked (32%), and temporary furloughs (25%). Fortunately, only 17% were forced to lay off personnel.

Training and certification make a huge difference

78% of those with IT security professional certifications feel their certification has made them better equipped to address pandemic-fueled challenges.

Next year, enterprises anticipate increasing their security training and certification budgets by an average of 6%.

Taking third-party risks seriously

The doubling of remote workforces has significantly increased third-party risks. As a result, 43% of enterprises have increased their third-party risk management (TPRM) technology investments. 77% are seeking technologies to help automate key TPRM tasks.

Securing employee-owned devices

In an effort to secure employee-owned devices connecting to company applications and data, 59% of enterprises are providing antivirus (AV) software, 52% are investing in mobile device management (MDM) products, and 48% are acquiring network access control (NAC) solutions.

Security professionals enjoy working from home

Not surprisingly, 81% of IT security professionals enjoy working from home. Once a COVID-19 vaccine is developed and the pandemic is over, 48% would like to continue working from home part-time while 33% would like to work from home full-time.

As attackers evolve their tactics, continuous cybersecurity education is a must

As the Information Age gives way to the Fourth Industrial Revolution, with the rise of IoT and IIoT, on-demand availability of computing resources, big data and analytics, and cyber attacks on business environments that affect our everyday lives, there is an increasing need for knowledgeable cybersecurity professionals and, unfortunately, a widening cybersecurity workforce skills gap.


The cybersecurity skills gap is huge

A year ago, (ISC)² estimated that the global cybersecurity workforce numbered 2.8 million professionals, against a global skills gap of 4.07 million additional professionals needed.

According to a recent global study of cybersecurity professionals by the Information Systems Security Association (ISSA) and analyst firm Enterprise Strategy Group (ESG), there has been no significant progress towards a solution to this problem in the last four years.

“What’s needed is a holistic approach of continuous cybersecurity education, where each stakeholder needs to play a role versus operating in silos,” ISSA and ESG stated.

Those starting their career in cybersecurity need many years to develop real cybersecurity proficiency, the respondents agreed. They need cybersecurity certifications and hands-on experience (i.e., jobs) and, ideally, a career plan and guidance.

Continuous cybersecurity training and education are key

Aside from the core cybersecurity talent pool, new recruits come from among new university graduates, consultants/contractors, employees of other departments within an organization, security/hardware vendors and career changers.

One thing they all have in common is the need for constant additional training, as technology advances and changes and attackers evolve their tactics, techniques and procedures.

Though most IT and security professionals use their own free time to improve their cyber skills, they must learn on the job and get effective support from their employers for their continued career development.

Times are tough – there’s no doubt of that – but organizations must continue to invest in their employees’ career and skills development if they want to retain their current cybersecurity talent, develop it, and attract new, capable employees.

“The pandemic has shown us just how critical cybersecurity is to the successful operation of our respective economies and our individual lifestyles,” noted Deshini Newman, Managing Director EMEA, (ISC)².

Certifications show employers that cybersecurity professionals have the knowledge and skills required for the job, but also indicate that they are invested in keeping pace with a myriad of evolving issues.

“Maintaining a cybersecurity certification, combined with professional membership is evidence that professionals are constantly improving and developing new skills to add value to the profession and taking ownership for their careers. This new knowledge and understanding can be shared throughout an organisation to support security best practice, as well as ensuring cyber safety in our homes and communities,” she pointed out.

Why developing cybersecurity education is key for a more secure future

Cybersecurity threats are growing every day, be they aimed at consumers, businesses or governments. The pandemic has shown us just how critical cybersecurity is to the successful operation of our respective economies and our individual lifestyles.


The rapid digital transformation it has forced upon us has seen us rely almost totally on the internet, ecommerce and digital communications to do everything from shopping to working and learning. It has brought into stark focus the threats we all face and the importance of cybersecurity skills at every level of society.

European Cybersecurity Month is a timely reminder that we must not become complacent and must redouble our efforts to stay safe online and bolster the cybersecurity skills base in society. This is imperative not only to manage the challenges we face today, but to ensure we can rise to the next wave of unknown, sophisticated cybersecurity threats that await us tomorrow.

Developing cybersecurity education at all levels, encouraging more of our students to embrace STEM subjects at an early age, educating consumers and the elderly on how to spot and avoid scams are critical to managing the challenge we face. The urgency and need to build our professional cybersecurity workforce is paramount to a safe and secure cyber world.

With a global skills gap of over four million, the cybersecurity professional base must grow substantially now in the UK and across mainland Europe to meet the challenge facing organisations, at the same time as we lay the groundwork to welcome the next generation into cybersecurity careers. That means a stronger focus on adult education, professional workplace training and industry-recognised certification.

At this key moment in the evolution of digital business and the changes in the way society functions day-to-day, certification plays an essential role in providing trust and confidence on knowledge and skills. Employers, government, law enforcement – whatever the function, these organisations need assurance that cybersecurity professionals have the skills, expertise and situational fluency needed to deal with current and future needs.

Certifications provide cybersecurity professionals with this important verification and validation of their training and education, ensuring organisations can be confident that current and future employees holding a given certification have an assured and consistent skillset wherever in the world they are.

The digital skills focus of European Cybersecurity Month is a reminder that there is a myriad of evolving issues that cybersecurity professionals need to be proficient in, including data protection, privacy and cyber hygiene, to name just a few.

However, certifications are much more than a recognised and trusted mark of achievement. They are a gateway to ensuring continuous learning and development. Maintaining a cybersecurity certification, combined with professional membership is evidence that professionals are constantly improving and developing new skills to add value to the profession and taking ownership for their careers. This new knowledge and understanding can be shared throughout an organisation to support security best practice, as well as ensuring cyber safety in our homes and communities.

Ultimately, we must remember that cybersecurity skills, education and best practice are not just a European issue, and neither are they a political issue. Rather, they are a global challenge that impacts every corner of society. Cybersecurity mindfulness needs to be woven into the DNA of everything we do, and it starts with everything we learn.

Thousands of ISO certifications at risk of lapsing due to halted re-certification audits

Thousands of valuable ISO management system certifications earned by UK companies may now be at risk because auditors from Certification Bodies may not have been able to attend organizations’ premises to conduct essential re-certification audits during the current coronavirus pandemic.


Worldwide, hundreds of thousands of certifications are at risk of lapsing as lockdown conditions look set to continue for the foreseeable future.

Affected organizations may incur significant financial costs

Current UKAS guidelines – unchanged since August 2016 – state that: “If [a] recertification assessment cannot be undertaken within six months [of the anniversary of the certificate being issued] the certificate should be suspended, and a new initial assessment will be required.”

To restore their certifications, affected organizations may incur financial costs easily three times higher than they were expecting to pay for their annual audits – plus considerably higher levels of time and resources – as well as having to remove any reference to their certifications from their websites and other collateral in the meantime.

“Across just three [ISO9001, ISO27001 and ISO45001] of the five ISO management system standards that we help organizations to achieve, an average of 2,500 UK certifications per month could be at risk of lapsing due to the break in audit activities – never mind all other ISO standards, and notwithstanding any backlog of audits, whenever they can resume at scale,” said Peter Rossi, Director at InfoSaaS.

Some organizations may decide not to be re-audited

The International Organization for Standardization (ISO) doesn’t publish figures for the number of certifications granted across every standard. However, there are more than 1.3 million certifications worldwide across the 12 standards for which it has most recently published numbers, in the form of the ISO Survey 2018 (ISO9001, ISO14001, ISO20000, ISO22000, ISO22301, ISO27001, ISO28000, ISO45001, ISO50001, ISO13485, ISO37001 and ISO39001).

Worldwide there are over 870,000 certifications for ISO9001 alone, indicating that – six months on from the start of lockdowns – over 70,000 per month may be at risk of lapsing should surveillance audits remain halted.

“The uncomfortable truth is that, under current circumstances, some organizations may decide not to be re-audited and simply to let their ISO certifications lapse. Any such de-prioritisation may, in turn, lead to an unwanted decline in standards for the likes of information security, environmental management, health and safety and quality management. This is not a good outcome for anyone,” explained Rossi.

Lack of .GOV validation and HTTPS leaves states susceptible to voter disinformation campaigns

There’s a severe lack of U.S. government .GOV validation and HTTPS encryption among county election websites in 13 states projected to be critical in the 2020 U.S. Presidential Election, a McAfee survey reveals.

[Image: Example of what a fraudulent email might look like]

Malicious actors could establish false government websites

The survey found that as many as 83.3% of these county websites lacked .GOV validation across these states, and 88.9% and 90.0% of websites lacked such certification in Iowa and New Hampshire respectively.

Such shortcomings could make it possible for malicious actors to establish false government websites and use them to spread false election information that could influence voter behavior and even impact final election results.

“Without a governing body validating whether websites truly belong to the government entities they claim, it’s possible to spoof legitimate government sites with fraudulent ones,” said Steve Grobman, McAfee Senior Vice President and CTO.

“An adversary can use fake election websites for misinformation and voter suppression by targeting specific voters in swing states with misleading information on candidates, or inaccurate information on the voting process such as poll location and times.

“In this way, this malicious actor could impact election results without ever physically or digitally interacting with voting machines or systems.”

No governing authority prevents purchase of .COM, .NET, .ORG, and .US domain names

Government entities purchasing .GOV web domains have submitted evidence to the U.S. government that they truly are the legitimate local, county, or state governments they claimed to be.

Websites using .COM, .NET, .ORG, and .US domain names can be purchased without such validation, meaning that there is no governing authority preventing malicious parties from using these names to set up and promote any number of fraudulent web domains mimicking legitimate county government domains.

HTTPS assures citizens that any voter registration information they share with the site is encrypted in transit and that the site presented a certificate valid for its domain name. On its own it does not establish that the domain belongs to a government entity; that is what .GOV validation adds, and the two measures are therefore complementary.

Websites lacking .GOV and encryption cannot assure voters seeking election information that they are visiting legitimate county and county election websites, leaving malicious actors an opening to set up disinformation schemes.

“In many cases, these websites have been set up to provide a strong user experience versus a focus on the implications that they could be spoofed to exploit the communities they serve,” Grobman continued.

“Malicious actors can pass off fake election websites and mislead large numbers of voters before detection by government organizations. A campaign close to election day could confuse voters and prevent votes from being cast, resulting in missing votes or overall loss of confidence in the democratic system.”

State counties lacking .GOV validation

Of the 1,117 counties in the survey group, 83.3% of their websites lack .GOV validation. Minnesota ranked the lowest among the surveyed states in terms of .GOV website validation with 95.4% of counties lacking U.S. government certification.

Other states severely lacking in .GOV coverage included Texas (94.9%), New Hampshire (90.0%), Michigan (89.2%), Iowa (88.9%), Nevada (87.5%), and Pennsylvania (83.6%).

Arizona had the highest percentage of main county websites validated by .GOV with 66.7% coverage, but even this percentage suggests that a third of the Grand Canyon State’s county websites are unvalidated and that hundreds of thousands of voters could still be subjected to disinformation schemes.

State counties lacking HTTPS protection

The survey found that 46.6% of county websites lack HTTPS encryption. Texas ranked the lowest in terms of encryption with 77.2% of its county websites failing to protect citizens visiting these web properties. Other states with counties lacking in encryption included Pennsylvania (46.3%), Minnesota (42.5%), and Georgia (38.4%).

Assessment of Iowa and New Hampshire

In Iowa, 88.9% of county websites lack .GOV validation, and as many as 29.3% lack HTTPS encryption. Ninety percent of New Hampshire’s county websites lack .GOV validation, and as many as 30% of the Granite State’s counties lack encryption.

Inconsistent naming standards

The research found that some states attempted to establish standard naming conventions, such as www.co.[county name].[two-letter state abbreviation].us. Unfortunately, these formats were followed so inconsistently that a voter seeking election information from her county website cannot be confident that a web domain following such a convention is indeed a legitimate site.

Easy-to-remember naming formats

The research found 103 cases in which counties set up easy-to-remember, user-friendly domain names to make their election information easier to remember and access for the broadest possible audience of citizens.

Examples include www.votedenton.com, www.votestanlycounty.com, www.carrollcountyohioelections.gov, www.voteseminole.org, and www.worthelections.com.

While 93 of these counties (90.2%) protected voters visiting these sites with encryption, only two validated these special domains and websites with .GOV. This suggests that malicious parties could easily set up numerous websites with similarly named domains to spoof these legitimate sites.

Strategies for transitioning to .GOV

While only 19.3% of Ohio’s 88 county main websites have .GOV validation, the state leads McAfee’s survey with 75% of county election websites and webpages validated by .GOV certification. This leadership position appears to be the result of a state-led initiative to transition county election-related content to .GOV validated web properties.

A majority of counties have subsequently transitioned their main county websites to .GOV domains, their election-specific websites to .GOV domains, or their election-specific webpages to Ohio’s own .GOV-validated ohio.gov domain.

Such a .GOV transition strategy constitutes an interim solution until more comprehensive efforts are made at the state and federal government level through initiatives such as The DOTGOV Act of 2020. This legislation would require the Department of Homeland Security (DHS) to support .GOV adoption for local governments with technical guidance and financial support.

“Ohio has made a commendable effort to lead in driving election websites to .GOV, either directly or by using the state run ohio.gov domain,” said Grobman.

“While main county websites still largely lack .GOV validation, Ohio does provide a mechanism for voters to quickly assess if the main election website is real or potentially fake. Other states should consider such interim strategies until all county and local websites with election functions can be fully transitioned to .GOV.”
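The following script is an added example, not McAfee’s survey tooling. It applies the two criteria the survey uses (.GOV validation and HTTPS) and the www.co.[county].[st].us naming convention to a list of county website URLs, and rolls the findings up per state the way the article reports them. The hostnames, the per-state grouping and the HTTPS results in the embedded sample are constructed for illustration; the real network probe (a TLS handshake with hostname and chain verification) is included but not exercised offline.

```python
"""Added example (not from the survey): audit a list of county websites for
.GOV validation and HTTPS, and summarize per state."""
import re
import socket
import ssl
from collections import defaultdict
from urllib.parse import urlsplit

# The www.co.<county>.<two-letter state>.us convention described in the text.
CO_US_PATTERN = re.compile(r"^(?:www\.)?co\.[a-z0-9-]+\.[a-z]{2}\.us$")


def hostname_of(url: str) -> str:
    """Lowercase hostname of a URL; bare hostnames are accepted too."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_dotgov(host: str) -> bool:
    """True if the site is under .gov, which only verified US government
    entities can register; a page under a state's own .gov (e.g. ohio.gov)
    counts, as the article notes for Ohio."""
    return host.endswith(".gov")


def follows_co_us_standard(host: str) -> bool:
    return bool(CO_US_PATTERN.match(host))


def https_probe(host: str, timeout: float = 5.0) -> bool:
    """Network check (not run offline): does the host complete a TLS handshake
    with a certificate that chains to a trusted root and matches the name?
    HTTP-only sites, self-signed certs and name mismatches all yield False."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ssl.SSLError):
        return False


def audit(sites, probe=https_probe):
    """sites: iterable of (state, url). Returns (per-state summary with the
    percentage of sites lacking .GOV and lacking HTTPS, per-site findings)."""
    per_state = defaultdict(lambda: {"n": 0, "no_gov": 0, "no_https": 0})
    findings = []
    for state, url in sites:
        host = hostname_of(url)
        gov = is_dotgov(host)
        https = probe(host)
        findings.append({"state": state, "host": host, "dotgov": gov,
                         "https": https,
                         "co_us_standard": follows_co_us_standard(host)})
        s = per_state[state]
        s["n"] += 1
        s["no_gov"] += int(not gov)
        s["no_https"] += int(not https)
    summary = {
        st: {"lacking_gov_pct": round(100 * v["no_gov"] / v["n"], 1),
             "lacking_https_pct": round(100 * v["no_https"] / v["n"], 1)}
        for st, v in per_state.items()
    }
    return summary, findings


# Constructed sample: hypothetical hosts and canned HTTPS results, not survey data.
SAMPLE_SITES = [
    ("OH", "https://www.examplecountyohioelections.gov"),
    ("OH", "https://elections.ohio.gov/example-county"),
    ("OH", "http://www.co.example.oh.us"),
    ("TX", "https://www.voteexamplecounty.com"),
    ("TX", "http://www.co.sample.tx.us"),
]
SAMPLE_HTTPS = {
    "www.examplecountyohioelections.gov": True,
    "elections.ohio.gov": True,
    "www.co.example.oh.us": False,
    "www.voteexamplecounty.com": True,
    "www.co.sample.tx.us": False,
}


def sample_audit():
    """Run the audit over the constructed sample with the canned probe."""
    return audit(SAMPLE_SITES, probe=lambda h: SAMPLE_HTTPS.get(h, False))


if __name__ == "__main__":
    summary, findings = sample_audit()
    for f in findings:
        print(f)
    print(summary)
```

To run it against real county sites, pass your own (state, url) list to audit() and leave the default https_probe in place; note that a successful handshake says only that the certificate is valid for that name, so a lookalike domain with a perfectly good certificate still passes the HTTPS check, which is exactly why the .GOV check is separate.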

Modern security product certification best practices

IT security product manufacturers are generally required to achieve government-mandated, standards-based certifications before their products can be sold into government and regulated markets. One of the most common, aptly called Common Criteria (CC), was introduced more than two decades ago to standardize the criteria used to evaluate a product’s conformance against a set of functional and assurance security requirements.


Its goal is to ensure that a certified product meets the rigorous level of conformance required by the internationally adopted CC standard – thereby providing end users with assurance about the product’s security posture prior to deployment.

Achieving certification against standards like Common Criteria, or the related cryptographic module validation standard FIPS 140-2, is table stakes for industry and government procurement. A product’s CC and/or FIPS 140-2 validation certificate helps to demonstrate assurance and trust, and denotes conformance to a rigorous evaluation process. Without these independent, third-party certifications, product vendors are limited in their ability to sell into government agencies or other regulated industries.

When it comes to cybersecurity product development, the industry is agile by design, but security product certification methods haven’t kept pace with modern development methods and release cycles. As many developers or product managers will attest, trying to integrate legacy certification processes on top of modern development on your own is complex, expensive and often frustrating.

To complicate matters, standards-based certification programs are expanding in scope and prevalence. Meanwhile, the DevOps toolchain has drastically changed the speed at which teams can bring product to market thanks to process automation, and nothing slows a fully automated pipeline down faster than legacy, manual product certification. Why are these processes so out of sync?

At best, the intricate testing and evaluation process usually takes months to achieve certification with a product that is ready to certify. At worst, it can lead a product back to the drawing board for fixes if problems are identified through the evaluation – thereby delaying time to market. The process is time consuming and costly for development teams implementing fixes against the prescriptive requirements. This is also one of the few remaining non-automated test processes within the development environment and whether you’re managing it internally or outsourcing to a lab, the entire process is typically managed in a very manual way.

For years, security was often a last consideration in product development, but today manufacturers and regulators recognize the importance of security at design – and that security by design must include preparing for certification during design and development. Standards-based testing will benefit from a modern approach; new automation capabilities and certification process innovation mean continuous iterative testing will help teams certify at the speed of development.

Here are five steps product managers and developers can take to manage the security product certification process a little more smoothly.

1. Fully vet an accredited lab partner to help you manage the test process

Ask your lab before contracting whether you (as the vendor) need to develop any test harnesses or use your own resources to do any of the testing and show the results. With few exceptions, your lab should be able to do close to 100% of the Protection Profile testing with their own processes and tools. Set expectations in advance on your team’s required level of involvement to avoid surprises.

2. Confirm how much pricing contingency the lab is building into their model for testing

Historically, labs did not know how many rounds of testing they would need to do, because the testing was done at the end of an evaluation project with little advance insight into possible issues. This resulted in labs building in a significant risk premium. If you, as a vendor, undertake an automated Functional Gap Assessment approach to ensure product readiness before formal testing, you can confidently enter into a contract with a lab that only includes one full pass of testing. Don’t pay for unnecessary testing cycles.

3. Ask your lab how they do their gap analysis

If it’s a paper-based exercise or checklist, be aware that the process will likely miss granular details that may end up costing re-development cycles and slow your time to market. A lab that relies solely on a paper-based gap analysis may only uncover additional problems during the official testing phase, at which point you are forced to remediate the problem. The best way to determine gaps is to execute actual test cases using customized tools against the target early and often to dramatically reduce re-development risk.

4. Confirm with your lab how long the entire process takes before signing the contract

Be wary of broad or loose time frames. Armed with the results of a Functional Gap Assessment, the lab should be able to confidently commit to testing and finalization duration. There are some caveats around specific CC-scheme policies, such as the US scheme requiring last minute technical interpretations or requirements to be applicable right up until submission. A standard NDcPP formal evaluation can be completed in 60 days or less if the lab has the FGA results as inputs and is able to be “one and done” with formal testing. Don’t agree to an extended multi-month process without understanding why it will take so long and slow your time to market.

5. Check with your lab on the ownership of the project deliverables

Be wary of labs that don’t provide the consulting or documentation deliverables as works for hire. You have paid for the work and should have ownership of the documents for future use with that lab or another of your choosing.

At the end of the day, product managers and developers are equally responsible for driving better security assurance outcomes and the move to a modernized approach will yield greater results. Common Criteria can and should be a key tool in the toolbox to get us there.

Five cybersecurity certifications that provide value to employers

The cybersecurity skills gap and talent shortage continue to widen year over year as the result of a proverbial square peg and round hole situation. The peg: prospective cybersecurity practitioners are looking to break into an industry in dire need of skilled and talented individuals. The hole: hiring managers and their human resources counterparts have a near impossible task of determining which applicants vying for open positions are adequately prepared to fill cybersecurity roles. Over … More

The post Five cybersecurity certifications that provide value to employers appeared first on Help Net Security.

Women in cybersecurity can benefit from taking inventory of their personal apps

Today, technology fits into the palm of our hand. We have become accustomed to turning to it to find all sorts of answers to everyday challenges such as where to eat, where to shop, what to watch on our favorite streaming service, or even when to sleep. Technology has weaved itself into the very fabric of our lives, and many of us would be lost without it. Just as new apps get replaced by old … More
