The hacker 'skills gap' may be more of a strategy gap

It sure feels like the bad guys are winning.

In the ongoing cat-and-mouse game between malicious hackers and their targets (any individual, company, agency or government with information that might be profitable or useful), the bad news for the "mice" arrives with alarming regularity.

It is not just Target, although the breach late last fall of 40 million credit card numbers and 70 million addresses, phone numbers and other pieces of personal information remains one of the biggest in U.S. retail history.


It is the ongoing string of them since then: In this year alone, the more high-profile victims include UPS, P.F. Chang's, Shaw's, eBay, Adobe, Forbes, Kickstarter, Blizzard Entertainment and Dairy Queen.

More recently, Russian hackers reportedly breached JPMorgan Chase's (JPMC) network and gained access to gigabytes of data that likely came from the files of bank employees, including executives.

Even more recently, Mozilla warned roughly 97,000 early testers of its Bugzilla bug tracking software that their email addresses and encrypted passwords had been exposed for three months. That is not the first time Mozilla, whose Firefox browser is among the more popular on the market, has had a problem with leaking passwords.

And just this week came word of a "massive hack" of Apple's iCloud service that resulted in a flood of nude images of dozens of female stars being posted on online message boards.

So it doesn't seem like there would be much to dispute about W. Hord Tipton's recent declaration in a post on Dark Reading that, "The bad guys are winning."

Tipton, executive director of the International Information Systems Security Certification Consortium (ISC)² and former CIO at the U.S. Department of the Interior, said this is in large measure because the bad guys are better than the good guys: there is, he argued, a "skills gap" between hackers and defenders.

"Until the information security workforce catches up, we will continue to see the increasing success of sophisticated attacks," he wrote.

Tom Kellermann, chief cyber-security officer for Trend Micro, would appear to agree. "Russians are more intelligent than Americans," he told CSO, following the hack of JPMC.

But other security experts, while they don't disagree outright, say the situation is a bit more nuanced than that.

It starts with the definition of "winning." As has been pointed out numerous times, nobody hears about it when security measures successfully thwart attacks. It's only when security fails that there is publicity. So, attackers can fail the large majority of the time and still be "successful."

It is also easier to be on offense than defense, as Aaron Cohen, COO and cofounder of Blackfin Security, which operates the Hacker Academy, notes.

"It's a lot easier to know the play than to defend it," he said. "And there's a much bigger attack surface out there than before; you always have the low-hanging fruit."

Richard Bejtlich, chief security strategist at FireEye and a nonresident senior fellow at the Brookings Institution, agrees, noting that attackers have the initiative.

"Cyberspace favors the offense," he said. "Defenders are not allowed to take the initiative to degrade adversary capabilities through direct action against the intruder's resources."


Bejtlich also said that he does not see an intruder simply gaining unauthorized access as an automatic win. "If you define it a 'win' for an intruder to accomplish his ultimate mission (stealing data, altering a system, degrading resources), then it is possible for intruders to lose," he said, adding that "preventing the consequences of unauthorized activity should be the mission for defenders."

It is also a bit more complicated than a "skills gap," they say. "I don't agree that the bad guys are always smarter," Cohen said. "I know some really smart good guys."

The problem, he said, is that it is frequently not the professional "defenders," the IT staff, who fail to prevent breaches. It is workers in other departments who fall for a scam like phishing or use weak passwords, or workers from third-party contractors (as was the case with Target), who open the door to attackers.

"There is no patch for human stupidity," Cohen said.

That said, security experts do agree that defensive skills can and should be better, and that achieving that requires better education in cybersecurity.

It has to start, they agree, during the formative education years. "We've known for a while that we're not turning out enough cyber security professionals, starting at the K-20 level," said Michael Garvin, senior manager of product management in the Cyber Security Group at Symantec.

But he and others say that is only the beginning: to have defenders with the skills to counter the sophistication of attackers, they need hands-on, real-world experience.

"Pilots spend hundreds of hours in flight simulators before flying a real plane, gaining the skills they need and building muscle memory through repetition in a safe environment," Garvin said.


Bejtlich agrees. "I would not want to take security classes from a professor who lacks time defending an enterprise," he said.

That is Cohen's message as well. "High school and college is one area where we are so far behind. You can't train through a book," he said, arguing that cybersecurity training has to be more practical and hands on, somewhat like a vocational school.

He said much of the training at the Hacker Academy and other available courses is real-world simulation. "Until you're thrown into the fire, you don't know," he said.

However, if college and university infosec programs are going to improve, it will likely take some initiative and collaboration from the professionals. "The relationship between universities, colleges, careers services and the infosec community needs to be joined up," said Andrew Avenessian, vice president of professional services at Avecto.

"Organizations in the IT security space need to work with schools, universities and colleges to guide and advise them on the skills and competences needed in an ever-evolving environment."

Avenessian and others also say a computing degree is not the only path to a successful cybersecurity career. "They could be studying mathematics, engineering or management," he said.

Bejtlich agrees, but said effective defense has to go well beyond academic training and technical expertise.

"The majority of defenders don't think strategically," he said. "They are technicians at heart and think in terms of tools and tactics. They rarely incorporate operations/campaigns, strategy, and policy."

That, he said, is the real gap. "Strategy is more important than the skills gap," he said. "One hundred skilled people wasting their time on strategically unimportant activity is the real problem."

That was the message from Kellermann as well. He said the Russian hackers are more intelligent, "because they think through every action they take to a point where it's incredibly strategic. They're operating at eight to 12 steps ahead on both the offensive and defensive side of the (chess) board."

It will take more than better training of the coming generation of workers, however. Experts agree that attitudes, techniques and training of all employees have to be improved within enterprises.


"One of the main barriers to defending against attacks is unwieldy and unmanageable security strategies that rely on reactive detection," Avenessian said. "Organizations need to simplify their approach and be much more proactive. Many fail to meet even the very basic security steps recommended in the SANS 'First Five' or Australian DoD's Top 4."

He said he regularly encounters IT departments that "aren't focused on security, but rather on implementing the very latest technologies or broader IT solutions, forcing them to retrofit security post-deployment. Security should never be an afterthought."

Cohen said some of that has to include teaching end users. "If you teach people better, then you're going to be more secure," he said, but added that better teaching has to include simulated attacks, to give employees an experience beyond the theoretical.

"It's an easy and cost-effective way to make your people better and get rid of low-hanging fruit," he said.

Stories by Taylor Armerding