The "No Network is 100% Secure" series
- The Security Expertise Shortage -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
Predictions about IT challenges in 2010:
1. 2010 should be the year that organizations begin to seriously focus on the recruiting,
training and retention of cyber security professionals. One of the critical and
growing problems IT Managers face is the shrinking pool of technical cyber-security
talent. There is more and more evidence (anecdotal though it may be) that
organizations with weak security skills simply cannot protect their systems and
information from the current level of hacker and attacker skills. A recent report by
Booz Allen Hamilton stated that "the pipeline of potential new talent is inadequate"
and that "there are concerns that America is not developing enough IT experts,
creating labor shortages in both the public and private sector." In the public sector
the 'retirement-bubble' we've been hearing about for a couple of years now is becoming
very real and we need to begin growing the next generation of cyber-security experts
now. We also need to better utilize the already skilled aging workforce that is
currently viewed as being "too old" by many not terribly bright Managers and
organizations. In many cases, companies are offering early retirement to get
rid of exactly the skilled Engineers they are going to need to meet these new
challenges moving forward. Despite the economic and funding difficulties facing
most organizations, those who choose to ignore this issue do so at their own great peril.
2. Social Media -- It's not just a fad anymore. It's a fundamental shift in the way we
communicate. I think by now we all understand that the security issues around social
media aren't so much technical in nature but are, well, Social. Because social media
is all about the weakest link and hardest to control aspect of the security chain
(people), phishing and the growing array of tactics cyber-criminals use to exploit,
dupe and deceive will continue to expand. So, while the traditional hackers are still
out there (see prediction 5), cyber criminals have figured out that it's easier to
just let us hack ourselves. The result will be a vast increase in the number of
incidents related to loss of Personally Identifiable Information (PII) and
consequently, new and more regulations for both business and government to protect
PII and other sensitive data.
3. Critical Infrastructure -- There will be increasing
discussions, initiatives and government compliance mandates on private sector
companies operating critical infrastructure such as power generation, power
distribution, water distribution, and others. See our
Aurora White Paper for details. Actions might even include intervention
or granting of emergency authority. There's been too much media coverage to continue
ignoring these threats. The same security deficiencies we see every day in our home
and work
computers are vulnerabilities that can impact control systems within the nation's
critical infrastructure arena. And even though some may consider it hyperbole,
no one can deny that the attack surface is growing. In my opinion, it is becoming
increasingly likely that the next terrorist or foreign Government attack on
America will be targeted at SCADA systems that control vital functions such as the power
grid or air traffic control. The federal government will likely begin discussing
the lack of comprehensive oversight in these areas and will address it with new
regulations requiring stringent and more frequent audits and more security controls
among other things.
4. Security in the Cloud. Managed security services (MSS) in the cloud are
not yet anywhere near where they should be. However, I believe they will
receive much more attention as security companies continue to expand their service
offerings. Budgets are going in the wrong direction and organizations simply can't
afford to ignore the significant savings afforded by consolidation and outsourcing
to cloud solutions. Email hygiene (anti-spam filtering and anti-virus scanning) is a
good example of a relatively low risk solution that works well in the cloud. MSS
for IDS/IPS monitoring, vulnerability scanning, and web application scanning start
to look like very rational decisions when the budgets are decreasing and internal
staffing is down or the skill of the staff isn't adequate (see prediction 1).
5. Cyber Crime. Hackers writing viruses, hackers breaking into systems by
circumventing security controls, hackers compromising the integrity of data, and
hackers causing cyber vandalism are still out there and still doing their dirty
deeds. This type of computer hacking however tends to fall into a different category
than the new era of cyber criminal whose sole motivation is money. The bad news about
these cyber criminals is that you can't simply call them opportunists because they are
both creative and smart, and the one thing that hasn't changed throughout human
history is that criminals congregate where the money is. Cyber criminals are no
different and as long as the barriers to entry remain low (they are) and the risk
of getting caught is almost zero (it is), cyber-crime is going to blossom. While the
on-line economy grows, so do the cyber crime opportunities.
2010 will see continued growth in crime and the exploitation of people through
social media technologies that allow cyber criminals to prey on all
of us by means of credit card fraud, phishing, identity theft, and distribution of
child pornography. Crimeware such as keystroke loggers and those programs that
steal passwords and compromise web browsers that then point to fake websites are
the cyber crime du jour. Ransomware is a particularly nasty form of cyber crime
where victims' computers are infected, the data and/or files are encrypted and
the victims are forced to pay a ransom for the encryption key. A new variation
of Ransomware adds a twist that blocks internet access and requires the victim
to send a text message (at a premium rate of course) for the code to free the data.
The Cloud will get worse before it gets better. But it will get better. The Cloud
is going to win. It's faster. It's better. It's
cheaper. But there are security issues, and they're not simply the sort of problems
that can be worked out by taking a CIO out to lunch and promising everything's
going to be OK. Genuine, technical security faults in cloud technology will garner
a huge amount of attention. The faults will eventually be addressed, because
existing investments are so very high.
About the Author
Frank Saxton is a computer network security engineer and Easyrider LAN Pro principal. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20-year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP Openview Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional-grade monitoring tools on a daily basis.
Last modified December 16, 2009
Copyright 1990-2010 Easyrider LAN Pro