It sure feels like the bad guys are winning.
In the ongoing cat-and-mouse game between malicious hackers and their targets – any individual, company, agency or government with information that might be profitable or useful – the bad news for the “mice” arrives with alarming regularity.
It is not just Target, although the breach late last fall of 40 million credit card numbers and 70 million addresses, phone numbers, and other pieces of personal information remains the biggest in U.S. retail history.
It is the ongoing string of them since then: In this year alone, the more high-profile victims include UPS, P.F. Chang’s, Shaw’s, eBay, Forbes, Kickstarter, Blizzard Entertainment and Dairy Queen.
More recently, Russian hackers reportedly breached JPMorgan Chase's (JPMC) network and gained access to gigabytes of data that likely came from the files of bank employees, including executives.
Even more recently, Mozilla warned about 97,000 early testers of the Bugzilla bug tracking software that their emails and encrypted passwords had been exposed for three months. That is not the first time Mozilla, whose browser Firefox is among the more popular on the market, has had a problem with leaking passwords.
And just this week came word of a “massive hack” of Apple’s iCloud service that resulted in a flood of nude images of dozens of female stars being posted on online message boards.
So it doesn’t seem like there would be much to dispute about W. Hord Tipton’s recent declaration in a post on Dark Reading that, “The bad guys are winning.”
Tipton, executive director of the International Information Systems Security Certification Consortium (ISC)² and former CIO at the U.S. Department of the Interior, said this is in large measure because the bad guys are better than the good guys – that there is a “skills gap” between hackers and defenders.
“Until the information security workforce catches up, we will continue to see the increasing success of sophisticated attacks,” he wrote.
Tom Kellermann, chief cyber-security officer for Trend Micro, would appear to agree. “Russians are more intelligent than Americans,” he told CSO, following the hack of JPMC.
But other security experts, while they don’t disagree outright, say the situation is a bit more nuanced than that.
It starts with the definition of “winning.” As has been pointed out numerous times, nobody hears about it when security measures successfully thwart attacks. It’s only when security fails that there is publicity. So, attackers can fail the large majority of the time and still be “successful.”
It is also easier to be on offense than defense, as Aaron Cohen, COO and cofounder of Blackfin Security, which operates the Hacker Academy, notes.
“It’s a lot easier to know the play than to defend it,” he said. “And there’s a much bigger attack surface out there than before – you always have the low-hanging fruit.”
Richard Bejtlich, chief security strategist at FireEye and a nonresident senior fellow at the Brookings Institution, agrees, noting that attackers have the initiative.
“Cyberspace favors the offense,” he said. “Defenders are not allowed to take the initiative to degrade adversary capabilities through direct action against the intruder's resources.”
Bejtlich also said that he does not see an intruder simply gaining unauthorized access as an automatic win. “If you define it a ‘win’ for an intruder to accomplish his ultimate mission – stealing data, altering a system, degrading resources – then it is possible for intruders to lose,” he said, adding that, “preventing the consequences of unauthorized activity should be the mission for defenders.”
It is also a bit more complicated than a “skills gap,” they say. “I don’t agree that the bad guys are always smarter,” Cohen said. “I know some really smart good guys.”
The problem, he said, is that it is frequently not the professional “defenders” – the IT staff – who fail to prevent breaches. It is workers in other departments who fall for a scam like phishing or use weak passwords, or workers from third-party contractors (as was the case with Target) who open the door to attackers.
“There is no patch for human stupidity,” Cohen said.
That said, security experts do agree that defensive skills can and should be better, and that to achieve it, education in cybersecurity must improve.
It has to start, they agree, during the formative education years. “We’ve known for a while that we’re not turning out enough cyber security professionals, starting at the K-20 level,” said Michael Garvin, senior manager, product management, Cyber Security Group at Symantec.
But he and others say that is only the beginning – that to have defenders with the skills to counter the sophistication of attackers, they need hands-on, real-world experience.
“Pilots spend hundreds of hours in flight simulators before flying a real plane, gaining the skills they need and building muscle memory through repetition in a safe environment,” Garvin said.
Bejtlich agrees. “I would not want to take security classes from a professor who lacks time defending an enterprise,” he said.
That is Cohen’s message as well. “High school and college is one area where we are so far behind. You can’t train through a book,” he said, arguing that cybersecurity training has to be more practical and hands-on, somewhat like a vocational school.
He said much of the training at the Hacker Academy and other available courses is real-world simulation. “Until you’re thrown into the fire, you don’t know,” he said.
However, if college and university infosec programs are going to improve, it will likely take some initiative and collaboration from the professionals. “The relationship between universities, colleges, careers services and the infosec community needs to be joined up,” said Andrew Avanessian, vice president of professional services at Avecto.
“Organizations in the IT security space need to work with schools, universities and colleges to guide and advise them on the skills and competences needed in an ever-evolving environment.”
Avanessian and others also say a computing degree is not the only path to a successful cybersecurity career. “They could be studying mathematics, engineering or management,” he said.
Bejtlich agrees, but said effective defense has to go well beyond academic training and technical expertise.
“The majority of defenders don't think strategically,” he said. “They are technicians at heart and think in terms of tools and tactics. They rarely incorporate operations/campaigns, strategy, and policy.”
That, he said, is the real gap. “Strategy is more important than the skills gap,” he said. “One hundred skilled people wasting their time on strategically unimportant activity is the real problem.”
That was the message from Kellermann as well. He said the Russian hackers are more intelligent, “because they think through every action they take to a point where it's incredibly strategic. They're operating at eight to 12 steps ahead on both the offensive and defensive side of the (chess) board.”
It will take more than better training of the coming generation of workers, however. Experts agree that attitudes, techniques and training of all employees have to be improved within enterprises.
“One of the main barriers to defending against attacks is unwieldy and unmanageable security strategies that rely on reactive detection,” Avanessian said. “Organizations need to simplify their approach and be much more proactive. Many fail to meet even the very basic security steps recommended in the SANS 'First Five' or Australian DoD's Top 4.”
He said he regularly encounters IT departments that, “aren't focused on security, but rather on implementing the very latest technologies or broader IT solutions, forcing them to retrofit security post deployment. Security should never be an afterthought.”
Cohen said some of that has to include teaching end users. “If you teach people better, then you’re going to be more secure,” he said, but added that better teaching has to include simulated attacks, to give employees an experience beyond the theoretical.
“It’s an easy and cost-effective way to make your people better and get rid of low-hanging fruit,” he said.