The security threats organizations are most concerned about [Q&A]
The cybersecurity landscape is constantly evolving and organizations need to stay up to date if they're to adequately protect themselves.
At the end of last year, O'Reilly released its 2024 State of Security survey, which analyzes the threats that concern frontline practitioners most, the projects they're implementing to safeguard systems and infrastructure, the skills companies are hiring for, and more.
We spoke to Mike Loukides, VP of emerging tech at O'Reilly, to discuss the findings and what they mean for businesses.
BN: What are the top security threats that frontline practitioners are most concerned about in 2024, and how are these threats evolving?
ML: The top three threats in our survey were phishing, network intrusion, and ransomware. They're all closely related: a phish is a precursor to network intrusion, and ransomware can't happen without network intrusion.
What's changed is that phishes are becoming much more focused. This is often called 'spear phishing,' and it's been on the radar for several years now -- but we're seeing it more frequently in the wild. Instead of getting a generic request that's vague on all the important details, you get an email from someone highly placed in your company asking you to do something for a specific high-value project. It will be an email that looks like it couldn't possibly have come from someone else. And it will require you to authorize a payment, log in to a bogus server, etc. It requires a fair amount of research, but when you can make a phish so targeted, the success rate skyrockets. You might wonder how an attacker would know so much about your company -- and the truth is that nobody is as careful with information as they should be. People talk, waitstaff overhear things, and sooner or later, a lot of people have access to information that they shouldn't.
Ransomware has also evolved. There are a lot of new toolkits; ransomware as a service is a real business; and it's often highly specialized, with different vendors serving different parts of the attack. But what's more important is the change in culture. Several years ago, we wrote a report saying that there was usually honor among thieves. If you paid the ransom, you were likely to get your data back. Not only is that no longer true, but your data is likely to end up on the black market. Or the attack will involve extortion because of what the attackers discover in your data.
We also saw that security teams are concerned about attacks against AI, specifically, prompt injection. This will become more important as AI penetrates further into our workplaces.
BN: What types of projects are organizations prioritizing to safeguard their systems and infrastructure against these threats?
ML: Multi-factor authentication (MFA) has become almost universal. A victim might give up their password, but it's nowhere near as big a help to the attacker if they also need to guess a 6-digit code that's texted to the victim's phone. (There are attacks against messaging, but they're still rare, and both Android and iOS have messaging protocols with more sophisticated protections.)
Zero trust is appearing everywhere -- I was pleasantly surprised that many companies have zero trust projects completed, under way, or planned for the next year. Zero trust means that all clients (whether or not they're human) are required to authenticate themselves to all servers, and then they're only granted the permissions they need to do their job. It not only makes attacks more difficult, but it also limits the damage an attacker can do if they get in.
Many companies had ongoing projects involving endpoint security. Endpoint security has to do with the way devices move around. Somebody goes home and brings their laptop with company data. Now it's moved from a secure network to an unknown network. Or they go to a coffee shop with their cell phone in their pocket. Now the cell phone has moved to a network that's almost certainly insecure. If an attacker can plant malware on a device when it's on an insecure network, that malware can do damage when it moves to a secure network. So, making sure that all endpoint devices are secure -- up-to-date on patches, their users practice good security hygiene, and so on -- is critical.
BN: How are cybersecurity practitioners leveraging new technologies like AI and automation to enhance security operations and reduce vulnerabilities?
ML: AI can be very good at logfile analysis and intrusion detection -- in short, anything that requires keeping watch over large data flows. It isn't close to real time, but it's better than human analysis.
I've seen papers claiming that, while AI is not particularly good at generating secure code, it can do a better job of analyzing code for vulnerabilities. I still see that as a research project, though. I've seen AI point out fairly trivial vulnerabilities, but I don't think it could find a subtle memory safety problem. And I'm not convinced that it helps to let AI find the easy problems while leaving the difficult ones to humans. This situation will probably improve, though.
There's potential for AI to help digest and summarize all the information that security professionals must deal with. There are tens of thousands of CVEs per year. Any serious software operation has thousands of dependencies. Any dependency can have any number of vulnerabilities. This is where an AI that ingested and summarized all the important information, including your organization's software bill of materials, could be extremely useful. If that product doesn't exist, it should -- there's a startup idea.
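The matching step behind the tool described above (take the organization's software bill of materials, find which components fall inside the affected version ranges of known advisories, and rank the result) is ordinary code rather than AI. The following is an added example, not code from the interview, O'Reilly, or any product: it parses a constructed SBOM in CycloneDX JSON layout and checks its components against a constructed, OSV-style advisory list. The package names and the `EXAMPLE-2024-*` identifiers are placeholders, not real software or real CVEs, and versions are assumed to be plain dotted numbers with no pre-release tags.

```python
"""Match a CycloneDX-style SBOM against a list of advisories (added example).

Constructed data only: the components and advisory IDs below are fictional.
"""
import json
from typing import Dict, List, Tuple

# Constructed SBOM. The field names follow the CycloneDX JSON layout; the
# components themselves are fictional packages.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-xml",    "version": "2.0.7", "purl": "pkg:pypi/acme-xml@2.0.7"},
    {"type": "library", "name": "acme-http",   "version": "4.2.0", "purl": "pkg:npm/acme-http@4.2.0"},
    {"type": "library", "name": "acme-crypto", "version": "1.0.3", "purl": "pkg:pypi/acme-crypto@1.0.3"},
    {"type": "library", "name": "acme-log",    "version": "3.1.0", "purl": "pkg:pypi/acme-log@3.1.0"}
  ]
}
"""

# Constructed advisories in an OSV-like shape. A version is affected when
# introduced <= version < fixed. The IDs are placeholders, not real CVEs.
ADVISORIES: List[Dict] = [
    {"id": "EXAMPLE-2024-0001", "ecosystem": "pypi", "package": "acme-xml",
     "introduced": "2.0.0", "fixed": "2.0.9", "severity": "HIGH",
     "summary": "XML external entity expansion in the default parser"},
    {"id": "EXAMPLE-2024-0002", "ecosystem": "pypi", "package": "acme-xml",
     "introduced": "1.0.0", "fixed": "2.0.0", "severity": "MEDIUM",
     "summary": "Denial of service via deeply nested elements"},
    {"id": "EXAMPLE-2024-0003", "ecosystem": "npm", "package": "acme-http",
     "introduced": "0.0.0", "fixed": "4.2.0", "severity": "CRITICAL",
     "summary": "Request smuggling with chunked transfer encoding"},
    {"id": "EXAMPLE-2024-0004", "ecosystem": "pypi", "package": "acme-crypto",
     "introduced": "0.0.0", "fixed": "1.1.0", "severity": "LOW",
     "summary": "Timing side channel in a comparison helper"},
]

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def parse_version(v: str) -> Tuple[int, ...]:
    """Assumption: plain dotted numeric versions, so tuples compare correctly."""
    return tuple(int(part) for part in v.split("."))


def ecosystem_from_purl(purl: str) -> str:
    """'pkg:pypi/acme-xml@2.0.7' -> 'pypi' (the purl type field)."""
    return purl.split(":", 1)[1].split("/", 1)[0]


def is_affected(version: str, advisory: Dict) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def match_sbom(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Return one finding per (component, advisory) pair, worst severity first."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        eco = ecosystem_from_purl(comp["purl"])
        for adv in advisories:
            # Match on ecosystem as well as name: the same name can exist in
            # several registries and refer to unrelated code.
            if adv["ecosystem"] != eco or adv["package"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv):
                findings.append({
                    "id": adv["id"], "severity": adv["severity"],
                    "package": comp["name"], "version": comp["version"],
                    "fixed": adv["fixed"], "summary": adv["summary"],
                })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["package"], f["id"]))
    return findings


def summarize(findings: List[Dict]) -> str:
    """One line per finding, in the order match_sbom() produced."""
    if not findings:
        return "No affected components."
    lines = [
        f"{f['severity']}: {f['package']} {f['version']} - {f['id']} "
        f"(fixed in {f['fixed']}): {f['summary']}"
        for f in findings
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(match_sbom(SBOM_JSON, ADVISORIES)))
```

Two details matter more than the code size suggests: the range check is half-open, so a component already at the fixed version (acme-http 4.2.0 here) is correctly reported clean, and matching keys on the purl ecosystem as well as the package name, because a name collision across registries is a common source of false positives in exactly this kind of report.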
BN: Which cybersecurity skills are in the highest demand for companies looking to strengthen their teams, and which certifications are becoming essential to verify these competencies?
ML: The certifications most often required by employers, and most highly desired by our respondents, were CISSP and CompTIA Security+. That's no surprise. Security+ is a well-known entry-level certification, and CISSP is an in-depth certification for senior professionals. There was also a lot of interest in CISM (Certified Information Security Manager) and CEH (Certified Ethical Hacker). The popularity of CEH shows that penetration testing and red teaming skills are very important.
Though the biggest signal from our survey may be the number of people who answered 'Other' when asked what certifications they wanted to obtain, or were required by their employer. There are hundreds of security certifications, so their answers were all over the map. But if I had to pick one group of certifications out of 'other', it looked like the security certifications offered by the major cloud vendors were getting traction.
Image credit: belchonock/depositphotos.com