Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Cybersecurity Snapshot: 6 Things That Matter Right Now

Cybersecurity Snapshot -- Sept 2

Topics that are top of mind for the week ending Sept. 2 | Shift-left efforts falling short. What CISOs earn and what stresses them out. The quantum computing risk for critical infrastructure. Securing machine learning systems. And much more!

1 – Shift left: Still a work in progress

Shifting security left – meaning, starting security checks earlier in the software development process – has been widely hailed. But, as a new study shows, adoption of “shift left” practices is falling short.

In the study “Software Security During Modern Code Review: The Developer’s Perspective,” University of Zurich researchers interviewed 10 developers and polled another 182 online, and found:

  • Developers acknowledge the importance of security code reviews, and view it as their responsibility, but it’s not top of mind for them.
  • Most companies expect developers to do security code reviews, but many don’t provide them with security training.
  • Developers rank a lack of security training and knowledge as their main security-related challenge.
  • Developers are often unclear on who’s responsible for what regarding application security, and thus they may neglect doing their part.
  • They report struggling with assessing the security of third-party software libraries and the security of the interaction between app code components.

Challenges developers face concerning security during code reviews

Snapshot #9 -- image 1
(Source: “Software Security during Modern Code Review: The Developer’s Perspective” study, University of Zurich, Aug. 2022)

The researchers recommend that companies do a better job of educating developers about security and of motivating them to review code by providing incentives and recognition.

More information:

2 – All you ever wanted to know about CISOs in 2022

How much do CISOs earn? Which career paths do they take to become a CISO? How long do they stay at their jobs? What keeps them up at night?

You can find answers to those – and many more – questions in the “2022 Global Chief Information Security Officer (CISO) Survey” from executive search firm Heidrick & Struggles.

Key findings from the survey, which polled 327 CISOs from the U.S., Europe and Asia-Pacific:

  • Regarding the most significant threats facing their organizations, most respondents included ransomware (67%), followed by insider threats (32%), nation/state attacks (31%) and malware attacks (21%.)
  • CISOs’ team size grew compared with last year, reflecting the increasing investment in cybersecurity by organizations.
  • CISOs have broad visibility with their board of directors, with 88% saying they present to either the full board or to a board committee.
  • Median cash compensation for CISOs in the U.S. rose to $584,000 from $509,000 in 2021. Total compensation, including equity grants and other incentives, increased to $971,000 from $936,000.
  • Regarding tenure length, 77% of respondents have been at their current job for at least three years, up from 56% of respondents in 2021’s survey.
  • When asked about “personal risks,” CISOs ranked stress at the top (59%), followed by burnout and by higher-than-usual staff turnover
Snapshot #9 -- image 2
(Source: “2022 Global Chief Information Security Officer (CISO) Survey” from Heidrick & Struggles, August 2022.)

More information:

3 – Guidance for securing ML and AI systems

Machine learning (ML) and artificial intelligence (AI) have become ubiquitous across all types of applications, which makes them an attractive target for cybercriminals – and creates a need for security teams to protect these systems.

The latest guidance for combatting “adversarial machine learning” attacks comes from the U.K.’s National Cyber Security Centre (NCSC), which has just published a set of security principles for systems that have ML technology.

As an NCSC data science researcher explains in a blog post, to test software for vulnerabilities and weaknesses, one must understand how it works, but this is often difficult with ML, for a variety of reasons. 

In its guidance, the NCSC addresses critical ML weaknesses and challenges; the differences between ML security and standard cybersecurity; and its development of specific security principles.

More information:

4 – Struggling to fill IT, cybersecurity jobs? Look for non-tech candidates

The shortage of IT workers remains a global problem, and is particularly pronounced in cybersecurity, so what’s a hiring manager to do? A popular suggestion is to consider candidates without tech experience. A new article from McKinsey & Co. backs it up as a good idea.

Titled “Overcoming the fear factor in hiring tech talent,” it’s based on an analysis of anonymized online work histories of about 280,000 tech pros. Here’s a stat that jumps out: 44% transitioned to IT from non-IT occupations. And almost three in five U.S. IT managers started in non-IT roles.

Other interesting findings about these IT pros:

  • 70% started in professional services, healthcare or other science, technology, engineering and mathematics (STEM) fields.
  • Common first IT roles included app developer, IT support and document manager.
  • They show a stronger ability to acquire new IT skills than their IT “lifer” counterparts.
  • They tend to move quickly up the ladder to more specialized, sophisticated roles in areas like cybersecurity.

Recommendations for finding good candidates include:

  • Look for motivated candidates within your own organization.
  • Make bold hiring decisions and consider “soft skills” like:
    • Analytical mind
    • Attention to detail
    • Problem solving ability
    • Adaptability
    • Communication skills
  • Don’t rule out mid-career workers who are eager for a change.
  • Once they’re in IT, provide them with plenty of training and education.

More information:

5 – CISA: Critical infrastructure must prep for quantum computing threat 

Here’s a heads up for critical infrastructure organizations: Quantum computing is coming and you should start preparing for its cybersecurity risk now.

What’s the problem? When they become available, possibly around 2030, powerful quantum computers will break existing public-key cryptographic algorithms, which would create a global data-privacy and security disaster.

Consequently, the U.S. government is trying to get the country ready. For example, “quantum resistant” cryptographic algorithms are being developed, an effort slated for completion in 2024 with the release of a new standard.

The government is also providing guidance to cybersecurity teams, as we’ve explained in this blog. However, critical infrastructure faces particularly complex challenges, so the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a guide for this sector.

Snapshot #9 -- image 3

Here are some key takeaways:

  • Among the 55 national critical infrastructure functions provided by government and businesses, these four will offer foundational support via products, patches and software:
    • Providers of online content and communication services
    • Providers of identity management services
    • IT providers
    • Protectors of sensitive information
  • Because their hardware is geographically dispersed and has a long replacement lifecycle, organizations with industrial control systems (ICS) should factor quantum-computing risks into new hardware purchases.
  • NCF providers that store confidential data long-term must prevent “catch and exploit” attacks, in which hackers try to steal this data and decrypt it once quantum computers are available. 

CISA also reiterated the importance of taking steps now, like inventorying the systems and applications that use public-key cryptography, as well as the most critical data to be secured long-term. 

More information:

6 – Quick takes

Here’s a roundup of vulnerabilities, trends, news and incidents to put on your radar screen.

  • Microsoft is warning about a malware called MagicWeb, “a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services (AD FS) server.” MagicWeb is being used by the Nobelium APT – of SolarWinds fame – to maintain persistent access to compromised environments. More information and analysis from Redmond Magazine, ZDNet and Dark Reading
  • Ransomware attacks surged 47% in July compared with June, with the new Lockbit 3.0 variant accounting for most of the attacks (52), according to NCC Group.
  • LastPass, provider of a popular password manager app, disclosed that an intruder accessed parts of its dev environment and stole portions of source code, but said no customer data was compromised.
  • Wordpress is recommending users update to the latest version because it patches three security issues, including a SQL injection bug.
  • Google has launched a bug bounty program specifically for vulnerabilities found in any of its open source projects.
  • Atlassian warned about a critical severity vulnerability in BitBucket Server and Data Center 7.0.

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable.io Container Security

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try Tenable Lumin

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable.cs

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

Contact a Sales Rep to Buy Tenable.cs

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

Try Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Promotional pricing extended until December 31st.
Buy a multi-year license and save more.

Add Support and Training