US must do better in preparing professionals to help fight cyber attacks

While U.S. officials debate what new measures, if any, to put in place to protect our economic interests, firms, both public and private, should consider what they can do to keep these attacks from recurring, or at least to minimize the collective threat they pose to American business.

The plain and simple truth is that qualified information security practitioners are few and in high demand, especially as current and planned regulatory initiatives such as Sarbanes-Oxley and Dodd-Frank further constrain their availability.

Even from the perspective of the U.S. military, information security workers represent much more than basic levers of economic growth: they are a crucial component of the nascent effort to defend the nation’s information assets and digital infrastructure. And we are losing the battle.

Given that our economic and military infrastructure both depend on the continuous availability and flow of confidential, high-integrity data, one answer to the perpetual network probes and vulnerability scans that U.S. companies face is to retrain IT workers in the short term, until longer-term measures to protect our information infrastructure are in place. But how can this be accomplished? After all, it takes years of technical training to produce programmers and network engineers who can help combat attacks from abroad. That may be true, but it is not the only way to protect U.S. economic interests.

One proven method is to train current IT workers by the thousands with the right mix of technical and managerial know-how, which can be achieved in months, not years. Fortunately, the kind of training these workers need already exists and is available through training and professional credentialing organizations that specialize in information security, strategy and governance.

While the majority of network breaches are caused by social engineering, that is, by using the end user as the attack vector through which unauthorized access is gained to sensitive computing assets such as communication and database servers, other protective measures are available now and should be implemented immediately to curb future exploits that can threaten even the most protected computer enclaves.

Successful social engineering points to a failure at the top of the organization to link information security with corporate strategy, as well as to a lack of end-user training that could form a first line of defense against would-be attackers. Corporate strategies therefore need to be reviewed more frequently, with special attention paid to ensuring that the firm’s information security strategy is aligned with its business strategy.

Furthermore, sensible sharing of the current attack vectors that untrustworthy state actors from abroad are using against our economic assets, as witnessed by our intelligence community, needs to take place. All too often, U.S. businesses are simply unaware of how best to keep from falling victim to the common methods foreign actors use to steal sensitive intellectual property. Less than one year ago, for example, DuPont scientist Tse Chao pleaded guilty in federal court to stealing the color white, or more specifically, the firm’s secret recipe for the titanium dioxide used to make products white, as in paint, toothpaste, and even Oreo cookie filling! You can be sure that DuPont has revised its security strategy, but what are other firms, especially those that have not yet been victimized, doing to forestall becoming victims themselves?

Infected USB drives, for example, sprinkled in corporate parking lots and on commuter train floors, are a common attack method used by adversaries to gain access to computer networks with minuscule effort, since the workers themselves can be counted on to spot them, pick them up, and insert them into their computers when they arrive at work. How many of us have ‘gotten the memo’ about this simple attack technique? If nothing else, security awareness training for all computer users both inside and outside the firm is absolutely necessary and can help stop nefarious activities from succeeding.
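Awareness training is the first line of defense against the dropped-drive attack, but a firm can also detect the moment an unapproved drive is plugged in. The following is an added example, not code from the original article or its author: it scans Linux kernel log lines (the kind seen with dmesg or journalctl -k), pairs each enumerated device's idVendor/idProduct with the later "USB Mass Storage device detected" line on the same port, and flags any storage device whose IDs are not on a corporate allowlist. The log lines and the allowlist entry are constructed for the example; the vendor and product IDs in them are assumptions, not a recommendation of any particular device.

```python
import re

# Constructed Linux kernel log lines for the example (not a real capture).
SAMPLE_KMSG = """\
[  102.331] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  102.480] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  102.481] usb 1-1: Product: Ultra Fit
[  102.490] usb-storage 1-1:1.0: USB Mass Storage device detected
[  150.002] usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
[  150.003] usb 1-2: Product: USB Receiver
[  150.010] input: Logitech USB Receiver as /devices/pci0000:00/0000:00:14.0/usb1/1-2/input5
[  203.771] usb 2-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[  203.772] usb 2-3: Product: Disk
[  203.790] usb-storage 2-3:1.0: USB Mass Storage device detected
"""

# Assumed corporate allowlist of (idVendor, idProduct) pairs for issued drives.
# This is an example value, not a vetted list.
ALLOWED_STORAGE = {("0781", "5583")}

# Enumeration line: gives the port (e.g. "1-1") and the vendor/product IDs.
NEW_DEV_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# Storage-class binding: the same port, followed by the interface number.
STORAGE_RE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


def find_unapproved_storage(log, allowlist=ALLOWED_STORAGE):
    """Return [(port, idVendor, idProduct)] for every mass-storage device that
    bound on a port whose enumerated IDs are missing from the allowlist.
    A storage line with no preceding enumeration line is reported with '?' IDs."""
    devices = {}   # port -> (vid, pid) from the enumeration line
    alerts = []
    for line in log.splitlines():
        m = NEW_DEV_RE.search(line)
        if m:
            devices[m.group("port")] = (m.group("vid"), m.group("pid"))
            continue
        m = STORAGE_RE.search(line)
        if m:
            ids = devices.get(m.group("port"))
            if ids is None or ids not in allowlist:
                alerts.append((m.group("port"),) + (ids or ("?", "?")))
    return alerts


if __name__ == "__main__":
    for port, vid, pid in find_unapproved_storage(SAMPLE_KMSG):
        print(f"ALERT: unapproved USB storage on port {port} ({vid}:{pid})")
```

Two caveats a practitioner would want. First, the same allowlist can drive a preventive control (a udev rule or a Windows removable-storage policy) rather than only an alert. Second, this rule keys on the mass-storage class, so a dropped device that enumerates as a keyboard and types commands would not trigger it; that class of attack needs HID monitoring as well.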

Computer worms and scripted malware, on the other hand, do not necessarily involve human interaction; they often rely instead on previously reconnoitered network servers that are misconfigured, run outdated operating systems, or run unpatched, vulnerable software, and use those as the way into corporate networks. Locating the IP addresses (the addressing scheme the Internet uses to relay information) of misconfigured devices is a trivial task, since one can simply search online to learn how to perform ‘penetration testing’, and since most laptop and tablet users do not know how to configure their devices and user accounts properly before connecting to the Internet, hacking into systems becomes even easier. Perhaps more worrisome is the trend of smartphones connecting to corporate servers; these devices have paltry security features and are increasingly used by hackers as a gateway to internal networks. Phone hacking, as famous Hollywood types have become aware, is commonplace. [Hint: turn off Bluetooth unless you are using it!]
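The reconnaissance described above, and the "perpetual network probes and vulnerability scanning" mentioned earlier, leave a recognizable trace at the perimeter: one source touching many destination ports in a short time. The following is an added example, not code from the original article or its author. It parses iptables-style firewall log lines, groups connection attempts by source address, and flags any source that hits at least a threshold number of distinct ports within a sliding time window. The log lines are constructed for the example and use RFC 5737 documentation addresses; the threshold and window are assumed starting values, not tuned recommendations.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style log lines for the example (not a real capture):
# a fast scanner (198.51.100.7), a normal web client (203.0.113.55), and a
# slow scanner (198.51.100.9) that spaces its probes two minutes apart.
SAMPLE_LOG = """\
Mar  4 10:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40211 DPT=21 SYN
Mar  4 10:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40212 DPT=22 SYN
Mar  4 10:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40213 DPT=23 SYN
Mar  4 10:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40214 DPT=25 SYN
Mar  4 10:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40215 DPT=80 SYN
Mar  4 10:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40216 DPT=110 SYN
Mar  4 10:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40217 DPT=139 SYN
Mar  4 10:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40218 DPT=143 SYN
Mar  4 10:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40219 DPT=443 SYN
Mar  4 10:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40220 DPT=445 SYN
Mar  4 10:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40221 DPT=3389 SYN
Mar  4 10:00:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40222 DPT=8080 SYN
Mar  4 10:00:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.55 DST=203.0.113.10 PROTO=TCP SPT=51001 DPT=443 SYN
Mar  4 10:00:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.55 DST=203.0.113.10 PROTO=TCP SPT=51002 DPT=443 SYN
Mar  4 10:00:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.55 DST=203.0.113.10 PROTO=TCP SPT=51003 DPT=80 SYN
Mar  4 10:02:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=33001 DPT=22 SYN
Mar  4 10:04:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=33002 DPT=80 SYN
Mar  4 10:06:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=33003 DPT=443 SYN
Mar  4 10:08:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=33004 DPT=3389 SYN
"""

# Syslog timestamp, then the SRC= and DPT= fields wherever they appear on the line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_events(log):
    """Return a list of (timestamp, source, dport); lines without SRC/DPT are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; deltas within one log are all we need.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append((ts, m.group("src"), int(m.group("dpt"))))
    return events


def detect_port_scans(log, min_ports=10, window_seconds=60):
    """Return {source: sorted distinct ports} for every source that touched at
    least min_ports distinct destination ports inside some window_seconds-long
    window (sliding window, evaluated per source, anchored at each event)."""
    by_src = defaultdict(list)
    for ts, src, dpt in parse_events(log):
        by_src[src].append((ts, dpt))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - start <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"probable scan from {src}: {len(ports)} distinct ports {ports}")
```

With the default threshold only the fast scanner is reported; the slow scanner never has more than one distinct port inside any 60-second window, which is exactly why a single threshold is not enough and a longer window with a lower port count is worth running alongside it.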

The path to training the kind of IT worker urgently needed today is not found in traditional academic degree programs but in the professional credentialing organizations that specialize in identifying and developing defenses against the kinds of attacks we are witnessing daily. Of course, traditional academic programs of study are necessary to provide deeper insight into the IT function, but the quicker path to securing America’s national economic interests is through professional information security training and credentialing associations.

Although there are literally hundreds of information security certification programs available, several in particular provide the kind of critical training that can transform interested students into ‘cyber warriors’ able to stave off most of the attacks coming out of Asia. A good idea is to spend some time reviewing which certifications are in high demand (easily learned from trade magazines) and determining which for-profit agencies offer the biggest return on the training dollar. The overall objective, of course, is to bring about a highly skilled IT workforce that possesses, for example, a thorough understanding of proper incident handling techniques, so that when breaches do occur they can quickly be identified, contained, and eradicated, not to mention the payoff firms get from reviewing recent unsuccessful hacking attempts and adjusting their overall security strategy.

Furthermore, insight into common attack methods, malware analysis capabilities, network defense-in-depth techniques, and sound information security governance and policy frameworks can boost the defensive posture of every firm and is a necessary component of responding to network-based attacks. We simply cannot wait for a reversal of declining enrollment in the computing sciences to turn the tide against IT-leveraged international corporate espionage; we should be doing everything we possibly can to keep our secrets protected.

While no one doubts that corporate information security policy starts at the top, the NIE report makes it abundantly clear that current information security policies are proving ineffective. Too much trust is placed in lower-level technicians to ward off attacks on the firm. Staying ahead of so-called ‘script kiddies’ trying to hack into a company’s network is one thing; keeping out nation states hell-bent on gaining access is another. This fact, coupled with the relatively minuscule number of proven cyber warriors available today, ultimately limits the ability of most firms simply to keep up with the ever-morphing catalog of millions of computer worms and viruses that grows by the thousands each day, hence the call for more certified IT security practitioners.

To protect against the potential devastation that hackers everywhere pose to all of us, it is vital to stay in lockstep with the techniques used by the most sophisticated malware, purposefully designed to evade even the most cleverly configured intrusion prevention and intrusion detection systems in use throughout U.S. companies, but we are falling short. The ugly truth is that the bad guys, whoever they are, are outperforming our ability to defend our vital infrastructure, and this is one race that our society cannot afford to lose.

The threats looming over our digital infrastructure will undoubtedly multiply, driving risk to untenable levels, the levels often associated with calamitous security breaches. So, at least for the foreseeable future, professional certifications will help stem the tide of ever-mounting encroachment attempts, at least until academia figures out a way to speed up its sometimes outmoded approach to teaching practical ways to stay abreast of a changing technological landscape.

Gabberty is a professor of information systems at Pace University in New York City and teaches graduate-level courses in systems analysis & design, telecommunications and information security. He is an alumnus of MIT and NYU’s Polytechnic Institute and has served as an expert witness in telecommunication and information security at the federal and state levels.