According to a June 2015 survey of Black Hat attendees, it’s because organizations aren’t focusing on the real threats.
Specifically, enterprises are throwing lots of money, time and staff at security, but it’s not hitting the things that truly worry security experts.
For the survey, Black Hat and Dark Reading polled 460 Black Hat USA conference attendees: 61% have full-time security job titles, 25% are security managers, almost two-thirds are Certified Information Systems Security Professionals (CISSPs), and many also hold other advanced credentials.
In other words, these are the people on the front line of battling exploits and data leaks, and they’re also the ones who develop and implement enterprise defenses.
You’d think that whatever keeps then awake at night would steer organizations’ security focus, but the responses show what the survey report calls a “troubling disparity” between priorities and resources.
The biggest worries
The majority of those polled (57%) reported that sophisticated, targeted attacks are their greatest concern.
Yet, only 26% reported that targeted attacks were among the top three spending priorities at their organizations, while only 20% said that targeted attacks were among the top three tasks where they spend the most time.
Social engineering attacks, cited as a top concern by 46% of respondents, are similarly shortchanged in time and budget, with only 31% saying that such attacks are one of their three top tasks.
The numbers justify the placement of targeted attacks at the top of their list of concerns: a recent report on phishing found that major brands are being heavily targeted, with more than half (54%) of phishing attempts being launched at just three brands: Apple, Paypal, and Chinese marketplace Taobao, each of which were hit by 20,000 unique phishing attacks during the study time.
This is the type of threat that should be accounting for the most focus: The top ten brands accounted for over 75% of all phishing and many of these saw more than 1,000 separate attacks per month.
Large enterprises aren’t the only ones at risk: niche sites, as well as individuals, also attract the attention of spear-phishers.
These attacks are called ‘sophisticated’ but successful targeting often requires nothing more than a plausible name and email address.
Respondents to the survey were allowed to pick up to three top concerns.
Besides targeted attacks and social engineering, they reported this mixed bag:
- Accidental data leaks: 21%
- Vulnerabilities in software developed in-house: 20%
- Polymorphic malware: 20%
- Cyber espionage: 20%
The survey findings show that Black Hat attendees are aware of potential exploits and attacks that could be created by outsiders, and this knowledge causes significant concern.
But it also shows that infosec pros’ concerns have shifted over the years.
Five years ago, at Black Hat 2010 in Las Vegas, attendees told Naked Security that their biggest concerns included malware, SCADA, privacy, and concerns about the cloud.
But this year’s focus at Black Hat on targeted, sophisticated attacks mirror those cited by attendees at Infosec Europe 2015, some of whom told Naked Security that “users” and “people” were among their biggest concerns: i.e., the staffers who get tricked into clicking on those targeted attacks.
The biggest resource spends
There’s a big gap between IT security spending priorities and the level of concern among security-savvy professionals.
While 57% said that targeted attacks are one of their top three priorities for spending, only 26% ranked it as being among the top three spending priorities.
These are the things that are getting the money, time and staffing, ranking the most frequently among the top three spending priorities:
- Accidental leaks: 26%
- Sophisticated attacks: 26%
- Regulatory compliance issues: 25%
- Vulnerabilities in off-the-shelf apps or systems: 23%
- Phishing and other forms of social engineering: 22%
- Vulnerabilities in apps developed in-house: 21%
Black Hat’s report proposes that the gaps may point to budgets that are failing to keep up with the latest threats, and to security professionals who aren’t managing to tune spending to coincide with their most pressing current concerns.
These are the things that are sucking up the most time during an average day of an infosec worker:
- Vulnerabilities created by an in-house development team: 35%
- Vulnerabilities in off-the-shelf applications or systems: 33%
- Phishing and other forms of social engineering: 31%
- Loss of compliance with industry or regulatory requirements: 30%
- Accidental data leaks by end users not following security policy: 26%
- Sophisticated attacks targeted directly at the organization: 20%
- Polymorphic malware that evades signature-based defenses: 14%
- Attacks or exploits on cloud systems or services: 11%
- Attacks or exploits brought in by mobile devices: 8%
- Attacks on suppliers, contractors, or other partners: 8%
- Surveillance by foreign governments or competitors: 8%
- Data theft or sabotage by malicious insiders: 7%
- Action by “hacktivists” or politically-motivated attackers: 6%
- Digital attacks on non-computer devices and systems – the Internet of Things: 6%
- Surveillance by my own government: 2%
How media and management are misguided
This hits close to home. Many of the infosec pros Black Hat surveyed felt that the perception of current threats – both in the media and among their managers and supervisors – differs from their own.
Close to half (41%) of respondents felt that the media have overplayed the issue of domestic government surveillance.
More than a quarter (27%) say that we’re focusing too much on hacktivists and politically motivated attackers.
Security pros also find that their enterprises’ management are worried about insider threats (29%), while only only 17% of security professionals feel the same.
These are the things that they think media and industry events aren’t paying enough attention to:
- Phishing and social engineering
- Accidental data leaks by end users
- New vulnerabilities introduced by off-the-shelf software
We hear you loud and clear: at Naked Security we try hard to write about the things that matter to you, but feel free to weigh in, in the comments section below. We’re always interested in hearing from you with regards to what you want us to focus on.
You can download Black Hat’s full report here.