November 23, 2024

Dropbox Got Up to 249 National Security Requests in First Half of 2014

Posted on September 12, 2014 by in Security

Dropbox released another transparency report on Thursday and announced that moving forward, it will do so every six months in an effort to keep the public informed of its interactions with authorities.

Bart Volkmer, a lawyer with the company, revealed in a blog post that Dropbox had received 268 requests for user information from law enforcement agencies between January and June of this year. In addition, while he hasn’t specified an exact number due to restrictions, the Dropbox representative said there had been 0-249 national security requests.

The company received a total of 120 search warrants and provided content (files stored in users’ accounts) and non-content (subscriber information) in 103 cases. In response to 109 subpoenas, the company hasn’t provided law enforcement with any content, but it has produced subscriber details in 89 cases. While many of the requests came from the United States, the report shows that there have been a total of 37 requests from agencies in other countries.

Volkmer has pointed out that while these numbers are small considering that the company has 300 million customers, Dropbox only complies with such requests if all legal requirements are satisfied. He claims cases in which agencies request too much information or haven’t followed proper procedures are “pushed back.”

The report also shows that the rate of data requests from governments remains steady. An interesting aspect is that agencies keep asking Dropbox not to notify targeted users. However, customers are notified as per the company’s policies, except for cases where there’s a valid court order. A total of 42 users were notified when the file sharing service was presented with search warrants, and 47 individuals were informed in the case of subpoenas.

There haven’t been any requests from governments targeting Dropbox for Business accounts, the company said.

“We’ll push for greater openness, better laws, and more protections for your information. A bill currently in Congress would do just that by reining in bulk data collection by the US government and allowing online services to be more transparent about the government data requests they receive,” Volkmer said. “Another would make it clear that government agencies must get a warrant supported by probable cause before they may demand the contents of user communications. We’ll continue to lend our support for these bills and for real surveillance reform around the world.”

While many companies publish transparency reports to keep the public informed of requests from governments, interesting details can also emerge from court documents. A perfect example is a series of recently unsealed documents showing that US authorities threatened to fine Yahoo $250,000 a day if it failed to comply with PRISM, the notorious surveillance program whose existence was brought to light last year by former NSA contractor Edward Snowden.

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Microsoft Preps Critical Internet Explorer Security Update for Patch Tuesday

Posted on September 4, 2014 by in Security

Microsoft is set to release four security bulletins next Tuesday covering issues in Windows, Internet Explorer and other products.

Only one of the bulletins – the one dealing with Internet Explorer – is rated ‘Critical.’ The other three are classified by Microsoft as ‘Important.’

“Looks like a very light round of Microsoft Patching this month,” said Ross Barrett, senior manager of security engineering at Rapid7. “Only four advisories, of which only one is critical. The sole critical issue this month is the expected Internet Explorer roll up affecting all supported (and likely some unsupported) versions. This will be the top patching priority for this month.”

Many organizations do not routinely stay up-to-date with the latest version of the browser, noted Eric Cowperthwaite, vice president of advanced security and strategy at Core Security.

“I checked with a couple recently and they are still running two or three versions of IE behind the current version,” he said. “The IE vulnerabilities are likely to impact significant portions of the enterprise computing space. Clearly the IE vulnerabilities that will allow remote code execution on every desktop OS and most server OS is the vulnerability that should be addressed first. Because it is so widespread and requires system restarts, this is going to be challenging for most IT organizations.”

The three non-critical bulletins address issues in Windows, the .NET Framework and Microsoft Lync Server. Two of the bulletins deal with denial of service issues, while the other addresses an escalation of privilege.

“The few number of patches expected out next week doesn’t mean you can take a pass on patching this month however,” noted Russ Ernst, director of product management at Lumension. “The critical class patch is for at least one remote code execution vulnerability in IE – likely another cumulative update for the browser.”

The updates are slated to be released Tuesday, Sept. 9.

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:



Hackers Demand Automakers Get Serious About Security

Posted on August 11, 2014 by in Security

A group of security researchers called upon automobile manufacturers to build cyber-security safeguards inside the software systems powering various features in modern cars.

In an open letter to “Automotive CEOs” posted (PDF) on the I am the Cavalry website, a group of security researchers called on automobile industry executives to implement five security programs to improve car safety and safeguard them from cyberattacks. As car automation systems become more sophisticated, they need to be locked down to prevent tampering or unauthorized access. The Five Star Automotive Cyber Safety Program outlined in the letter asked industry executives for safety by design, third-party collaboration, evidence capture, security updates, and segmentation and isolation.

“The once distinct worlds of automobiles and cybersecurity have collided,” read the letter. “Now is the time for the automotive industry and the security community to connect and collaborate.”

Vehicles are “computers on wheels,” said Josh Corman, CTO of Sonatype and a co-founder of I am the Cavalry, the group that penned the open letter. The group aims to bring security researchers together with representatives from non-security fields, such as home automation and consumer electronics, medical devices, transportation, and critical infrastructure, to improve security.

Computers manage engines, brakes, navigation, air-conditioning, windshield wipers, entertainment systems, and other critical and non-critical components in modern cars. Security experts have warned that unless the systems are built with better security features, cyberattacks against cars could result in physical injury to the driver and possibly passengers. The five star plan can conceivably be used by consumers, à la Consumer Reports, to understand which automakers are thinking about security, Corman said.

The first “star,” safety by design, simply means automakers should design and build automation features with security in mind. Engineers should be stopping to think about how the systems could be tampered with and then build in blocks to prevent such an attack. Automakers should also implement a secure software development program within their companies to encourage better coding and design.

Third party collaboration asks automakers to establish a formal vulnerability disclosure program, to clearly state what its policies are and who to contact. This doesn’t mean bug bounties—where companies would pay for bugs—but rather designing a process that ensures bug reports and other information from third-party researchers reach the right engineers.


“Tesla already gets a star,” Corman said, noting the electric car maker recently established such a policy.

Evidence capture is the first technical piece in the Five Star program, and asks for forensics capabilities such as events logging in car systems.

“We have black boxes in airplanes,” Corman said, noting it’s currently impossible to collect any information on why something failed in car systems. Security updates mean the issues found and reported which have been fixed actually get pushed out to individual cars in a timely and effective manner. And the final star—and the last technical piece—is segmentation and isolation, referring to keeping critical systems separate from the rest of the car’s network.

“With segmentation and isolation, we want to make sure you contain failures, so a hack to the entertainment system never disables the brakes,” said Corman.

Vehicles, transportation systems, industrial control systems, and medical devices represent some of the hottest areas of cyber research. At Black Hat this year, Charlie Miller, an engineer at Twitter, and Chris Valasek, director of vehicle security research at IOActive, demonstrated how they could remotely control vehicles by compromising non-critical systems. The talk built on last year’s research, which showed how they could take over the brakes and the car’s steering from the back seat of the car. There were sessions discussing medical device security, and a DEF CON presentation looked at how traffic control systems were not secure.

The security industry reaching out directly to the automobile industry was a good idea, said Andrew Ruffin, a former staffer for Sen. Jay Rockefeller (D-WV), a member of the Senate Commerce Committee. Ruffin attended the press conference at DEF CON 22 on Friday. “I’m encouraged by the letter and hope there’s a quick response,” said Ruffin. “I think this has some legs.”

Considering how technology has permeated practically all parts of modern life, the group wants manufacturers to think about security and start implementing security features in their designs and business processes. The goal is to start thinking about security and implementing safeguards before the major cyberattack happens, said Corman. To people who say these things take time and would require a lot of work, Corman had two words: “We know.” The time to start is now, so that in a few years, these efforts would actually show results, he said.

Along with releasing the open letter, the group participated in a closed-door session with automobile and medical device representatives in a private meeting in Las Vegas on Tuesday and plans to discuss automotive hacking at DEF CON on Sunday. There is also a change.org petition demanding automakers pay attention to car safety and cybersecurity.

“When the technology we depend on affects public safety and human life, it commands our utmost attention and diligence. Our cars command this level of care. Each and every day, we entrust our lives and the lives of those we love to our automobiles,” the letter said.

Signatures and instructions for signing the petition can be found online.

Podcast: Car Hacking with Charlie Miller and Chris Valasek

Related: Car-hacking Researchers Hope to Wake up Auto Industry

Related: Forget Carjacking, What about Carhacking?

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.

Previous Columns by Fahmida Y. Rashid:



Apple iPhone ‘Threat to National Security’: Chinese Media

Posted on July 12, 2014 by in Security

BEIJING – Chinese state broadcaster CCTV has accused US technology giant Apple of threatening national security through its iPhone’s ability to track and time-stamp a user’s location.

The “frequent locations” function, which can be switched on or off by users, could be used to gather “extremely sensitive data”, and even state secrets, said Ma Ding, director of the Institute for Security of the Internet at People’s Public Security University in Beijing.

The tool gathers information about the areas a user visits most often, partly to improve travel advice. In an interview broadcast Friday, Ma gave the example of a journalist being tracked by the software as a demonstration of her fears over privacy.

“One can deduce places he visited, the sites where he conducted interviews, and you can even see the topics which he is working on: political and economic,” she said.

The frequent locations function is available on iOS 7, the operating system used by the current generation of iPhones released in September 2013. “CCTV has only just discovered this?” said one incredulous Chinese microblogger.

The dispute is not the first time Apple has been embroiled in controversy in China, where its products are growing in popularity in a marketplace dominated by smartphones running Google’s Android operating system.

Apple lost a lawsuit against a Chinese state regulator over patent rights to voice recognition software such as the iPhone’s “Siri” just this week.

In March 2013 the Californian company was notably the target of criticism orchestrated by the Chinese media on behalf of consumers, who were critical of poor after-sales service.

And in 2012 the US firm paid $60 million to settle a dispute with another Chinese firm over the iPad trademark.

The privacy scare also reflects mutual distrust between the US and China after a series of allegations from both sides on the extent of cyber-espionage.

Leaks by former US government contractor Edward Snowden have alleged widespread US snooping on China, and this month it was reported Chinese hackers had penetrated computer networks containing personal information on US federal employees.

Apple did not immediately respond when contacted by AFP for comment.

Related: Obama Not Allowed an iPhone for Security Reasons

 

Related: NSA Tracks Mobile Phone Locations Worldwide

© AFP 2013



OpenDNS Adds Targeted Attack Protection to Umbrella Security Service

Posted on July 9, 2014 by in Security

OpenDNS has enhanced its cloud-based network security service Umbrella with new capabilities designed to protect organizations against targeted attacks, the company announced on Tuesday.

The company says its monitoring systems are capable of detecting malicious traffic from the first stages of a potential targeted attack by comparing customers’ traffic to activity on OpenDNS’s global network. By providing predictive intelligence on the attackers’ network infrastructure, OpenDNS enables organizations to block attacks before any damage is caused.

Many organizations are capable of identifying single-stage, high-volume cyberattacks, but the “noise” generated by these types of attacks makes it more difficult to detect highly targeted operations, the company explained.

According to OpenDNS, its services address this issue by providing real-time reports on global activity and detailed information for each significant event. The reports can be used by enterprises to identify ongoing or emerging targeted attacks based on whether or not the threats have a large global traffic footprint, or if they’re detected for the first time.

In order to make it easier for security teams to investigate an incident, OpenDNS provides information on the users, devices and networks from which malicious requests are sent. Information on the attackers’ infrastructure can be useful for predicting future threats and for blocking components that are being prepared for new attacks.

“Enterprises today are challenged to keep up with the volume of attacks that are targeting their networks. Not only is the efficacy of today’s security tools declining, but when they do identify a threat they lack the context that is critical to blocking it,” said Dan Hubbard, CTO of OpenDNS. “The ability to determine the relevance and prevalence of an attack is key to prioritizing response, remediating infected hosts, and understanding the scope of the threat.”

The new capabilities are available as part of the Umbrella service based on a per user, per year subscription.

Previous Columns by Eduard Kovacs:



Consumers Ready for Internet of Things, But Fear Data Privacy and Security Implications: Survey

Posted on June 23, 2014 by in Security

Security vendor Fortinet released a survey that shows homeowners want to embrace the Internet of Things (IoT), but are worried about privacy and security.

In a survey of 1,801 homeowners, Fortinet found that 61 percent of U.S. respondents believe the connected house – a home where appliances and home electronics are seamlessly connected to the Internet – is “extremely likely” to become a reality during the next five years. Eighty-four percent of homeowners in China felt that way.

But the excitement over the prospect is tempered by security concerns. A majority of respondents (69 percent) globally said they were extremely or somewhat concerned a connected appliance could result in data breach of sensitive information. Among U.S. homeowners, the figure was 68 percent. When asked how they would feel if a connected device in their home was secretly or anonymously collecting information about them and sharing it with third-parties, 62 percent said they would feel “completely violated and extremely angry to the point where I would take action.” The strongest responses came from South Africa, Malaysia and the U.S., with the U.S. coming in at 67 percent.

Fifty-seven percent of respondents in the U.S. also agreed with the statement that “privacy is important to me, and I do not trust how this type of data may be used.”

“The Internet of Things promises many benefits to end-users, but also presents grave security and data privacy challenges,” said John Maddison, vice president of marketing at Fortinet, in a statement. “Crossing these hurdles will require clever application of various security technologies, including remote connection authentication, virtual private networks between end-users and their connected homes, malware and botnet protection, and application security – applied on premises, in the cloud and as an integrated solution by device manufacturers.”

Many respondents said they felt they should have access to any data collected by a connected home appliance. Sixty-six percent said that only they themselves, or others to whom they have given permission, should have access to this information. In the U.S., the number was 70 percent, with about a quarter also stating they thought the device manufacturer or their Internet Service Provider (ISP) should have access to the collected data as well.

Forty-two percent said the government should regulate collected data, while 11 percent said regulation should be enforced by an independent, non-governmental organization. In the United States, only 34 percent of respondents felt the government should regulate collected data.

Still, the respondents felt the device manufacturers should be primarily responsible for securing the device if a vulnerability is found. Forty-eight percent of all those surveyed agreed that the manufacturer is responsible for updating and patching their technology. However, almost 31 percent responded that it was the responsibility of the homeowner to keep the device up to date.

“The battle for the Internet of Things has just begun,” Maddison said. “According to industry research firm IDC, the IoT market is expected to hit $7.1 trillion by 2020. The ultimate winners of the IoT connected home will come down to those vendors who can provide a balance of security and privacy vis-à-vis price and functionality.”

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:



eBay, Security Experts Say Database Dump is Fake

Posted on May 24, 2014 by in Security

Security experts and eBay have confirmed that a recent user database being advertised on Pastebin was not obtained as a result of the data breach suffered by the online marketplace earlier this year.

On May 21, eBay admitted that its corporate network had been breached sometime between late February and early March 2014. The attackers compromised the login credentials of a small number of employees and used the data to gain access to the details of eBay’s 145 million customers. The breach was discovered only in early May.

While there’s no evidence that financial information has been compromised, or that PayPal customers are impacted, the cybercriminals have managed to gain access to names, email addresses, physical addresses, phone numbers, dates of birth and encrypted passwords.

It’s uncertain who is behind the attack, but other cybercriminals and scammers are already trying to profit from the incident. Experts have reported seeing a higher number of PayPal and eBay phishing attacks, and a post on Pastebin was found offering to sell 145,312,663 eBay customer records for 1.453 Bitcoin (around $750).

The seller has published a sample of 12,663 names, password hashes, email addresses, physical addresses, phone numbers and dates of birth allegedly belonging to eBay customers in the Asia-Pacific region.

Both security experts and eBay have analyzed the sample and determined that the data is fake. eBay representatives say none of the credentials appear to belong to customers.

Security expert Kenn White has also analyzed the data and found that it appears to originate from older leaks.

Security blogger Brian Krebs also believes that the data is fake. Allison Nixon, a threat researcher with Deloitte & Touche LLP, has told Krebs that the scammers are most likely hoping that security companies will purchase the data for research purposes.

In its official data breach announcement, eBay failed to disclose how it encrypts customer passwords, but company representatives have told Reuters that a “sophisticated, proprietary hashing and salting technology” is used to protect them. On Twitter, eBay noted that passwords are hashed and salted, and there is no evidence that the encryption has been broken.

However, users are advised to change their passwords as a precaution. While some have criticized the company for not forcing password resets, as Australian security expert Troy Hunt highlights, that might not be such a good idea.

First of all, if the passwords are stored in properly hashed form and the company is confident that the information can’t be cracked easily, forcing a reset may be “overkill.” Furthermore, as Hunt explains, resetting the passwords of 145 million people at the same time and asking them to visit the site to set new ones might be too much for eBay’s servers, and it could be like launching a DDoS attack against themselves.

Another important aspect emphasized by Hunt and other security experts is the fact that it took eBay such a long time to detect the breach.

“What I find very distressful is the fact that the breach occurred 2 months ago and they found out just two weeks ago,” IT security expert Sorin Mustaca told SecurityWeek.

As far as disclosing information about the incident, Mustaca noted, “eBay is very careful in what they disclose because they are afraid of being sued. And indeed, I’ve seen in the media that there are already some attempts to sue them over their practices as far as the security of the network is concerned.”

Previous Columns by Eduard Kovacs:



Cloud Security Alliance Releases Update to Software Defined Perimeter (SDP)

Posted on May 2, 2014 by in Security

LONDON – Infosecurity Europe – The Cloud Security Alliance (CSA), a not-for-profit organization which promotes the use of best practices for providing security assurance within cloud computing, announced the release of two key documents related to the CSA’s Software Defined Perimeter (SDP), an initiative to create the next generation network security architecture. The SDP Version 1.0 Implementation Specification and SDP Hackathon Results Report provide important updates on the SDP security framework and deployment in protecting application infrastructures from network-based attacks. CSA will be providing press briefings about SDP developments at Infosecurity Europe.

The SDP, a collaboration between some of the world’s largest users of cloud computing within CSA’s Enterprise User Council, is a new approach to security that mitigates network-based attacks by creating dynamically provisioned perimeters for clouds, demilitarized zones, and data center infrastructures.

The SDP Version 1.0 Implementation Specification being released today provides a detailed description of the base architecture. Version 1.0 provides the necessary information to design and implement a highly secure network system for a wide variety of use cases. As part of the updated framework, key concepts comprising the SDP, such as Single Packet Authorization (SPA) and Mutual Transport Layer Security (TLS), have undergone extensive review. Additionally, a number of CSA members, including some of the largest global companies, have SDP pilots in place.

Also being released today, the SDP Hackathon Results Report Whitepaper provides a detailed explanation of the SDP concept, its multiple layers of security controls, and the results of the hacking contest. The Hackathon, announced by Alan Boehme of Coca Cola at the CSA Summit at RSA 2014, invited hackers worldwide to attack a server defended by the SDP. While more than 10 billion packets were fired at the SDP from around the world, no attacker broke through even the first of five layers of security controls specified by the SDP architecture.

“The Hackathon provides critical validation for the multi-layer SDP security model. Even after 10 billion attack packets, no one was able to crack even the first layer of SDP security controls during the event,” said Junaid Islam, co-chair of the SDP Working Group and CTO of new CSA corporate member Vidder, Inc. “It’s the goal of this research initiative to keep testing SDP against real life attack scenarios to provide the highest level of security for cloud, mobile computing and the Internet of Things applications.”

In releasing the SDP Version 1.0 Implementation Specification, the SDP working group is providing the industry with a validated and proven concept for cloud-based security models and has also announced an open call for participation for the development of version 2.0. According to Bob Flores, former CTO of the CIA and Chief Executive Officer of Applicology Incorporated and SDP Working Group Co-Chair, now is the time for interested experts to get involved. “Today’s release of SDP 1.0 will enable sufficient industry participation and feedback to allow CSA to release version 2.0 at the CSA Congress US taking place Sept 17-19 in San Jose, CA.”

“The new SDP specification, together with the results of the Hackathon, represent the tremendous progress and confidence we have in making this framework part of every organization’s security posture in the future,” said Jim Reavis, CEO of the CSA. “Now it is time for the industry to join us in the next phase of the SDP, version 2.0, to make the framework stronger and even more secure against outside attacks.”

SOURCE Cloud Security Alliance

Previous Columns by SecurityWeek News:



Don’t Forget DNS Server Security

Posted on March 17, 2014 by in Security

Late last August, some visitors to the New York Times website received an unexpected surprise – the website was down.

The source of the interruption was not a power outage or even a denial-of-service attack. Instead, it was a battle against a DNS hijacking attempt believed to be connected to hacktivists with the Syrian Electronic Army.

The attack was one of several in 2013 that focused on DNS (domain name system) infrastructure, and security experts don’t expect this year to be all that different – meaning organizations need to stay aware of DNS security threats.

Just last month, domain registrar and hosting provider Namecheap was hit with a distributed denial-of-service (DDoS) attack targeting its DNS platform that impacted roughly 300 sites. Beyond DDoS, attackers can also compromise a name server and redirect DNS queries to a name server under their control.

“DNS providers are often targets of attack because they are a central point for disrupting all services, web, mail, chat, etc. for an organization,” said Michael Hamelin, lead X-Force security architect at IBM. “The DNS server is the roadmap for the Internet, and once disrupted, services that are the lifeblood of the organization such as web, mail, and chat become inaccessible. If a DNS provider goes down, it could mean that thousands of customers have their digital presence temporarily erased.”

In the case of the New York Times, the attack that affected their users occurred when someone accessed a reseller account on Melbourne IT’s systems and changed the DNS records for nytimes.com as well as other domain names such as twitter.co.uk. This kind of password theft can have far-reaching implications, said Hamelin, who recommended DNS providers use two-factor authentication and “enable a restricted IP block requiring all edits to be made internally on the network.”

“Organizations need to understand that just because they have outsourced their hosting and DNS, it doesn’t mean that they’re guaranteed that the vendor has taken adequate security precautions to provide a highly available and secure service,” he said. “The organization needs to anticipate their DNS may become a target of an attack, and implement countermeasures such as using two different DNS systems and/or hosting providers.”

By its very nature, DNS is one of the weaker links in many infrastructures, said Vann Abernethy, senior product manager at NSFOCUS, adding that the company had seen an increase in both DDoS attacks on DNS infrastructure last year as well as the use of DNS to amplify traffic. Juxtaposed with the critical nature of its operation, its status as a weak link makes it an enticing target for attacks, he said.

“There are quite a few variants of DDoS attacks that can be executed against DNS servers, such as DNS Query Flood – a resource consumption attack aimed at a single infrastructure,” Abernethy said. “And there are new ones cropping up as well.”

Among those is a technique, similar to a DNS amplification attack, in which the attacker sends queries for fake subdomains that the victim DNS server cannot resolve, flooding the authoritative servers it must contact, he said.

Fortunately, there are a number of actions organizations can take to improve DNS security. For starters, don’t run open resolvers, advised Mark Beckett, vice president of marketing for DNS security vendor Secure64.

“Open resolvers allow anyone on the internet to query a DNS resolver, and are widely used by botnets to inflict damage,” he said. “[Also] don’t allow spoofed IP addresses to exit your network. Organizations should set egress filters so that only packets with IP addresses within their network address space are allowed to exit their network. This eliminates the ability of the attack to spoof any IP address that it wishes from an infected machine.”

He also suggested organizations use rate limiting capabilities within their DNS server if possible, and monitor the network to detect any sudden spikes in DNS packet rates or in inbound or outbound DNS traffic volume.

“Early detection of an attack can allow an organization to take defensive measures (like blocking attack traffic upstream at the router or firewall) before the attack is severe enough to impact their users or their network,” he said.
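The fake-subdomain flood Abernethy describes and the egress filtering and rate monitoring Beckett recommends can both be checked from resolver logs. The script below is an added example, not code from SecurityWeek, Secure64 or NSFOCUS; it runs over a constructed log in an assumed "timestamp client qname rcode" format, flags per-second query-rate spikes against a running median, flags bursts of distinct NXDOMAIN names under one zone, and lists outbound source addresses that an egress filter should drop.

```python
import ipaddress
from collections import Counter, defaultdict
from statistics import median

# Constructed sample resolver log (not from any real server). Assumed format:
# "<epoch_second> <client_ip> <qname> <rcode>". Seconds 100-105 are a quiet
# baseline; second 106 carries a burst of random labels under one zone.
SAMPLE_LOG = """\
100 10.0.0.5 www.example.com. NOERROR
100 10.0.0.6 mail.example.com. NOERROR
101 10.0.0.5 www.example.com. NOERROR
101 10.0.0.7 cdn.example.net. NOERROR
102 10.0.0.6 www.example.com. NOERROR
103 10.0.0.5 api.example.org. NOERROR
103 10.0.0.8 www.example.com. NOERROR
104 10.0.0.6 mail.example.com. NOERROR
105 10.0.0.7 www.example.com. NOERROR
105 10.0.0.5 typo.example.com. NXDOMAIN
106 10.0.0.9 k3j2x.victim.example. NXDOMAIN
106 10.0.0.9 qz81p.victim.example. NXDOMAIN
106 10.0.0.9 m0a7c.victim.example. NXDOMAIN
106 10.0.0.9 t9y4e.victim.example. NXDOMAIN
106 10.0.0.9 b5n6r.victim.example. NXDOMAIN
106 10.0.0.9 h2w8l.victim.example. NXDOMAIN
106 10.0.0.9 v7d1s.victim.example. NXDOMAIN
106 10.0.0.9 c4f3q.victim.example. NXDOMAIN
106 10.0.0.9 x6g5u.victim.example. NXDOMAIN
106 10.0.0.9 n8k0z.victim.example. NXDOMAIN
106 10.0.0.5 www.example.com. NOERROR
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, normalized qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((int(ts), client, qname.rstrip(".").lower(), rcode))
    return records


def queries_per_second(records):
    """Count queries per one-second bucket."""
    return Counter(ts for ts, _, _, _ in records)


def rate_spikes(per_second, factor=4.0, min_baseline=3):
    """Flag seconds whose query count exceeds `factor` times the median of all
    earlier seconds; needs at least `min_baseline` earlier seconds to judge."""
    spikes, history = [], []
    for ts in sorted(per_second):
        count = per_second[ts]
        if len(history) >= min_baseline and count > factor * median(history):
            spikes.append((ts, count))
        history.append(count)
    return spikes


def zone_of(qname):
    """Assumption: the zone is the last two labels. A real deployment would use
    the public suffix list instead of this heuristic."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def random_subdomain_floods(records, window=1, min_distinct=8):
    """Per (zone, time window), count distinct NXDOMAIN names. Many never-seen
    names under one zone in a short window is the fake-subdomain pattern."""
    names = defaultdict(set)    # (zone, bucket) -> distinct qnames
    sources = defaultdict(set)  # (zone, bucket) -> client IPs
    for ts, client, qname, rcode in records:
        zone = zone_of(qname)
        if rcode != "NXDOMAIN" or qname == zone:
            continue
        key = (zone, ts // window)
        names[key].add(qname)
        sources[key].add(client)
    return [
        {"zone": zone, "window_start": bucket * window,
         "distinct_names": len(qnames), "clients": sorted(sources[(zone, bucket)])}
        for (zone, bucket), qnames in sorted(names.items())
        if len(qnames) >= min_distinct
    ]


def spoofed_egress(src_ips, address_space):
    """Egress filter check: outbound source addresses outside the organization's
    own address space are spoofed and should be dropped at the edge."""
    nets = [ipaddress.ip_network(n) for n in address_space]
    return [ip for ip in src_ips
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("rate spikes:", rate_spikes(queries_per_second(recs)))
    print("random-subdomain floods:", random_subdomain_floods(recs))
    print("spoofed egress:",
          spoofed_egress(["10.0.0.5", "198.51.100.7"], ["10.0.0.0/16"]))
```

Thresholds (`factor`, `min_distinct`, `window`) are constructed for the sample; tune them against a real baseline before alerting on them.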

DNS-related attacks will continue to be a theme of 2014, Hamelin said, noting there aren’t a lot of steps in place to protect organizations from a hijacked DNS server or its clients.

“Attackers are focused on ROI [return on investment] and attacking a DNS server could be a great way to have a large impact with little effort,” he said. 

Brian Prince is a Contributing Writer for SecurityWeek.


High Demand Pushes Average Cyber Security Salary Over $93,000

Posted on March 12, 2014 by in Security

Despite concerns over unemployment and the challenging job market, the IT job market has been fairly healthy, and demand for cyber-security professionals remained high in 2013, according to a new jobs study.

The number of job postings for cyber-security positions grew twice as fast as the number for overall IT job postings in 2013, Burning Glass Technologies found in its latest installment of the Job Market Intelligence report. There were 209,749 national postings for cyber-security jobs in 2013, and the average salary for a cyber-security posting was $93,028, according to the report, which is compiled by reviewing job postings across 32,000 online sites daily. In comparison, the average salary for all IT job postings was $77,642.

“These postings are growing twice as fast as IT jobs overall, and now represent 10 percent of all IT job postings,” the report said.

When considered against the backdrop of the increased number of data breaches, distributed denial-of-service attacks, online fraud, and cyber-espionage being reported each day, it’s no surprise the cyber-security job market is booming. Over 17 major retailers and financial institutions were targeted in 2013 alone, and according to the FBI, nearly 300,000 cyber-crimes were reported in the past year, resulting in losses of over $525 million.

Security is no longer restricted to just technology companies or financial institutions, as retailers such as Target and organizations in charge of critical infrastructure such as the electric grid grapple with skilled adversaries who take advantage of holes in the network defenses to cause damage. “If you have sensitive data, you are a security company,” David Lindsay, a senior product manager at Coverity, said in an earlier interview.

Burning Glass released the report last week, hours after the Labor Department reported the U.S. economy added 175,000 jobs in February. The Labor Department said the biggest growth nationwide was in the professional services sector, which includes technology jobs. According to the Burning Glass report, 38 percent of those technology jobs are cyber-security positions. Manufacturing, defense, finance, insurance, and health care sectors also had high demand for cyber-security jobs, Burning Glass found.

While there are many jobs, Burning Glass said they are concentrated in three major hubs: Washington, D.C., New York, and the San Francisco Bay Area. The Washington, D.C. metropolitan area had the most cybersecurity job postings in 2013, with more than 23,000 listings, followed by New York City with just over 15,000, Burning Glass said in its report. The San Francisco-San Jose corridor, which includes Silicon Valley, had more than 12,000 listings. Chicago and Dallas rounded out the top 5.

The demand for skilled cyber-security professionals in the federal government and at the contracting firms that work on government contracts explains the high numbers for the D.C. area. In a state-by-state analysis, Burning Glass found that Virginia ranked second in the number of cybersecurity job listings, and Maryland ranked sixth. As would be expected considering its concentration of technology companies, California ranked first in the number of open jobs.

The report highlighted the oft-discussed skills gap, as well. The demand is there for cyber-security professionals, but cyber-security jobs took 24 percent longer—45 days as opposed to 36 days for other IT jobs—to fill, Burning Glass found. Cyber-security jobs also took 36 percent longer than all job postings.

“The demand for cybersecurity talent appears to be outstripping supply,” said Matt Sigelman, CEO of Burning Glass.

One reason for the gap may be that employers are looking for significant educational background and experience, with two-thirds of postings requiring at least four years of experience and 84 percent looking for applicants with at least a bachelor’s degree. About half of all cyber-security positions requested at least one professional certification, such as Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), CompTIA Security+, and Certified Information Security Manager (CISM).

Sigelman noted that 50,000 job postings in 2013 required applicants to have the Certified Information Systems Security Professional (CISSP) credential, but there were only 60,000 such certified professionals at the moment. And considering that CISSP requires four years of full-time cyber-security experience, it’s not possible to “fast track” professionals to meet the demand.

“This is a huge gap between supply and demand,” Sigelman said.

The difficulty in finding cyber-security professionals to fill positions was part of the conversation at last month’s RSA Conference in San Francisco, as well.

Andy Ellis, CSO of Akamai, noted on the security gaps panel that the problem wasn’t a dearth of skilled individuals, but rather that “We’re writing job descriptions that are unrealistic.” The panel emphasized that cyber-security professionals need to be able to communicate with business stakeholders and be able to show how security affects the business bottom line.

With the jobs market booming for cyber-security professionals, it seems there are plenty of opportunities for them to show off what they can do.

Related: Report Shows Extreme Demand for Skilled Security Professionals

Fahmida Y. Rashid is a contributing writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.
