How do we develop the next generation of Cyber Specialists?

NCC have put up an interesting blog post on the challenge of developing the next generation of consultants (https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/january/developing-the-next-generation-of-cyber-risk-consultants/).

NCC’s experience goes to show how much creativity businesses are willing to commit to the task.

It’s widely recognised that the cyber security industry has some of the most critical talent shortages at the moment, and innovative thinking is needed to try to repair the shortfall of consultants available for hire.

The first challenge is the scarcity of resource. The typical headline is that there are many more vacancies than applicants. This is where most media outlets and magazine reviews end their scrutiny, but underneath this there are some structural topics worthy of further thought.

The most significant is what I would call the “experience levels” problem. The cyber security industry has inherited its pool of candidates from the Information Assurance and Information Security fields (setting aside the debate over whether cyber security = information security), which were established for some time before cyber security was driven up in priority in the recent decade. This has given the field a large number of highly-experienced professionals, now at the pinnacle of their careers, whose succession has to be planned for by organisations. These are the kinds of specialists who have a seemingly infinite understanding of the field, can effortlessly navigate complex waters, and provide the backbone of corporate cyber security programmes. The result is a high number of experienced practitioners, but very few (hardly any) mid-career experts, and until recently hardly any early-career entrants. Inevitably, this will lead to a further challenge in the coming decade as a number of highly experienced practitioners retire from the profession or are promoted up to CISO roles to focus on strategy.

The second problem is building the “pipeline of talent”. Building the pipeline of talent has been the societal and industrial response to the perceived staffing challenges in the profession. Most approaches are focused almost exclusively on the development of cyber security degree programmes in universities, and indeed universities have turbo-charged their efforts there. These efforts are helpful, and the numbers look good on paper. But they will not deliver the transformational change needed by the sector, for the very reason that, in terms of experience, they will simply address the shortfall in early-career professionals but will not address the mid-career experience shortfall or the pending highly-experienced vacuum.

What this means, broadly, in terms of the three experience levels is something like this:

  • Early-career professionals are growing in number, due to training initiatives in universities. This is good, and to be applauded. But early-career professionals need mid-career managers and team leaders to direct their efforts. Despite the intense coverage in media and press, this is really Priority #3: the solution is already being addressed and managed.
  • Mid-career professionals remain incredibly scarce. These practitioners are looked on to lead teams and occupy mid-level management roles, and use their years of experience to provide a sensible and measured contribution to management activities. It will be a decade or more before the growth at the early-career level begins to expand the field of candidates for these roles, and this remains an acute problem for employers. This is therefore Priority #1.
  • Highly-experienced, late-career professionals are in the market, but the pool of candidates is dropping drastically. In 5-10 years’ time, this will become something of a predicament for the domain, as cyber threats continue to expand in number and sophistication. The loss of knowledge will be a particular difficulty to overcome. This is Priority #2, and will become Priority #1 in the next decade.

It appears to me, based on this relatively simple breakdown, that the talent challenges for the field will not be overcome for two to three decades. Within the next 5-10 years we will see the impact of losing highly-experienced leaders.

Of course, companies have not stayed still, and in practice what has happened in many is that cyber security vacancies have been staffed by personnel switching from other, related areas. This is a form of solution, but the lack of a systematic, naturally-progressing career path will inevitably lead to some challenges further down the line. This is perhaps where initiatives like NCC’s have a lot of merit.

There are lots of other challenges to consider as well, reflected in the broader computing field. The lack of interest in STEM subjects at university has been a particular problem for many decades now. This has probably fuelled the interest in cyber-security specific degree programmes at universities, which integrate non-STEM content into a STEM core, which is obviously more appealing than a pure-STEM degree.

In some ways cyber-security programmes have side-stepped the problem. But promoting interest in STEM careers remains challenging, and this underlying difficulty will complicate the development of talent in cyber security for decades to come. Diversity is also a goal that many in STEM and general engineering have advocated, for example promoting technical and engineering careers for women. This is yet another challenge within the broader computing field that will complicate the development of the profession.

Efforts by companies to develop and share their structured programmes, like NCC’s, will help navigate this incredibly complicated landscape. To me there does not appear to be a single, straightforward solution, but by sharing and communicating efforts, progress will be made.

This and other internal efforts in companies underline the need for substantial training budgets within cyber security teams and functions. This is perhaps the most tangible step businesses can take at the moment, and will be a key determinant for applicants when choosing among what are likely to be multiple competing opportunities.

Maximising your password vault security

Following on from my previous post, here are my tips for making the best use of a password vault on your PC:

  • If your vault has a password generator, use it on all future passwords and over time replace as many existing passwords as possible
  • Use a strong password for any vault Internet accounts
  • Use a different and highly secure password for local vault encryption
  • Learn all the features in the tool and how to make use of them
  • Install the vault on all frequently used devices

Finally, always use two factor authentication on critical accounts even if they are managed by the vault. At a minimum ensure a second factor is used on all email accounts.

The caveat for all of the above is do so only if it meets your requirements and risk assessment. Security is not a continuum of improvement, but a scale whose tipping point is usability.

What makes a good password vault?

Password vaults are very helpful additions to a desktop environment, particularly for personal use. They can provide secure storage of passwords, synchronisation across multiple devices, and a myriad of other features.

What are we trying to achieve when using a vault? What are the critical high level objectives?

  • Reducing password reuse
  • Promoting regular password change
  • Increasing password complexity (by using machine generated passwords)
  • Enhancing secure storage of passwords
  • Facilitating “digital legacy”

But capabilities can vary, so what features are good to look out for in personal password managers? Here are some:

  • Automated form filling, ideally on user prompt
  • Two-factor authentication for the vault access account, to allow download of the password vault (without decryption of the vault)
  • Encryption of the password vault using a local password (that is not shared with the vault host) (an important subtlety that should not be overlooked – host authentication combined with local encryption and decryption is a significant security enhancement)
  • Browser import, to take logins from browsers and store them securely (ideally removing them from browser password stores)
  • Secure sharing with other recipients
  • Password generation, including a variety of configurable parameters such as length, complexity, etc.
  • Copy and paste features to allow passwords to be copied to the clipboard
  • Browser plugins to integrate directly with the password vault and minimise use of the clipboard as much as possible
  • Synchronisation of a password vault across devices
  • Free text storage of secrets in the password vault, for instance challenge response sentences or codes
  • Digital legacy – the ability to share credentials with another person in the event you become incapacitated or unable to use your logins
  • Automatic review of passwords for strength and quality, with advisories as appropriate
  • Finally, and importantly, a broad range of browser support, including all mainstream browsers and also mobile apps
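The local-encryption subtlety in the list above (host authentication separate from local decryption) is easiest to see in code. This is an added example of my own, not any product's design: one master password is stretched with scrypt, then split into two independent subkeys, one presented to the host to authorise a vault download and one that never leaves the device and would feed the vault cipher. The host stores only a hash of the authentication subkey, so a copy of everything the host holds still does not decrypt the vault. The scrypt parameters and the subkey labels are assumptions.

```python
import hashlib
import hmac
import os


def derive_master_key(master_password: str, salt: bytes) -> bytes:
    """Memory-hard KDF so offline guessing against a copied vault is slow.

    Parameters (n, r, p) are assumed here, not taken from any product.
    """
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)


def subkey(master_key: bytes, label: bytes) -> bytes:
    """HKDF-style expansion: different labels give independent 256-bit keys."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def client_keys(master_password: str, salt: bytes):
    """What the client derives: (auth_key sent to host, enc_key kept local)."""
    mk = derive_master_key(master_password, salt)
    auth_key = subkey(mk, b"vault-host-authentication")
    enc_key = subkey(mk, b"vault-local-encryption")  # would drive an AEAD such as AES-GCM
    return auth_key, enc_key


def enrol(master_password: str):
    """Enrolment: the host receives the salt and a verifier, never enc_key."""
    salt = os.urandom(16)
    auth_key, _ = client_keys(master_password, salt)
    verifier = hashlib.sha256(auth_key).hexdigest()  # host-side record
    return {"salt": salt, "verifier": verifier}


def host_authenticate(record: dict, presented_auth_key: bytes) -> bool:
    """Host check before releasing the encrypted vault blob for download."""
    digest = hashlib.sha256(presented_auth_key).hexdigest()
    return hmac.compare_digest(record["verifier"], digest)


if __name__ == "__main__":
    record = enrol("correct horse battery staple")  # constructed sample password
    auth_key, enc_key = client_keys("correct horse battery staple", record["salt"])
    print("download allowed:", host_authenticate(record, auth_key))
    print("host could decrypt with what it stores:", enc_key.hex() in record.values())
```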

The primary benefits of using a password vault include:

  • Reducing the potential for passwords to be stored insecurely
  • Removing the risk of data loss (and therefore loss of passwords) through the use of Cloud synchronisation (also a weakness)
  • Allowing highly complex passwords to be used, minimising simple password use
  • Minimising password reuse across accounts
  • Secure storage of passwords using local encryption, minimising some but not all risks of Cloud vault storage
  • Storage of related authentication data, such as secrets and challenge response codes
  • A reduction in the use of password reset procedures, possibly maintaining the use of more secure (and cumbersome) reset methods
  • The ability for others to use your passwords when you cannot
  • Automatic review of passwords for strength and quality, ensuring you are able to maintain the strongest password posture and minimising the attack surface

Password vaults present risks and issues at the same time:

  • In my mind, the primary risk is encountered when losing a password for the vault, which usually leads to the password vault becoming inaccessible. This is a risk to availability. The solution is to maintain a hard copy of the password in an appropriately secure location, such as a safe.
  • A lesser risk, reduced with local vault encryption, is potentially greater exposure to duplication of a vault store by an attacker due to Internet vault storage vulnerabilities. This could come about through authentication weaknesses surrounding the vault, or other means such as side channel attacks. This of course is the flip side of vault sync capability. Ideally the vault store will be encrypted with a second layer as described above, but limiting access is obviously a desirable control to put in place as much as possible. Some vaults allow for local operation only, which could be a sensible step.
  • A Single Point of Failure (SPOF) by centralising credentials into a password vault. Here is the tradeoff with convenience. A potential mitigation is to regularly duplicate the vault and store with the password backup as above.

In many personal password vault services, the security of the vault will effectively rest in a single password. This becomes more and more crucial, as the vault is increasingly used to store new credentials. Most users are unaware of just how critical the vault password will be.

Regardless of whether the vault is locally encrypted or not, always use two-factor authentication on critical accounts contained in the vault. This will go some way to mitigating Cloud risk.

Things I don’t consider a critical feature of a password vault include VPNs, file storage, and dark web credential compromise scanning. These are undeniably useful features, but may be better addressed using separate complementary desktop security products.

I’ve intentionally not covered true enterprise password vaults much in this post, for which there are several well-known vendors, solutions and use cases.

Overall, password vaults are highly recommended in the present Internet environment, and with some experience they can turn into a powerful way of improving your digital security, minimising the risks of hacking and identity theft.

Passwords are not a particularly elegant authentication method. They have long been criticised, but we have unfortunately not seen the critical mass needed behind federated identity, or as yet unspecified distributed standards, to really halt their use.

Part of the challenge there is technical, such as drawbacks with frameworks such as OAuth, but also in terms of good options for Identity Providers—the usual crowd such as Google and Twitter maybe not being the best options long term.