Security Problems with the Web

There are not many sets of ubiquitous shortcomings that affect all web users equally. Universal shortcomings that at affect all or most equally are the problems that get fixed first. If not, it may be that the security risk associated is deemed acceptable.
 
Further one organization may benefit from a security hole that harms another.  Activities that benefit from security exceptions are not just criminal organizations.  Journalists, whistle-blowers, and democratic movements benefit from security holes.  The diversity of security scenarios underscores the problem of cyber security and why so many cyber security problems exist.  The variety of security contexts, situations, needs, and configurations points to the most significant security concern with the web: a lack of talented, trained IT security professionals.
 
From Root9B Technologies CEO and former UBS Paine Webber chairman Joe Grano: “If you were to ask and answer the following question: ‘What do JPMorgan Chase, Home Depot, Target, Sony, IRS all have in common?’ It’s not that they just got hacked. It’s that despite spending $1 billion on their firewalls, they were exploited. So what it says is, as a country, we have to take a whole new level of protection.” (Wisner 2016) It is Grano's contention that the root problem is a lack of training. Again Grano, "The challenge is we have to train our CSOs and our CTOs, they’ve never been trained in cyber. They’re very, very talented people, you know, creating a network, give me a process to transact transactions – now they have to be trained in cyber."(Wisner 2016)
 
Many authors have proposed that ordinary users are the biggest security concern.  While they are a concern, I think technical leadership is the larger issue since professional leaders are building the systems that expose ordinary people.  IT too often deploys technical capabilities first, then secures them as threats are developed by opportunists looking to capitalize on the data and capabilities that may have been accidentally exposed. 
 
Professional security staff is not ready to handle the threats that are evolving, while at the same time they are increasing the available attack surface! From MacAfee: "Over time, what we call perimeter inversion or outside-in happens: Applications and devices that were once directed primarily to the corporate network and data center are now directed primarily to the Internet and cloud, with the data center hosting limited processing and storage only for core intellectual property." (mcafee.com et al. 2016)

McAfee also points out that cyber-threats are advancing.  Nation states and organized crime are advancing the threat by bringing sophistication by having the resources to develop sophisticated threats (mcafee.com et al. 2016).  It is against this backdrop that new security professional finds themselves requiring a multitude of skills to combat a diverse, sophisticated cyber-threat landscape.  Here are a few of the web threats McAfee identifies for 2016:

Cloud computing.  Most tend to worry about the security of the cloud provider itself.  However few tend to think about the resources it gives to the cyber attacker.  From McAffee: "Cloud computing will also provide tremendous resources to criminals in the form of computing and storage capacity, plus the ability to appear and disappear at the click of a mouse. Law enforcement organizations will find it challenging to shut down an entire cloud service provider for the behavior of its criminal clients..." (mcafee.com et al. 2016)
 
Digital exhaust. Digital exhaust is the data we give away purposefully.  Most don't realize the cumulative amount of data leaked by companies, their employees or private users that are harvested without even breaking into to a secured system.  A criminal will combine public information with data from comprised or snooped-on systems to collect identities to sell them. (mcafee.com et al. 2016)
 
Payment systems. Payment systems seem to be an area where the benefits appear to outweigh potential risk, and the risk appears to be acceptable.  Credit companies have endured a system fraught with security holes.  Credit companies have allowed technology to remain relatively static, not advancing to meet the threat.  From McAfee: "We see little innovation in attack methods associated with debit and credit cards. Most attacks approach payment card theft in the same way they have for the past 10 years, by attacking payment mechanisms or the databases containing card data. Once they have obtained the card data, they sell it as quickly as possible and pocket the profit." (mcafee.com et al. 2016). In short, it seems to this author, that credit companies have to this point deemed credit card theft losses to be acceptable since they have not moved to address them seriously as an industry.
 
The are numerous threats to the web.  If we want to consider just a few resources. From Symantec we can see a number of current threats:

• A New Zero-Day Vulnerability Discovered Each Week (symantec.com 2016)
• Vulnerabilities Found in Three Quarters of Websites (symantec.com 2016)
• Ransomware Increased 35 Percent (symantec.com 2016)
• Companies aren’t reporting the full extent breaches (symantec.com 2016)
• Spear-Phishing Campaigns Targeting Employees Increased 55 Percent (symantec.com 2016)

And then there is OWASP:

• Top 10 2013-A2-Broken Authentication and Session Management (owasp.org 2015)
• Top 10 2013-A5-Security Misconfiguration (owasp.org 2013)

And the list goes on.  How can any of these situations be resolved?  Which threat is the most important? The complexity of identifying the most important threat depends on the situation where the threat is realized, and it will be realized differently in almost every situation.  The situation requires talented, trained, sophisticated security professionals.  Is is the contention of the author that the need for trained security professionals and the current lack of supply is the most significant web security problem today. 
 
​Until the need for trained security professionals is recognized, organizations and governments will not invest in developing this talent.  The US federal government has started to recognize the size of the need, but companies are still behind in this issue.  Once the problem is more clearly identified, consortiums can be developed to work together on how to develop this needed talent.
 
References:

Mcafee.com, Antoniewicz, B., Bee, C., Campbell, T., Davis, G., Dooley, C., . . . Macaulay, T. (2016). McAfee Labs 2016 Threats Predictions. Retrieved September 7, 2016, from http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf
 
Jacobs, Stuart (2015-12-01). Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance (IEEE Press Series on Information and Communication Networks Security) (Kindle Locations 7895-7897). Wiley. Kindle Edition.

Owasp.org. (2013, June 23). Top 10 2013-A5-Security Misconfiguration. Retrieved September 08, 2016, from https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration

Owasp.org. (2015, February 3). Top 10 2013-A2-Broken Authentication and Session Management. Retrieved September 08, 2016, from https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management

Symantec.com. (2016). 2016 Internet Security Threat Report. Retrieved September 08, 2016, from https://www.symantec.com/security-center/threat-report

Wisner, M. (2016, September 7). America's Businesses Losing the Battle Against Hackers | Fox Business. Retrieved September 07, 2016, from http://www.foxbusiness.com/features/2016/09/07/americas-businesses-losing-battle-against-hackers.html