Month: April 2016

The National Shortage of Cyber Security Professionals

The sophistication of the techniques and tactics employed by cyber criminals has risen to the point where the U.S. government and private industry must participate in a cyber “arms race” in order to protect their assets from malefactors. This arms race requires the talents of thousands of cyber security professionals to keep national information assets safe. Unfortunately, there is a dearth of talent available in the marketplace to meet this demand. As a result of this shortage, national cyber-defense capabilities are not growing fast enough to keep pace with both the number and the sophistication of attacks on the United States’ strategic information assets. In addition, current security professionals are feeling stressed by staff shortages, which can also lead to a drop in security effectiveness.

The Center for Strategic and International Studies (CSIS) is a bipartisan think tank headquartered in Washington, D.C. that focuses on defense and security policy. In its report titled “A Human Capital Crisis in Cyber Security”, it highlights a “desperate shortage” of people with the skills to “design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts” (Evans & Reeder, 2013, pg. 4). Furthermore, according to the CIA’s Clandestine Information Technology Office, there are currently one thousand security specialists in the United States who have the specialized skills to operate effectively in cyberspace; however, the United States needs about ten to thirty thousand such individuals (Evans & Reeder, 2013).

Competent cyber security specialists are needed on two fronts. The first front deals with operating and maintaining the defense systems and tools that are already in place. The second front pertains to the need for creators and designers who establish new solutions that prevent, detect and mitigate attacks. With respect to cyber professionals who can contribute on either of these fronts, organizations wrestle with the questions “Where do we recruit these individuals, and how do we retain them?” The Executive Branch has formulated a “Comprehensive National Cybersecurity Initiative”, one of whose aims is to expand cyber education. The initiative states, “we must develop a technologically-skilled and cyber-savvy workforce and an effective pipeline of future employees. It will take a national strategy, similar to the effort to upgrade science and mathematics education in the 1950’s, to meet this challenge” (National Security Council, 2013, pg. 4).

CSIS also offers four elements of a strategy that aims to fill the cyber talent pipeline. These elements are paraphrased and listed below as offered by Evans & Reeder (2013, pg. 3):

  • Promote and fund the development of more rigorous curricula in our schools:
    • Several U.S. colleges, funded under the Scholarship for Service program, have been graduating security experts with advanced technical skills. The Scholarship for Service program is offered by the National Science Foundation and provides scholarships to students in cyber security under the condition that they work for the government for a period equal to the duration of the scholarship. Unfortunately, the total number of new graduates with very deep technical skills is around 200 per year.
  • Support the development and adoption of technically rigorous professional certifications that include a tough educational component and a monitored practical component:
    • Emphasize hard technical skills. Do not rely solely on written examinations as an indicator of competence.
  • Use a combination of the hiring process, the acquisition process, and training resources to raise the level of technical competence of those who build, operate, and defend governmental systems:
    • Ensure that those who are hired have the necessary skill sets to be effective. Help those that are currently employed in the security field obtain the necessary knowledge and credentials.
  • Assure there is a career path as with other disciplines, like engineering or medicine, and reward and retain those with high-level technical skills, both in the civilian workforce and in the uniformed services.

Recruiting cyber professionals with highly in-demand skills and certifications also brings special considerations and challenges. Competition for this talent creates a bidding war that may prove costly to companies. The bureaucracies and resistance-to-change mentalities of typical corporations need to be adjusted to accommodate the higher-than-average compensation that in-demand cyber security professionals expect. The same organizational bureaucracy presents a challenge when trying to on-board candidates quickly. Federal agencies are known for long hiring processes, as individuals wait to pass security clearances. Individuals in high demand can often take a position at another, more efficient organization during a protracted wait.

In addition, true superstars may have limited credentials to demonstrate their expertise, being self-taught hackers. Other “reformed” players from cyber security’s “dark side” may be the best prospects (Barr, 2012, pg. 3).

References:

Barr, J. G. (2012, November). Recruiting Cyber Security Professionals. Faulkner Information Services.

Evans, K., & Reeder, F. (2013). A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters. A report of the CSIS Commission on Cybersecurity for the 44th Presidency. Retrieved April 15, 2013, from http://csis.org/files/publication/101111_Evans_HumanCapital_Web.pdf

National Security Council. (2013). The Comprehensive National Cybersecurity Initiative. Retrieved April 15, 2013, from http://www.whitehouse.gov/sites/default/files/cybersecurity.pdf

Image courtesy of cjgphotography / 123RF Stock Photo

The Need For Speed: Improve SQL Query Performance with Indexing

This article is also published on LinkedIn.

How many times have you executed a SQL query against a million plus row table and then engaged in a protracted waiting game for your results? Unfortunately, a poor database table indexing strategy can counteract the gains of the best hardware and server architectures. The positive impact that strategically applied indexes can provide to query performance should not be ignored just because one isn’t wearing a DBA hat. “You can obtain the greatest improvement in database application performance by looking first at the area of data access, including logical/physical database design, query design, and index design” (Fritchey, 2014). Understanding the basics of index application should not be eschewed and treated as an esoteric art best left to DBAs.

Make use of the Covering Index

It is important that regularly used, resource-intensive queries be supported by “covering indexes”. The aim of a covering index is to “cover” the query by including every column that is referenced in the SELECT list or the WHERE clause. Babbar, Bjeletich, Mackman, Meier and Vasireddy (2004) state, “The index ‘covers’ the query, and can completely service the query without going to the base data. This is in effect a materialized view of the query. The covering index performs well because the data is in one place and in the required order.” The benefit of a properly constructed covering index is clear: the RDBMS can find all the columns it needs in the index without referring back to the base table, which drastically improves performance. Kriegel (2011) asserts, “Not all indices are created equal — If the column for which you’ve created an index is not part of your search criteria, the index will be useless at best and detrimental at worst.”
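As an added, runnable illustration of the covering-index point above (and of the conclusion's warning about `SELECT *`), the following script is not from the article: it builds a constructed `orders` table in SQLite and asks `EXPLAIN QUERY PLAN` how each query will be served. SQL Server declares the extra columns of a covering index with an `INCLUDE` clause, whereas SQLite simply lists them in the index key; the planner behaviour being demonstrated is the same.

```python
import sqlite3

# Constructed sample schema (assumed for this example): orders looked up by customer.
SCHEMA = """
CREATE TABLE orders (
    order_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL,
    order_total REAL    NOT NULL,
    notes       TEXT
);
"""
SAMPLE_ROWS = [(1, 42, 19.99, "first"), (2, 42, 5.25, None), (3, 7, 100.0, "bulk")]

NARROW = "SELECT order_total FROM orders WHERE customer_id = ?"  # every column is in the index
WIDE = "SELECT * FROM orders WHERE customer_id = ?"               # 'notes' lives only in the base table

def build_db():
    """In-memory database with a few constructed rows and no secondary index yet."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def query_plan(conn, sql, params=()):
    """Join the 'detail' column of EXPLAIN QUERY PLAN output into one string."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return " | ".join(row[3] for row in rows)

def access_method(conn, sql, params=()):
    """Classify the plan: 'covering' (index alone), 'index' (index + base-table lookup) or 'scan'."""
    plan = query_plan(conn, sql, params)
    if "COVERING INDEX" in plan:
        return "covering"
    if "USING INDEX" in plan:
        return "index"
    return "scan"

def demo():
    """Return the access method before indexing, for the covered query, and for SELECT *."""
    conn = build_db()
    before = access_method(conn, NARROW, (42,))  # no usable index: full table scan
    # The key holds both the search column and the selected column, so it 'covers' NARROW.
    conn.execute("CREATE INDEX ix_orders_customer_total ON orders (customer_id, order_total)")
    covered = access_method(conn, NARROW, (42,))
    star = access_method(conn, WIDE, (42,))  # same index, but SELECT * forces a base-table lookup
    return before, covered, star  # -> ('scan', 'covering', 'index')
```

Print `query_plan(...)` for each case to see the raw planner text (`SCAN`, `USING COVERING INDEX`, `USING INDEX`) behind the classification.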

Apply a Clustered Index

More often than not, a table should have a clustered index applied so as to avoid expensive table scans by the query optimizer. It is advisable to create one clustered index per table preferably on the PRIMARY KEY column. In theory, since the primary key is the unique identifier for a row, query writers will employ the primary key in order to aid with record search performance.

“When no clustered index is present to establish a storage order for the data, the storage engine will simply read through the entire table to find what it needs. A table without a clustered index is called a heap table. A heap is just an unordered stack of data with a row identifier as a pointer to the storage location. This data is not ordered or searchable except by walking through the data, row by row, in a process called a scan” (Fritchey, 2014).

However, the caveat to applying a clustered index to a transactional table is that the rows must be kept in key order, so every INSERT, and every UPDATE that changes the key, can add substantial overhead to those operations. Dimensional or static tables that are accessed only for join purposes are optimal candidates for this indexing strategy.

Apply a Non-Clustered Index

Another consideration in regard to SQL performance tuning is to apply non-clustered indexes on foreign keys within frequently accessed tables. Babbar et al. (2004) advise, “Be sure to create an index on any foreign key. Because foreign keys are used in joins, foreign keys almost always benefit from having an index.”

Indexing is an Art not a Science

Always remember that indexing is considered an art and not a science. Diverse real-world scenarios often call for different indexing strategies. In some instances, indexing a table may not be required at all. If a table is small (measured in data pages), a full table scan will be more efficient than reading an index and then accessing the base table to locate the rest of the row data.

Conclusion

One of the biggest detriments to SQL query performance is an insufficient indexing strategy. On one hand, under-indexing can cause queries to run longer than necessary because of the costly table scans required against unordered heaps. On the other hand, this must be balanced against the tendency to over-index, which negatively impacts insert and update performance.

When possible, SQL practitioners and DBAs should collaborate to understand query performance as a whole, especially in a production environment. DBAs left to their own devices may create indexes without any knowledge of the queries that will use them, and this uncoordinated approach can render indexes inefficient on arrival. Equally, SQL practitioners need a basic understanding of indexing as well. Placing “SELECT *” in every SQL query negates the effectiveness of covering indexes and adds processing overhead compared with listing only the subset of columns actually needed.

Even if you do not have administrative access to the tables that constitute your queries, approaching your DBA with a basic understanding of indexing strategies will lead to a more effective conversation.

References

Babbar, A., Bjeletich, S., Mackman, A., Meier, J., & Vasireddy, S. (2004, May). Improving .NET Application Performance and Scalability. Retrieved from https://msdn.microsoft.com/en-us/library/ff647793.aspx

Fritchey, G. (2014). SQL Server Query Performance Tuning (4th ed.).

Kriegel, A. (2011). Discovering SQL: A Hands-On Guide for Beginners.