IT has been helping the business make connections with
partners via portals and Web applications, but it has been
punching holes in the network in the process. Insecure legacy
systems that weren’t made to be online are now fully connected,
giving more individuals than ever access to critical data. On top
of that, users have been increasingly utilizing mobile devices,
transporting data outside company walls. All this contributes to
heightened threats that can’t be addressed by traditional signature-based anti-virus software and old-guard firewalls.
“The whole perception about security is changing, as managers realize that they are letting more people come into their
organization and onto their network to access their
systems,” says Deven Bhatt, director of corporate
security for Airlines Reporting Corp. (ARC). “They
are partnering with more and more people and are
connected with everyone. And because of that,
they must have information-centric security.”
Bhatt is right: There is a growing awareness of
a new generation of risks. In our survey, we asked
security insiders what the two greatest internal
threats to security are. Thirty-three percent said
internal user ignorance of privacy regulations, and
21 percent said internal user theft of data.
They were also concerned about the loss and
theft of tech devices. Thirty-one percent put theft
of laptops and mobile devices in their top list of
worries, and 17 percent added theft and loss of portable media.
The problem is that the knowledge of these risks has not
resulted in corresponding actions designed to mitigate them.
When we asked survey participants which five security technologies accounted for the highest share of their total security
investment, the resounding leaders weren’t technologies that
prevented insider theft or accidental data loss. They were—you
guessed it—firewalls and anti-virus software. Approximately
59 percent reported firewalls in their top five security expenses,
and 48 percent put anti-virus in that pool. Also high on the
list was e-mail security, including anti-spam technology, which
36 percent of survey respondents placed in their top five.
The gap between the security spend and today’s risks
was distressing, if not particularly surprising, to the security
experts we informed about the survey results.
“For most organizations—even some of the larger Fortune
1000 companies we work with—security spending is not even
close to being in line with the risks and threats they are trying
to address,” says Adam Muntner, co-founder of QuietMove, a
security consultancy in Scottsdale, Ariz. As a security assessor
and penetration tester, he sees plenty of companies relying on
older network-centric technologies as their only protection. In
some cases, they aren’t even up to date with the technologies
offered by this network-based security approach.
“We’re working with a hospital system that has a lot of patient
and research data,” Muntner says. “They have firewalls and anti-virus
software, but they’ve never had an internal
vulnerability management program. They don’t
even have an automated vulnerability scanner.
“We convinced them of the value of having one,
and they’re getting ready to put one in, but this situation
is so common. In this case, they had to go to their
CIO and spend a month making the case about why
it was important. The thing that finally convinced
the CIO was that all the other hospitals in the state
are using an automated vulnerability scanner.”
Organizations such as these are ripe for attacks
and slip-ups if they aren’t dedicating enough of
their budget to a broader range of technologies.
For example, companies that focus on anti-virus
and firewall technologies without putting enough
money into encryption risk high-profile data breaches through
lost laptops or other mobile devices.
“It shocks me when I learn somebody’s laptop was stolen
or hard drive was lost,” says ARC’s Bhatt. “Didn’t we have the
Veteran’s Administration incident two years ago? How can somebody still not be encrypting the sensitive data on their devices?”
The holes left open by these perimeter-type technologies
are endless. Without proper monitoring and policy enforcement, trusted insiders can easily access or steal data. Hackers
can overwhelm the signature-based technologies most anti-virus vendors rely on, and they can get around firewalls by
attacking the application layer and vulnerabilities left open by
dodgy patch- and configuration-management practices. Cyber-criminals also find ways to sign on as trusted users due to lax
authentication management.
[Chart: TECHNOLOGIES USED MOST OFTEN TO IMPROVE IT SECURITY. Series: Currently Using; Having Highest Share of IT Investment. Categories: Firewalls; Anti-virus software; Anti-spyware software 21%; E-mail security 36%; SSL virtual private networks; Wireless security; Intrusion detection/prevention software; Web filtering; Web access control; Encryption for transmitting data & documents; Patch management; Encryption for storing data & documents; Security auditing; Database security (monitoring, encryption); IPsec virtual private networks; Configuration management.]
[Chart: IT SECURITY ATTACKS COMPANIES VIEW AS GREATEST CURRENT THREATS. Categories: Spam e-mail attacks; Hacking of company Web sites; Distributed denial-of-service attacks; Zero-day exploits of software vulnerabilities; Attacks via botnets/Zombie PCs; Wireless attacks; Automated/scripted attacks; Encryption attacks 8%; Illegal domain hijacking 5%; BGP attacks 2%; Other types of attack 3%.]