Risk
5/29/2008
10:01 AM
Keith Ferrell
Commentary

Secure Computing Tells Where Your Biggest Insecurity Is: Inside Your Company, That's Where!

What are IT security professionals most scared of? Their companies' own employees, that's what.

According to a new Secure Computing survey of IT directors, the biggest problem they face lies inside their own organizations. The survey took place at a European conference, but I'd wager the concern levels are about the same here -- be nice if Secure Computing would do a comparison survey.

Of the 103 IT pros surveyed, more than 80 percent said that deliberate internal data theft and inadvertent employee-caused data leaks were their largest worries.

Hackers placed low on the list of big headaches -- less than 20 percent -- while e-mail is the IT department's prime technology of concern.

That last will be worth watching -- the survey respondents listed a variety of Web 2.0 security worries (viruses, spam, data leaks). If 2.0 concerns move to the top of the list, look for browsers to move past e-mail in the top app-worry spot.

As far as insider threats, my guess is that one will remain at the top of top threat-concerns, particularly as employees -- not just IT employees -- become more confident (whether it's justified or not) that they "know" what they're doing with keyboard and mouse, creating a perfect storm potential for inadvertent data leaks.

On the deliberate side, as employees become equipped with better and more powerful personal technology that can be used to grab data, look for endpoint vulnerabilities to become the increasingly dominant worry-spot.

Fortunately, most small and midsize businesses a) have a better sense of all of their employees' nature, skills and potential (good and bad) and b) can more easily put into place the policies and practices that limit the risks of employee data-leak mistakes and train sharp eyes (digital and otherwise) on potential employee data-crimes.

For bMighty's take on handling insider threats look here.
