Vulnerabilities / Threats
2/23/2011
05:29 PM
Connect Directly
RSS
E-Mail
50%
50%

Schwartz On Security: Security Pros' Top 2011 Threats

While application vulnerabilities and mobile devices lead the list, perhaps it's also time to tackle security's impact on productivity.

What are the top security threats facing businesses today? Finding answers to that question is essential for helping CIOs and CSOs best direct their security teams' resources -- eternally scarce time and money -- toward addressing the biggest risks facing their business.

Start with application vulnerabilities and mobile devices. That's according to a recent survey conducted by Frost & Sullivan and sponsored by the International Information Systems Security Certification Consortium, aka (ISC)2.

In the survey, 10,413 information security professionals shared their top threat concerns: application vulnerabilities (cited by 73%), mobile devices (66%), viruses and worms (65%), internal employees (63%), hackers (55%), and contractors (45%). Other concerns include cyber terrorism (44%), cloud-based services (43%), and organized crime (38%).

Interestingly, based on current mobile technology spending levels -- as well as the widespread use of related security policies -- the Frost & Sullivan report said that "mobile security could be the single most dangerous threat to organizations for the foreseeable future."

Thankfully, many organizations are addressing these mobile security concerns. Already, 70% of organizations have policies and technologies in place for securing mobile devices. Many organizations also employ mobile security tools, including data encryption (at 71% of organizations), network access control (59%), mobile VPN (52%), mobile device management (43%), remote lock-and-wipe capabilities (42%), and mobile anti-malware (28%).

Given all of the chatter over the rise of Facebook as an attack vector, what about social networks? While this threat would generally fall under the third or fourth concerns -- viruses and worms, or internal employees -- security professionals don't seem to fear Facebook as much as smartphones. Indeed, according to the Frost & Sullivan survey, 28% of organizations set no limits on accessing or using social networks from the workplace. While 60% of organizations do use content filtering and Web site blocking, only 44% set and enforce social networking usage policies.

But IT administrators and even information security professionals might also need to begin counting themselves as a security risk, according to a new study from market researcher Harris Interactive, sponsored by IT software management vendor Quest Software. Harris Interactive surveyed 1,000 U.S. employees and 500 IT decision-makers and found that 10% of employees report that they can still access systems at their previous employers.

Password security is likewise poor even for current employees. Notably, half of employees say they've shared corporate log-in credentials and even passwords with their co-workers. Hence, it's little surprise that former employees still have access to usernames and passwords that work.

The study's findings reaffirm the simple fact that most people don't take passwords seriously, according to Tim Cole, co-founder of market research firm KuppingerCole. "[The] BBC famously sent a camera team out to interview folks on the streets on London, asking them to reveal their user names and passwords and offering them a ham sandwich in return. More than half complied," he reported in a blog post.

Truly, passwords can be a drag. About 25% of survey respondents said they spend more than 30 minutes per day simply logging into various applications, databases, and other systems required to do their job. "That's two and a half hours every week, ten hours a month, 120 hours a year," said Cole. "Most CxOs could care less or are unaware of the problem. How much is that costing them? Do the math!"

It's no secret that when people must manage too many passwords, they resort to workarounds that make a mockery of securing systems with passwords. "Quest didn't actually ask if people write their passwords on Post-it notes and stick them on their computer screens, but anybody who has ever walked through a large office has seen these 'stickies of shame.' People just don't like to talk about it," said Cole.

The solution to this security threat, he said, comes in two forms: greater use of identity and access management (IAM) tools for front-line employees, as well as privileged access management tools that can both secure and audit all administrator-level access to systems. One of the biggest upsides to both technologies is that it helps employees be more productive. And if that helps sell security, overhaul ineffective password practices, and knock organizations' top threats down a few notches, perhaps more businesses should buy in.

SEE ALSO:

Schwartz On Security: Unraveling Night Dragon Attacks

Schwartz On Security: The Right To Social Networks

Schwartz On Security: Slouching Toward Smartphone, Apple Armageddon

Schwartz on Security: Bling Botnets Sell Gangster Lifestyle

Schwartz On Security: Hack My Ride

See all stories by Mathew J. Schwartz

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.