Vulnerabilities / Threats
2/23/2011
05:29 PM
Connect Directly
RSS
E-Mail
50%
50%

Schwartz On Security: Security Pros' Top 2011 Threats

While application vulnerabilities and mobile devices lead the list, perhaps it's also time to tackle security's impact on productivity.

What are the top security threats facing businesses today? Finding answers to that question is essential for helping CIOs and CSOs best direct their security teams' resources -- eternally scarce time and money -- toward addressing the biggest risks facing their business.

Start with application vulnerabilities and mobile devices. That's according to a recent survey conducted by Frost & Sullivan and sponsored by the International Information Systems Security Certification Consortium, aka (ISC)2.

In the survey, 10,413 information security professionals shared their top threat concerns: application vulnerabilities (cited by 73%), mobile devices (66%), viruses and worms (65%), internal employees (63%), hackers (55%), and contractors (45%). Other concerns include cyber terrorism (44%), cloud-based services (43%), and organized crime (38%).

Interestingly, based on current mobile technology spending levels -- as well as the widespread use of related security policies -- the Frost & Sullivan report said that "mobile security could be the single most dangerous threat to organizations for the foreseeable future."

Thankfully, many organizations are addressing these mobile security concerns. Already, 70% of organizations have policies and technologies in place for securing mobile devices. Many organizations also employ mobile security tools, including data encryption (at 71% of organizations), network access control (59%), mobile VPN (52%), mobile device management (43%), remote lock-and-wipe capabilities (42%), and mobile anti-malware (28%).

Given all of the chatter over the rise of Facebook as an attack vector, what about social networks? While this threat would generally fall under the third or fourth concerns -- viruses and worms, or internal employees -- security professionals don't seem to fear Facebook as much as smartphones. Indeed, according to the Frost & Sullivan survey, 28% of organizations set no limits on accessing or using social networks from the workplace. While 60% of organizations do use content filtering and Web site blocking, only 44% set and enforce social networking usage policies.

But IT administrators and even information security professionals might also need to begin counting themselves as a security risk, according to a new study from market researcher Harris Interactive, sponsored by IT software management vendor Quest Software. Harris Interactive surveyed 1,000 U.S. employees and 500 IT decision-makers and found that 10% of employees report that they can still access systems at their previous employers.

Password security is likewise poor even for current employees. Notably, half of employees say they've shared corporate log-in credentials and even passwords with their co-workers. Hence, it's little surprise that former employees still have access to usernames and passwords that work.

The study's findings reaffirm the simple fact that most people don't take passwords seriously, according to Tim Cole, co-founder of market research firm KuppingerCole. "[The] BBC famously sent a camera team out to interview folks on the streets on London, asking them to reveal their user names and passwords and offering them a ham sandwich in return. More than half complied," he reported in a blog post.

Truly, passwords can be a drag. About 25% of survey respondents said they spend more than 30 minutes per day simply logging into various applications, databases, and other systems required to do their job. "That's two and a half hours every week, ten hours a month, 120 hours a year," said Cole. "Most CxOs could care less or are unaware of the problem. How much is that costing them? Do the math!"

It's no secret that when people must manage too many passwords, they resort to workarounds that make a mockery of securing systems with passwords. "Quest didn't actually ask if people write their passwords on Post-it notes and stick them on their computer screens, but anybody who has ever walked through a large office has seen these 'stickies of shame.' People just don't like to talk about it," said Cole.

The solution to this security threat, he said, comes in two forms: greater use of identity and access management (IAM) tools for front-line employees, as well as privileged access management tools that can both secure and audit all administrator-level access to systems. One of the biggest upsides to both technologies is that it helps employees be more productive. And if that helps sell security, overhaul ineffective password practices, and knock organizations' top threats down a few notches, perhaps more businesses should buy in.

SEE ALSO:

Schwartz On Security: Unraveling Night Dragon Attacks

Schwartz On Security: The Right To Social Networks

Schwartz On Security: Slouching Toward Smartphone, Apple Armageddon

Schwartz on Security: Bling Botnets Sell Gangster Lifestyle

Schwartz On Security: Hack My Ride

See all stories by Mathew J. Schwartz

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3594
Published: 2014-08-22
Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.