Vulnerabilities / Threats
2/23/2011 05:29 PM

Schwartz On Security: Security Pros' Top 2011 Threats

While application vulnerabilities and mobile devices lead the list, perhaps it's also time to tackle security's impact on productivity.

What are the top security threats facing businesses today? Finding answers to that question is essential for helping CIOs and CSOs best direct their security teams' resources -- eternally scarce time and money -- toward addressing the biggest risks facing their business.

Start with application vulnerabilities and mobile devices. That's according to a recent survey conducted by Frost & Sullivan and sponsored by the International Information Systems Security Certification Consortium, aka (ISC)2.

In the survey, 10,413 information security professionals shared their top threat concerns: application vulnerabilities (cited by 73%), mobile devices (66%), viruses and worms (65%), internal employees (63%), hackers (55%), and contractors (45%). Other concerns include cyber terrorism (44%), cloud-based services (43%), and organized crime (38%).

Interestingly, based on current mobile technology spending levels -- as well as the widespread use of related security policies -- the Frost & Sullivan report said that "mobile security could be the single most dangerous threat to organizations for the foreseeable future."

Thankfully, many organizations are addressing these mobile security concerns. Already, 70% of organizations have policies and technologies in place for securing mobile devices. Many organizations also employ mobile security tools, including data encryption (at 71% of organizations), network access control (59%), mobile VPN (52%), mobile device management (43%), remote lock-and-wipe capabilities (42%), and mobile anti-malware (28%).

Given all of the chatter over the rise of Facebook as an attack vector, what about social networks? While this threat would generally fall under the third or fourth concerns -- viruses and worms, or internal employees -- security professionals don't seem to fear Facebook as much as smartphones. Indeed, according to the Frost & Sullivan survey, 28% of organizations set no limits on accessing or using social networks from the workplace. While 60% of organizations do use content filtering and Web site blocking, only 44% set and enforce social networking usage policies.

But IT administrators and even information security professionals might also need to begin counting themselves as a security risk, according to a new study from market researcher Harris Interactive, sponsored by IT software management vendor Quest Software. Harris Interactive surveyed 1,000 U.S. employees and 500 IT decision-makers and found that 10% of employees report that they can still access systems at their previous employers.

Password security is likewise poor even for current employees. Notably, half of employees say they've shared corporate log-in credentials and even passwords with their co-workers. Hence, it's little surprise that former employees still have access to usernames and passwords that work.

The study's findings reaffirm the simple fact that most people don't take passwords seriously, according to Tim Cole, co-founder of market research firm KuppingerCole. "[The] BBC famously sent a camera team out to interview folks on the streets of London, asking them to reveal their user names and passwords and offering them a ham sandwich in return. More than half complied," he reported in a blog post.

Truly, passwords can be a drag. About 25% of survey respondents said they spend more than 30 minutes per day simply logging into various applications, databases, and other systems required to do their job. "That's two and a half hours every week, ten hours a month, 120 hours a year," said Cole. "Most CxOs could care less or are unaware of the problem. How much is that costing them? Do the math!"

It's no secret that when people must manage too many passwords, they resort to workarounds that make a mockery of securing systems with passwords. "Quest didn't actually ask if people write their passwords on Post-it notes and stick them on their computer screens, but anybody who has ever walked through a large office has seen these 'stickies of shame.' People just don't like to talk about it," said Cole.

The solution to this security threat, he said, comes in two forms: greater use of identity and access management (IAM) tools for front-line employees, as well as privileged access management tools that can both secure and audit all administrator-level access to systems. One of the biggest upsides to both technologies is that they help employees be more productive. And if that helps sell security, overhaul ineffective password practices, and knock organizations' top threats down a few notches, perhaps more businesses should buy in.

SEE ALSO:

Schwartz On Security: Unraveling Night Dragon Attacks

Schwartz On Security: The Right To Social Networks

Schwartz On Security: Slouching Toward Smartphone, Apple Armageddon

Schwartz on Security: Bling Botnets Sell Gangster Lifestyle

Schwartz On Security: Hack My Ride

See all stories by Mathew J. Schwartz
