Vulnerabilities / Threats
2/23/2011
05:29 PM
Connect Directly
RSS
E-Mail
50%
50%

Schwartz On Security: Security Pros' Top 2011 Threats

While application vulnerabilities and mobile devices lead the list, perhaps it's also time to tackle security's impact on productivity.

What are the top security threats facing businesses today? Finding answers to that question is essential for helping CIOs and CSOs best direct their security teams' resources -- eternally scarce time and money -- toward addressing the biggest risks facing their business.

Start with application vulnerabilities and mobile devices. That's according to a recent survey conducted by Frost & Sullivan and sponsored by the International Information Systems Security Certification Consortium, aka (ISC)2.

In the survey, 10,413 information security professionals shared their top threat concerns: application vulnerabilities (cited by 73%), mobile devices (66%), viruses and worms (65%), internal employees (63%), hackers (55%), and contractors (45%). Other concerns include cyber terrorism (44%), cloud-based services (43%), and organized crime (38%).

Interestingly, based on current mobile technology spending levels -- as well as the widespread use of related security policies -- the Frost & Sullivan report said that "mobile security could be the single most dangerous threat to organizations for the foreseeable future."

Thankfully, many organizations are addressing these mobile security concerns. Already, 70% of organizations have policies and technologies in place for securing mobile devices. Many organizations also employ mobile security tools, including data encryption (at 71% of organizations), network access control (59%), mobile VPN (52%), mobile device management (43%), remote lock-and-wipe capabilities (42%), and mobile anti-malware (28%).

Given all of the chatter over the rise of Facebook as an attack vector, what about social networks? While this threat would generally fall under the third or fourth concerns -- viruses and worms, or internal employees -- security professionals don't seem to fear Facebook as much as smartphones. Indeed, according to the Frost & Sullivan survey, 28% of organizations set no limits on accessing or using social networks from the workplace. While 60% of organizations do use content filtering and Web site blocking, only 44% set and enforce social networking usage policies.

But IT administrators and even information security professionals might also need to begin counting themselves as a security risk, according to a new study from market researcher Harris Interactive, sponsored by IT software management vendor Quest Software. Harris Interactive surveyed 1,000 U.S. employees and 500 IT decision-makers and found that 10% of employees report that they can still access systems at their previous employers.

Password security is likewise poor even for current employees. Notably, half of employees say they've shared corporate log-in credentials and even passwords with their co-workers. Hence, it's little surprise that former employees still have access to usernames and passwords that work.

The study's findings reaffirm the simple fact that most people don't take passwords seriously, according to Tim Cole, co-founder of market research firm KuppingerCole. "[The] BBC famously sent a camera team out to interview folks on the streets on London, asking them to reveal their user names and passwords and offering them a ham sandwich in return. More than half complied," he reported in a blog post.

Truly, passwords can be a drag. About 25% of survey respondents said they spend more than 30 minutes per day simply logging into various applications, databases, and other systems required to do their job. "That's two and a half hours every week, ten hours a month, 120 hours a year," said Cole. "Most CxOs could care less or are unaware of the problem. How much is that costing them? Do the math!"

It's no secret that when people must manage too many passwords, they resort to workarounds that make a mockery of securing systems with passwords. "Quest didn't actually ask if people write their passwords on Post-it notes and stick them on their computer screens, but anybody who has ever walked through a large office has seen these 'stickies of shame.' People just don't like to talk about it," said Cole.

The solution to this security threat, he said, comes in two forms: greater use of identity and access management (IAM) tools for front-line employees, as well as privileged access management tools that can both secure and audit all administrator-level access to systems. One of the biggest upsides to both technologies is that it helps employees be more productive. And if that helps sell security, overhaul ineffective password practices, and knock organizations' top threats down a few notches, perhaps more businesses should buy in.

SEE ALSO:

Schwartz On Security: Unraveling Night Dragon Attacks

Schwartz On Security: The Right To Social Networks

Schwartz On Security: Slouching Toward Smartphone, Apple Armageddon

Schwartz on Security: Bling Botnets Sell Gangster Lifestyle

Schwartz On Security: Hack My Ride

See all stories by Mathew J. Schwartz

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0972
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

CVE-2014-2627
Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

CVE-2014-3009
Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

CVE-2014-3302
Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

CVE-2014-3534
Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio