Vulnerabilities / Threats
2/23/2011
05:29 PM
50%
50%

Schwartz On Security: Security Pros' Top 2011 Threats

While application vulnerabilities and mobile devices lead the list, perhaps it's also time to tackle security's impact on productivity.

What are the top security threats facing businesses today? Finding answers to that question is essential for helping CIOs and CSOs best direct their security teams' resources -- eternally scarce time and money -- toward addressing the biggest risks facing their business.

Start with application vulnerabilities and mobile devices. That's according to a recent survey conducted by Frost & Sullivan and sponsored by the International Information Systems Security Certification Consortium, aka (ISC)2.

In the survey, 10,413 information security professionals shared their top threat concerns: application vulnerabilities (cited by 73%), mobile devices (66%), viruses and worms (65%), internal employees (63%), hackers (55%), and contractors (45%). Other concerns include cyber terrorism (44%), cloud-based services (43%), and organized crime (38%).

Interestingly, based on current mobile technology spending levels -- as well as the widespread use of related security policies -- the Frost & Sullivan report said that "mobile security could be the single most dangerous threat to organizations for the foreseeable future."

Thankfully, many organizations are addressing these mobile security concerns. Already, 70% of organizations have policies and technologies in place for securing mobile devices. Many organizations also employ mobile security tools, including data encryption (at 71% of organizations), network access control (59%), mobile VPN (52%), mobile device management (43%), remote lock-and-wipe capabilities (42%), and mobile anti-malware (28%).

Given all of the chatter over the rise of Facebook as an attack vector, what about social networks? While this threat would generally fall under the third or fourth concerns -- viruses and worms, or internal employees -- security professionals don't seem to fear Facebook as much as smartphones. Indeed, according to the Frost & Sullivan survey, 28% of organizations set no limits on accessing or using social networks from the workplace. While 60% of organizations do use content filtering and Web site blocking, only 44% set and enforce social networking usage policies.

But IT administrators and even information security professionals might also need to begin counting themselves as a security risk, according to a new study from market researcher Harris Interactive, sponsored by IT software management vendor Quest Software. Harris Interactive surveyed 1,000 U.S. employees and 500 IT decision-makers and found that 10% of employees report that they can still access systems at their previous employers.

Password security is likewise poor even for current employees. Notably, half of employees say they've shared corporate log-in credentials and even passwords with their co-workers. Hence, it's little surprise that former employees still have access to usernames and passwords that work.

The study's findings reaffirm the simple fact that most people don't take passwords seriously, according to Tim Cole, co-founder of market research firm KuppingerCole. "[The] BBC famously sent a camera team out to interview folks on the streets on London, asking them to reveal their user names and passwords and offering them a ham sandwich in return. More than half complied," he reported in a blog post.

Truly, passwords can be a drag. About 25% of survey respondents said they spend more than 30 minutes per day simply logging into various applications, databases, and other systems required to do their job. "That's two and a half hours every week, ten hours a month, 120 hours a year," said Cole. "Most CxOs could care less or are unaware of the problem. How much is that costing them? Do the math!"

It's no secret that when people must manage too many passwords, they resort to workarounds that make a mockery of securing systems with passwords. "Quest didn't actually ask if people write their passwords on Post-it notes and stick them on their computer screens, but anybody who has ever walked through a large office has seen these 'stickies of shame.' People just don't like to talk about it," said Cole.

The solution to this security threat, he said, comes in two forms: greater use of identity and access management (IAM) tools for front-line employees, as well as privileged access management tools that can both secure and audit all administrator-level access to systems. One of the biggest upsides to both technologies is that it helps employees be more productive. And if that helps sell security, overhaul ineffective password practices, and knock organizations' top threats down a few notches, perhaps more businesses should buy in.

SEE ALSO:

Schwartz On Security: Unraveling Night Dragon Attacks

Schwartz On Security: The Right To Social Networks

Schwartz On Security: Slouching Toward Smartphone, Apple Armageddon

Schwartz on Security: Bling Botnets Sell Gangster Lifestyle

Schwartz On Security: Hack My Ride

See all stories by Mathew J. Schwartz

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.