Top IT security professionals, who maintain the security defenses that thwart a nearly constant bombardment of attacks, are acknowledging that network security weaknesses are giving cybercriminals an advantage when they probe corporate systems.
Hackers are starting to use attacks that are like machine guns against us.
Mike Lloyd, CTO, RedSeal Systems
IT organizations find themselves incapable of finding the gaps in their systems, making it difficult to maintain the layered defenses they need to protect sensitive data, according to a new report, “Hackers Versus Enterprise Security: A Survey of IT Security Professionals” developed by San Mateo, Calif.-based security risk management provider RedSeal Systems.
RedSeal interviewed nearly 2,000 security professionals at the Cisco Live and Black Hat USA conferences earlier this year. The survey found three quarters of the security professionals interviewed believe hackers have the upper hand with tools and automation.
“Security professionals all agree we are losing this war,” said Mike Lloyd, chief technology officer at RedSeal. “This is not only a startling conclusion, but it’s also interesting that security organizations are actually admitting this.”
Not only did they admit they are falling behind in the arms race, but more than 71% of those who responded indicated their networks were at risk because of improperly configured network devices. A little more than half, 53%, blamed this on their lack of ability or knowledge to generate the metrics necessary to track trends in network security posture.
Half of those who responded claimed they don’t know or don’t have any way of knowing how many hosts can be accessed from outside their network and only 41% believe the vulnerability management tools being utilized are accurately prioritizing their vulnerabilities.
So how do organizations continually fight this losing battle? “Consistency is key, prioritization is necessary,” said Lloyd, explaining that organizations need to assess the threat landscape and prioritize additional defenses based on risk. “If you can’t prioritize, you’ve got a problem.”
The RedSeal survey also found health care, energy and non-profits are at a greater risk of attack, with 86% of energy companies saying hackers have gained the advantage, 52% of non-profits claiming they lack the ability to generate the necessary metrics to track changes in security effectiveness over time, and 41% of health care companies revealing they don’t understand the full security implications of network changes until implementation.
Over 51% of chief information security officers said they don’t believe or don’t know if vulnerability assessment tools provide enough information to identify their most important security exposures, and some 56% of CISOs said they either don’t have effective metrics to measure security effectiveness or don’t know if those metrics even exist.
Hackers are deploying these attacks and outgunning security professionals through automation. Attack toolkits, which are bought and sold on the black market, make it easy for nearly anyone to probe corporate networks to find vulnerabilities that can be exploited. Defenders need to find all the ways they could possibly be breached, Lloyd said.
“Why would you use something so complex like a zero-day attack when you can use an easy door knob twister like APT?” Lloyd asked.
The Verizon Business RISK team, in cooperation with the United States Secret Service, released its 2011 Data Breach Investigations Report in April and found automated tools were used by cybercriminals in a vast majority of breaches. These tools ultimately don’t make hackers work hard to accomplish an attack. Among the Verizon report’s conclusions: 96% of real attacks could have been prevented without difficult or expensive controls.
“It goes back to consistency. IT infrastructure is moving very fast, so fast that humans are having trouble keeping up,” Lloyd said. “Hackers are starting to use attacks that are like machine guns against us.”