Enterprise servers are among the most tantalizing targets for malicious actors due to the intellectual property and user credentials stored on them, but many IT security pros do not feel confident in their ability to prevent or detect attacks against servers, according to a new survey.
As part of its third annual survey on server security threats, Waltham, Mass.-based endpoint security vendor Bit9 asked 799 IT and security professionals to rank the risks posed to their organizations' servers. A surprising 55% of respondents rated targeted attacks and data breaches as the most pressing
But despite awareness of targeted attacks, the security pros surveyed were uncertain of their ability to deal with such attacks. When asked whether they could protect against advanced attacks on servers, 22% said they were not confident at all, while another 59% said they were only somewhat confident. The same 59% of respondents were also only somewhat confident in their ability to detect advanced attacks on servers, with 24% not confident at all.
Perplexingly, of the 13% of respondents who were very confident in their ability to protect against advanced attacks, nearly one-quarter admitted their servers had already been breached by advanced malware. Nick Levay, chief security officer for Bit9, was left to wonder how those respondents would rate the maturity of their respective organizations' security programs; his guess was that many of the confident security pros are irrational in their self-assuredness.
"With the people who are very confident, some of that is blind confidence and some of that is [organizations] really working that hard to be confident. And I'd imagine it probably breaks down half and half," Levay noted. "And then conversely, there are people on the other side who are doing hard work and the reason they aren't confident is because they really know how hard it is. And then other people are not confident just because they know they suck all around."
Bit9's survey also asked security professionals what kind of servers pose the highest risk to the security of their organization. Just over half of respondents ranked Web servers as the riskiest. File servers were ranked as the second riskiest with 12%, while only 9% of respondents rated domain controllers -- where administrative rights and passwords are stored -- as the biggest security threat among servers. Such rankings don't tend to correlate with the real-world behavior of sophisticated attackers, according to Levay.
"I think this tells us something interesting about how people are interpreting risk," he said. "While in most situations, Web servers are the most publicly accessible [of the servers listed], a lot of the things I've seen advanced attackers go after once they actually get inside an enterprise is usually domain controllers, database servers and file servers."
Though Levay conceded that confidence-based statistics can be tricky to interpret, he highlighted enterprises' overreliance on antivirus technologies as a driving factor behind the respondents' lack of confidence. In fact, 92% of those surveyed said traditional antivirus (AV) was deployed to protect their servers. In comparison, 37% claimed to be using file integrity monitoring and 29% reported using application whitelisting.
Levay commented that some organizations simply continue to use traditional AV because of purchase cycles, as many companies are unwilling to rip something out if they are still paying for it. Signature-based AV, though, is increasingly incapable of detecting advanced malware and other threats, he noted, with the number of attacks that use widely signatured tools "dropping all the time." In contrast, he said IT shops using more advanced methods of endpoint security are seeing significantly fewer compromises.
"A lot of people take the perspective of, 'If it's not broke, don't fix it.' And they aren't acknowledging that [traditional AV] is broke," Levay commented. "There [are] some folks who have simply not woken up to that fact yet."