olly - Fotolia
Time and time again, post-mortem examinations of major data breach incidents at enterprises like Target Corp. and Home Depot Inc. indicate that IT and business leaders consistently failed to understand data breach risks and the security controls needed to prevent them. Now, newly revealed survey results suggest that many business decision-makers may be overconfident in their organizations' security controls, potentially setting themselves up for disaster.
Tripwire Inc.'s Foundational Security Controls survey polled 404 IT professionals and 302 executives from retail, energy and financial services organizations in the U.S. and U.K about their confidence levels in foundational security controls -- including hardware and software inventorying, system hardening, and patch and vulnerability management -- as well as how comfortable they were with global security standards such as PCI DSS, SOX, COBIT and ISO 27001.
More than three-quarters of IT professionals and executives claimed that they feel "confident" in their ability to implement basic security measures within their organizations, a clear contradiction to both what several sources including the Verizon Data Breach Investigations Report have reported -- and what the events and incidents that have already occurred this year have proven.
With basic security measure confidence coming in at 77%, the questions must be asked: Why the disconnect? If so many execs and IT pros believe they can implement these measures, why do so many organizations fall victim to basic attack vectors?
As the latest DBIR revealed earlier this year, 92% of incidents researched over the past decade can be mapped into nine basic patterns, for which organizations have a plethora of information on how to mitigate; the Verizon research team recommended controls in the DBIR; and the SANS Institute maintains its Critical Security Controls for Effective Cyber Defense list to help organizations implement the controls needed to ward off basic security issues.
Unfortunately, enterprises have long struggled with even the most basic information security defenses. In March 2013, a Center for Strategic and International Studies report revealed that 95% of successful breaches could have been prevented had the victims put simple or intermediate security controls in place.
So are IT pros and execs experiencing a false reality, or did Verizon's DBIR data not represent reality correctly?
"It's not surprising that IT and security professionals have confidence in foundational security controls," said Jane Holl Lute, president and CEO of the Council on CyberSecurity, in comments to Information Security Buzz. "The controls are instrumental in defending against common cyberattacks and lay the foundation for effective defense against more sophisticated intrusions." However, as Lute said, to be effective, these controls must be implemented consistently and efficiently across the organization as a whole.
Tom Sager, chief technologist and a founding member of the Council on CyberSecurity, reiterated this importance, saying, "You must get a solid security foundation in place, or you will waste much of your money, technology and -- worst of all -- the time and energy of your people." But, Sager said, foundational controls are merely foundational, not complete; more must be done to truly achieve security in the real world.
Chris Conacher, manager of security development for Tripwire, offered another reason why the perceived confidence is different from the reality of enterprise security, and it's not due to the lack of knowledge of basic security measures.
"The key issue," Conacher said, "is the ability of an organization to maintain a consistent security posture while trying to exist within the real world of limited available resources and various business pressures."
Confidence in capabilities is fine, but the facts in the 2014 DBIR cannot be denied. Business execs and IT pros alike would be well-served to put their security controls to the test before an incident occurs. Many would likely gain a humbling new perspective.
In other news
- BinaryLife Inc.'s Web browser-testing website BrowserStack revealed Wednesday that the recently disclosed Bash vulnerability was the reason an attacker was able to gain unauthorized access to its server and steal its users' email addresses. According to a press release, the breach occurred on an old prototype machine, built prior to 2012, and had not been properly patched to address the Shellshock flaw. During the attack, the intruder was able to access the company's Amazon Web Services API access key and secret key, using them to create fake credentials and copy a table from one of BrowserStack's backup disks. While the disk-copying action sent an alert to the company, the attacker got away with an email list and later used it to send a fraudulent email, stating that BrowserStack would be shut down. BrowserStack has since patched its systems and, it said, taken action to prevent further issues.
- Shortly following the release of details of a phishing study from researchers at Google Inc. and the University of California at San Diego, the Web was abuzz with sensationalized articles claiming 45% of users fall victim to phishing attacks. Gary Warner, director of research in computer forensics at the University of Alabama, followed up these fact-bending stories with a blog post dissecting the true numbers within the study as well as what it actually revealed about phishing scams today. While the root of the 45% claim can be traced back to Google's own blog post (note, the study did reveal that, when broken down by individual page, the success rate of phishing sites averaged 13% with the lowest 3% and highest 45%), the findings highlight not only that old phishing scams remain effective, but also the importance of presenting facts in a true -- and contextual -- matter.
- The ISACA 2014 IT Risk/Reward Barometer revealed that while 94% of U.S. consumers are aware of the recent slew of data breaches at retailers across the country, few have done anything to prevent themselves from falling victim. Out of the more than 1,100 respondents, only 45% had changed their online password/PIN, while 23% started using cash more often than credit cards. While 28% of respondents claimed they shop less frequently at retailers that have been breached in the past, 30% of those surveyed said their purchasing habits have not changed at all. The study, which also reported on the risks and rewards of wearable technology and the Internet of Things in the workplace, also reported that 56% of organizations don't have a BYOD policy that addresses wearable tech. Though enterprises' perceived risk of the Internet of Things was higher than the benefit (35% vs. 31%), when it comes to individuals, the benefits (46%) outweigh the risks (30%).
Learn more about getting back to basics to improve security.
Get help using the 2014 Verizon DBIR to improve information security controls.