Faced with a seemingly endless onslaught of virulent Internet worms, spam, and e-mail scams, less than half of IT professionals
report strong confidence in the security of their enterprise networks, according to the results of the 2004 InfoWorld Security Survey.
The picture that emerged from a poll of more than 600 IT professionals in our June online survey was one of wariness in the
face of a wide range of threats, from insecure operating systems to online “spoofing” attacks.
Only 38 percent of IT professionals said they are “very confident” in their enterprise security, and a mere 8 percent said
they are “extremely confident” in it. A plurality of those responding, 43 percent, said they are “somewhat confident” -- hardly
a ringing endorsement.
The results mirrored the June 2003 survey, when IT managers emphasized similar concerns, with 41 percent saying they were
“very confident” and 8 percent indicating they were “extremely confident” in their security systems. These percentages fell
within the 3.98 percent margin of error in the 2004 survey.
IT leaders also report that lack of adequate staffing and training to shore up security measures is a prime concern. And,
while Trojan horses, viruses, and worms remain the chief threats for IT leaders, application vulnerabilities are growing rapidly
in importance, as an increasing number of applications are made available over the Internet.
On the defensive
But why such a sense of worry, despite efforts to fortify defenses? Try a storm of online threats, including Net and e-mail
worms that buffeted corporate network defenses in the past 12 months.
The situation reached a fever pitch in March, when competing virus writers pushed out the steady stream of foul-mouthed, insult-bearing
MyDoom, Netsky, and Bagle worms, sometimes releasing multiple new variants on a single day. The onslaught of virulent Internet
and e-mail worms bogged down their share of networks and almost certainly dragged down the confidence of many network administrators,
as well.
“You had worms like Blaster that got around [perimeter] firewalls, and that told you that your perimeter protections were
not enough. That scared a lot of people,” says Alan Paller, director of research at The SANS Institute.
Survey respondents seem to agree. Nearly 30 percent of them said that malicious code, including Trojan horse
programs, worms, and viruses, is the greatest single threat to their company’s enterprise network security. That’s similar
to 2003, when Trojans, viruses, and worms were the top concern for IT administrators.
Keeping the wolf from the door
Despite continuing fears, survey respondents said again this year that their organization suffered only a few successful attacks
on their network from malicious hackers, Trojan horse programs, worms, and other threats.
Sixty-four percent of those responding to the survey said they knew of fewer than 10 successful attacks on their network in
the past year. That’s an almost identical figure to the 63 percent of respondents in the 2003 survey who said that 10 or fewer
attacks breached their enterprise security defenses.
More widespread use of security technology may be a factor. Almost 90 percent of respondents said their network uses anti-virus
software. Sixty-three percent use an enterprise firewall appliance, and 64 percent use anti-spam technology. Thirty-seven
percent said they use network-based intrusion detection and prevention technology.
There are some dark spots in the data about network attacks. A whopping 30 percent of respondents said they didn’t know how
many attacks were attempted on their network in the past 12 months. Twenty-two percent said they
didn’t know how many attacks had been successful during that time.
The SANS Institute’s Paller isn’t surprised by those figures. “It’s very difficult to find infected machines when the infection
is meant to be kept hidden,” Paller says. “Viruses infect machines and then [malicious hackers] come in after and install
code. It’s never obvious in low-profile, slow attacks. Users have no idea their machine is being controlled by somebody else.”
More soldiers for the defense
It’s easy to overlook evidence of low-level attacks on a company’s network, such as scans for open communications ports that
might be avenues for attackers, says John Schramm, a member of the security architecture and emerging technology group at
Bank of America.
Passive attacks on some high-profile corporate networks are so frequent that IT administrators commonly filter out much of
the activity to study more significant attack data, Schramm says. The passive attacks are “background noise,” he says, likening
them to “twisting the door knob” on corporate networks to see if the door is open.
And with 57 percent of respondents working for organizations that manage their own enterprise network security -- up from
51 percent last year -- spotting attacks often depends on having adequate staffing.
One respondent described a case in which weeks of attempted hacks on a Web application server were discovered only by chance,
when an IT staffer checked log files in preparation for an external audit. The problem: The staff member responsible for doing
the checks on that device was overburdened by other demands on his skeletal IT staff and hadn’t been told to prioritize the
log-checking.
That may be why bodies, not boxes, were again near the top of IT professionals’ wish lists. When asked what measures they
would undertake with a larger security budget, 43 percent said they would hire more IT staff dedicated to enterprise security,
identical to the percentage who said the same thing in 2003 and equal with the 43 percent this year who said they’d spend
the money on employee training.
Companies can benefit greatly when select IT staff is trained to lock down application servers and other vulnerable hosts,
explains John Pescatore, a vice president and research fellow at Gartner.