Alternatively, hiring third-party security consulting companies to do network audits -- the choice of 32 percent of respondents
-- is generally considered a wise investment, Pescatore adds.
Flaws in the OS
But a healthy head count and hearty perimeter defenses don’t guarantee any organization a reprieve from the next malicious
hacker, the survey shows, especially when unpatched or just-patched holes in products from Microsoft and other major technology
vendors provide a free pass into the enterprise network.
Forty percent of this year’s respondents said that their network has been subjected to an exploit through an operating system
flaw. Twenty-four percent said their organization has been the victim of a DoS attack, and another 19 percent said that a
flaw in a Web application led to exploitation.
The Sasser worm outbreak of late April and early May 2004 is a perfect example. On April 13, Microsoft released a flood of 20 security
patches, including one for the LSASS hole in Windows XP and Windows 2000 machines (bulletin MS04-011), which Microsoft rated “critical,”
as it did a number of the other patches released that day. By April 30, the Sasser worm was crawling across the Internet, exploiting
that LSASS hole on machines that had not yet applied the patch.
Inside many large companies, in fact, IT administrators know they’ve been lucky with past worm outbreaks but aren’t counting
on their luck holding out, Schramm says. “The fear is that one of these things will have something serious in them and [organizations]
will lose a lot of systems. And perimeter devices are not going to prevent infection,” Schramm says.
Despite that, respondents remained remarkably loyal to big vendors, including Microsoft, the company 38 percent said they
would trust to provide companywide enterprise security systems. “These are their strategic partners for the future,” Paller
says about the apparent contradiction. “Companies are saying, ‘They may be bad, but they’re all we got.’ ”
Respondents said that security problems stemming from Web applications, although not as great a worry as OS exploits, merited attention:
19 percent reported that their company had been subjected to an exploit through a flaw in a Web application in the past 12 months.
But the rapid adoption of Web applications will present a potent security challenge for IT administrators in coming months,
whether they realize it or not, experts say.
Application security, in particular, is almost certain to be an area of increased attention as companies move more critical functions onto the
Web and open parts of their network to customers and business partners.
Fifteen percent of respondents said they use a dedicated application-layer security product, and fewer than 9 percent said they
are likely to buy an XML firewall that could block application attacks in the next year. Traditional network firewalls are
far more common, with 72 percent of respondents saying they use them to secure mission-critical Web applications.
Companies will need more sophisticated tools than perimeter firewalls to stop attacks leveled at Web application servers and
other advanced services, Schramm says.
“Application security threats like SQL injection attacks and attacks at the application layer are just easier to drive into
applications,” Schramm says. “With operating-system [attacks], there are fewer things of an extremely serious nature that
can be exploited from outside a well-managed environment.”
Paller says he also expects application security to get more attention in the next year, as companies come to better understand
the threat from these more complex attacks.
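The SQL injection Schramm mentions is the classic case of an attack a port-filtering network firewall cannot see: it arrives as ordinary HTTP to the Web server, and the damage is done by the application's own database query. The script below is an added illustration, not code from the article or from any organization it cites; the users table, the credentials, the login functions and the `' OR '1'='1` payload are all constructed for the example.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def build_db():
    """Create an in-memory SQLite database with a toy users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Hypothetical login check that splices untrusted input into the SQL text.

    A quote character in the input closes the string literal and the rest of
    the input becomes SQL syntax. Nothing at the network layer is malformed:
    the request is valid HTTP, so a perimeter firewall passes it through.
    """
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: input is passed to the driver as data,
    separately from the query text, so quote characters can never become syntax.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both login variants against a legitimate login and an injection payload.

    With the payload as the password, the vulnerable query becomes
        ... WHERE username = 'nobody' AND password = '' OR '1'='1'
    AND binds tighter than OR, so the OR '1'='1' clause makes every row match
    and the attacker is logged in without knowing any password.
    """
    conn = build_db()
    payload = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "bypass_vulnerable": login_vulnerable(conn, "nobody", payload),
        "legit_parameterized": login_parameterized(conn, "alice", "s3cret"),
        "bypass_parameterized": login_parameterized(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for name, user in demo().items():
        print("%-22s -> %s" % (name, user))
```

The bypass succeeds only against the string-spliced query; the parameterized version treats the payload as an ordinary (wrong) password and returns no user. That difference lives entirely in application code, which is why the article's experts argue that perimeter devices alone do not address this class of attack.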
A sense of foreboding
Other threats that were only a blip on this year’s survey also have the potential to develop into major security issues that
will affect almost every organization doing business on the Internet.
Although concerns about malicious code (29 percent) far surpass worries about spyware (7 percent) or hackers (6 percent) among
respondents, experts say the 2004 survey may be remembered as the calm before the storm.
“People are thinking that spyware is not a big threat, but in the last few months, we’ve seen spyware payloads really start
to show up,” Pescatore says. “That’s [an issue] that has just exploded, according to the people [whom Gartner] is talking
to.”
Also, incidents of online identity theft or phishing scams have exploded in recent months. In April alone, the Anti-Phishing
Working Group recorded more than 1,100 unique phishing attacks, an almost 200-percent increase from the previous month.
The scams, which use spam and malicious Web sites designed to look like those of legitimate e-businesses, pose a grave threat to
companies that do business online, experts say.
In a new question on this year’s survey regarding corporate identity “spoofing,” like that used in phishing attacks, 23 percent
of respondents said their company’s name has been spoofed.
“Large consumer-facing companies like banking, finance, and utilities -- anyone doing payment over the Internet or looking
to save money by moving to electronic bill payment -- is affected by [phishing],” Pescatore says.
“Customers are starting to mistrust e-mail communications from enterprises,” Pescatore says.
“It’s an enormous issue, from a business and reputation standpoint,” Bank of America’s Schramm says. Unfortunately, because
the attacks aren’t on the organizations themselves but on their customers, it is difficult to fight back against the phishers,
Schramm says.
More awareness may be needed. This year’s survey showed respondents felt their organization’s executives were far more likely
than themselves (60 percent vs. 45 percent) to be either “extremely confident” or “very confident” about enterprise security.
In the end, new threats and the changing nature of the Internet and of online business will force IT professionals to know
more and more about their enterprise security.
“The old question was, ‘Do we have a firewall?’ The new question is, ‘How safe are we? How do we know?’ ” Paller says. “You
have to start measuring yourself, and that means you find out shocking things -- like the systems you’re deploying are absolutely
full of holes, and you had no idea.”
Like the fabled trip to the sausage factory, the new information may make IT professionals feel less secure, even as it makes
them better able to anticipate and prevent attack. That, more than anything else, may be the message buried in this year’s
security survey.