The shaky state of enterprise security

The 2004 InfoWorld Security Survey shows IT managers are worried about the effectiveness of their security systems, with good reason

Faced with a seemingly endless onslaught of virulent Internet worms, spam, and e-mail scams, less than half of IT professionals report strong confidence in the security of their enterprise networks, according to the results of the 2004 InfoWorld Security Survey.

The picture that emerged from a poll of more than 600 IT professionals in our June online survey was one of wariness in the face of a wide range of threats, from insecure operating systems to online “spoofing” attacks.

Only 38 percent of IT professionals said they are “very confident” in their enterprise security, and a mere 8 percent said they are “extremely confident” in it. A plurality of those responding, 43 percent, said they are “somewhat confident” -- hardly a ringing endorsement.

The results mirrored the June 2003 survey, when IT managers emphasized similar concerns, with 41 percent saying they were “very confident” and 8 percent indicating they were “extremely confident” in their security systems. The year-to-year differences fall within the 2004 survey’s 3.98 percent margin of error.

IT leaders also report that inadequate staffing and training to shore up security measures are prime concerns. And, while Trojan horses, viruses, and worms remain the chief threats for IT leaders, application vulnerabilities are growing rapidly in importance as an increasing number of applications are made available over the Internet.

On the defensive

But why such a sense of worry, despite efforts to fortify defenses? Try a storm of online threats, including Net and e-mail worms that buffeted corporate network defenses in the past 12 months.

The situation reached a fever pitch in March, when competing virus writers pushed out a steady stream of foul-mouthed, insult-bearing MyDoom, Netsky, and Bagle worms, sometimes releasing multiple new variants on a single day. The onslaught of virulent Internet and e-mail worms bogged down their share of networks and almost certainly dragged down the confidence of many network administrators, as well.

“You had worms like Blaster that got around [perimeter] firewalls, and that told you that your perimeter protections were not enough. That scared a lot of people,” says Alan Paller, director of research at The SANS Institute.

Survey respondents seem to agree. Nearly 30 percent of them said that malicious code, including Trojan horse programs, worms, and viruses, is the greatest single threat to their company’s enterprise network security. That’s similar to 2003, when Trojans, viruses, and worms were the top concern for IT administrators.

Keeping the wolf from the door

Despite continuing fears, survey respondents said again this year that their organization suffered only a few successful attacks on their network from malicious hackers, Trojan horse programs, worms, and other threats.

Sixty-four percent of those responding to the survey said they knew of fewer than 10 successful attacks on their network in the past year. That’s an almost identical figure to the 63 percent of respondents in the 2003 survey who said that 10 or fewer attacks breached their enterprise security defenses.

More widespread use of security technology may be a factor. Almost 90 percent of respondents said their network uses anti-virus software. Sixty-three percent use an enterprise firewall appliance, and 64 percent use anti-spam technology. Thirty-seven percent said they use network-based intrusion detection and prevention technology.

There are some dark spots in the data about network attacks. A whopping 30 percent of respondents said they didn’t know how many attacks were attempted on their network in the past 12 months. Twenty-two percent said they didn’t know how many attacks had been successful during that time.

The SANS Institute’s Paller isn’t surprised by those figures. “It’s very difficult to find infected machines when the infection is meant to be kept hidden,” Paller says. “Viruses infect machines and then [malicious hackers] come in after and install code. It’s never obvious in low-profile, slow attacks. Users have no idea their machine is being controlled by somebody else.”

More soldiers for the defense

It’s easy to overlook evidence of low-level attacks on a company’s network, such as scans for open communications ports that might be avenues for attackers, says John Schramm, a member of the security architecture and emerging technology group at Bank of America.

Passive attacks on some high-profile corporate networks are so frequent that IT administrators commonly filter out much of the activity to study more significant attack data, Schramm says. The passive attacks are “background noise,” he says, likening them to “twisting the door knob” on corporate networks to see if the door is open.

And with 57 percent of respondents working for organizations that manage their own enterprise network security -- up from 51 percent last year -- spotting attacks often depends on having adequate staffing.

One respondent described a case in which weeks of attempted hacks on a Web application server were discovered only by chance, when an IT staffer checked log files in preparation for an external audit. The problem: The staff member responsible for doing the checks on that device was overburdened by other demands on his skeletal IT staff and hadn’t been told to prioritize the log-checking.
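The log review that caught the attempts in that anecdote, and the filtering of scan “background noise” that Schramm describes, can both be mechanised so they do not depend on an overburdened staffer remembering to look. The following is an added example, not code from the article, from InfoWorld, or from Bank of America: it parses a handful of constructed Apache common-log-format lines (the addresses, paths and timestamps are invented for illustration), tags requests that look like probing, and separates a one-off door-knob twist from a source that keeps probing a Web application server. The probe patterns and the threshold of three probes are assumptions that a real deployment would tune to its own traffic.

```python
import re
from collections import defaultdict

# Constructed sample in Apache/NCSA common log format. Not real traffic:
# the addresses are documentation ranges and the paths are illustrative.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2004:02:14:07 +0000] "GET /admin/ HTTP/1.0" 404 294
203.0.113.7 - - [12/May/2004:02:14:09 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 294
203.0.113.7 - - [12/May/2004:02:14:11 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
203.0.113.7 - - [12/May/2004:02:14:13 +0000] "GET /login.asp?user=admin'-- HTTP/1.0" 500 512
203.0.113.7 - - [12/May/2004:02:14:15 +0000] "GET /login.asp?user=%27%20OR%201=1-- HTTP/1.0" 500 512
198.51.100.23 - - [12/May/2004:02:20:44 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.23 - - [12/May/2004:02:20:45 +0000] "GET /images/logo.gif HTTP/1.1" 200 5211
192.0.2.88 - - [12/May/2004:03:01:02 +0000] "GET /admin/ HTTP/1.0" 404 294
"""

# One common-log-format line: client, identd, user, [timestamp], "request", status, bytes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Request paths that look like probing rather than browsing: directory traversal
# (plain and double-encoded), the old cmd.exe trick, CGI and admin directory guessing,
# and a single quote (raw or encoded) that hints at SQL injection attempts.
# This list is an assumption for the example, not a complete signature set.
PROBE_RE = re.compile(r"(\.\./|%2e%2e|%255c|cmd\.exe|/cgi-bin/|/admin|'|%27)", re.IGNORECASE)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_sources(log_text, min_probes=3):
    """Summarise each client address as benign, background noise, or sustained probing.

    A lone 404 on /admin/ is a door-knob twist and is counted but not escalated;
    a source that sends min_probes or more probe-looking requests (or that keeps
    producing server errors) is what a log reviewer should actually look at.
    """
    stats = defaultdict(lambda: {"requests": 0, "probes": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:          # skip truncated or foreign lines rather than crash
            continue
        entry = stats[rec["ip"]]
        entry["requests"] += 1
        if PROBE_RE.search(rec["path"]) or rec["status"] >= 500:
            entry["probes"] += 1
    for entry in stats.values():
        if entry["probes"] >= min_probes:
            entry["verdict"] = "sustained probing"
        elif entry["probes"] > 0:
            entry["verdict"] = "background noise"
        else:
            entry["verdict"] = "benign"
    return dict(stats)


if __name__ == "__main__":
    for ip, entry in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{ip:16} requests={entry['requests']:2} probes={entry['probes']:2} {entry['verdict']}")
```

Run against the sample, the single address that walks through /admin/, /cgi-bin/, a traversal attempt and two quote-laden login requests is reported as sustained probing, the ordinary visitor as benign, and the one-off /admin/ request as noise. Logging only the first category to a ticket queue is the filtering Schramm describes; the raw lines still stay on disk for the audit.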

That may be why bodies, not boxes, were again near the top of IT professionals’ wish lists. When asked what measures they would undertake with a larger security budget, 43 percent said they would hire more IT staff dedicated to enterprise security, identical to the percentage who said the same thing in 2003 and equal with the 43 percent this year who said they’d spend the money on employee training.

Companies can benefit greatly when select IT staff is trained to lock down application servers and other vulnerable hosts, explains John Pescatore, a vice president and research fellow at Gartner.

Alternatively, hiring third-party security consulting companies to do network audits -- the choice of 32 percent of respondents -- is generally considered a wise investment, Pescatore adds.

Flaws in the OS

But a healthy head-count and hearty perimeter defenses don’t guarantee any organization a reprieve from the next malicious hacker, especially with unpatched or just-patched holes in products by Microsoft or other major technology vendors providing a free pass into your enterprise network, the survey shows.

Forty percent of this year’s respondents said that their network has been subjected to an exploit through an operating system flaw. Twenty-four percent said their organization has been the victim of a DoS attack, and another 19 percent said that a flaw in a Web application led to exploitation.

The Sasser worm outbreak in late April and early May 2004 is a perfect example. On April 13, Microsoft released a flood of patches covering 20 security holes, including one (bulletin MS04-011) for the LSASS hole in Windows XP and 2000 machines, which Microsoft labeled “critical,” as it did a number of the other fixes released at the time. By April 30, the Sasser worm was crawling across the Internet, exploiting that LSASS hole on machines that had not yet applied the 17-day-old patch.

Inside many large companies, in fact, IT administrators know they’ve been lucky with past worm outbreaks but aren’t counting on their luck holding out, Schramm says.  “The fear is that one of these things will have something serious in them and [organizations] will lose a lot of systems. And perimeter devices are not going to prevent infection,” Schramm says.

Despite that, respondents remained remarkably loyal to big vendors, including Microsoft, the company 38 percent said they would trust to provide companywide enterprise security systems. “These are their strategic partners for the future,” Paller says about the apparent contradiction. “Companies are saying, ‘They may be bad, but they’re all we got.’ ”

Respondents said their level of concern about security problems stemming from Web applications, although not as high as OS-exploit worries, merited attention. Nineteen percent said that their company had been subjected to an exploit through a flaw in a Web app in the past 12 months.

But the rapid adoption of Web applications will present a potent security challenge for IT administrators in coming months, whether they realize it or not, experts say.

Application security, in particular, is almost certain to be an area of increased attention as companies move more critical functions onto the Web and open parts of their network to customers and business partners.

Fifteen percent of respondents said they use a dedicated application-layer security product, and less than 9 percent said they are likely to buy an XML firewall that could block application attacks in the next year. Traditional network firewalls are more common, with 72 percent of respondents saying they use them to secure mission-critical Web applications.

Companies will need more sophisticated tools than perimeter firewalls to stop attacks leveled at Web application servers and other advanced services, Schramm says.

“Application security threats like SQL injection attacks and attacks at the application layer are just easier to drive into applications,” Schramm says. “With operating-system [attacks], there are fewer things of an extremely serious nature that can be exploited from outside a well-managed environment.”
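To make Schramm’s point concrete, here is an added example, not code from the article or from any vendor it names, of why SQL injection is “easy to drive into” an application that a network firewall happily passes: a login check built by string concatenation beside the same check with bound parameters, both run against a constructed in-memory SQLite table. The table layout, the user names and passwords, and the `login_vulnerable` and `login_hardened` names are assumptions for illustration; the plaintext password column is a stand-in to keep the example short, not a recommendation.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (illustration only, not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, pw):
    """The broken form: user input is pasted into the SQL text.

    A quote in either field ends the string literal early, so the attacker's
    text becomes SQL syntax. Port 80 traffic looks perfectly normal to a
    perimeter firewall while this happens.
    """
    sql = "SELECT name FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, name, pw):
    """The fixed form: the driver binds the values after the statement is parsed.

    Quotes, comment markers and OR clauses in the input are compared as data;
    they never reach the SQL parser as syntax.
    """
    row = conn.execute("SELECT name FROM users WHERE name = ? AND pw = ?",
                       (name, pw)).fetchone()
    return row[0] if row else None


def demo():
    """Run the two classic payloads through both versions and report who gets in."""
    conn = make_db()
    payloads = [
        ("alice", "s3cret"),          # legitimate login
        ("alice'--", "wrong"),        # comment out the password check
        ("nobody", "' OR '1'='1"),    # make the WHERE clause always true
    ]
    return [(name, pw, login_vulnerable(conn, name, pw), login_hardened(conn, name, pw))
            for name, pw in payloads]


if __name__ == "__main__":
    for name, pw, vuln, safe in demo():
        print(f"name={name!r:14} pw={pw!r:16} vulnerable->{vuln!r:8} hardened->{safe!r}")
```

With `alice'--` as the user name, the vulnerable query becomes `... WHERE name = 'alice'--' AND pw = 'wrong'` and the password check is commented away; with `' OR '1'='1` as the password, the clause `pw = '' OR '1'='1'` is true for every row and the first user comes back. The parameterised version returns nothing for both, because the same strings are now just values that match no one. The fix is in the application, which is Schramm’s point: no perimeter box sees the difference between these two requests.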

Paller says he also expects application security to get more attention in the next year, as companies come to better understand the threat from the complex attacks.

A sense of foreboding

Other threats that were only a blip on this year’s survey also have the potential to develop into major security issues that will affect most every organization doing business on the Internet.

Although concerns about malicious code (29 percent) far surpass worries about spyware (7 percent) or hackers (6 percent) among respondents, experts say the 2004 survey may be remembered as the calm before the storm.

“People are thinking that spyware is not a big threat, but in the last few months, we’ve seen spyware payloads really start to show up,” Pescatore says. “That’s [an issue] that has just exploded, according to the people [whom Gartner] is talking to.”

Also, incidents of online identity theft or phishing scams have exploded in recent months. In April alone, the Anti-Phishing Working Group recorded more than 1,100 unique phishing attacks, an almost 200-percent increase from the previous month.

The scams, which use spam and malicious Web sites designed to look like legitimate e-businesses, pose a grave threat to companies that do business online, experts say.

In a new question on this year’s survey regarding corporate identity “spoofing,” like that used in phishing attacks, 23 percent of respondents said their company’s name has been spoofed.

“Large consumer-facing companies like banking, finance, and utilities -- anyone doing payment over the Internet or looking to save money by moving to electronic bill payment -- is affected by [phishing],” Pescatore says.

“Customers are starting to mistrust e-mail communications from enterprises,” Pescatore says.

“It’s an enormous issue, from a business and reputation standpoint,” Bank of America’s Schramm says. Unfortunately, because the attacks aren’t on the organizations themselves but on their customers, it is difficult to fight back against the phishers, Schramm says.

More awareness may be needed. This year’s survey showed respondents felt their organization’s executives were far more likely than themselves (60 percent vs. 45 percent) to be either “extremely confident” or “very confident” about enterprise security.

In the end, new threats and the changing nature of the Internet and of online business will force IT professionals to know more and more about their enterprise security.

“The old question was, ‘Do we have a firewall?’ The new question is, ‘How safe are we? How do we know?’ ” Paller says. “You have to start measuring yourself, and that means you find out shocking things -- like the systems you’re deploying are absolutely full of holes, and you had no idea.”

Like the fabled trip to the sausage factory, the new information may make IT professionals feel less secure, even as it makes them better able to anticipate and prevent attack. That, more than anything else, may be the message buried in this year’s security survey.
