CSI Survey 2007, Part 3: Tech and Tribulations
In this final part of the series, we examine the security technologies companies employ to protect their networks. That is, when they even bother...
When it comes to employing security technologies, firewalls and antivirus are the main variants that everyone seems to use. The key, of course, is to ensure that these are configured properly and updated regularly to account for new attack types.
VPNs and spyware detection software come in at a distant third and fourth (VPNs were added to the list just this year). Most of the technologies were at the same usage levels as last year with one glaring exception: server-based access control lists dropped from 70% to 56%. This may be due to a tendency to rely on single-sign-on (SSO) methodologies as well as other forms of authentication and access. This likely reflects the evolution in how we communicate and network between organizations. And since we're using all this technology, we need to verify that it's being used accurately.
Companies are investing in internal audits primarily as a method to determine whether there are problems or not. While the figures suggest less than 65% are performing such audits, it is at least being done. It's important to recognize that doing audits of the systems can be helpful at reducing internal issues and uncovering weaknesses and vulnerabilities.
But in addition to technology, the individual must be trained to understand how security works and why it's important to them. To this end, security awareness training is paramount.
I'm a firm believer that awareness training is actually one of the best forms of security you can have for an organization because it means everyone gets involved in security and you have far more eyes looking for breaches than just your own. So it is disconcerting that awareness training still is on the lower rung of importance for many companies.
Less than 20% of companies don't have any training and an additional 35% don't verify that their training was effective. Using anecdotal experiences or written/digital testing are not necessarily effective methods of determining the effectiveness of training. Written/digital tests are just methods of determining how well one tests or understands the questions of a test while verbal anecdotal are based on how our minds interpret particular situations.
Verifying how often or the types of support calls or types of incidents as well as doing social engineering testing are more valid methods of testing the effectiveness of training. Very similar to the situational testing undertaken by various response agencies to simulate disasters, this kind of testing is as close to real world without causing damage to the company. This also allows us to see how we react to situations and whether additional training or changing the existing training is necessary.
Awareness training is important to some but it may be targeted at specific individual types. Respondents to this year's survey said that network security, security management and security policies were important for training. This kind of training is often done at a higher level than the average employee and there may be a gap in security as a result of this. Certainly the IT administrators and other IT staff are getting the necessary training but the bulk of the population in organizations may be missing out on something that is critical for the sake of company security.
Knowing, as they say, is half the battle. And many organizations aren't that interested, it seems, in necessarily knowing or learning overall.
Also, it appears that they are tight lipped as well. 50% said that they do not belong to an information sharing organization. I find this rather disturbing, as sharing information about attack types and detected vulnerabilities is critical. I've long been an advocate of full disclosure and believe it's even more important now as systems become even more complex than they were even 5 years ago.
While some may infer that exploits only occur when a patch is released, the reality is that exploits are constantly being created and explored. They become more numerous after patches, certainly, but creating patches can take time and if we know about the vulnerability beforehand we may be able to put in place stopgap measures that minimize the impact. This would help reduce any potential bad publicity that might occur should a system be compromised prior to a patch release.
In fact, negative publicity still likely remains the main reason as to why few companies go to law enforcement or get legal advice after an incident. The mainstream media doesn't truly understand security and when a breach happens, they only publish the details that will attract eyeballs rather than facts that explain how to properly deal with the issue or that the company did all necessary due diligence possible.
The last portion of the survey covered the effects of Sarbanes-Oxley, or rather, the perceived effects. While most feel it has been effective there are is large chunk -- about 25% -- that feels it hasn't. While SOX was meant to encourage more of a corporate policy or adherence to security, it may not be as effective as planned. It may also be due to a lack of understanding as to why it would be helpful. This would tie into security training again, specifically non-technical training along the lines of awareness and understanding of the impact of security in general.
All public companies need to comply with SOX and the rules it sets forth help to encourage effective processes. In fact, these processes can streamline security and make it easier to detect flaws in systems.
One of the newer items was an open-ended question as to what is the major security issue that an organization will face over the next couple of years. Not surprisingly, most of the responses centered on data protection and legal issues and compliance. Without a doubt data protection is critical as is ensuring that we meet or exceed any new laws. Dealing with both of these requires non-technical solutions and more of a managerial bent. I wonder if most of the respondents to this open-ended question were from managerial positions.
As with previous years, the CSI survey is invaluable to the IT security industry at giving us a peek into how we tick. Robert Richardson and his crew do an excellent job at providing us the glimpse we need to better understand our own nature. While there are always more questions and more input we would want in the survey, without it we wouldn't have an idea as to how security is truly viewed by those in the industry.
And as I've said repeatedly, knowing is half the battle.
This article was first published on EnterpriseITPlanet.com.