
Security Professionals Might Be Overconfident

Results of two recent surveys show that from year to year, technology is helping to improve information security. The need for vigilance continues, however, as threat types continually shift.

While the frequency of security events held steady against last year's findings, there are real concerns that security executives might be overconfident, according to the “2007 E-Crime Watch Survey” conducted by CSO Magazine in cooperation with the U.S. Secret Service Agency, Carnegie Mellon's CERT® Program, and Microsoft Corporation.


CU360 is an online portal for benchmarking tools, market insights, industry data, and analytical information.

This article was originally published online by CU360 at cu360.cuna.org.
Reprinted with permission.

"There's little doubt that organizations have learned a tremendous amount about security in the past five years and are making serious headway in understanding and combating threats," said Bob Bragdon, publisher of CSO Magazine. "At the same time, we saw signs in this study that organizations think they have things handled, which is concerning given the recent rise in targeted, financially motivated attacks."

While 57% of participants say they're increasingly concerned about the potential effects of e-crime, and 49% of them said they experienced an e-crime in 2006 vs. 38% the prior year, other responses suggested they're not prioritizing security as much as they have in previous years. For example, 69% of respondents said they're more prepared to deal with those threats than they have been in the past, but these same organizations said they've trimmed spending on IT security 5% and corporate security 15%.

"You should never let down your guard when it comes to cybersecurity," said Jeff Jones, director of Trustworthy Computing for Microsoft. "Crime is a fact of life in the digital world just as it is in the physical world. Even with the best security posture, you must still steadily guard against potential threat."

Insiders vs. Outsiders

Part of guarding against threat is to understand its source, and the survey posed several questions to compare cybercrimes by insiders and outsiders.

When asked who caused more damage (in terms of cost or operations), results were fairly close (insiders 34%, outsiders 37%, unknown 29%). But by their actions, participants indicated they may not be giving as much attention to insider threats as would seem justified. Respondents indicated substantial drops in use of background checks, account/password management policies, employee monitoring, and employee security awareness training.

"It's important that organizations are proactive in their approach to mitigating insider threats," says CERT's Dawn Cappelli. "Defense-in-depth isn't just about putting adequate technology in place, it's also about paying attention to your people and implementing policies and procedures to reduce the likelihood of an insider attack."

The potential for damage from an insider attack is clear. As opposed to widespread attacks not focused on an individual organization, insider attacks were targeted at their specific organizations. Survey results show that most insiders targeted proprietary information, including intellectual property, and customer and financial information. Unauthorized access to or use of corporate information, systems, or networks was the most common insider e-crime.

Also of note was a shift in the methods being used by insiders to commit e-crimes. The use of social engineering techniques (gaining access through manipulation of a person or persons who can permit or facilitate access to a system or data) jumped to become the number one method, followed by use of compromised accounts, copying information to mobile devices like USB drives or iPods, and use of their own account. Reported insider use of sophisticated technologies like password crackers or sniffers jumped from 17% of organizations last year to 31% this year.

Concerning e-crimes by outsiders, respondents reported marked jumps in the illegal generation of SPAM e-mail and phishing attacks. The top five e-crimes perpetrated by outsiders were: virus, worms or other malicious code; unauthorized access or use of information, systems or networks; illegal generation of SPAM e-mail; spyware (not including adware); denial of service attacks; and phishing.

Most e-crimes, perpetrated inside or outside, are handled internally without involving legal action or law enforcement. That finding unsettles experts, given the number of crimes involving information theft and the breach-notification laws that have been passed. Respondents' reasons for not referring crimes for legal action are that either the damage level was insufficient to warrant prosecution, there was a lack of evidence, or that they could not identify the individuals responsible.

Best Practices

The survey found that the most effective technologies were: stateful firewalls, access controls, electronic access controls, application layer firewalls, and host-based anti-virus. The least effective technologies were: manual patch management, surveillance, password complexity, badging, and RBL-based SPAM filtering.

These results show high levels of confidence in traditional perimeter technologies. But these all have limited effectiveness—enterprise perimeters are no longer clearly defined and the respondents' reliance on traditional perimeter technologies may leave them exposed to attacks that bypass the perimeter.

On the other hand, organizations are relying on processes and policies to secure against insider threats. Inappropriate-use policies and segregation of duties—tools that have always been available to management—are finding increased acceptance as means to ensure compliance and supplement technology in securing information assets.

Results of the “2007 E-Crime Watch Survey,” along with highlights of the 5th Annual Global State of Information Security, were presented in a webcast from Perimeter Security, a CUNA Strategic Services partner firm.

