Category: Statistics

Promisec announced its findings from security audits of more than 100,000 corporate endpoints.

These audits were conducted in the first six months of 2008 in enterprises of different sizes and revealed that not even one organization was completely clean from internal threats, and the minimum number of threats found was three.

http://www.net-security.org/secworld.php?id=6350

Hackers both set up malicious blogs on the service, and inject dangerous web links and content into innocent blogs in the form of comments.

Blogspot.com accounts for 2 percent of all of the world’s malware hosted on the web.

http://www.net-security.org/malware_news.php?id=962

Respondents also reported additional business costs from compromised security, including: Loss of productivity — 61 percent in 2008 compared to 52 percent in 2006.

The CA survey results show there has been significant time and IT budget spent on IT security compliance to help meet regulations and mitigate future risk. The survey results point to Identity Access and Management (IAM) solutions as a key and growing area of security investment by large U.S. organizations. Survey respondents indicate that more than 85 percent of large U.S. organizations are using an IAM solution, with 75 percent of those organizations planning to make further IAM investments within the next 12 months.

http://www.net-security.org/secworld.php?id=6333

Sixty-six percent of respondents say their vulnerability to breaches and malicious code attacks is either the same as last year or worse.

Since when is “no worse than before” an acceptable return on investment? The solution lies in securing to specific threats. The problem is that IT lags well behind other disciplines in adopting systematic risk management processes. But those technology professionals who have made the leap into classifying IT assets, assigning values, evaluating threats, then determining where and how to mitigate risk find the process to be extremely valuable. In short, risk management principles bring rigor to information security.

Here’s one illustration from our security study of how risk management can focus companies on the most important threats: Insecure coding practices are a pox on all our houses.

Roughly half of respondents whose organizations have risk management plans in place specify security features at the time of application design.

Of those without risk management plans, just 22% focus on code security.

We need the jolt that this security study provides.

Twenty-one percent of companies never conduct security risk assessments, and of those that do, just one in five imposes the rigor of using a specialized external auditor.

This despite 63% contending with government or industry regulations related to data security, many of which don’t give adequate guidance on how to comply. Best practices are the best defense in such gray areas.
mployee data.

We had hoped that the ongoing parade of high-profile data losses would set most companies on the road to comprehensive privacy protection. So we were discouraged that the only actions to safeguard customer data that are used by more than half of companies are … informing employees of standards and putting a privacy policy on the Web site.

Fine steps, but they don’t exclude the need for encryption (used by 34%) or privacy policy audits (25%). Amazingly, 11% say they have no privacy safeguards for customer data.

We could go on, and we will. But we need to stop for a second and ask, what gives?

WHAT DO WE GET FOR THE MONEY?
There’s no blaming the financial powers that be. For nearly 30% of respondents, security accounts for at least 11% of the total IT budget.

The bad news: Viruses, phishing attacks, and worms continue to cause headaches, and companies keep pouring money into firewalls and antivirus protection.

Speculation that these product categories would fade away, or at least be assimilated into other technologies, is premature, as 13% say their vulnerability to breaches and malicious code is even worse than last year.
And they’re the only two product categories rated as effective by more than half of respondents.

Complexity, cited as the biggest security challenge by 62% of respondents. More data is ending up on the network. More agents are running on company computers, and employees expect some control over the PCs they use. As travel and energy costs skyrocket, companies are increasing the use of branch offices and teleworkers, a trend that spreads data far and wide as people expect to work securely from customer sites, home, or the coffee shop down the street. Complexity also stems from juggling multiple compliance requirements, training and educating staff and users in security awareness, and coping with increasing technical sophistication of networks.

Most organizations–63%–must comply with one or more government or industry regulations, many of them vaguely worded and offering little guidance on translating requirements into technology. To meet compliance goals, Kevin Sanchez Cherry, information systems security office program manager with a U.S. government department, says he applies best practices, which he determines by consulting a variety of sources, including the National Institute of Standards and Technology, the SANS Institute, and colleagues facing similar challenges.

Electric Insurance spends about 20% to 25% of its project planning time on risk analysis and management, says Michael Hannigan, manager of systems engineering and support. Because the entire process, from planning to postproduction, includes risk analysis, Hannigan finds potential problems are identified and addressed early.

Risk assessments primarily are used to develop mitigation policies and fix vulnerabilities; that can yield process-oriented efficiencies, such as leveraging databases to simplify asset management and policy compliance.

http://www.informationweek.com/news/security/management/showArticle.jhtml;jsessionid=TVNSCDTAPU452QSNDLPSKHSCJUNN2JVN?articleID=208800942

Sophos collected data from more than 580 PCs worldwide, 36 percent coming from UK-based computers, and found: 81 percent of corporate endpoints tested failed one or more of these basic tests 63 percent were missing at least one Microsoft security patch among Microsoft Windows operating system, Microsoft Office, Microsoft Internet Explorer, Microsoft Media Player or Flash Player 51 percent of endpoints tested had their client firewalls disabled 15 percent were running out-of date endpoint security software or had disabled their protection altogether Administrators reading these stats might think they are sitting pretty and have nothing to worry about, but I would challenge them to run this free tool and double check the security levels within their network — the findings have been staggering.

Rather than wait for a problem to arise and be forced to perform a post mortem to find the holes, administrators would be wise to take a few minutes now — it’s free, it’s easy and it might just highlight some serious vulnerabilities that can be addressed proactively.

Sophos collected data from 583 corporate endpoints for this Endpoint Assessment Test — North America represented 39 percent of the sample base, the UK made up 36 percent, while Australia and Germany contributed 11 percent and 9 percent respectively.

http://www.net-security.org/secworld.php?id=6244

E-mail is the most popular method of transferring confidential data (over 70% allow staff to transfer confidential data via e-mail), and yet over a quarter of businesses (26%) admit to losing data via e-mail.

While the threat of data loss or breach continues to increase, there are still organizations that have not invested in data security.

Respondents indicated the following as the top three reasons why: 21 percent feel that data loss prevention is not a security threat, 37 percent do not have the budget to invest in data loss prevention solutions, and 16 percent trust their employees to follow the corporate policy.

When asked about the possible impact of data breach notification legislation, 49 percent of respondents that do not currently adhere to data breach notification legislation envision their annual IT spend increasing by at least 10 percent. In comparison, only one in five (20%) respondents who currently adhere to data breach notification legislation said they have seen no change in their IT spending since the legislation’s introduction.

http://www.net-security.org/secworld.php?id=6222