Slashdot Mirror
Most Companies Admit Their Data Is At Risk
Weblver1 writes "A recent survey of IT professionals published by web security firm Finjan shows that data-theft should be a good reason for concern. Based on answers from 1,387 professionals, 25% acknowledged that their organization has been breached. What's worse, 42% did not know and could not exclude a breach, reflecting on the number of organizations that could potentially be breached without anyone knowing after the fact. Other findings we should be concerned about include 82% of Healthcare IT respondents admitting that medical records are at risk of data-theft, and 68% of all sectors admitting sensitive corporate information can be compromised by cyber-criminals. Finjan's report is available here (PDF, registration required). This survey comes a week after Forrester Research found in their survey that IT security spending is expected to rise (or at least remain the same) — with the current level of data breaches and sensitive data that is not protected well enough, there is a good reason for it.
I really don't think this will surprise anyone in the IT industry. It's not even really news. Most data remains secure/not-stolen simply by accident.
That is just how things are. To secure data, it will not be pretty, comfortable, or cheap. In the current economic environment nobody is all set to start spending with an increase in IT budge of 250% and so insecure it will remain.
Support NYCountryLawyer RIAA vs People
...here's a quote that I often say to managers:
"Yeah, but your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should." - Jurassic Park
Unfortunately the idea of a feather in their cap from implementing a new technology carries the day.
Wouldn't a completely honest answer to this question be "yes" 100% of the time for even the best security.
I like that kind of paranoia in security people. I'm glad 42% answered yes and hope to get those numbers even higher in future.
1. Their homepage says "Finjanâ(TM)s Survey Finds that 91% of Organizations Perceive Cybercrime as a Major Business Risk." Of course they do, anyone with a website does. That doesn't mean they perceive their specific data as being at risk. Is this paradoxical? Yes, but it's also the way things work. The "it won't happen to me" complex.
2. According the TFS, Most IT Professionals say their data is at risk, not most companies. That's not the safe as companies saying it.
If companies admitted that they can never completely protect your data, people would be smarter about who gets what information about them. As with anything else, the best way to secure a customer's data is to not have it unless you absolutely need it, and to only keep it for as long as you need it.
Do you trust the people you work with? Any individual in any business can access all sorts of material information.
Maybe it will be leaked to someone outside. Maybe it will be inadvertently passed in an email reply. Maybe someone will break in and steal an unguarded laptop.
There is no way to protect any data. The medical records everyone cries over is already shared with your doctors. Do you trust their secretaries? Do you trust the software makers and the maintenance/service engineers who come to diagnose software problems?
There is no privacy, and there is no secret information. There is only information which has not yet been leaked. And your only hope is that any information that is leaked is already moot by the time it becomes public.
Their employees might, but there's no way most companies will come out and say it.
From the footnotes of the PDF:
-The anonymous survey was open to all respondents independent of geographical location, job title, company size or industry.
-The survey was web-based and aimed at respondents interested in or worried about web security threats in general and aimed at their organization. In other news, when we polled members before entering a porn site, 98% said they plan on taking measures to protect their web anonymity within the next hour. The other 2% have a very strange fetish.
...and employees are corruptible, data is at risk, unless a DRM that can't be broken is invented.
It'd say they sample is based on 42% of IT professionals and 58% of PR people.
remember how the state officials in the uncooperative admin case in san fran handed over LIVE usernames and passwords of 50-60 (?) users in the network to court as 'evidence' against the administrator ? TOTALLY proving his case ?
as long as executives, officials, non i.t. people are TOO stupid as to use security systems, breaches will continue to be easy.
Read radical news here
Personally I'd be more worried about the other 33% who seem to think they could not possibly have had their security breached.
25% acknowledged that their organization has been breached. What's worse, 42% did not know and could not exclude a breach
No, that's not worse. That's _better_. Those 42% are being realistic. Realistically, unless you're one of a tiny percentage of people who either (a) receives so little traffic they can audit it all or (b) can be 100% certain of the security of all the software they're running, you should be in one of those two categories: breached, or don't know whether you've been breached but can't exclude it.
What's _actually_ worrying is that 33% of respondents think they are in one of these two categories, when in actual fact I'd suspect the figure is less than 1%.
(FTR: my company is in the 'breached' category. We had a worm infect one of our servers via a BIND bug back in 2000 or so, although the infection was apparently unsuccessful... it seemed to rely on there being a line feed on the end of the last line of /etc/inetd.conf, and our file didn't have one. I can't, obviously, rule out any breaches since then, but am reasonably confident there haven't been any.)
Depending how you look at the question, shouldn't those numbers be closer to 100%?
We're talking about IT people, here, a group whose job it is to believe in risk (whether that be from intruders or just hardware failure) and try to mitigate it. They also tend to think in absolutes, and are likely to interpret the question that way (i.e. view it as "no" risk instead of "low" risk). To believe that your data are absolutely safe and that it would be impossible for something bad to happen would seem to me like a sign of incompetence.
Moreover, if there were no perceived risk, many of them would have no jobs. So I'm surprised the number is not higher.
My guess is this survey tells us mostly about how people interpreted the question.
Until someone can quantify these risks, the whole survey is pointless. Although it does make a nice, juicy headline for the innumerate masses.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
From TFA:
I'd be more interested in those who DID believe they could spot a cracker after the fact.
I'm not talking "what's this daemon running on my server" or "why are all these warez on my server".
I'm talking someone cracking your server and copying your data last year. Without installing anything that could be traced.
There are very few people who really know that their systems have not been cracked. And those people would be the ones who would be instantly aware if they were cracked tomorrow.
I'm fighting with our programmers right now about how they should put confidential information on our website. They want to link from the website in our DMZ to the database server behind our firewall. So anyone who can crack the webserver has a direct line to our database server.
But all of the other approaches are "too hard" or "too time consuming".
I don't think I've ever worked with a system that couldn't be breached if someone wanted to bad enough and IT professionals in charge of them are likely to know exactly how to do it. There's a big difference in a system that could possibly be breached by criminals with intimate knowledge of it and a system that is realistically at significant risk. Asking paranoid IT pros if their systems are vulnerable is likely not a great indicator of the likelihood of them being breached. Of course, asking overconfident ones is probably a worse indicator.
I will say that some medical records are probably the easiest things in the world to get a hold of. Small private practices generally don't have the knowledge or resource to properly secure their data. A lot of them leave patients in exam rooms alone with a computer, often connected to the internet, for extended periods of time. Not necessarily bad if decent security practices are in place but again, small practices generally don't have the knowledge to have them or just don't feel the need to enforce them.
I know a guy who did some IT work for several small practices and he still contends that MAC Authentication is about as good as security gets for wireless networks and his clients have all the faith in the world in his judgment. Until those networks get breached and someone leaves enough evidence behind to prove him wrong, its likely those networks will be open to the world.
Plural, you monkeys.
Haida Manga
...Hospital/Reasearch center in a major U.S. city.
May I have your social security number please?
Most companies admit they run Windows.
you had me at #!
> What's worse, 42% did not know and could not exclude a breach, reflecting on the number
> of organizations that could potentially be breached without anyone knowing after the
> fact.
Perhaps that merely indicates that 42% know that it is impossible to exclude the possibility of an undetected breach with absolute certainty.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
In related news, most companies admit they run Windows.
Wow. What a text book troll. Didn't know you still existed (your slashdot ID suggests you're an original slashdot troll).
...
...
Disclaimer: I am no MS fanboy. [This is typed on FF3 on Leopard, but I also run Windows and Ubuntu in VMs.]
Are you just trying the laffy-taffy equivalent of a slashdot joke from 1999? Or do you seriously believe that this security is still a "Microsoft problem"? The problem is that nobody can "comprehend" their large pile of software which is comprised of the foundational pile (languages, APIs, frameworks, etc.) and their own additional pile. To do "security" you really have to do "correctness". Most software vendors cannot even define "correct" behavior for their apps (they're so unwieldy), let alone prove their implementation follows the "correct" behavior model. Here are a couple examples to refresh your aging memory
Debian OpenSSL - SSH keys
Redhat's tight-lipped, who-knows-how-bad-of-shape-we're-in incident that at least required new code signing keys.
Apple's constant delay in shipping patches to all the open source software in their large pile of code they call "OS X"
The stream of iPhone security bugs (and this is our next generation of enterprise messaging portables?)
And the daily deluge of SQLi, Command Exec, XSS, CSRF, PHP file includes, etc., on Milw0rm.
Not even the academics can help us (at least not at the moment). Proving that a program is "safe" for any possible input turns out to be as difficult as the Halting Problem (which is undecidable).
This is all EXACTLY why all the comments that said ~ "I'm more concerned about the security pros who said unauthorized disclosure wasn't possible" are DEAD ON. So, use the following pseudo code to create the correct response
libertarian: (n) socially liberal, financially conservative; neither left, nor right.
It's a tacit admission that's one step away: We don't really care about it.
When it comes to customer data, though, it's nothing a few well-placed convictions for willful negligence won't solve.
Where's the Google Translate tool where "SourceLanguage=PsychoticRamblings"?
libertarian: (n) socially liberal, financially conservative; neither left, nor right.
I'm the Chef Information Security Officer of a large organization based in Manhattan and I'm here to confess - our data is at risk. The CIA's data is at risk, the NSA's data is at risk, everything's at risk. This is something the board knows, and a concept that all business-people understand. So Finjan is essentially telling us how many people understand reality as opposed to describing the magnitude of the "at risk" data population.
Personally, I've dealt with Finjan's "marketing machine" several times and one important thing to note is this -- Finjan is simply a Web proxy that does filtering to mitigate the risk of your employees hitting a malicious site and compromising their workstations.
This is obviously a large concern, because a workstation breach is, in effect, an internal breach and this could be used as a vector to compromise internal data. But Finjan's solution is something that is not unique, and is easily mitigated by other proxies (we use Bluecoat) that offer more functionality, anti-spyware, anti-virus, even using something other than Internet Explorer would be helpful.
The likeliest disclosure usually happen from lost devices - thumb drives, PDAs, Blackberrys, and laptops.
Companies like Finjan use statistics like this in an effort to sell a product that isn't really a market leader. I think some call that FUD.
"Other findings we should be concerned about include 82% of Healthcare IT respondents admitting that medical records are at risk of data-theft" Is anyone else concerned about the 18% of healthcare IT respondents who DON'T think that medical records are at risk? I mean seriously - that's nearly a fifth of the people questioned in charge of IT for the healthcare industry who think that their systems are actually invulnerable to attack. So far as I'm concerned, that kind of attitude is the biggest threat to IT security there is.
If people really understood about information security and countermeasures they'd probably close all their accounts, burn all their personal papers and do all their business under a randomly rotated set of deniable assumed names, in cash. That's pretty much how corporations and political figures do it -- they never do business in their own name without a layer of paper corporations or expendable underlings between themselves and an actual decision. In the current climate that's the only way to reliably build personal brand equity.
It isn't a bad idea actually... But me, I like a little risk. It's the spice of life. Now and then I'll even drink out of a public fountain, or (gasp) check my email over somebody else's network. Not on a Windows box, though. That's not exciting -- just irresponsible.
Help stamp out iliturcy.
I use to be a programmer for a local state mental hospital. They had me make a report that would print each patient's name, physical description, SSN, DOB, and last known address.
I have no idea why they needed the report, but I SURE hope they did a fine job of shredding it when they were done with it.
So our data was as secure as an orderly could make a printed report secure.
An interesting note: Out of every 100 people, 58 knew if they've been breached or not, 25 knew they have been. That's just over 43%. That's the scary part.
"That's so plausible, I can't believe it!" - Leela
Most all data in commercial and government systems are "exposed" or "compromised" to one degree or another virtually all the time. Should each citizen therefore be mailed 100 breach notices every day? Legally and ethically speaking, we do not have a competent definition of what is and is not a security breach. The result is confusion and excessive anxiety on the part of data holders, data subjects, legal authorities and the media. Ben http://hack-igations.blogspot.com/2007/09/definition-of-data-security-breach.html
Benjamin Wright, Dallas, Texas, benjaminwright.us
As I sit here reading this, I am waiting on deployment scripts to finish running for our monthly production deployment. This month is "PCI Compliance" month - lots of security & permissions changes, auditing, etc. going into prod tonight. Should be done in about three hours... :-( ZZZZZzzzzzzzzzzzz...............
The reality of off site backups alone might make a lot of hosting/managed server customers cringe. How many companies go to the expense of security to deliver the off site backups to a safety deposit box in a bank or somewhere similarly secure? How many have the backups sitting for free in the trunk of an employee's car?
Loose lips lose spit.
This security survey from informationweek (registration required) said the same thing. Worse, when you get into the report, few companies are acutally using encryption for back-ups and think physical access control is good enough.
It's a mess out there kids and not getting any better.
I just wonder if the response to this article (or lack of response as compared to responses to a lot of other [types] of articles here on /.) is an indication of the state of concern for this important topic.
cjacobs001