Survey Taken at DEF CON 18 Reveals Overwhelming Majority of
IT Security Professionals Think a Badly Configured Network is the
Main Cause of Network Breaches Because People "Don't Know What to
Look For"
August 31, 2010 - Tufin Technologies today
announced the results of its annual "Hacking Habits" survey,
designed to better understand how trends in the hacking community
impact corporate security teams. Responses from security
professionals attending the DEF CON 18 conference in Las Vegas last
month revealed that 73% came across a misconfigured network more
than three quarters of the time - which, according to 76% of the
sample, was the easiest IT resource to exploit.
Reuven Harrison, Chief Technology Officer and Co-Founder with
the security lifecycle management specialist, was surprised to find
that 58% of respondents also viewed network misconfiguration as
being caused by IT staffers not knowing what to look for when
assessing the status of their network configurations. He said the
survey is notable because more than half the survey respondents
actually work in corporate IT. "The really big question coming out
of the survey," says Harrison, "is how to manage the risk that
organizations run dealing with the complexity that is part and
parcel of any medium-to-large sized company's security operations.
"
This question was answered by Tufin's DEF CON 18 research, which
revealed that 18% of professionals believe misconfigured networks
are the result of insufficient time or money for audits. 14% felt
that compliance audits that don't always capture security best
practices are a factor and 11% felt that threat vectors that change
faster than they can be addressed play a key role.
Automating configuration and security management is the best way
forward to solving this problem, says Harrison. With an increasing
number of self-described black (11%) and grey (46%) hat hackers
landing corporate security positions, the focus has overwhelmingly
been on how easily we can break things - less than 30% of the
sample is motivated by the desire to actually fix broken
systems.
"And when you factor in the issue that 60% of the DEF CON 18
respondents said they had a day job in the corporate world, it's
clear that IT managers need to address the security shortcomings of
their networks by remediating the network misconfiguration issue.
Only by configuring their network resources correctly can companies
hope to beat these security issues," he added. With 75% of
respondents calling themselves hackers, Harrison says that network
managers need to wake up and smell the coffee on the fact that
network misconfiguration is now a primary security issue for their
IT staff.
It's also worth noting that 43% of DEF CON 18 attendees view
planting a rogue member of staff inside a company as one of the
most successful hacking methodologies. When this issue is added to
the sizeable majority of security professionals that come across
misconfigured systems on a regular basis, you begin to realize the
scale of the security problem that networking professionals
face.
"This realization is made worse when you consider that 57% of
the security professionals we surveyed classified themselves as a
black or grey hat hacker, and 68% of respondents admitted hacking
just for fun," he said. With networks so easily penetrated, it's no
surprise that 88% believe the biggest threat to organizations lies
inside the firewall.
It's not all doom and gloom emanating from the DEF CON 18
survey, as Tufin found that 58% of attendees said they did not
believe outsourcing security to a third party increased the chances
of getting hacked, and almost half the sample believe it would not
increase the chances of any sort of security or compliance
issue.
"This disproves the commonly-held theory that the benefits of
outsourcing security are cancelled out by an even greater set of
risks. Security outsourcing has matured to the point where
companies can confidently outsource parts or all of their security
operations - especially when service providers offer automated
tools to help with network management and configuration. With cloud
computing approaching in the fast lane, this has to be good news,"
said Harrison.
Tufin's 'Hacking Habits' survey was conducted amongst 100
registered DEF CON 18 attendees. The 14-question
"Man-on-the-Street" survey was conducted by the registration desk
and outside randomly selected talks over the course of the show.
All responses were voluntary and completely anonymous. For a PDF
containing the survey questions and exact breakdown of responses,
please contact the appropriate regional media contact.
