Tufin Techologies "Hacking Habits" Survey Cites misconfigured networks as the main cause of breaches
Survey taken at DEF CON18 Reveals Overwhelming Majority of IT Security Professionals Think a Badly Configured Network is the Main Cause of Network Breaches Because IT "Don't Know What to Look For"
Reuven Harrison, Chief Technology Officer and Co-Founder with the security lifecycle management specialist, was surprised to find that 58% of respondents also viewed network misconfiguration as being caused by IT staffers not knowing what to look for when assessing the status of their network configurations. He said the survey is notable because more than half the survey respondents actually work in corporate IT. "The really big question coming out of the survey," says Harrison, "is how to manage the risk that organizations run dealing with the complexity that is part and parcel of any mediumtolarge sized company's security operations.
This question was answered by Tufin's DEF CON18 research, which revealed that 18% of professionals believe misconfigured networks are the result of insufficient time or money for audits. 14% felt that compliance audits that don't always capture security best practices are a factor and 11% felt that threat vectors that change faster than they can be addressed play a key role.
Automating configuration and security management is the best way forward to solving this problem, says Harrison. With an increasing number of selfdescribed black (11%) and grey (46%) hat hackers landing corporate security positions, the focus has overwhelmingly been on how easily we can break things - less than 30% of the sample is motivated by the desire to actually fix broken systems.
"And when you factor in the issue that 60% of the DEF CON18 respondents said they had a day job in the corporate world, it's clear that IT managers need to address the security shortcomings of their networks by remediating the network misconfiguration issue. Only by configuring their network resources correctly can companies hope to beat these security issues," he added. With 75% of respondents calling themselves hackers, Harrison says that network managers need to sit up and smell the coffee on the fact that network misconfiguration is now a primary security issue for their IT staff.
It's also worth noting that 43% of DEF CON18 attendees view planting a rogue member of staff inside a company as one of the most successful hacking methodologies. When this issue is added to the sizeable majority of security professionals that come across misconfigured systems on a regular basis, you begin to realize the scale of the security problem that networking professionals face.
"This realization is made worse when you consider that 57% of the security professionals we surveyed classified themselves as a black or grey hat hacker, and 68% of respondents admitted hacking just for fun," he said. With networks so easily penetrated, it's no surprise that 88% believe the biggest threat to organizations lies inside the firewall.
It's not all doom and gloom emanating from the DEF CON18 survey, as Tufin found that 58% of attendees said they did not believe outsourcing security to a third party increased the chances of getting hacked, and almost half the sample believe it would not increase the chances of any sort of security or compliance issue.
"This disproves the commonlyheld theory that the benefits of outsourcing security are cancelled out by an even greater set of risks. Security outsourcing has matured to the point where companies can confidently outsource parts or all of their security operations - especially when service providers offer automated tools to help with network management and configuration. With cloud computing approaching in the fast lane, this has to be good news," said Harrison.
Tufin's 'Hacking Habits' survey was conducted amongst 100 registered DEF CON 18 attendees. The 14question "Manonthe-Street" survey was conducted by the registration desk and outside randomly selected talks over the course of the show. All responses were voluntary and completely anonymous. For a pdf containing the survey questions and exact breakdown of responses, please contact the appropriate regional media contact.
About DEF CON 18
DEF CON is one of the oldest continuous running hacker conventions around, and also one of the largest. The convention, founded by hacker Dark Tangent, (a.k.a Jeff Moss) as a onetime party for an individual hacker. Since then, it has turned into one of the preeminent hacking conventions. The full history of the event can be found in an interview by founder Jeff Moss at http://www.youtube.com/watch?v=lg6bQMTjHCE.
Code to embed into web version of release (so readers can view the video as opposed to having to click on a link)
<object width="500" height="405"><param name="movie" value="http://www.youtube.com/v/lg6bQMTjHCE?fs=1&hl=en_US&rel=0&border=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/lg6bQMTjHCE?fs=1&hl=en_US&rel=0&border=1" type="application/xshockwaveflash" allowscriptaccess="always" allowfullscreen="true" width="500" height="405"></embed></object>
Tufin(TM) is the leading provider of Security Lifecycle Management solutions that enable companies to costeffectively manage their network security policy, comply with regulatory standards, and minimize IT risk. Tufin's products SecureTrack(TM) and SecureChange(TM) Workflow help security operations teams to manage change, minimize risks and dramatically reduce manual, repetitive tasks through automation. With a combination of accuracy and simplicity, Tufin empowers security officers to perform reliable audits and demonstrate compliance with corporate and government standards. Founded in 2005 by leading firewall and business systems experts, Tufin serves more than 550 customers in industries from telecom and financial services to energy, transportation and pharmaceuticals. A respected member of the network security community, Tufin partners with leading vendors including Check Point, Cisco, Juniper Networks, Fortinet and F5, and is committed to setting the gold standard for technological innovation and dedicated customer service. For more information visit www.tufin.com, or follow Tufin on:
Twitter at http://twitter.com/TufinTech,
LinkedIn at http://www.linkedin.com/...,
FaceBook at http://www.facebook.com/...,
The Tufin Blog at http://tufintech.wordpress.com/...,