WEBSITE SECURITY IN CORPORATE AMERICA Automated Scanning
- Gordon Hubbard
- 8 years ago
WEBSITE SECURITY IN CORPORATE AMERICA
Survey conducted by IDG Connect on behalf of Symantec
IT Managers are Confident, but Corporate America is Running Big Risks

We often think of malware as being designed to sit beneath the radar, collecting data in stealth mode, for the purposes of fraud or corporate espionage. Increasingly, however, we're witnessing attacks on corporations designed to cause substantial economic losses via wholesale destruction. For example, the Shamoon malware that recently hit Saudi Arabia-based Aramco (the world's largest oil company) and RasGas (a Qatar-based gas company) corrupted files on tens of thousands of workstations, overwriting the Master Boot Records. These malware attacks, which may well have targeted website vulnerabilities, resulted in destruction on an industrial scale. At Aramco, IT professionals were forced to replace 30,000 PCs and laptops. RasGas, meanwhile, had to shut down all communications, and the company's website was forced offline (1).

In the face of what looks like a new destructive strategy, how secure are the websites of corporate America? We asked 100 IT managers working in small, medium and large companies in the United States. Back came an emphatic answer:

[Chart: How secure is your website(s)? 0%, 15%, 55%, 19%, 11%]

74% of respondents told us that the sites for which they're responsible are totally secure or very secure. A further 15% said their sites are reasonably secure. The number of respondents who described their corporate websites as insecure was precisely zero.

Yet behind this huge vote of confidence in website security, there's cause for concern. 33% of respondents said their organizations never conduct vulnerability scans or assessments of their websites. 11% of respondents replied "don't know" when asked whether their organizations' websites are secure. Asked to describe their level of vulnerability to each of the top six threat vectors identified by Symantec's in-house research, an average of 30% said "don't know" in each case. In the case of brute force attacks, six out of ten (59%) answered "don't know". Overall, 13% answered "don't know" in the case of all six threats. 38% of respondents said it is very unlikely that their corporate sites are vulnerable to cross-site scripting, a technique identified by Symantec (the sponsor of this study) as the no. 1 website-based threat to corporate websites.

Our survey data suggests that American companies can expect to suffer an online security breach once every four years. Yet a substantial number of companies and organizations appear unprepared. The companies who fail to conduct assessments include small-, medium- and large-sized enterprises, many of them operating in consumer-facing vertical sectors, including entertainment, healthcare and retail. The result is a high stakes game of risk that threatens reputations and revenues right across the economy.

(1) BBC News, Shamoon virus targets energy sector infrastructure, 17th August
Website Security in Corporate America: How Big are the Risks?

[Infographic. Panels: "How secure is your website(s)?" (0%, 15%, 55%, 19%, 11%); "The don't knows: What's the likelihood that your site(s) suffer from the following vulnerabilities?"; "We test for vulnerabilities every month." and "We never test for vulnerabilities.", each by company size: small companies (1-999), mid-sized companies (1,000-4,999), large companies (5,000+)]
Large Companies and Generalist IT Managers Worry Less

Overall, the IT managers we surveyed seem bullishly confident about website security. 19% of respondents told us that their corporate websites are totally secure. A further 55% describe their sites as very secure. Not one of the IT managers we surveyed told us that their companies' sites were insecure.

Confidence is highest among IT professionals in large organizations (more than 5,000 employees). In large organizations, 83% of IT professionals describe their sites as totally or very secure. Only 3% describe their sites as reasonably secure.

Inside mid-sized organizations (1,000-4,999 employees), a slightly smaller proportion of respondents (72%) describe their sites as totally or very secure. However, the number who describe their sites as reasonably secure jumps dramatically to 22%.

Inside small companies and organizations (less than 1,000 employees), the number who describe their sites as totally or very secure drops to 65%. Here, the number who opt for reasonably secure is 23%, very close to the number inside mid-sized companies.

The data suggests that mid-sized companies have much in common with small companies, including confidence levels that are somewhat less bullish than those encountered at large companies. In both small and mid-sized companies, around one-fifth of respondents (22%-23%) lack confidence in the security of their sites to a significant extent.

Seniority appears to make no difference to levels of confidence. All of our respondents were IT managers, but some described themselves as decision-makers, while others described themselves as influencers or recommenders. Confidence levels were broadly similar among both groups. However, technically-orientated IT managers were significantly less likely (68%) to describe their organization's sites as very or totally secure when compared with IT managers in general roles (79%). Not surprisingly, technically-orientated IT managers seem more cautious when it comes to making ambitious statements about website security.

[Chart: Perceptions of security, by company size. Small companies (1-999), mid-sized companies (1,000-4,999), large companies (5,000+)]
Mid-Sized Companies are Confident, But Few Test Security Monthly

When it comes to approaches to security, there doesn't seem to be much in the way of middle ground. Asked when their company last tested its sites for vulnerabilities, respondents were notably polarised between those adopting a keen approach, and those who simply don't bother to test.

A substantial majority of respondents say their organizations have conducted a vulnerability assessment recently. 41% say the assessment occurred within the past month. A further 17% say testing occurred between a month and six months ago. At the other extreme, 33% admitted that their corporate sites have never been assessed.

We asked an additional question of respondents whose companies had tested recently: How often have you repeated the assessment? Among those organizations where respondents replied "every month", confidence levels are notably higher. For example, 39% of those whose organizations conduct monthly vulnerability tests describe their corporate sites as totally secure. By contrast, among those in organizations where sites have been tested during the past 12 months, only 23% describe their sites as totally secure.

Inside organizations where testing doesn't occur (33% of the total), the percentage of IT managers describing their sites as totally secure is just 6%. This seems entirely logical. It suggests that IT managers who work in "no assessment" workplaces understand the risks they are running, at least to some extent. Their lower levels of confidence suggest an awareness that inaction may have consequences.

However, the data also points to a degree of baseless optimism. For example, IT managers at mid-sized companies profess to be confident about website security (72% say their sites are very or totally secure). Yet only a very small minority of mid-sized companies (13%) repeat vulnerability tests on a monthly basis. Their confidence may well be misplaced.

[Chart: "We have tested for vulnerability in the past six months... and we repeat our tests every month." Small companies (1-999), mid-sized companies (1,000-4,999), large companies (5,000+)]

Inside small organizations, the same contrast emerges from the data, but it's less marked. 65% say their sites are very or totally secure, while 26% say their organizations repeat tests on a monthly basis. Inside large organizations, 83% describe their sites as very or totally secure. The proportion of respondents who conduct regular monthly tests is 38%.

We might well describe the distance between high confidence levels and the relatively low numbers who undertake regular monthly testing as a "vulnerability knowledge gap". This gap is most noticeable among mid-sized companies and organizations. Inside small and large organizations, it's less visible, but still a reality.
Linked with High Levels of Confidence

We asked respondents who tests their sites, and how they tackle the job: by using internal assessments, third-party assessments, automated remote scans from an external provider, or in other ways. (Respondents were allowed to choose as many of the answer options as they felt were relevant.) 46% said they used internal assessments. 30% said they used third-party assessments. 16% used automated remote scans. 9% said they use other methods.

The way in which companies conduct assessments appears to affect IT managers' levels of confidence. For example, IT managers whose organizations use automated remote scans tend to be more confident. 42% describe their websites as very secure, while 50% describe their sites as totally secure. IT managers who use internal assessments have slightly lower levels of confidence - only 23% describe their websites as totally secure. Among those using third-party assessment, the percentage who report feeling totally secure declines to 17%.

Do these levels of confidence partly reflect other factors, such as the underlying frequency with which assessments are conducted? In the case of frequency at least, the answer seems to be no. Among those apparently hyper-confident users of automated scanning, for example, 58% had conducted a test during the past month, and 42% are repeating tests on a monthly basis. By contrast, a larger proportion of internal assessment users (66%) had conducted a test in the past month, and slightly more of them (45%) repeat tests on a monthly basis. Users of internal assessment, it seems, conduct tests slightly more frequently, yet they remain significantly less confident about security than IT managers whose organizations use automated remote scans. Whichever way you cut the data, automated scanning seems to be associated with higher levels of confidence.

The data also suggests a clear difference in the ways in which small, medium and large organizations conduct vulnerability assessments.

Large organizations
Two-thirds of large organizations favour internal assessment (65%). Around one-third (31%) use automated remote scanning and just 23% use third-party assessment.

Medium-sized organizations
Medium-sized organizations tend to use a combination of internal assessment (48%) and third-party assessment (38%). 5% of mid-sized organizations use automated scanning.

Small organizations
Small organizations favour internal assessment (40%) and third-party assessment (45%). Just 15% of small organizations use automated remote scanning.

[Chart: "Our website(s) are totally secure", by assessment method: we use internal assessments, we use 3rd party assessments, we use automated scans, other]
IT Managers Fail to Identify Major Threats

In developing the research questions for this white paper, we wanted to find a way of comparing generalist IT managers' perceptions of specific security threats with the reality in the wild. In particular, we wanted to discover whether generalist IT managers have a view of potential threats that's realistic, or whether they worry about the wrong kind of threats.

Symantec, the sponsor of this study, collects data about global threat activity through its Global Intelligence Network. Some of this information is published in Symantec's annual Internet Security Threat Report and in monthly intelligence reports. The team behind Symantec's website, Vulnerability Assessments, also maintain a frequently-revised list of the most prevalent threats in existence (2).

However, this list of threats is extremely granular (for example, the sixth most prevalent threat is listed as "ISC BIND 9 DNSSEC Bogus NXDOMAIN Response Remote Cache Poisoning Vulnerability"). It seemed unfair to ask generalist IT managers who are not security specialists for their views on such a granular list of threats. Instead, we asked respondents how vulnerable their sites might be to a shorter list of more general threats, each of which we described in something close to everyday language, e.g. information leakage, authorization vulnerabilities.

[Chart: The don't knows: What's the likelihood that your site(s) suffer from the following vulnerabilities?]

The results were not encouraging. Given six broad categories of threat to assess, our respondents were largely unable to prioritise one as being more prevalent than any of the others. For example, 38% consider it very unlikely that their corporate sites are vulnerable to cross-site scripting, despite the fact that CSS is routinely described in studies as the most prevalent website-based security threat. (Symantec's detailed list of vulnerabilities is among those which describe this technique as the most prevalent threat on the website.)

Similarly high proportions of respondents feel largely secure against other forms of attack, including content spoofing (43% say this is very unlikely), authorization vulnerabilities (43%), information leakage (40%), cross-site request forgeries (36%) and brute force attacks (32%).

As the graphic on this page suggests, the number of IT managers who say they don't know whether their sites are vulnerable to specific threats is also high. In total, 25% answered "don't know" in the case of two or more specified threats. Within this group, 13% of all respondents said they didn't know how vulnerable their sites were to any of the six attack vectors mentioned in the question.

(2) Symantec Internet Security Threat Report, Vol. 17 Main Report, The report is based on data from the Global Intelligence Network, which Symantec's analysts use to identify, analyse, and provide commentary on emerging trends in attacks, malicious code activity, phishing, and spam.
The Don't Cares: Organizations that Don't Run Vulnerability Tests

One-third (33%) of respondents told us their organization had never conducted a vulnerability assessment on their websites. Predictably, only very few of these respondents (6% of the entire sample) went on to describe their organization's websites as totally secure. This amounts to a clear acknowledgement of risk.

By contrast, the proportion of respondents who describe their sites as totally secure rises to 32% inside organizations where testing has taken place in the past month. In organizations where testing has taken place during the past six months, the proportion is 18%.

Remarkably, however, almost half of those whose organizations have never tested for vulnerabilities went on to argue that their organizations' websites are very secure. Between a quarter and one-third believed it was very unlikely that their organizations' websites might be affected by any of the six vulnerabilities we described in general terms (see previous tab). Only one-quarter admitted what seems obvious: that their organizations don't know how secure their websites are.

Intriguingly, organization size has little to do with the propensity to willful blindness. The proportion of respondents who said their employer had never conducted tests was surprisingly similar inside small (35% of relevant respondents), medium (34%) and large (30%) organizations.

Neither does vertical sector seem to be a factor. IT managers working in the following industries told us that their organizations never conducted vulnerability assessments: finance and banking; travel, entertainment and media; retail and wholesale; telecommunications and technology; healthcare, pharmaceuticals and the public sector.

[Chart: If you don't test for vulnerabilities, are your site(s) secure? Never assessed: organizations not performing vulnerability assessments. How secure is your site?]
One in Five Companies Breached Every Year

For how long can an organization get away with weak security policies? Slightly more than one in ten (13%) of our respondents told us that they had fallen victim to an internet security breach during the past six months. On this basis, the average company in our survey can be expected to suffer a security breach once every four years. (Admittedly, this is a rough rule of thumb: factors other than sheer chance are involved in the selection of target companies.)

The most frequently-cited successful vector of attack was information leakage, followed closely by cross-site scripting. However, cross-site scripting was implicated in more breaches resulting in a major impact than information leakage.

According to respondents, the impact of security breaches can vary substantially. Around one-third (31%) of the organizations that admit to being breached described the result as a lucky escape, resulting in no impact. A larger group (54%) described the breach as having some impact or a significant impact. A further 15% of respondents cited a major impact.

Although Symantec's in-house data suggests that 50% of attacks are targeted at large organizations (with more than 2,500 employees), being a small or mid-sized company is not a guarantee of safety. Small companies (those with less than 1,000 employees) account for 26% of all attacks. 19% of mid-sized companies in our sample reported experiencing a website-based security breach during the past six months.

In order of frequency, the remedies undertaken by organizations which suffered a security breach included the following:

1. New/improved secure sockets layer (SSL) protection
2. Improved internet security software
3. Improved firewall
4. Outsourced hosting to a secure provider

[Chart: Have you experienced any security breaches in the past six months? Small companies (1-999), mid-sized companies (1,000-4,999), large companies (5,000+)]
IT managers in the United States say they are extremely confident about the security of their organizations' websites. A total of 74% say their sites are very or totally secure.

Confidence is highest among IT professionals in large organizations (more than 5,000 employees). 83% of these IT professionals describe their sites as totally or very secure. Only 3% say their sites are reasonably secure. Inside small and mid-sized organizations, the percentage of respondents who say their sites are merely reasonably secure jumps to around one in five. The proportion who say their sites are totally or very secure declines to 72% (in the case of mid-sized companies) and 65% (small companies).

What explains these high levels of confidence? Some of it comes down to how recently and how frequently vulnerability testing has been carried out. On this, IT managers are polarised. 41% say their employer has conducted a website vulnerability assessment during the past month. However, 33% admitted that their corporate sites have never been tested.

Levels of confidence are noticeably lower inside "never test" workplaces. They're higher where testing has been conducted during the past month. And they're higher still in companies and organizations where testing occurs regularly, every month. Levels of confidence also seem to be higher than average in workplaces where automated remote scanning is used.

However, the data also points to a degree of baseless optimism. Almost half of those whose organizations have never tested for vulnerabilities find it possible to argue that their organization's websites are very secure. In particular, IT managers at mid-sized companies profess to be confident about website security (72% say their sites are very or totally secure). Yet only a very small minority of mid-sized companies (13%) repeat vulnerability tests on a monthly basis. Inside small organizations, a similar contrast emerges. 65% say their sites are very or totally secure, yet only 26% say their organizations repeat tests on a monthly basis.

All of this points to significant risk-taking. But how credible are the calculations (formal or informal) that underpin such risk-taking? Our data suggests that, on average, one in five companies suffers a security breach every year (1). Among respondents who have suffered breaches, 15% told us that the effect had been major.

Website vulnerabilities represent a clear and present danger. It makes sense to protect against them by (for example) using a vulnerability assessment such as that offered free by Symantec with every purchase of an Extended Validation or Pro SSL Certificate. The resulting combination of SSL encryption, vulnerability assessment and website malware scanning helps sites provide visitors with a safer online experience, extending security beyond https to public-facing webpages.

By contrast, the approach of organizations that remain complacent remains deeply problematic. Neither consumers nor shareholders can easily tell whether an organization has weak security policies. Both can end up as the victims of an approach to risk management of which they were never aware - and to which they didn't consent.

(1) All information contained in this report comes from IDG Connect research, conducted in October 2012 on behalf of Symantec, of 100 IT Professionals across the United States of America.
More informationThe Benefits of SSL Content Inspection ABSTRACT
The Benefits of SSL Content Inspection ABSTRACT SSL encryption is the de-facto encryption technology for delivering secure Web browsing and the benefits it provides is driving the levels of SSL traffic
More informationNine Steps to Smart Security for Small Businesses
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More information2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security
2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security Commissioned by ID Experts November 2009 INTRODUCTION Healthcare breaches are on the rise; according to the 2009
More informationNetwork Security Landscape
Cole p01.tex V3-07/28/2009 3:46pm Page 1 Network Security Landscape COPYRIGHTED MATERIAL IN THIS PART Chapter 1 State of Network Security Chapter 2 New Approaches to Cyber Security Chapter 3 Interfacing
More informationReducing the Cost and Complexity of Web Vulnerability Management
WHITE PAPER: REDUCING THE COST AND COMPLEXITY OF WEB..... VULNERABILITY.............. MANAGEMENT..................... Reducing the Cost and Complexity of Web Vulnerability Management Who should read this
More information2015 TRUSTWAVE GLOBAL SECURITY REPORT
2015 TRUSTWAVE GLOBAL SECURITY REPORT Rahul Samant Trustwave Australia WHY DO CYBERCRIMINALS DO WHAT THEY DO? 1,425% Return on Investment (ROI) Estimated ROI for a one-month ransomware campaign Based on
More informationHow To Protect Your Business From A Cyber Attack
Intelligence FIRST helping your business make better decisions Cyber security Keeping your business resilient Cyber security is about keeping your business resilient in the modern technological age. It
More information2015 State of the Network SURVEY. Exclusive Research from Network World
2015 State of the Network SURVEY Exclusive Research from Network World EXECUTIVE SUMMARY Networking Advancements Are Leading to IT Transformation Security and cloud drive technology decisions The transformation
More informationHope for the best, prepare for the worst:
Hope for the best, prepare for the worst: Why your customers will demand self-service back-up Presented by Ridley Ruth, COO 2014 a record year for hacking! 100K+ WordPress sites infected by mysterious
More information2012 NCSA / Symantec. National Small Business Study
2012 NCSA / Symantec National Small Business Study National Cyber Security Alliance Symantec JZ Analytics October 2012 Methodology and Sample Characteristics JZ Analytics was commissioned by the National
More informationADC Survey GLOBAL FINDINGS
ADC Survey GLOBAL FINDINGS CONTENTS Executive Summary...4 Methodology....8 Finding 1: Attacks Getting More Difficult to Defend... 10 Finding 2: Attacks Driving High Costs to Organizations.... 14 Finding
More informationSimplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks
Smartphones and tablets are invading the workplace along with the security risks they bring with them. Every day these devices go unchecked by standard vulnerability management processes, even as malware
More informationCYBER STREETWISE. Open for Business
CYBER STREETWISE Open for Business As digital technologies transform the way we live and work, they also change the way that business is being done. There are massive opportunities for businesses that
More informationThe battle to contain fraud is as old as
22 SPONSORED FEATURE COMBATTING DIGITAL FRAUD Combatting digital fraud Combatting digital fraud has become a strategic business issue for today s CIOs. The battle to contain fraud is as old as business
More informationMobile Security Landscape in 2014 - A Report
The Mobile Security Landscape in 2014 Securing BYOD in today s connected workplace A report by: Copyright 2014. All rights Reserved. The Role for Mobile Operators in Enterprise Mobility Security Working
More informationADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT
ADDING NETWORK INTELLIGENCE INTRODUCTION Vulnerability management is crucial to network security. Not only are known vulnerabilities propagating dramatically, but so is their severity and complexity. Organizations
More informationThe Impact of Cybercrime on Business
The Impact of Cybercrime on Business Studies of IT practitioners in the United States, United Kingdom, Germany, Hong Kong and Brazil Sponsored by Check Point Software Technologies Independently conducted
More informationPublic-Facing Websites: A Loaded Gun Pointing at Customers, Partners and Employees
Public-Facing Websites: A Loaded Gun Pointing at Customers, Partners and Employees The Importance of Incorporating Digital Property Security Into Your IT Strategy Public-Facing Websites: A Loaded Gun Pointing
More informationBEST PRACTICE GUIDE TO SMALL BUSINESS PROTECTION: BACKUP YOUR SMALL BUSINESS INFORMATION
BEST PRACTICE GUIDE TO SMALL BUSINESS PROTECTION: BACKUP YOUR SMALL BUSINESS INFORMATION ENTER YOUR BUSINESS depends on electronic customer lists, confidential information and business records. Protecting
More informationEnd to End Security do Endpoint ao Datacenter
do Endpoint ao Datacenter Piero DePaoli & Leandro Vicente Security Product Marketing & Systems Engineering 1 Agenda 1 Today s Threat Landscape 2 From Endpoint: Symantec Endpoint Protection 3 To Datacenter:
More informationSMALL BUSINESS PRESENTATION
STOP.THINK.CONNECT NATIONAL CYBERSECURITY AWARENESS CAMPAIGN SMALL BUSINESS PRESENTATION ABOUT STOP.THINK.CONNECT. In 2009, President Obama issued the Cyberspace Policy Review, which tasked the Department
More informationDAMAGE CONTROL: THE COST OF SECURITY BREACHES IT SECURITY RISKS SPECIAL REPORT SERIES
DAMAGE CONTROL: THE COST OF SECURITY BREACHES IT SECURITY RISKS SPECIAL REPORT SERIES Kaspersky Lab 2 Corporate IT Security Risks Survey details: More than 5500 companies in 26 countries around the world
More informationSYMANTEC 2010 SMB INFORMATION PROTECTION SURVEY. Symantec 2010 SMB Information Protection Survey. Global Data
SYMANTEC 2010 SMB INFORMATION PROTECTION SURVEY Symantec 2010 SMB Information Protection Survey Global Data June 2010 CONTENTS Executive Summary...3 Methodology...4 Finding 1: SMBs serious about information
More informationIntegrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com
SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration
More informationInternet threats: steps to security for your small business
Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential
More informationYOUR HIPAA RISK ANALYSIS IN FIVE STEPS
Ebook YOUR HIPAA RISK ANALYSIS IN FIVE STEPS A HOW-TO GUIDE FOR YOUR HIPAA RISK ANALYSIS AND MANAGEMENT PLAN 2015 SecurityMetrics YOUR HIPAA RISK ANALYSIS IN FIVE STEPS 1 YOUR HIPAA RISK ANALYSIS IN FIVE
More informationBuilding a Business Case:
Building a Business Case: Cloud-Based Security for Small and Medium-Size Businesses table of contents + Key Business Drivers... 3... 4... 6 A TechTarget White Paper brought to you by Investing in IT security
More informationBUSINESS SURVEYS 2015
February 2016 BUSINESS SURVEYS 2015 The state of information security in companies in the EMEA region, and the attitudes of their IT experts and managers CONTENTS Executive summary............................
More informationGLOBAL IT SECURITY RISKS SURVEY 2014 DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACKS
GLOBAL IT SECURITY RISKS SURVEY 2014 DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACKS Table of Contents THE MAIN FINDINGS... 2 METHODOLOGY... 4 DDOS ATTACK FREQUENCEY... 5 FINANCIAL AND REPUTATIONAL IMPACT...
More informationClaranet cloud market report 2012
Claranet cloud market report 2012 Adoption trends in cloud computing For more information: claranet.co.uk - twitter.com/claranet To book an appointment or to discuss our cloud services: Call us: 0845 355
More informationCyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO 63416 p 314.439.4700 f 314.439.4799
Cyber Security An Executive Imperative for Business Owners SSE Network Services www.ssenetwork.com 77 Westport Plaza, St. Louis, MO 63416 p 314.439.4700 f 314.439.4799 Pretecht SM by SSE predicts and remedies
More informationSmall and Midsize Business Protection Guide
P r o t e c t i o n G u i d e : C l o s e t h e P r o t e c t i o n G a p Small and Midsize Business Protection Guide Close the protection gap and safeguard your business future Confidence in a connected
More informationIBM X-Force 2012 Cyber Security Threat Landscape
IBM X-Force 2012 Cyber Security Threat Landscape Johan Celis X-Force R&D Spokesperson Security Channel Sales Leader BeNeLux 1 Mission IBM Security Systems To protect our customers from security threats
More informationCybersecurity Report on Small Business: Study Shows Gap between Needs and Actions
SURVEY REPORT: cyber security Cybersecurity Report on Small Business: Study Shows Gap between Needs and Actions Confidence in a connected world. Executive summary An online survey revealed that while U.S.
More informationNational Cybersecurity Awareness Campaign
National Cybersecurity Awareness Campaign About Stop.Think.Connect. In 2009, President Obama issued the Cyberspace Policy Review, which tasked the Department of Homeland Security with creating an ongoing
More informationWhat a Vulnerability Assessment Scanner Can t Tell You. Leveraging Network Context to Prioritize Remediation Efforts and Identify Options
White paper What a Vulnerability Assessment Scanner Can t Tell You Leveraging Network Context to Prioritize Remediation Efforts and Identify Options november 2011 WHITE PAPER RedSeal Networks, Inc. 3965
More information2012 Endpoint Security Best Practices Survey
WHITE PAPER: 2012 ENDPOINT SECURITY BEST PRACTICES SURVEY........................................ 2012 Endpoint Security Best Practices Survey Who should read this paper Small and medium business owners
More informationWhat s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.
What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current
More informationProtecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall
Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall A FORTINET WHITE PAPER www.fortinet.com Introduction Denial of Service attacks are rapidly becoming a popular attack vector used
More informationState of Web Application Security U.S. Survey of IT & IT security practitioners
State of Web Application Security U.S. Survey of IT & IT security practitioners Sponsored by Cenzic & Barracuda Networks Independently conducted by Ponemon Institute LLC Publication Date: March 2011 Ponemon
More informationWHITE PAPER WHAT HAPPENED?
WHITE PAPER WHAT HAPPENED? ENSURING YOU HAVE THE DATA YOU NEED FOR EFFECTIVE FORENSICS AFTER A DATA BREACH Over the past ten years there have been more than 75 data breaches in which a million or more
More informationVOLUME 4. State of Software Security Report. The Intractable Problem of Insecure Software
VOLUME 4 State of Software Security Report The Intractable Problem of Insecure Software December 7, 2011 Executive Summary The following are some of the most significant findings in the Veracode State
More informationAre You Ready for PCI 3.1?
Are You Ready for PCI 3.1? Are You Ready for PCI 3.1? If your hotel is not PCI compliant, it should be. Every time a customer hands over their credit card, they trust your hotel to keep their information
More informationCutting the Cost of Application Security
WHITE PAPER Cutting the Cost of Application Security Web application attacks can result in devastating data breaches and application downtime, costing companies millions of dollars in fines, brand damage,
More informationTop five strategies for combating modern threats Is anti-virus dead?
Top five strategies for combating modern threats Is anti-virus dead? Today s fast, targeted, silent threats take advantage of the open network and new technologies that support an increasingly mobile workforce.
More informationRETHINKING CYBER SECURITY Changing the Business Conversation
RETHINKING CYBER SECURITY Changing the Business Conversation October 2015 Introduction: Diane Smith Michigan Delegate Higher Education Conference Speaker Board Member 2 1 1. Historical Review Agenda 2.
More informationIncident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com
Incident Response Six Best Practices for Managing Cyber Breaches www.encase.com What We ll Cover Your Challenges in Incident Response Six Best Practices for Managing a Cyber Breach In Depth: Best Practices
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationSurvey: Endpoint Security Concerns 2014 The issues keeping IT admins awake into the New Year
Survey: Endpoint Security Concerns 2014 The issues keeping IT admins awake into the New Year Intro 2014 has created uncertainty for those in charge of IT security. Not only is the threat landscape advancing
More informationWeb Vulnerability Scanner by Using HTTP Method
Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 4, Issue. 9, September 2015,
More informationGuide. Email is vital - but it s not your business!
Email is vital - but it s not your business! Businesses around the world send around 100 billion emails every day and the volume shows no sign of abating any time soon. Indeed, according to research from
More informationWHITE PAPER. PCI Compliance: Are UK Businesses Ready?
WHITE PAPER PCI Compliance: Are UK Businesses Ready? Executive Summary The Payment Card Industry Data Security Standard (PCI DSS), one of the most prescriptive data protection standards ever developed,
More informationData loss prevention and endpoint security. Survey findings
Data loss prevention and endpoint security Survey findings Table of Contents Overview 3 Executive summary 4 Half of companies have lost confidential information through removable media 5 Intellectual property
More informationState of the Web 2015: Vulnerability Report. March 2015. 2015 Menlo Security Alright Reserved
State of the Web 2015: Vulnerability Report March 2015 Motivation In February 2015, security researchers http://www.isightpartners.com/2015/02/codoso/ reported that Forbes.com had been hacked. The duration
More information