WEBSITE SECURITY IN CORPORATE AMERICA Automated Scanning

Transcription

1 WEBSITE SECURITY IN CORPORATE AMERICA Survey conducted by IDG Connect on behalf of Symantec

2 IT Managers are Confident, but Corporate America is Running Big Risks We often think of malware as being designed to sit beneath the radar, collecting data in stealth mode, for the purposes of fraud or corporate espionage. Increasingly however, we re witnessing attacks on corporations designed to cause substantial economic losses via wholesale destruction. For example, the Shamoon malware that recently hit Saudi Arabia-based Aramco (the world s largest oil company) and RasGas (a Qatar-based gas company) corrupted files on tens of thousands of workstations, overwriting the Master Boot Records. These malware attacks, which may well have targeted website vulnerabilities, resulted in destruction on an industrial scale. At Aramco, IT professionals were forced to replace 30,000 PCs and laptops. RasGas meanwhile, had to shut down all communications, and the company s website was forced offline 1. In the face of what looks like a new destructive strategy, how secure are the websites of corporate America? We asked 100 IT managers working in small, medium and large companies in the United States. Back came an emphatic answer: 0% How secure is your website(s)? 15% 55% 19% 11% 74% of respondents told us that the sites for which they re responsible are totally secure or very secure. A further 15% said their sites are reasonably secure. The number of respondents who described their corporate websites as insecure was precisely zero. Yet behind this huge vote of confidence in website security, there s cause for concern. 33% of respondents said their organizations never conduct vulnerability scans or assessments of their websites. 11% of respondents replied don t know when asked whether their organizations websites are secure. Asked to describe their level of vulnerability to each of the top six threat vectors identified by Symantec s in-house research, an average of 30% said don t know in each case. In the case of brute force attacks, six out of ten (59%) answered don t know. Overall, 13% answered don t know in the case of all six threats. 38% of respondents said it is very unlikely that their corporate sites are vulnerable to cross-site scripting a technique identified by Symantec, the sponsor of this study, as the no.1 website-based threat to corporate websites. Our survey data suggests that American companies can expect to suffer an online security breach once every four years. Yet a substantial number of companies and organizations appear unprepared. The companies who fail to conduct assessments include small-, medium- and large-sized enterprises, many of them operating in consumer-facing vertical sectors, including entertainment, healthcare and retail. The result is a high stakes game of risk that threatens reputations and revenues right across the economy. (1) BBC News, Shamoon virus targets energy sector infrastructure, 17th August

3 Website Security in Corporate America: How Big are the Risks? How secure is your website(s)? The don t knows: What s the likelihood that your site(s) suffer from the following vulnerabilities? 0% 15% 55% 19% 11% We test for vulnerabilities every month. We never test for vulnerabilities. SMall companies (1-999) MID -SIZEd companies (1,000-4,999) LARGE companies (5,000+)

4 Large Companies and Generalist IT Managers Worry Less Overall, the IT managers we surveyed seem bullishly confident about website security. 19% of respondents told us that their corporate websites are totally secure. A further 55% describe their sites as very secure. Not one of the IT managers we surveyed told us that their companies sites were insecure. Confidence is highest among IT professionals in large organizations (more than 5,000 employees). In large organizations, 83% of IT professionals describe their sites as totally or very secure. Only 3% describe their sites as reasonably secure. Inside mid-sized organizations (1,000-4,999 employees), a slightly smaller proportion of respondents (72%) describe their sites as totally or very secure. However, the number who describe their sites as reasonably secure jumps dramatically to 22%. Inside small companies and organizations (less than 1,000 employees), the number who describe their sites as totally or very secure drops to 65%. Here, the number who opt for reasonably secure is 23%, very close to the number inside mid-sized companies. The data suggests that mid-sized companies have much in common with small companies including confidence levels that are somewhat less bullish than those encountered at large companies. In both small and mid-sized companies, around one-fifth of respondents (22%-23%) lack confidence in the security of their sites to a significant extent. Seniority appears to make no difference to levels of confidence. All of our respondents were IT managers, but some described themselves as decision-makers, while others described themselves as influencers or recommenders. Confidence levels were broadly similar among both groups. However, technically-orientated IT managers were significantly less likely (68%) to describe their organization s sites as very or totally secure when compared with IT managers in general roles (79%). Not surprisingly, technically-orientated IT managers seem more cautious when it comes to making ambitious statements about website security. Perceptions of security, by company size SMall companies (1-999) MID -Sized companies (1,000-4,999) LARGE companies (5,000+)

5 Mid-Sized Companies are Confident, But Few Test Security Monthly When it comes to approaches to security, there doesn t seem to be much in the way of middle ground. Asked when their company last tested its sites for vulnerabilities, respondents were notably polarised between those adopting a keen approach, and those who simply don t bother to test. A substantial majority of respondents say their organizations have conducted a vulnerability assessment recently. 41% say the assessment occurred within the past month. A further 17% say testing occurred between a month and six months ago. At the other extreme, 33% admitted that their corporate sites have never been assessed. We asked an additional question of respondents whose companies had tested recently: How often have you repeated the assessment? Among those organizations where respondents replied every month, confidence levels are notably higher. For example, 39% of those whose organizations conduct monthly vulnerability tests describe their corporate sites as totally secure. By contrast, among those in organizations where sites have been tested during the past 12 months, only 23% describe their sites as totally secure. Inside organizations where testing doesn t occur (33% of the total), the percentage of IT managers describing their sites as totally secure is just 6%. This seems entirely logical. It suggests that IT managers who work in no assessment workplaces understand the risks they are running, at least to some extent. Their lower levels of confidence suggest an awareness that inaction may have consequences. However, the data also points to a degree of baseless optimism. For example, IT managers at mid-sized companies profess to be confident about website security (72% say their sites are very or totally secure). Yet only a very small minority of mid-sized companies (13%) repeat vulnerability tests on a monthly basis. Their confidence may well be misplaced. We have tested for vulnerability in the past six months... SMall companies (1-999) MID -Sized companies (1,000-4,999) LARGE companies (5,000+)... and we repeat our tests every month. Inside small organizations, the same contrast emerges from the data, but it s less marked. 65% say their sites are very or totally secure, while 26% say their organizations repeat tests on a monthly basis. Inside large organizations, 83% describe their sites as very or totally secure. The proportion of respondents who conduct regular monthly tests is 38%. We might well describe the distance between high confidence levels and the relatively low numbers who undertake regular monthly testing as a vulnerability knowledge gap. This gap is most noticeable among mid-sized companies and organizations. Inside small and large organizations, it s less visible, but still a reality.

6 Linked with High Levels of Confidence We asked respondents; who tests their sites, and how do they tackle the job - by using internal assessments, third-party assessments, automated remote scans from an external provider, or in other ways. (Respondents were allowed to choose as many of the answer options as they felt were relevant.) 46% said they used internal assessments. 30% said they used third party assessments. 16% used automated remote scans. 9% said they use other methods. The way in which companies conduct assessments appears to affect IT managers levels of confidence. For example, IT managers whose organizations use automated remote scans tend to be more confident. 42% describe their websites as very secure, while 50% describe their sites as totally secure. IT managers who use internal assessments have slightly lower levels of confidence - only 23% describe their websites as totally secure. Among those using third-party assessment, the percentage who report feeling totally secure declines to 17%. Do these levels of confidence partly reflect other factors, such as the underlying frequency with which assessments are conducted? In the case of frequency at least, the answer seems to be no. Among those apparently hyper-confident users of automated scanning, for example, 58% had conducted a test during the past month, and 42% are repeating tests on a monthly basis. By contrast, a larger proportion of internal assessment users (66%) had conducted a test in the past month, and slightly less of them (45%) repeat tests on a monthly basis. Users of internal assessment, it seems, conduct tests slightly more frequently, yet they remain significantly less confident about security than IT managers whose organizations use automated remote scans. Whichever way you cut the data, automated scanning seems to be associated with higher levels of confidence. The data also suggests a clear difference in the ways in which small, medium and large organizations conduct vulnerability assessments. Large organizations Two-thirds of large organizations favour internal assessment (65%). Around one-third (31%) automated remote scanning and just 23% use third-party assessment. Medium-sized organizations Medium-sized organizations tend to use a combination of internal assessment (48%) and third-party assessment (38%). 5% of mid-sized organizations use automated scanning. Small organizations Small organizations favour internal assessment (40%) and thirdparty assessment (45%). Just 15% of small organizations use automated remote scanning. Our website(s) are totally secure WE USE INTERNAl assessments we use 3 rd pa rty assessments WE use automated scans other

7 IT Managers Fail to Identify Major Threats In developing the research questions for this white paper, we wanted to find a way of comparing generalist IT managers perceptions of specific security threats with the reality in the wild. In particular, we wanted to discover whether generalist IT managers have a view of potential threats that s realistic, or whether they worry about the wrong kind of threats. Symantec, the sponsor of this study, collects data about global threat activity through its Global Intelligence Network. Some of this information is published in Symantec s annual Internet Security Threat Report and in monthly intelligence reports. The team behind Symantec s website, Vulnerability Assessments, also maintain a frequently-revised list of the most prevalent threats in existence 2. However, this list of threats is extremely granular (for example, the sixth most prevalent threat is listed as ISC BIND 9 DNSSEC Bogus NXDOMAIN Response Remote Cache Poisoning Vulnerability ). It seemed unfair to ask generalist IT managers who are not security specialists for their views on such a granular list of threats. Instead, we asked respondents how vulnerable their sites might be to a shorter list of more general threats, each of which we described in something close to everyday language e.g.: information leakage, authorization vulnerabilities. The don t knows: What s the likelihood that your site(s) suffer from the following vulnerabilities? The results were not encouraging. Given six broad categories of threat to assess, our respondents were largely unable to prioritise one as being more prevalent than any of the others. For example, 38% consider it very unlikely that their corporate sites are vulnerable to cross-site scripting despite the fact that CSS is routinely described in studies as the most prevalent website-based security threat. (Symantec s detailed list of vulnerabilities is among those which describe this technique as the most prevalent threat on the website.) Similarly high proportions of respondents feel largely secure against other forms of attack, including content spoofing. 43% say this is very unlikely, authorization vulnerabilities (43%), information leakage (40%), cross-site request forgeries (36%) and brute force attacks (32%). As the graphic on this page suggests, the number of IT managers who say they don t know whether their sites are vulnerable to specific threats is also high. In total, 25% answered don t know in the case of two or more specified threats. Within this group, 13% of all respondents said they didn t know how vulnerable their sites were to any of the six attack vectors mentioned in the question. (2) Symantec Internet Security Threat Report, Vol. 17 Main Report, The report is based on data from the Global Intelligence Network, which Symantec s analysts use to identify, analyse, and provide commentary on emerging trends in attacks, malicious code activity, phishing, and spam.

8 The Don t Cares: Organizations that Don t Run Vulnerability Tests One-third (33%) of respondents told us their organization had never conducted a vulnerability assessment on their websites. Predictably, only very few of these respondents 6% of the entire sample went on to describe their organization s websites as totally secure. This amounts to a clear acknowledgement of risk. By contrast, the proportion of respondents who describe their sites as totally secure rises to 32% inside organizations where testing has taken place in the past month. In organizations where testing has taken place during the past six months, the proportion is 18%. Remarkably, however, almost half of those whose organizations have never tested for vulnerabilities went on to argue that their organizations websites are very secure. Between a quarter and one-third believed it was very unlikely that their organizations websites might be affected by any of the six vulnerabilities we described in general terms (see previous tab). Only one-quarter admitted what seems obvious: that their organizations don t know how secure their websites are. Intriguingly, organization size has little to do with the propensity to willful blindness. The proportion of respondents who said their employer had never conducted tests was surprisingly similar inside small (35% of relevant respondents), medium (34%) and large (30%) organizations. Neither does vertical sector seem to be a factor. IT managers working in the following industries told us that their organizations never conducted vulnerability assessments: finance and banking; travel, entertainment and media; retail and wholesale; telecommunications and technology; healthcare, pharmaceuticals and the public sector. If you don t test for vulnerabilities, are your site(s) secure? NEVER ASSESSED organizations not performing vulnerability assessments how secure is your site?

9 One in Five Companies Breached Every Year For how long can an organization get away with weak security policies? Slightly more than one in ten (13%) of our respondents told us that they had fallen victim to an internet security breach during the past six months. On this basis, the average company in our survey can be expected to suffer a security breach once every four years. (Admittedly, this is a rough rule of thumb: factors other than sheer chance are involved in the selection of target companies.) The most frequently-cited successful vector of attack was information leakage, followed closely by cross-site scripting. However, cross-site scripting was implicated in more breaches resulting in a major impact than information leakage. According to respondents, the impact of security breaches can vary substantially. Around one-third (31%) of the organizations that admit to being breached described the result as a lucky escape, resulting in no impact. A larger group (54%) described the breach as having some impact or a significant impact. A further 15% of respondents cited a major impact. Although Symantec s in-house data suggests that 50% of attacks are targeted at large organizations (with more than 2,500 employees), being a small or mid-sized company is not a guarantee of safety. Small companies (those with less than 1,000 employees) account for 26% of all attacks. 19% of midsized companies in our sample reported experiencing a websitebased security breach during the past six months. In order of frequency, the remedies undertaken by organizations which suffered a security breach included the following: 1. New/improved secure sockets layer (SSL) protection 2. Improved internet security software 3. Improved firewall 4. Outsourced hosting to a secure provider Have you experienced any security breaches in the past six months? SMall companies (1-999) MID -Sized companies (1,000-4,999) LARGE companies (5,000+)

10 IT managers in the United States say they are extremely confident about the security of their organizations websites. A total of 74% say their sites are very or totally secure. Confidence is highest among IT professionals in large organizations (more than 5,000 employees). 83% of these IT professionals describe their sites as totally or very secure. Only 3% say their sites are reasonably secure. Inside small and mid-sized organizations, the percentage of respondents who say their sites are merely reasonably secure jumps to around one in five. The proportion who say their sites are totally or very secure declines to 72% (in the case of mid-sized companies) and 65% (small companies). What explains these high levels of confidence? Some of it comes down to how recently and how frequently vulnerability testing has been carried out. On this, IT managers are polarised. 41% say their employer has conducted a website vulnerability assessment during the past month. However, 33% admitted that their corporate sites have never been tested. Levels of confidence are noticeably lower inside never test workplaces. They re higher where testing has been conducted during the past month. And they re higher still in companies and organizations where testing occurs regularly, every month. Levels of confidence also seem to be higher than average in workplaces where automated remote scanning is used. However, the data also points to a degree of baseless optimism. Almost half of those whose organizations have never tested for vulnerabilities find it possible to argue that their organization s websites are very secure. In particular, IT managers at mid-sized companies profess to be confident about website security (72% say their sites are very or totally secure). Yet only a very small minority of mid-sized companies (13%) repeat vulnerability tests on a monthly basis. Inside small organizations, a similar contrast emerges. 65% say their sites are very or totally secure, yet only 26% say their organizations repeat tests on a monthly basis. All of this points to significant risk-taking. But how credible are the calculations (formal or informal) that underpin such risk-taking? Our data suggests that, on average, one in five companies suffers a security breach every year 1. Among respondents who have suffered breaches, 15% told us that the effect had been major. Website vulnerabilities represent a clear and present danger. It makes sense to protect against them by (for example) using a vulnerability assessment such as that offered free by Symantec with every purchase of an Extended Validation or Pro SSL Certificate. The resulting combination of SSL encryption, vulnerability assessment and website malware scanning helps sites provide visitors with a safer online experience, extending security beyond https to public-facing webpages. By contrast, the approach of organizations that remain complacent remains deeply problematic. Neither consumers nor shareholders can easily tell whether an organization has weak security policies. Both can end up as the victims of an approach to risk management of which they were never aware - and to which they didn t consent. (1) All information contained in this report comes from IDG Connect research, conducted in October 2012 on behalf of Symantec, of 100 IT Professionals across the United States of America.