
IDG Connect is the demand generation division of International Data Group (IDG), the world’s largest technology media company. Established in 2005, it utilises access to 38 million business decision makers’ details to unite technology marketers with relevant targets from any country in the world. Committed to engaging a disparate global IT audience with truly localised messaging, IDG Connect also publishes market specific thought leadership papers on behalf of its clients, and produces research for B2B marketers worldwide. For more information visit: www.idgconnectmarketers.com

WEBSITE SECURITY IN CORPORATE AMERICA

Survey conducted by IDG Connect on behalf of Symantec

Contents: Cover Sheet; Introduction; Infographic Summary; How Secure Are You?; Testing Boosts Confidence; Automated Scanning; Threat? What Threat?; Don’t Know? Don’t Care...; What’s the Risk?; Conclusion


IT Managers are Confident, but Corporate America is Running Big Risks

We often think of malware as being designed to sit beneath the radar, collecting data in stealth mode, for the purposes of fraud or corporate espionage.

Increasingly, however, we’re witnessing attacks on corporations designed to cause substantial economic losses via wholesale destruction. For example, the Shamoon malware that recently hit Saudi Arabia-based Aramco (the world’s largest oil company) and RasGas (a Qatar-based gas company) corrupted files on tens of thousands of workstations, overwriting their Master Boot Records. The initial point of entry in these attacks has not been publicly confirmed, and website vulnerabilities are one possibility; whatever the vector, the result was destruction on an industrial scale. At Aramco, IT professionals were forced to replace 30,000 PCs and laptops. RasGas, meanwhile, had to shut down all email communications, and the company’s website was forced offline (1).

In the face of what looks like a new destructive strategy, how secure are the websites of corporate America? We asked 100 IT managers working in small, medium and large companies in the United States. Back came an emphatic answer:

74% of respondents told us that the sites for which they’re responsible are “totally secure” or “very secure”.

A further 15% said their sites are “reasonably secure”. The number of respondents who described their corporate websites as insecure was precisely zero.

Yet behind this huge vote of confidence in website security, there’s cause for concern.

• 33% of respondents said their organizations never conduct vulnerability scans or assessments of their websites.

• 11% of respondents replied “don’t know” when asked whether their organizations’ websites are secure.

• Asked to describe their level of vulnerability to each of the top six threat vectors identified by Symantec’s in-house research, an average of 30% said “don’t know” in each case. In the case of brute force attacks, six out of ten (59%) answered “don’t know”.

• Overall, 13% answered “don’t know” in the case of all six threats.

• 38% of respondents said it is very unlikely that their corporate sites are vulnerable to cross-site scripting – a technique identified by Symantec, the sponsor of this study, as the no.1 website-based threat to corporate websites.

Our survey data suggests that American companies can expect to suffer an online security breach once every four years. Yet a substantial number of companies and organizations appear unprepared.

The companies that fail to conduct assessments include small-, medium- and large-sized enterprises, many of them operating in consumer-facing vertical sectors, including entertainment, healthcare and retail. The result is a high-stakes game of risk that threatens reputations and revenues right across the economy.

(1) BBC News, “Shamoon virus targets energy sector infrastructure”, 17th August 2012, http://www.bbc.co.uk/news/technology-19293797

[Chart: How secure is your website(s)? Totally secure 19%; very secure 55%; reasonably secure 15%; don’t know 11%]


Infographic Summary: Website Security in Corporate America: How Big are the Risks?

[Infographic panels: “How secure is your website(s)?” (totally secure 19%; very secure 55%; reasonably secure 15%; don’t know 11%); “The don’t knows: What’s the likelihood that your site(s) suffer from the following vulnerabilities?”; “We test for vulnerabilities every month” versus “We never test for vulnerabilities”, broken down by company size: small (1-999 employees), mid-sized (1,000-4,999) and large (5,000+)]


Large Companies and Generalist IT Managers Worry Less

Overall, the IT managers we surveyed seem bullishly confident about website security. 19% of respondents told us that their corporate websites are “totally secure”. A further 55% describe their sites as “very secure”. Not one of the IT managers we surveyed told us that their companies’ sites were insecure.

Confidence is highest among IT professionals in large organizations (more than 5,000 employees). In large organizations, 83% of IT professionals describe their sites as “totally” or “very” secure. Only 3% describe their sites as “reasonably secure”. Inside mid-sized organizations (1,000-4,999 employees), a slightly smaller proportion of respondents (72%) describe their sites as “totally” or “very” secure.

However, the number who describe their sites as “reasonably secure” jumps dramatically – to 22%.

Inside small companies and organizations (fewer than 1,000 employees), the number who describe their sites as “totally” or “very” secure drops to 65%.

Here, the number who opt for “reasonably secure” is 23%, very close to the number inside mid-sized companies.

The data suggests that mid-sized companies have much in common with small companies, including confidence levels that are somewhat less bullish than those encountered at large companies. In both small and mid-sized companies, around one-fifth of respondents (22%-23%) stop short of calling their sites anything more than “reasonably secure”.

Seniority appears to make no difference to levels of confidence. All of our respondents were IT managers, but some described themselves as “decision-makers”, while others described themselves as “influencers” or “recommenders”. Confidence levels were broadly similar across these groups.

However, technically-orientated IT managers were significantly less likely (68%) to describe their organization’s sites as “very” or “totally” secure when compared with IT managers in general roles (79%).

Not surprisingly, technically-orientated IT managers seem more cautious when it comes to making ambitious statements about website security.

[Chart: Perceptions of security, by company size: small (1-999 employees), mid-sized (1,000-4,999) and large (5,000+)]


Mid-Sized Companies are Confident, But Few Test Security Monthly

When it comes to approaches to security, there doesn’t seem to be much in the way of middle ground.

Asked when their company last tested its sites for vulnerabilities, respondents were notably polarised between those adopting a keen approach, and those who simply don’t bother to test. A substantial majority of respondents say their organizations have conducted a vulnerability assessment recently. 41% say the assessment occurred within the past month. A further 17% say testing occurred between a month and six months ago. At the other extreme, 33% admitted that their corporate sites have never been assessed.

We asked an additional question of respondents whose companies had tested recently: “How often have you repeated the assessment?” Among those organizations where respondents replied “every month”, confidence levels are notably higher. For example, 39% of those whose organizations conduct monthly vulnerability tests describe their corporate sites as “totally secure”. By contrast, among those in organizations where sites have been tested during the past 12 months, only 23% describe their sites as “totally secure”. Inside organizations where testing doesn’t occur (33% of the total), the percentage of IT managers describing their sites as “totally secure” is just 6%.

This seems entirely logical. It suggests that IT managers who work in “no assessment” workplaces understand the risks they are running, at least to some extent. Their lower levels of confidence suggest an awareness that inaction may have consequences. However, the data also points to a degree of baseless optimism. For example, IT managers at mid-sized companies profess to be confident about website security (72% say their sites are “very” or “totally” secure). Yet only a very small minority of mid-sized companies (13%) repeat vulnerability tests on a monthly basis. Their confidence may well be misplaced.

[Chart: “We have tested for vulnerability in the past six months...” versus “...and we repeat our tests every month”, by company size: small (1-999 employees), mid-sized (1,000-4,999) and large (5,000+)]

Inside small organizations, the same contrast emerges from the data, but it’s less marked. 65% say their sites are “very” or “totally” secure, while 26% say their organizations repeat tests on a monthly basis.

Inside large organizations, 83% describe their sites as “very” or “totally” secure. The proportion of respondents who conduct regular monthly tests is 38%.

We might well describe the distance between high confidence levels and the relatively low numbers who undertake regular monthly testing as a vulnerability knowledge gap. This gap is most noticeable among mid-sized companies and organizations. Inside small and large organizations, it’s less visible, but still a reality.



Automated Scanning Linked with High Levels of Confidence

We asked respondents who tests their sites, and how they tackle the job: by using internal assessments, third-party assessments, automated remote scans from an external provider, or in other ways. (Respondents were allowed to choose as many of the answer options as they felt were relevant.)

46% said they used internal assessments. 30% said they used third party assessments. 16% used automated remote scans. 9% said they use other methods.

The way in which companies conduct assessments appears to affect IT managers’ levels of confidence. For example, IT managers whose organizations use automated remote scans tend to be more confident: 42% describe their websites as “very secure”, while 50% describe their sites as “totally secure”. IT managers who use internal assessments have slightly lower levels of confidence; only 23% describe their websites as “totally secure”. Among those using third-party assessment, the percentage who report feeling “totally secure” declines to 17%.

Do these levels of confidence partly reflect other factors, such as the underlying frequency with which assessments are conducted? In the case of frequency at least, the answer seems to be no. Among those apparently hyper-confident users of automated scanning, for example, 58% had conducted a test during the past month, and 42% are repeating tests on a monthly basis.

By contrast, a larger proportion of internal assessment users (66%) had conducted a test in the past month, and a slightly larger share of them (45%, against 42%) repeat tests on a monthly basis.

Users of internal assessment, it seems, conduct tests slightly more frequently, yet they remain significantly less confident about security than IT managers whose organizations use automated remote scans. Whichever way you cut the data, automated scanning seems to be associated with higher levels of confidence. Note that this is an association between scanning and reported confidence, not evidence that scanned sites are more secure: an automated scan only finds the classes of flaw it has checks for.

[Chart: “Our website(s) are totally secure”, by assessment method: automated remote scans 50%; internal assessments 23%; third-party assessments 17%]

The data also suggests a clear difference in the ways in which small, medium and large organizations conduct vulnerability assessments.

Large organizations

Two-thirds of large organizations favour internal assessment (65%). Around one-third (31%) use automated remote scanning, and just 23% use third-party assessment.

Medium-sized organizations

Medium-sized organizations tend to use a combination of internal assessment (48%) and third-party assessment (38%). Only 5% of mid-sized organizations use automated scanning.

Small organizations

Small organizations favour third-party assessment (45%) and internal assessment (40%). Just 15% of small organizations use automated remote scanning.

[Chart: assessment method by company size: internal assessments; automated scans; third-party assessments; other]


IT Managers Fail to Identify Major Threats

In developing the research questions for this white paper, we wanted to find a way of comparing generalist IT managers’ perceptions of specific security threats with the reality in the wild. In particular, we wanted to discover whether generalist IT managers have a view of potential threats that’s realistic, or whether they worry about the wrong kind of threats.

Symantec, the sponsor of this study, collects data about global threat activity through its Global Intelligence Network. Some of this information is published in Symantec’s annual Internet Security Threat Report and in monthly intelligence reports. The team behind Symantec’s Website Vulnerability Assessments also maintains a frequently revised list of the most prevalent threats in existence (2).

However, this list of threats is extremely granular (for example, the sixth most prevalent threat is listed as “ISC BIND 9 DNSSEC Bogus NXDOMAIN Response Remote Cache Poisoning Vulnerability”). It seemed unfair to ask generalist IT managers who are not security specialists for their views on such a granular list of threats. Instead, we asked respondents how vulnerable their sites might be to a shorter list of more general threats, each of which we described in something close to everyday language, e.g. “information leakage” or “authorization vulnerabilities”.

The results were not encouraging. Given six broad categories of threat to assess, our respondents were largely unable to prioritise one as being more prevalent than any of the others. For example, 38% consider it very unlikely that their corporate sites are vulnerable to cross-site scripting (XSS), despite the fact that XSS is routinely described in studies as the most prevalent website-based security threat. (Symantec’s detailed list of vulnerabilities is among those which rank this technique as the most prevalent website-based threat.)

Similarly high proportions of respondents feel largely secure against the other forms of attack we asked about. The share who say each is “very unlikely” to affect their sites: content spoofing (43%), authorization vulnerabilities (43%), information leakage (40%), cross-site request forgery (36%) and brute force attacks (32%).

As the graphic on this page suggests, the number of IT managers who say they don’t know whether their sites are vulnerable to specific threats is also high. In total, 25% answered “don’t know” in the case of two or more specified threats. Within this group, 13% of all respondents said they didn’t know how vulnerable their sites were to any of the six attack vectors mentioned in the question.

[Chart: The don’t knows: What’s the likelihood that your site(s) suffer from the following vulnerabilities?]

(2) Symantec Internet Security Threat Report, Vol. 17 Main Report, 2011. The report is based on data from the Global Intelligence Network, which Symantec’s analysts use to identify, analyse, and provide commentary on emerging trends in attacks, malicious code activity, phishing, and spam.


The Don’t Cares: Organizations that Don’t Run Vulnerability Tests

One-third (33%) of respondents told us their organization had never conducted a vulnerability assessment on their websites. Predictably, only very few of these respondents – 6% of the entire sample – went on to describe their organization’s websites as “totally secure”.

This amounts to a clear acknowledgement of risk. By contrast, the proportion of respondents who describe their sites as “totally secure” rises to 32% inside organizations where testing has taken place in the past month. In organizations where testing has taken place during the past six months, the proportion is 18%.

Remarkably, however, almost half of those whose organizations have never tested for vulnerabilities went on to argue that their organizations’ websites are “very secure”. Between a quarter and one-third believed it was “very unlikely” that their organizations’ websites might be affected by any of the six vulnerabilities we described in general terms (see the previous section).

Only one-quarter admitted what seems obvious: that their organizations don’t know how secure their websites are.

Intriguingly, organization size has little to do with the propensity for wilful blindness. The proportion of respondents who said their employer had never conducted tests was surprisingly similar inside small (35% of relevant respondents), medium (34%) and large (30%) organizations.

Neither does vertical sector seem to be a factor. IT managers working in the following industries told us that their organizations never conducted vulnerability assessments: finance and banking; travel, entertainment and media; retail and wholesale; telecommunications and technology; healthcare, pharmaceuticals and the public sector.

[Chart: If you don’t test for vulnerabilities, are your site(s) secure? Organizations not performing vulnerability assessments (never assessed): how secure is your site?]


Roughly One in Four Companies Breached Every Year

For how long can an organization get away with weak security policies? Slightly more than one in ten (13%) of our respondents told us that they had fallen victim to an internet security breach during the past six months. Doubled to an annual rate, that is roughly one in four companies per year, so the average company in our survey can be expected to suffer a security breach about once every four years. (Admittedly, this is a rough rule of thumb: it assumes the six-month figure is representative of any other six-month period, and factors other than sheer chance are involved in the selection of target companies.)

The most frequently-cited successful vector of attack was information leakage, followed closely by cross-site scripting. However, cross-site scripting was implicated in more breaches resulting in a major impact than information leakage.

According to respondents, the impact of security breaches can vary substantially. Around one-third (31%) of the organizations that admit to being breached described the result as a lucky escape, resulting in “no impact”. A larger group (54%) described the breach as having some impact or a significant impact. A further 15% of respondents cited a “major impact”.

Although Symantec’s in-house data suggests that 50% of attacks are targeted at large organizations (those with more than 2,500 employees), being a small or mid-sized company is no guarantee of safety: in the same data, small companies (those with fewer than 1,000 employees) account for 26% of all attacks. In our own sample, 19% of mid-sized companies reported experiencing a website-based security breach during the past six months.

In order of frequency, the remedies undertaken by organizations which suffered a security breach included the following:

1. New/improved secure sockets layer (SSL) protection
2. Improved internet security software
3. Improved firewall
4. Outsourced hosting to a secure provider

None of these four remedies, it should be noted, addresses the application-level flaws (information leakage and cross-site scripting) that respondents most often cited as the successful vector: SSL protects data in transit and a firewall filters network traffic, but neither fixes a vulnerability in the site’s own code.

[Chart: Have you experienced any security breaches in the past six months? By company size: small (1-999 employees), mid-sized (1,000-4,999) and large (5,000+)]


Conclusion

IT managers in the United States say they are extremely confident about the security of their organizations’ websites. A total of 74% say their sites are “very” or “totally” secure. Confidence is highest among IT professionals in large organizations (more than 5,000 employees). 83% of these IT professionals describe their sites as “totally” or “very” secure. Only 3% say their sites are “reasonably secure”. Inside small and mid-sized organizations, the percentage of respondents who say their sites are merely “reasonably” secure jumps to around one in five. The proportion who say their sites are “totally” or “very” secure declines to 72% (in the case of mid-sized companies) and 65% (small companies).

What explains these high levels of confidence? Some of it comes down to how recently and how frequently vulnerability testing has been carried out.

On this, IT managers are polarised. 41% say their employer has conducted a website vulnerability assessment during the past month. However, 33% admitted that their corporate sites have never been tested.

Levels of confidence are noticeably lower inside “never test” workplaces. They’re higher where testing has been conducted during the past month. And they’re higher still in companies and organizations where testing occurs regularly, every month. Levels of confidence also seem to be higher than average in workplaces where automated remote scanning is used.

However, the data also points to a degree of baseless optimism. Almost half of those whose organizations have never tested for vulnerabilities find it possible to argue that their organization’s websites are “very secure”.

In particular, IT managers at mid-sized companies profess to be confident about website security (72% say their sites are “very” or “totally” secure). Yet only a very small minority of mid-sized companies (13%) repeat vulnerability tests on a monthly basis. Inside small organizations, a similar contrast emerges. 65% say their sites are “very” or “totally” secure, yet only 26% say their organizations repeat tests on a monthly basis.

All of this points to significant risk-taking. But how credible are the calculations (formal or informal) that underpin such risk-taking? Our data suggests that, on average, roughly one in four companies suffers a security breach every year (13% reported a breach in the past six months) (3). Among respondents who have suffered breaches, 15% told us that the effect had been “major”.

Website vulnerabilities represent a clear and present danger. It makes sense to protect against them by (for example) using a vulnerability assessment such as that offered free by Symantec with every purchase of an Extended Validation or Pro SSL Certificate. The resulting combination of SSL encryption, vulnerability assessment and website malware scanning helps sites provide visitors with a safer online experience, extending security beyond https to public-facing webpages.

By contrast, the approach of organizations that remain complacent remains deeply problematic. Neither consumers nor shareholders can easily tell whether an organization has weak security policies. Both can end up as the victims of an approach to risk management of which they were never aware, and to which they didn’t consent.

(3) All information contained in this report comes from IDG Connect research, conducted in October 2012 on behalf of Symantec, of 100 IT professionals across the United States of America.
