Firewalls and Anti-virus SoftwareBy Ericka Chickowski | Posted 2008-06-02 Email Print
The security risks IT managers worry about the most aren’t the same ones they spend their company’s money on. What’s going on? Baseline set out to get some answers.
The problem is that the knowledge of these risks has not resulted in corresponding actions designed to mitigate them. When we asked survey participants which five security technologies accounted for the highest share of their total security investment, the resounding leaders weren’t technologies that prevented insider theft or accidental data loss. They were—you guessed it—firewalls and anti-virus software. Approximately 59 percent reported firewalls in their top five security expenses, and 48 percent put anti-virus in that pool. Also high on the list was e-mail security, including anti-spam technology, which 36 percent of survey respondents placed in their top five.
The gap between the security spend and today’s risks was distressing, if not particularly surprising, to the security experts we informed about the survey results.
“For most organizations—even some of the larger Fortune 1000 companies we work with—security spending is not even close to being in line with the risks and threats they are trying to address,” says Adam Muntner, co-founder of QuietMove, a security consultancy in Scottsdale, Ariz. As a security assessor and penetration tester, he sees plenty of companies relying on older network-centric technologies as their only protection. In some cases, they aren’t even up to date with the technologies offered by this network-based security approach.
*View the research that was the basis for this article.
“We’re working with a hospital system that has a lot of patient and research data,” Muntner says. “They have firewalls and anti-virus software, but they’ve never had an internal vulnerability management program. They don’t even have an automated vulnerability scanner.
“We convinced them of the value of having one, and they’re getting ready to put one in, but this situation is so common. In this case, they had to go to their CIO and spend a month making the case about why it was important. The thing that finally convinced the CIO was that all the other hospitals in the state are using an automated vulnerability scanner.”
Organizations such as these are ripe for attacks and slip-ups if they aren’t dedicating enough of their budget to a broader range of technologies. For example, companies that focus on anti-virus and firewall technologies without putting enough money into encryption risk high-profile data breaches through lost laptops or other mobile devices.
“It shocks me when I learn somebody’s laptop was stolen or hard drive was lost,” says ARC’s Bhatt. “Didn’t we have the Veteran’s Administration incident two years ago? How can somebody still not be encrypting the sensitive data on their devices?”
The holes left open by these perimeter-type technologies are endless. Without proper monitoring and policy enforcement, trusted insiders can easily access or steal data. Hackers can overwhelm the signature-based technologies most anti-virus vendors rely on, and they can get around firewalls by attacking the application layer and vulnerabilities left open by dodgy patch- and configuration-management practices. Cyber- criminals also find ways to sign on as trusted users due to lax authentication management.
Over the last two years, many managers have used ignorance of these growing risks as an excuse not to upgrade their security systems. But most security practitioners are well aware of the risks by now.
In some ways, the gap between understanding the current risks and spending the money to address them is just a symptom of the time it takes the mainstream to catch up with the best-practice leaders, says Bhatt, who adds that the first step is identifying these risks.