Information security mistakes are costly, damaging and all too prevalent. Given the obvious repercussions of poor information security and disclosure strategies (TJX, CardSystems, BJ’s and AOL), one is inclined to believe change agents are in place.
However, organizations continue to make seemingly avoidable mistakes when it comes to enterprise security. Last week, I wrote about the five most common security miscalculations organizations make. Let’s dive into the first one in more detail — over-relying on network defenses.
If you want to comment on these or any other articles you see on CIO Update, we’d like to hear from you in our IT Management Forum. Thanks for reading.
Firewalls, intrusion prevention systems (IPS), anti-virus solutions, and intrusion detection systems (IDS) protect us from worms, detect anomalous behavior, and prevent some attacks on our networks.
These protective measures are good ones to take; however, these solutions have problems that many organizations don’t realize:
Application vs. Network Security
Let’s look at some research and analyst perspectives. Many of you are familiar with the Gartner statistic from 2004 (updated in 2006) that states: “Over 70% of security vulnerabilities exist at the application layer, not the network or system layer.”
The National Institute of Standards and Technology (NIST) claims this number is 92%! IDC states, “The conclusion is unavoidable: any notion that security is a matter of simply protecting the network perimeter is hopelessly out of date.”
Another interesting metric that was collected from Microsoft Developer Research is: “64% of developers are not confident in their ability to write secure applications.”
It is very telling that two out of every three developers in this survey were not confident in their ability to write secure code. It’s an interesting question you may want to ask your own developers. And while you’re at it, ask this of your budgeting process: “If over 70% of security vulnerabilities exist in the application layer vs. the network layer, are we spending over 70% of our IT security budget on application security?”
Here’s a case-in-point from an e-commerce company I worked with last year. This company had intrusion detection, intrusion prevention and a firewall in place. Because it was a large e-commerce site, we had to do testing on the actual production system.
This e-commerce system had the common “shopping basket” functionality. During testing, we put an item in our basket, did some testing and didn’t find anything, so we closed the browser and went out for lunch. When we returned, we opened the browser and noticed the item we had placed in our basket was still there.
This told us the e-commerce site used cookies — small text files that store bits of information on your machine about you and the items you have chosen during the session. We decided to find that cookie on our client and mess with it; something the security world calls “cookie poisoning.”
We opened the cookie with the world’s best hacking tool, Notepad, and found information like our session ID, the merchandise item number, a description of the item, and the price of the item. Hmmm … price. We decided to mess with that parameter and change the price from $9.95 to negative (-$9.95) and save the file with this new information.
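As an added illustration of the case above (example code, not the article's or the company's own), here is a basket handler that trusts the price stored in the client's cookie, beside a hardened version that keeps the price in a server-side catalogue and HMAC-signs the cookie so that any tampering is detected and rejected; the catalogue, the secret and the cookie field names are assumptions.

```python
import hmac
import hashlib
from decimal import Decimal

# Constructed catalogue and server secret (both assumptions; a real site would
# hold the catalogue in its database and the secret in server-side config).
CATALOG = {"SKU-1001": Decimal("9.95")}
SECRET = b"server-side-secret-never-sent-to-the-client"

def checkout_trusting_cookie(cookie: dict) -> Decimal:
    """Vulnerable pattern from the article: the price comes from the client's
    cookie and is used as-is, so a negative price gives a negative total."""
    return Decimal(cookie["price"]) * int(cookie["qty"])

def sign(payload: str) -> str:
    """HMAC-SHA256 over the cookie payload, keyed with the server secret."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def make_cookie(session_id: str, sku: str, qty: int) -> dict:
    """Hardened cookie: identifiers only (no price), plus a MAC over them."""
    payload = f"{session_id}|{sku}|{qty}"
    return {"payload": payload, "mac": sign(payload)}

def checkout_hardened(cookie: dict) -> Decimal:
    """Hardened handler: verify the MAC (detects tampering), validate the
    fields, and take the price from the server-side catalogue."""
    payload, mac = cookie.get("payload", ""), cookie.get("mac", "")
    if not hmac.compare_digest(sign(payload), mac):
        raise ValueError("cookie integrity check failed; possible poisoning")
    _session_id, sku, qty_text = payload.split("|")
    qty = int(qty_text)
    if qty < 1 or sku not in CATALOG:
        raise ValueError("invalid quantity or unknown item")
    return CATALOG[sku] * qty

def hardened_rejects(cookie: dict) -> bool:
    """True if the hardened handler refuses the cookie (for demonstration)."""
    try:
        checkout_hardened(cookie)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    poisoned = {"session": "abc", "item": "SKU-1001", "price": "-9.95", "qty": "1"}
    print("trusting cookie:", checkout_trusting_cookie(poisoned))  # -9.95
    good = make_cookie("abc", "SKU-1001", 1)
    print("hardened:", checkout_hardened(good))  # 9.95
    good["payload"] = "abc|SKU-1001|-1"  # edited on the client, MAC no longer matches
    print("tampered cookie rejected:", hardened_rejects(good))  # True
```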