The biggest security threat to most networks could be the people paid to look after them, an informal survey of IT professionals has suggested.
According to Tufin Technologies’ questioning of 100 attendees of the recent DEF CON 18 hacking conference, three quarters viewed misconfiguration as the main route into a network, excluding websites.
Fifty-eight percent blamed staff for this state of affairs, 18 percent thought a lack of money for auditing was at fault, while 14 percent saw compliance as inherently flawed anyway. Eleven percent thought the ‘threat window’ changed too rapidly.
As to firewalls, 93 percent saw correctly-configured firewalls as a reliable barrier to external attacks, but only 7 percent had actually experienced such a thing between 50 and 75 percent of the time. For 73 percent of respondents, the well-configured firewall was something found on a quarter or fewer networks.
Fifty-eight percent saw outsourcing as increasing the chances of being hacked, which sounds positive until it dawns that this means that a hefty 42 percent reckon outsourcing will cause security to deteriorate further.
“It's clear that IT managers need to address the security shortcomings of their networks by remediating the network misconfiguration issue,” said Tufin CTO, Reuven Harrison. “Only by configuring their network resources correctly can companies hope to beat these security issues.”
The usual caveats should be mentioned. Tufin is a firewall policy management company with a ‘firewall misconfiguration = vulnerability’ message to push. Equally, the sort of people who hang around a conference like DEF CON are going to see direct penetration of networks as being important. Many will probably work in the field and take a dim view of the naive idea that they can be kept out by security technology alone.
The survey further excluded websites – a major source of hacking vulnerability – and software vulnerabilities which litter most desktop PCs.