Ethical Hacking Survey 2009

IT Industry Survey

Ethical Hacking

By Rick Blum, Director, Strategic Marketing

Highlights

• Only six percent of respondents think there is no chance that their networks or applications will be hacked in the coming year. Those with an ethical hacking budget reduce the perceived chance of being hacked by nearly one-third.

• The top three benefits of ethical hacks, in order of importance, are improving overall security posture, protecting against theft of intellectual property and fulfilling regulatory/legislative mandates.

• A majority of IT organizations conduct ethical hacks on wireline and wireless networks, applications and operating systems either annually or more frequently. However, in each of these categories, between 14 and 21 percent of respondents never conduct ethical hacks. The main reasons for not doing so are that management does not value this service and that they don’t have the manpower and/or skills to fix potential vulnerabilities.

• Respondents who have conducted an ethical hack in the last year have found serious vulnerabilities most often in applications and operating systems.

• Network testing is the most important type of ethical hack for keeping information assets secure, considered critical by 60 percent of respondents.

• Lack of experienced staff is most often cited (by 53 percent of respondents) as a significant barrier to conducting ethical hacks internally or improving ethical hacking capabilities.

• Cost is by far the most common barrier to using an ethical hacking vendor, though most respondents have used this service in the past.

The Bottom Line

IT networks are the vascular system of today’s businesses, providing pathways for information to flow throughout the organization. However, when these pathways are penetrated, they also provide attackers access to those assets, as well as the means to cripple IT systems and applications. Therefore, just as we as individuals get regular check-ups to maintain good health, it is critical for IT organizations to regularly be testing for weaknesses in networks, systems and applications that would allow access to information assets. Based on the results of this survey, IT security managers should heed the following:

• Nearly all IT systems have a vulnerability that can be exploited by a hacker intent on stealing information or causing damage. Whether this vulnerability is an unpatched application, a misconfigured router or rogue modem, unless you look, you’ll never know it’s there … not until your servers suddenly go down or proprietary information shows up on the Internet.

• Most IT organizations will conduct ethical hacks to search for vulnerabilities at least annually, although approximately one third of IT organizations wisely test wireline networks and operating systems quarterly. Although these can be done using internal resources, a third-party vendor provides a more unbiased view.

• With IT budgets tight right now, prioritize various types of ethical hacks by potential loss impact. Wireline networks and systems should be at the top of your list.

• When hiring an ethical hacking vendor, first decide whether you want to work with one vendor on an ongoing basis, or instead rotate vendors to insure against any weaknesses a single vendor may have. Without a strategy, the cost and value of each purchase decision is left to chance.

Ethical Hacking

Introduction

Identifying vulnerabilities in networks, applications and systems before they can be exploited is a critical step in preventing exposure of sensitive data, which can severely damage a corporation’s reputation. Smart IT organizations manage risk by conducting ethical hacks on a regular basis in order to identify vulnerabilities that need remediation, thus improving their security posture.

From February 17 through March 31, 2009, BT conducted a Web-based survey on Ethical Hacking, which was completed by 222 IT professionals around the globe. This survey was designed to yield valuable insights into the usage of ethical hacking to improve network, systems and application security. Results of this survey are also compared, when appropriate, to the results of two previous ethical hacking surveys conducted by BT (formerly BT INS) published in January 2005 and March 2007.

For this survey, ethical hacking, also called penetration testing, was defined as a method for verifying the true state of security controls for the protection of assets and information by simulating an attack on a network in a controlled and safe manner. Ethical hacks are typically conducted by a third party in a manner similar to naturally occurring attacks to provide an unbiased assessment of the security of a system and the viability of implemented controls, although they may be conducted using internal resources. The primary types of ethical hacks are:

• Application testing – uncovers design and logic flaws in applications that could result in the compromise or unauthorized access of your networks, systems, applications or information.

• Network testing – identifies vulnerabilities in external and internal networks, services, protocols, convergence solutions and systems and devices, including VPN technologies.

• Code review – examines the source code that is part of the authentication system and identifies the strengths and weaknesses of the software modules.

• Wireless network testing – determines your network's vulnerability to an attacker with radio access to the wireless network space.

• War dialing – identifies unauthorized modems that endanger the corporate infrastructure.

• System hardening – analyzes possible configuration issues, running services, and vulnerabilities that reside on the system.

The survey was posted on the BT Professional Services Web site. Invitations to participate in the survey were also sent to subscribers of BT’s customer newsletter. All Web survey responses were automatically collected into a survey tool. Any questions skipped or incorrectly answered by survey respondents were not included in the tabulations. Not-applicable responses were also not included in the tabulations. Each chart includes the number of valid responses for that particular question (e.g., N=100 indicates 100 responses). Percentages shown in some charts may not sum to 100 percent due to rounding.

May 2009

BT

2

Ethical Hacking

Hacking Success

As the incidence of networks being compromised continues to make the news on an almost daily basis, it is clear that making networks (and the applications that run over them) invulnerable to attack is extremely difficult. Recognizing this reality, 94 percent of survey respondents acknowledge that there is some likelihood that their network will be successfully hacked in the next 12 months, about on par with expectations of respondents to the 2007 survey.

However, the steady drumbeat of network incursions has lowered the percentage of respondents who believe that the chance of being successfully hacked is relatively low, i.e., only 1-10 percent. In fact, only 38 percent of respondents fall into this category, down from 46 percent in the 2007 survey and 41 percent in the 2005 survey. Whether this decline is due to a more realistic view, or the recognition that attackers are becoming more proficient, the trend is distinctly in the wrong direction.

The silver lining to this dark cloud is that there is a way to reduce the likelihood of being successfully hacked, and that is to conduct regular ethical hacks. This is borne out by comparing the perceptions of respondents who have an ethical hacking budget to those who don’t. On average, the latter group believes that they have a 38 percent chance of their networks and/or applications being hacked in the next 12 months. However, on average, respondents with an ethical hacking budget believe that they have only a 26 percent chance of being hacked. Clearly, setting aside some of the security budget for ethical hacking raises the perception (and in most cases the reality) of being less vulnerable to hacks.

Network testing, application testing, system hardening and wireless network testing have all been conducted in the last two years by a high percentage (80 percent or more) of respondents’ IT organizations. Code review (70 percent) and war dialing (59 percent) are conducted less often, though both by a significant number of IT organizations. On the flip side, 42 percent of respondents’ IT organizations have not conducted war dialing, sometimes called modem scanning, in more than two years, and 30 percent have not conducted a code review in that same time period. While the former can be time-consuming, just one unauthorized modem can jeopardize the entire network infrastructure, which makes it well worth checking on a regular basis.

To better protect their networks (wireline and wireless), operating systems and applications from attack, a majority of respondents’ IT organizations conduct each of four types of ethical hacks, although with varying degrees of regularity. These include ethical hacks that are conducted by the IT organization or by a third party. Wireline networks and operating systems are most frequently subject to ethical hacks: approximately one-third of respondents test them on a quarterly basis, and another 14-15 percent on a semi-annual basis. The percentage of respondents who conduct these hacks on a quarterly basis is up slightly from 2007, though not quite enough to deem this uptick significant.

Applications and wireless networks don’t receive quite as much attention, with only about one quarter being ethically hacked on a quarterly basis. These figures are almost unchanged from the 2007 survey. In fact, both of these have a slightly higher percentage of respondents who never conduct hacks, although, again, not a large enough difference to indicate a significant change.

As might be expected, a much higher percentage of respondents (54 percent) who conduct ethical hacks quarterly on both their wireless and wireline networks believe that the chance of being successfully hacked in the next year is 10 percent or less, compared to the percentage of respondents (21 percent) who never conduct ethical hacks on either of these networks.

We then asked those respondents whose IT organizations never conduct ethical hacks in any one of these four categories what contributes to this deficit. The most common reason (selected by 59 percent of respondents) is simply that management does not understand the value of ethical hacks and, presumably, will not allocate the time and money required to conduct them. Surprisingly, despite the extremely negative publicity that accompanies a data breach, management’s perception of the value of ethical hacking has been waning since 2005. Security professionals need to reexamine how they are presenting ethical hacking to management, perhaps with greater focus on business consequences.

The next most common reason for not conducting ethical hacks, also increasing this year compared to 2007 and 2005, is that the IT organization doesn’t have the manpower and/or skills to fix vulnerabilities uncovered during the hack, which was selected by 44 percent of respondents. This “see no evil” justification for not conducting ethical hacks is one that can come back to bite an organization. Certainly, if significant vulnerabilities are found, the will would be found to fix them. Similarly, 26 percent of respondents say their IT organizations don’t have the funds to fix potential vulnerabilities. Again, it’s likely that funds could be found to fix significant vulnerabilities. And even if funds weren’t forthcoming, it would still be preferable to know the problem than to have to plead ignorance when an attack brings down the ecommerce server for two days.

Many fewer respondents (13 percent) are concerned about the safety of ethical hacks, and just four percent are worried that results of an ethical hack could be embarrassing. Both of these have declined significantly as issues over the last four years.

We then asked respondents who have conducted at least one ethical hack in the last year either internally or using a third party to tell us for each of the four categories if the vulnerabilities they found were insignificant, moderate or serious. Overall, wireline and wireless networks are the most secure, with 48 percent of the former and 45 percent of the latter having no significant vulnerabilities. An additional 45 percent and 43 percent, respectively, had vulnerabilities with only moderate impact. Applications and operating systems did less well, although only by a small percentage. Thirty-four percent of applications had no vulnerabilities found, compared to 31 percent of operating systems. Forty-six percent of the former had moderate vulnerabilities, while 49 percent of the latter had the same. As a cautionary note, though, on average 15 percent of respondents who have conducted an ethical hack in the last year found a serious vulnerability. We suspect that percentage is even higher among respondents who have not conducted ethical hacks recently.

Importance and Benefits of Ethical Hacks

The reason for conducting an ethical hack, obviously, is to keep information assets secure. One survey respondent stated that “It (ethical hacking) is very important and helps save you money and reputation in the long run.” Not all types of ethical hacks, however, have equal importance in achieving these goals. For instance, respondents consider network testing as the most important type of ethical hack, with 60 percent deeming it critical, and another 35 percent saying it is very important. System hardening is also considered critical by a majority of respondents (53 percent) and somewhat critical by another 36 percent. Application testing and wireless network testing are a bit less important than network testing and system hardening, although both are considered critical or very important by more than three quarters of respondents. Code review is considered critical by 28 percent of respondents, and war dialing is critical for 21 percent. War dialing is the only type of ethical hack that more than six percent of respondents (17 percent) deem not at all important to keeping their information assets secure.

Though the primary function of ethical hacks is to uncover vulnerabilities, there are a number of corollary benefits that can be derived from this activity. With that in mind, we presented respondents with a list of eight potential benefits that could result from conducting an ethical hack, and asked them to rank the top three in order of importance.

Not surprisingly, improving their overall security posture is the number one benefit by a wide margin, being listed in the top three by 85 percent of respondents, and the most important benefit by more than 43 percent. These percentages are similar to the results in both the 2005 and 2007 surveys, except that the percentage of respondents ranking it number one jumped from 35 percent (in both surveys) to 43 percent. Also placed in their top three benefits by more than half of respondents is protecting against theft of intellectual property. Twenty-two percent of respondents list this as their top benefit, compared to 34 percent in the 2007 survey and 23 percent in the 2005 survey. Ranked very closely behind is fulfilling regulatory and/or legislative mandates, which 20 percent rank number one, up from 12 percent in 2007 and 17 percent in 2005. Taken together, 85 percent of respondents consider the top benefit of ethical hacks to be one of these three.

Two other benefits were selected by more than a quarter of respondents in their top three: baselining of the current environment, and validating previous security investments. Providing justification for additional funding and the ability to do trending analyses are among the top three benefits for less than one out of six respondents.

Ethical Hacking Strategy

Ethical hacks can be conducted internally by the IT organization or by a third party. The advantage of having the latter group conduct the hacks is that it more closely simulates an actual attacker in terms of knowledge of the organization’s networks and systems. Third parties also usually have greater knowledge of the latest hacking techniques and ploys. However, many IT organizations still eschew this path, at least for some types of ethical hacks. So we provided a list of potential barriers to conducting ethical hacks internally, and asked which are significant barriers to either conducting these activities, or improving their capabilities for conducting them.

The significant barrier cited most often is the lack of experienced staff, a problem for 53 percent of respondents. As mentioned previously, this is one of the strengths of ethical hacking vendors. Closely related to this is a barrier faced by 39 percent of respondents: the amount of staff training required to be able to effectively conduct the ethical hack. But other reasons also plague a large percentage of respondents’ IT organizations. Other projects with a higher priority is a problem for 44 percent of respondents, unrelenting introduction of new threats for 41 percent and cost of ethical hacking products and/or tools for 40 percent. Other reasons for not using third parties are common to many IT projects, i.e., justifying costs and benefits to upper management (35 percent), organizational and process issues (31 percent) and difficulty in implementing products and/or tools (29 percent).

Most respondents who conduct ethical hacks internally also use third-party vendors of these services. As one respondent said, “An objective, third-party, ethical hacking assessment is crucial to maintaining a verifiable level of information security.” In general, ethical hacking vendors promote the following benefits of using their services:

• Ethical hacking specialists have more expertise and tools than in-house resources
• Tests can be conducted with zero-knowledge to truly mimic a random intruder
• Testing can be done without the knowledge of other IT employees

When deciding to use a third-party vendor, there are two typical approaches: 1) choose the best vendor and stick with them through multiple rounds of ethical hacks over time, and 2) rotate vendors on a regular basis. The thinking behind the latter strategy is to get different approaches, covering the widest possible range of simulated attacks, thus maximizing the likelihood of uncovering a vulnerability. Both approaches have their proponents and detractors.

Respondents, however, consistently split evenly between employing one of these two strategies and having no strategy at all. We can only assume that those organizations with no strategy operate on an ad hoc basis, making a decision whether to use the same or a new vendor with each ethical hack. While not necessarily a terrible approach, proactively selecting a multivendor or single-source strategy is likely to yield more benefits than an ad hoc approach. Of the half of respondents who do have a defined strategy, again, their approach is fairly evenly split between rotating vendors and sticking with just one. And this has been true for the last two surveys.

We then asked all respondents, whether they currently use an ethical hacking vendor or not, to tell us which of four potential barriers to using these vendors are significant for them. Slightly more than one-quarter of respondents do not see any of these barriers as significant. Of the four, though, cost is far and away the most significant, with 62 percent seeing this as a problem. None of the others register with as many as one-quarter of respondents.

Security Budgets

Twenty-six percent of respondents’ IT organizations have annual budgets of less than $500 thousand. Another third fall in the $500 thousand to $9.9 million range. Twenty-two percent have IT budgets of between $10 million and $49.9 million. The remaining 18 percent of respondents’ IT budgets are $50 million or more. The vast majority of respondents’ IT organizations spend 10 percent or less of their IT budget on security, i.e., 47 percent spend between one and five percent, and 36 percent spend between six and ten percent. Only six percent dedicate more than 20 percent of their budget for security.

In these tight economic times, security budgets are holding up fairly well. Twenty-eight percent of respondents expect their security budget to increase in 2009 as a percentage of the IT budget, and 24 percent expect it to increase in absolute dollars. On the other side of the coin, 22 percent of respondents expect the security budget to decline as a percentage of the IT budget, and 31 percent expect it to decline in absolute dollars. A hefty 38 percent of respondents do not specifically allocate a portion of the security budget for ethical hacking, more than in the 2007 and 2005 surveys. Sixty-nine percent of respondents allocate from 1-5 percent of their security budgets for ethical hacking, and 17 percent allocate from 6-10 percent. At the top end, just two percent of respondents spend more than 20 percent of their budgets on ethical hacking.

Respondent Comments

• An objective third-party ethical hacking assessment is crucial to maintaining a verifiable level of information security. Although not all environments may have the financial resources to commission regular and comprehensive third-party assessments, an effort should be made to at least classify your most sensitive organizational assets and focus your resources accordingly.

• [Ethical hacking is a] critical component of our overall security program. Keeps our internal, contracted security guys performing their best; it's a level check.

• Ethical hacking is a necessity in order to protect company assets and stay close to the reality of unethical hacking.

• It (ethical hacking) is very important and helps save you money and reputation in the long run.

• It (ethical hacking) is the best way to assess the network from an outsider's perspective.

• I think it (ethical hacking) is a must have for any serious organization today.

• It (ethical hacking) should be a critical part of any proactive organization in today's global competitive market.

• It's difficult to see the pimple on our face, but others can see all of our blemishes.

• The issue with 3rd parties in our environment is the overall cost. Our environment is very large and to bring an outside team in would mean we would have to make them "full time" resources to allow them to do the hacking within a year of all segments.

• Presentation/delivery of [ethical hacking] results and findings by external providers are "all over the map", with minimal consistency.

• Tools and 3rd parties are expensive when you have a lot of address space as most are priced by number of IPs scanned, not actual number of hosts found.

• Social networking sites are a huge factor in contributing to the rise of hacking activities.

• I would love to go through the training, but it's too costly for me personally, and my employer won't [pay for it].

About BT

For more than 20 years, BT has provided solutions in the U.S. and Canada that help enterprises effectively use technology to drive business growth. The expertise of our employees enables us to help customers globalize their businesses in innovative and sustainable ways. Through strategic development, strong alliances and a diverse collection of best practices and methodologies, BT has emerged as a leader in networked IT services providing professional services and consultancy, managed services, and full outsourcing for business and IT transformation.

BT has the experience and knowledge to design, manage and operate solutions that overcome business challenges and create sustainable value in the areas of:

• Secure Networking – drive cost efficiency and risk reduction across security operations while enabling greater support for compliance and productivity.
• Mobility – reduce cost and increase productivity through information access and collaboration regardless of location, by simplifying the complexity attributed to the control and management of mobile assets and expenses.
• Contact Center – deliver improved customer service while reducing costs and increasing operational flexibility and agent productivity.
• Infrastructure Optimization – fully integrate business communications and IT infrastructures onto a single, cost-effective platform to reduce infrastructure complexity while enabling streamlined centralized management, more comprehensive security monitoring and enhanced business applications performance.
• Unified Communications – unify complex network environments to connect the people, applications and devices needed to achieve business goals.
• Audio and Visual Conferencing – enables users to meet with colleagues, anywhere, anytime, using an electronic communications system such as a phone, personal computer or specialized video conferencing equipment.

At BT we also know it is important to work with a provider who understands the nature of your business. We have built an eco-system of collaborative relationships with companies such as Microsoft, Cisco, EMC and HP enabling us to deliver integrated solutions that are flexible and focused on the things that will make your business succeed. In tailoring our global networked IT services to the needs of our customers, we offer a unique combination of global reach with local experience and knowledge, global account management and excellent customer service. We provide solutions to more than 1,000 customers in the U.S. and Canada in all major industries, and have been selected as a trusted partner by many large enterprises including Unilever, Reuters, Cadbury and Procter & Gamble. For additional information, please visit www.bt.com/globalservices or contact us at 1-888-767-2988 in the U.S. or 1-408-330-2700 worldwide.

About BT IT Industry Surveys

BT conducts industry survey projects intended to provide IT managers with insight into key issues impacting the ability to develop and deploy IT-infrastructure-dependent business initiatives. Previous survey report topics include:

• Application Impact Assessment
• Ethical Hacking
• IP Address Management
• IPv6
• IT Infrastructure Library (ITIL)
• IT Operations Centers
• Malicious Code
• Network Access Control
• Network and Systems Management
• Total Cost of Ownership
• Network Quality of Service
• Network Security
• Outsourcing and Offshoring
• Patch Management
• Performance Management and Engineering
• Server Virtualization
• Service Level Management and Service Level Agreements
• Storage Networking
• Unified Communications and Collaboration
• Virtual Private Networks
• Voice Over IP
• Wireless LANs

To see the results of previous surveys, go to http://www.bt.com/us/resources

For more information regarding the IT industry survey program, please contact:

Rick Blum, Director, Strategic Marketing
Email: [email protected]

Offices worldwide The services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc’s respective standard conditions of contract. Nothing in this publication forms any part of any contract. © British Telecommunications plc 2009 05/01/2009
