Tufin Technologies has announced the results of its annual 'Hacking Habits' survey, designed to better understand how trends in the hacking community impact corporate security teams. Responses from security professionals attending the recent DEF CON18 conference in Las Vegas revealed that 73% came across a misconfigured network more than three quarters of the time which, according to 76% of the sample, was the easiest IT resource to exploit.
Reuven Harrison, Chief Technology Officer and Co-Founder with the security lifecycle management specialist, was surprised to find that 58% of respondents also viewed network misconfiguration as being caused by IT staffers not knowing what to look for when assessing the status of their network configurations. He said the survey is notable because more than half the survey respondents actually work in corporate IT. "The really big question coming out of the survey," says Harrison, "is how to manage the risk that organizations run dealing with the complexity that is part and parcel of any medium-to-large sized company's security operations. "
This question was answered by Tufin's DEF CON18 research, which revealed that 18% of professionals believe misconfigured networks are the result of insufficient time or money for audits. 14% felt that compliance audits that don't always capture security best practices are a factor and 11% felt that threat vectors that change faster than they can be addressed play a key role.
Automating configuration and security management is the best way forward to solving this problem, says Harrison. With an increasing number of self-described black (11%) and grey (46%) hat hackers landing corporate security positions, the focus has overwhelmingly been on how easily we can break things - less than 30% of the sample is motivated by the desire to actually fix broken systems.
"And when you factor in the issue that 60% of the DEF CON18 respondents said they had a day job in the corporate world, it's clear that IT managers need to address the security shortcomings of their networks by remediating the network misconfiguration issue. Only by configuring their network resources correctly can companies hope to beat these security issues," he added. With 75% of respondents calling themselves hackers, Harrison says that network managers need to sit up and smell the coffee on the fact that network misconfiguration is now a primary security issue for their IT staff.
It's also worth noting that 43% of DEF CON18 attendees view planting a rogue member of staff inside a company as one of the most successful hacking methodologies. When this issue is added to the sizeable majority of security professionals that come across misconfigured systems on a regular basis, you begin to realize the scale of the security problem that networking professionals face.
"This realisation is made worse when you consider that 57% of the security professionals we surveyed classified themselves as a black or grey hat hacker, and 68% of respondents admitted hacking just for fun," he said. With networks so easily penetrated, it's no surprise that 88% believe the biggest threat to organizations lies inside the firewall.
It's not all doom and gloom emanating from the DEF CON18 survey, as Tufin found that 58% of attendees said they did not believe outsourcing security to a third party increased the chances of getting hacked, and almost half the sample believe it would not increase the chances of any sort of security or compliance issue.
"This disproves the commonly-held theory that the benefits of outsourcing security are cancelled out by an even greater set of risks. Security outsourcing has matured to the point where companies can confidently outsource parts or all of their security operations - especially when service providers offer automated tools to help with network management and configuration. With cloud computing approaching in the fast lane, this has to be good news," said Harrison.
Tufin's 'Hacking Habits' survey was conducted amongst 100 registered DEF CON 18 attendees. The 14-question 'Man-on-the-Street' survey was conducted by the registration desk and outside randomly selected talks over the course of the show. All responses were voluntary and completely anonymous. For a pdf containing the survey questions and exact breakdown of responses, please contact the appropriate regional media contact.