Anonymous Strikes Most Fear in the Hearts of IT Security Managers
Although the notorious hactivist group Anonymous doesn't employ the scariest tactics, it still concerns security professionals more than other threats, based on a recent poll. That could be due to its potential to cause embarrassment. When Anonymous attacks a company or institution, the entire world knows, because the group gleefully makes the hack public, noted Harry Sverdlove, CTO of Bit9, which conducted the survey.
Apr 24, 2012 11:37 AM PT
Its 2012 Cyber Security Survey queried nearly 2,000 IT security experts to gauge the current state of enterprise security and otherwise identify what keeps IT executives up at night. In general, 64 percent of respondents believe their organization will be the target of a cyberattack in the next six months -- and of that amount, 61 percent believe that attack will likely to be perpetrated by hacktivists.
Other top sources of hacks include cybercriminals, at 55 percent, and nation states, specifically China and Russia, at 48 percent.
The boogeyman feared by human resource and other corporate executives -- disgruntled former executives -- was cited by just 28 percent of IT security executives in this survey.
Some Pieces Don't Fit
The data does present some discrepancies. Sixty-two percent of respondents said they most feared targeted attack methods, with malware (45 percent) and spear phishing (17 percent) techniques as the most worrisome. However, these methods are commonly used in targeted criminal and state-sponsored espionage attacks.
Concern about the attack methods commonly used by hacktivists -- that is distributed denial of service and SQL injection -- trailed at 11 percent and 4 percent, respectively.
The Embarrassment Factor
There is a reason for that discrepancy, Bit9 CTO Harry Sverdlove told the E-Commerce Times.
"IT people, like everyone else, are subject to human emotions -- namely, no one wants to be an embarrassing headline," he said.
Some of Anonymous' tactics, such as publishing individuals' personal information and photos, is a horrifying prospect for many.
Also, when Anonymous attacks a company or institution, the entire world knows, because the group gleefully makes the hack public, Sverdlove pointed out.
"Attacks by criminal groups or state-sponsored attacks are in stealth," he said, "and the company can be in control of how it is disclosed."
To some extent this fear is justified, remarked Ashley Stephenson, executive vice president of Corero Network Security.
Recent history has shown that no business is safe from becoming a victim, he told the E-Commerce Times.
"Businesses need to be proactive -- have technology and plans in place to prepare for these potential crippling attacks," Stephenson added.
"Confirming the source of each attack when the attackers themselves are actively working to remain 'anonymous' is still an ongoing challenge for enterprises and the cybersecurity industry," he explained. "We are not aware of any definitive statistics that conclusively identify the source of current threats."
Focus on the Day to Day
The survey shows that IT professionals do focus on allocating security resources based on the likelihood of which method will most likely affect them, such as malware, Sverdlove observed. Hence, the discrepancy in the responses.
"It is clear they have a realistic idea of what needs to be secured on a day to day basis," he said.
Poorly Secured Mobile Devices
Respondents also cited mobile devices and the cloud as weak spots in an enterprise's security -- and they certainly are, Sverdlove said. Only 26 percent of IT professionals feel that the security of these endpoints is effective.
However, the survey also notes that machines that score the highest for most effective security -- infrastructure servers at 40 percent and file servers at 36 percent -- have been frequent targets for hackers of late.
A Fallible Staff
This theme of overblown fears --and the subsequent overlooking of real risks -- is not new to the computer security space, security consultant Robert Siciliano told the E-Commerce Times.
In his view, it is the human element -- the fallibility of employees -- that presents the greatest risk.
"The one variable IT security specialists can't control is their own people," he said. "While budgets might be tight, a good IT security professional is resourceful and in most cases has the proper systems in place. But in the end, no amount of security will fix the human problem of gullibility and carelessness."