You just can't win when the bad guys have cooler toys

There's a growing sense among IT security practitioners that they are outgunned by hackers who have automated their attacks.

That's one of the big takeaways from a survey security vendor RedSeal recently conducted with 1,967 professionals at the recent Cisco Live and Black Hat USA conferences.

Of those surveyed, 75 percent said automated tools give hackers the upper hand in evading the defensive systems most enterprises use to protect their critical assets and data.

A vast majority of those surveyed said their employers -- for the most part large organizations -- cannot maintain necessary layered defenses based on their inability to determine where gaps in those systems exist.


--Over 71 percent of respondents admitted that their networks are exposed to external threats due to misconfiguration issues present in their security device infrastructure.

--More than 50 percent had no idea how many of their organizations’ internal hosts were actually exposed to the Internet.

--Roughly 52 percent conceded that their vulnerability management initiatives don’t allow them to prioritize remediation based on the likelihood of real-world attacks.

“Consistent application of network security controls across even medium sized networks has transcended human ability,” RedSeal CTO Dr. Mike Lloyd said in a press release. “For many years there’s been the notion of an arms race between IT security professionals and attackers; what this survey proves is that the good guys understand they’re facing a truly daunting task to keep up.”

More from the report:

Over 50 percent of those surveyed were responsible fornetworks containing over 100 or more such devices, suggesting that the sheer size and scale of today’s security infrastructure is preventing organizations from adequately maintaining defense. And while many security regulations and industry leaders have recommended for years that enterprises adopt a more metrics-driven approach toward measuring the effectiveness of security infrastructure, only 47 percent of respondents said that their employers do so today.

Vertical trends:

Some 86 percent of energy company employees believe hackers have more advanced automated tools, followed by 84 percent of government workers, 79 percent of telecommunications staffers, 71 percent of healthcare practitioners and 70 percent of financial services professionals, respectively.

Management lacks top-down visibility into risks:

Over 51 percent of chief information security officers said they don’t believe, or don’t know that vulnerability assessment tools provide enough information to identify their most important security exposures.

Some 56 percent of CISOs said they either don’t have effective metrics to measure security effectiveness or don’t know if those metrics even exist; 55 percent of network management officials made the same admissions.

Survey Methodology:

During July (Cisco Live) and August (Black Hat) 2011, RedSeal invited conference attendees to fill out an informational survey created by Dimensional Research on the topic of network security management, hackers and automation. A total of 1,967 respondents completed the survey. Participants included CISOs (5 percent), CIO/VP of IT (7 percent), Network management (46 percent), Network security (27 percent) and Security management (16 percent) professionals. Participants represented a wide range of industry verticals. Respondents were not compensated for participating in this survey.

Follow this link to the full report:

--Bill Brenner

one-stop view of latest business threats. We created it for you! Bookmark it! Use it!

CSO's Daily Dashboard gives you a

Sign up today.

Get your morning news fix with the daily Salted Hash e-newsletter!

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Healthcare records for sale on Dark Web