Humans Being: Why those outages are our fault

May 18, 2011 | 4 mins
Data and Information Security

An AlgoSec survey of information security professionals shows human error is to blame for network outages. In other news, water is wet.

So why am I writing about it?

Because as obvious as the survey headline seems, it is worth repeating: companies still love to blame their technology for their lot in life when the failure is usually their own fault.

Let’s review some of the findings in this survey:

The survey asked more than 100 information security professionals why businesses struggle with network security management. Faced with increasingly complex corporate networks, the survey found that the majority of information security professionals believe human error to be the primary reason for network security disruptions.

According to the survey, 66 percent of respondents cited human error in the configuration of network devices as the most common cause of outages in the past 12 months, followed by capacity overload (14 percent) and flaws in the gateway product (9 percent). The majority of respondents claimed to have anywhere from ten to forty-nine different security gateways installed on their network. Another 15 percent of companies had more than fifty security gateways installed.

“Network and security managers are faced with an evolving landscape of both internal and external threats to corporate data,” said Prof. Avishai Wool, AlgoSec’s CTO. “At the same time, their corporate networks are constantly changing to adapt to the needs of the business – this could be working with new business partners, acquiring another company, or simply adding credit card data to the mix. Managing the sheer number of devices, not to mention the changes that these devices undergo, is a daunting task for any organization.”

The most common security gateways were firewalls, installed on 98 percent of corporate networks, along with anti-virus (found on 90 percent) and content filters (on 85 percent). Among these devices, firewalls were said to require the greatest investment of time and were held responsible for causing the most network disruptions. 73 percent of respondents cited a “high number of changes” as the primary reason for the large time investment in managing security gateways.

“The survey suggests that organizations may actually over-invest in extra capacity in fear of network outages, rather than address security management issues that can have the same impact,” said Nimmy Reichenberg, AlgoSec’s VP of Marketing.

“The only constant in network security management is that configurations are constantly changing,” continued Wool. “But often the most dangerous device on the network is the keyboard – where configuration errors are made. We need to take this responsibility out of the hands of administrators. Automation is critical to maintaining proper security and operations. Without it, too much is left to chance.”

For additional insights from the Network Security Management Survey, visit AlgoSec’s blog, Playing with Fire.

OK. Truth be told, I’m always skeptical of vendor-driven surveys. They have a way of being suspiciously sculpted to play into a need for everyone to run out and buy the particular vendor’s products.

But I’ve had many a conversation over coffee with very smart security practitioners who find it difficult to get excited by every reported software vulnerability.

The reason, they usually tell me, is that they lose far more sleep knowing that somewhere on their networks is a collection of bolted-on devices that were badly configured by the humans who put them there.

Hackers love misconfigured systems. They are much easier to break into.

That reality gives this particular survey a bit more weight.

The findings aren’t what I would call news — hence the “water is wet” crack — but there is a glimmer of truth in there.

To AlgoSec’s credit, the findings are backed up with some suggested best practices:

• Factor in ease of use when selecting security products — Which of the two do you prefer — a great security product that is misconfigured or a good security product that is well configured? Make sure to give ample weight to ease of management and configuration when selecting security products.

• Continuous training — it’s not enough to train your security and operations team when you first deploy a new technology. Make sure you allocate the time and budget to ensure security staff is up to speed with the latest know-how.

• Automate as much as possible — automation is not only about operational efficiency, it’s also about reducing errors. Invest in tools that can help you automate security configuration and/or discover configuration errors.

• Review change management processes — change management is often the weakest link when it comes to security management. Make sure you have the processes and tools to ensure changes do not introduce new problems.

–Bill Brenner