Unfortunately, endpoint risk is not improving. This year's State of the Endpoint Risk study by Ponemon Institute, commissioned by Lumension Security, Inc. to track endpoint risk, organizational threat strategy and resource availability, has found that the flood of mobile devices entering corporate networks, advanced persistent threats (APTs) and third-party application vulnerabilities are the primary challenges IT professionals will face in 2013. Just a few years ago, these concerns barely made the list.
A top concern in the report was the proliferation of personally owned mobile devices in the workplace. About 80 percent of those surveyed said that laptops and mobile devices pose a serious risk to their organization's networks.
It’s because of the consumerization of IT, according to George Tubin, senior security strategist at Trusteer, who sat down with TechZone360 for an interview. The consumerization of IT and the evolving smartphone and tablet market make mobile devices a more integral part of people’s lives. People want to be connected and want to use their devices, which have become an extension of themselves for everything, said Tubin. Bringing an unknown device onto the corporate network brings dangers.
“Thank Apple! And, this is new to IT. IT is used to having a standard desktop image that is tightly controlled. Allowing corporate network access by a device with an unknown security profile is dangerous. With hackers actively searching for valuable vulnerabilities and cybercriminals, and nation-states looking to launch APTs and general corporate espionage, mobile devices provide a new, unfamiliar channel to access the corporate network,” he said.
With only 13 percent stating they use stricter security standards for personal over corporate-owned devices and 29 percent reporting no security strategy for employee-owned devices at all, there is a disconnect between awareness and action.
There is a disconnect for many reasons, according to Tubin. “Some don't fully understand the dangers. Some are pressured into allowing personal device access before they can study and implement appropriate controls, and many security controls hobble the device, which isn't a very attractive option for personally owned devices,” he continued.
In the 2012 survey, only nine percent of respondents said mobile devices were a rising threat. This year, 73 percent rank mobile as one of the greatest risks within the IT environment. Additionally, this year's study found that IT professionals view third-party applications as a major security threat. In fact, 67 percent of those surveyed reported they viewed third-party applications as a significant risk – second to mobile security risk.
“App vulnerabilities have been a problem since the beginning of s/w,” explained Tubin. “The recent problem is the growing complexity of s/w, the growing cybercrime market and the increasing value of finding app vulnerabilities. Hackers can earn hundreds of thousands of dollars for identifying critical vulnerabilities that allow for underlying system exploits.”
In previous years, the server environment, data centers and operating system vulnerabilities were cited as primary concerns. With the proliferation of mobile devices, along with the range of software used in today's enterprise environment, IT practitioners are worried about the attack vectors these third-party tools could bring into corporate networks.
"Clearly, IT is concerned but ill-equipped to deal with these issues,” said Clawson. “This may be due to lack of budget or lack of confidence in the tools they have at their disposal. We need to ensure that these issues are being raised to the C-suite, so that IT can secure the tools and funds they need to deal with this ever-growing challenge.”
The biggest challenge for 2013 is advanced persistent threats (APTs). APTs have been around for some time, starting with state-sponsored attacks and now evolving into private attacks.
“The problem with APT is that most companies don't know when they're the victim of this type of attack, and if they do discover it, very few report it. Stealing data does not leave the same trail as stealing money and is therefore much more difficult to discover,” said Tubin.
Whereas worms were a concern in earlier reports, today's IT teams consider APTs and hacktivism a global threat: 36 percent of respondents said they viewed APTs as a "significant" threat to their environments, compared with just 24 percent last year. Only 12 percent stated that current anti-virus/anti-malware technology is effective in protecting their IT endpoints from malware risk.
Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said, “With the rise of hacktivism and advanced persistent threats, along with the sheer number of malware incidents we are seeing today, IT simply cannot keep up with the bad guys.”
Edited by Rachel Ramsey