Our recent survey on hack preparedness got me wondering if IT administrators are being honest with themselves about their computer and network security practices. This comes to mind since we repeatedly hear that hackers had access to systems for weeks or months before they were discovered.
No doubt, the administrators of those systems thought they were doing a good job with their security practices, only to find out they missed something for an extended period of time. Are these cases of willful ignorance? Or worse, are security administrators deceiving themselves and their organizations about the efficacy of their security practices?
Certainly, your users can help detect a breach by reporting service outages or a vandalized website. But some of the most damaging hacks are not so obvious. With the NeweggBusiness survey data in hand, I decided to cross-check the responses to questions about fundamental security practices that might help reveal hacks and attempts.
Checking Logs Weekly… or Weakly?
Of course, checking logs is just one important method for detecting security breaches and attempted hacks. So, I wanted to see if there was a correlation between admitted frequency of checking system and network logs versus acknowledging the likelihood of detecting a security breach that wasn’t blatantly obvious.
For survey respondents who believed they would certainly detect a systems breach that wasn’t readily apparent, nearly 63% indicated they review system and network logs weekly or more often. That means that another 37% checked their logs “weakly” (less often than once a week). Considering that the time elapsed between log checks might be periods of free rein for hackers, can we honestly say those security practices are adequate?
Of those who answered that they are not likely to detect a network breach, 73% indicated they rarely review system and network logs and another 11% said their review of logs was just above rarely. So it appears that they had a realistic view of what to expect as the outcome of not making review of logs a regular and frequent habit.
Acknowledging the Greatest Security Risk, Only to (Mostly) Ignore It
We asked what they believed their greatest source of security risk is. The number one choice, at 35%, was social engineering vulnerabilities. This indicates that the largest group of respondents felt that employees are the greatest security weakness they have to deal with—well beyond network vulnerabilities, which came in second at about 23%. While some systemic protections can be put in place to help protect against this risk, most experts will agree that training employees not to become a point of security failure is the best threat deterrent.
That being the case, I cross-tabulated those respondents who selected social engineering as their greatest threat with the earlier question about the status of their existing employee security awareness program. With so much concern about social vulnerabilities among respondents, I did not expect the result that 29% have no security education program and another 38% rely on security education sent to staff by e-mail. We will have to do another study to find out how many of those employees actually read and learn from the security e-mails.
I wondered if these respondents had few employees and thus felt they could justify the lack of a formal security awareness training program. When I ran the reports for respondents in organizations with more than 20 employees, I found that more than 32% had no security awareness program and another 38% relied on occasional security education e-mails sent to staff.
Of course, many of the survey respondents are probably not in a position to require a security training program. We do hope they are honest with themselves about this and recommend one to their bosses, though, since that is the current best way to manage the social engineering risk.
While the NeweggBusiness hack preparedness survey results revealed these interesting tidbits about self-reflexive views of computer and network security practices, there were other points we’ll be reporting on that are reassuring.