However, organizations continue to make seemingly avoidable mistakes when it comes to enterprise security. Last week, I wrote about the five most common security miscalculations organizations make. Let's dive into the first one in more detail: over-relying on network defenses.
Firewalls, intrusion prevention systems (IPS), anti-virus solutions, and intrusion detection systems (IDS) protect us from worms, detect anomalous behavior, and prevent some attacks on our networks.
These protective measures are good ones to take; however, there are problems with these solutions that many organizations don't realize:
Application vs. Network Security
Let's look at some research and analyst perspectives. Many of you are familiar with the Gartner statistic from 2004 (updated in 2006) that states: "Over 70% of security vulnerabilities exist at the application layer, not the network or system layer."
The National Institute of Standards and Technology (NIST) claims this number is 92%! IDC states, "The conclusion is unavoidable: any notion that security is a matter of simply protecting the network perimeter is hopelessly out of date."
Another interesting metric, collected by Microsoft Developer Research: 64% of developers are not confident in their ability to write secure applications.
It is very telling that two out of every three developers in this survey were not confident in their ability to write secure code. It's an interesting question you may want to ask your own developers. And while you're at it, ask this of your budgeting process: if over 70% of security vulnerabilities exist in the application layer vs. the network layer, are we spending over 70% of our IT security budget on application security?
Here's a case in point from an e-commerce company I worked with last year. This company had intrusion detection, intrusion prevention and a firewall in place. Because it was a large e-commerce site, we had to do testing on the actual production system.
This e-commerce system had the common shopping basket functionality. During testing, we put an item in our basket, did some testing and didn't find anything, so we closed the browser and went out for lunch. When we returned, we opened the browser and noticed the item we had placed in our basket was still there.
This told us the e-commerce site used cookies, small text files that store bits of information on your machine about you and the items you have chosen during the session. We decided to find that cookie on our client and mess with it, something the security world calls cookie poisoning.
We opened the cookie with the world's best hacking tool, Notepad, and found information like our session ID, the merchandise item number, a description of the item, and the price of the item. Hmmm, price. We decided to mess with that parameter, change the price from $9.95 to a negative value (-$9.95), and save the file with this new information.
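The root cause in the basket story is a server that reads the price back out of a cookie the client controls. The following Python example is added here to illustrate that failure mode beside its fix; it is not code from the original article or from the e-commerce site described. The catalog, the signing key, the cookie field names (`session`, `item`, `qty`, `price`, `sig`) and the SKU are all constructed for the example, and prices are kept in whole cents to avoid floating-point rounding. The vulnerable function computes the total from the cookie's `price` field, exactly the value an attacker can edit in Notepad. The hardened function ignores any client-supplied price, re-prices the item from the server-side catalog, and verifies an HMAC over the fields the server does need to trust (item and quantity) so edits to those are detected rather than silently accepted.

```python
import hashlib
import hmac

# Constructed catalog standing in for the site's product database (assumption).
# Prices are in cents: 995 == $9.95, the item from the story.
CATALOG_PRICE_CENTS = {"SKU-1001": 995}

# Constructed signing key; a real deployment would load this from a secrets store.
COOKIE_KEY = b"constructed-example-key-do-not-reuse"


def parse_cookie(raw: str) -> dict:
    """Parse a 'name=value; name=value' cookie header into a dict."""
    fields = {}
    for part in raw.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            fields[name] = value
    return fields


def sign_fields(item: str, qty) -> str:
    """HMAC-SHA256 over the fields the server must be able to trust."""
    msg = f"{item}|{qty}".encode()
    return hmac.new(COOKIE_KEY, msg, hashlib.sha256).hexdigest()


def build_cookie(session: str, item: str, qty: int) -> str:
    """Server side: emit the basket cookie. The price is included for display only."""
    price = CATALOG_PRICE_CENTS[item]
    sig = sign_fields(item, qty)
    return f"session={session}; item={item}; qty={qty}; price={price}; sig={sig}"


def total_trusting_cookie(raw_cookie: str) -> int:
    """Vulnerable pattern: the order total is derived from the client-supplied price.

    Anything the client writes into 'price' (including a negative number) is
    accepted as-is, which is the defect the article's test uncovered.
    """
    fields = parse_cookie(raw_cookie)
    return int(fields["price"]) * int(fields["qty"])


def total_server_priced(raw_cookie: str) -> int:
    """Hardened pattern: verify integrity of item/qty, then price from the catalog.

    The cookie's 'price' field is never read. Raises ValueError if the signed
    fields were altered or the quantity is not a positive integer.
    """
    fields = parse_cookie(raw_cookie)
    expected = sign_fields(fields.get("item", ""), fields.get("qty", ""))
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(expected, fields.get("sig", "")):
        raise ValueError("basket cookie failed integrity check")
    qty = int(fields["qty"])
    if qty < 1:
        raise ValueError("invalid quantity")
    item = fields["item"]
    if item not in CATALOG_PRICE_CENTS:
        raise ValueError("unknown item")
    return CATALOG_PRICE_CENTS[item] * qty


if __name__ == "__main__":
    good = build_cookie("abc123", "SKU-1001", 1)
    # Simulate the Notepad edit from the story: $9.95 becomes -$9.95.
    tampered = good.replace("price=995", "price=-995")
    print("vulnerable total:", total_trusting_cookie(tampered))   # -995
    print("hardened total:  ", total_server_priced(tampered))     # 995
```

Note that signing alone would not have been enough here: if the price stays in the signed fields, an attacker cannot change it, but the server is still trusting a client-held copy of data it already owns. Keeping the price out of the trust decision entirely, and using the signature only for the fields that genuinely must survive a round trip, is the smaller attack surface.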