Sample Organization
Dear Reader:
For the eighth consecutive year, Digital Defense, Inc. (DDI) has conducted our annual Insight study,
and we continue to be pleased with the participation. Your feedback provides valuable perspective that
allows us to continually evaluate and enhance our security offerings to best meet your needs.
Insight was developed with an end goal of empowering you with unbiased and relevant information
about information security practices and programs as reported by our clients. The format allows you to
examine your responses in comparison to YOUR PEERS, as well as the aggregate results for ALL
PARTICIPANTS.
Each year, based on your recommendations, we have included additional questions that are pertinent to
the current security landscape, demonstrating the importance of ongoing input from DDI clients, security
practitioners and industry influencers. This feedback strengthens the report and our ability to provide
useful and actionable intelligence to assist you as you make informed decisions regarding your
information security programs. Our mission has remained constant since the inception of Insight… to
answer persistent and difficult questions such as:
• Is my organization in step with what my peers and others are doing with respect to the use of
technology and services to thwart various information security threats?
• Is my organization adequately staffed and trained to ensure the optimal level of security to defend
against a potential security breach?
Our goal is to be a trusted partner as you navigate the changing dynamics of the information security
landscape. In closing, we are committed to helping you protect your most valuable assets against a
security attack. We believe this study can provide an important perspective as you develop and execute
your 2016 information security strategy. As always, we welcome your continued feedback and
communication.
Sincerely,
Larry Hurtado
President & CEO
Digital Defense, Inc.
© 2015 Digital Defense, Inc.
Report Data is Client Confidential
Insight 2015 Overview
Data Sources
To capture the responses of participants for Insight 2015, Digital Defense utilized a web-based
questionnaire. The questionnaire was specifically developed to capture general, sometimes public
information about the participants, as well as other more sensitive information specific to their Information
Security program and practices.
Survey responses were anonymous and responses are presented in aggregate. This data has been
analyzed and results are presented in the following sections of the Insight 2015 report.
Section Summary
General Information
Demographic information, such as a breakdown of the participating organizations' size, location, etc., is
included in this section.
Security and Vulnerability Summary
All vulnerability data portrayed within the Insight 2015 report was gathered via the Digital Defense
Frontline™ Solutions Platform Active View workflow management system. The vulnerability data
represents vulnerabilities discovered in prior vulnerability scans or penetration tests and loaded into
the workflow management system for assignment to organization employees or third-party vendors as
part of their remediation activities.
Information Security Program Overview (Security Program Ownership, Budgets, Duties and
Training)
This section focused specifically on capturing information regarding who within the participating
organization is responsible for the management of the organization's information security program,
budgetary data/purchasing influences, and training and conference participation.
Information Security Services and Compliance Services
Information regarding services currently in use or planned within the next 90 days by the participating
organization is highlighted in this section. The information is vendor-agnostic and focuses on the type of
Information Security products and services most widely available to organizations.
Information Security Policies and Programs
This section highlights the policies and programs that an organization institutes to ensure standards and
guidelines are established in alignment with best practices and regulations that facilitate a secure
environment.
Information Security Concerns
This section captured information regarding the level of concern each participating organization had with
a variety of information security threats. Participants were asked to rank the concerns in level of
importance on a five point scale from None to Very High.
Table of Contents
Executive Summary ..... 5
Who Participated ..... 11
Security & Vulnerability Summary ..... 12
Security Program Ownership ..... 14
Information Technology Budget ..... 15
Information Security Budget ..... 16
IT-Related Duties ..... 17
IT Security-Related Duties ..... 18
Information Security Training ..... 19
Security Conferences ..... 21
Security Services ..... 22
Compliance Services ..... 30
Security Policies/Programs ..... 39
Security Concerns ..... 44
Sample Organization INSIGHT 2015
Executive Summary
The Executive Summary is intended to highlight key findings of the aggregated data as reported by ALL
PARTICIPANTS of the Insight 2015 study. This information will provide an "at-a-glance" view of
information security programs and practices within organizations across various industries.
Detailed findings can be examined in each section of the report. Each Digital Defense, Inc. (DDI) client
who completed the Insight questionnaire will receive a customized Insight 2015 Peer Analysis report
based on their responses and vulnerability data contained within the Frontline™ Solutions Platform
(FSP) Active View workflow management system. The sample report, available to non-clients, provides
valuable data for ALL PARTICIPANTS and a sample illustration of the peer comparison available
exclusively to DDI clients. All Insight report data is confidential and has been sanitized for use in the
comparative analysis.
Participation in the Insight 2015 study was representative of organizations across the United States in
multiple industries with primary participation received from information security professionals
employed in Banks, Credit Unions, Financial Services, Legal, Education, Healthcare and Manufacturing.
Highest Risk Vulnerabilities
The vulnerabilities most frequently identified across DDI clients through FSP are reflected below:
Top 5 Internal High Risk Vulnerabilities
• SNMP Writeable Communities
• Java Critical Patch Update - CPU-APRIL-2015
• Java Critical Patch Update - CPU-JANUARY-2015
• Java Critical Patch Update - CPU-OCTOBER-2014
• APSB15-10: Security Updates Available for Adobe Acrobat and Reader
Top 5 External High Risk Vulnerabilities
• MS15-034: Microsoft IIS HTTP.sys Remote Code Execution (Network Check)
• Apache HTTP Server 'mod_session_dbd.c' Unspecified Impact
• Apache HTTP Server Isapi_unload Remote Command Execution
• MS12-020 Remote Desktop Protocol Connect Use-After-Free Vulnerability (Network Check)
• Web Server SQL Injection
Information Security Resourcing
While the resources allocated to Information Technology & Information Security vary, results
highlight key trends across organizations of varying sizes and industries:
• The Chief Information Officer (29%), Chief Executive Officer (17%) and Vice President
of IT (17%) are primary owners of InfoSec programs.
• 94% of organizations have 5 or fewer employees devoted to Information Security.
• 65% of respondents have Information Security (IS) budgets no greater than $100,000,
while 26% have a total Information Technology (IT) budget over $500,000. Approximately
16% of respondents were unaware of IS or IT budget allocation.
• Security Awareness training is delivered to staff via multiple methods including
classroom/group presentations (62%), computer-based training (56%), content delivered through
organization’s Learning Management System (LMS) (22%), offsite events (12%) and consultants
(6%).
• Information Security specific conferences identified in rank order included:
Two specific conferences that have been in the top 5 rankings consecutively beginning with Insight
2011 are the NAFCU/CUNA-sponsored Security Events and the Vendor-sponsored
Events/Working Groups. This is reflective of the large number of survey participants in the credit
union industry. Additionally, the number of participants who do not attend conferences "None" has
remained consistent, ranking in the top 5 over the past 4 years (Insight 2012 - 2015).
Information Security Concerns
Organizations are faced daily with a number of threats that could open the door for security breaches
that potentially pose devastating losses to a firm’s bottom line and reputation. Respondents were asked
to rank their level of concern for listed security threats and weaknesses that could potentially open the
door to a breach. The chart below reflects the calculated average ranking on a scale from 0 to 4,
representing the level from no concern to very high concern.
One specific security threat that has been in the top 4 rankings since Insight 2012 has been Virus,
Worm, Malware Threats. Two threats that have been ranked in the bottom 5 since Insight 2011 are
In-House Software Development Threats and Voice Over IP/Phone System Threats.
Information Security Services
The chart below illustrates the information security services utilized by ALL PARTICIPANTS.
Vulnerability Scanning and Ethical Hacking/Penetration Testing are the highest reported services
used, while VOIP/PBX Security Assessment and Application Code Analysis were the least utilized.
Vulnerability Scanning and Ethical Hacking/Penetration Testing have consistently been the top 2
reported utilized services since Insight 2011. A trend reflected across Insight reports beginning in 2011
through 2015 illustrates a correlation between High Concerns and Information Security Services utilized.
For example, Virus, Worm, Malware Threats is identified as a High Concern, and the services used to
mitigate this risk, Vulnerability Scanning and Ethical Hacking/Penetration Testing, reflect the highest
reported level of usage.
Compliance Services
In many organizations, compliance is the driver for the utilization of security services. Over 60% of the
respondents perform Information Security Training for Employees, Information Security Risk
Assessments, Encryption Services, and IT Audits. The least utilized compliance services include
ISO Standards, Application Source Code Audits and Forensics Services. Only 8% reported they do not
use any of the compliance services listed.
Beginning with Insight 2011, three services have consistently ranked in the top 5: Information Security
Training for Employees, Information Security Risk Assessment and IT Audits, while Forensics
Services and Application Source Code Audit have ranked in the bottom 5 during this time period.
Security Programs
The chart below reflects the most utilized programs and policies. Acceptable Use of Computer
Systems ranked highest at 93% usage, while Policies related to Securing Protected Data and
Mobile Device usage ranked the lowest at 75%, still a respectable level of usage among participants.
This demonstrates the level of importance organizations associate with security policies.
Information Security Policy: Acceptable Use of Computer Systems and Disaster Recovery
Program have been ranked as the top 2 programs/policies over the past 3 years (Insight 2013 - 2015),
while Securing Protected Data and Mobile Devices have ranked the lowest during this same time period.
This question was not included in the survey prior to 2013.
Compliance continues to be a driver for information security issues and organizations appear to be
proactive in the development of information security policies.
Who Participated
Participation Information
The opportunity to participate in the study associated with the Insight report was provided to
organizations around the country. At the time of the generation of this report, organizations from 34
states elected to participate as reflected in the map below.
Peer Group Information
For the purposes of the Insight report, a peer is considered any other organization, within your industry,
that falls within the same staff size range. Based upon your input to the online Insight questionnaire, your
peer group consists of organizations between 101-250 in staff size.
Participation by staff size (percentage of participating organizations):
1-25: 13.13%
26-50: 17.17%
51-100: 19.19%
101-250: 25.25%
251-1000: 18.18%
1001-2500: 2.02%
2501-10000: 1.01%
Over 10000: 3.03%
I Don't Know: 1.01%
The opportunity to participate in the study associated with the Insight report was provided to
organizations around the country. Within your industry, organizations from a variety of staff size groups
participated, with the largest participation coming from the 101-250 staff range.
Security & Vulnerability Summary
Digital Defense, Inc. has developed the Security GPA® network security metric to facilitate comparative
analysis on a familiar 4 point scale.
What is Security GPA? Think of it as a grade point average for your network. Security GPA is
calculated using a complex algorithm that takes into account both the network security posture rating
and the business risk associated with discovered vulnerabilities.
The following compares your overall Security GPA rating with the ratings of other participating
organizations. The overall rating is derived by averaging the host vulnerability ratings obtained from the
Frontline Solutions Platform Active View workflow management system.
Note: Your Security GPA shown below may not be the same as the Security GPA displayed by the Frontline portal. Insight's
Security GPA calculation does not account for any custom host prioritization values, configured within the Frontline portal, for
ease of comparison across clients. This data was captured from the Frontline Solutions Platform Active View workflow
management system as of August 14, 2015.
[Chart: Security GPA, Internal and External, for Your Organization, Your Peers (Security GPA Average) and All Participants (Security GPA Average). Values shown in the chart: 3.05, 3.46, 3.27, 3.00, 2.80, 2.39.]
The following section lists the top five most common high-risk internal and external vulnerabilities
among all Insight participants. This vulnerability data was captured from the Frontline Solutions
Platform Active View workflow management system as of August 14, 2015.
Your Organization
Top 5 Internal High Risk Vulnerabilities: No High Risk Vulnerabilities Found
Top 5 External High Risk Vulnerabilities: No High Risk Vulnerabilities Found
Your Peers
Top 5 Internal High Risk Vulnerabilities
• SNMP Writeable Communities
• HP JetDirect Device Page Directory Traversal
• NFS Improper UID Verification Vulnerability
• OptiPoint Default Login
• Passwordless HP JetDirect
Top 5 External High Risk Vulnerabilities
• MS15-034: Microsoft IIS HTTP.sys Remote Code Execution (Network Check)
All Participants
Top 5 Internal High Risk Vulnerabilities
• SNMP Writeable Communities
• Java Critical Patch Update - CPU-APRIL-2015
• Java Critical Patch Update - CPU-JANUARY-2015
• Java Critical Patch Update - CPU-OCTOBER-2014
• APSB15-10: Security Updates Available for Adobe Acrobat and Reader
Top 5 External High Risk Vulnerabilities
• MS15-034: Microsoft IIS HTTP.sys Remote Code Execution (Network Check)
• Apache HTTP Server 'mod_session_dbd.c' Unspecified Impact
• Apache HTTP Server Isapi_unload Remote Command Execution
• MS12-020 Remote Desktop Protocol Connect Use-After-Free Vulnerability (Network Check)
• Web Server SQL Injection
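The Top 5 lists above and the Security GPA described on the previous page (an average of per-host ratings that deliberately ignores custom host prioritization) are simple aggregations over raw findings. The Python below is an added example, not Digital Defense's code and not the Frontline platform's export format or scoring algorithm: the record layout, the 4-point per-host rating and the "priority" field are assumptions, and every finding and rating in it is constructed sample data.

```python
"""Reproduce two of the report's summary computations from raw findings:
the top-N most frequent high-risk vulnerabilities per scope, and a Security
GPA obtained by averaging per-host ratings on a 4-point scale.

Added example. The record layout, the 4-point per-host rating and the
"priority" field are assumptions, not the Frontline platform's export
format or scoring algorithm; all sample data below is constructed.
"""
from collections import Counter

HIGH_RISK = "high"

# Constructed sample findings: (scope, host, vulnerability title, risk level).
SAMPLE_FINDINGS = [
    ("internal", "10.0.0.5", "SNMP Writeable Communities", "high"),
    ("internal", "10.0.0.7", "SNMP Writeable Communities", "high"),
    ("internal", "10.0.0.7", "SNMP Writeable Communities", "high"),  # same host, second instance
    ("internal", "10.0.0.7", "Passwordless HP JetDirect", "high"),
    ("internal", "10.0.0.9", "HP JetDirect Device Page Directory Traversal", "high"),
    ("internal", "10.0.0.9", "SSL Certificate Expired", "medium"),
    ("external", "203.0.113.10", "MS15-034: Microsoft IIS HTTP.sys Remote Code Execution (Network Check)", "high"),
    ("external", "203.0.113.11", "MS15-034: Microsoft IIS HTTP.sys Remote Code Execution (Network Check)", "high"),
    ("external", "203.0.113.11", "Web Server SQL Injection", "high"),
    ("external", "203.0.113.12", "HTTP TRACE Method Enabled", "low"),
]

# Constructed per-host ratings: (scope, host, rating, priority). Rating is on an
# assumed 4-point scale (4.0 best); priority models a custom host prioritization
# value, which the Insight comparison ignores for cross-client comparability.
SAMPLE_HOST_RATINGS = [
    ("internal", "10.0.0.5", 2.0, 1.0),
    ("internal", "10.0.0.7", 1.0, 3.0),
    ("internal", "10.0.0.9", 3.0, 1.0),
    ("external", "203.0.113.10", 2.5, 1.0),
    ("external", "203.0.113.11", 1.5, 1.0),
    ("external", "203.0.113.12", 4.0, 1.0),
]


def top_high_risk(findings, scope, n=5):
    """Rank high-risk titles for one scope by the number of distinct hosts
    affected. A title reported twice on the same host (two ports, two
    instances) counts once, so the ranking reflects spread, not noise."""
    affected = {(host, title)
                for s, host, title, risk in findings
                if s == scope and risk == HIGH_RISK}
    counts = Counter(title for _, title in affected)
    # Count descending, then title ascending, so ties rank deterministically.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [title for title, _ in ranked[:n]]


def security_gpa(host_ratings, scope, use_priority=False):
    """Average the host ratings for one scope, rounded to two decimals.
    use_priority=True weights each host by its priority value (what a portal
    with custom prioritization would show); the unweighted form is the one
    used for peer comparison. Returns None when the scope has no hosts."""
    rows = [(rating, prio) for s, _, rating, prio in host_ratings if s == scope]
    if not rows:
        return None
    if use_priority:
        weight = sum(p for _, p in rows)
        return round(sum(r * p for r, p in rows) / weight, 2)
    return round(sum(r for r, _ in rows) / len(rows), 2)


def insight_summary(findings, host_ratings):
    """Build the per-scope summary the report prints: Top 5 plus Security GPA."""
    return {
        scope: {
            "top_high_risk": top_high_risk(findings, scope),
            "security_gpa": security_gpa(host_ratings, scope),
        }
        for scope in ("internal", "external")
    }


if __name__ == "__main__":
    import json
    print(json.dumps(insight_summary(SAMPLE_FINDINGS, SAMPLE_HOST_RATINGS), indent=2))
```

Counting a title once per affected host is the choice that keeps the ranking meaningful: a scanner that reports SNMP Writeable Communities on every UDP port of one device would otherwise outrank the same finding spread across ten devices. The weighted and unweighted GPA for the internal scope differ (1.6 versus 2.0 on the constructed data), which is exactly why the report's note warns that the portal's figure may not match the Insight figure.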
Security Program Ownership
Your Organization: Chief Information Security Officer (CISO)
Organizations, regardless of vertical, should have at least one individual that is ultimately responsible
for their information security program. Based upon your response to the Insight online questionnaire,
your program’s prime is referenced above. Responses from other participants are provided in the two
graphics below.
Your Peers
Chief Executive Officer (CEO): 8.00%
Chief Information Officer (CIO): 48.00%
Chief Information Security Officer (CISO): 0.00%
Chief Financial Officer (CFO): 4.00%
Chief Operations Officer (COO): 0.00%
Information Security Officer: 4.00%
Information Systems Manager: 4.00%
Vice President of IT: 24.00%
Vice President of Risk Management: 0.00%
Partner: 4.00%
Other: 4.00%
I Don't Know: 0.00%
Total: 100.00%
All Participants
Chief Executive Officer (CEO): 17.17%
Chief Information Officer (CIO): 31.31%
Chief Information Security Officer (CISO): 3.03%
Chief Financial Officer (CFO): 4.04%
Chief Operations Officer (COO): 6.06%
Information Security Officer: 2.02%
Information Systems Manager: 10.10%
Vice President of IT: 17.17%
Vice President of Risk Management: 0.00%
Partner: 1.01%
Other: 8.08%
I Don't Know: 0.00%
Total: 100.00%
Information Technology Budget
Of keen interest to many Boards and management teams at organizations around the country are the
budgets allocated by their peers for information security programs. Improper funding of an information
security budget can expose an organization to undue risk; however, many times budget planning teams
have little insight as to what is adequate and what is overkill. With peer budget information, planning
teams have the opportunity to consider the information and make more sound budgetary decisions,
while at the same time securing the organization's networks.
The following section of the Insight report outlines the real dollars associated with information
technology spending for your organization. Information in the graphics below is broken out by your
Your Organization: $500,001-$1,000,000
Your Peers
$0-$5,000: 0.00%
$5,001-$10,000: 4.00%
$10,001-$50,000: 0.00%
$50,001-$100,000: 16.00%
$100,001-$250,000: 16.00%
$250,001-$500,000: 24.00%
$500,001-$1,000,000: 24.00%
Over $1,000,000: 4.00%
I Don't Know: 12.00%
Total: 100.00%
All Participants
$0-$5,000: 5.05%
$5,001-$10,000: 6.06%
$10,001-$50,000: 12.12%
$50,001-$100,000: 13.13%
$100,001-$250,000: 10.10%
$250,001-$500,000: 11.11%
$500,001-$1,000,000: 15.15%
Over $1,000,000: 11.11%
I Don't Know: 16.16%
Total: 100.00%
Information Security Budget
The following section of the Insight report outlines the percentage of your information technology
budget that is consumed by information security solutions. Information in the graphics below is broken
out by your organization's response, the averaged responses for your peer group and for all
participants.
Your Organization: $10,001-$50,000
Your Peers
$0-$5,000: 0.00%
$5,001-$10,000: 4.00%
$10,001-$50,000: 28.00%
$50,001-$100,000: 32.00%
$100,001-$250,000: 20.00%
$250,001-$500,000: 4.00%
$500,001-$1,000,000: 0.00%
Over $1,000,000: 0.00%
I Don't Know: 12.00%
Total: 100.00%
All Participants
$0-$5,000: 7.07%
$5,001-$10,000: 9.09%
$10,001-$50,000: 27.27%
$50,001-$100,000: 22.22%
$100,001-$250,000: 11.11%
$250,001-$500,000: 6.06%
$500,001-$1,000,000: 1.01%
Over $1,000,000: 1.01%
I Don't Know: 15.15%
Total: 100.00%
IT-Related Duties
Many security practitioners feel that the number of individuals employed within an organization's
information technology (IT) department has a dramatic impact on the success, or failure, of the corporate
information security program. All too often though, organizations staff their IT departments based upon
the perceived need relative to their size instead of the complexity and security profile of their computing
infrastructure. Each organization should consider the information provided in Insight to determine if
staffing for their IT department is adequate, or needs to be "right sized" to come more in line with their
peers.
The following portrays the number of employees you indicated directly participate in IT duties, versus
the number of employees indicated by your peers and all other organizations that participated in the
study.
Your Organization: 11-25
Your Peers
None: 0.00%
1-5: 52.00%
6-10: 32.00%
11-25: 16.00%
26-50: 0.00%
51-100: 0.00%
101-250: 0.00%
Over 250: 0.00%
I Don't Know: 0.00%
Total: 100.00%
All Participants
None: 2.02%
1-5: 58.59%
6-10: 9.09%
11-25: 19.19%
26-50: 9.09%
51-100: 0.00%
101-250: 1.01%
Over 250: 0.00%
I Don't Know: 1.01%
Total: 100.00%
IT Security-Related Duties
Many security practitioners feel that the number of employees directly involved with an organization's
information security program has a dramatic impact on the success, or failure, of the program. All too
often though, organizations staff their security departments based upon the perceived need relative to
their size instead of the complexity and security profile of their organization. Each organization should
consider the information provided in Insight to determine if staffing for their information security program
is adequate, or needs to be "right sized" to come more in line with their peers.
The following portrays the number of employees you indicated directly participate in information security
duties, versus the number of employees indicated by your peers and all other organizations that
participated in the study.
Your Organization: 1-5
Your Peers
None: 4.00%
1-5: 88.00%
6-10: 4.00%
11-25: 0.00%
26-50: 0.00%
51-100: 0.00%
101-250: 4.00%
Over 250: 0.00%
I Don't Know: 0.00%
Total: 100.00%
All Participants
None: 7.07%
1-5: 86.87%
6-10: 3.03%
11-25: 1.01%
26-50: 0.00%
51-100: 0.00%
101-250: 1.01%
Over 250: 0.00%
I Don't Know: 1.01%
Total: 100.00%
Information Security Training
The following portrays the number of sessions allocated for information security training to your IT staff
by your organization versus the numbers provided by your peers and all other organizations that
participated in the study.
Your Organization: 3-4
Your Peers
None: 16.00%
1-2: 48.00%
3-4: 20.00%
5 or more: 16.00%
I Don't Know: 0.00%
Total: 100.00%
All Participants
None: 10.10%
1-2: 52.53%
3-4: 23.23%
5 or more: 11.11%
I Don't Know: 3.03%
Total: 100.00%
Information Security Training - Delivery Method
Security Awareness Training is delivered to the average employee through various delivery channels.
The following reflects in rank order the methods in which information security training is delivered to an
average employee.
Your Organization
Internal - Staff Classroom/Group Presentations
Your Peers
Internal - Staff Classroom/Group Presentations
Computer-Based Training
Internal - Content Delivered via Learning Management System
Offsite Events (conferences, designated seminars, etc.)
Consultant
All Participants
Internal - Staff Classroom/Group Presentations
Computer-Based Training
Internal - Content Delivered via Learning Management System
Offsite Events (conferences, designated seminars, etc.)
Consultant
Security Conferences
While some organizations may see conferences as an unnecessary and frivolous expense, more and
more are turning to them as a venue where their security teams can network and learn from other
security professionals. Many of the conferences listed below hold not only general sessions that talk
about information security at a high level, but also hold "deep dive" sessions to educate the attendees
on the latest technical details regarding system and application exploits and what organizations can do
to avoid falling prey to them. As such, these conferences can provide value not only to the CISO, but to
the ISO as well. Organizations should evaluate the information contained within Insight to determine if
there are other conferences attended by their peers that would potentially provide value and educational
opportunities for their information security staff.
The following information portrays the information security conferences that your staff attend, versus
those that are attended by your peers and all other organizations that participated in the study.
Your Organization
Local Chamber of Commerce-sponsored Security Events
NAFCU/CUNA-sponsored Security Events
Vendor-sponsored Events/Working Groups
Your Peers
Vendor-sponsored Events/Working Groups
Local Chamber of Commerce-sponsored Security Events
NAFCU/CUNA-sponsored Security Events
None
ABA-sponsored Security Events
All Participants
Vendor-sponsored Events/Working Groups
NAFCU/CUNA-sponsored Security Events
None
Local Chamber of Commerce-sponsored Security Events
Financial Service ISAC events (FS-ISAC)
Security Services
Active Directory Implementation Assessment
Your Organization: no
% Who Currently Use - Your Peers: 8.00%, All Participants: 10.10%
An Active Directory Implementation Security Assessment will typically look to assess the overall security of an
organization's Active Directory structure. These assessments evaluate the use of Group Policies and other user
control mechanisms which can be utilized to protect not only the end-user but the organization as whole.
Application Code Analysis
Your Organization: no
% Who Currently Use - Your Peers: 0.00%, All Participants: 4.04%
An Application Code Analysis entails the manual or automated evaluation of software source code in an effort to
determine if latent vulnerabilities exist that may place the user of the software at risk after it is introduced into a
production setting.
Ethical Hacking/Penetration Testing
Your Organization: yes
% Who Currently Use - Your Peers: 64.00%, All Participants: 57.58%
Penetration Testing consists of security analysts manually testing vulnerabilities to determine whether they are
exploitable. This includes the use of automated scripts, exploits, or other types of attacks. Penetration testing is
also commonly known as ethical hacking.
Mobile Device Security Assessment (smartphone, tablets, etc.)
Your Organization: no
% Who Currently Use - Your Peers: 20.00%, All Participants: 15.15%
A Mobile Device Security Assessment consists of the evaluation of an organization's implementation of mobile
devices such as BlackBerry handhelds, iPhones, and Windows Mobile devices. During the assessment, security
analysts will evaluate whether the devices have been implemented in a secure fashion to avoid traffic interception
between the organization's mail server and the device, and to ensure that the device is encrypted or will
auto-wipe stored data if it is lost or stolen.
Network Security Architecture Review
Your Organization: yes
% Who Currently Use - Your Peers: 44.00%, All Participants: 30.30%
A Network Security Architecture Review consists of the evaluation of an organization's computer network
implementation. The security analyst will evaluate network and system segmentation efforts, the use of
encryption and VLAN technology, as well as what other network protection mechanisms may benefit the
organization and aid them in reaching their security goals.
Physical Security Review
Your Organization: yes
% Who Currently Use - Your Peers: 44.00%, All Participants: 40.40%
A Physical Security Review evaluates the physical security controls an organization has put in place to protect
the computing assets and confidential data utilized by the organization's employees. These controls may include
those associated with the corporate data center, the locking mechanisms utilized on secure area doors, video
camera placement and usage, badge systems, and other controls. Additionally, these reviews will also normally
include employee interviews where the security analyst will look to determine the general level of security
awareness within the employee population.
Social Engineering Assessment - Onsite (office infiltration, dumpster diving, etc.)
Your Organization: yes
% Who Currently Use - Your Peers: 24.00%, All Participants: 23.23%
An Onsite Social Engineering Assessment consists of a security analyst attempting to gain access to physical
corporate resources by violating the trust of an organization's employees or trusted third-party vendors. The
security analyst will typically attempt to gain access to one or more office locations. Once access is gained, the
analyst will connect to the corporate network; collect computing assets or confidential information, and attempt to
bypass physical security controls. The security analyst may also bypass controls by using tools such as "lost"
USB fobs or CD-ROMs that are then collected by employees and utilized on the organization's computing
platforms.
Social Engineering Assessment - Remote (e-mail, telephone, online, etc.)
Your Organization: yes
% Who Currently Use - Your Peers: 64.00%, All Participants: 49.49%
A Remote Social Engineering Assessment consists of a security analyst attempting to gain the trust of an
organization's employees or trusted third-party vendors and elicit confidential data such as system access codes,
passwords, or even information regarding the organization's clientele. These engagements can utilize phone
calls, fraudulent e-mail content and websites, or a combination of all three attack mechanisms.
VoIP/PBX Security Assessment (Your Organization: no)
% Who Currently Use: Your Peers 4.00%, All Participants 5.05%
VoIP/PBX Security Assessments consist of the evaluation of an organization's Voice Over IP implementation.
These security assessments typically evaluate the security not only of the PBX, but of the handsets and actual
VoIP traffic as well. The assessments typically look to identify configuration weaknesses, the use of unneeded
services, and the use of encryption to protect voice traffic.
Vulnerability Scanning (Your Organization: yes)
% Who Currently Use: Your Peers 80.00%, All Participants 81.82%
Vulnerability Scanning typically consists of the automated scanning of an organization's networks in an effort to
determine which hosts are "live" and what vulnerabilities are potentially resident on those systems. Vulnerability
scanning is also commonly referred to as a vulnerability assessment.
War Dialing (Your Organization: no)
% Who Currently Use: Your Peers 8.00%, All Participants 8.08%
War Dialing consists of the automated scanning of an organization's phone lines in an effort to identify open
carriers that may provide system access. War Dialing may also include the manual testing of identified "open"
lines in an effort to see if system access can actually be obtained.
Web Application Security Assessment (Your Organization: yes)
% Who Currently Use: Your Peers 8.00%, All Participants 16.16%
A Web Application Security Assessment consists of testing that is very similar to that of a penetration test or
ethical hacking engagement. However, the Web Application Security Assessment focuses on the web
applications utilized by an organization and focuses on exposing cross-site scripting, SQL injection and buffer
overflow conditions that may exist within the application. Testing may be done in a "black box" or unauthenticated
fashion, or it may be conducted in a "white box" manner where the security analyst is provided one or more user
accounts.
Wireless Security Review (Your Organization: no)
% Who Currently Use: Your Peers 12.00%, All Participants 16.16%
A Wireless Security Review consists of the evaluation of an organization's wireless implementation. The
evaluation will typically consider how the organization has implemented encryption, the security configuration of
the organization's wireless access points, and the level at which the wireless signal "bleeds" into other areas of
the building or nearby parking structures. Additionally, the service may also include the assessment of the
organization's corporate networks to determine if rogue, unauthorized access points are presently in use.
Other (Your Organization: no)
% Who Currently Use: Your Peers 4.00%, All Participants 6.06%
None of the Above
Percentage of Participants Who Do Not or Will Not Use Any of the Services Above
% Who Do Not Use: Your Peers 4.00%, All Participants 6.06%
Top 3 Security Services
Participants were asked to rank the security services in order of importance to the organization's
security program. The chart below represents the top 3 ranked security services.
All Participants:
  Social Engineering Assessment - Remote (e-mail, telephone, online, etc.)
  Ethical Hacking/Penetration Testing
  Vulnerability Scanning
Your Peers:
  Ethical Hacking/Penetration Testing
  Social Engineering Assessment - Remote (e-mail, telephone, online, etc.)
  Network Security Architecture Review
Your Organization:
  Ethical Hacking/Penetration Testing
  Social Engineering Assessment - Onsite (office infiltration, dumpster diving, etc.)
  Social Engineering Assessment - Remote (e-mail, telephone, online, etc.)
Compliance Services
Anti-Phishing/Vishing Services (Your Organization: no)
% Who Currently Use: Your Peers 28.00%, All Participants 31.31%
Anti-Phishing/Vishing Services typically consist of a monitoring component where the vendor will scan the
Internet looking for malicious sites that mimic an organization's website, home banking system, or e-commerce
platform in an attempt to capture user password or similar information. The service may also consist of a "take
down" component where the vendor will aid the organization in having a malicious website, or in the case of
Vishing, phone number disabled.
Application Source Code Audit (Your Organization: no)
% Who Currently Use: Your Peers 0.00%, All Participants 5.05%
An Application Source Code Audit consists of the manual or automated evaluation of application source code to
determine if security issues such as buffer overflows or improper data sanitization issues exist. Many times an
Application Source Code Audit will be conducted as part of an organization's software development lifecycle to
ensure their applications are secure prior to being moved from a development environment to a production
setting.
Business Impact Analysis (Your Organization: yes)
% Who Currently Use: Your Peers 24.00%, All Participants 21.21%
A Business Impact Analysis consists of the identification of key systems and data sets utilized by an organization
on a day-to-day basis. Once these data points have been captured, a cross-functional team from the
organization will determine the monetary impact should these systems or data sets become unavailable for an
extended period of time. This information will typically feed directly into an organization's Disaster Recovery
Program to ensure that critical systems are the first to be recovered in the event of a man-made or natural
disaster.
Data Loss Prevention (DLP) (Your Organization: yes)
% Who Currently Use: Your Peers 40.00%, All Participants 32.32%
Data Loss Prevention consists of the use of a network appliance or software package to monitor an organization's
networks and determine if confidential or protected data is being digitally released in an unauthorized fashion to
individuals or organizations outside the company. These appliances or packages utilize definitions similar to
those used in IDS/IPS platforms, but will also periodically sync with an onboard or remote database to capture
data types specific to the organization that should be monitored for items such as account numbers, identification
numbers, etc.
Encryption Services (E-mail/File System) (Your Organization: yes)
% Who Currently Use: Your Peers 76.00%, All Participants 64.65%
Encryption Services typically consist of the use of an appliance or software package that encrypts corporate
e-mail and/or sensitive files. These services may be utilized by key personnel within an organization, or may be
deployed enterprise wide to ensure that all sensitive data is protected accordingly.
Forensics Services (Your Organization: no)
% Who Currently Use: Your Peers 8.00%, All Participants 4.04%
Forensics Services consist of the evaluation of one or more computer platforms that have been compromised by
an external or internal attacker. These services are typically utilized to determine where the attack originated
from, how the system was compromised, what was done after the compromise, and if the system was utilized to
attack other external or internal systems. Organizations should utilize a vendor that has certified, experienced
forensics staff who will not jeopardize the organization's ability to enter into litigation with the forensics data should
that course of action be expected.
Information Security Risk Assessment (Your Organization: no)
% Who Currently Use: Your Peers 68.00%, All Participants 65.66%
An Information Security Risk Assessment consists of identifying the critical data and systems utilized by an
organization and then evaluating the risks they may be exposed to from external or internal sources. Based upon
the findings of the evaluation, the organization can then determine the level of risk being presented and then
decide to mitigate, transfer, accept, or defer the risk. Information Security Risk Assessments are typically
conducted as cross-functional engagements due to the need to capture data points from system/data owners and
users alike.
Information Security Training for Clients (Your Organization: no)
% Who Currently Use: Your Peers 4.00%, All Participants 11.11%
Security Training for Clients consists of web-based training that focuses on common and easily understood
security practices such as password development, how to avoid phishing attacks, and the importance of anti-virus
software. Typically the training will also include short, easy to complete quizzes and the ability to easily forward
the training information to family, friends, and coworkers.
Information Security Training for Employees (Your Organization: no)
% Who Currently Use: Your Peers 76.00%, All Participants 71.72%
Security Training for Employees consists of programs, delivered in person or via web-based means, which
educate organization personnel on information security basics such as strong password construction and how to
thwart social engineering attacks. Typically, the training will also consist of testing to measure content retention
by the employee and completion certificate issuance at the end of the program.
ISO Standards (Your Organization: no)
% Who Currently Use: Your Peers 4.00%, All Participants 3.03%
ISO Standards are generally accepted information security and risk management best practices published by the
International Organization for Standardization. Examples include ISO 31000 (Risk Management) and ISO 27001
(Information Security Management Systems).
IT Audit (Programs, Policies, Practices) (Your Organization: yes)
% Who Currently Use: Your Peers 76.00%, All Participants 59.60%
An IT Audit consists of the manual evaluation of an organization's IT security controls and practices. Typically
the service will be completed by an IT auditor or security analyst and utilizes internal corporate policies, industry
best practices, and regulatory requirements as a baseline for the audit. At completion, the audit is meant to
provide a holistic picture of the organization's practices and where gaps exist that potentially place the
organization at risk.
Online Policy Management (Your Organization: no)
% Who Currently Use: Your Peers 4.00%, All Participants 9.09%
Online Policy Management consists of the use of applications, typically web-based in nature, to manage, update,
and track employee review and acceptance of corporate policies. Typically organizations will create virtual policy
handbooks and then assign these at the department or individual level for review. Employee reviews are then
tracked, along with any employee feedback, and can be subsequently reported on for compliance and audit
needs.
Security Policy Development/Review (Your Organization: no)
% Who Currently Use: Your Peers 52.00%, All Participants 44.44%
Security Policy Development and Review engagements consist of two parts. If the organization has a defined
policy set, the set is often evaluated against industry best practice and regulatory requirements to identify any
potential gaps. Based upon the review, the organization may then opt to have the vendor develop additional
policies or provide policy templates to the organization for their editing and use.
Virtual Host Implementation Assessment (Your Organization: no)
% Who Currently Use: Your Peers 4.00%, All Participants 4.04%
A Virtual Host Implementation Assessment consists of the security evaluation of a virtual operating system
operating in a single instance on a workstation, or running concurrently with multiple other operating systems on
a corporate server. The assessment will evaluate the manner in which the operating system has been
implemented to ensure that there are proper security controls in place that prevent the compromise of the host
operating system or other virtual instances in the event of an attack. Additionally, the security analyst will typically
also evaluate the organization's virtual machine hardening and implementation practices and policies to identify
gaps that may exist.
Website Compliance Review (Your Organization: yes)
% Who Currently Use: Your Peers 32.00%, All Participants 24.24%
A Website Compliance Review consists of the evaluation of an organization's website to ensure that it is in
compliance with regulatory requirements. These requirements may range from the manner in which a financial
organization advertises loan rates, to the way in which a commercial organization advertises certain special
offers or utilizes images or video. These reviews are typically done in a manual fashion as each page contained
within a website must be evaluated for consistency with the organization's internal requirements and those from
any regulatory body.
Other (Your Organization: no)
% Who Currently Use: Your Peers 0.00%, All Participants 1.01%
None of the Above
Percentage of Participants Who Do Not or Will Not Use Any of the Services Above
% Who Do Not Use: Your Peers 4.00%, All Participants 6.06%
Top 3 Compliance Services
Participants were asked to rank the compliance services in order of importance to the organization's
compliance program. The chart below represents the top 3 ranked compliance services.
All Participants:
  IT Audit (programs, policies, practices)
  Information Security Training for Employees
  Encryption Services (e-mail/file system)
Your Peers:
  IT Audit (programs, policies, practices)
  Data Loss Prevention (DLP)
  Information Security Training for Employees
Your Organization:
  Data Loss Prevention (DLP)
  Information Security Training for Employees
  Encryption Services (e-mail/file system)
Security Policies/Programs
Business Continuity Plan (Your Organization: yes)
% Who Currently Use: Your Peers 96.00%, All Participants 81.82%
A Business Continuity Plan documents and defines the programs and practices put in place by an organization
to ensure the ongoing operations of the business. Business Continuity Plans are considered an information
security best practice and are typically required for companies operating in regulated industries such as banking,
healthcare, energy, etc.
Disaster Recovery Program (Your Organization: yes)
% Who Currently Use: Your Peers 96.00%, All Participants 88.89%
A Disaster Recovery Plan outlines the activities that need to be undertaken by management and staff in the event
of a man-made or natural disaster. Disaster Recovery Plans typically contain call trees, system recovery
procedures, hot site usage requirements, disaster declaration authority, and press/media management.
Organizations operating in regulated industries are typically required, by regulation or law, to have a robust
Disaster Recovery Plan in place and to test their plan at least annually.
Incident Response Program (Your Organization: yes)
% Who Currently Use: Your Peers 88.00%, All Participants 82.83%
An Incident Response Plan defines how an organization will respond to an information security related event.
While many companies have these plans in place to deal with virus or malware outbreaks, more and more firms
are expanding them to cover security breaches and non-disaster related events. Incident Response Plans define
not only how an incident is to be declared and addressed, but also how the organization will socialize the event
with customers, regulators and law enforcement.
Information Security Policy: Acceptable Use of Computer Systems (Your Organization: yes)
% Who Currently Use: Your Peers 96.00%, All Participants 92.93%
An Acceptable Use Policy will clearly define what activities employees (management and staff) are and are not
allowed to conduct, and that employees should have no expectation of privacy or content ownership while using
corporate computing platforms. Historically only addressing the use of workstations and laptops, most
Acceptable Use Policy content has been expanded to encompass the use of non-traditional computing devices
such as tablets and smartphones.
Information Security Policy: Internet/Social Media (Your Organization: yes)
% Who Currently Use: Your Peers 92.00%, All Participants 80.81%
An Internet/Social Media policy will typically define what online activities employees are allowed to engage in on
behalf of the company. The policy may also outline any limitations of personal online activity and require that
employees clearly state that their views are their own and not that of their employer. This ensures that any
libelous statements are attributable to and the responsibility of the employee and not a reflection of the beliefs of
the company.
Information Security Policy: Mobile Devices (Your Organization: yes)
% Who Currently Use: Your Peers 84.00%, All Participants 73.74%
A Mobile Device Policy will typically contain content similar to that of an Acceptable Use Policy. However, it may
also contain content that defines prohibited activities such as the use of "App Stores" or whether or not the
employee is allowed to use their personal device for corporate activities.
Information Security Policy: Physical Security (Your Organization: yes)
% Who Currently Use: Your Peers 92.00%, All Participants 84.85%
A Physical Security Policy will typically define the required security controls that must be maintained by
employees. This may include the proper use of access badges, the requirement to maintain a clean desk, and
how security systems (cameras, badges, etc.) will be deployed and utilized within the company.
Information Security Policy: Securing Protected Data (Your Organization: yes)
% Who Currently Use: Your Peers 80.00%, All Participants 74.75%
A Securing Protected Data Policy will typically contain content that can be found in clean desk, physical
security, and encryption policies. It may also contain content associated with data classification to ensure that
employees understand what data is considered public knowledge and what should be considered confidential.
Typically, this policy will also define which other "security" policies will be put in place and will define minimum
security standards for "protected" data.
Other (Your Organization: no)
% Who Currently Use: Your Peers 4.00%, All Participants 1.01%
None of the Above
Percentage of Participants Who Do Not or Will Not Use Any of the Services Above
% Who Do Not Use: Your Peers 0.00%, All Participants 1.01%
Security Concerns

Advanced Persistent Threats (APT)
Your Organization: High
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     12.00%    64.00%    16.00%    8.00%
All Participants    3.03%     16.16%    49.49%    20.20%    11.11%

Brand Infringement
Your Organization: Small
                    None      Small     Moderate  High      Very High
Your Peers          12.00%    60.00%    12.00%    12.00%    4.00%
All Participants    15.15%    55.56%    21.21%    6.06%     2.02%

Browser-based attacks
Your Organization: High
                    None      Small     Moderate  High      Very High
Your Peers          4.00%     20.00%    32.00%    24.00%    20.00%
All Participants    2.02%     10.10%    37.37%    34.34%    16.16%
Business Continuity Risks
Your Organization: Moderate
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     32.00%    44.00%    16.00%    8.00%
All Participants    2.02%     17.17%    50.51%    24.24%    6.06%

Cloud Computing Threats
Your Organization: Small
                    None      Small     Moderate  High      Very High
Your Peers          4.00%     44.00%    28.00%    16.00%    8.00%
All Participants    8.08%     32.32%    36.36%    21.21%    2.02%

Data Center Physical Security Threats
Your Organization: Small
                    None      Small     Moderate  High      Very High
Your Peers          12.00%    64.00%    12.00%    4.00%     8.00%
All Participants    8.08%     52.53%    33.33%    4.04%     2.02%
Data Loss (via e-mail, file sharing, etc.)
Your Organization: High
                    None      Small     Moderate  High      Very High
Your Peers          4.00%     12.00%    28.00%    48.00%    8.00%
All Participants    2.02%     13.13%    37.37%    36.36%    11.11%

Denial of Service Attacks
Your Organization: High
                    None      Small     Moderate  High      Very High
Your Peers          4.00%     24.00%    44.00%    16.00%    12.00%
All Participants    2.02%     28.28%    47.47%    18.18%    4.04%

Disaster Recovery/Business Continuity Threats
Your Organization: Moderate
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     36.00%    40.00%    16.00%    8.00%
All Participants    1.01%     26.26%    45.45%    21.21%    6.06%
Employee Negligence
Your Organization: Moderate
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     8.00%     36.00%    32.00%    24.00%
All Participants    1.01%     16.16%    40.40%    28.28%    14.14%

Hacker External (unknown party)
Your Organization: High
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     12.00%    32.00%    36.00%    20.00%
All Participants    2.02%     10.10%    44.44%    31.31%    12.12%

Hacker Internal (employee, trusted 3rd party)
Your Organization: Moderate
                    None      Small     Moderate  High      Very High
Your Peers          4.00%     16.00%    28.00%    40.00%    12.00%
All Participants    2.02%     27.27%    43.43%    22.22%    5.05%
Incident Response Threats
Your Organization: Small
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     16.00%    52.00%    20.00%    12.00%
All Participants    1.01%     22.22%    51.52%    21.21%    4.04%

Information Security Policy Issues
Your Organization: Moderate
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     36.00%    40.00%    20.00%    4.00%
All Participants    4.04%     34.34%    40.40%    18.18%    3.03%

Information Security Threats Caused By Employee Actions
Your Organization: High
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     4.00%     28.00%    44.00%    24.00%
All Participants    1.01%     15.15%    34.34%    34.34%    15.15%
Information Security Training for Clients
Your Organization: None
                    None      Small     Moderate  High      Very High
Your Peers          24.00%    24.00%    32.00%    16.00%    4.00%
All Participants    22.22%    31.31%    29.29%    12.12%    5.05%

Information Security Training for Employees
Your Organization: Moderate
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     8.00%     56.00%    24.00%    12.00%
All Participants    2.02%     21.21%    43.43%    25.25%    8.08%

In-House Software Development Threats
Your Organization: Small
                    None      Small     Moderate  High      Very High
Your Peers          32.00%    48.00%    12.00%    4.00%     4.00%
All Participants    35.35%    39.39%    21.21%    3.03%     1.01%
Mobile Device Threats (i.e. iPad, iPhone, Blackberry, etc.)
Your Organization: Moderate
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     36.00%    40.00%    20.00%    4.00%
All Participants    6.06%     33.33%    36.36%    22.22%    2.02%

PHI (HIPAA) Information Compromises
Your Organization: None
                    None      Small     Moderate  High      Very High
Your Peers          48.00%    28.00%    12.00%    4.00%     8.00%
All Participants    36.36%    32.32%    20.20%    8.08%     3.03%

Phishing/Vishing Threats
Your Organization: High
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     8.00%     36.00%    44.00%    12.00%
All Participants    1.01%     13.13%    40.40%    32.32%    13.13%
PII (Personal Identification Information) Compromises
Your Organization: Moderate
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     4.00%     48.00%    36.00%    12.00%
All Participants    2.02%     12.12%    36.36%    35.35%    14.14%

Social Engineering Threats - Onsite (dumpster diving, office infiltration)
Your Organization: Moderate
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     28.00%    40.00%    24.00%    8.00%
All Participants    4.04%     29.29%    42.42%    20.20%    4.04%

Social Engineering Threats - Remote (phone, e-mail)
Your Organization: High
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     0.00%     24.00%    56.00%    20.00%
All Participants    3.03%     12.12%    28.28%    42.42%    14.14%
Use of Encryption within the Enterprise
Your Organization: Moderate
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     36.00%    24.00%    28.00%    12.00%
All Participants    4.04%     29.29%    40.40%    17.17%    9.09%

Virtualization Threats
Your Organization: Moderate
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     52.00%    40.00%    0.00%     8.00%
All Participants    6.06%     40.40%    46.46%    3.03%     4.04%

Virus, Worm, Malware Threats
Your Organization: High
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     8.00%     36.00%    44.00%    12.00%
All Participants    1.01%     10.10%    37.37%    39.39%    12.12%
Voice Over IP / Phone System Threats
Your Organization: Small
                    None      Small     Moderate  High      Very High
Your Peers          8.00%     64.00%    16.00%    4.00%     8.00%
All Participants    10.10%    51.52%    27.27%    9.09%     2.02%

Website Attacks
Your Organization: Very High
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     28.00%    40.00%    24.00%    8.00%
All Participants    4.04%     29.29%    46.46%    17.17%    3.03%

Website Compliance
Your Organization: Moderate
                    None      Small     Moderate  High      Very High
Your Peers          0.00%     56.00%    32.00%    8.00%     4.00%
All Participants    6.06%     43.43%    39.39%    10.10%    1.01%
Wireless Security Threats
Your Organization: Small
                    None      Small     Moderate  High      Very High
Your Peers          12.00%    40.00%    40.00%    4.00%     4.00%
All Participants    10.10%    35.35%    43.43%    9.09%     2.02%
Security Concerns Glossary
Advanced Persistent Threats (APT): An Advanced Persistent Threat is typically a hidden, clandestine manner
by which an attacker gains control of one or more applications or computer systems within an organization's
networks for use in future nefarious acts. These threats may remain hidden for days, weeks, or even months
before they are discovered.
Brand Infringement: Brand Infringement is typically associated with the unauthorized use of an organization's
brand (trademarks, service marks, logos, etc.). Many times the issues associated with brand infringement are
the result of the marks being utilized as part of a phishing attack or other fraudulent website. Other instances
may include the use of the marks on blogs or social networking sites.
Browser-based attacks: Browser-based attacks are typically defined as those attacks that occur when a
computer user visits a website hosting malicious code that causes the compromise of an application or operating
system. These types of attacks are typically most successful when the computer user's web browser software is
out of date, or if they are using liberal security settings within the browser. Other types of browser-based
attacks include cross-site scripting attacks and man-in-the-middle attacks against encrypted sessions.
Business Continuity Risks: A Business Continuity Plan (BCP) is closely tied to the findings associated with a
corporate Business Impact Analysis (BIA). The BIA process identifies key systems within an organization and the
monetary impact experienced by the organization when those systems become unavailable for use by staff or
clientele. Based upon the findings of the BIA, the BCP defines the time frame in which those systems must be
recovered for the organization to remain viable and what actions the management and staff of the organization
must take to minimize the monetary losses of the company during periods of extended down time.
Cloud Computing Threats: Cloud Computing Threats are typically associated with the dangers that present
themselves via the use of cloud-based services such as online CRM systems, or web-based office automation
tools. As these services are typically offered via third-party vendors, the contracting organization will not
typically own, manage or maintain any hardware or software. As such, organizations should evaluate not only
the security practices of the vendor, but their financial standing as well. Further, contractual provisions should
be put in place that clearly define data ownership as well as breach notifications.
Data Center Physical Security Threats: Data Center Physical Security Threats include the ability of an
attacker to bypass door locks and badging systems as well as the failure of an organization to properly
implement closed-circuit camera systems, locked server racks, heat and humidity sensors, fire extinguishing
systems, and biometrics access systems. These threats, alone or combined, place an organization's critical
systems and data at risk of loss or compromise.
Data Loss (via e-mail, file sharing, etc.): Data Loss entails the exposure of sensitive, non-public information to
outside parties who may not have authorized access to the information. This information may include driver's
license or other ID numbers, social security numbers, passwords, or other information. Information may be
disclosed through corporate e-mail resulting in an accidental or intentional release of this information outside the
organization. Information in the form of electronic media such as back-up tapes, or hard-copy information such
as account statements, may be lost via a breach associated with a third-party vendor.
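An added example (Python written for this glossary, not taken from the report or any DDI product) of the kind of outbound e-mail check that catches the accidental release this entry describes: a message is held only when it carries an identifier matching a sensitive pattern and at least one recipient is outside the organization. The internal domain, the identifier formats and the sample messages are constructed assumptions for the example; a real deployment would use the organization's own domain list and identifier rules.

```python
import re

# Assumed internal mail domain; any other domain counts as an outside party.
INTERNAL_DOMAINS = {"example-corp.test"}

# Identifier patterns for the data types the entry names. The U.S.-style SSN
# shape and the "password: value" shape are assumptions for the example.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "password": re.compile(r"(?i)\bpassword\s*[:=]\s*\S+"),
}


def external_recipients(recipients):
    """Return the recipients whose domain is not an internal one."""
    return [r for r in recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def scan_message(recipients, body):
    """Decide whether a message would carry sensitive data outside the organization.

    Returns the external recipients, the matches per pattern, and a 'block'
    flag that is set only when both an external recipient and a match exist.
    """
    outside = external_recipients(recipients)
    matches = {name: pat.findall(body) for name, pat in PATTERNS.items()}
    matches = {name: found for name, found in matches.items() if found}
    return {
        "external": outside,
        "matches": matches,
        "block": bool(outside) and bool(matches),
    }


# Constructed sample messages for the demonstration.
SAMPLES = {
    "internal_only": (
        ["hr@example-corp.test"],
        "Onboarding record: SSN 123-45-6789, start date Monday.",
    ),
    "external_with_ssn": (
        ["hr@example-corp.test", "vendor@partner.test"],
        "Onboarding record: SSN 123-45-6789, start date Monday.",
    ),
    "external_clean": (
        ["vendor@partner.test"],
        "Please find the signed contract attached.",
    ),
    "external_with_password": (
        ["friend@mail.test"],
        "VPN login is jdoe, password: Winter2015!",
    ),
}


def run_samples():
    """Scan each constructed sample and return its block decision."""
    return {name: scan_message(rcpts, body)["block"]
            for name, (rcpts, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, blocked in run_samples().items():
        print(f"{name}: {'BLOCK' if blocked else 'allow'}")
```

The internal-only message carrying an SSN is allowed, because the entry's concern is release outside the organization; the same body addressed to a partner domain is held. Pattern matching of this kind produces false positives on ordinary numbers, so in practice the result feeds a review queue rather than a silent drop.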
Denial of Service Attacks: Denial of Service Attacks can impact a single system or an entire network segment.
While there are multiple variants, the most common is a distributed denial-of-service attack, where multiple
computing platforms spread across the Internet are utilized by an attacker to flood an organization with so much
traffic (web requests, etc.) that the organization's systems simply cannot address all of the legitimate and
illegitimate traffic. As a result, legitimate users are unable to gain access to the organization's resources,
resulting in a loss of business and revenue.
Disaster Recovery/Business Continuity Threats: A Business Continuity Plan (BCP) is closely tied to the
Business Impact Analysis (BIA) and Disaster Recovery Program (DRP) of an organization. The BIA process
identifies key systems within an organization and the impact experienced when those systems become
unavailable for use by staff or clientele. Based upon the findings of the BIA, the BCP defines the timeframe in
which those systems must be recovered for the organization to remain viable. The DRP is much more granular,
defining the policies and procedures associated with the recovery of the key systems. The primary threat
associated with these plans and programs is the lack of proper testing and periodic updating to ensure they
remain relevant.
Employee Negligence: Employee Negligence is typically defined as actions taken by an employee that place
the employee or the employer in jeopardy. Often the employee's actions are not malicious in nature; rather, the
employee takes actions while being unaware of the potential impact the action may have on the organization. An
example of Employee Negligence is leaving sensitive information out on a desk after working hours, where it
can easily be seen or stolen by cleaning crews or others.
Hacker External (unknown party): External Hacker attacks are not necessarily attacks perpetrated solely
against Internet facing computing platforms; rather they are defined as attacks conducted by individuals who are
not employees of the organization. These attacks may be in the form of network reconnaissance and
vulnerability scanning, or include targeted attacks against individual systems and applications. Attacks can also
take the form of compromised internal computing platforms used to "hop" from one system to the next, exploiting
multiple vulnerabilities along the way in an effort to gain access to more and more confidential and proprietary
information.
Hacker Internal (employee, trusted 3rd party): Internal Hacker attacks are not necessarily attacks
perpetrated solely against internal, non-Internet facing computing platforms; rather they are defined as attacks
conducted by individuals who are employees of the organization. These attacks may range from network
reconnaissance and vulnerability scanning, to targeted attacks against individual systems and applications.
Attacks can also leverage compromised internal computing platforms to "hop" from one system to the next,
exploiting multiple vulnerabilities along the way in an effort to gain access to more and more confidential and
proprietary information.
Incident Response Threats: Incident Response Threats typically are seen in one of two areas. The first issue
is typically that the incident response program has not been adequately tested and as a result does not
adequately address threats that may be experienced by an organization's staff. The second issue is that many
incident response programs are not reviewed and updated on at least an annual basis to ensure that the
program addresses new threats that may not have been relevant at the time the program was initially
constructed. In either instance, the organization and its computing platforms can be placed at risk of exposure
and compromise.
Information Security Policy Issues: There are two primary issues that are typically associated with an
organization's information security policies. The first is that the existing policies are many times not reviewed on
at least an annual basis in order to incorporate any needed updates. Secondly, and just as important, is the
lack of new policies being added to the existing set to address new security practices and/or technologies that
have been implemented by the organization. In either case, an organization can easily be placed at risk due to
the fact that staff members do not fully understand what practices are and are not allowed.
Information Security Threats Caused By Employee Actions: Employee Caused Security Threats can
present themselves in a variety of fashions. Employees may inadvertently bring viruses or other malware into
the workplace by working on files at home, or may browse websites which seek to exploit vulnerabilities on the
employee's computer workstation. As well, employees may fall victim to social engineering attacks and release
highly sensitive data outside the organization, or may violate general security practices such as "ghosting" other
employees at badge entry areas.
Information Security Training for Clients: Security Training for Clientele is nearly as important as staff
security training for most organizations. While the level of risk associated with clientele system usage is
typically lower than that of staff members, they can still place an organization at risk via unsafe computing
practices. As an example, clientele who do not properly maintain their computer workstation anti-virus and
anti-malware software may expose the organization to fraud if their usernames and passwords are compromised
in some fashion.
Information Security Training for Employees: An organization's staff is often the weakest link within the entire
security program. Staff left untrained, or poorly trained, regarding information security best practices, can lead
to the circumvention of almost any security control put in place. Poorly developed passwords, falling for social
engineering attacks, or lack of adherence to physical security controls, are typically all the result of staff
members who have not received the proper level of information security training. These same individuals, due to
their actions, put an organization at risk for loss or other information security related exposures.
In-House Software Development Threats: In-House Software Development threats typically present
themselves through vulnerabilities that have been introduced into applications utilized by an organization's staff
or clientele. If an organization does not have a robust software development lifecycle that includes security
testing, there is a high probability that applications, and later updates to the applications, will contain weaknesses
such as buffer overflows, SQL injection, and other issues that could potentially be exploited by
attackers.
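As an added illustration of the SQL weakness this entry names (example code written for this glossary, not part of the report or any DDI product), the following Python builds a constructed in-memory SQLite table and compares a lookup that pastes caller input into the query text with one that binds it as a parameter. The table, the usernames and the probe value are all constructed for the example.

```python
import sqlite3


def make_db():
    """Create a constructed in-memory table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Weak form: the caller-supplied value becomes part of the SQL text.

    Quote characters in the input therefore change the structure of the
    statement instead of being treated as part of the username value.
    """
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, username):
    """Hardened form: the value is bound as a parameter.

    The driver passes the value to the engine separately from the statement,
    so it is always compared as data and never parsed as SQL.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups against the same constructed input and return the results."""
    conn = make_db()
    # Constructed value containing quote characters; no user has this name,
    # so a correct lookup must return nothing.
    probe = "nobody' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, probe),
        "hardened": lookup_hardened(conn, probe),
    }


if __name__ == "__main__":
    print(demo())
```

The weak lookup returns every row, because the comparison no longer depends on the username; the bound-parameter form returns none. Security testing within the development lifecycle, as the entry recommends, is where this difference gets caught before an application or its updates are released.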
Mobile Device Threats (i.e. iPad, iPhone, Blackberry, etc): Threats associated with mobile devices include,
but are not limited to, data exposure due to lost or stolen devices, malware introduced via applications loaded by
the user to the device, and access to corporate information via the use of weak passwords on the device.
PHI (HIPAA) Information Compromises: Compromises of PHI typically occur within medical facilities; however,
they can also be seen within other companies where the information is collected as part of on-boarding
employees and determining what medications or ailments they have. Regardless of the type of company, all PHI
should be secured when not in use. Should a breach of PHI occur, there may be stiff monetary penalties levied
against the company.
Phishing/Vishing Threats: Phishing and Vishing attacks occur via the use of fraudulent e-mail messages,
websites, and phone numbers. These technologies are utilized by individuals or crime rings in an effort to elicit
confidential username and password information from computer users. Typically, during a phishing attack, a
fraudulent website that mimics a legitimate business is established and then, via e-mail-based attacks, users are
directed to the site. Vishing attacks take this one step further via the use of fraudulent VoIP platforms that
provide a "live person" to contact.
PII (Personal Identification Information) Compromises: Compromises of PII can occur within any type of
business, regardless of which vertical the business is in. PII should be secured at all times when not in use. PII
includes Social Security numbers, ID numbers, and any other information that is not public record. There is a
potential for harsh monetary penalties depending upon the size of the breach and the information that was
stolen.
Social Engineering Threats - Onsite (dumpster diving, office infiltration): Social engineering is the act of
taking advantage of a person's trust to gain access to confidential information about the person, their employer,
or their clientele. Onsite social engineering occurs during a face-to-face encounter where the attacker may
utilize fake credentials or attire to elicit the desired response, or where the attacker uses intimidation or deceit to
gain access to the desired information. Social engineering attacks can occur in companies of all sizes, and can
be perpetrated by individuals outside the organization as well as current employees.
Social Engineering Threats - Remote (phone, e-mail): Social Engineering is the act of taking advantage of a
person's trust to gain access to confidential information about the person, their employer, or their clientele.
Remote social engineering attacks can occur during phone or e-mail based conversations where the attacker
may use intimidation or deceit to gain access to the desired information. Social engineering attacks can occur
in companies of all sizes, and can be perpetrated by individuals outside the organization as well as current
employees.
Use of Encryption within the Enterprise: Encryption usage in most organizations will typically fall into one of
three camps: e-mail encryption, hard drive encryption, and database encryption. E-mail encryption is the most
commonly utilized due to the need to protect clear-text e-mail messages. Second would be the use of hard drive
encryption, typically seen in use on laptop computers to protect data stored on the hard drive in the event the
equipment is lost or stolen. Last would be the use of database encryption; it is typically the last implemented due
to the cost and complexity of most database encryption methods. The most common issues associated with
encryption are poor governing policy development as well as weak implementation planning.
Virtualization Threats: Virtualization Threats are typically seen within virtual machine implementations that have
been poorly configured and hardened. Without properly securing each virtual machine, a single virtual instance
can place multiple systems at risk and can cause the compromise of an entire virtual machine implementation as
well as the data the virtual machines process, store, or transmit.
Virus, Worm, Malware Threats: Virus, Worm, and Malware Threats tend to impact systems if they are behind
on operating system and application vulnerability patches. Virus and malware attacks will typically occur from
opening infected files or e-mails, or visiting malicious websites. Worm attacks tend to originate from other
computing platforms that have already become infected by the worm.
Voice Over IP / Phone System Threats: Voice Over IP / Phone System Threats are associated with a variety
of issues that can impact phone platforms of all types. These threats include call interception by a known or
unknown party, toll fraud, call recording, call manager software tampering, the disabling of VoIP encryption
controls, and attacks that deny service to users, the PBX, or both.
Website Attacks: Website Attacks are hacking and penetration attempts that focus on the web-based assets of
an organization. These attacks may be launched to compromise the website itself to alter content, or to use the
compromised website as a pivot point to launch an attack against other corporate systems that may have a
"trust" relationship with the website server.
Website Compliance: Website Compliance is a concern for every organization that has an Internet presence
in place. Almost without exception, every organization will have some type of regulatory requirement that it must
comply with on its website, home banking system, or e-commerce site. These requirements could include
privacy notices, disclosures regarding loan or deposit rates, fair advertising requirements, and disclosures
regarding the use of copyrighted materials such as photos, music, or video images.
Wireless Security Threats: Wireless Security Threats can exist with both authorized and unauthorized wireless
implementations. Typically, authentication issues, inadequate encryption, signal bleeding, and
improper hardening are the biggest concerns with authorized wireless implementations. Unauthorized
wireless implementations can be difficult to detect and, due to their rogue nature, may place an entire corporate
network at risk. As such, organizations should consider periodic sweeps to detect and remove unauthorized
access points that may have been attached to one or more network segments.
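An added example (Python written for this glossary, not part of the report or any DDI tool) of how the results of a periodic sweep such as the entry recommends can be evaluated: the access points observed during the sweep are compared against an inventory of authorized BSSIDs, and authorized units are additionally checked for the inadequate-encryption concern the entry raises. Both the inventory and the survey results are constructed for the example; in practice the survey would come from whatever wireless scanner the organization uses.

```python
# Constructed inventory of authorized access points: BSSID -> expected SSID.
AUTHORIZED = {
    "00:11:22:33:44:01": "CorpWiFi",
    "00:11:22:33:44:02": "CorpWiFi",
    "00:11:22:33:44:03": "CorpGuest",
}

# Constructed survey results in the shape a wireless scanner might export.
SURVEY = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CorpWiFi", "encryption": "WPA2"},
    {"bssid": "00:11:22:33:44:02", "ssid": "CorpWiFi", "encryption": "WPA2"},
    {"bssid": "00:11:22:33:44:03", "ssid": "CorpGuest", "encryption": "OPEN"},
    {"bssid": "AA:BB:CC:DD:EE:FF", "ssid": "CorpWiFi", "encryption": "WPA2"},
    {"bssid": "DE:AD:BE:EF:00:01", "ssid": "Linksys", "encryption": "WEP"},
]

# Encryption settings treated as inadequate for an authorized access point.
INADEQUATE_ENCRYPTION = {"OPEN", "WEP"}


def classify_survey(survey, authorized):
    """Compare observed access points with the authorized inventory.

    Returns a list of (bssid, finding) pairs. Unknown BSSIDs are reported as
    unauthorized; one that advertises a corporate SSID is called out
    separately because staff devices are most likely to connect to it.
    Authorized BSSIDs are checked for inadequate encryption and for an SSID
    that differs from the inventory (a sign of reconfiguration).
    """
    corporate_ssids = set(authorized.values())
    findings = []
    for ap in survey:
        bssid = ap["bssid"].lower()
        if bssid not in authorized:
            if ap["ssid"] in corporate_ssids:
                findings.append((bssid, "unauthorized_ap_using_corporate_ssid"))
            else:
                findings.append((bssid, "unauthorized_ap"))
        elif ap["encryption"] in INADEQUATE_ENCRYPTION:
            findings.append((bssid, "inadequate_encryption"))
        elif ap["ssid"] != authorized[bssid]:
            findings.append((bssid, "ssid_mismatch"))
    return findings


def missing_from_survey(survey, authorized):
    """Authorized BSSIDs not seen at all (offline, moved, or out of range)."""
    seen = {ap["bssid"].lower() for ap in survey}
    return sorted(b for b in authorized if b not in seen)


if __name__ == "__main__":
    for bssid, finding in classify_survey(SURVEY, AUTHORIZED):
        print(f"{bssid}: {finding}")
    print("not seen:", missing_from_survey(SURVEY, AUTHORIZED))
```

The two unknown BSSIDs are the sweep's main output and the candidates for removal; the open guest unit is an authorized device that fails the encryption check, and the missing-list catches inventory drift between sweeps.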
END OF REPORT