New Best SaaS Network Security Solutions - Sample Organization · 2020. 2. 18. · Your feedback...


Dear Reader:

For the eighth consecutive year, Digital Defense, Inc. (DDI) has conducted our annual Insight study, and we continue to be pleased with the participation. Your feedback provides valuable perspective that allows us to continually evaluate and enhance our security offerings to best meet your needs.

Insight was developed with an end goal of empowering you with unbiased and relevant information about information security practices and programs as reported by our clients. The format allows you to examine your responses in comparison to YOUR PEERS, as well as the aggregate results for ALL PARTICIPANTS.

Each year, based on your recommendations, we have included additional questions that are pertinent to the current security landscape, demonstrating the importance of ongoing input from DDI clients, security practitioners and industry influencers. This feedback strengthens the report and our ability to provide useful and actionable intelligence to assist you as you make informed decisions regarding your information security programs. Our mission has remained constant since the inception of Insight… to answer persistent and difficult questions such as:

• Is my organization in step with what my peers and others are doing with respect to the use of technology and services to thwart various information security threats?

• Is my organization adequately staffed and trained to ensure the optimal level of security to defend against a potential security breach?

Our goal is to be a trusted partner as you navigate the changing dynamics of the information security landscape. In closing, we are committed to helping you protect your most valuable assets against a security attack. We believe this study can provide an important perspective as you develop and execute your 2016 information security strategy. As always, we welcome your continued feedback and communication.

Sincerely,

Larry Hurtado
President & CEO
Digital Defense, Inc.

© 2015 Digital Defense, Inc.

Report Data is Client Confidential


Insight 2015 Overview

Data Sources

To capture the responses of participants for Insight 2015, Digital Defense utilized a web-based questionnaire. The questionnaire was specifically developed to capture general, sometimes public information about the participants, as well as other more sensitive information specific to their Information Security program and practices.

Survey responses were anonymous and responses are presented in aggregate. This data has been analyzed and results are presented in the following sections of the Insight 2015 report.

Section Summary

General Information

Demographic information, such as a breakdown of the participating organizations' size, location, etc., is included in this section.

Security and Vulnerability Summary

All vulnerability data portrayed within the Insight 2015 report was gathered via the Digital Defense Frontline™ Solutions Platform Active View workflow management system. The vulnerability data represents vulnerabilities discovered in prior vulnerability scans or penetration tests and migrated into the workflow management system for assignment to organization employees or third-party vendors for action as part of their remediation activities.

Information Security Program Overview (Security Program Ownership, Budgets, Duties and Training)

This section focused specifically on capturing information regarding who within the participating organization is responsible for the management of the organization's information security program, budgetary data/purchasing influences, and training and conference participation.

Information Security Services and Compliance Services

Information regarding services currently in use or planned within the next 90 days by the participating organization is highlighted in this section. The information is vendor-agnostic and focuses on the type of Information Security products and services most widely available to organizations.

Information Security Policies and Programs

This section highlights the policies and programs that an organization institutes to ensure standards and guidelines are established in alignment with best practices and regulations that facilitate a secure environment.

Information Security Concerns

This section captured information regarding the level of concern each participating organization had with a variety of information security threats. Participants were asked to rank the concerns in level of importance on a five point scale from None to Very High.


Table of Contents

Executive Summary .................................................................. 5

Who Participated .................................................................. 11

Security & Vulnerability Summary .................................................................. 12

Security Program Ownership .................................................................. 14

Information Technology Budget .................................................................. 15

Information Security Budget .................................................................. 16

IT-Related Duties .................................................................. 17

IT Security-Related Duties .................................................................. 18

Information Security Training .................................................................. 19

Security Conferences .................................................................. 21

Security Services .................................................................. 22

Compliance Services .................................................................. 30

Security Policies/Programs .................................................................. 39

Security Concerns .................................................................. 44


Sample Organization INSIGHT 2015

Executive Summary

The Executive Summary is intended to highlight key findings of the aggregated data as reported by ALL PARTICIPANTS of the Insight 2015 study. This information will provide an "at-a-glance" view of information security programs and practices within organizations across various industries.

Detailed findings can be examined in each section of the report. Each Digital Defense, Inc. (DDI) client who completed the Insight questionnaire will receive a customized Insight 2015 Peer Analysis report based on their responses and vulnerability data contained within the Frontline™ Solutions Platform (FSP) Active View workflow management system. The sample report, available to non-clients, provides valuable data for ALL PARTICIPANTS and a sample illustration of the peer comparison available exclusively to DDI clients. All Insight report data is confidential and has been sanitized for use in the comparative analysis.

Participation in the Insight 2015 study was representative of organizations across the United States in multiple industries with primary participation received from information security professionals employed in Banks, Credit Unions, Financial Services, Legal, Education, Healthcare and Manufacturing.

Highest Risk Vulnerabilities

The vulnerabilities most frequently identified across DDI clients through FSP are reflected below:

Top 5 Internal High Risk Vulnerabilities
• SNMP Writeable Communities
• Java Critical Patch Update - CPU-APRIL-2015
• Java Critical Patch Update - CPU-JANUARY-2015
• Java Critical Patch Update - CPU-OCTOBER-2014
• APSB15-10: Security Updates Available for Adobe Acrobat and Reader

Top 5 External High Risk Vulnerabilities
• MS15-034: Microsoft IIS HTTP.sys Remote Code Execution (Network Check)
• Apache HTTP Server 'mod_session_dbd.c' Unspecified Impact
• Apache HTTP Server Isapi_unload Remote Command Execution
• MS12-020 Remote Desktop Protocol Connect Use-After-Free Vulnerability (Network Check)
• Web Server SQL Injection


Information Security Resourcing

While the resources allocated to Information Technology & Information Security vary, results highlight key trends across organizations of varying sizes and industries:

• The Chief Information Officer (29%), Chief Executive Officer (17%) and Vice President of IT (17%) are primary owners of InfoSec programs.
• 94% of organizations have 5 or fewer employees devoted to Information Security.
• 65% of respondents have Information Security (IS) budgets no greater than $100,000, while 26% have a total Information Technology (IT) budget over $500,000. Approximately 16% of respondents were unaware of IS or IT budget allocation.
• Security Awareness training is delivered to staff via multiple methods including classroom/group presentations (62%), computer-based training (56%), content delivered through organization's Learning Management System (LMS) (22%), offsite events (12%) and consultants (6%).
• Information Security specific conferences identified in rank order included:

Two specific conferences that have been in the top 5 rankings consecutively beginning with Insight 2011 are the NAFCU/CUNA-sponsored Security Events and the Vendor-sponsored Events/Working Groups. This is reflective of the large number of survey participants in the credit union industry. Additionally, the number of participants who do not attend conferences ("None") has remained consistent, ranking in the top 5 over the past 4 years (Insight 2012 - 2015).


Information Security Concerns

Organizations are faced daily with a number of threats that could open the door for security breaches that potentially pose devastating losses to a firm's bottom line and reputation. Respondents were asked to rank their level of concern for listed security threats and weaknesses that could potentially open the door to a breach. The chart below reflects the calculated average ranking on a scale from 0 to 4, representing the level from no concern to very high concern.

One specific security threat that has been in the top 4 rankings since Insight 2012 has been Virus, Worm, Malware Threats. Two threats that have been ranked in the bottom 5 since Insight 2011 are In-House Software Development Threats and Voice Over IP/Phone System Threats.


Information Security Services

The chart below illustrates the information security services utilized by ALL PARTICIPANTS. Vulnerability Scanning and Ethical Hacking/Penetration Testing are the highest reported services used, while VOIP/PBX Security Assessment and Application Code Analysis were the least utilized.

Vulnerability Scanning and Ethical Hacking/Penetration Testing have been consistently the top 2 reported utilized services since Insight 2011. A trend reflected across Insight reports beginning in 2011 through 2015 illustrates a correlation between High Concerns and Information Security Services utilized. For example, Virus, Worm, Malware Threats is identified as a High Concern, and the services to mitigate this risk, Vulnerability Scanning and Ethical Hacking/Penetration Testing, reflect the highest reported level of usage.


Compliance Services

In many organizations, compliance is the driver for the utilization of security services. Over 60% of the respondents perform Information Security Training for Employees, Information Security Risk Assessments, Encryption Services, and IT Audits. The least utilized compliance services include ISO Standards, Application Source Code Audits and Forensics Services. Only 8% reported they do not use any of the compliance services listed.

Beginning with Insight 2011, three services have consistently ranked in the top 5: Information Security Training for Employees, Information Security Risk Assessment and IT Audits, while Forensics Services and Application Source Code Audit have ranked in the bottom 5 during this time period.


Security Programs

The chart below reflects the most utilized programs and policies. Acceptable Use of Computer Systems ranked highest at 93% usage, while Policies related to Securing Protected Data and Mobile Device usage ranked the lowest at 75%, still a respectable level of usage among participants. This demonstrates the level of importance organizations associate with security policies.

Information Security Policy: Acceptable Use of Computer Systems and Disaster Recovery Program have been ranked as the top 2 programs/policies over the past 3 years (Insight 2013 - 2015), while Securing Protected Data and Mobile Devices have ranked the lowest during this same time period. This question was not included in the survey prior to 2013.

Compliance continues to be a driver for information security issues and organizations appear to be proactive in the development of information security policies.


Who Participated

Participation Information

The opportunity to participate in the study associated with the Insight report was provided to organizations around the country. At the time of the generation of this report, organizations from 34 states elected to participate as reflected in the map below.

Peer Group Information

For the purposes of the Insight report, a peer is considered any other organization, within your industry, that falls within the same staff size range. Based upon your input to the online Insight questionnaire, your peer group consists of organizations between 101-250 in staff size.

Participation within your industry, by staff size range:

Staff size        Share of participants
1-25                13.13%
26-50               17.17%
51-100              19.19%
101-250             25.25%
251-1000            18.18%
1001-2500            2.02%
2501-10000           1.01%
Over 10000           3.03%
I Don't Know         1.01%

The opportunity to participate in the study associated with the Insight report was provided to organizations around the country. Within your industry, organizations from a variety of staff size groups participated, with the largest participation coming from the 101-250 staff range.


Security & Vulnerability Summary

Digital Defense, Inc. has developed the Security GPA® network security metric to facilitate comparative analysis on a familiar 4 point scale.

What is Security GPA? Think of it as a grade point average for your network. Security GPA is calculated using a complex algorithm that takes into account both the network security posture rating and the business risk associated with discovered vulnerabilities.

The following compares your overall Security GPA rating with the ratings of other participating organizations. The overall rating is derived by averaging the host vulnerability ratings obtained from the Frontline Solutions Platform Active View workflow management system.

Note: Your Security GPA shown below may not be the same as the Security GPA displayed by the Frontline portal. Insight's Security GPA calculation does not account for any custom host prioritization values, configured within the Frontline portal, for ease of comparison across clients. This data was captured from the Frontline Solutions Platform Active View workflow management system as of August 14, 2015.

[Chart: Internal and External Security GPA for Your Security GPA, Peers Security GPA Average and All Participants Security GPA Average; values plotted on the chart: 3.05, 3.46, 3.27, 3.00, 2.80, 2.39]


The following section lists the top five most common high risk rating internal and external vulnerabilities among all Insight participants. This vulnerability data was captured from the Frontline Solutions Platform Active View workflow management system as of August 14, 2015.

Your Organization

Top 5 Internal High Risk Vulnerabilities: No High Risk Vulnerabilities Found

Top 5 External High Risk Vulnerabilities: No High Risk Vulnerabilities Found

Your Peers

Top 5 Internal High Risk Vulnerabilities
• SNMP Writeable Communities
• HP JetDirect Device Page Directory Traversal
• NFS Improper UID Verification Vulnerability
• OptiPoint Default Login
• Passwordless HP JetDirect

Top 5 External High Risk Vulnerabilities
• MS15-034: Microsoft IIS HTTP.sys Remote Code Execution (Network Check)

All Participants

Top 5 Internal High Risk Vulnerabilities
• SNMP Writeable Communities
• Java Critical Patch Update - CPU-APRIL-2015
• Java Critical Patch Update - CPU-JANUARY-2015
• Java Critical Patch Update - CPU-OCTOBER-2014
• APSB15-10: Security Updates Available for Adobe Acrobat and Reader

Top 5 External High Risk Vulnerabilities
• MS15-034: Microsoft IIS HTTP.sys Remote Code Execution (Network Check)
• Apache HTTP Server 'mod_session_dbd.c' Unspecified Impact
• Apache HTTP Server Isapi_unload Remote Command Execution
• MS12-020 Remote Desktop Protocol Connect Use-After-Free Vulnerability (Network Check)
• Web Server SQL Injection


Security Program Ownership

Your Organization: Chief Information Security Officer (CISO)

Organizations, regardless of vertical, should have at least one individual that is ultimately responsible for their information security program. Based upon your response to the Insight online questionnaire, the primary owner of your program is referenced above. Responses from other participants are provided in the table below.

Owner of the information security program      Your Peers   All Participants
Chief Executive Officer (CEO)                     8.00%        17.17%
Chief Information Officer (CIO)                  48.00%        31.31%
Chief Information Security Officer (CISO)         0.00%         3.03%
Chief Financial Officer (CFO)                     4.00%         4.04%
Chief Operations Officer (COO)                    0.00%         6.06%
Information Security Officer                      4.00%         2.02%
Information Systems Manager                       4.00%        10.10%
Vice President of IT                             24.00%        17.17%
Vice President of Risk Management                 0.00%         0.00%
Partner                                           4.00%         1.01%
Other                                             4.00%         8.08%
I Don't Know                                      0.00%         0.00%
Total                                           100.00%       100.00%


Information Technology Budget

Of keen interest to many Boards and management teams at organizations around the country are the budgets allocated by their peers for information security programs. Improper funding of an information security budget can expose an organization to undue risk; however, many times budget planning teams have little insight as to what is adequate and what is overkill. With peer budget information, planning teams have the opportunity to consider the information and make more sound budgetary decisions, while at the same time securing the organization's networks.

The following section of the Insight report outlines the real dollars associated with information technology spending for your organization. Information in the graphics below is broken out by your

Your Organization: $500,001-$1,000,000

Annual IT budget            Your Peers   All Participants
$0-$5,000                      0.00%         5.05%
$5,001-$10,000                 4.00%         6.06%
$10,001-$50,000                0.00%        12.12%
$50,001-$100,000              16.00%        13.13%
$100,001-$250,000             16.00%        10.10%
$250,001-$500,000             24.00%        11.11%
$500,001-$1,000,000           24.00%        15.15%
Over $1,000,000                4.00%        11.11%
I Don't Know                  12.00%        16.16%
Total                        100.00%       100.00%


Information Security Budget

The following section of the Insight report outlines the percentage of your information technology budget that is consumed by information security solutions. Information in the table below is broken out by your organization's response, the averaged responses for your peer group and for all participants.

Your Organization: $10,001-$50,000

Annual IS budget            Your Peers   All Participants
$0-$5,000                      0.00%         7.07%
$5,001-$10,000                 4.00%         9.09%
$10,001-$50,000               28.00%        27.27%
$50,001-$100,000              32.00%        22.22%
$100,001-$250,000             20.00%        11.11%
$250,001-$500,000              4.00%         6.06%
$500,001-$1,000,000            0.00%         1.01%
Over $1,000,000                0.00%         1.01%
I Don't Know                  12.00%        15.15%
Total                        100.00%       100.00%


IT-Related Duties

Many security practitioners feel that the number of individuals employed within an organization's information technology (IT) department has a dramatic impact on the success, or failure, of the corporate information security program. All too often though, organizations staff their IT departments based upon the perceived need relative to their size instead of the complexity and security profile of their computing infrastructure. Each organization should consider the information provided in Insight to determine if staffing for their IT department is adequate, or needs to be "right sized" to come more in line with their peers.

The following portrays the number of employees you indicated directly participate in IT duties, versus the number of employees indicated by your peers and all other organizations that participated in the study.

Your Organization: 11-25

Employees in IT duties      Your Peers   All Participants
None                           0.00%         2.02%
1-5                           52.00%        58.59%
6-10                          32.00%         9.09%
11-25                         16.00%        19.19%
26-50                          0.00%         9.09%
51-100                         0.00%         0.00%
101-250                        0.00%         1.01%
Over 250                       0.00%         0.00%
I Don't Know                   0.00%         1.01%
Total                        100.00%       100.00%


IT Security-Related Duties

Many security practitioners feel that the number of employees directly involved with an organization's information security program has a dramatic impact on the success, or failure, of the program. All too often though, organizations staff their security departments based upon the perceived need relative to their size instead of the complexity and security profile of their organization. Each organization should consider the information provided in Insight to determine if staffing for their information security program is adequate, or needs to be "right sized" to come more in line with their peers.

The following portrays the number of employees you indicated directly participate in information security duties, versus the number of employees indicated by your peers and all other organizations that participated in the study.

Your Organization: 1-5

Employees in IS duties      Your Peers   All Participants
None                           4.00%         7.07%
1-5                           88.00%        86.87%
6-10                           4.00%         3.03%
11-25                          0.00%         1.01%
26-50                          0.00%         0.00%
51-100                         0.00%         0.00%
101-250                        4.00%         1.01%
Over 250                       0.00%         0.00%
I Don't Know                   0.00%         1.01%
Total                        100.00%       100.00%


Information Security Training

The following portrays the number of sessions allocated for information security training to your IT staff by your organization versus the numbers provided by your peers and all other organizations that participated in the study.

Your Organization: 3-4

Training sessions           Your Peers   All Participants
None                          16.00%        10.10%
1-2                           48.00%        52.53%
3-4                           20.00%        23.23%
5 or more                     16.00%        11.11%
I Don't Know                   0.00%         3.03%
Total                        100.00%       100.00%


Information Security Training - Delivery Method

Security Awareness Training is delivered to the average employee through various delivery channels. The following reflects in rank order the methods in which information security training is delivered to an average employee.

Your Organization
• Internal - Staff Classroom/Group Presentations

Your Peers
• Internal - Staff Classroom/Group Presentations
• Computer-Based Training
• Internal - Content Delivered via Learning Management System
• Offsite Events (conferences, designated seminars, etc.)
• Consultant

All Participants
• Internal - Staff Classroom/Group Presentations
• Computer-Based Training
• Internal - Content Delivered via Learning Management System
• Offsite Events (conferences, designated seminars, etc.)
• Consultant


Security Conferences

While some organizations may see conferences as an unnecessary and frivolous expense, more and more are turning to them as a venue where their security teams can network and learn from other security professionals. Many of the conferences listed below hold not only general sessions that talk about information security at a high level, but also hold "deep dive" sessions to educate the attendees on the latest technical details regarding system and application exploits and what organizations can do to avoid falling prey to them. As such, these conferences can provide value not only to the CISO, but to the ISO as well. Organizations should evaluate the information contained within Insight to determine if there are other conferences attended by their peers that would potentially provide value and educational opportunities for their information security staff.

The following information portrays the information security conferences that your staff attend, versus those that are attended by your peers and all other organizations that participated in the study (listed in rank order).

Your Organization
• Local Chamber of Commerce-sponsored Security Events
• NAFCU/CUNA-sponsored Security Events
• Vendor-sponsored Events/Working Groups

Your Peers
• Vendor-sponsored Events/Working Groups
• Local Chamber of Commerce-sponsored Security Events
• NAFCU/CUNA-sponsored Security Events
• None
• ABA-sponsored Security Events

All Participants
• Vendor-sponsored Events/Working Groups
• NAFCU/CUNA-sponsored Security Events
• None
• Local Chamber of Commerce-sponsored Security Events
• Financial Service ISAC events (FS-ISAC)


Security Services

Active Directory Implementation Assessment
Your Organization: no | Your Peers: 8.00% | All Participants: 10.10% (% who currently use)

An Active Directory Implementation Security Assessment will typically look to assess the overall security of an organization's Active Directory structure. These assessments evaluate the use of Group Policies and other user control mechanisms which can be utilized to protect not only the end-user but the organization as a whole.

Application Code Analysis
Your Organization: no | Your Peers: 0.00% | All Participants: 4.04% (% who currently use)

An Application Code Analysis entails the manual or automated evaluation of software source code in an effort to determine if latent vulnerabilities exist that may place the user of the software at risk after it is introduced into a production setting.



Ethical Hacking/Penetration Testing
Your Organization: yes | Your Peers: 64.00% | All Participants: 57.58% (% who currently use)

Penetration Testing consists of security analysts manually testing vulnerabilities to determine whether they are exploitable. This includes the use of automated scripts, exploits, or other types of attacks. Penetration testing is also commonly known as ethical hacking.

Mobile Device Security Assessment (smartphone, tablets, etc.)
Your Organization: no | Your Peers: 20.00% | All Participants: 15.15% (% who currently use)

A Mobile Device Security Assessment consists of the evaluation of an organization's implementation of mobile devices such as BlackBerry handhelds, iPhones, and Windows Mobile devices. During the assessment, security analysts will evaluate whether the devices have been implemented in a secure fashion to avoid traffic interception between the organization's mail server and the device, and to ensure that the device is encrypted or will auto-wipe stored data if it is lost or stolen.



Network Security Architecture Review
Your Organization: yes | Your Peers: 44.00% | All Participants: 30.30% (% who currently use)

A Network Security Architecture Review consists of the evaluation of an organization's computer network implementation. The security analyst will evaluate network and system segmentation efforts, the use of encryption and VLAN technology, as well as what other network protection mechanisms may benefit the organization and aid them in reaching their security goals.

Physical Security Review
Your Organization: yes | Your Peers: 44.00% | All Participants: 40.40% (% who currently use)

A Physical Security Review evaluates the physical security controls an organization has put in place to protect the computing assets and confidential data utilized by the organization's employees. These controls may include those associated with the corporate data center, the locking mechanisms utilized on secure area doors, video camera placement and usage, badge systems, and other controls. Additionally, these reviews will normally include employee interviews where the security analyst will look to determine the general level of security awareness within the employee population.



Social Engineering Assessment - Onsite (office infiltration, dumpster diving, etc.)
Your Organization: yes | Your Peers: 24.00% | All Participants: 23.23% (% who currently use)

An Onsite Social Engineering Assessment consists of a security analyst attempting to gain access to physical corporate resources by violating the trust of an organization's employees or trusted third-party vendors. The security analyst will typically attempt to gain access to one or more office locations. Once access is gained, the analyst will connect to the corporate network, collect computing assets or confidential information, and attempt to bypass physical security controls. The security analyst may also bypass controls by using tools such as "lost" USB fobs or CD-ROMs that are then collected by employees and utilized on the organization's computing platforms.

Social Engineering Assessment - Remote (e-mail, telephone, online, etc.)
Your Organization: yes | Your Peers: 64.00% | All Participants: 49.49% (% who currently use)

A Remote Social Engineering Assessment consists of a security analyst attempting to gain the trust of an organization's employees or trusted third-party vendors and elicit confidential data such as system access codes, passwords, or even information regarding the organization's clientele. These engagements can utilize phone calls, fraudulent e-mail content, and fraudulent websites, or a combination of all three attack mechanisms.



VoIP/PBX Security Assessment
Your Organization: no | Your Peers: 4.00% | All Participants: 5.05% (% who currently use)

VoIP/PBX Security Assessments consist of the evaluation of an organization's Voice over IP implementation. These security assessments typically evaluate the security not only of the PBX, but of the handsets and the actual VoIP traffic as well. The assessments typically look to identify configuration weaknesses, the use of unneeded services, and the use of encryption to protect voice traffic.

Vulnerability Scanning
Your Organization: yes | Your Peers: 80.00% | All Participants: 81.82% (% who currently use)

Vulnerability Scanning typically consists of the automated scanning of an organization's networks in an effort to determine which hosts are "live" and what vulnerabilities are potentially resident on those systems. Vulnerability scanning is also commonly referred to as a vulnerability assessment.



War Dialing
Your Organization: no | Your Peers: 8.00% | All Participants: 8.08% (% who currently use)

War Dialing consists of the automated scanning of an organization's phone lines in an effort to identify open carriers that may provide system access. War Dialing may also include the manual testing of identified "open" lines in an effort to see if system access can actually be obtained.

Web Application Security Assessment
Your Organization: yes | Your Peers: 8.00% | All Participants: 16.16% (% who currently use)

A Web Application Security Assessment consists of testing that is very similar to that of a penetration test or ethical hacking engagement. However, the Web Application Security Assessment focuses on the web applications utilized by an organization, with the aim of exposing cross-site scripting, SQL injection, and buffer overflow conditions that may exist within the application. Testing may be done in a "black box" or unauthenticated fashion, or it may be conducted in a "white box" manner where the security analyst is provided one or more user accounts.



Wireless Security Review
Your Organization: no | Your Peers: 12.00% | All Participants: 16.16% (% who currently use)

A Wireless Security Review consists of the evaluation of an organization's wireless implementation. The evaluation will typically consider how the organization has implemented encryption, the security configuration of the organization's wireless access points, and the level at which the wireless signal "bleeds" into other areas of the building or nearby parking structures. Additionally, the service may also include the assessment of the organization's corporate networks to determine if rogue, unauthorized access points are presently in use.

Other
Your Organization: no | Your Peers: 4.00% | All Participants: 6.06% (% who currently use)



None of the Above
Percentage of Participants Who Do Not or Will Not Use Any of the Services Above
Your Peers: 4.00% | All Participants: 6.06% (% who do not use)

Top 3 Security Services

Participants were asked to rank the security services in order of importance to the organization's security program. The chart below represents the top 3 ranked security services.

Top 3 Security Services (chart; the three ranked lists are given in the order extracted, and the chart legend reads All Participants, Your Peers, Your Organization):

List 1: Social Engineering Assessment - Remote (e-mail, telephone, online, etc.); Ethical Hacking/Penetration Testing; Vulnerability Scanning

List 2: Ethical Hacking/Penetration Testing; Social Engineering Assessment - Remote (e-mail, telephone, online, etc.); Network Security Architecture Review

List 3: Ethical Hacking/Penetration Testing; Social Engineering Assessment - Onsite (office infiltration, dumpster diving, etc.); Social Engineering Assessment - Remote (e-mail, telephone, online, etc.)



Compliance Services

Anti-Phishing/Vishing Services
Your Organization: no | Your Peers: 28.00% | All Participants: 31.31% (% who currently use)

Anti-Phishing/Vishing Services typically consist of a monitoring component where the vendor will scan the Internet looking for malicious sites that mimic an organization's website, home banking system, or e-commerce platform in an attempt to capture user passwords or similar information. The service may also consist of a "take down" component where the vendor will aid the organization in having a malicious website, or in the case of Vishing, a phone number, disabled.

Application Source Code Audit
Your Organization: no | Your Peers: 0.00% | All Participants: 5.05% (% who currently use)

An Application Source Code Audit consists of the manual or automated evaluation of application source code to determine if security issues such as buffer overflows or improper data sanitization issues exist. Many times an Application Source Code Audit will be conducted as part of an organization's software development lifecycle to ensure their applications are secure prior to being moved from a development environment to a production setting.



Business Impact Analysis
Your Organization: yes | Your Peers: 24.00% | All Participants: 21.21% (% who currently use)

A Business Impact Analysis consists of the identification of key systems and data sets utilized by an organization on a day-to-day basis. Once these data points have been captured, a cross-functional team from the organization will determine the monetary impact should these systems or data sets become unavailable for an extended period of time. This information will typically feed directly into an organization's Disaster Recovery Program to ensure that critical systems are the first to be recovered in the event of a man-made or natural disaster.

Data Loss Prevention (DLP)
Your Organization: yes | Your Peers: 40.00% | All Participants: 32.32% (% who currently use)

Data Loss Prevention consists of the use of a network appliance or software package to monitor an organization's networks and determine if confidential or protected data is being digitally released in an unauthorized fashion to individuals or organizations outside the company. These appliances or packages utilize definitions similar to those used in IDS/IPS platforms, but will also periodically sync with an onboard or remote database to capture data types specific to the organization that should be monitored for items such as account numbers, identification numbers, etc.



Encryption Services (E-mail/File System)
Your Organization: yes | Your Peers: 76.00% | All Participants: 64.65% (% who currently use)

Encryption Services typically consist of the use of an appliance or software package that encrypts corporate e-mail and/or sensitive files. These services may be utilized by key personnel within an organization, or may be deployed enterprise wide to ensure that all sensitive data is protected accordingly.

Forensics Services
Your Organization: no | Your Peers: 8.00% | All Participants: 4.04% (% who currently use)

Forensics Services consist of the evaluation of one or more computer platforms that have been compromised by an external or internal attacker. These services are typically utilized to determine where the attack originated from, how the system was compromised, what was done after the compromise, and if the system was utilized to attack other external or internal systems. Organizations should utilize a vendor that has certified, experienced forensics staff who will not jeopardize the organization's ability to enter into litigation with the forensics data should that course of action be expected.



Information Security Risk Assessment
Your Organization: no | Your Peers: 68.00% | All Participants: 65.66% (% who currently use)

An Information Security Risk Assessment consists of identifying the critical data and systems utilized by an organization and then evaluating the risks they may be exposed to from external or internal sources. Based upon the findings of the evaluation, the organization can then determine the level of risk being presented and then decide to mitigate, transfer, accept, or defer the risk. Information Security Risk Assessments are typically conducted as cross-functional engagements due to the need to capture data points from system/data owners and users alike.

Information Security Training for Clients
Your Organization: no | Your Peers: 4.00% | All Participants: 11.11% (% who currently use)

Security Training for Clients consists of web-based training that focuses on common and easily understood security practices such as password development, how to avoid phishing attacks, and the importance of anti-virus software. Typically the training will also include short, easy to complete quizzes and the ability to easily forward the training information to family, friends, and coworkers.



Information Security Training for Employees
Your Organization: no | Your Peers: 76.00% | All Participants: 71.72% (% who currently use)

Security Training for Employees consists of programs, delivered in person or via web-based means, which educate organization personnel on information security basics such as strong password construction and how to thwart social engineering attacks. Typically, the training will also consist of testing to measure content retention by the employee and completion certificate issuance at the end of the program.

ISO Standards
Your Organization: no | Your Peers: 4.00% | All Participants: 3.03% (% who currently use)

ISO Standards are generally accepted information security and risk management best practices published by the International Organization for Standardization. Examples include ISO 31000 (Risk Management) and ISO 27001 (Information Security Management Systems).



IT Audit (Programs, Policies, Practices)
Your Organization: yes | Your Peers: 76.00% | All Participants: 59.60% (% who currently use)

An IT Audit consists of the manual evaluation of an organization's IT security controls and practices. Typically the service will be completed by an IT auditor or security analyst and utilizes internal corporate policies, industry best practices, and regulatory requirements as a baseline for the audit. At completion, the audit is meant to provide a holistic picture of the organization's practices and where gaps exist that potentially place the organization at risk.

Online Policy Management
Your Organization: no | Your Peers: 4.00% | All Participants: 9.09% (% who currently use)

Online Policy Management consists of the use of applications, typically web-based in nature, to manage, update, and track employee review and acceptance of corporate policies. Typically organizations will create virtual policy handbooks and then assign these at the department or individual level for review. Employee reviews are then tracked, along with any employee feedback, and can be subsequently reported on for compliance and audit needs.



Security Policy Development/Review
Your Organization: no | Your Peers: 52.00% | All Participants: 44.44% (% who currently use)

Security Policy Development and Review engagements consist of two parts. If the organization has a defined policy set, the set is often evaluated against industry best practice and regulatory requirements to identify any potential gaps. Based upon the review, the organization may then opt to have the vendor develop additional policies or provide policy templates to the organization for their editing and use.

Virtual Host Implementation Assessment
Your Organization: no | Your Peers: 4.00% | All Participants: 4.04% (% who currently use)

A Virtual Host Implementation Assessment consists of the security evaluation of a virtual operating system operating in a single instance on a workstation, or running concurrently with multiple other operating systems on a corporate server. The assessment will evaluate the manner in which the operating system has been implemented to ensure that there are proper security controls in place that prevent the compromise of the host operating system or other virtual instances in the event of an attack. Additionally, the security analyst will typically also evaluate the organization's virtual machine hardening and implementation practices and policies to identify gaps that may exist.



Website Compliance Review
Your Organization: yes | Your Peers: 32.00% | All Participants: 24.24% (% who currently use)

A Website Compliance Review consists of the evaluation of an organization's website to ensure that it is in compliance with regulatory requirements. These requirements may range from the manner in which a financial organization advertises loan rates, to the way in which a commercial organization advertises certain special offers or utilizes images or video. These reviews are typically done in a manual fashion as each page contained within a website must be evaluated for consistency with the organization's internal requirements and those from any regulatory body.

Other
Your Organization: no | Your Peers: 0.00% | All Participants: 1.01% (% who currently use)



None of the Above
Percentage of Participants Who Do Not or Will Not Use Any of the Services Above
Your Peers: 4.00% | All Participants: 6.06% (% who do not use)

Top 3 Compliance Services

Participants were asked to rank the compliance services in order of importance to the organization's compliance program. The chart below represents the top 3 ranked compliance services.

Top 3 Compliance Services (chart; the three ranked lists are given in the order extracted, and the chart legend reads All Participants, Your Peers, Your Organization):

List 1: IT Audit (programs, policies, practices); Information Security Training for Employees; Encryption Services (e-mail/file system)

List 2: IT Audit (programs, policies, practices); Data Loss Prevention (DLP); Information Security Training for Employees

List 3: Data Loss Prevention (DLP); Information Security Training for Employees; Encryption Services (e-mail/file system)



Security Policies/Programs

Business Continuity Plan
Your Organization: yes | Your Peers: 96.00% | All Participants: 81.82% (% who currently use)

A Business Continuity Plan documents and defines the programs and practices put in place by an organization to ensure the ongoing operations of the business. Business Continuity Plans are considered an information security best practice and are typically required for companies operating in regulated industries such as banking, healthcare, energy, etc.

Disaster Recovery Program
Your Organization: yes | Your Peers: 96.00% | All Participants: 88.89% (% who currently use)

A Disaster Recovery Plan outlines the activities that need to be undertaken by management and staff in the event of a man-made or natural disaster. Disaster Recovery Plans typically contain call trees, system recovery procedures, hot site usage requirements, disaster declaration authority, and press/media management. Organizations operating in regulated industries are typically required, by regulation or law, to have a robust Disaster Recovery Plan in place and to test their plan at least annually.



Incident Response Program
Your Organization: yes | Your Peers: 88.00% | All Participants: 82.83% (% who currently use)

An Incident Response Plan defines how an organization will respond to an information security related event. While many companies have these plans in place to deal with virus or malware outbreaks, more and more firms are expanding them to cover security breaches and non-disaster related events. Incident Response Plans define not only how an incident is to be declared and addressed, but also how the organization will socialize the event with customers, regulators and law enforcement.

Information Security Policy: Acceptable Use of Computer Systems
Your Organization: yes | Your Peers: 96.00% | All Participants: 92.93% (% who currently use)

An Acceptable Use Policy will clearly define what activities employees (management and staff) are and are not allowed to conduct, and that employees should have no expectation of privacy or content ownership while using corporate computing platforms. Historically addressing only the use of workstations and laptops, most Acceptable Use Policy content has been expanded to encompass the use of non-traditional computing devices such as tablets and smartphones.



Information Security Policy: Internet/Social Media
Your Organization: yes | Your Peers: 92.00% | All Participants: 80.81% (% who currently use)

An Internet/Social Media policy will typically define what online activities employees are allowed to engage in on behalf of the company. The policy may also outline any limitations on personal online activity and require that employees clearly state that their views are their own and not those of their employer. This ensures that any libelous statements are attributable to and the responsibility of the employee and not a reflection of the beliefs of the company.

Information Security Policy: Mobile Devices
Your Organization: yes | Your Peers: 84.00% | All Participants: 73.74% (% who currently use)

A Mobile Device Policy will typically contain content similar to that of an Acceptable Use Policy. However, it may also contain content that defines prohibited activities such as the use of "App Stores" or whether or not the employee is allowed to use their personal device for corporate activities.



Information Security Policy: Physical Security
Your Organization: yes | Your Peers: 92.00% | All Participants: 84.85% (% who currently use)

A Physical Security Policy will typically define the required security controls that must be maintained by employees. This may include the proper use of access badges, the requirement to maintain a clean desk, and how security systems (cameras, badges, etc.) will be deployed and utilized within the company.

Information Security Policy: Securing Protected Data
Your Organization: yes | Your Peers: 80.00% | All Participants: 74.75% (% who currently use)

A Securing Protected Data Policy will typically contain content that can be found in clean desk, physical security, and encryption policies. It may also contain content associated with data classification to ensure that employees understand what data is considered public knowledge and what should be considered confidential. Typically, this policy will also define which other "security" policies will be put in place and will define minimum security standards for "protected" data.



Other
Your Organization: no | Your Peers: 4.00% | All Participants: 1.01% (% who currently use)

None of the Above
Percentage of Participants Who Do Not or Will Not Use Any of the Services Above
Your Peers: 0.00% | All Participants: 1.01% (% who do not use)



Security Concerns

Each concern below shows your organization's own rating and the distribution of ratings (None, Small, Moderate, High, Very High) across your peers and across all participants.

Advanced Persistent Threats (APT)
Your Organization: High
All Participants: None 3.03% | Small 16.16% | Moderate 49.49% | High 20.20% | Very High 11.11%
Your Peers: None 0.00% | Small 12.00% | Moderate 64.00% | High 16.00% | Very High 8.00%

Brand Infringement
Your Organization: Small
All Participants: None 15.15% | Small 55.56% | Moderate 21.21% | High 6.06% | Very High 2.02%
Your Peers: None 12.00% | Small 60.00% | Moderate 12.00% | High 12.00% | Very High 4.00%

Browser-based attacks
Your Organization: High
All Participants: None 2.02% | Small 10.10% | Moderate 37.37% | High 34.34% | Very High 16.16%
Your Peers: None 4.00% | Small 20.00% | Moderate 32.00% | High 24.00% | Very High 20.00%



Business Continuity Risks

Your

Organization

Moderate None:

Small:

Moderate:

High:

Very High:

2.02%

17.17%

50.51%

24.24%

6.06%

0.00%

32.00%

44.00%

16.00%

8.00%

None:

Small:

Moderate:

High:

Very High:

Your PeersYour Peers

All Participants

Cloud Computing Threats

Your

Organization

Small None:

Small:

Moderate:

High:

Very High:

8.08%

32.32%

36.36%

21.21%

2.02%

4.00%

44.00%

28.00%

16.00%

8.00%

None:

Small:

Moderate:

High:

Very High:

Your PeersYour Peers

All Participants

Data Center Physical Security Threats

Your

Organization

Small None:

Small:

Moderate:

High:

Very High:

8.08%

52.53%

33.33%

4.04%

2.02%

12.00%

64.00%

12.00%

4.00%

8.00%

None:

Small:

Moderate:

High:

Very High:

Your PeersYour Peers

All Participants

© 2015 Digital Defense, Inc.

Data Loss (via e-mail, file sharing, etc.)
Your Organization: High
                    None     Small    Moderate  High     Very High
Your Peers          4.00%    12.00%   28.00%    48.00%   8.00%
All Participants    2.02%    13.13%   37.37%    36.36%   11.11%

Denial of Service Attacks
Your Organization: High
                    None     Small    Moderate  High     Very High
Your Peers          4.00%    24.00%   44.00%    16.00%   12.00%
All Participants    2.02%    28.28%   47.47%    18.18%   4.04%

Disaster Recovery/Business Continuity Threats
Your Organization: Moderate
                    None     Small    Moderate  High     Very High
Your Peers          0.00%    36.00%   40.00%    16.00%   8.00%
All Participants    1.01%    26.26%   45.45%    21.21%   6.06%

Employee Negligence
Your Organization: Moderate
                    None     Small    Moderate  High     Very High
Your Peers          0.00%    8.00%    36.00%    32.00%   24.00%
All Participants    1.01%    16.16%   40.40%    28.28%   14.14%

Hacker External (unknown party)
Your Organization: High
                    None     Small    Moderate  High     Very High
Your Peers          0.00%    12.00%   32.00%    36.00%   20.00%
All Participants    2.02%    10.10%   44.44%    31.31%   12.12%

Hacker Internal (employee, trusted 3rd party)
Your Organization: Moderate
                    None     Small    Moderate  High     Very High
Your Peers          4.00%    16.00%   28.00%    40.00%   12.00%
All Participants    2.02%    27.27%   43.43%    22.22%   5.05%

Incident Response Threats
Your Organization: Small
                    None     Small    Moderate  High     Very High
Your Peers          0.00%    16.00%   52.00%    20.00%   12.00%
All Participants    1.01%    22.22%   51.52%    21.21%   4.04%

Information Security Policy Issues
Your Organization: Moderate
                    None     Small    Moderate  High     Very High
Your Peers          0.00%    36.00%   40.00%    20.00%   4.00%
All Participants    4.04%    34.34%   40.40%    18.18%   3.03%

Information Security Threats Caused By Employee Actions
Your Organization: High
                    None     Small    Moderate  High     Very High
Your Peers          0.00%    4.00%    28.00%    44.00%   24.00%
All Participants    1.01%    15.15%   34.34%    34.34%   15.15%

Information Security Training for Clients
Your Organization: None
                    None     Small    Moderate  High     Very High
Your Peers          24.00%   24.00%   32.00%    16.00%   4.00%
All Participants    22.22%   31.31%   29.29%    12.12%   5.05%

Information Security Training for Employees
Your Organization: Moderate
                    None     Small    Moderate  High     Very High
Your Peers          0.00%    8.00%    56.00%    24.00%   12.00%
All Participants    2.02%    21.21%   43.43%    25.25%   8.08%

In-House Software Development Threats
Your Organization: Small
                    None     Small    Moderate  High     Very High
Your Peers          32.00%   48.00%   12.00%    4.00%    4.00%
All Participants    35.35%   39.39%   21.21%    3.03%    1.01%

Mobile Device Threats (i.e. iPad, iPhone, Blackberry, etc)
Your Organization: Moderate
                    None     Small    Moderate  High     Very High
Your Peers          0.00%    36.00%   40.00%    20.00%   4.00%
All Participants    6.06%    33.33%   36.36%    22.22%   2.02%

PHI (HIPAA) Information Compromises
Your Organization: None
                    None     Small    Moderate  High     Very High
Your Peers          48.00%   28.00%   12.00%    4.00%    8.00%
All Participants    36.36%   32.32%   20.20%    8.08%    3.03%

Phishing/Vishing Threats
Your Organization: High
                    None     Small    Moderate  High     Very High
Your Peers          0.00%    8.00%    36.00%    44.00%   12.00%
All Participants    1.01%    13.13%   40.40%    32.32%   13.13%

PII (Personal Identification Information) Compromises
Your Organization: Moderate
                    None     Small    Moderate  High     Very High
Your Peers          0.00%    4.00%    48.00%    36.00%   12.00%
All Participants    2.02%    12.12%   36.36%    35.35%   14.14%

Social Engineering Threats - Onsite (dumpster diving, office infiltration)
Your Organization: Moderate
                    None     Small    Moderate  High     Very High
Your Peers          0.00%    28.00%   40.00%    24.00%   8.00%
All Participants    4.04%    29.29%   42.42%    20.20%   4.04%

Social Engineering Threats - Remote (phone, e-mail)
Your Organization: High
                    None     Small    Moderate  High     Very High
Your Peers          0.00%    0.00%    24.00%    56.00%   20.00%
All Participants    3.03%    12.12%   28.28%    42.42%   14.14%

Use of Encryption within the Enterprise
Your Organization: Moderate
                    None     Small    Moderate  High     Very High
Your Peers          0.00%    36.00%   24.00%    28.00%   12.00%
All Participants    4.04%    29.29%   40.40%    17.17%   9.09%

Virtualization Threats
Your Organization: Moderate
                    None     Small    Moderate  High     Very High
Your Peers          0.00%    52.00%   40.00%    0.00%    8.00%
All Participants    6.06%    40.40%   46.46%    3.03%    4.04%

Virus, Worm, Malware Threats
Your Organization: High
                    None     Small    Moderate  High     Very High
Your Peers          0.00%    8.00%    36.00%    44.00%   12.00%
All Participants    1.01%    10.10%   37.37%    39.39%   12.12%

Voice Over IP / Phone System Threats
Your Organization: Small
                    None     Small    Moderate  High     Very High
Your Peers          8.00%    64.00%   16.00%    4.00%    8.00%
All Participants    10.10%   51.52%   27.27%    9.09%    2.02%

Website Attacks
Your Organization: Very High
                    None     Small    Moderate  High     Very High
Your Peers          0.00%    28.00%   40.00%    24.00%   8.00%
All Participants    4.04%    29.29%   46.46%    17.17%   3.03%

Website Compliance
Your Organization: Moderate
                    None     Small    Moderate  High     Very High
Your Peers          0.00%    56.00%   32.00%    8.00%    4.00%
All Participants    6.06%    43.43%   39.39%    10.10%   1.01%

Wireless Security Threats
Your Organization: Small
                    None     Small    Moderate  High     Very High
Your Peers          12.00%   40.00%   40.00%    4.00%    4.00%
All Participants    10.10%   35.35%   43.43%    9.09%    2.02%
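The Security Concerns charts invite a peer comparison, so the following added example (not part of the original report) turns four of them into a simple blind-spot screen: for each concern it takes the organization's own rating and the two response distributions, reports what share of respondents rated the concern higher, and flags concerns the organization rates below the level most of its peers chose. The percentages are copied from the charts above; the "blind spot" label and the ConcernSurvey structure are my own.

```python
from dataclasses import dataclass

# Concern levels in the order the report uses them, lowest to highest.
LEVELS = ["None", "Small", "Moderate", "High", "Very High"]


@dataclass(frozen=True)
class ConcernSurvey:
    """One 'Security Concerns' chart: the organization's own rating plus the
    percentage of respondents choosing each level, ordered as in LEVELS."""
    name: str
    own: str
    peers: tuple      # Your Peers (25 respondents, so 4.00% steps)
    everyone: tuple   # All Participants (99 respondents, so 1.01% steps)


def validate(dist):
    """Reject a distribution that is not five percentages summing to ~100."""
    if len(dist) != len(LEVELS):
        raise ValueError(f"expected {len(LEVELS)} values, got {len(dist)}")
    if abs(sum(dist) - 100.0) > 0.1:
        raise ValueError(f"distribution sums to {sum(dist):.2f}, not 100")


def mode_level(dist):
    """Most frequently chosen level (the lower level wins on a tie)."""
    return LEVELS[dist.index(max(dist))]


def share_rating_higher(dist, own):
    """Percentage of respondents who rated the concern above `own`."""
    own_idx = LEVELS.index(own)
    return round(sum(dist[own_idx + 1:]), 2)


def compare(survey):
    """Summarize where the organization's rating sits against both groups.
    A concern is flagged as a possible blind spot when the organization
    rates it below the level most of its peers chose."""
    validate(survey.peers)
    validate(survey.everyone)
    peer_mode = mode_level(survey.peers)
    return {
        "concern": survey.name,
        "own": survey.own,
        "peer_mode": peer_mode,
        "all_mode": mode_level(survey.everyone),
        "peers_rating_higher": share_rating_higher(survey.peers, survey.own),
        "all_rating_higher": share_rating_higher(survey.everyone, survey.own),
        "blind_spot": LEVELS.index(survey.own) < LEVELS.index(peer_mode),
    }


# Values copied from the report's charts (percent of respondents per level,
# in LEVELS order: None, Small, Moderate, High, Very High).
SURVEYS = [
    ConcernSurvey("Information Security Training for Clients", "None",
                  (24.00, 24.00, 32.00, 16.00, 4.00),
                  (22.22, 31.31, 29.29, 12.12, 5.05)),
    ConcernSurvey("Cloud Computing Threats", "Small",
                  (4.00, 44.00, 28.00, 16.00, 8.00),
                  (8.08, 32.32, 36.36, 21.21, 2.02)),
    ConcernSurvey("In-House Software Development Threats", "Small",
                  (32.00, 48.00, 12.00, 4.00, 4.00),
                  (35.35, 39.39, 21.21, 3.03, 1.01)),
    ConcernSurvey("Website Attacks", "Very High",
                  (0.00, 28.00, 40.00, 24.00, 8.00),
                  (4.04, 29.29, 46.46, 17.17, 3.03)),
]


def blind_spots(surveys=SURVEYS):
    """Names of concerns the organization rates below its peer group's mode."""
    return [compare(s)["concern"] for s in surveys if compare(s)["blind_spot"]]


if __name__ == "__main__":
    for s in SURVEYS:
        r = compare(s)
        flag = "  <- below peer mode" if r["blind_spot"] else ""
        print(f'{r["concern"]}: you={r["own"]}, peers mode={r["peer_mode"]}, '
              f'{r["peers_rating_higher"]}% of peers rated higher{flag}')
```

Only the client-training concern is flagged on these four charts; the same check can be run over every chart in the section by adding its two rows to SURVEYS.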


Security Concerns Glossary

Advanced Persistent Threats (APT): An Advanced Persistent Threat is typically a hidden, clandestine manner by which an attacker gains control of one or more applications or computer systems within an organization's networks for use in future nefarious acts. These threats may remain hidden for days, weeks, or even months before they are discovered.

Brand Infringement: Brand Infringement is typically associated with the unauthorized use of an organization's brand (trademarks, service marks, logos, etc.). Often the issues associated with brand infringement are the result of the marks being used as part of a phishing attack or other fraudulent website. Other instances may include the use of the marks on blogs or social networking sites.

Browser-based attacks: Browser-based attacks are typically defined as those attacks that occur when a computer user visits a website hosting malicious code that causes the compromise of an application or operating system. These types of attacks are typically most successful when the computer user's web browser software is out of date, or when permissive security settings are in use within the browser. Other types of browser-based attacks include cross-site scripting attacks and man-in-the-middle attacks against encrypted sessions.

Business Continuity Risks: A Business Continuity Plan (BCP) is closely tied to the findings of a corporate Business Impact Analysis (BIA). The BIA process identifies key systems within an organization and the monetary impact experienced by the organization when those systems become unavailable for use by staff or clientele. Based upon the findings of the BIA, the BCP defines the time frame in which those systems must be recovered for the organization to remain viable, and what actions the management and staff of the organization must take to minimize the monetary losses of the company during periods of extended downtime.

Cloud Computing Threats: Cloud Computing Threats are typically associated with the dangers that present themselves through the use of cloud-based services such as online CRM systems or web-based office automation tools. As these services are typically offered by third-party vendors, the contracting organization will not typically own, manage, or maintain any of the hardware or software. As such, organizations should evaluate not only the security practices of the vendor, but their financial standing as well. Further, contractual provisions should be put in place that clearly define data ownership as well as breach notification.

Data Center Physical Security Threats: Data Center Physical Security Threats include the ability of an attacker to bypass door locks and badging systems, as well as the failure of an organization to properly implement closed-circuit camera systems, locked server racks, heat and humidity sensors, fire extinguishing systems, and biometric access systems. These threats, alone or combined, place an organization's critical systems and data at risk of loss or compromise.

Data Loss (via e-mail, file sharing, etc.): Data Loss entails the exposure of sensitive, non-public information to outside parties who do not have authorized access to it. This information may include driver's license or other ID numbers, Social Security numbers, passwords, or other information. Information may be disclosed through corporate e-mail, resulting in an accidental or intentional release of this information outside the organization. Information in the form of electronic media such as back-up tapes, or hard-copy information such as account statements, may be lost via a breach associated with a third-party vendor.

Denial of Service Attacks: Denial of Service Attacks can impact a single system or an entire network segment. While there are multiple variants, the most common is a distributed denial-of-service attack, where multiple computing platforms spread across the Internet are used by an attacker to flood an organization with so much traffic (web requests, etc.) that the organization's systems simply cannot handle all of the legitimate and illegitimate traffic. As a result, legitimate users are unable to gain access to the organization's resources, resulting in a loss of business and revenue.


Disaster Recovery/Business Continuity Threats: A Business Continuity Plan (BCP) is closely tied to the Business Impact Analysis (BIA) and Disaster Recovery Program (DRP) of an organization. The BIA process identifies key systems within an organization and the impact experienced when those systems become unavailable for use by staff or clientele. Based upon the findings of the BIA, the BCP defines the timeframe in which those systems must be recovered for the organization to remain viable. The DRP is much more granular, defining the policies and procedures associated with the recovery of the key systems. The primary threat associated with these plans and programs is the lack of proper testing and periodic updating to ensure they remain relevant.

Employee Negligence: Employee Negligence is typically defined as actions taken by an employee that place the employee or the employer in jeopardy. Often the employee's actions are not malicious in nature; rather, the employee takes actions while being unaware of the potential impact the action may have on the organization. An example of Employee Negligence is leaving sensitive information out on a desk after working hours, where it can easily be seen or stolen by cleaning crews or others.

Hacker External (unknown party): External Hacker attacks are not necessarily attacks perpetrated solely against Internet-facing computing platforms; rather, they are defined as attacks conducted by individuals who are not employees of the organization. These attacks may be in the form of network reconnaissance and vulnerability scanning, or include targeted attacks against individual systems and applications. Attacks can also take the form of compromised internal computing platforms used to "hop" from one system to the next, exploiting multiple vulnerabilities along the way in an effort to gain access to more and more confidential and proprietary information.

Hacker Internal (employee, trusted 3rd party): Internal Hacker attacks are not necessarily attacks perpetrated solely against internal, non-Internet-facing computing platforms; rather, they are defined as attacks conducted by individuals who are employees of the organization. These attacks may range from network reconnaissance and vulnerability scanning to targeted attacks against individual systems and applications. Attacks can also leverage compromised internal computing platforms to "hop" from one system to the next, exploiting multiple vulnerabilities along the way in an effort to gain access to more and more confidential and proprietary information.

Incident Response Threats: Incident Response Threats are typically seen in one of two areas. The first is that the incident response program has not been adequately tested and, as a result, does not adequately address threats that may be experienced by an organization's staff. The second is that many incident response programs are not reviewed and updated on at least an annual basis to ensure that the program addresses new threats that may not have been relevant at the time the program was initially constructed. In either instance, the organization and its computing platforms can be placed at risk of exposure and compromise.

Information Security Policy Issues: There are two primary issues typically associated with an organization's information security policies. The first is that existing policies are often not reviewed on at least an annual basis in order to incorporate any needed updates. The second, and just as important, is the lack of new policies being added to the existing set to address new security practices and/or technologies that have been implemented by the organization. In either case, an organization can easily be placed at risk because staff members do not fully understand what practices are and are not allowed.

Information Security Threats Caused By Employee Actions: Employee-caused security threats can present themselves in a variety of fashions. Employees may inadvertently bring viruses or other malware into the workplace by working on files at home, or may browse websites which seek to exploit vulnerabilities on the employee's workstation. Employees may also fall victim to social engineering attacks and release highly sensitive data outside the organization, or may violate general security practices such as "ghosting" other employees at badge entry areas.


Information Security Training for Clients: Security Training for Clientele is nearly as important as staff security training for most organizations. While the level of risk associated with clientele system usage is typically lower than that of staff members, clientele can still place an organization at risk via unsafe computing practices. As an example, clientele who do not properly maintain their computer workstation anti-virus and anti-malware software may expose the organization to fraud if their usernames and passwords are compromised in some fashion.

Information Security Training for Employees: An organization's staff is often the weakest link within the entire security program. Staff left untrained, or poorly trained, regarding information security best practices can lead to the circumvention of almost any security control put in place. Poorly chosen passwords, falling for social engineering attacks, or lack of adherence to physical security controls are typically all the result of staff members who have not received the proper level of information security training. These same individuals, through their actions, put an organization at risk for loss or other information security related exposures.

In-House Software Development Threats: In-House Software Development threats typically present themselves through vulnerabilities that have been introduced into applications used by an organization's staff or clientele. If an organization does not have a robust software development lifecycle that includes security testing, there is a high probability that applications, and later updates to the applications, will contain weaknesses such as buffer overflows, SQL injection flaws, and other issues that could potentially be exploited by attackers.

Mobile Device Threats (i.e. iPad, iPhone, Blackberry, etc): Threats associated with mobile devices include, but are not limited to, data exposure due to lost or stolen devices, malware introduced via applications loaded onto the device by the user, and access to corporate information via the use of weak passwords on the device.

PHI (HIPAA) Information Compromises: Compromises of PHI typically occur within medical facilities; however, they can also be seen within other companies where the information is collected as part of on-boarding employees and determining what medications or ailments they have. Regardless of the type of company, all PHI should be secured when not in use. Should a breach of PHI occur, there may be stiff monetary penalties levied against the company.

Phishing/Vishing Threats: Phishing and Vishing attacks occur via the use of fraudulent e-mail messages, websites, and phone numbers. These are used by individuals or crime rings in an effort to elicit confidential username and password information from computer users. Typically, during a phishing attack, a fraudulent website that mimics a legitimate business is established and then, via e-mail, users are directed to the site. Vishing attacks take this one step further via the use of fraudulent VoIP platforms that provide a "live person" to contact.

PII (Personal Identification Information) Compromises: Compromises of PII can occur within any type of business, regardless of the vertical the business is in. PII should be secured at all times when not in use. PII includes Social Security numbers, ID numbers, and any other information that is not public record. There is a potential for harsh monetary penalties depending upon the size of the breach and the information that was stolen.

Social Engineering Threats - Onsite (dumpster diving, office infiltration): Social engineering is the act of taking advantage of a person's trust to gain access to confidential information about the person, their employer, or their clientele. Onsite social engineering occurs during a face-to-face encounter where the attacker may use fake credentials or attire to elicit the desired response, or where the attacker uses intimidation or deceit to gain access to the desired information. Social engineering attacks can occur in companies of all sizes, and can be perpetrated by individuals outside the organization as well as current employees.


Social Engineering Threats - Remote (phone, e-mail): Social Engineering is the act of taking advantage of a person's trust to gain access to confidential information about the person, their employer, or their clientele. Remote social engineering attacks can occur during phone or e-mail based conversations where the attacker may use intimidation or deceit to gain access to the desired information. Social engineering attacks can occur in companies of all sizes, and can be perpetrated by individuals outside the organization as well as current employees.

Use of Encryption within the Enterprise: Encryption usage in most organizations will typically fall into one of three camps: e-mail encryption, hard drive encryption, and database encryption. E-mail encryption is the most commonly used, due to the need to protect clear-text e-mail messages. Second would be the use of hard drive encryption, typically seen on laptop computers to protect data stored on the hard drive in the event the equipment is lost or stolen. Last would be database encryption, which is typically the last to be implemented due to the cost and complexity of most database encryption methods. The most common issues associated with encryption are poor governing policy development as well as weak implementation planning.

Virtualization Threats: Virtualization Threats are typically seen within virtual machine implementations that have been poorly configured and hardened. Without properly securing each virtual machine, a single virtual instance can place multiple systems at risk and can cause the compromise of an entire virtual machine implementation, as well as the data the virtual machines process, store, or transmit.

Virus, Worm, Malware Threats: Virus, Worm, and Malware Threats tend to impact systems that are behind on operating system and application vulnerability patches. Virus and malware infections will typically occur from opening infected files or e-mails, or from visiting malicious websites. Worm attacks tend to originate from other computing platforms that have already become infected by the worm.

Voice Over IP / Phone System Threats: Voice Over IP / Phone System Threats are associated with a variety of issues that can impact phone platforms of all types. These threats include call interception by a known or unknown party, toll fraud, call recording, call manager software tampering, the disabling of VoIP encryption controls, and attacks that deny service to users, the PBX, or both.

Website Attacks: Website Attacks are hacking and penetration attempts that focus on the web-based assets of an organization. These attacks may be launched to compromise the website itself to alter content, or to use the compromised website as a pivot point to launch an attack against other corporate systems that may have a "trust" relationship with the website server.

Website Compliance: Website Compliance is a concern for every organization that has an Internet presence. Almost without exception, every organization will have some type of regulatory requirement that it must comply with on its website, home banking system, or e-commerce site. These requirements could include privacy notices, disclosures regarding loan or deposit rates, fair advertising requirements, and disclosures regarding the use of copyrighted materials such as photos, music, or video images.

Wireless Security Threats: Wireless Security Threats can exist with both authorized and unauthorized wireless implementations. Typically, authentication issues, inadequate encryption, signal bleeding, and/or improper hardening are the biggest concerns with authorized wireless implementations. Unauthorized wireless implementations can be difficult to detect and, due to their rogue nature, may place an entire corporate network at risk. As such, organizations should consider periodic sweeps to detect and remove unauthorized access points that may have been attached to one or more network segments.


END OF REPORT
