The Current State of IT Security
Current State of IT Security
Fourth Annual Benchmark Study
2006 Report
Carol Balkcom
Product Manager, CompTIA Security+
Who is CompTIA?
• CompTIA is a global trade association representing the
interests of companies and individuals in the information
technology industry
• With approximately 20,000 members, CompTIA provides
research, networking and partnering opportunities in 112
countries
• Offers 11 “vendor-neutral” certification programs ranging
from entry-level to two years of experience
• CompTIA A+, Network+ and Security+ alone account for
788,000 certifications worldwide
• Not just certification, special area-of-interest groups:
Convergence, IT Services, e-Commerce, Public Policy
Annual Security Research
• Research into security issues since 2002
• TNS Prognostics, a professional research
company, and an independent industry panel
of IT professionals in varying industries and
varying company size
• 574 respondents for 2006 report
Top Security Issues
• Virus/worm attacks continue to be the most
prevalent issue mentioned by IT workers (65%
of respondents, just as in 2004)
• Lack of user awareness was mentioned second
most frequently (58%)
• Remote access (e.g. VPN) and browser-based
attacks were 3rd in importance at 48% of
respondents
Most Frequent Attacks
On the other hand, the areas where attacks had
actually occurred most frequently were
weighted somewhat differently, as shown on
the next slide…
IT Security Breaches: Areas that most often
experience security attacks in your organization
Question: In what area(s) does your organization most often experience security attacks? For example, in the area of VoIP, wireless, IM, etc.
[Pie chart: Other 29%; Email attachments 18%; Wireless access 12%; Internet 10%; Virus/Worm 10%; the remaining slices (Remote access, Denial of Service, Instant Messaging, None) are 9%, 5%, 4% and 3%, but which label carries which value is not recoverable from the extracted layout.]
No. of Responses = 481
Sample comments:
Web server
Internet, email
Email spam
Virus infection from email
Email with attachments
Web portal, unauthorized user or attacks
Causing downtime
Viruses
Spyware
Antivirus
Wireless IM
Wireless, outside vendors, virus, firewall problems
VPN
Worm, desktop security
Remote access
Email virus and worm intrusion
From Symantec’s IMLogic Threat Center – Instant
Message Threat Profile…
“Last year had a dramatic increase in the number of instant messaging
threats. With over 2,400 threats discovered in 2005, the year over year
increase [over 2004] is nearly 1700%.
IM worms are the driving force behind this spike. These threats are
particularly fast to propagate and mutate making them an attractive option
for malware authors.”
Personnel and Policy
• There was a 27% increase over 2004 in the
number of companies that now employ a
security administrator to enforce security
policy, with 57% positive responses
• But 41% of respondents still do not have a
“comprehensive written security policy”
Security breaches and their origin
• The number of serious security breaches
remained consistent between 2003 and 2005.
• Irrespective of security policy status, four out
of five serious IT security breaches in the last
year were blamed on human error or combined
human error and technical malfunction
• Of the human error, 30% was attributed to lack
of security knowledge or training
IT Security Training: Staff with Computer
Security Related Certification – By Company Size
Question: What percentage of the IT staff at your organization have received security related certifications (such as CompTIA Security+, CISSP, SCP or CISM)?
Range of Responses: 86 to 121

Company size            None    < 25%   25 - 49%   50 - 74%   75 - 100%
0-49 Employees          73%     18%     3%         3%         3%
50-249 Employees        55%     34%     4%         4%         3%
250-999 Employees       37%     39%     10%        6%         8%
1,000-6,999 Employees   23%     68%     5%         (not shown) 4%
7,000 Or More Employees 14%     60%     16%        7%         3%
According to new research from IDC, the
detection and prevention of outbound content
that violates corporate policy and government
and industry regulations is critical. This new
security market segment, which IDC has termed
outbound content compliance (OCC), will swell
to $1.9 billion in 2009.
IDC, November 30, 2005
Reporting, Training
The Computer Crime and Security Survey for 2005, the
10th year of a study by the Computer Security
Institute (CSI) and the FBI published the following:
• On Training: Respondents from all sectors but high-tech and federal government do not believe their
organization invests enough in security awareness.
• On Reporting: 38 percent of respondents experienced
security intrusions but did not report them.
– Reporting to law enforcement has declined over the years
to 20%. (Key reason: negative publicity.)
Security Breaches and their cost
• Consider the impact that specific breaches could have
on customers:
– Network downtime (Virus / Denial of Service)
– Loss of productivity (Virus / Denial of Service / Spam)
– Lost data (Trojan Horse / Virus / Worm)
– Stolen data (Spyware / Social Engineering / Key Logger)
– Loss of competitive intellectual capital (Social Engineering)
– Increased IT support and troubleshooting overhead (All Breaches)
– Damaged company reputation (All Breaches)
– Loss of customer confidence and loss of customers due to poor data protection (All Breaches)
– Non-compliance with regulations (such as SOX or HIPAA) resulting in punitive action (All Breaches)
IT Security Breach: Cost of Security Breaches
While respondents are most likely to indicate that there was no cost associated with their breaches, the median cost
figure is put at over $11,000 for the last security breach and nearly $35,000 within the last 12 months.

Cost                  Last Security Breach   Last 12 Months
$0                    49%                    51%
$1 - $500             15%                    10%
$501 - $1,000         9%                     8%
$1,001 - $5,000       13%                    12%
$5,001 - $10,000      6%                     6%
$10,001 - $50,000     5%                     8%
>$50,000              3%                     5%
No. of Responses      494                    493
Median                $11,460.69             $34,885.12

Question: In actual dollars, what was the cost of your last security breach? (Please provide your best estimate)
Question: In the last 12 months, how many major security breaches have occurred at your organization?
Right to know
IT Security Breach: Internal Policies
Two-thirds indicate that they have a policy in place that addresses social engineering issues, and the same portion
indicate that statistics regarding breaches are only available at the IT and Executive levels.
Question: Does your organization have an IT security policy in place addressing the issue of social engineering (e.g. not giving passwords out to someone over the phone)?
Yes 66%
No 34%
No. of Responses = 557
Question: How are statistics on information security breaches distributed within or by your organization?
Confidential, IT/Exec access only 67%
Confidential, employees only 22%
Only anonymous information shared 8%
Not confidential, shared outside org 3%
No. of Responses = 495
IT Security Overview: Security Enforcement
Respondents are most likely to point to antivirus and firewalls/proxy servers here. There has been growth in those
mentioning dedicated security administrators, compared to 2003; though respondents with these administrators tend to
return results that are in line with the overall averages.
[Bar chart, 2003/2004/2005 series, x-axis 0% to 100% of respondents: Antivirus, Firewalls/Proxy Servers, Written IT Security Policy, Disaster recovery plan, Intrusion Detection Systems, Change control process, Penetration Testing, Required security training, Physical access control, Dedicated security administrator, Required security experience, Required security certification, Multi-factor authentication, Regular incident response drills, ISO 17799 Compliance, Other (0.9%). Per-category, per-year percentages are not recoverable from the extracted layout.]
No. of Respondents = 574, 427 and 888 for the three survey years
Question: What technologies or practices are being employed at your organization to enforce security requirements? (Check all that apply)
IT Security Overview: Security Services Outsourcing
Firewall administration is the most commonly offshore-outsourced security service – and respondents are most likely to
indicate that this is done because it is more cost effective for their business.
Question: What types of security services are outsourced offshore? (% of Yes responses; No. of Respondents: 28)
[Bar chart: Firewall administration 54%; Other 0%; the remaining services (Physical access control, Training, Intrusion detection, Forensics, Security architecture design, Audits/penetration testing) are lower, with individual values not recoverable from the extracted layout.]
Question: What were your reasons for outsourcing offshore? (% of Yes responses; No. of Respondents: 28)
[Bar chart: More cost effective for our business (highest); More reliable; Not enough resources to handle internally; Not enough trained individuals on staff to handle; Other. Individual values are not recoverable from the extracted layout.]
How do companies help mitigate security risk?
IT Security Overview: Current Security Monitoring Measures
This year, audits/penetration, lessons learned, and awareness/education tie as the most commonly mentioned measures
currently in place for monitoring security performance over time. Systems baselines are much less prominent than in
2003.
[Bar chart, 2003/2004/2005 series, x-axis 0% to 100% of respondents: Audits/penetration 51.3%, Lessons Learned 48.3%, Awareness/education 48.3%; also shown are Change control tracking, Systems baselines, Forensics, No measures currently in place, and Other. The remaining per-year values are not recoverable from the extracted layout.]
No. of Respondents = 503, 296 and 659 for the three survey years
Question: What types of measures are currently in place at your organization for monitoring general security performance over time?
(Check all that apply)
Respondent Profiles: Budget
Respondents are most likely to report that about 5% of their IT budget is spent on computer security, which is consistent
with 2004 and 2003. The percentage of respondents indicating that they have spent nothing on security
training/certification is slightly reduced from 2004.
[Bar chart: Percentage of IT Budget Spent on Computer Security, 2003/2004/2005 series, y-axis % of Yes responses (0% to 50%), budget bands from 0% up to 20-50% and 51-100%. Range of Responses: 227-565. Per-band values are not recoverable from the extracted layout.]
[Bar chart: Percentage of IT Budget Allocated for Security Training/Certification, 2003/2004/2005 series, y-axis % of Yes responses (0% to 50%), same budget bands. Range of Responses: 223-560. Per-band values are not recoverable from the extracted layout.]
IT Security Training: Staff with Computer Security Related Training
Administrator-level employees continue to be the most likely to receive security training.
[Bar chart, 2003/2004/2005 series, y-axis % of Yes responses (0% to 100%): Administrator Level (77%, 77% and 80% across the three years), followed by Manager Level, Director Level, Engineering Level, Help Desk technicians, Project Managers, Product Developers, Executive Staff and Other users. The remaining per-year values are not recoverable from the extracted layout.]
No. of Respondents = 477; n = 291; n = 606
Question: What levels of staff generally receive security training at your organization? (Check all that apply)
IT Security Awareness Training: Has It Reduced
Number of Major Security Breaches?
The overwhelming majority of respondents indicate that IT security awareness training has reduced the number of major
security breaches suffered.
Yes
84%
No
16%
No. of Responses = 183
Question: Do you think the number of major security breaches in your organization has been reduced since your organization’s security
awareness training/education? (A major security breach is one that causes real harm, has confidential information taken, or if business is
interrupted.)
IT Security Awareness Training:
One Thing to Improve (Sample Comments)
More frequent reinforcement
Understanding importance of maintaining privacy of customer data
Keep records of scores and give more training to those that score low.
Outlined accountability
Recurring training
Retention
Keeping ahead of everyone else
Emphasis on email and internet use. Phishing, scams, email viruses etc.
Security awareness training/education seems adequate.
Tracking scores
Enforcement of rules
People could pay attention and make sure the physical security rules are followed
Making it mandatory for users and administrators
Ensure that everyone is serious about security.
Comprehension
Question: What is the most important thing that can be improved about your organization’s security awareness training/education?
Training/Certification ROI
• As a rule, respondents believe that there is
significant return on investment (ROI) for
security training and certification, with the
median ROI at $10,000 or more.
IT Security Training: ROI
Median results for estimated ROI on security training and certification are similar, at $10,000 and $11,555, respectively.

Measure (No. of Responses)            Median Response   Average Response in US Dollars
ROI on IT security training (193)     $10,000           $6,135,334.80
ROI on security certification (148)   $11,555           $7,093,050.80

Question: In your opinion, how much money has your organization saved, in total, by the improvement of IT security due to IT security training for
the above issues?
IT Security Training: Certification and Improved Security
Nearly 60% indicate that staff certification has improved IT security – and in much the same ways as training (increasing awareness, boosting
abilities at identifying potential risks, improving security measures, and increasing staff response time).
Question: Has staff security certification improved IT security?
Yes 58%
No 42%
No. of Responses = 278
Question: How has security certification improved IT security? (% of Yes responses; No. of Respondents = 161)
Ability of staff to identify potential security risks 69%
Increased awareness 65%
Better security measures 63%
Ability of staff to respond quicker 60%
Fewer incidents 52%
Better security policies 50%
Other 1%
CompTIA Security+
What is it?
• A CompTIA Security+
certification validates technical
knowledge required of
foundation-level security
practitioners.
Who is it for?
• Those with two years
experience in networking
• Those who hold CompTIA’s A+
and Network+ or equivalent
certifications
• Those who conduct daily,
hands-on security analysis and
prevention/remediation activities
Employee benefits
• Proven understanding of
security best practices and
proof of transferable skills.
• Viable career path leading to
high-level security jobs in end-user, security-specific and
consultative organizations.
Employer benefits
• Increased employee job
satisfaction, and reduced
turnover.
• Assurance that security will be
handled by qualified
professionals, leading to higher
sales through enhanced
customer trust.
Security+ Founding Organizations
• VeriSign
• Symantec
• Entrust
• RSA Security
• Microsoft
• Sun Microsystems
• IBM / Tivoli Software Group
• Novell
• Olympus Security Group
• Motorola
• VCCS - Institute of Excellence for Information Technology
• Information Systems Security Association (ISSA)
• Information Systems Audit and Control Association (ISACA)
• National Institute of Standards & Technology (NIST)
• Argonne National Laboratory
• U.S. Secret Service
• Federal Bureau of Investigation
• Cybersmuggling Center – U.S. Customs
• New Horizons Computer Learning Centers
• Course Technology
• Tech-Connect
• Ascendant Learning
• Marcraft International
• ElementK
• Sybex
Security+ Recognition
CompTIA Security+ is recognized as a requirement, recommended option or applicable
credit in leading organizations and programs (partial list)
• Microsoft
– MCSA, MCSE, MCSA: Security, MCSE: Security
• Symantec Security Technology Architect
• IBM - Tivoli Software Sales and Security Staff
• Information Systems Audit and Control Association (ISACA) – CISM certification
• Information Systems Forensics Association (ISFA) – CIFI certification
• Network General – SCM (Sniffer Certified Master)
• Olympus Security Group – Professional Consultants
• Ascendant Learning – Security Certified Professional (SCP)
• Sun Microsystems – Professional Security Consultants
• Planet 3 Wireless
• HIPAA Academy CHSS program
• Hitachi Information Systems
• Verisign
Detail: CompTIA Security+
• Vendor-neutral (not product-specific) certification
• Developed with input from industry, academia and
government from over 30 countries worldwide and covers
these domains:
– General Security Concepts
– Communication Security
– Infrastructure Security
– Basics of Cryptography
– Operational / Organizational Security
Goal:
Provide validation of two years practical experience with
security on the path toward greater career advancement
Discussion, questions
Thank you!