Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/7/2010
06:24 PM
50%
50%

Outgunned: How Security Tech Is Failing Us

Our testing shows we're spending billions on defenses that are no match for the stealthy attacks being thrown at us today. What can be done?

Information security professionals face mounting threats, hoping some mix of technology, education, and hard work will keep their companies and organizations safe. But lately, the specter of failure is looming larger.

"Pay no attention to the exploit behind the curtain" is the message from product vendors as they roll out the next iteration of their all-powerful, dynamically updating, self-defending, threat-intelligent, risk-mitigating, compliance-ensuring, nth-generation security technologies. Just pony up the money and the manpower and you'll be safe from what goes bump in the night.

Thing is, the pitch is less believable these days, and the atmosphere is becoming downright hostile.

We face more and larger breaches, increased costs, more advanced adversaries, and a growing number of public control failures. Regulation and litigation have both increased. We're still struggling with the expensive PCI initiative, an effort as controversial as its efficacy is questionable--U.S. businesses continue to hemorrhage credit card numbers and personally identifiable information. The tab for the Heartland Payment Systems breach, which compromised 130 million card numbers, is reportedly at $144 million and counting. The Stuxnet worm, a cunning and highly targeted piece of cyberweaponry, just left a trail of tens of thousands of infected PCs. Earlier this month, the FBI announced the arrest of individuals who used the Zeus Trojan to pilfer $70 million from U.S. banks. Zeus is in year three of its reign of terror, impervious to law enforcement, government agencies, and the sophisticated information security teams of the largest financial services firms on the planet.

"If you're being targeted like that, I hope to hell you have an infrastructure and information security strategy that goes far beyond just antivirus," says the IT director at a Fortune 500 pharmaceutical company.

Some do, some don't. But collectively, we've spent billions of dollars on security technologies, and we still can't curb these threats. Intruders trot through firewalls deployed to block them, while malware flourishes on systems that antivirus vendors pledge to immunize. Meantime, our identity management efforts guzzle funds faster than politicians before a crucial vote.

Most of the IT security vendors we interviewed for this article--and we spoke with many of them--admit that their products have flaws, are less than comprehensive, and certainly have room for improvement. But what many of them are not so forthright about is just how bad the situation is. For example, during our own tests of antivirus system effectiveness, bypassing every one of the five major AV suites we had in our lab was a trivial matter. (Our full report contains a rundown of our AV effectiveness testing.)

The situation is untenable for IT security teams. As one respondent to our InformationWeek Analytics Security Toolbox Survey put it, "Reputable vendors don't explicitly lie, but they do lie by omission."

What happened? Have we been purposely misled? Have we not spent enough money? Are we spending in the wrong places? Are our expectations too high, or is the technology too broken? Or are we just outgunned?

The scary answer is: All of the above. Recent events suggest that we are at a tipping point, and the need to reassess and adapt has never been greater. That starts with facing some hard truths and a willingness to change the status quo.

InformationWeek: Oct. 11, 2010 Issue To read the rest of the article, download a free PDF of InformationWeek magazine
(registration required)

Outgunned: How Security Technologies Are Failing Us

Become an InformationWeek Analytics subscriber: $99 per person per month, multiseat discounts available.

Subscribe and get our full report on the failure of security technology. This report includes more than 30 pages of action-oriented analysis, packed with 20 charts.
Get This And All Our Reports

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...