
Symantec: Online Security Concerns Growing in the Workplace

In the world of IT security, it's a well-known secret that end users in Windows processing environments put themselves at risk whenever they check their MySpace and Facebook pages, or shop for plane tickets, computers and other goods and services -- all while at the workplace.

Now, a pair of reports from Symantec Security Response -- including the 13th annual "Global Internet Security Threat Report" (available as a PDF) released on Tuesday -- reveal that such actions may imperil some enterprise environments, especially given the rise of browser-based hacking and concerns about security in the Web 2.0 era.

Symantec culled its findings from several sources, including data gathered from network-monitoring software in the hundreds of countries where the security software consultancy does business. Symantec also relied on research gleaned from third-party sources, such as other security firms, exploit research sites and its own security-monitoring blogs. The report covers statistics gathered for the period between July and December of 2007.

"What we find increasingly is that these attacks, using the Internet as a vector, leverage three things: a mature underground economy for hackers, client-side attack toolkits such as bots, and the wildcard: human behavior in the workforce," said Ben Greenbaum, senior research manager for Symantec Security Response. "And it's unfortunate but true that there is no security patch to block the vulnerabilities of social engineering."

Among the key findings in Symantec's "Global Internet Security Threat Report" are some staggering numbers, including the 711,912 new threats discovered in 2007, compared to just 125,243 in 2006. That's an increase of 468 percent.

The report also highlighted several enterprise system weakness trends that are germane to IT pros looking to balance the new work/life spillover in their IT administration space. According to the report, 58 percent of respondent-documented vulnerabilities in the third and fourth quarters of last year affected Web-based software or applications. Of those vulnerabilities, 72 percent were deemed "easily exploitable."

The report also found from its respondents that between Apple, Sun Microsystems and Microsoft, it was Redmond that had the shortest security patch research and turnaround time with a six-day flip. On the other hand, Sun's average patch development lead period last year was 157 days.

Here's another development from the report that may foster immediate concern in some IT shops: Of all the patches rolled out by Sun, Microsoft and Hewlett-Packard that were deemed either medium or critical (high-severity), more than 50 percent were intended to fix either Web browser or client-side vulnerabilities in the OS and related applications, or both.

Tuesday's report comes on the heels of a related study conducted by Symantec last month that explores IT risk management and its relationship to the "millennial" or post-mainframe workforce. Symantec worked with Applied Research-West to measure IT risk issues surrounding the emerging millennial workforce within companies in the United States. The study took responses from 600 people, who were split into three groups of 200. The groups comprised IT executives, rank-and-file "millennial" end users born after 1980, and members of what Symantec deemed the "older" workforce (born before 1980).

Here are a few of those findings:

  • Younger workers of the millennial ilk (66 percent) tend to access Web 2.0 applications, download file-sharing software and use interactive Internet features much more frequently than their older counterparts (13 percent). The latter are probably busier, experts say, because they tend to be in managerial positions. This probably accounts for the large percentage of users on Facebook and MySpace during office hours.


  • Younger workers also tend to take their work home with them on mobile devices such as smart phones and BlackBerrys, storing backup files or even live workflow files on home computers, personal laptops and home servers.


  • Another important point that came out of this report is that 89 percent of the IT managers surveyed conceded that enterprise risk in the IT space has increased over the last five years, and almost half of those managers think younger workers have something to do with that risk, posing a "significant new challenge" in the workplace, according to Symantec.

Speaking on the phone from the RSA Conference in San Francisco -- where many security pros and analysts are in attendance this week -- Andrew Storms opined: "What we take away from these studies and the recent trusted Web site hacks is that this can be applied to Web 2.0 or anything that is Internet-based."

Storms is the director of IT security operations at San Francisco-based nCircle Network Security. He added that these open secrets now have their basis in usable data for tech managers to take to their companies' finance departments, where they should make their concerns heard as a safeguard against hacks and disappointing IT controls audit results.

"It's different when you have only colloquial evidence but you're seeing with recent events and reports such as these that it's spelled out in plain English with accompanying numbers," Storms said.

About the Author

Kurt Mackie is online news editor, Enterprise Group, at 1105 Media Inc.