Responses to a survey from attendees of the DEFCON 18 conference revealed that 73% came across a misconfigured network more than three quarters of the time – which, according to 76% of the sample, was the easiest IT resource to exploit.
Results revealed that 18% of professionals believe misconfigured networks are the result of insufficient time or money for audits. 14% felt that compliance audits that don’t always capture security best practices are a factor and 11% felt that threat vectors that change faster than they can be addressed play a key role.
Automating configuration and security management is the best way forward to solving this problem, says Harrison. With an increasing number of self-described black (11%) and grey (46%) hat hackers landing corporate security positions, the focus has overwhelmingly been on how easily we can break things – less than 30% of the sample is motivated by the desire to actually fix broken systems.
It’s also worth noting that 43% of respondents view planting a rogue member of staff inside a company as one of the most successful hacking methodologies. When this issue is added to the sizeable majority of security professionals that come across misconfigured systems on a regular basis, you begin to realize the scale of the security problem that networking professionals face.
“This realization is made worse when you consider that 57% of the security professionals we surveyed classified themselves as a black or grey hat hacker, and 68% of respondents admitted hacking just for fun,” said Reuven Harrison, CTO at Tufin. With networks so easily penetrated, it’s no surprise that 88% believe the biggest threat to organizations lies inside the firewall.
It’s not all doom and gloom emanating from the survey, as 58% of attendees said they did not believe outsourcing security to a third party increased the chances of getting hacked, and almost half the sample believe it would not increase the chances of any sort of security or compliance issue.
The “Hacking Habits” survey was conducted amongst 100 registered DEFCON 18 attendees. The 14-question survey was conducted by the registration desk and outside randomly selected talks over the course of the show. All responses were voluntary and completely anonymous.