Security pros say that hackers have the upper hand

The numbers don’t lie: now, more than ever, security professionals feel outgunned by attackers and the level of automation employed in most campaigns against enterprise IT infrastructure, according to a new survey published by RedSeal Systems and Dimensional Research.

Interviews with 1,967 professionals at the recent Cisco Live and Black Hat USA conferences found that more than 75 percent of network management and security professionals believe that automated tools give hackers the upper hand in evading the defensive systems utilized by most enterprises to protect their critical assets and data.

Further compounding the issue, a vast majority of those IT pros surveyed reported that their employers – for the most part large organizations – cannot maintain necessary layered defenses based on their inability to determine where gaps in those systems exist.

Among the finidings:

  • Over 71 percent of respondents admitted that their networks are exposed to external threats due to misconfiguration issues present in their security device infrastructure.
  • More than 50 percent had no idea how many of their organizations’ internal hosts were actually exposed to the Internet.
  • Roughly 52 percent conceded that their vulnerability management initiatives don’t allow them to prioritize remediation based on the likelihood of real-world attacks.

Over 50 percent of those surveyed were responsible for networks containing over 100 or more such devices, suggesting that the sheer size and scale of today’s security infrastructure is preventing organizations from adequately maintaining defense.

And while many security regulations and industry leaders have recommended for years that enterprises adopt a more metrics-driven approach toward measuring the effectiveness of security infrastructure, only 47 percent of respondents said that their employers do so today.

“More surprising than the overwhelming perception among today’s professionals that hackers have the upper hand, based on attack automation and gaps in enterprise defense, is that so few have access to metrics that demonstrate how well security infrastructure is working,” said David Gehringer, Senior Research Analyst for Dimensional Research. “The numbers bear out that there’s genuine concern among practitioners that they lack the tools and information needed to stop the threats that their organizations face.”

Other key findings include:

  • Some 86 percent of energy company employees believe hackers have more advanced automated tools, followed by 84 percent of government workers, 79 percent of telecommunications staffers, 71 percent of healthcare practitioners and 70 percent of financial services professionals, respectively.
  • 51 percent of chief information security officers said they don’t believe, or don’t know that vulnerability assessment tools provide enough information to identify their most important security exposures.
  • Some 56 percent of CISOs said they either don’t have effective metrics to measure security effectiveness or don’t know if those metrics even exist; 55 percent of network management officials made the same admissions.

“Consistent application of network security controls across even medium sized networks has transcended human ability,” said Dr. Mike Lloyd, Chief Technology Officer at RedSeal. “For many years there’s been the notion of an arms race between IT security professionals and attackers; what this survey proves is that the good guys understand they’re facing a truly daunting task to keep up.”