Where are the sources of security incidents?

Security incidents come in all shapes and sizes. They can affect availability, confidentiality or integrity. Shortinfosec ran a LinkedIn poll to gather the opinions of professionals on which sources of security incidents they consider most frequent.

The poll had 56 respondents, and there was no scientific sampling of respondent groups, so this is not a full-blown research result. Still, this small sample gives a useful picture, ranked by frequency, of the issues organizations are coping with.

The poll question was "What is the most frequent incident type that is affecting your organization?"
Five answers were offered:

  • Network Issue or Outage
  • External Hacker Attack
  • Internal Hacker Attack
  • Software Error Causing Data Corruption
  • Human Error Causing Data Corruption

The poll was open to all LinkedIn users for 20 days, with invitations sent to LinkedIn connections and groups.

Results and analysis
After the closing of the poll, the following results were observed:
Most respondents (66%) selected network issues as the primary source of security incidents. Data corruption due to human error takes second place with 18%, and data corruption due to software error comes third with 13%.

However, the demographics of the responses also show that the issues are seen differently at different executive levels. Network issues were selected as the primary source of security incidents mostly by operational personnel. Management also voted for this option, but the bulk of networking problems are felt by operational teams.


The second most frequent issue is human error, and this is an incident type identified mostly by managers (more than 75%). In reality, a human operator within a company has broad rights to act within the company's information systems. Human errors can happen for any number of reasons, and paired with those rights, very significant errors can occur, corrupting data or causing erroneous calculations. Such data corruptions are felt across the entire company, hence the votes by management.


The third most frequent issue is data corruption due to software errors. These should occur much less frequently than human errors, but their impact can be very wide-ranging, since the error is embedded within the information system itself rather than in one person's actions.

External hacker attack was chosen as the least frequent issue. But this only reflects the view of internal users. It is quite possible that internal users do not see the full scope of hacker attacks: the attacks are not detected, or corporate procedures prevent information about them from being distributed.


Conclusion
The overall poll, while not conforming to standards of academic research, still provides the following insights: operational people are plagued by network issues (availability), while managers are plagued by data corruption (integrity).
Very few identify an actual breach of confidentiality as their top security incident. Either the corporate world is well protected against confidentiality breaches, or it is still relatively blind to them. We would bet on the latter.


Talkback and comments are most welcome

Related posts
Thrown in the Fire - Database Corruption Investigation
The SLA Lesson: software bug blues
Security risks and measures in software development

Managing the permanent security issue of Top Management

Regardless of procedures and policies, a company can have a nearly permanent security issue in top management. This issue results from the speed with which top management requires its services delivered and, more than probably, from its lack of an information assurance background - or even an understanding of what information assurance is, for that matter. No top manager wants to be bothered with the problems and challenges that the security and IT people face because of these wishes. They want them resolved, preferably yesterday.

The security issue of top management results from their lack of time and their insistence that everything works the moment they request it. Usually that means the security aspects of the solution have not been researched, or even looked at. All this results in a half-baked workaround.

We will give two examples of security issues that can easily arise:

  1. The manager requests a new gadget - a smartphone, a tablet or a new 'bling computer' with a different OS. Procurement quickly buys the device for the top manager who ordered it, and when it arrives informs him, in a CYA (Cover Your A*s) approach, that they have done their job. The manager expects it to work immediately, so this is what usually happens:
    • the gadget is set up as fast as possible, from basic instructions found on the Internet or from what little experience an engineer has with it.
    • help with setting it up is solicited from any current users of the gadget, who assist to the best of their knowledge, but with little concern for security or for compliance with corporate standards.
    • the gadget is configured to provide all or most of the corporate services the manager uses on the standard corporate computers.
    • The end result is a device that can connect to most of the corporate services but is rarely properly secured. If it is stolen, there will be a whole lot of grief for the security people.
  2. The manager wants to open photos from a foreign USB stick - a guest arrives at the manager's office with a USB stick of photos, and the manager wants to see them on his computer.
    • If the manager's computer is allowed to mount USB storage, he/she will read the stick, possibly opening a virus or Trojan along with the photos.
    • If the manager's computer is not allowed to mount USB storage, a request to enable it is rushed through operations. Again, the end result can be the execution of a virus or Trojan.
    • If it is not caught, the Trojan may enter the corporate network and collect data or cause havoc.

The harsh reality is that these situations will happen and cannot be avoided in most corporate environments. So what can be done to mitigate them?
1. Have antivirus with very frequent auto-updating and real-time scanning installed on everything. Even if an infected USB stick is inserted, this reduces the risk of the virus/Trojan infecting a corporate computer.
2. When configuring a new gadget, train the IT team to set up security first - find out how to install/activate antivirus, turn on the firewall and set a password (or PIN) for using the device. Even with a limited amount of time with the gadget, this puts deterrents in place that reduce the risk from a stolen device.
3. Try to set up the gadgets so they don't store corporate data locally - access mail via IMAP or webmail, and other services via VPN. Then, if the gadget is stolen, all it takes is a password reset; note that this only holds if the mail client is not configured to keep an offline copy of the mailbox.
4. Have a good relationship with procurement - if they give you just a day's advance notice that new gadgets are coming, that is a day more to read up and prepare a proper configuration.
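As an added example (not part of the original post and not Shortinfosec's code), here is how the "permission to open a USB" from scenario 2 can be audited and set on a Windows machine from PowerShell, instead of being rushed through operations with nobody knowing what was changed. The registry locations are the ones the built-in Removable Storage Access Group Policy settings and the USBSTOR driver use; the function names and the three postures (Block, ReadOnly, Allow) are this example's own choices.

```powershell
# Added example, not from the original post: audit and, if wanted, enforce what a
# Windows endpoint will do with a guest's USB stick. Registry locations are the ones
# the built-in "Removable Storage Access" policies and the USBSTOR driver use; the
# function names and the three postures are this example's own.
$UsbStorKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DiskClassKey = Join-Path $PolicyKey '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'  # removable disk class

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, which is the usual state on an unmanaged machine.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-RemovableStorageStatus {
    # Reports whether a USB stick plugged into this machine can be read, written to,
    # or have programs run from it, and which setting is responsible.
    $start     = Get-RegDword $UsbStorKey 'Start'          # 3 = load on demand, 4 = driver disabled
    $denyAll   = Get-RegDword $PolicyKey 'Deny_All'        # "All Removable Storage classes: Deny all access"
    $denyRead  = Get-RegDword $DiskClassKey 'Deny_Read'    # "Removable Disks: Deny read access"
    $denyWrite = Get-RegDword $DiskClassKey 'Deny_Write'   # "Removable Disks: Deny write access"
    $denyExec  = Get-RegDword $DiskClassKey 'Deny_Execute' # "Removable Disks: Deny execute access"

    $driverDisabled = ($start -eq 4)
    $readBlocked    = $driverDisabled -or ($denyAll -eq 1) -or ($denyRead -eq 1)
    $writeBlocked   = $readBlocked -or ($denyWrite -eq 1)
    $execBlocked    = $readBlocked -or ($denyExec -eq 1)

    if     ($readBlocked) { $verdict = 'USB storage cannot be mounted or read' }
    elseif ($execBlocked) { $verdict = 'USB readable (photos open), but nothing on it can be executed' }
    else                  { $verdict = 'USB fully usable: the photos open, and so does any malware' }

    [pscustomobject]@{
        UsbStorStart   = $start
        DriverDisabled = $driverDisabled
        PolicyDenyAll  = ($denyAll -eq 1)
        ReadBlocked    = $readBlocked
        WriteBlocked   = $writeBlocked
        ExecuteBlocked = $execBlocked
        Verdict        = $verdict
    }
}

function Set-RemovableStorageAccess {
    param([Parameter(Mandatory = $true)][ValidateSet('Block', 'ReadOnly', 'Allow')][string]$Mode)
    # Block    : deny every removable storage class.
    # ReadOnly : the guest's photos can be viewed, but nothing can be written to the stick or
    #            executed from it. Opening the files is still left to the antivirus.
    # Allow    : remove the policy values again. All three need an elevated prompt.
    foreach ($key in $PolicyKey, $DiskClassKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    switch ($Mode) {
        'Block' {
            Set-ItemProperty -Path $PolicyKey -Name 'Deny_All' -Value 1 -Type DWord
        }
        'ReadOnly' {
            Remove-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
            Set-ItemProperty -Path $DiskClassKey -Name 'Deny_Read'    -Value 0 -Type DWord
            Set-ItemProperty -Path $DiskClassKey -Name 'Deny_Write'   -Value 1 -Type DWord
            Set-ItemProperty -Path $DiskClassKey -Name 'Deny_Execute' -Value 1 -Type DWord
        }
        'Allow' {
            Remove-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
            foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
                Remove-ItemProperty -Path $DiskClassKey -Name $name -ErrorAction SilentlyContinue
            }
        }
    }
    # The policy is applied when a device is attached: re-plug a stick that is already in.
    Get-RemovableStorageStatus
}

Get-RemovableStorageStatus                   # audit first: what does the manager's machine do today?
# Set-RemovableStorageAccess -Mode ReadOnly  # then pick a posture from an elevated prompt
```

On a domain-joined machine set the same values through Group Policy rather than writing the registry directly; the next policy refresh would otherwise overwrite them. ReadOnly is the posture that lets the manager look at the photos while closing the route where an executable on the stick is simply run; it does not make the files on the stick safe to open, which is why point 1 above, a current antivirus, still stands.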

Related posts
TrueCrypt Full Disk Encryption Review
Brief reminder - The value of a stolen corporate laptop
Tutorial - Breaking Weak Encryption With Excel

Engaging a team for a security analysis

Being involved in a security project requires a lot of resources: a good measure of knowledge, a huge measure of experience, some software and some personnel. Usually time is in short supply, so this is compensated for with more computers or more people.


  • The first option is to use a computer and a piece of software. While there are a lot of automated tools a security consultant can use, they are not really smart.
    • For penetration tests - most vulnerability scanners are 'loud' as hell and will be immediately detected by any IDS/IPS. Also, such systems are very rarely successful at actual penetration unless properly tweaked and configured by a human operator.
    • For procedural assessments, the software is just a set of questions forming a checklist. The problem is that every organization's security organization has its specifics, and the actual procedural security posture needs to be understood by an expert in order to answer the checklist properly.

  • The second option is to hire a freelance team. Presently there are a very large number of people looking for freelance gigs as security analysts. Some publish their expertise through social networking sites; others just use job search sites to look for an engagement. But this is a nightmare in itself, for at least two reasons:
    • Unknown expertise - when hiring someone for a security job, unless you know his/her previous work, it is very difficult to know whether he/she will deliver. Note that a CV can say anything with little means of confirmation - references for previous security engagements are very rarely given by clients.
    • Unknown agenda - even if he/she is a great expert, you will be opening the doors of a corporation to that person. Unless you are 100% certain of his/her professional agenda, you may find yourself in a lot of legal trouble if there is a breach of confidentiality or even a malicious attack by someone on your freelance team.
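The "loud" scanner point above can be made concrete. As an added example that is not part of the original post, the script below runs simple detection logic over a web server's access log and picks out the scanner on two signals: the banner it sends, and the burst of requests for paths that do not exist, which survives even when the banner is changed. The log lines are constructed for this example; the Nikto User-Agent follows that tool's default banner; the function names and thresholds are this example's own.

```powershell
# Added example, not from the original post: pick an untuned vulnerability scanner out of a
# web server's access log. The lines below are constructed for this example; the Nikto
# User-Agent follows the tool's default banner. Function names and thresholds are this example's own.
$SampleLog = @'
10.0.0.5 - - [12/Mar/2011:10:01:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
10.0.0.5 - - [12/Mar/2011:10:01:03 +0100] "GET /news/2011/03 HTTP/1.1" 200 8813 "http://intranet/index.html" "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
10.0.0.5 - - [12/Mar/2011:10:01:09 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
203.0.113.9 - - [12/Mar/2011:10:02:00 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000001)"
203.0.113.9 - - [12/Mar/2011:10:02:00 +0100] "GET /cgi-bin/test-cgi HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000002)"
203.0.113.9 - - [12/Mar/2011:10:02:00 +0100] "GET /cgi-bin/php HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000003)"
203.0.113.9 - - [12/Mar/2011:10:02:01 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000004)"
203.0.113.9 - - [12/Mar/2011:10:02:01 +0100] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000005)"
203.0.113.9 - - [12/Mar/2011:10:02:01 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000006)"
198.51.100.7 - - [12/Mar/2011:10:03:10 +0100] "GET /backup.zip HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1)"
198.51.100.7 - - [12/Mar/2011:10:03:10 +0100] "GET /.svn/entries HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1)"
198.51.100.7 - - [12/Mar/2011:10:03:11 +0100] "GET /config.php.bak HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1)"
198.51.100.7 - - [12/Mar/2011:10:03:11 +0100] "GET /.git/HEAD HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1)"
198.51.100.7 - - [12/Mar/2011:10:03:12 +0100] "GET /server-status HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1)"
198.51.100.7 - - [12/Mar/2011:10:03:12 +0100] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1)"
'@

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
$CombinedLogPattern = '^(?<ip>\S+) \S+ \S+ \[(?<time>\S+) [^\]]*\] "(?<method>\S+) (?<path>\S+)[^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"$'

function ConvertFrom-AccessLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $CombinedLogPattern) {
            [pscustomobject]@{
                Ip        = $Matches.ip
                Time      = [datetime]::ParseExact($Matches.time, 'dd/MMM/yyyy:HH:mm:ss', [cultureinfo]::InvariantCulture)
                Method    = $Matches.method
                Path      = $Matches.path
                Status    = [int]$Matches.status
                UserAgent = $Matches.ua
            }
        }
    }
}

# Default banners of common scanners. Trivial to change on the tool side, which is exactly
# why the second signal below does not rely on it.
$ScannerAgentPattern = 'Nikto|Nessus|OpenVAS|sqlmap|w3af|Nmap Scripting Engine|Acunetix|DirBuster'

function Find-NoisyClients {
    param([object[]]$Entries, [int]$ProbeThreshold = 5, [int]$WindowSeconds = 60)
    $Entries | Group-Object -Property Ip | ForEach-Object {
        $hits    = @($_.Group)
        $reasons = @()

        # Signal 1: the client says what it is.
        $tool = $hits | Select-Object -ExpandProperty UserAgent -Unique |
                Where-Object { $_ -match $ScannerAgentPattern } | Select-Object -First 1
        if ($tool) { $reasons += "scanner User-Agent: $tool" }

        # Signal 2: a burst of distinct 403/404 paths is a wordlist being walked, whatever the
        # client claims to be. A browser produces the odd 404 (favicon), not several in seconds.
        $probes   = @($hits | Where-Object { $_.Status -eq 404 -or $_.Status -eq 403 } | Sort-Object Time)
        $distinct = @($probes | Select-Object -ExpandProperty Path -Unique).Count
        if ($distinct -ge $ProbeThreshold) {
            $span = ($probes[-1].Time - $probes[0].Time).TotalSeconds
            if ($span -le $WindowSeconds) { $reasons += "$distinct distinct 403/404 paths in $span s" }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Ip = $_.Name; Requests = $hits.Count; Reasons = ($reasons -join '; ') }
        }
    }
}

$entries = ConvertFrom-AccessLog -Lines ($SampleLog -split "`r?`n")
Find-NoisyClients -Entries $entries | Format-Table -AutoSize
```

The sample is built so that the browsing user with a single missing favicon is not reported, the Nikto client is reported on both its banner and its burst, and the third client, which has changed its User-Agent to look like a browser, is still reported on the burst alone. That second signal is the same thing an IDS/IPS keys on, and it is why an operator has to slow a scanner down, narrow its plugin set and spread it over time before it stops being detected in minutes; to run the script on a real log, replace the here-string with Get-Content on the access log file.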

As Alan Weiss points out, you should only get into partnerships if you can multiply the profit by a hundred, not double it. In security analysis, the wrong choice of team can easily wipe out your profit, let alone leave you stuck with legal issues.

Related posts
Tutorial - Secure Web Based Job Application
8 Steps to Better Securing Your Job Application