Gunfight at the Cyber Corral: Security professionals outgunned by hackers

An overwhelming majority of security professionals felt hackers had better automated tools at their disposal than their own organizations did, according to a recent survey.

Three-quarters of network management and security professionals believe that automated tools give hackers the upper hand in evading network defenses used to secure critical assets and data, according to a survey of 1,967 security professionals conducted by RedSeal Systems and Dimensional Research.

“The attackers are getting better armed with more and more automation tools…. That makes for an unfair environment”, said Mike Lloyd, chief technology officer at RedSeal.

Over 71% of respondents said that their networks are exposed to external threats due to misconfiguration of their security device infrastructure.

“You have attackers coming at you with these automated tools and you have defenders saying, ‘We are not doing that great of a job consistently defending the environment’”, Lloyd told Infosecurity. “If the people coming at you have great automation tools, you have got to realize that if you are weak anywhere, they will find a way in”, he added.

More than 50% of respondents had no idea how many of their organizations’ internal hosts were exposed to the internet. “Half of the organizations admitted to us that they actually don’t even know the extent of their boundaries”, Lloyd said.

Around the same number conceded that their vulnerability management initiatives do not allow them to prioritize remediation based on the likelihood of real-world attacks.

Over half of those surveyed were responsible for networks with over 100 security devices, suggesting that the sheer size and scale of the security infrastructure is preventing organizations from defending their systems.

“It all boils down to complexity. The IT environments are enormously complex…. You have got thousands or tens of thousands of things to think about in each device, and then you have hundreds or more of these devices”, Lloyd observed. “Each detail is simple, but if you pile up enough details, it becomes too complex to handle”, he added.

Over half of chief information security officers (CISOs) said they do not believe that vulnerability assessment tools provide enough information to identify their most important security exposures.

Some 56% of CISOs said they either do not have effective metrics to measure security effectiveness or do not know if those metrics even exist; 55% of network management officials made the same admissions.

By sector, 86% of energy company employees believe hackers have more advanced automated tools, followed by 84% of government workers, 79% of telecommunications staffers, 71% of healthcare practitioners, and 70% of financial services professionals.
