IT Dogged by Security Issues, Studies Find
By Jabulani Leffall
05/28/09
Software security continues to trouble IT pros, who often have to do more with less in the current recession, according to two industry-sponsored studies.
A leading attack vector seems to be Web sites, and IT pros who've had their organizations' Web sites attacked aren't alone, according to a study by software security firm WhiteHat. Eighty-two percent of Web sites have had a "high, critical or urgent issue" since the Web site's inception, according to the study, "Web site Security Statistic Report: Spring 2009."
Moreover, the troubles haven't disappeared with time. Sixty-three percent of the Web sites that WhiteHat canvassed currently have a "high, critical or urgent issue." Of the 17,000-plus security vulnerabilities identified, a little more than 7,000 remain unfixed.
The report doesn't describe the specific attacks in detail, although it does list the top ten vulnerabilities. Cross-site scripting tops the list, followed by information leakage and content spoofing, among others. The report collected data between January 1, 2006 and March 31 of this year.
"One of the biggest takeaways from this report is that not all vulnerabilities are created equal, but many are very serious," said Jeremiah Grossman, WhiteHat's founder and chief technology officer for security, in an e-mailed statement. The vulnerabilities can cause serious damage by providing a means for releasing sensitive information, he added.
The attackers are out there, but are IT pros ready to do battle from the home front? Another study, commissioned by VanDyke Software, examined attitudes among IT personnel about the security of their shops, even as IT budgets are getting cut this year.
The study, "What Keeps Network Administrators Up at Night," polled 320 network and systems administrators. More than 41 percent had a decrease in security-related expenditures at their organizations, and only 22 percent saw an increase. These 2009 findings represent a reverse of the spending trend seen in 2008.
Forty-six percent of network and systems administrators "feel that their organization has not budgeted sufficiently to support current information security needs," according to the report.
"What we saw was a measurable split between those who were sleeping like babies and those who are really concerned that not enough attention is being paid to securing the system," said Jeff Van Dyke, founder of VanDyke Software.
The IT administrators in the report who had "trouble sleeping," according to Van Dyke, specifically saw challenges in managing enterprise users, as well as concerns about the security of laptops and handheld devices.
"Organizations that have automated and monitored security operations can get more bang for their buck," Van Dyke added. "But there's no substitute for vigilance about what's going on and the ability to deal with multifaceted security problems in the face of not only budgetary constraints but a demonstrated lack of commitment at some companies when it comes to security."
About the Author
Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.