ROCHESTER — One of the panelists at Thursday’s IT security panel at Lawrence Technological University conducted thousands of hours of penetration tests on corporate IT systems in 2012.
And the numbers, according to Adam Goslin, COO of Rochester-based High Bit Security, are not good for American businesses.
Nearly 96 percent of the systems were vulnerable to outside attacks, Goslin said.
“It did not seem to matter what business the clients were in,” Goslin said. “Medical, banking, mortgage, e-commerce, software, industrial design, staffing, business intelligence, insurance, accounting, legal, hospitality, and even Internet payment processors — all failed their tests… even those who were running regular vulnerability scans, or had penetration testing performed with other companies the previous year.”
The most common vulnerabilities, 58.5 percent of the total, were found in the application layer (web applications, web services and APIs) during external testing. External testing is performed from outside the organization's network and simulates an attack originating anywhere from across the parking lot to across the globe.
“We were contacted by a customer after they discovered one of their web pages was being re-routed to a site selling fake merchandise,” Goslin said. “That was just the tip of the iceberg. Sensitive client data was being extracted from their systems without their knowledge. Ultimately, when we gave the findings report to their Web developer, it was an easy fix. We showed them the code changes needed and the issues were easily resolved.”
The next largest segment of vulnerabilities, 41.5 percent, was found in the network layer: the firewall, server and infrastructure configurations.
“I feel bad for IT service providers who assure customers they are secure,” said High Bit’s chief business development officer Barbara Goushaw. “IT security is a specialty, and expecting your IT provider to know all of the ways a company can be compromised is like expecting your family doctor to do open heart surgery.”
Internal penetration testing engagements (testing performed from inside the target network, simulating an attacker who has already gained a foothold through malware or a Trojan) consistently show that network-layer and host vulnerabilities are potentially the most devastating.
“Often, organizational focus is limited to the boundary defenses, with the erroneous belief that running external testing is sufficient,” Goslin said. “All it takes is one employee clicking on the wrong site, downloading the wrong file, or a zero-day vulnerability, and the attacker is on the internal environment. If you identify and close the vulnerabilities on internal networks and applications, you make the attacker’s job significantly more difficult. If they can’t get to the valuable data, they will move on to an easier target. Our goal is to make sure our clients are not an easy target.”
High Bit Security’s full 2012 Security Testing Review report is located at www.highbitsecurity.com/news-20130129_HBS_PR_2012_HighBitSecurityAnnualSecurityReview.php
High Bit Security is a national security services provider, providing penetration testing solutions to clients who need to protect sensitive data, in industries such as health care, credit card payment and financial services, and to other companies that store intellectual property or personally identifiable information. High Bit Security also provides security consulting services.
More at www.HighBitSecurity.com or call (800) 757-3144.