Most companies depend exclusively on perimeter defenses to protect their computer networks from intruders, a practice that appears to be more sieve than stone wall, according to a survey released yesterday by Vernier Networks, a network access management firm in Mountain View, Calif.
Surveyors found that 51 percent of those sampled said they relied on strong perimeter security, or the “doorman” approach to network protection. Once past the doorman, users have unlimited access to information on the company’s network.
The doorman, though, appears to be leaving his portal unattended, as 62 percent of the security execs admitted that intruders had occasionally gained access to their networks.
The survey sampled some 140 chief security officers (CSOs) and security executives who attended a recent nationwide seminar series on network security held by Vernier and Qualys, a vulnerability management firm in Redwood Shores, Calif.
“The perimeter isn’t as deigned as it used to be,” Qualys CEO and Chairman Philippe Courtot told TechNewsWorld. “If you let people connect to your network from the outside, you’re opening doors.”
Vernier President and CEO Simon Khalaf said that the survey revealed some “shocking” findings about the knowledge level of companies when it comes to internal network security.
“Companies did not realize how open their network and their systems are to attacks from within the company,” he told TechNewsWorld. “This has been talked about for the last year and a half, but the response has been [to do] more of the same, which is strengthening the defenses around the network versus putting security inside the network.”
Marc Borbas, product manager for e-mail security at Sophos in Vancouver, British Columbia, Canada, agreed that many organizations might be emphasizing perimeter security to the exclusion of other security layers.
Desktop No Answer
“We’ve noticed, especially in the e-mail segment of our business, there’s a huge amount of investment that’s gone into the perimeter and an underinvestment in the constituent layers of the e-mail system,” he told TechNewsWorld.
“Companies have a good hard shell in many cases, but they’re very vulnerable in that middle spot, he added.
At most companies, internal security controls are placed at the desktop level, which is inadequate, Khalaf contends. “If a desktop or a laptop has been hacked into, the security on the desktop ain’t going to do much,” he said.
He explained that intruders attempting to break into a network from outside the system usually must go through a firewall, an antivirus gateway and an intrusion prevention system. If they’re breaking into the system from a compromised desktop or laptop connected to the system, they don’t go through anything.
“The reaction to securing the network from the inside has been, let us put more security software on the desktop,” Khalaf said. “I believe that is a bit flawed. What needs to happen is that the connection between the laptop or desktop and the network needs to go through the same rigorous security as a connection between the Internet and the intranet.
Reluctant To Quarantine
Security officers participating in the survey appear to agree with Khalaf. An overwhelming number of them — 88 percent — said that tighter user access to internal networks would improve overall security.
Ironically, while companies are leaning on local measures to thwart internal security problems, they are reluctant to take steps to strengthen those measures. A large portion of the survey’s respondents — 64 percent — refuse to quarantine most devices on their systems that do not have the latest security patches from their software vendors.
Nevertheless, Khalaf noted that there’s a growing awareness of the need to bolster the security layer between the firewall and the desktop, an awareness driven by factors like outsourcing.
Everyone on Same Page
He explained that many U.S.-based organizations have outsourced a lot of their functions outside the network. Those outsourcers often need access to resources inside the network, which has prompted companies to beef-up internal control.
Don Bowman, co-founder and chief architect of Sandvine in Waterloo, Ontario, Canada, explained that problems can occur with outsourcing when external partners haven’t implemented the same security standards as the company hiring them.
“If you’re expanding your border security to outside contractors, you should take steps to make sure that a contractor has the same level of diligence that you do,” Bowman told TechNewsWorld. “You don’t want a corrupt employee or an incompetent one exposing your data.”