[ISN] It's raining IT security surveys

InfoSec News isn at c4i.org
Wed Mar 22 02:38:33 EST 2006


http://www.techworld.com/security/features/index.cfm?FeatureID=2350

By Cara Garretson and Ellen Messmer
Network World
March 20, 2006

If it feels like you're getting bombarded with surveys about network
security threats, that's because you are. Leading security vendors,
looking to scare up interest in their products, pumped out more than
twice as many of these surveys last year as in 2004, and this year are
on an even more aggressive pace.

Such surveys have shown that 25 percent of corporate e-mail users send
personal messages, that there were 2.9 million phishing attacks in
February and that 65 percent of ISPs consider distributed
denial-of-service (DoS) attacks a main concern. The factoids go on and
on and on.

According to our informal review of 20 leading security vendors, they
made public 34 such surveys last year, most of which were conducted by
third parties on behalf of the vendors. In addition, the vast majority
of them issued reports - some as frequently as monthly - derived from
information that their products collect regarding distributed DoS
attempts, spam blasts, phishing attacks and the like.

While vendors say these surveys and reports are meant to alert IT
professionals to growing security threats and to help vendors
determine what sorts of products customers need, in fact they're
creating a thick layer of fear, uncertainty and doubt, or FUD, that
helps sell products in a market that IDC says totalled US$32.6 billion
last year and is headed toward $38.4 billion this year.

For example, a survey of 603 consumers conducted last October by
Momentum Research Group on behalf of RSA Security showed the French
are more fearful than Germans about the possibility of fraudulent
access to personal information at banking sites. But when it comes to
fear of identity theft, no one beats Americans; nine out of 10 have
heard of it, as compared with only one in three in France and Germany.

RSA, which provides products and services for authentication and
anti-phishing, says in its press release about the survey: "The key to
online confidence lies at the door of the business community - meaning
that it is imperative for online vendors to be seen taking appropriate
measures to protect their customers' interests."

"There's always a self-serving aspect to anything a vendor releases,"  
says Keith Crosley, director of market development with messaging
security vendor Proofpoint, which does a few surveys per year. "But we
really are trying to educate markets and share interesting data that
helps people make really intelligent decisions about their technology
investments."

It's not surprising that vendors use survey results to help sell their
products, often paying tens of thousands of dollars per survey with
the hopes the results will support the need for their offerings.  
(Those that contracted professional firms said they did so because the
size and quality of each sample would be superior to what the vendor
itself could come up with, and therefore produce more accurate results
that would be less likely perceived as biased.) But security vendors
seem to be particularly fond of publicizing surveys these days,
perhaps because there are very few ways to gauge just how secure a PC
or network is - the FUD created by survey results sends the message
that you're never secure enough.

IBM, which offers a number of hosted security services, this week
released results of a survey it sponsored, conducted by Braun
Research, that shows 84 percent of the 600 IT managers surveyed said
they believe organized criminal groups with technical sophistication
are replacing lone hackers as the main threat from the outside.

But the press release describing the survey questions respondents'
ability to protect themselves. According to IBM, 83 percent of
respondents "boast that they have adequate safeguards in place to
combat organized cybercrime." The message? You're not as secure as you
think you are.


Be afraid

One security company recently attempted to quantify just how worried
IT managers should be.

Antimalware vendor WebSense's sixth annual Web at Work survey, conducted
by Harris Interactive and released last May, revealed that
"one-quarter of IT decision-makers feel that the test of protecting
their company against malicious Internet security threats is more
stressful than a minor car accident."

It's difficult to ignore the steady stream of magazine and newspaper
headlines announcing these survey findings, Network World not
excluded. Some publications, including ours, conduct their own surveys
as well to gauge readers' opinions and actions regarding security.

This flood of security headlines has led some to discount many surveys
as marketing material. Bill Boni, vice president and chief information
security officer at Motorola, says he will pay some attention to
surveys if they appear to show validated data from responsible
sources.

No one expects a vendor to issue a press release touting a survey that
negates the need for its product, but this selective practice
underscores the requirement to consider the source.

"Surveys are one of the only benchmarks you can use to make decisions
. . . you'd be foolish if you didn't at least read them," says Jim
Hite, supervisor of network services and central operations with
Virginia's Prince William County schools. "But you have to consider
that the manufacturer wants you to buy their product, so you have to
weigh that."

If a vendor sponsors a survey that contradicts its own product plans,
it's unlikely we'll ever know about it. Vericept, a small company with
products focused on preventing internal threats, last December
commissioned its first-ever survey, conducted by Enterprise Management
Associates. The survey asked how concerned corporations are about
internal threats; 74 percent said the risk of sensitive corporate
information leakage because of internal personnel is moderate to very
high.

And so, the company publicised its findings. "If we found people said
'internal risk is never a problem,' or that 'it will go away in six
months,' then we may not have published it," says Brett Schklar, vice
president of marketing with Vericept.


Decisions, decisions

Some IT managers use these surveys to help open the company purse
strings to fund new security projects.

"Reluctantly, I support the points many of these surveys are making,
even though some of them make you cringe," because they're so
blatantly oriented toward selling products, says Michael Dean,
director of IT security for the 200 K-12 schools in the Palm Beach
County School District in Florida, which support a high-speed network
of 50,000 computers for 175,000 students and teaching staff.

Surveys are designed to help the sponsoring vendors make decisions,
too.

In 2004, Proofpoint considered bringing to market an outbound e-mail
compliance product. But first the company sponsored a survey conducted
by Forrester Research that showed 43 percent of companies sampled used
employees to scan outbound e-mail for confidentiality breaches or
intellectual property leaks. Imagine the time and cost savings of
automating this process? A few months later, Proofpoint released an
outbound compliance product.

"The volume of response to the survey showed us there was a great deal
of interest," Crosley says. "If there was no interest in outbound
e-mail compliance, we would have definitely changed our plans with
respect to how quickly we created the product."

Sometimes surveys show that security threats perpetuate despite the
widespread use of preventive products. For example, ISCA Labs conducts
an annual survey of 300 companies and government agencies to find out
how much antivirus software they use on desktops and servers, and how
many "virus disasters" they experienced over the course of the year.  
Every year, as in last year's 10th Annual Virus Prevalence Survey, the
costs of cleaning up after a virus disaster seem to rise - last year
showed a 23 percent increase over the year before to $130,000 per
disaster - while companies keep buying more antivirus software.

Some companies have gone to extremes to show how badly users need
their products. Last October RSA Security sent a half-dozen employees
out to Central Park in New York wearing "I Love N.Y." T-shirts to see
if passers-by would fall for an in-person phishing scam to get their
personal information.

In the guise of conducting a tourism survey, the RSA employees spent a
few days handing out paper questionnaires. More than 103 people filled
out the questionnaires listing their name, address, number of
children, place of birth, mother's maiden name, date of birth and
other information, says RSA's public relations manager, Matt Buckley.  
"We left out the Social Security number."

The purpose of the survey exercise was to show how easily people fall
for phishing scams. "It shows that even though there are a lot of
stories about phishing, you can't rely on education. You need a
technology process," as a safeguard, Buckley says.

Ironically, cybercriminals are finding surveys help them, too. A
recent phishing scam masquerades as a $20 credit offer from Chase
Manhattan Bank if the recipient fills out an online survey about
customer satisfaction, followed by requests for personal information
such as Social Security number and mother's maiden name.

© 2005 : All rights reserved





More information about the ISN mailing list