Our regular opening questions ask readers to spotlight their biggest problems in the past and coming years. Many still struggle with the lack of security awareness of end-users, while others say the timely patching of vulnerabilities is their biggest challenge. One respondent blamed all his problems on Oracle; several saw Microsoft as the main source of their woes.
Another reader from the U.S. military summed it all up with "hostile management." Many others complained that the work involved in achieving regulatory compliance would really do little to improve security.
Question Four asked people whether they were optimistic about the future of IT security. While many in the private sector declared themselves quite hopeful that things were improving, our readers in the public sector (U.S. and Europe) were almost unanimous in the view that lack of funds will damage security.
Our question on budgets elicited a similar response. Most private sector readers expect budgets to rise, albeit not spectacularly. The public sector professionals had no such hopes -- a point that politicians should take into account, given the importance of information security.
We also asked readers if there was any tool or technology that had helped them in 2005. Many mentioned spam filters and general email management tools, but no one product stood out as a favorite. Here is just a selection of the responses, which reflect the general mood of the survey. Many thanks to all of you who replied.
From an information security viewpoint, what was your biggest problem during 2005?
"My IT security manager failing to review commercial realities of a proposal before making it, i.e., security staff getting tied up in the mechanics and hysteria without paying adequate attention to the needs. The old return on investment chestnut."
"Our most challenging issue has been patch management. We don't have the resources to regression test all of our systems and applications in response to three or four 'critical' MS/Oracle/Veritas updates every month. Consequently, we've been burned when Microsoft patches interfered with production systems."
"The use of outsourced programming and manufacturing companies. How to share data, etc. securely."
"Secure management of multiple passwords and PINs for multiple uses (work, banking and other accounts)."
"Spyware. Not so much from an actual leakage of confidential information as from theft of resources -- the user complaints of strange problems and lost productivity, the staff time to investigate, the increased number of systems to be imaged and re-imaged all combine to make this the single greatest problem."
"Spyware. I'm talking about keystroke loggers that get installed via ActiveX controls on websites. Some of these are installing themselves in a way not showing up via task manager or the tasklist command, but we know because we see the traffic on the network."
"Incident response. Developing an incident response capacity in-house or to outsource is the most difficult decision we have had to make and are still evaluating the options."
"From a technical point of view, trying to maintain patches across 6,000 desktops is verging on futile. From a non-technical point of view, it's the maintaining and promotion of policy to 11,000 employees. Of those, their abilities and access to IT facilities will vary hugely."
"Spam has increased dramatically -- over 80 percent of mail is filtered away from the desktop and identified as spam. Spyware is also becoming a major problem. Legitimate organizations have found it necessary to use spyware to 'benefit' our web experience, but this has been a major headache in 2005."
"Clueless users, with executives and sales staff being the worst."
"For our county government, simply acknowledging that information security is an issue has been the biggest struggle. We finally received board approval for a new infosecurity manager for the county but have still not filled it."
"In my environment, which includes users of healthcare applications, convenience continues to drive practices. Even after HIPAA training we became aware of the simplistic nature of passwords. This was due in part to not having the complexity requirement for password setting turned on in the Microsoft network."
From where do you see the greatest problems coming in 2006?
"Data stewardship will be our greatest problem in 2006. Specifically, obtaining data owners for data panels that multiple groups use."
"Malware/spyware for hire has become the number one problem, and will be the biggest threat in 2006. As soon as vulnerabilities are found, they are exploited. The cracker community has outpaced the security industry, and the IT manufacturers patch when and how it's in their best interest."
"Windows-based rootkits are smart enough to hide themselves from detection on the O/S. RSS, while it's a very cool and useful tool, can eat up all your bandwidth if you let end-users configure how often the feeds get polled. People all want information and they want it now."
"In our organization the greatest security challenge has always been user training and helping upper management understand or even be interested in information security. During the past 24 months, we've invested in anti-spam, antivirus, anti-spyware, and IDS/IPS. If some new security threat surfaces in 2006 and requires further investment to establish countermeasures then getting budget will be difficult."
"Unless we keep 'drip-dripping' with policy, then folks are going to think that we don't enforce or monitor. They're going to become complacent and see the occasional 'e-mail attachment removed' or 'website blocked' as restrictions on their ability to work rather than for their own protection."
"Deperimeterization. I am being asked for all nature of connections to our network, from PDAs and USB drives to wireless GPRS devices."
"I can certainly see an increase in the number of botnets. It makes sense from a criminal activity point of view that this is a good opportunity to make easy money. As large criminal organizations invest in this activity the number and complexity of these attacks will probably increase. Spyware will become a major problem as long as large organizations legitimize the use of spyware for good reasons or not. It's becoming a major issue for network traffic."
Are you optimistic in the battle for security?
"Optimistic, although Microsoft seems to keep the same level of fault/product ratio that it's always had which isn't helpful."
"The battle for security is unwinnable. Only an uneasy equilibrium is possible where the malware authors and the network admins are locked into a perpetual digital arms race. As always, the defenders must win every battle while the attackers need only one victory to achieve their goal. From the right perspective, this is a good thing for everyone. One of an infant's 'jobs' is to get mildly sick on a regular basis. The exposure helps the child to build a stronger immune system and helps prevent more serious illnesses throughout life. Computer systems and networks also need regular minor security incidents to force the deployment of better defenses and to spur improved software development, thereby preventing more catastrophic infections later."
"I'm public sector. The resources we need most are worthwhile staff, which the public sector system militates against. More money from the [U.K.] Labour government does not mean more of the right resources, just more waste."
"I feel that we are struggling to keep up. Designers as a whole are still not designing security into their applications. This applies both at the requirements level and at the software implementation level. Removing all uncounted string operations (gets, strcat, etc.) from the C language would be a major improvement in the security of new programs, but nobody has the courage to do it because 'it would break existing programs.' In my humble opinion, any program which uses any of these calls is already broken. Equally, at the requirements level people simply don't think of the security issues when assessing the business case for a new application. If security is tacked on afterward, it tends either to be inadequate or to get in the way of people doing their jobs."
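The reader above objects to unbounded string calls such as gets and strcat. The following added example (written for this page, not code from the respondent or the publication) puts one such call beside a bounded replacement so the difference is concrete. The buffer size, the greeting text and the function names are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original page. The "before" shape the
 * reader complains about: no destination size is passed or checked, so
 * any name longer than the space left in out[] is written past its end.
 * Kept only to show the pattern; never call it with untrusted input. */
void greet_unbounded(char *out, const char *name)
{
    strcpy(out, "Hello, ");   /* assumes out[] is big enough */
    strcat(out, name);        /* overflows out[] if name is too long */
}

/* The "after" shape: the caller passes the destination size, the result
 * is always NUL-terminated, and the return value tells the caller whether
 * the whole input fit (false means it was truncated, so the caller can
 * reject the input instead of silently using a cut-off string). */
bool greet_bounded(char *out, size_t out_len, const char *name)
{
    if (out == NULL || name == NULL || out_len == 0)
        return false;
    /* snprintf never writes more than out_len bytes and reports how many
     * it would have needed; a result >= out_len means the data did not fit. */
    int needed = snprintf(out, out_len, "Hello, %s", name);
    return needed >= 0 && (size_t)needed < out_len;
}

/* Stand-alone demonstration: a 16-byte buffer holds "Hello, " plus at
 * most 8 characters of name. The unbounded version is only called with
 * a short, known-safe name here. */
int main(void)
{
    char buf[16];

    greet_unbounded(buf, "Bob");
    printf("unbounded: %s\n", buf);

    if (greet_bounded(buf, sizeof buf, "Bartholomew"))
        printf("bounded:   %s\n", buf);
    else
        printf("bounded:   input rejected, would have been truncated to \"%s\"\n", buf);
    return 0;
}
```

The point is not snprintf specifically: any replacement that takes the destination size, guarantees termination and reports truncation closes the class of bug, whereas strcat can do none of the three.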
"Nope. I'm not optimistic. The bad guys are getting more clever and we have to continue to support people who hold technology in such esteem that it can do no wrong. I've long argued that we need perfect technology to remove the human failure before we can consider that we're winning the battle. Perfect technology doesn't exist, and so we're always going to get 'human firewall' failures. Where staff have limited IT ability, then the proportion of these failures will be greater."
"Optimism has no place in the security marketspace by its very nature. My advice is NEVER hire an optimistic security expert. Optimists should work in marketing not security."
"My systems are heavily protected -- Posix-based and connect-on-demand -- so they are not under any immediate threat. The biggest part of the threat is the general public, who have no clue about maintenance, security or lowered bandwidth. Security will always be an uphill battle, as zombie machines by the score will be an available tool. Further, with a government that is generally clueless about the realities of computing and security, there is little hope for any kind of help from that end."
"It is a constant struggle and Microsoft fails to make it simpler for the SMB."
Are new regulations and legislation (Sarbanes-Oxley, HIPAA, etc.) helping you do your job?
"It was difficult enough deciphering the legislation and finding a sensible synopsis. It was even more difficult getting buy-in from the board. No more resources have been released even as a consequence of the above."
"They're making our job more difficult. An entire industry has grown around compliance and in my experience it's staffed by misinformed people who don't understand IT, and spread FUD (fear, uncertainty, doubt) in the quest for large consulting fees or to justify their own positions. We have gotten more resources in the form of a staff member who just deals with regulatory issues and keeps the Chicken Littles at bay. Five years ago, though, we didn't need an employee like that."
"Yes, they are helping highlight the need for security and getting some security measures in place. However, they are also hurting security because they go too far in requiring more security processes that do not add value to the business or the overall security goals. As a result, businesses are tagging some worthwhile security efforts with the 'more stupid bureaucracy' label."
"New regs have created more work but it is grudge work. Money people do not see a ROI from it."
"These guidelines are the only thing which keep the users from completely screwing up the system."
"Legislation is helping to identify areas that may not have been looked at from an IT point of view - archiving, retention and encryption have certainly been brought to the forefront. However, much of the legislation is contradictory and very difficult to implement. Much of the information has been directed to IT providers when, in effect, much of the legislation affects HR and the organization as a whole."
"I think that SOX, GLBA, etc. have provided more management attention to security because they have been forced to do so. Unfortunately, it sometimes creates the expectation that if it isn't required for SOX, it doesn't matter even if it's a good security practice."