Schwartz On Security: Security Complexity Challenge No. 1

Still, organizations are loath to cut vendors, fearing higher prices, greater total cost of ownership, and fewer capabilities.

Mathew Schwartz

March 16, 2011


Is the average enterprise security operation needlessly complex? The findings from a new study by the Ponemon Institute and sponsored by security vendor Check Point suggest so.

For starters, the global survey of 2,400 IT security administrators found that more than half of their organizations work with at least seven security vendors. Not coincidentally, in every country surveyed the complexity of managing security operations ranked as the No. 1 information security challenge. In the U.S., complexity (the main challenge for 33% of survey respondents) ranked well ahead of data theft by insiders (21%), compliance (19%), security policy enforcement (15%), and data theft by outsiders (12%).

That's right: Security groups aren't spending most of their energy battling malicious insiders, hackers, or the latest malware. Rather, they're combating the complexity of their own security programs. Furthermore, organizations report that they're loath to cut vendors, fearing that they'll have to settle for higher prices, greater total cost of ownership, and fewer capabilities.

The complexity problem, however, creates its own risks -- principally, that security teams are battling their tools rather than the bad guys. And failing to stop an attack can be costly. According to a July 2010 Ponemon study, the damage resulting from a single cyberattack can total anywhere from $237,000 to $52 million. Faced with those statistics, companies must work harder to reduce security environment complexity, even for a small price hit.

When it comes to security bang for the buck, organizations would do well to devote more of their scarce resources to battling data breaches, especially since only 14% of U.S. organizations surveyed in the recent Ponemon study reported going data-breach-free in 2010. Meantime, the information lost or inadvertently disclosed included customer data (for 56%), targeted consumer data (45%), intellectual property or source code (33%), and employee information (31%). Unreassuringly, 32% of firms said they were unsure what all was stolen during breaches.

The Ponemon study found that the No. 1 data loss vector wasn't whiz kid hackers or Web applications, though they ranked high on respondents' list. Rather, in every country surveyed -- the U.S., U.K., France, Japan, Germany -- the most common cause of data loss was lost or stolen equipment.

Safeguarding equipment from loss or theft isn't complex at all, yet related failures continue to make headlines. Just last week, for example, the New Jersey state comptroller revealed that data on state PCs destined for an online auction site hadn't been erased and wasn't encrypted, risking exposing residents' Social Security numbers. Now imagine if those computers hadn't been spotted en route to a site such as eBay but rather were simply swiped off of a desk.

How many other organizations are likewise guilty of poor PC physical security or retirement practices? The solution -- encrypting data on PCs from the get-go -- is a no-brainer.

If enterprises face complexity problems, thankfully the same can be said for attackers -- at least on Facebook. Symantec's Candid Wueest recently studied the prevalence of malicious applications on Facebook and found numerous cases of attackers improperly configuring their automated attack toolkits.

For background, Wueest examined 500,000 Facebook wall posts from people who have a public profile set to be visible to anyone. He found that one in five of those posts linked to a Facebook application, via direct link or a link-shortening service such as or "Of those, 73% were actually scams or malicious applications," he said in a blog post. Extrapolating these results, he estimates that 16% of Facebook posts that include a link point users to a malicious application.

In other words, click on a Facebook link, and you're playing malware roulette.

Luckily, some of those attempts are glaringly obvious, thanks to attackers failing to properly configure their toolkits. For example, Wueest found that one attacker, using a popular "my profile was viewed X times" scam, failed to properly mark up attack text. As a result, fields set to randomize -- varying messages to make them harder for security software to spot -- failed to work, instead listing large amounts of gobbledygook (in this case, in French).

"It seems that even the easy-to-use viral Facebook application toolkits are too complicated for some of the attackers," Wueest said. Of course, when it comes to security, that's one bit of complexity we're happy to live with.

