SYS-CON MEDIA Authors: Pat Romanski, Elizabeth White, Yeshim Deniz, Zakia Bouachraoui, Carmen Gonzalez

News Feed Item

Protiviti Cybersecurity Lab Tests and Analysis Reveal Companies' IT Systems Still Vulnerable to Exploits and Digital Treachery

Analysis of testing data in U.S. labs finds almost half of organizations' vulnerabilities have publicly available exploit code

MENLO PARK, Calif., April 16, 2018 /PRNewswire/ -- A new report released today by global consulting firm Protiviti shares the most common digital threats challenging companies today. The report is based on in-depth analyses of vulnerability scans and tests of IT systems and infrastructure at over 500 organizations. The scans and tests were conducted in the firm's cybersecurity labs across the U.S. over the course of a nine-year period. For the study, Protiviti compiled, assessed and quantified the anonymous vulnerability and threat discoveries in the data, which reveals trends in vulnerabilities, exposures and security posture by industry and company size. The Protiviti study, presented in its "2018 Security Threat Report," provides a roadmap for organizations to improve their overall security posture.

Protiviti logo. (PRNewsFoto/Protiviti)

"Our hope is that companies will see the results of our study as a wake-up call to the potential vulnerability of their own IT systems and then proactively make the necessary changes to protect the confidentiality, integrity and availability of the key business processes supported by IT operations, as well their sensitive data 'crown jewels,'" said Scott Laliberte, managing director and global security and privacy practice leader at Protiviti.

The firm's analysis of its wealth of testing data from nearly a decade's worth of security scans reveals several key takeaways, including:  

  • Vulnerabilities that can be easily patched are not being fixed in a timely manner, particularly within applications
  • Organizations are still running a significant number of unsupported systems, greatly increasing the risk for breaches
  • There have been consistent challenges with SSL, especially with weak ciphers and diversions
  • Every few years, a major critical exploit comes along that has a dramatic impact on the security landscape (e.g. Heartbleed, Shellshock)
  • Just under half of the vulnerabilities identified during testing have publicly available exploit code (as of the time of testing)
  • Companies in the consumer products; financial services; healthcare and life sciences; technology, media and telecommunications; manufacturing; and energy industries are the most vulnerable

"Most of the issues we identified in our assessment can be easily rectified by taking a proactive and programmatic approach to cybersecurity," said Laliberte. "By evaluating security posture on a periodic basis and implementing changes to update IT procedures, companies can significantly lower the risks associated with potential security breaches and attacks. Unfortunately, as the threat landscape has become more perilous, it's only a matter of 'when' your organization will get targeted, so we can't overstate the importance of implementing continuous improvement within your security program immediately."

Based on the security scans and analysis, Protiviti has identified five basic security principles that organizations should implement now to reduce the risk of a breach:

  1. Maintain strong permission and user access controls: By periodically checking networks and default permissions/credentials, organizations can reduce the likelihood of a hacker gaining easy access to a network.
  2. Provide employee security awareness: Inform employees of the latest security threats and social engineering techniques, how they can protect themselves, and what the organization is doing to mitigate these risks.
  3. Implement a patch management program: Organizations should use automated tools to both identify and apply patches within network devices, operating systems and applications. For systems that cannot be upgraded or patched, compensating controls (e.g., VLAN's or firewalls) should be implemented to protect the rest of the network.
  4. Ensure strong system configuration management: Be sure to look into areas such as password and audit policies, services, and file permissions, as these should be controlled through the configuration management process.
  5. Conduct periodic penetration testing: Penetration testing and ongoing vulnerability management across various pieces of IT infrastructure can help organizations identify security vulnerabilities and stay up-to-date with the latest tricks and techniques attackers are using.

"In addition to data breach preventative measures, organizations and their third-party providers must work on maturing detective controls and response procedures," said Andrew Retrum, a managing director in Protiviti's security and privacy practice. "Activities that simulate common attack patterns should be carried out to determine whether the organization's defenses can detect and respond effectively in real-world situations."

Methodology
Protiviti compiled the anonymous, aggregated data, and analysis and trends that are presented in the new report by reviewing in-depth security vulnerability scans of IT systems on behalf of more than 500 organizations in a broad range of industries. From 2009 to 2017, Protiviti's security experts were engaged by these organizations to scan their networks, detect vulnerabilities and help fix issues and establish proper mechanisms for monitoring and prevention. The resulting 47-page report is designed to be a practical resource for CIOs and CISOs, while also revealing the issues and challenges that senior management and boards of directors will want to monitor to help safeguard their companies' data and reputations.

Resources Available
The full report of Protiviti's study, along with an infographic and short video, is available for complimentary download at www.protiviti.com/threatreport. Copies of the report are also available at Protiviti's booth #4912 at the RSA security conference in San Francisco (April 16-19, 2018).

An archived Protiviti webinar exploring the security scans' key vulnerability and threat discoveries is also available for free here.

About Protiviti
Protiviti (www.protiviti.com) is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Through its network of more than 70 offices in over 20 countries, Protiviti and its independently owned Member Firms provide clients with consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit.

Named to the 2018 Fortune 100 Best Companies to Work For® list, Protiviti has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Editor's Note: photos and infographic available upon request.

 

Cision View original content with multimedia:http://www.prnewswire.com/news-releases/protiviti-cybersecurity-lab-tests-and-analysis-reveal-companies-it-systems-still-vulnerable-to-exploits-and-digital-treachery-300630128.html

SOURCE Protiviti

More Stories By PR Newswire

Copyright © 2007 PR Newswire. All rights reserved. Republication or redistribution of PRNewswire content is expressly prohibited without the prior written consent of PRNewswire. PRNewswire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
Cloud Storage 2.0 has brought many innovations, including the availability of cloud storage services that are less expensive and much faster than previous generations of cloud storage. Cloud Storage 2.0 has also delivered new and faster methods for migrating your premises storage environment to the cloud and the concept of multi-cloud. This session will provide technical details on Cloud Storage 2.0 and the methods used to efficiently migrate from premises-to-cloud storage. This session will als...
In very short order, the term "Blockchain" has lost an incredible amount of meaning. With too many jumping on the bandwagon, the market is inundated with projects and use cases that miss the real potential of the technology. We have to begin removing Blockchain from the conversation and ground ourselves in the motivating principles of the technology itself; whether it is consumer privacy, data ownership, trust or even participation in the global economy, the world is faced with serious problems ...
FinTech is a disruptive innovation that denotes the adoption of technologies that have changed how traditional financial services work. While FinTech is now embedded deeply into the financial services ecosystem, the rise of digital age has paved way to FinTech 2.0 - which is rolling out innovative solutions through emerging technologies at a disruptive pace while maintaining the tenets of security and compliances. Blockchain as a technology has started seeing pilot adoption in FinTech around ...
For enterprises to maintain business competitiveness in the digital economy, IT modernization is required. And cloud, with its on-demand, elastic and scalable principles has resoundingly been identified as the infrastructure model capable of supporting fast-changing business requirements that enterprises are challenged with, as a result of our increasingly connected world. In fact, Gartner states that by 2022, 28% of enterprise IT spending will have shifted to cloud. But enterprises still must d...
Isomorphic Software is the global leader in high-end, web-based business applications. We develop, market, and support the SmartClient & Smart GWT HTML5/Ajax platform, combining the productivity and performance of traditional desktop software with the simplicity and reach of the open web. With staff in 10 timezones, Isomorphic provides a global network of services related to our technology, with offerings ranging from turnkey application development to SLA-backed enterprise support. Leadin...
Cloud-Native thinking and Serverless Computing are now the norm in financial services, manufacturing, telco, healthcare, transportation, energy, media, entertainment, retail and other consumer industries, as well as the public sector. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that pro...
While a hybrid cloud can ease that transition, designing and deploy that hybrid cloud still offers challenges for organizations concerned about lack of available cloud skillsets within their organization. Managed service providers offer a unique opportunity to fill those gaps and get organizations of all sizes on a hybrid cloud that meets their comfort level, while delivering enhanced benefits for cost, efficiency, agility, mobility, and elasticity.
In a recent survey, Sumo Logic surveyed 1,500 customers who employ cloud services such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). According to the survey, a quarter of the respondents have already deployed Docker containers and nearly as many (23 percent) are employing the AWS Lambda serverless computing framework. It's clear: serverless is here to stay. The adoption does come with some needed changes, within both application development and operations. Th...
The level of trust we have with individuals, businesses, and technology affects our lives daily. This is important to remember when discussing new technologies. For example, our level of trust is a critical factor when evaluating a new technology as a potential solution for providing business value. Given the importance of trust, imagine one's reaction upon hearing that blockchain is a "trustless trust" system. On the surface, that does sound like an oxymoron. This paper discusses how "trustless...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
Public clouds dominate IT conversations but the next phase of cloud evolutions are "multi" hybrid cloud environments. The winners in the cloud services industry will be those organizations that understand how to leverage these technologies as complete service solutions for specific customer verticals. In turn, both business and IT actors throughout the enterprise will need to increase their engagement with multi-cloud deployments today while planning a technology strategy that will constitute a ...
Data center, on-premise, public-cloud, private-cloud, multi-cloud, hybrid-cloud, IoT, AI, edge, SaaS, PaaS... it's an availability, security, performance and integration nightmare even for the best of the best IT experts. Organizations realize the tremendous benefits of everything the digital transformation has to offer. Cloud adoption rates are increasing significantly, and IT budgets are morphing to follow suit. But distributing applications and infrastructure around increases risk, introdu...
Moving to Azure is the path to digital transformation, but not every journey is effective. Organizations that start with a cohesive, well-planned migration strategy can avoid common mistakes and stay a step ahead of the competition. Learn from Atmosera CEO, Jon Thomsen about the opportunities and challenges found in three pivotal phases of the journey to the cloud: Evaluation and Architecting, Migration and Management, and Optimization & Innovation. In each phase, there are distinct insights tha...
Most modern computer languages embed a lot of metadata in their application. We show how this goldmine of data from a runtime environment like production or staging can be used to increase profits. Adi conceptualized the Crosscode platform after spending over 25 years working for large enterprise companies like HP, Cisco, IBM, UHG and personally experiencing the challenges that prevent companies from quickly making changes to their technology, due to the complexity of their enterprise. An accomp...
Every organization is facing their own Digital Transformation as they attempt to stay ahead of the competition, or worse, just keep up. Each new opportunity, whether embracing machine learning, IoT, or a cloud migration, seems to bring new development, deployment, and management models. The results are more diverse and federated computing models than any time in our history.