SYS-CON MEDIA Authors: Zakia Bouachraoui, Elizabeth White, Liz McMillan, William Schmarzo, Dana Gardner

News Feed Item

Protiviti Cybersecurity Lab Tests and Analysis Reveal Companies' IT Systems Still Vulnerable to Exploits and Digital Treachery

Analysis of testing data in U.S. labs finds almost half of organizations' vulnerabilities have publicly available exploit code

MENLO PARK, Calif., April 16, 2018 /PRNewswire/ -- A new report released today by global consulting firm Protiviti shares the most common digital threats challenging companies today. The report is based on in-depth analyses of vulnerability scans and tests of IT systems and infrastructure at over 500 organizations. The scans and tests were conducted in the firm's cybersecurity labs across the U.S. over the course of a nine-year period. For the study, Protiviti compiled, assessed and quantified the anonymous vulnerability and threat discoveries in the data, which reveals trends in vulnerabilities, exposures and security posture by industry and company size. The Protiviti study, presented in its "2018 Security Threat Report," provides a roadmap for organizations to improve their overall security posture.

Protiviti logo. (PRNewsFoto/Protiviti)

"Our hope is that companies will see the results of our study as a wake-up call to the potential vulnerability of their own IT systems and then proactively make the necessary changes to protect the confidentiality, integrity and availability of the key business processes supported by IT operations, as well their sensitive data 'crown jewels,'" said Scott Laliberte, managing director and global security and privacy practice leader at Protiviti.

The firm's analysis of its wealth of testing data from nearly a decade's worth of security scans reveals several key takeaways, including:  

  • Vulnerabilities that can be easily patched are not being fixed in a timely manner, particularly within applications
  • Organizations are still running a significant number of unsupported systems, greatly increasing the risk for breaches
  • There have been consistent challenges with SSL, especially with weak ciphers and diversions
  • Every few years, a major critical exploit comes along that has a dramatic impact on the security landscape (e.g. Heartbleed, Shellshock)
  • Just under half of the vulnerabilities identified during testing have publicly available exploit code (as of the time of testing)
  • Companies in the consumer products; financial services; healthcare and life sciences; technology, media and telecommunications; manufacturing; and energy industries are the most vulnerable

"Most of the issues we identified in our assessment can be easily rectified by taking a proactive and programmatic approach to cybersecurity," said Laliberte. "By evaluating security posture on a periodic basis and implementing changes to update IT procedures, companies can significantly lower the risks associated with potential security breaches and attacks. Unfortunately, as the threat landscape has become more perilous, it's only a matter of 'when' your organization will get targeted, so we can't overstate the importance of implementing continuous improvement within your security program immediately."

Based on the security scans and analysis, Protiviti has identified five basic security principles that organizations should implement now to reduce the risk of a breach:

  1. Maintain strong permission and user access controls: By periodically checking networks and default permissions/credentials, organizations can reduce the likelihood of a hacker gaining easy access to a network.
  2. Provide employee security awareness: Inform employees of the latest security threats and social engineering techniques, how they can protect themselves, and what the organization is doing to mitigate these risks.
  3. Implement a patch management program: Organizations should use automated tools to both identify and apply patches within network devices, operating systems and applications. For systems that cannot be upgraded or patched, compensating controls (e.g., VLAN's or firewalls) should be implemented to protect the rest of the network.
  4. Ensure strong system configuration management: Be sure to look into areas such as password and audit policies, services, and file permissions, as these should be controlled through the configuration management process.
  5. Conduct periodic penetration testing: Penetration testing and ongoing vulnerability management across various pieces of IT infrastructure can help organizations identify security vulnerabilities and stay up-to-date with the latest tricks and techniques attackers are using.

"In addition to data breach preventative measures, organizations and their third-party providers must work on maturing detective controls and response procedures," said Andrew Retrum, a managing director in Protiviti's security and privacy practice. "Activities that simulate common attack patterns should be carried out to determine whether the organization's defenses can detect and respond effectively in real-world situations."

Protiviti compiled the anonymous, aggregated data, and analysis and trends that are presented in the new report by reviewing in-depth security vulnerability scans of IT systems on behalf of more than 500 organizations in a broad range of industries. From 2009 to 2017, Protiviti's security experts were engaged by these organizations to scan their networks, detect vulnerabilities and help fix issues and establish proper mechanisms for monitoring and prevention. The resulting 47-page report is designed to be a practical resource for CIOs and CISOs, while also revealing the issues and challenges that senior management and boards of directors will want to monitor to help safeguard their companies' data and reputations.

Resources Available
The full report of Protiviti's study, along with an infographic and short video, is available for complimentary download at Copies of the report are also available at Protiviti's booth #4912 at the RSA security conference in San Francisco (April 16-19, 2018).

An archived Protiviti webinar exploring the security scans' key vulnerability and threat discoveries is also available for free here.

About Protiviti
Protiviti ( is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Through its network of more than 70 offices in over 20 countries, Protiviti and its independently owned Member Firms provide clients with consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit.

Named to the 2018 Fortune 100 Best Companies to Work For® list, Protiviti has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Editor's Note: photos and infographic available upon request.


Cision View original content with multimedia:

SOURCE Protiviti

More Stories By PR Newswire

Copyright © 2007 PR Newswire. All rights reserved. Republication or redistribution of PRNewswire content is expressly prohibited without the prior written consent of PRNewswire. PRNewswire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
CloudEXPO | DevOpsSUMMIT | DXWorldEXPO Silicon Valley 2019 will cover all of these tools, with the most comprehensive program and with 222 rockstar speakers throughout our industry presenting 22 Keynotes and General Sessions, 250 Breakout Sessions along 10 Tracks, as well as our signature Power Panels. Our Expo Floor will bring together the leading global 200 companies throughout the world of Cloud Computing, DevOps, IoT, Smart Cities, FinTech, Digital Transformation, and all they entail.
Eric Taylor, a former hacker, reveals what he's learned about cybersecurity. Taylor's life as a hacker began when he was just 12 years old and playing video games at home. Russian hackers are notorious for their hacking skills, but one American says he hacked a Russian cyber gang at just 15 years old. The government eventually caught up with Taylor and he pleaded guilty to posting the personal information on the internet, among other charges. Eric Taylor, who went by the nickname Cosmo...
ClaySys Technologies is one of the leading application platform products in the ‘No-code' or ‘Metadata Driven' software business application development space. The company was founded to create a modern technology platform that addressed the core pain points related to the traditional software application development architecture. The founding team of ClaySys Technologies come from a legacy of creating and developing line of business software applications for large enterprise clients around the ...
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitoring and Cost Management … But How? Overwhelmingly, even as enterprises have adopted cloud computing and are expanding to multi-cloud computing, IT leaders remain concerned about how to monitor, manage and control costs across hybrid and multi-cloud deployments. It’s clear that traditional IT monitoring and management approaches, designed after all for on-premises data centers, are falling short in ...
Most modern computer languages embed a lot of metadata in their application. We show how this goldmine of data from a runtime environment like production or staging can be used to increase profits. Adi conceptualized the Crosscode platform after spending over 25 years working for large enterprise companies like HP, Cisco, IBM, UHG and personally experiencing the challenges that prevent companies from quickly making changes to their technology, due to the complexity of their enterprise. An accomp...
The benefits of automated cloud deployments for speed, reliability and security are undeniable. The cornerstone of this approach, immutable deployment, promotes the idea of continuously rolling safe, stable images instead of trying to keep up with managing a fixed pool of virtual or physical machines. In this talk, we'll explore the immutable infrastructure pattern and how to use continuous deployment and continuous integration (CI/CD) process to build and manage server images for any platfo...
DevOpsSUMMIT at CloudEXPO, to be held June 25-26, 2019 at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real results. Am...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...
Automation is turning manual or repetitive IT tasks into a thing of the past-including in the datacenter. Nutanix not only provides a world-class user interface, but also a comprehensive set of APIs to allow the automation of provisioning, data collection, and other tasks. In this session, you'll explore Nutanix APIs-from provisioning to other Day 0, Day 1 operations. Come learn about how you can easily leverage Nutanix APIs for orchestration and automation of infrastructure, VMs, networking, an...
Sanjeev Sharma Joins November 11-13, 2018 @DevOpsSummit at @CloudEXPO New York Faculty. Sanjeev Sharma is an internationally known DevOps and Cloud Transformation thought leader, technology executive, and author. Sanjeev's industry experience includes tenures as CTO, Technical Sales leader, and Cloud Architect leader. As an IBM Distinguished Engineer, Sanjeev is recognized at the highest levels of IBM's core of technical leaders.
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
It cannot be overseen or regulated by any one administrator, like a government or bank. Currently, there is no government regulation on them which also means there is no government safeguards over them. Although many are looking at Bitcoin to put money into, it would be wise to proceed with caution. Regular central banks are watching it and deciding whether or not to make them illegal (Criminalize them) and therefore make them worthless and eliminate them as competition. ICOs (Initial Coin Offer...
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
ICC is a computer systems integrator and server manufacturing company focused on developing products and product appliances to meet a wide range of computational needs for many industries. Their solutions provide benefits across many environments, such as datacenter deployment, HPC, workstations, storage networks and standalone server installations. ICC has been in business for over 23 years and their phenomenal range of clients include multinational corporations, universities, and small busines...
The dream is universal: heuristic driven, global business operations without interruption so that nobody has to wake up at 4am to solve a problem. Building upon Nutanix Acropolis software defined storage, virtualization, and networking platform, Mark will demonstrate business lifecycle automation with freedom of choice and consumption models. Hybrid cloud applications and operations are controllable by the Nutanix Prism control plane with Calm automation, which can weave together the following: ...