On the opening day of BlackHat 2008, Symantec commissioned an anonymous survey among the attendees to learn about contemporary views on security-related topics, such as vulnerability research, future threats and trends, and what types of challenges we as security professionals will collectively face in the coming year.
We received exactly 500 responses, 21% of which came from IT managers. The field also represented security researchers (17% independent and 11% employed by a vendor) and executives (11%). These respondents represented several industry sectors, including high tech (40%), government (25%), banking (10%), and healthcare (2%). Also, the demographic varied, with 18% of respondents attending from regions outside of the United States (Canada - 4%, EMEA - 7%, AsiaPac - 4%, Latin America - 1%) – a clear indication that information security issues are truly an international concern and that we share common pain points with our colleagues across the world.
The two areas that respondents believe will be rife with the most security issues in the coming year are Web 2.0 (46%), followed by virtualization (35%). These respondents were highly concerned about the impact of Web vulnerabilities in their organizations in the next 12 months. Both areas have certainly been of tremendous interest to Symantec, and we have made considerable technology investments that expand our product portfolio to provide superior capabilities in these areas.
For example, on the Web security front, we developed a behavioral blocking component inside of our intrusion protection engines that can generically detect if code on a Web site is attempting to exploit a Web browser vulnerability that results in a surreptitious (drive-by) download of malicious software on your machine. We also recently announced the beta launch of Norton Safe Browse, which goes one step further and identifies these malicious Web sites on the back end, and prevents users from getting to them in the first place (e.g., by warning them before they click on search engine results). On the virtualization front, Symantec acquired new virtualization technologies from Altiris, AppStream, and most recently nSuite. The combined coverage of these technologies yields a potent solution to many of the problems our customers are facing in the area of endpoint virtualization.
The potential for sensitive data to leave the rather amorphous boundaries of today’s corporations and wind up in the hands of someone undesirable continues to be a serious concern in the industry. The main causes, according to survey respondents, are insufficient access controls (26%), lost or stolen laptops (23%), data sent to third parties (21%), and improper posting of data to the Internet, intranet, and extranet (20%). While Symantec already has a strong solution suite to address the security and management of critical information, we added to that suite with the acquisition of Vontu late last year – allowing us to count data leakage protection (DLP) among our extensive array of offerings.
Almost a third (34%) of respondents said that they implemented some form of whitelisting within their organization (39% said no, and 26% actually didn’t know!). Note that whitelisting may not necessarily apply to all systems, but could be restricted to specific machines. For example, most respondents look to whitelisting to protect more “static” high-availability machines like servers (40%), gateways (31%), and desktops (32%) rather than more dynamic environments like laptops (26%) and wireless devices (29%). Symantec has been stressing for quite some time that we are on the cusp of a critical inflection point where the number of unique malicious code instances is surpassing the number of legitimate code instances. This trend necessitates considering a new approach to providing security; namely, rather than blocking out the bad, we should consider just allowing in the good. Naturally there are a host of challenges in this area, but given our tremendous reach and deep insight, we believe that there are some highly promising approaches to facilitating whitelisting – and this area is one that I’m personally both very excited about and also actively involved with.
Respondents research new applications primarily for job function (52%), which edges out curiosity (44%). A small percentage (5%) indicated personal profit as their motive, while 4% cited fame. Further, a majority (55%) have not created any form of malicious code in the name of research, though 17% said they would if they felt it could benefit their research or education. Having said that, malware falls into many categories – from a simple proof-of-concept prototype exploit for a vulnerability (which you can imagine is something many vulnerability researchers have developed) all the way to a more complex self-propagating virus. It’s not clear which end of the spectrum most of our respondents fall into, but my suspicion is that we are typically talking about toy prototype exploits here. I definitely wouldn’t recommend creating the latter; the brief history of Internet security already contains one too many examples of the unexpected ramifications when viral code is accidentally released into the wild.
Nearly half of the respondents (49%) plan to research infrastructure networking technology in the next year, followed by Web technologies (34%). This result seems to contrast with the earlier result about the Web being the number one concern. However, it’s quite plausible that these research desires could stem from the “Kaminsky effect,” as Dan Kaminsky’s much-anticipated and highly attended talk on his DNS vulnerability was held earlier that morning and might have been fresh in the minds of respondents.
This year, more respondents (53%) were concerned with the security of Windows XP as opposed to Windows Vista (37%). Interestingly, when we conducted this survey last year the results were flipped! While this result might seem a little backward, it could be pointing in large part to slower adoption rates of Windows Vista across enterprise infrastructures.