Think that viruses and worms sent by e-mail are an IT security nightmare? Wait until you experience the next assault hackers are unleashing — the browser-based attack.
The second annual survey on IT security and the workforce conducted by CompTIA, the Computing Technology Industry Association — a copy of which was obtained by TechNewsWorld — reveals browser-based attacks are “surging” and may pose the next “significant security threat” to corporate IT operations.
Browser-based attacks employ browser systems and preset user system permissions to interfere with computer functions. Such attacks are unleashed when someone visits a Web page that seems to be harmless but actually contains covert malicious code intended to sabotage a computer or compromise privacy. The result of the attack may be as routine as a crashed browser or as menacing as theft of personal information or loss of confidential proprietary data.
The survey was conducted for CompTIA by TNS Prognostics of Palo Alto, California, a customer-research consultancy for the IT industry. CompTIA is a 22-year-old global trade association representing the business interests of the IT industry. It has 19,000 members in 89 countries.
The project, which surveyed nearly 900 organizations, found that 36.8 percent were victimized by one or more browser-based attacks during the last six months. That figure is up dramatically from 25 percent in last year’s survey.
Although worms and viruses are still the biggest threat to IT security, they are significantly less common than they were a year ago. Just last year, 80 percent of organizations pointed to worm and virus attacks as their most common IT security threat. This year, the comparable figure is 68.6 percent, the survey said.
“The explosion of dynamic, created-on-the-fly Web pages, which often incorporate individual personal preferences, is exposing organizations’ IT systems to new security threats,” John Venator, president and CEO of CompTIA, said.
“It is clear that education on IT security can no longer be limited to a handful of IT personnel,” Venator added. “Keeping the IT infrastructure safe is the responsibility of everyone in the organization.”
Named last year as the second-most common security threat, at 65.1 percent, network intrusion showed a significant drop this year, falling to 39.9 percent. Survey respondents also reported significant declines in problems caused by remote access, such as virtual private networks and dial-up access — 41.7 percent, down from 49.9 percent — and social engineering, at 17.9 percent, down from 21.9 percent.
Other key findings of the survey were as follows:
- Antivirus applications are still the most frequently used technology to enforce security requirements.
- Firewalls and proxy servers are the second most commonly used technology, identified by 90.8 percent of respondents. That’s down from last year, when 93.7 percent of organizations reported using these technologies.
- Security audits and penetration testing are an increasing portion of the measures now in place to monitor general security performance. They were identified by 61 percent of respondents, up from 53 percent.
- Fifteen percent of organizations have no measures in place to monitor general security performance.
The researchers said the findings of the CompTIA survey underscore the fact that education about IT security can no longer be limited to a handful of IT personnel. Keeping the IT infrastructure safe must be the responsibility of everyone in the organization.
Anticipating this shift in industry thinking, Microsoft this week transferred two top executives to its security business unit as part of a new strategy designed to channel more resources into battling viruses and other threats.
The company moved Gordon Mangione, head of Microsoft’s SQL Server unit, to a new position as corporate vice president of security products. In his new post, Mangione will head the development and support of Microsoft security products, including the company’s ISA Server, a technology that serves as a buffer between the Internet and a company’s internal network.
Microsoft, meantime, transferred Rich Kaplan, who had been leader of the company’s content development and delivery group, to the new role of corporate vice president of security marketing. Kaplan earlier led Microsoft’s efforts regarding the Y2K issue.