IT Pros Fall Short When Protecting Their Networks, Tripwire Finds

A new survey by Tripwire finds that while IT professionals are proactive in their attempts to protect networks, they aren’t as effective as they need to be.

While Tripwire found that nearly all of the IT professionals it spoke with used automated tools to track their networks, it was surprised to discover that few knew when configuration changes were made to endpoint devices. In fact, 40 percent of respondents said that they had a “general idea” when a computer had been modified, and 17 percent had no idea. Add that to the 10 percent of respondents who don’t track networks at all, and it’s a recipe for concern.

Tripwire found that after an endpoint device had been reconfigured by an attacker, 40 percent of respondents wouldn’t detect the change for hours. Another 22 percent of IT professionals said it could take days to find the configuration change. By then, the endpoint has been infected and may be replicating its payload across the network.

When examining health care and financial industries—two sectors that must safeguard extremely sensitive customer information—Tripwire discovered that patches don’t work nearly as well as IT professionals would like. On the health care side, just 26 percent of IT professionals said that their patches worked 90 to 100 percent of the time. Financial firms performed even worse, with just 23 percent of respondents saying they have been able to patch issues 90 to 100 percent of the time. That’s a lot of holes left unplugged.

In one of the few high points in the Tripwire survey, the security firm found that 38 percent of companies know for sure how long it would take for “vulnerability scanning systems” to alert them to an unauthorized device joining the network. However, 21 percent of IT professionals either don’t know how long it would take or don’t have a vulnerability scanner running on their networks that would search for unauthorized devices.

In its survey of government IT professionals, Tripwire asked how long it takes for vulnerabilities to be discovered and “promptly” patched. A whopping 15 percent of respondents said issues remain unpatched within 60 days, and a third of IT professionals said fixing the issue will take between 31 and 60 days. Approximately half of government IT professionals say they can fix vulnerabilities within 30 days.

Malicious users attempting to access sensitive files is obviously one of an IT professional’s chief concerns. However, just two-thirds of companies with annual revenue of $5 billion or more can detect when an unauthorized user tries to access networked files. And for smaller companies, that figure drops to 58 percent. A surprisingly large number of companies, in other words, have no idea if someone—an employee, hacker or anyone else—is gaining unauthorized access to data files.

Heading back to the finance industry, Tripwire wanted to know how much information could be obtained about unauthorized devices connecting to the network. Just 39 percent of respondents said that they could “pick up all the information necessary” to know for sure where and what the device is. Nearly 20 percent of IT professionals say that they have no way of identifying the unauthorized devices. Those companies, in other words, are flying blind with no way of knowing which devices need to be kicked from the network. Yikes.

Controlling device access to corporate networks is a first line of defense against malicious hackers. However, just 16 percent of respondents said that they can always find out when hardware connects to the corporate network. A whopping 40 percent of IT professionals know 50 percent of the time or less when new hardware is connecting to their networks.

According to Tripwire, IT professionals clearly understand that they need to know what’s connecting to their networks and when. The trouble, however, is that it often takes too long to get that information, and all the while, hackers could be running amok, stealing information and crafting nasty scenarios that those IT professionals will eventually need to deal with. As Tripwire’s Director of IT Security and Risk Strategy Tim Erlin notes, the study shows “IT managers and executives … are missing key information that’s necessary to defend themselves against cyber attacks.”