
Posted on August 31st, 2010 by Davey Winder    

The Big Hacker Conspiracy

Is there a big hacker conspiracy happening right now inside your business? Research coming out of the DEFCON hacker convention suggests there is…

Surveys taken during the annual DEFCON hacker convention always throw up a few obvious but nonetheless important revelations. How about this one: hackers love it when they find misconfigured networks, and they find lots of them because so many IT workers have no idea what a properly configured network looks like.

Every year at DEFCON, Tufin Technologies surveys the gathered security researchers and IT security professionals attending the convention (or hackers, as they are called when they are not filling in questionnaires) in order to get a grip on the trends within the hacking community and how they impact upon corporate security strategies. The results of the 2010 ‘Hacking Habits’ survey, as it is known, were published this morning and make for interesting if somewhat predictable reading.

It turns out that some 73 percent of those surveyed stumble across misconfigured networks around three quarters of the time, and 76 percent of the hackers asked stated that such resources were the easiest to exploit. A further 58 percent of those asked suggested that the reason for these misconfigured networks being so prolific was simply that IT staff had no idea what to look for when it came to assessing the security status of their network configurations. Well, call me Shirley and file under duh!

Obviousness aside, the fact that so many networks are still badly enough screwed up in configuration terms to allow so many hackers easy access has to be worrying. Especially when the Hacking Habits survey goes on to suggest that, for many companies, configuration retardedness is down to insufficient time and money for security auditing (18 percent), audits not capturing security best practice faux pas (14 percent) and threat vectors changing too quickly to be addressed in a timely fashion (11 percent). Of these, only the first holds any real weight as far as I can see, and that’s down to bad management policy which equates saving money to cutting corners on security issues and so is blind to the true cost of a breach. In fact, I feel a rant coming on so rather than repeat myself I suggest you quickly go and read why I hate bean counters so much and then return to finish off here. Thanks.

Where was I? Oh yes, if a security audit isn’t capturing the security best practice issues then get a different outfit in to do the auditing, use different auditing software or scrap your auditing strategy and start from a blank sheet of paper, dufus. And if the security threat landscape changes too quickly to be accounted for in your audits, change the frequency of your auditing, double dufus with knobs on.

But what really stood out from the Hacking Habits survey was the suggestion that somehow misconfigured networks are part of a big hacker conspiracy. It states that 11 percent of black hat hackers, and 46 percent of grey hat hackers, hold corporate security positions. Something that is extrapolated by Tufin to suggest “the focus has overwhelmingly been on how easily we can break things” and even “less than 30 percent of the sample is motivated by the desire to actually fix broken systems”. Oh, and let us not forget that the survey also found that 43 percent of DEFCON attendees thought planting a rogue staff member inside a company was a successful hacking methodology.

Holy crap on a cracker, really? Hackers have infiltrated our enterprises and are turning a blind eye to misconfigured networks, or worse misconfiguring them on purpose. The sky is falling, the sky is falling.

OK, seriously, I’m sure that some of the hackers who attend events like DEFCON do indeed work within a corporate IT environment. They are geeks and nerds after all. However, I’m less convinced that they are in positions of responsibility for network security and less convinced that they crap on their own doorsteps, as it were, and risk losing their job. Why would a hacker break into his or her own network when they have access to it anyway, where is the fun in that?

I simply don’t buy into the big hacker conspiracy thing, sorry. Yes, it’s a good stick to beat people into buying automated network security auditing and configuration software but that’s about it for me. The main problem I have with any survey taken at the likes of DEFCON is the fact that I just cannot help but wonder if the people being questioned are being totally honest in their responses. The temptation with any survey is to big yourself up a bit, and that temptation can only be increased in a hacker convention environment. I have a funny feeling deep down in my gut that the real black hat bad guys don’t actually attend DEFCON, and if they do then they don’t spend their time filling in forms and taking part in surveys.

So, to sum up: your networks are probably badly configured so go fix it, but the sky isn’t falling and the Chief Security Officer is not known by his hacker mates as WaReZ-CraCKer out of the office.

Posted in: Security
