NTA Monitor

Organisations facing a changing threat landscape

According to NTA Monitor's 2009 Annual Security Report, the average number of Internet security vulnerabilities is on the rise, revealing that organisations are once again battling against a steady stream of security issues.

Overall, the 2009 report highlighted that 27% of organisations tested contained one or more high risk vulnerabilities - which are widely known and actively targeted by hackers - compared to 25% in the 2008 report. More alarming is the revelation that, of those organisations with high risk issues, 22% had more than six high risk vulnerabilities identified within their Internet facing systems. In 2008, this figure stood at 8%.

It could be interpreted from this statement that organisations are becoming a little complacent when it comes to maintaining a secure gateway. However, consider the fact that, of the top ten most commonly occurring high risk security issues identified in this report, seven were not featured in the 2008 top ten, and this indicates that the threat landscape being faced by organisations and their IT departments is constantly changing.

Nine of the top ten risks were flaws associated with services that are being made available to Internet users, demonstrating yet again that with increased functionality comes the threat of reduced security.

Of the ten sectors tested, IT, government, services and not-for-profit have all seen an increase in the number of vulnerabilities found, with IT in particular rising by 63%.

In the government sector, NTA found an average of 29 vulnerabilities per test compared to the overall average of 23. This is a marked increase from the 2008 report and was the second highest on average across all sectors tested. While not entirely positive, this may be explained by the increased focus on the Government Connect GCSx Code of Connection, which is encouraging more local authorities to test for and address potential vulnerabilities within their systems. Roy Hills, Technical Director at NTA, said: "We would hope to find that these issues will not occur on such a large scale next year as the practice of regular testing, identification and remediation of issues becomes ingrained in the mindset of government IT departments."

In the finance sector, average issue levels remain the same despite the increased drive that has come from Payment Card Industry Data Security Standards (PCI) and other security-related compliance drives. It is interesting to note that eight out of the top ten high risk flaws could be found in financial organisations. Hills comments: "If a financial institution has a security problem, the repercussions are potentially severe for the organisation itself as well as the companies and customers it deals with. It is vital that the finance industry considers IT security as an integral part of its business."

It would appear that the PCI are having a positive effect on the retail sector, driving down the average number of issues from 21 in 2008 to just 16 in the 2009 report, which could be attributed to an increased awareness and focus on identifying and addressing security issues. The retail sector must keep up the good work, otherwise new vulnerabilities may catch them unawares, as highlighted by the vastly changed top ten security issues in this year's report.

NTA Monitor advise that companies apply the following recommendations to minimise exposure to information security risks:

The report analyses data from external Internet vulnerability tests conducted by NTA against UK organisations across ten industry sectors. A copy of the full report is available by emailing marketing@nta-monitor.com

This article was first released on: 20th July 2009