IT Security Report Finds 97 Percent Have Suspicious Network Activity

According to a 13-page study from IT security vendor Positive Technologies, a whopping 97% of surveyed companies with at least 1,000 employees show evidence of suspicious activity in their network traffic and that 81% of the companies were being subject to malicious activity. TechRepublic reports: "In one in every three companies, there were traces of scans of its internal network, which could potentially mean that hackers are gathering intelligence inside the infrastructure. This includes network scans, multiple failed attempts to connect to hosts, and traces of collecting intelligence on active network sessions on a specific host or in the entire domain." Another alarming statistic from the research showed that 94% of the participating companies in the study suffered from noncompliance with their corporate security policies within their IT infrastructure systems, leaving them more vulnerable to successful cyberattacks, according to the report. Noncompliance with IT security policies "has a direct impact on security deterioration, by practically opening the door for the hackers to exploit," the report continued.

Also worrisome is that 81% of the participating companies are transmitting their sensitive data in clear text, or text that is not encrypted or meant to be encrypted, according to the research. By using only risky clear text, companies can enable potential hackers to search their network traffic for logins and passwords which are moving between and across corporate networks. Meanwhile, some 67% of the companies allow the use of remote access software, such as RAdmin, TeamViewer, and Ammyy Admin, which can also be compromised by attackers to move along the network while remaining undetected by security tools, the report states. In addition, workers in 44% of the companies use BitTorrent for data transfer, which dramatically can increase the risk of malware infection. Ultimately, 92% of these network security threats were detected inside the perimeters of the companies that were surveyed, according to the report, which reveals the depth of the problems and the need for constant internal network monitoring.

I don't believe this

[NateFromMich]

There is no way that figure shouldn't 100%.

Re:

[NateFromMich]

There is no way that figure shouldn't 100%.

Shouldn't be I meant of course.

Re:I don't believe this

[bobstreo]

There is no way that figure shouldn't 100%.

Shouldn't be I meant of course.

Well 3% of the companies weren't monitoring network activity....

Re:

[Anonymous Coward]

Given that 97% of the IT policies that must be complied with are contradictory, asinine drivel written by IT security vendors which make it literally impossible to do development or prod support and be compliant with policy... this is hardly surprising.

My corporate overlords adopted the recommended policies, which require me to fix prod issues when I have no access to the server, no access to the logs, and no access to tools which can do things like verify “is the process running,” or “is

Not industry-standard policies. I can help

[raymorris]

I can help you solve most of that frustration.

It sounds like one (or more) of three things happened.
Most likely a lot of #3.

1. Somebody implemented policies that are NOT the policies recommended by the security field.

2. Somebody didn't communicate the policies well with you.

3. The security team and you haven't communicated well about what your job responsibilities are and how you are going to do them, with reasonable efficiency and reasonable security.

4. You are missing proper staging servers.

Are you in fac

Re:

[Monoman]

Unfortunately there are many orgs that are not that mature. Some are working on it. Some cannot afford it. Some won't spend the money on it until they have to.

Absolutely - gotta know the goal, though, the targ

[raymorris]

For sure, most organizations are missing something. Therefore in most organizations there are steps you can take this month to have the process more mature, which will make your life easier and save the company money when they aren't paying you to put out fires, but to develop cool new stuff.

Don't HAVE dev and staging servers at all?
You can start working on that today. A first step might be to write out something similar to what I wrote as GP laying out how having a mature process with dev and staging will

Re:

[K. S. Kyosuke]

102.1 % of figures is made up on the spot.

Re:

[Gravis Zero]

There is no way that figure shouldn't be 100%.

You forget that just under 3% of user run Linux. ;)

Re:

[runningduck]

100%? Exactly! How many security products flag everything as suspicious?

Download FileZilla - PUP (potentially unwanted program)!
Automate a task with PowerShell - Heuristic detection; potential malware!
Check international news for COVID-19 updates - Suspicious activity!
Connect to nannycam to check on kiddos - Command and control!
Google why your security software sucks - Accessing cybersecurity web sites; computer must be compromised!

I think that the 3% could easily be explained by the number of companies n

It is plausible.

[Mr. Dollar Ton]

That 3% is without doubt coming from those "Russian" and "Chinese" "hackers", who are presumably doing their job and paving the way for the next Manchurian candidate.

On a slightly more serious note, I am curious how much "spurious traffic" in a software development place goes to or from stackexchange and the like. And somesuch.

Re:

[gweihir]

Some companies actually have a full application and equipment inventory and can check for all traffic whether it is legitimate (or appears to be). It is pretty much the only thing that allows you to do actually meaningful intrusion detection.

Re:

[Greyfox]

There's probably a 5 percent margin of error, and the actual amount of suspicious traffic is 102%.

Back in the day when I was running on a static IP, the monitors I ran on traffic were reporting pretty much nonstop attacks on my ports. It probably would have been easier to run a whitelist of valid traffic.

Re:

[BeerFartMoron]

In other news...Off-the-Shelf Snort has false positives in 97% of networks!

Re:

[Rick Schumann]

Why should they bother when they can just go attack Equifax again and get another nine digits' worth of credit card numbers and identity information?

A Blessing

[Anonymous Coward]

"According to a 13-page study from IT security vendor Positive Technologies..."

Drink it down, my lamb in the haunted woods. Absorb the delicious subtleness into your tender neurons. Surrender to their translucent waves of gentle graciousness and favor and remuneration. You will give the magnificent masters of persuasion their due, for it is your freewill and rationalism that they will feast upon.

Subjugation, gentle reader. Subjugation.

Visa/Mastercard welcome.

Re:

[Aighearach]

Yeah but for only $5000 I can share with you my report on the susceptibility of the Underpants Gnome industry servers to coronavirus infection!!!

If you don't have access to the unredacted report, how will you know if your underpants are safe to wear? Or safe to not wear?!?!

It's all a house of cards waiting for a breeze

[Rick Schumann]

If you don't realize that the primo hackers of the world already have all the tools and knowledge they need to wreck the entire worlds' network infrastructure, steal everyones' money, and destroy our utilties infrastructure just for kicks while they're at it, then you haven't been paying attention.
The only reason they haven't done it yet, is they could only do it once, after that civilzation would be dead; you don't kill the golden goose. Much more profitable in the long run to just steal some data here, g

Re:

[Mr. Dollar Ton]

You should change your nick to Chicken Little. And unplug your computer while you're at it, a hacker may violate you over that connection.

Re:

[Rick Schumann]

You actually read Slashdot on a regular basis and you don't see the pattern? You don't see breaches practically every single day?
How's that denial working for you?
Found a picture of you [blogspot.com]

Re:

[Mr. Dollar Ton]

You actually read Slashdot on a regular basis and you don't see the pattern?

Please, I don't read Slashdot. There is nothing to read here. I'm here to write insightful and informative comments that cause butthurt.

You don't see breaches practically every single day?

Of course you see them. Do you know why they happen? Because the companies responsible for the breaches aren't liable for the damage those cause, and the security barrier that a hacker faces is less than or equal to the financial fallout from the damage that is directly faced by those who build the barrier. I bet you did not notice the massive effort to upgrade security pre

The Other 3%

[dcw3]

The other 3% are maintained by people to stupid to realize they have suspicious traffic.

Re:

[Aighearach]

The other 3% are maintained by people to stupid to realize they have suspicious traffic.

How hard do they have to stupid before they realize? I'm not sure about this theory... is it possible that if they stupided harder, they'd know even less?

I bet some employees even use Linux!

[Don Bright]

The notorious hacker tool.

These employees should be monitored especially closely, as they may be up to something.

What's the solution

[jandrese]

Don't worry, the same company has a product they would like to sell you that can solve that problem.

WELL NO SHIT

[darkain]

"there were traces of scans of its internal network" YES, we have active pen testing tools that scan the entire network for service ports left open and exposed, even on private LANs. *WE* are the ones doing that scanning!

"multiple failed attempts to connect to hosts" Some legacy ass application running on a cron job that didn't have the username/password updated when the other host's service's credentials were updated.

"67% of the companies allow the use of remote access software" WELL FUCK, have you seen

Nonsense

[Orgasmatron]

How on earth could 3% of companies with 1000 or more employees have absolutely no monitoring, at all?

Windows.

[Tough Love]

Windows. It's Windows again. A company so stupid it deploys windows inside its firewall. Sharing everything it does with China, Russia, who knows. Every bad guy everywhere. That's the price of using Windows.

Re:

[Mr. Dollar Ton]

Tell me then, where can I download your super-secure and totally invulnerable Tough Love OS? And what's the vendor liability limit when it's breached? I assume from your hardcore stance that you're ready to cover every damage and that you'll have the funds in an escrow account when we sign the contract.

Re:

[gweihir]

Actually this is not Windows, although I agree they have much to answer for in the IT security space. The problem is that you have to classify all traffic you cannot attribute as "suspicious". As most companies do not have a good IT inventory, there will often be legitimate traffic that cannot be easily attributed. Of course that accurate inventory is the cornerstone of all meaningful network intrusion detection. But creating, maintaining and verifying (by monitoring network traffic) is expensive and needs

100% of our systems have been scanned...

[WoodstockJeff]

... by university (and other) researchers, trying to justify their grant money. One university scans our mail servers almost daily. There are many projects "looking for IoT" using suspicious scans.

remaning 3% are offline?

[kiviQr]

Either incompetent IT that does not see it or they don't have online presence.

increase the risk of malware infection....

[uem-Tux]

"workers in 44% of the companies use BitTorrent for data transfer, which dramatically can increase the risk of malware infection" Uhhh, sure maybe downloading pirated software would do that. The bittorrent protocol itself doesn't have inherent malware risks.

WTF?

[fred911]

Is the point here? TFA finds that 97% have "suspicious network activity" which means the connectivity is initiated from internal resources and sufficiently encrypted. Meaning TOR connections, bittorrent sockets or properly configured VPNs initiated by users inside the network. Or, does it mean that 97% of network facing addresses get portscanned? There's no real meat here.

Utll there's a study of how many network facing interfaces are penetrated by external, non-authorized connections (and surely there are some), this is just FUD to sell "security monitoring services". All companies are responsible for securing their internal network and more are effective than aren't.

The 3% that don't

[aldousd666]

The 3% that claim not to have some kind of at least probing traffic are just too stupid or inept to realize it.

Doing their job

[sad_]

ofcourse there is scanning etc going on.
(secutiry) admins are doing their job, or how else do you think they can keep the network safe?

from the sponsored-post-dept...

[Blue_Fox]

"When employees connect to Tor, access proxy servers, or use a VPN to bypass site blocking, malefactors can use the same technologies...", is just rephrasing of another similar argument we often hear: encryption is bad because child predators and terrorists can use it.

Multiple failed attempts

[FritzTheCat1030]

"multiple failed attempts to connect to hosts"
I do this all the time, thanks to the 870 different departments just within my own company who all have completely different nonsensical password policies.

But ...

[Retired ICS]

If you buy bottles of our Snake Oil and smear it on all your networking cables, the problem will be 100% mitigated. Our Magic Snake Oil is 100% guaranteed to work or your money refunded (conditions apply). In order for 100% protection you need to apply our Magic Snake Oil to *ALL* your network cables every 30 days. Each bottle of Magic Snake Oil is sufficient for 1 application of a 300 foot ethernet cable and only costs $1000.00 per bottle.

Conditions: Magic Snake Oil is only effective if you achieve 100

Re:

[account_deleted]

Comment removed based on user account deletion