IT staff consistently over-rate the importance of security technologies that a study for the Australian Department of Defence (ADoD) based on real-world attacks has assessed as being of much lower significance, according to security firm Avecto.
The Top 35 Mitigations study for the ADoD from earlier this year rated application whitelisting as the most effective control, with application patching second, operating system patching third, restricting admin privileges fourth and user application 'hardening' (e.g. removing unnecessary components) fifth.
Other mitigations on the list included disabling local admin accounts at number 9, user education at number 28, and - in last place - network traffic capture to and from specific workstations.
Avecto compared this with the answers given by IT staff for a more recent Ponemon study commissioned to cover the same ground, finding a marked contrast in priorities.
For professionals, intrusion prevention came top (8th in the ADoD study), web content filtering second (18th), email filtering third (17th), multi-factor authentication fourth (11th), and OS patching fifth (3rd).
As with many surveys of this kind, some context is necessary. First, what a department with military responsibility thinks is critical for cyber-defence, however well modelled on real threats, is not necessarily what would work for a mainstream enterprise supporting desk employees. The sort of attacks thrown at militaries are going to be of a different order.
Avecto also sells software that controls user and admin privileges and can be used for application whitelisting, the latter of which was rated as the most important security control of all by the ADoD. The firm has an interest in pointing this out.
Nevertheless, it could also be argued that the real effectiveness of security controls is indeed out of kilter with conventional wisdom, which seems overly focused on old-fashioned firewalling, intrusion detection, web and email filtering.
These are seen as important because they are systems that organisations already possess. The ones they might not have, or might not be as familiar with, are seen as less important. Psychologists call this 'confirmation bias', or believing only evidence that confirms pre-existing beliefs.
If an admin thinks they are likely to be attacked via rogue websites, filtering sounds like a great idea. The possibility that patching the browser or removing vulnerable interfaces such as Java could achieve as much or more might then be under-estimated.
"When it comes to security strategies, the perceptions of IT departments are wide of the mark," argued Avecto's vice president of global professional services, Andrew Avanessian.
He used the example of antivirus software, rated as essential by IT staff but only 30th by the ADoD. That is a huge difference of opinion.
"Minimising admin privileges on the other hand doesn't make the top 10, yet is ranked as the fourth most effective in the ADoD study," said Avanessian.
"It seems that IT professionals are opting for centrally-managed technologies, perhaps because they are deemed easier to implement. There is a misconception that these top four strategies are difficult to achieve, when in reality, it doesn't need to be that way."