SOURCE: Tufin Technologies

Tufin Technologies

August 25, 2009 08:00 ET

Tufin Survey: Hackers Say Take a Break This Summer Before Winter Hacking Spike

Hacker Survey at DEFCON Reveals Hackers Work the Night Shift; Believe Compliance Initiatives Don't Improve a Company's Security Posture

RAMAT GAN, ISRAEL--(Marketwire - August 25, 2009) - Tufin Technologies, the leading provider of Security Lifecycle Management solutions, today announced the findings of its "Hacker Habits" survey conducted amongst 79 hackers attending DEFCON 17 in Las Vegas earlier this month. Enjoy your summer vacation says the hacking community, as you're far less likely to be targeted now than during your Christmas and New Year's vacation. Eighty nine percent of hackers admitted that IT professionals taking a summer vacation would have little impact on their hacking activities, as a whopping 81% revealed they are far more active during the winter holidays with 56% citing Christmas as the best time to engage in corporate hacking and 25% specifically naming New Years Eve.

"The survey reveals that the Christmas and New Year holidays are popular with hackers targeting western countries," said Michael Hamelin, chief security architect, Tufin Technologies. "Hackers know this is when people relax and let their hair down, and many organizations run on a skeleton staff over the holiday period."

If you want to know when you should be most on your guard, it's during weekday evenings with 52% stating that this is when they spend most of their time hacking, 32% during work hours (weekdays), and just 15% hacking on weekends.

Ninety six percent of hackers in the survey said it doesn't matter how many millions a company spends on its IT security systems, it's all a waste of time and money if the IT security administrators fail to configure and watch over their firewalls. Eighty six percent of respondents' felt they could successfully hack into a network via the firewall; a quarter believed they could do so within minutes, 14% within a few hours. Sixteen percent wouldn't hack into a firewall even if they could.

"This may be stating the obvious," said Hamelin, "but poorly configured firewalls remain a significant risk for many organizations. It's not the technology that's at fault, but rather the configuration and change control processes that are neglected or missing altogether. Best practice suggests you should test and review your firewall configuration regularly, but many organizations fail to do so."

Validating the frustrating gap between compliance and security, seventy percent of the hackers interviewed don't feel that regulations introduced by governments worldwide to implement privacy, security and process controls has made any difference to their chances of hacking into a corporate network. Of the remaining 30%, 15% said compliance initiatives have made hacking more difficult and 15% believe they've made it easier.

"These results further validate the reality that there is little common ground between compliance and security, but as an industry we have the collective knowledge and the resources to change that," said Hamelin. "As the media constantly reminds us, while standards such as PCI-DSS provide a good baseline, organizations that assume achieving PCI compliance will solve their security woes are in for a rude awakening. With security and compliance budgets so deeply intertwined, it serves us as security professionals to make the two more synonymous. At the end of the day, the more accountable we are willing to be, the less we'll have to be."

With the Network Solutions breach being the latest in a series of widely reported breaches of PCI compliant companies, how big is the threat of a high-profile malicious hack? One important factor in determining that is to understand the scope of criminal activity.

Seventy percent of those sampled believe the number of malicious hackers -- criminals motivated by economic gain -- is less then 25% of the of hacker community.

"I never fail to leave DefCon without new insights on the nature of cyber crime and how to prevent it," said Hamelin. "My biggest take-aways from the survey are that cyber security investments are only as effective as the people, processes and technology tasked with managing them. Just as a small subset of criminal hackers can taint the reputation of an entire community, a few good guys willing to be accountable for their internal processes and technology can preserve a company's reputation. With winter right around the corner, we have time to shift the dynamic from 86% who can hack into a network through its firewalls to 86% that can't."

About Tufin Technologies

Tufin Technologies is the leading provider of Security Lifecycle Management solutions that enable large organizations to enhance security, ensure business continuity and increase operational efficiency. Tufin's products SecureTrack, SecureChange™ Workflow, and the Tufin Security Suite™, help security operations teams to manage change, minimize risks and dramatically reduce manual, repetitive tasks through automation. Tufin's open, extensible architecture enables any company with best of breed applications, devices and systems to take advantage of Tufin's unmatched policy optimization, change management, and auditing capabilities. With a combination of accuracy and simplicity, Tufin empowers security officers to perform reliable audits and demonstrate compliance with corporate and government standards. Founded in 2005 by leading firewall and business systems experts, Tufin now serves more than 325 customers around the world, including leading financial institutions, telecom service providers, transportation, and energy and pharmaceutical companies. For more information visit, or follow Tufin on:

Twitter at,

LinkedIn at,

FaceBook at,

The Tufin Blog at

The Tufin Channel on YouTube at

Contact Information