In short, controls have been deployed, but are not configured adequately, and just the mere existence of a control does not imply that the control is functioning adequately. Extremely subtle configuration problems can create critical risk on your network. The commonly held belief that more gear equates to a heightened state of security is shown by these findings to be a fallacy because the required investment of time, skill, and atten¬tion to detail needed to configure a particular piece of gear is not readily available to many. Organizations remain confident in their purchased equipment and continue to expand their networks rapidly. This gives rise to a dangerously misguided confidence, whereas a need for greater awareness and education is the much needed solution. Taking the time to completely understand and fine tune the configuration of the security controls already in place on the network is more likely to improve your organization's security footprint than supplementing with even more gear and complexity.
Understanding the trends and patterns of the past is the key to understanding the future, and security is no exception. The following security threat trends for 2008 have been assembled as a result of their frequency during security audits performed last year. These common and fundamental security issues typically arise from the same categorical underlying cause. Most organizations have had enough compliance audits and posses enough intuition of best practices to understand that security controls are necessary to mitigate risk. However, there continues to be significant discrepancy between what management believes the controls are doing and what the controls are -- in fact -- actually doing from a security standpoint.