Are businesses more susceptible to attack over major holidays? With so many organizations running skeleton crews as employees take time off to be with their friends and families, many people seem to think so.
In an online survey of 270 security and IT professionals, about 57 percent said their companies may be more vulnerable to security attacks during major holidays such as Christmas or New Year's. Broken down by job function, 61 percent of security professionals were concerned, compared to 54 percent of business stakeholders. The survey, which was conducted between Nov. 8 and Nov. 19, was commissioned by nCircle and conducted by Dimensional Research.
While it's hard to tell whether there are more Web attacks, such as denial of service, hacked Web applications, or network breaches, during major holidays (criminals like to celebrate the holidays too), there are more malware and malicious e-mail-based attacks during this period. Cyber-criminals like to tailor their phishing and spam campaigns to the holiday to increase the likelihood of the recipient falling for the scam.
In a recent interview with SecurityWatch, former New York City Mayor Rudy Giuliani called the holidays a "gold mine" for identity theft.
"In spite of the increase in malware and viruses around every major holiday, attacks can happen anytime," said Andrew Storms, director of IT security operations for nCircle.
The survey's sample size is pretty small, with only 270 respondents, making it an easy report to dismiss. However, considering that many organizations operate on skeleton crews around major holidays, it is fairly reasonable for businesses to be concerned about the possibility of an attack. There are fewer eyes to notice odd patterns in network usage, fewer hands on deck to handle a breach, and more work spread out over a smaller team.
"IT security professionals live in a constant state of vigilance – they know attackers are always looking for an advantage," Storms said. "You can't build a good security program overnight, but if you already have one in place you're probably just as safe on Christmas as you are any other day of the year," Storms added.
Along with worrying about a potential attack, IT teams also have to worry about rolling out emergency patches to protect the network. While there haven't been any major last-minute patches from vendors this month, it does happen. Last year, Microsoft pushed out an emergency update for ASP.NET on Dec. 30. The fix addressed a security hole in ASP.NET (and other Web server software from a slew of other vendors) which could be exploited to consume the server's processing power to the point where it stops responding. The flaw offered a relatively simple way to cause a denial of service.
At the time of the patch, Storms noted that many businesses were closed and would remain closed till after the New Year, or were running smaller teams. This meant it was harder for organizations to get the patch tested and deployed as quickly as possible. For those without a security program, building one should be on their list of goals for 2013 so that they can enjoy the holidays next year without worrying about potential attacks.