Welcome to 2010. A new decade, for sure, but one likely to contain many of the traditional security problems that we have grown used to.

How would I rate the top three things you should be paying attention to as we begin the new year? Glad you asked. 🙂

1. Malware – malware is the current serious scourge of infosec. It is becoming increasingly clear that prevention is a losing battle. Detection is often not even up to par, so personally, I would be thinking about response. How can we leverage egress filtering, data leak protection and other controls in depth to limit the amount of damage that an infected machine can do? Can we perform alternative forms of detection, like HoneyPoints and HoneyBees to identify when things are “not quite right” in our environment? These approaches have a proven track record for helping. Check out the SANS CAG for more tips down this line of thinking.

2. Partner network connections – Are you sure they are secure? Do you treat them (and their traffic) like a DMZ? If not, get a move on, because the statistics show this is a major source of issues and data loss.

3. Do you have “production blinders” on? – Are all of your systems in scope for your ongoing assessments? You need at least monthly ongoing vulnerability assessments of every machine in your environment. Not just from the Internet, but also from the internal network(s). Why the inside too? Review point number 1. The inside is the new outside….. Give us a call to discuss assessments if you need help. Our GuardDog appliance can provide you with ongoing assessments that are affordable and results focused. Together, we can help you get to a comfort point where security is a manageable task.

Those are the big three. They are what I would focus on if I were a CIO or network manager. Welcome to 2010, where everything is different, except the things that aren’t. 🙂

PS – I hope you had a wonderful holiday season!

Are you looking for a free and easy to use password safe? Be sure to check out KeePass. It’s a great open source product that will place all of your passwords in a database which is locked with a secure key or key file.

The result? You only need to remember one password instead of hundreds.

Some key features include:

• Full database encryption; not just the passwords

• Portability- It can be placed on a USB stick

• Multiple key support- A key file can be used (which can be carried with you), a password can be used, or a combination of both!

• It’s not just for Windows. Ports are available for Linux, OS X, Blackberry, PalmOS, and many more

Want to learn more? Check out their site at http://keepass.info/

Security with mobile devices, starts before they are added to an organization’s assets. Although it may take extra time, it will pay off in the long run if an organization researches mobile devices before purchasing. Not all devices are equal. Some, such as MP3 players, are built for a general consumer base and won’t have such security safeguards as a “smart phone.”

Here are some tips that can help decrease the possibility of a security breach:

1. Use encryption and authentication features. Create policies that will ensure encryption features are accessed and launched. Many people do not use the password function but what would happen if a smartphone fell into a stranger’s hands? Why make it easy for someone to access private data? Set up a password.

2. Create remote wipe capabilities and set up a “lost item” process. If a mobile device is lost or stolen, the IT department could remotely remove any sensitive information. Not everyone turns in a lost cell phone. Remotely wiping it of sales forecasts or strategy diagrams will keep your organization’s plans safe. Having a quick hotline for lost items will help IT staff confront a problem quickly and efficiently.

3. Be careful about third-party applications. Although some seem to be harmless, they can possibly be a back-door for attackers to access your internal network. By limiting unsigned third-party applications, an organization can close one more opportunity for data theft.

4. Create unique firewall policies. Those who have smartphones do not need to have access to all the databases in the network. Only allow access to the data that would most commonly be used.

5. Start considering software. As smartphones become more common, hackers will start to target them more often. Adding precautions such as equipping devices with intrusion prevention software is another good way to provide security. And although anti-virus software for smartphones aren’t common, it’s a good idea to keep watching for it. This type of software is bound to develop and be plentiful as more organizations use highly sophisticated smartphones, which are really small computing platforms.

IT managers may be reluctant to tackle the issue of securing mobile devices, they realize mobile devices aren’t going anywhere. Supporting a limited number of mobile devices may be the answer. Creating and enforcing a consistent review process, together with awareness programs, will help keep your company’s business, your business.

I loved this story. The idea that some “hackers” hack for political or social causes is not new. This idea stems back several years and has evolved from simple web defacements with social and political messages to the “new breed” of information theft, data disclosure and possibly even sabotage to further one’s views.

Today, all of the experts in the security field, myself included spend a great deal of time teaching people that the primary data theft threat is more organized crime than teenage vandalism. But, that said, we certainly can’t forget the idea that hacktivism is still alive and well. In fact, given the explosive growth of the Internet, the continually expanding dependence on technology for everyday life and the common availability of so much data and access, hacktivism is likely to gain in popularity, not shrink.

That brings us to a huge issue. How do we know where some of the data that hacktivists would be interested in lives? Given that people are involved today in a myriad of social activities, use of social networks and such, how do we know who might have information that a hacktivist would want and who doesn’t? The answer of course, is that we have to assume that someone in our organization might have data that is relevant to this threat, so we have to account for it when we create our threat models. If we happen to be a philanthropic organization, a government agency or a federal group, we definitely can’t overlook hacktivism as a threat, because our very existence yields reputational risk for us and a reputational trophy for many hacktivists if they make us a poster child.

While the hacktivism threat model is likely more one of opportunistic nature than dedicated, focused attacks against a given organization, that may not always hold true. One day it may not be all about what data YOU have and hold, but what data the people who WORK FOR YOU have and what roles they play in their personal lives. While this is not necessarily true today, the idea that hacktivists might one day target individuals to achieve social goals is not out of the question.

So, all of that said, how much thought have you given hacktivism? Does your risk assessment cover that as a threat? Have you done any threat models around politically or socially motivated attackers? If not, it might be a good idea to take a look at this threat vector. Their aims and goals may be different than what you had in mind when you last updated your threat models.

We still see an alarming number of users visiting our sites using Internet Explorer 6 (IE6). Although for the first time, IE8 and IE7 both had a slightly higher share than IE6.

We urge users who continue to use IE6 to update to IE7 or IE8, or switch to an alternative as soon as possible. There are numerous reasons for this. IE6 has been shown many times to be insecure, lacking privacy options, has no protection from XSS or phishing attacks, and it’s not compliant with common web standards. It’s also much slower than modern browsers, particuarly with javascript.

Upgrading your browser can have many benefits. The most important being enhanced security and privacy. Other benefits include a better browsing experience through better compliance and faster rendering. So please, upgrade your browsers!

It’s tempting to gravitate toward security vendors who offer assessments on the “we find holes or it’s free” basis. I wanted to take a moment and express my thoughts on this approach.

First off, security testing choices should not be based on price. They should be based on risk. The goal is to reduce the risk that any given operation (application, network, system, process, etc.) presents to the organization to a level that is manageable. Trust me, I have been in the security business for 20 years and all vendor processes are NOT created equal. Many variations exist in depth, skill level, scope, reporting capability, experience, etc. As such, selecting security testing vendors based upon price is a really bad idea. Matching vendors specific experience, reporting styles and technical capabilities to your environment and needs is a far better solution for too many reasons to expound upon here.

Second, the “find vulnerabilities or it’s free” mentality can really back fire for everyone involved. It’s hard enough for developers and technical teams to take their lumps from a security test when holes emerge, but to now also tie that to price makes it doubly difficult for them to take. “Great, I pay now because Tommy made some silly mistake!” is just one possibility. How do you think management may handle that? What about Tommy? Believe me, there can be long term side effects for Tommy’s career, especially if he is also blamed for breaking the team’s budget in addition to causing them to fail an audit.

Thirdly, it actually encourages the security assessment team to make mountains out of mole hills. Since they are rewarded only when they find vulnerabilities and the customer expectations of value are automatically built on severity (it’s human nature), then it certainly (even if only unconsciously) behooves the security team to note even small issues as serious security holes. In our experience, this can drastically impact the perceived risk of identified security issues in both technicians and management and has even been known to cause knee-jerk reactions and unneeded panic when reports arrive that show things like simple information leakage as “critical vulnerabilities”. Clearly, if the vendor is not extremely careful and mindful of ethical behavior among their teams, you can get seriously skewed views between perceived risk and real-world risk, again primarily motivated by the need to find issues to make the engagement profitable.

In my opinion, let’s stick to plain old value. My organization helps you find and manage your risk. We help you focus on the specific technical vulnerabilities in networks, systems, applications and operations that attackers could exploit to cause you damage. To do this, my company employs security engineers. These deeply skilled experts earn a wage and thus cost money. Our services are based around the idea that the work we do has value. The damages that we prevent from occurring save your company money. Some of that money pays us for our services and thus, we pay our experts. Value. End of story.

For years now, security folks have been shouting to high heaven about the end of the world, cyber-terrorism, cyber-jihad and all of the other creative phrasings for increased levels of risk and attacks.

SANS Institute (SysAdmin, Audit, Network, Security) at least asks for good things, too. It is always, as they point out, so much easier to create a list of threats and attack points than a list of what we have done, and are doing right. It is human nature to focus on the shortcomings.

We have to create rational security. Yes, we have to protect against increases in risk, but we have to realize that we have only so many resources and risk will never approach zero!

We recently worked an incident where a complete network compromise was likely to have occurred. In that event, the advice of another analyst was to completely shut down and destroy the entire network, rebuild each and every device from the ground up and come back online only when a state of security was created. The problem: the business of the organization would have been decimated by such a task. Removing the IT capability of the organization as a whole was simply not tenable.

Additionally, even if all systems were “turned and burned” and the architecture rebuilt from the ground up, security “nirvana” would likely not have been reached anyway. Any misstep, misconfigured system or device or mobile system introduced into the network would immediately raise the level of risk again.

Thus, the decision was made to focus not on mitigation of the risk, but on minimizing it. Steps were taken to replace the known compromised systems. Scans and password changes became the order of the day and entire segments of the network were removed from operation to minimize the risk during a particularly critical 12 hour cycle where critical data was being processed and services performed.

Has there been some downtime? Sure. Has there been some cost? Sure. How about user and business process pain? Of course! But the impact on their organization, business bottom line and reputation has been absolutely minimized than if they had taken the “turn and burn” approach.

Rational response to risk is what we need, not gloom and doom. Finding the holes in security will always be easy, but understanding what holes need to be prevented, wrapped in detection and protected by response is the key. Only when we can clearly communicate to management and consumers alike that we have rational approaches to solving the security problems will they likely start listening again.