Welcome to 2010. A new decade, for sure, but one likely to contain many of the traditional security problems that we have grown used to.
How would I rate the top three things you should be paying attention to as we begin the new year? Glad you asked. 🙂
1. Malware – malware is the most serious current scourge of infosec. It is becoming increasingly clear that prevention is a losing battle. Detection is often not even up to par, so personally, I would be thinking about response. How can we leverage egress filtering, data leak protection and other controls in depth to limit the amount of damage that an infected machine can do? Can we perform alternative forms of detection, like HoneyPoints and HoneyBees, to identify when things are “not quite right” in our environment? These approaches have a proven track record of helping. Check out the SANS CAG for more tips along this line of thinking.
2. Partner network connections – Are you sure they are secure? Do you treat them (and their traffic) like a DMZ? If not, get a move on, because the statistics show this is a major source of issues and data loss.
3. Do you have “production blinders” on? – Are all of your systems in scope for your ongoing assessments? You need at least monthly ongoing vulnerability assessments of every machine in your environment. Not just from the Internet, but also from the internal network(s). Why the inside too? Review point number 1. The inside is the new outside… Give us a call to discuss assessments if you need help. Our GuardDog appliance can provide you with ongoing assessments that are affordable and results-focused. Together, we can help you get to a comfort point where security is a manageable task.
Those are the big three. They are what I would focus on if I were a CIO or network manager. Welcome to 2010, where everything is different, except the things that aren’t. 🙂
PS – I hope you had a wonderful holiday season!
This is clearly vendor bias. Malware and vulnerability assessments are usually “end-user system” focused. The primary problems today in InfoSec are based around online data, not end-user systems.
I would place “Insecure Applications” not “Malware” as #1. Partner connections are very important. Insecure Applications include problems such as SQL Injection. This is corroborated by the data from the Microsoft and Verizon Business Incident Reports from the past 7 years or so. 99.1 percent of breaches occur at the online data layer, and 99.9 percent of records stolen also come from this layer.
The best way to prevent breaches at the online data layer is to ensure that every online (Internet or Intranet) application is built with some sort of verified platform/framework/components, such as an OWASP ESAPI component set verified against a verification standard such as OWASP ASVS at a reasonable level, such as the Level 3 verification standard in OWASP ASVS.
I am not sure that any of the things that you have mentioned as “proven”, such as HoneyPoint, SANS, or GuardDog — have actually been “proven” at all. In fact, I have no idea what you are talking about.
Thanks for the great response. I like it when the things I write get people thinking.
You are right about AppSec being important and I am glad that you brought it up. You are probably right that it should be in the top 3, likely instead of “production blinders”. The reason malware is still so important, in my opinion, is that it is certainly the backbone of the records thefts. While many of the initial-stage compromises in the reports come from SQLi, rarely are these attacks a “steal it all and go” type of attack pattern. Usually (off the top of my head, ~78% of the time according to Verizon), they involve second-stage attacks against additional assets using malware. However, your point about appsec being critical is well taken. (Maybe I missed my carbs today… 🙂 )
That said, let’s expand the list to 4 things and include application security threats too! 🙂
As for the other stuff, check out the SANS Consensus Audit Guidelines (CAG). This is an agreed list of the 20 most useful controls that organizations should be using. Great stuff! In the CAG, honeypot controls have shown some value, as they have among the customers of our HoneyPoint products for identifying malware and other threats inside the environment and on the public Internet.
Clearly, I hope that all organizations embrace ongoing assessments and I hope that they include both network and application layer attention. If that’s vendor bias, then I guess I am guilty. 🙂
Thanks again for the great response. Based on your commentary, I will check out your blog when I have some time. A quick look seemed interesting. Have a great evening!