Anitian Enterprise Security
888.ANITIAN
info@anitian.com

Article

What to Worry About in 2011

By Andrew Plato, CISSP, CISM, QSA
President / Principal Consultant
Anitian Enterprise Security

It is a new year and with it comes a time of reflection, and the inevitable lists of "Top Ten Trends in Security." I've read at least a dozen or so of these lists. You can boil them down to the same basic response: "OMG! TEH HAXORS ARE GOING TO GET YOU!!!! And only our revolutionary next generation box of super awesomeness can stop the bad guys and deliver pure IT happiness as well as gigatons of fawning praise from your peers."

Okay, maybe I exaggerate a bit – but only a little bit. In an effort to peel away the layers of fluff and FUD, I offer my own list of five information security issues to consider for 2011. This list is based on the experience of Anitian's consultants as well as our approach to security: practical, pragmatic, and aligned with business and IT reality.

  1. The Fundamentals
    Before you start planning for big things in 2011, take a moment to ensure that the fundamentals of your information security program are in place. This includes:
    • Strong perimeter firewall
    • Intrusion detection or prevention (preferably throughout the environment)
    • Endpoint antivirus / antimalware on every single host
    • Whole disk encryption for laptops
    • Email security & antispam
    • Event logging and analysis
    • Web filtering (specifically for malware)
    • Strong remote authentication
    • Remove discretionary access
    These technologies and practices are crucial to the security of any organization. If you're missing anything on that list, then it's a good idea to move the implementation of those solutions to the top of your to-do list. Of course, there are always some reasonable exceptions, but if your organization lacks any of these controls, ensure you have a sound business reason for that.

  2. Rights & Access Management
    If we learned anything from WikiLeaks, it is that information is hard to contain. You might not be able to stop leaks, but you should be aware of any leak. Rights and access management is a rapidly maturing market. Microsoft has a current suite of products in this space, and there are other technologies serving it as well.

    The key issue is the management and auditing of rights. It is not enough to limit access; you need to know when somebody accesses unauthorized information and, if possible, what they do with that information. Data Loss (or Leak) Prevention (DLP) technologies have matured to the point where they offer real value in detecting and preventing the leakage of information.
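    One way to put the "know when somebody accesses unauthorized information" point into practice, as an added example that is not part of the original article and not a product mentioned in it: audit a file-access log against an allow-list, flagging every read the rights do not permit and, separately, any user who reads an unusually large number of distinct restricted resources (the bulk-collection pattern the rights check alone cannot see). The allow-list, the log format and the sample events are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample allow-list: who may read each resource. "*" means anyone.
# (Assumption: a real deployment would pull these rights from the directory/ACLs.)
ACL = {
    "/finance/q4-forecast.xlsx": {"cfo", "controller"},
    "/hr/salaries.csv": {"hrdirector"},
    "/legal/merger-memo.docx": {"counsel", "cfo"},
    "/eng/release-notes.txt": {"*"},
}

# Constructed sample access log in an assumed one-event-per-line format.
LOG = """\
2011-01-05T09:12:01 user=cfo action=read resource=/finance/q4-forecast.xlsx
2011-01-05T09:15:44 user=jdoe action=read resource=/eng/release-notes.txt
2011-01-05T09:20:10 user=jdoe action=read resource=/hr/salaries.csv
2011-01-05T09:21:37 user=jdoe action=read resource=/finance/q4-forecast.xlsx
2011-01-05T09:22:02 user=jdoe action=read resource=/legal/merger-memo.docx
2011-01-05T10:02:55 user=controller action=read resource=/finance/q4-forecast.xlsx
"""

EVENT_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) resource=(\S+)$")

def is_authorized(user, resource, acl):
    """Unknown resources fail closed: nobody is authorized until rights are defined."""
    allowed = acl.get(resource, set())
    return "*" in allowed or user in allowed

def audit(log_text, acl, bulk_threshold=3):
    """Return findings: ('unauthorized', user, resource, ts) for every read the
    allow-list does not permit, plus ('bulk_access', user, count, None) when one
    user reads bulk_threshold or more distinct restricted resources. The second
    check catches a leak pattern the rights check alone cannot see."""
    findings, distinct = [], defaultdict(set)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m or m.group(3) != "read":
            continue  # skip malformed lines and non-read actions
        ts, user, _, resource = m.groups()
        if not is_authorized(user, resource, acl):
            findings.append(("unauthorized", user, resource, ts))
        if "*" not in acl.get(resource, set()):
            distinct[user].add(resource)  # restricted resources only
    for user, resources in distinct.items():
        if len(resources) >= bulk_threshold:
            findings.append(("bulk_access", user, len(resources), None))
    return findings
```

    On the sample log this reports jdoe's three unauthorized reads and a bulk_access finding for jdoe; the authorized reads by cfo and controller produce nothing.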

  3. Mobile / Smartphone Security
    Mobile security is a huge problem, but there is a growing set of solutions. As phones become laptop replacements for field staff, the need to protect these devices becomes mandatory.

    The key to mobile security is control. People will lose phones and iPads, and probably more often than they lose laptops. Retrieval technology is a losing game; focus your efforts on protecting the data on those devices and preventing unauthorized use.

    Apple and Android still trail in this space, offering limited security measures. Blackberry remains the leader for mobile security. There are some excellent third party security systems, such as the mobile security products from Good Technologies (http://www.good.com).

    Make sure each device can be remotely wiped, and establish policies for acceptable phone usage.

  4. Cloud Computing
    Let's all agree that Cloud Computing is about 80% hype and 20% useful technology. Once we are past that perception we can settle into the fact that moving some business functions into the cloud has real benefits. It also has some real dangers. Multitenant environments (which is a fancy way to say "The Cloud") are rife with security vulnerabilities, data loss risks, and a fundamental lack of control. Before moving anything into the cloud, evaluate the risks. Be honest about those risks and develop practices to mitigate or eliminate them.

  5. Incident Response
    Almost every Top 10 list for 2011 mentions "hacktivism" or "evolving malware" but absolutely none of them suggest how to handle these pervasive, non-specific, sensationalistic problems. There is one way to deal with these, and many other serious security problems – better incident response. At a certain point, you have to accept that you cannot stop all attacks. If somebody (or some organization) is determined to harm you, they will. The difference between organizations that get ruined by an attack and those that bounce back stronger is their incident response practices.

    If you do not have an incident response program, then now is the time to develop one. If you have a program, then now is the time to test it. Run through some drills, perform sample attacks, and so forth.

    If you rely on third party analysts or forensic experts, remember there is a large difference between digital forensics and incident investigation. Many forensic people just image hard drives and search for keywords – that's forensics, not investigation. An effective incident response looks beyond pure forensics into the larger picture of your network, systems, practices, and culture. The skill set required to be an investigator is not (always) the same as the skill set required to be a digital forensics expert.

  6. Don't Worry About...
    Cyberwar. Yes, there is evidence of state sponsored hacking. This is a fascinating development, but in all likelihood it has absolutely zero effect on your business. Unless you run a nuclear power plant or secure networks for national defense, you can remove cyberwar, cyberterrorism, and all the other cybersensationalist stuff of a Vince Flynn novel from your to-do list. If you are affected by these issues, take a very serious look at the first item written in this article (The Fundamentals). It is very easy to waste valuable time and resources on sensational issues all the while ignoring fundamental controls. In other words, if you cannot manage your endpoint antivirus or your perimeter firewall, you're in no position to be frothing about cyberwar. Fix your own house before you start complaining about the neighborhood.

    "Next Generation" Anything. If somebody calls their technology the "Next Generation of..." something, run away. This has to be the lamest of the lame marketing tactics. It's a statement that appeals almost exclusively to the emotional desire to have something flashy and new, and not necessarily something better. There are a few egregious violators of this principle. One in particular (who I shall keep nameless so they don’t sue me into oblivion) is fond of redefining words to make their technology sound like some mega awesome new thing. In fact, their product is nothing new. They are just repackaging the same old stuff with fancy words. Always buy a product based on how it performs and is used, not on how it is sold.

    ISO 27002. The more I listen to people talk about ISO 27002 and ITIL, the more convinced I become that these standards are actually religions and not security frameworks. Proponents of these standards demand devotion from their followers and there is a profound sense of "non-acceptance" toward those who reject them. Rather than try to demonstrate adherence to some arbitrary standard, why not just do the right thing? Use ISO 27002 and all the other standards as a source of useful guidance, and don't bother with the certifications.

Conclusion

As with all things in security, there should be balance. Balance between the cost and benefit. Between security and functionality. Pay attention to that balance.

Have a happy, productive and secure 2011.
For more information, please call 888.ANITIAN, or email Anitian Enterprise Security.