Every year, like clockwork, various infosec pundits, gurus, authors, and blowhards release their “top” lists of security threats. And like clockwork, they invariably focus on all manner of sensationalist, headline-grabbing issues which, on average, have little to do with the reality of IT security for the majority of organizations worldwide. Nevertheless, who am I to question this annual exercise? As such, I release Anitian’s Top Security Threats of 2013. These are the real issues practitioners and IT executives should think about, because they have a real effect on your infrastructure.
5. – Android Phones
Let’s not mince words here: when we talk about mobile security, we really mean Android. The majority of security problems exist on this platform. Apple iOS is a fundamentally more secure OS and ecosystem (reference: here). Blackberry has become such a has-been that its natural security benefits are overshadowed by the fact that nobody has a Blackberry anymore. So, when we talk about mobile security and BYOD, what we mean is the seething masses of users who want to hook their Android phone up to corporate email. And since Android now has a gigantic market share, these phones are in the hands of a diverse group of users, many of whom have minimal respect for security controls.
You need a solid mobile security strategy that takes into account people, process and technology. Moreover, you need to be building this strategy before you run out and purchase a mobile device management (MDM) platform. Far too many organizations rush out to buy a solution and fail to take the time to analyze their needs and the needs of their users. This leads to poorly planned and executed deployments that fail to properly address security as well as privacy issues. Sit down and develop a mobile security strategy first, before you spend a dime on any MDM product.
4. – Little Data
While Big Data gets all the headlines as companies try to leverage gigantic data stores, Little Data remains largely ignored, to the delight of hackers and malware developers everywhere. Little Data refers to the proliferation of smaller application databases in IT organizations. Virtually every application you install these days needs a database, and Microsoft’s SQL Server or MySQL are the engines of choice. A quick survey of some of the recent penetration tests we have conducted at Anitian shows that there are SQL instances everywhere inside organizations, most of which are not formally managed or secured. This proliferation of “little data” creates a large and lucrative surface area for attack. While there are ample ways to securely deploy SQL instances, it is equally easy to bypass those controls, especially when the installation is a hurried, last-minute deployment of some barely understood new product. Little Data is therefore a more pervasive problem. It affects more companies and more networks, and it is less guarded.
- Stop the proliferation.
- Plan out application deployments more carefully.
- Centralize databases to a single database server (or cluster) that has strong security controls.
- Deploy a core firewall with UTM features that can control access to databases and provide intrusion prevention capabilities.
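One way to find the “little data” the post describes before an attacker does is to watch for hosts that accept database connections but are not the sanctioned central cluster. The following is an added example, not Anitian’s code: the simplified firewall log format, its field names, the sample lines and the cluster address are all constructed assumptions.

```python
# Added example (not Anitian's code): flag hosts that accept database
# connections but sit outside the sanctioned central cluster. The log
# format, field names and the cluster address are assumptions.
import ipaddress
import re
from collections import defaultdict

# Ports of the engines the post names: SQL Server and MySQL.
DB_PORTS = {1433: "mssql", 3306: "mysql"}
# Assumed: only the central database cluster may serve databases.
SANCTIONED_DB_HOSTS = ipaddress.ip_network("10.0.50.0/28")

# Constructed sample firewall accept/drop log lines (simplified format).
SAMPLE_LOG = """\
2013-01-14T09:12:01 action=accept src=10.1.7.22 dst=10.0.50.4 dport=1433 proto=tcp
2013-01-14T09:12:07 action=accept src=10.1.7.22 dst=10.3.2.18 dport=3306 proto=tcp
2013-01-14T09:12:09 action=accept src=10.1.9.5 dst=10.3.2.18 dport=3306 proto=tcp
2013-01-14T09:12:15 action=accept src=10.1.7.40 dst=10.3.2.75 dport=1433 proto=tcp
2013-01-14T09:12:20 action=drop src=10.1.7.40 dst=10.3.2.99 dport=1433 proto=tcp
2013-01-14T09:12:31 action=accept src=10.1.7.22 dst=10.0.50.9 dport=443 proto=tcp
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

def parse_line(line):
    """Return (action, src, dst, dport) or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["action"], m["src"], m["dst"], int(m["dport"])

def find_unsanctioned_db_listeners(log_text):
    """Map each non-cluster host seen accepting a DB connection to a sorted
    list of (engine, client) pairs. Dropped flows are ignored: the firewall did its job."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, src, dst, dport = parsed
        if action != "accept" or dport not in DB_PORTS:
            continue
        if ipaddress.ip_address(dst) in SANCTIONED_DB_HOSTS:
            continue  # traffic to the managed cluster is expected
        findings[dst].add((DB_PORTS[dport], src))
    return {host: sorted(pairs) for host, pairs in findings.items()}
```

Each host the function returns is a candidate unmanaged SQL instance to either fold into the central cluster or block at the core firewall.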
3. – Poor Risk Management
Risk is a concept that people intuitively understand, but routinely get wrong. In the context of information security, risk management is a crucial component of a security program. However, few, if any, organizations engage in regular risk assessments.
How can you blame them? Corporate risk assessment practices have devolved into nitpicking documentation exercises. Complex worksheets, obtuse methodologies and arguments over the value of IT systems and data quickly transform a risk assessment project into a pointless “CYA” effort. Nobody wants to really address risk, since that could increase scrutiny. Scrutiny means somebody might locate mistakes, which can jeopardize jobs and raises. As such, rather than actually addressing risk, many risk assessments attempt to document billions of data points in a fruitless struggle toward greater “accuracy.” Mostly, they diffuse responsibility and mask problems in a sea of arcane language and unnecessary complexity.
This makes IT risk assessments worthless in the places that actually make the attempt. However, a lot of IT departments never even make the attempt. They reject formalized IT risk assessment in favor of attending vendor luncheons and fiddling with the latest next-generation gadget (which is bound to be a “game-changer”). They do this because IT risk assessment is costly and offers vague guidance. Moreover, they mistakenly think intuition can replace formalized risk analysis.
Everybody understands risk because of fear mechanisms that are built into our emotions. We perceive risk all the time and have developed a natural intuition about it. Our minds (and emotions) are constantly evaluating our surroundings and information for the danger it poses to us. We see a tiger charging at us, we run. Our brains are wired to respond rapidly and decisively to risk.
But, just as easily as emotions can quickly motivate us to jump out of the way of the hungry tiger, they can also convince us that phantom tigers are real. Fear, sensationalism, and laziness conspire to cause IT leaders to rely on their intuition and gut reactions to risk, rather than rational, objective analysis. And since emotions are easily manipulated (the whole field of marketing exists solely to manipulate human emotion, and thereby desire), these intuitive responses are, at best, inconsistent and, at worst, a waste of resources on threats that simply do not exist.
So here we have yet another confluence of problems that births a larger problem. 1) IT risk assessment practices are broken, because practitioners embrace obtuse, complex, and inaccessible methods of communicating the true nature of risk. 2) IT managers think they understand risk, and rely on easily manipulated intuitive risk assessment practices. These two problems conspire to cause a lot of organizations to misappropriate efforts to reduce risk.
- Do not rely on intuition to make security decisions. Base decisions on rational, objective, independent analysis.
- Simplify risk assessment. Demand concrete, tangible ways to reduce risk.
- Demand that risk assessors have the technical and business skills to correctly (and objectively) assess risk.
- Reject fear as a motivator for security.
2. – Lack of Third Party Patching
This problem is pretty simple, and it is really bad. Companies do not patch third-party applications, like Java or Adobe Acrobat, with the same diligence as operating systems. Free patching tools, namely Microsoft Windows Server Update Services (WSUS), do not patch anything other than Microsoft products.
Hackers know this, and as such a lot of malware leverages these platforms for exploitation. This issue was covered in greater detail in the article Java & Adobe: A Hacker’s Best Friends.
- Implement a patch management product that can patch everything, not just the operating system.
- Patch everything, all the time, every time, no excuses.
1. – Dunning-Kruger Effect
This problem somewhat follows from #3. Few, if any, security practitioners ever address the human aspects of information security. Aside from some intellectual writings from Bruce Schneier, human factors in information security are all too often kicked aside as “soft” problems. Or they are lumped into the category of “social engineering,” which is only one aspect of human behavior in security.
Human factors represent one of the most serious and persistent problems for organizations of all sizes. And it is not just a lack of awareness or people bypassing controls. It is the psychological and metacognitive biases humans have that can thwart efforts to improve security.
The Dunning-Kruger Effect is one of the more fascinating metacognitive biases and it has an impact on security as well as all technical fields. Simply put, people who are incompetent will often overstate their skills and people who are competent will tend to understate their capabilities. In the information security community, this effect can have disastrous consequences.
The rapid growth in information security over the past few years, coupled with lucrative pay, has attracted a lot of new security practitioners. Furthermore, security demands a broad range of technical, interpersonal and business skills. Couple these factors with the lack of security experience among general IT managers and executives who are easily swayed by fast talk and fear, and you have the perfect conditions to breed a community of people with an extremely inflated view of their skills.
This is not to suggest there are not some genuinely skilled and accomplished people in the security community. However, these people tend to be more reserved about their skill set. Moreover, they are more likely to hone their skills over a long period of time, rather than trying to bound up the corporate ladder.
The result of this issue is, quite simply, that there are a lot of incompetent security practitioners in positions of authority, making bad decisions. With the benefit of 17 years of experience, it has become easy for me to identify these people. They tend to share common attributes, such as a lack of hands-on technical experience, making rash decisions based on cursory examination of the facts, or an inability to work collaboratively with their peers.
Incompetence in security leadership is so destructive because it can affect so many different aspects of an organization’s security. While a new zero-day attack may take down a single server or expose data to a single attacker, a leader who lacks the skill set to make responsible decisions, or a practitioner who is too self-absorbed to bother with the daily realities of security, is the root cause behind a wide array of vulnerabilities, all of which expose the organization to increased risk.
- Demand hands-on technical skill for security practitioners.
- Reject fear as a motivating factor for any security initiative.
- Require experience for security leadership.
- Enforce good decision-making practices on security.
- Recognize the behaviors of people who overstate their skills.
- Educate the security team on human factors in security, particularly areas of metacognition and psychological aspects of security.
Ignore These Issues
While we are identifying the issues you should worry about, consider a few that do not require your attention:
Organized Crime / Hacker Communities
You are not going to stop these groups. And unless you work for the CIA or FBI, there is not much you can do. Focus on defending your business, not obsessing over the details of these criminal organizations.
Medical Device Hacking
This is such a ridiculously contrived problem. Sensationalist stories about hacking insulin pumps and pacemakers are the apex of FUD and sensationalism. Seriously, ignore this. Focus on good risk management.
Cyberwar
While this is an interesting and growing problem, it is unlikely to affect your business. I was highly skeptical of cyberwar until recently. There have been some obvious examples where this type of warfare is effective. However, unless you work for a gigantic global company or federal government entity (namely defense), this issue can sink to the bottom of your attention list.
Anything That Uses the Word “Game-Changer”
Every person who puts this in a marketing brochure should be barred from the marketing profession for life. It is a pointless term that has become completely meaningless. Moreover, if a product has to tell you it is a “game-changer,” it is not a game-changer. Real game-changers do not realize they have changed the game until the game has long since changed and somebody notices it. Game-changing is always a backward-looking concept. You cannot project game-changing into the future.
Anitian – Intelligent Information Security. For more information please visit www.anitian.com