Come the turn of the year, many people draw up a list of predictions for the next. This list is slightly different: instead of focusing on what new threats, vulnerabilities or attacks we'll see, it is a list of things that, if not already handled, should be in your security strategy for this year. Some organisations are further along than others, and this list is targeted at the average ZA organisation based on my observations. (Full disclosure: some of the items relate to services my employer offers, but that's just because I believe in them.)
- Get a handle on what you have online. Many orgs have a much larger Internet presence than what's sitting in their hosting center. Cheap hosting, elastic hosting, service providers with their own infrastructure (particularly those catering directly to business units), and half-forgotten subsidiaries & business partners all put services online that tend to get overlooked, yet still expose your company to brand damage or offer a way into your network. Best of all, finding them is cheap & quick to do. Consolidating the results into controlled hosting areas and applying consistent security standards, unfortunately, isn't.
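As an added illustration of that first step (not code from the original post), the script below takes whatever you have already harvested about your Internet presence (zone exports, certificate transparency results, partner-supplied host lists) and reconciles it against the address ranges you actually control. Everything in it is constructed sample data: the hostnames, the TEST-NET addresses and the two "controlled" ranges stand in for your own hosting centre and approved providers. Anything that lands in the `uncontrolled` bucket is the list to go and chase.

```python
"""External footprint reconciliation: which of our Internet-facing hosts live
outside the hosting we control?

Added example, not from the original post. Host records and CIDR ranges are
constructed; real inputs would be your DNS zone exports / CT-log results and
the address blocks of your hosting centre and approved providers.
"""
import ipaddress
from collections import defaultdict

# Constructed: address ranges the organisation controls (name -> list of CIDRs).
CONTROLLED_RANGES = {
    "hosting-centre": ["192.0.2.0/24"],
    "approved-cloud": ["198.51.100.0/25"],
}

# Constructed: (hostname, resolved address or None, where the record came from).
DISCOVERED = [
    ("www.example.co.za", "192.0.2.10", "zone:example.co.za"),
    ("mail.example.co.za", "192.0.2.25", "zone:example.co.za"),
    ("promo2011.example.co.za", "203.0.113.40", "ct-log"),            # marketing microsite on cheap hosting
    ("portal.oldsubsidiary.co.za", "198.51.100.200", "zone:oldsubsidiary.co.za"),  # just outside the approved /25
    ("api.example.co.za", "198.51.100.15", "ct-log"),
    ("legacy.example.co.za", None, "zone:example.co.za"),               # dangling record, nothing resolves
]


def classify(address, controlled=CONTROLLED_RANGES):
    """Return the name of the controlled range containing `address`,
    'unresolved' when the record has no usable address, or None when the
    host lives somewhere we do not control."""
    if not address:
        return "unresolved"
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "unresolved"
    for name, cidrs in controlled.items():
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return name
    return None


def reconcile(discovered=DISCOVERED, controlled=CONTROLLED_RANGES):
    """Group discovered hosts by where they live; the 'uncontrolled' bucket
    is the one that needs consolidating into managed hosting."""
    report = defaultdict(list)
    for host, addr, source in discovered:
        where = classify(addr, controlled) or "uncontrolled"
        report[where].append({"host": host, "address": addr, "source": source})
    return dict(report)


def summary(report):
    """Headline numbers for the exposure report."""
    total = sum(len(v) for v in report.values())
    outside = len(report.get("uncontrolled", []))
    return {
        "total": total,
        "uncontrolled": outside,
        "pct_uncontrolled": round(100 * outside / total, 1) if total else 0.0,
    }


if __name__ == "__main__":
    rep = reconcile()
    for where, hosts in sorted(rep.items()):
        print(f"== {where} ({len(hosts)})")
        for h in hosts:
            print(f"   {h['host']:32} {str(h['address']):16} via {h['source']}")
    print(summary(rep))
```

The point of keeping the `source` column is that it tells you which business unit or partner to talk to when a host turns up outside the ranges you run; the reconciliation itself is just set membership, which is why it is the cheap part.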
- Check up on exceptions to the basics. By now most have at least a basic patch, virus, change & configuration management process for servers. If you don't, start. If you do, start checking on exceptions such as:
  - How many servers don't we know about & why?
  - How many servers don't have AV & patches up to date?
  - How many changes that didn't go through change control were made?
These are harder questions to answer, but as any pentester will tell you, we're good at finding those machines and that's our quick 'n easy in.
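Those three questions are easier to answer once you treat each management system's export as a list and look at the differences between them. The script below is an added example, not from the original post: all the CMDB, AV-console, patch-system, change-ticket and observed-change data in it is constructed, and the 30-day freshness threshold is an assumed policy value. It reports hosts seen on the wire that the CMDB doesn't know, known servers that aren't reporting to AV or patching (or are reporting but stale), and observed changes with no matching ticket.

```python
"""Exception report for the basics: unknown servers, AV/patch coverage gaps,
and changes that bypassed change control.

Added example, not from the original post. Every dataset below is constructed
sample data standing in for a CMDB export, an AV console export, a
patch-management export, a network/DHCP view, approved change tickets, and
changes observed by configuration auditing or file-integrity monitoring.
"""
from datetime import date

AS_OF = date(2011, 1, 10)   # constructed reporting date
MAX_AGE_DAYS = 30           # assumed policy: last successful update within 30 days

# Constructed: hostname -> owning business unit, from the CMDB.
CMDB = {"web01": "ecommerce", "db01": "ecommerce", "fs01": "finance", "dc01": "infra"}

# Constructed: AV console export, hostname -> signature date last reported.
AV_CONSOLE = {"web01": date(2011, 1, 9), "db01": date(2010, 11, 2),
              "dc01": date(2011, 1, 9), "lab03": date(2011, 1, 8)}

# Constructed: patch-management export, hostname -> last successful patch run.
PATCH_SYSTEM = {"web01": date(2011, 1, 5), "fs01": date(2010, 10, 1),
                "dc01": date(2011, 1, 5), "lab03": date(2011, 1, 5)}

# Constructed: hosts alive on the network (switch tables, DHCP leases, a scan).
SEEN_ON_NETWORK = {"web01", "db01", "fs01", "dc01", "lab03", "build07"}

# Constructed: approved change tickets, (host, change) -> ticket id.
CHANGE_TICKETS = {("web01", "install-hotfix"): "CHG-1042", ("dc01", "gpo-update"): "CHG-1050"}

# Constructed: changes actually observed on hosts by config auditing / FIM.
OBSERVED_CHANGES = [("web01", "install-hotfix"), ("db01", "open-port-1433"),
                    ("dc01", "gpo-update"), ("fs01", "new-local-admin")]


def unknown_hosts(seen=SEEN_ON_NETWORK, cmdb=CMDB):
    """Hosts alive on the network that nobody registered. Note lab03 is happily
    reporting to AV and patching yet still unknown to the CMDB."""
    return sorted(seen - set(cmdb))


def coverage_exceptions(source, label, cmdb=CMDB, as_of=AS_OF, max_age=MAX_AGE_DAYS):
    """Known servers that are absent from `source` or whose last update in it
    is older than max_age days. Returns host -> reason."""
    out = {}
    for host in sorted(cmdb):
        last = source.get(host)
        if last is None:
            out[host] = f"not reporting to {label}"
        else:
            age = (as_of - last).days
            if age > max_age:
                out[host] = f"{label} last updated {age} days ago"
    return out


def uncontrolled_changes(observed=OBSERVED_CHANGES, tickets=CHANGE_TICKETS):
    """Observed changes with no approved ticket behind them."""
    return [(host, change) for host, change in observed if (host, change) not in tickets]


def exception_report():
    """Pull the answers to the three questions into one structure."""
    av = coverage_exceptions(AV_CONSOLE, "AV")
    patch = coverage_exceptions(PATCH_SYSTEM, "patching")
    fully_covered = sum(1 for h in CMDB if h not in av and h not in patch)
    return {
        "unknown_hosts": unknown_hosts(),
        "av_exceptions": av,
        "patch_exceptions": patch,
        "uncontrolled_changes": uncontrolled_changes(),
        "pct_fully_covered": round(100 * fully_covered / len(CMDB), 1),
    }


if __name__ == "__main__":
    for section, value in exception_report().items():
        print(f"{section}: {value}")
```

Run it monthly and track the counts; the trend matters more than any one month's list, and a server that keeps appearing under `unknown_hosts` is exactly the machine a pentester will find first.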
- Third-party patches. Microsoft did some good work in sorting out their patch release cycle, and it's fairly easy to get those patches applied regularly. Unfortunately, attacks have moved to the harder-to-patch, less secure software on machines operated by less savvy users. This means you need to start managing non-MS patches, and you need to do it on more than just servers. Worse still, each third-party software provider has its own update mechanism, which is hard to manage centrally (in a Windows environment at least). Big-ticket patch management tools have long had this capability, but they also come with the price tag. Cheaper tools such as Secunia CSI, or even the right vulnerability scanner, can alert on what needs doing.
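Even without a big-ticket tool, a software inventory export plus a maintained list of minimum acceptable versions gets you most of the way to knowing where the third-party gaps are. The script below is an added example, not from the original post: the inventory CSV, the product names (deliberately placeholders, not real products) and the minimum versions are all constructed. The one piece worth copying is `version_key`, because comparing versions as plain strings ranks `9.9` above `9.10` and `1.6.0_9` above `1.6.0_23`, which quietly hides exactly the machines you are looking for.

```python
"""Third-party patch gap report: compare a software inventory against the
minimum versions your policy requires, across servers, workstations and laptops.

Added example, not from the original post. The policy table and inventory
export are constructed sample data with placeholder product names; real
inputs would come from your inventory or vulnerability-scanner export and a
baseline you maintain.
"""
import csv
import io
import re

# Constructed policy: product -> minimum acceptable version.
MINIMUM_VERSIONS = {
    "ExamplePDFReader": "9.4.1",
    "ExampleRuntime": "1.6.0_23",
    "ExampleBrowserPlugin": "10.2",
}

# Constructed inventory export: host, role, product, installed version.
INVENTORY_CSV = """host,role,product,version
web01,server,ExampleRuntime,1.6.0_23
ws-fin-12,workstation,ExamplePDFReader,9.3.4
ws-fin-12,workstation,ExampleRuntime,1.6.0_21
ws-fin-12,workstation,ExampleBrowserPlugin,10.1
ws-hr-03,workstation,ExamplePDFReader,9.4.1
ws-hr-03,workstation,ExampleBrowserPlugin,10.2
lap-sales-07,laptop,ExamplePDFReader,8.2
lap-sales-07,laptop,UnlistedTool,2.0
"""


def version_key(version):
    """Turn a version string into a tuple of ints so comparisons are numeric:
    '9.10' > '9.9' and '1.6.0_23' > '1.6.0_9', which string ordering gets wrong."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_outdated(product, version, policy=MINIMUM_VERSIONS):
    """True when the policy covers the product and the installed version is below the minimum."""
    required = policy.get(product)
    if required is None:
        return False
    return version_key(version) < version_key(required)


def patch_gaps(inventory_csv=INVENTORY_CSV, policy=MINIMUM_VERSIONS):
    """Return (gaps, unmanaged): one finding per outdated install, plus the
    products seen in the inventory that the policy says nothing about."""
    gaps, unmanaged = [], set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product, version = row["product"], row["version"]
        if product not in policy:
            unmanaged.add(product)          # software nobody has a baseline for
        elif is_outdated(product, version, policy):
            gaps.append({"host": row["host"], "role": row["role"], "product": product,
                         "installed": version, "required": policy[product]})
    return gaps, sorted(unmanaged)


def gaps_by_role(gaps):
    """Count outdated installs per role; shows whether the problem sits on
    servers or, as the post expects, on user machines."""
    counts = {}
    for gap in gaps:
        counts[gap["role"]] = counts.get(gap["role"], 0) + 1
    return counts


if __name__ == "__main__":
    found, unmanaged = patch_gaps()
    for gap in found:
        print(f"{gap['host']:14} {gap['role']:12} {gap['product']:22} "
              f"installed {gap['installed']:10} required {gap['required']}")
    print("by role:", gaps_by_role(found))
    print("no baseline for:", unmanaged)
```

The `unmanaged` list is as useful as the gaps: every product on it is software that is installed on your estate but has no minimum version, which means nobody is watching its update cycle at all.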
- Mobile security *processes* - People have hyped mobile security for years, and we're at a point where there's a reasonable expectation that a majority of information workers have at least company email & calendar data on their phones. The most likely threat is the device being lost or trivially accessed. Figure out what controls you can push to the largest number of devices (e.g. MS ActiveSync allows passwords and lock times to be enforced, & iDevices or RIM devices have an extended set of controls). More important, however, is implementing processes for using these. They don't need to be perfect, but at a minimum employees should be able to report lost or stolen phones and have a remote wipe command sent & passwords reset.
- Physical Access Management - It's 2011 and there are still wildly inconsistent ways in which this is managed. Make sure there is proper equipment sign-in/out, that guards actually check bags & that legitimate data is entered (or go for the Ricardo Semler approach, but don't pay for an awkward middle ground). I still regularly sign in as Osama Bin Laden and walk in/out with laptops hidden in my bag. There are some nice advances in tech in ZA too: electronic sign-in devices that look up ID numbers OTA and take copies of fingerprints. Next up, make sure there's adequate camera coverage of your offices & that suspicious behavior is actually queried. A guy in a suit should not be an untested edge case.
These items need some real thought, and the above is intended merely as pointers rather than full implementation guides. As for actual predictions, we've had some fun with that at work and will hopefully add to the noise with those soon.