Top 10 IT Security Issues for 2011

Date post: 09-Apr-2018
Upload: redspin-inc
Transcript
Page 1: Top 10 IT Security Issues for 2011

8/7/2019 Top 10 IT Security Issues for 2011

http://slidepdf.com/reader/full/top-10-it-security-issues-for-2011 1/23

 Security Seminar Top Security Risks for 2011

January 7, 2011 - Redspin Security Team

(Revised with notes and extended bullets for online viewing).

Page 2: Top 10 IT Security Issues for 2011


Issue 1: Mobile Devices in the Enterprise

The transition from control at the perimeter to data and/or application-based control has arrived and should be reflected in your Information Security Program. Start by assuming sensitive information will be accessed, wired and wirelessly, from all possible devices - desktops, laptops, iPads, Droids. By relying less on control of the end device you can focus more on controlling the data. Ensure only those people who need access are granted access. Understand where the data must be stored to support business processes and update your information security policies to include mobile devices.

Page 3: Top 10 IT Security Issues for 2011

Mobile Devices in Enterprise

● Risk
 – Assume sensitive data will be accessed from iPads, iPhones, Droids, tablets, laptops, thumb drives, ...
 – Managing security risk has moved from the perimeter to the core: applications and data
 – Less control of end-user devices

● Recommendation
 – There is no single point solution (i.e. DLP)
 – Need-to-know access to app/data
 – Mobile Device Policy
 – Training, training, training
 – RDP access can limit remote data storage, MAC scan

Page 4: Top 10 IT Security Issues for 2011


Issue 2: Social Media Information Disclosure

While social media is relatively new, the threat posed by casual disclosure of many individual bits of non-sensitive information is not. Called “Operations Security” in the federal government, the reality is that in some cases, when aggregated, disparate pieces of related information taken as a whole can in fact be confidential information.

The prevalence of social media in the workplace (both authorized and unauthorized) makes this a credible threat to the typical enterprise. Ensure that your policies clearly state what can and cannot be communicated through social media and train your employees appropriately.

Page 5: Top 10 IT Security Issues for 2011

Social Media Information Disclosure

● Risk
 – Casual disclosure of small bits of information can add to sensitive data disclosure
 – Called 'Operations Security' in federal government
 – Prevalence of social media (both authorized and unauthorized) makes this a credible threat
 – Example: post to Twitter about new hire, LinkedIn says new hire has forensic analysis experience, post to security message board “malware question”

● Recommendation
 – Policies: clearly state what can and cannot be communicated via social media
 – Train employees about risk and appropriate use

Page 6: Top 10 IT Security Issues for 2011


Page 7: Top 10 IT Security Issues for 2011

Virtualization Sprawl

● Risk
 – Breaks security model: separation of duties
 – Easy replication means
   ● Many potential configurations
   ● Sensitive data lying around
   ● Complexity

● Recommendation
 – Document well-defined process for managing instances
 – Ensure only needed instances are in use

Page 8: Top 10 IT Security Issues for 2011


Issue 4: 3rd-Party Mobile Applications

Vulnerability management programs have had it easy until now. Along with the onslaught of portable and personal media has come a set of third-party applications that were likely developed quickly and without adhering to a secure SDLC (software development life cycle) program. Many patching solutions now support third-party applications; however, mobile devices are less supported and rely more on user interaction for updating. Start by identifying necessary applications and removing everything else. For those applications on the list, determine the most efficient way to patch each one after critical security updates are released.

Page 9: Top 10 IT Security Issues for 2011

3rd-Party Mobile Applications

● Risk
 – Mobile applications are immature and not likely to follow Secure SDLC process
 – 3rd-party applications can be difficult to patch on workstations → mobile device enterprise management systems are even less evolved, require more user interaction to update
 – Infected mobile device attaching to internal network could compromise internal systems & data

● Recommendation
 – Identify necessary apps, remove other apps if possible
 – Implement process to monitor app critical updates and upgrade vulnerable apps

Page 10: Top 10 IT Security Issues for 2011


Issue 5: Vendor Management

With the emergence of cloud computing, vendor management is even more of an issue than in the past. Previously, only parts of enterprise IT were outsourced. Today, an entire business can be hosted in the cloud and one mistake by a vendor could destroy your company. How are you mitigating this risk? As with any outsourced vendor, ensure that the necessary safeguards are defined in your contracts, make sure your vendor has their systems tested annually and provides you with the results.

Page 11: Top 10 IT Security Issues for 2011

Vendor Management

● Risk
 – Vendors are less secure than you think. Big does not mean secure. Yet they hold so much of your sensitive data
 – Emergence of cloud computing means data supply chain has vastly grown
 – Saying “oops it was the vendor” is no longer a valid reason for unauthorized disclosure of your data

● Recommendation
 – Ensure effective security controls and risk management are defined in contracts
 – Verify that your vendor is actually testing their security controls by an objective 3rd party, and disclosing results

Page 12: Top 10 IT Security Issues for 2011


Issue 6: SQL Injection

An old standard, and still as prevalent as ever. New applications, old databases. Continue to integrate security into the development cycle and test after all code updates to ensure you identify SQL injection vulnerabilities before an attacker does.

Page 13: Top 10 IT Security Issues for 2011

SQL Injection

● Risk
 – Very common risk
 – Can result in compromise of entire database of sensitive data (and your entire network!)

● Recommendation
 – Periodically test web applications to ensure they are secure
 – Integrate Secure SDLC (software development lifecycle) into development process, where security is designed into application and tested throughout.
 – Ensure proper input filtering of user data
 – Never trust user supplied input
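As an added illustration (not code from the Redspin slides), the following Python shows the defect the slide warns about beside its fix: an untrusted username concatenated into SQL text versus the same lookup with a bound parameter, plus an allowlist filter as the "proper input filtering" layer. It runs against a constructed in-memory SQLite table; the table contents and the hostile test string are made up for the demo.

```python
import re
import sqlite3

# Constructed sample data for the demo; not from the original slides.
SAMPLE_USERS = [("alice", "111-11-1111"), ("bob", "222-22-2222")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users (username, ssn) VALUES (?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, username):
    # Defect: untrusted input is pasted into the SQL text, so a quote in the
    # input ends the string literal and the remainder is parsed as SQL.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    # Fix: the value travels to the engine separately from the SQL text and is
    # only ever compared as data, whatever characters it contains.
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def is_valid_username(value):
    # Allowlist filtering as a second layer: reject anything outside the
    # expected shape before it reaches the database at all.
    return bool(USERNAME_RE.match(value))

def demo():
    conn = make_db()
    # Constructed test input: closes the string literal, adds an always-true clause.
    hostile = "' OR 1=1 --"
    return {
        "benign": lookup_parameterized(conn, "alice"),
        "vulnerable_with_hostile": lookup_vulnerable(conn, hostile),   # every row leaks
        "parameterized_with_hostile": lookup_parameterized(conn, hostile),  # no match
        "filter_accepts_benign": is_valid_username("alice"),
        "filter_rejects_hostile": is_valid_username(hostile),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```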

Page 14: Top 10 IT Security Issues for 2011


Issue 7: Risk Management

Technology continues to evolve, so why shouldn't the risks and management strategies? How is your management team adjusting to new threats that surface on a daily basis? By enforcing 5-minute screen saver timeouts for back-office systems? Or enforcing 30-day password expiration for users that do not have access to sensitive information? Companies are increasingly spending more resources on trivial controls that reduce minimal risks. The solution? Get management support of an accepted framework to prioritize control implementation by risk, not by hype.

Page 15: Top 10 IT Security Issues for 2011

Risk Management

● Risk
 – IT resources (time, budget, technical capabilities) are limited
 – Typically more risk exists than can be mitigated
 – If you don't focus on the most important things, then critical risk may be left unaddressed

● Recommendation
 – Executive management needs to support a systematic approach to risk management by supporting an information security program based on an accepted framework
 – Always prioritize risk. (focus, focus, focus)

Page 16: Top 10 IT Security Issues for 2011


Issue 8: Wireless

In the past, it was easy to mitigate wireless risks by separating critical business functions from wireless technologies. That time has ended. Wireless is now pervasive in all industries, business units, and technologies, and has moved from business convenience to business enablement. Consistent with the theme of dissolving the perimeter, do companies really understand that the increased flexibility and accessibility provided to legitimate users also increases the accessibility to malicious users? Wireless can be introduced into your environment securely, but consistent implementation at all control levels – management, operational, and technical – is necessary to protect your sensitive information and critical infrastructure.

Page 17: Top 10 IT Security Issues for 2011

Wireless

● Risk
 – Wireless signal bleed increases area in which an attacker can “physically” access your network
 – Wireless protocols are often found to be insecure
 – Wireless is more frequently utilized for core network functions – separating core business functions from wireless systems via network segregation is not always practical

● Recommendation
 – Secure protocols should be used, of course, but also layers of security: emphasis on password policies, mobile device security, encryption, training, etc.

Page 18: Top 10 IT Security Issues for 2011


Issue 9: Inadequate Testing Programs

As systems become more complex, so must the control environment to protect those systems. Start asking yourself some probing questions. Are we sure each control is working as designed? Do we have multiple layers of controls in case one fails? However, do we have similar layers in our testing program? Do we rely solely on an annual penetration test? How could more frequent vulnerability scanning and scheduled controls-testing work together with focused penetration testing to form a comprehensive testing program that provides optimum assurance? Critical assets and the controls to protect them must be understood and well-documented. Only then can a testing program be developed to ensure each control is working as expected.

Page 19: Top 10 IT Security Issues for 2011

Inadequate Testing Programs

● Risk
 – Security controls are not working as intended

● Recommendation
 – Ask these questions:
   ● Is each control working like we think it is?
   ● Do we have layers of controls in case one fails?
   ● Do we really think we are secure because we have a ________ installed?
   ● Have we actually done an objective test of our critical controls?

Page 20: Top 10 IT Security Issues for 2011


Issue 10: Lack of Mobile Device Security Policy

Controlling enterprise-deployed mobile devices is hard enough without also dealing with increasing numbers of personal devices connecting to the network. A recent smartphone management survey found that “of the 60% of employees that are becoming smartphone equipped, up to 80% may be employee owned.” Whether company-owned or employee-owned, if a smart phone or personal computing device can access or store enterprise data, users must follow internal policies and procedures. So, be sure to update your policies to address your employees' use of these personal devices.

Page 21: Top 10 IT Security Issues for 2011

Lack of Mobile Device Security Policy

● Risk
 – Mobile devices such as iPads, iPhones, and Android devices are becoming ubiquitous
 – They host functional apps with extensive network access, data storage and systems access
 – They are often employee owned/controlled

● Recommendation
 – Create a mobile device security policy to address: confidentiality, integrity and availability of mobile device usage
 – Policy should address: access control, authentication, encryption, incident response, training/awareness and vulnerability management

Page 22: Top 10 IT Security Issues for 2011


Resources:

- Penetration Testing

- Downloadable mobile security policy template

- Key to a successful information security program

Page 23: Top 10 IT Security Issues for 2011


{ Thanks!  }
