Top 10 IT Security Issues 2011

Security Seminar Top Security Risks for 2011 January 7, 2011 - Redspin Security Team (Revised with notes and extended bullets for online viewing).


DESCRIPTION

Top 10 IT security risks for 2011 plus recommendations to minimize risk.

TRANSCRIPT

Page 1: Top 10 IT Security Issues 2011

Security Seminar: Top Security Risks for 2011

January 7, 2011 - Redspin Security Team

(Revised with notes and extended bullets for online viewing).

Page 2

Issue 1: Mobile Devices in the Enterprise

The transition from control at the perimeter to data and/or application-based control has arrived and should be reflected in your Information Security Program. Start by assuming sensitive information will be accessed, wired and wirelessly, from all possible devices - desktops, laptops, iPads, Droids. By relying less on control of the end device you can focus more on controlling the data. Ensure only those people who need access are granted access. Understand where the data must be stored to support business processes and update your information security policies to include mobile devices.

Page 3

Mobile Devices in Enterprise

● Risk

– Assume sensitive data will be accessed from iPads, iPhones, Droids, tablets, laptops, thumb drives, ...

– Managing security risk has moved from the perimeter to the core: applications and data

– Less control of end-user devices

● Recommendation

– There is no single point solution (e.g. DLP)

– Need-to-know access to app/data

– Mobile Device Policy

– Training, training, training

– RDP access can limit remote data storage, MAC scan

Page 4

Issue 2: Social Media Information Disclosure

While social media is relatively new, the threat posed by casual disclosure of many individual bits of non-sensitive information is not. Called “Operations Security” in the federal government, the reality is that in some cases, when aggregated, disparate pieces of related information taken as a whole can in fact be confidential information.

The prevalence of social media in the workplace (both authorized and unauthorized) makes this a credible threat to the typical enterprise. Ensure that your policies clearly state what can and cannot be communicated through social media and train your employees appropriately.

Page 5

Social Media Information Disclosure

● Risk

– Casual disclosure of small bits of information can add up to sensitive data disclosure

– Called 'Operations Security' in federal government

– Prevalence of social media (both authorized and unauthorized) makes this a credible threat

– Example: post to Twitter about new hire, LinkedIn says new hire has forensic analysis experience, post to security message board “malware question”

● Recommendation

– Policies: clearly state what can and cannot be communicated via social media

– Train employees about risk and appropriate use

Page 6

Issue 3: Virtualization Sprawl

Eliminating hardware reduces IT costs and, on the surface, reduces complexity. However, those underlying systems still exist and are simply partially or totally decoupled from the hardware. In many cases, those systems are rapidly replicating as well, increasing the complexity to manage and keep secure. Document procedures thoroughly and define functional responsibilities to make certain that only systems that are needed are in use and the risk to a continually-changing environment can be managed.

Page 7

Virtualization Sprawl

● Risk

– Breaks security model: separation of duties

– Easy replication means:

  ● Many potential configurations

  ● Sensitive data lying around

  ● Complexity

● Recommendation

– Document well-defined process for managing instances

– Ensure only needed instances are in use

Page 8

Issue 4: 3rd-Party Mobile Applications

Vulnerability management programs have had it easy until now. Along with the onslaught of portable and personal media has come a set of third-party applications that were likely developed quickly and without adhering to a secure SDLC (software development life cycle) program. Many patching solutions now support third-party applications; however, mobile devices are less supported and rely more on user interaction for updating. Start by identifying necessary applications and removing everything else. For those applications on the list, determine the most efficient way to patch each one after critical security updates are released.

Page 9

3rd-Party Mobile Applications

● Risk

– Mobile applications are immature and not likely to follow Secure SDLC process

– 3rd-party applications can be difficult to patch on workstations → mobile device enterprise management systems are even less evolved and require more user interaction to update

– Infected mobile device attaching to internal network could compromise internal systems & data

● Recommendation

– Identify necessary apps, remove other apps if possible

– Implement process to monitor app critical updates and upgrade vulnerable apps

Page 10

Issue 5: Vendor Management

With the emergence of cloud computing, vendor management is even more of an issue than in the past. Previously, only parts of enterprise IT were outsourced. Today, an entire business can be hosted in the cloud and one mistake by a vendor could destroy your company. How are you mitigating this risk? As with any outsourced vendor, ensure that the necessary safeguards are defined in your contracts, make sure your vendor has their systems tested annually and provides you with the results.

Page 11

Vendor Management

● Risk

– Vendors are less secure than you think. Big does not mean secure. Yet they hold so much of your sensitive data

– Emergence of cloud computing means data supply chain has vastly grown

– Saying “oops it was the vendor” is no longer a valid reason for unauthorized disclosure of your data

● Recommendation

– Ensure effective security controls and risk management are defined in contracts

– Verify that your vendor is actually having their security controls tested by an objective 3rd party, and disclosing the results

Page 12

Issue 6: SQL Injection

An old standard, and still as prevalent as ever. New applications, old databases. Continue to integrate security into the development cycle and test after all code updates to ensure you identify SQL injection vulnerabilities before an attacker does.

Page 13

SQL Injection

● Risk

– Very common risk

– Can result in compromise of entire database of sensitive data (and your entire network!)

● Recommendation

– Periodically test web applications to ensure they are secure

– Integrate Secure SDLC (software development lifecycle) into development process, where security is designed into application and tested throughout.

– Ensure proper input filtering of user data

– Never trust user supplied input
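The last two recommendations (filter user input, never trust it) shown as working code. This is an added example, not code from the Redspin slides: the same lookup is written once with string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table so the difference can be observed offline. The table, its rows, the tainted input string and the allow-list pattern for usernames are all constructed for the demonstration.

```python
"""Added example (not from the Redspin slides): vulnerable vs. hardened
lookup of a user by name, plus an input allow-list as a second layer."""
import re
import sqlite3

# Constructed sample data standing in for an application's user table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
]

# Allow-list for usernames; this character set is an assumption for the demo.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db():
    """Create the constructed table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable form: user input is spliced into the SQL text, so a quote
    in the input changes the query's structure instead of its data."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the value is bound as a parameter. The driver passes it
    as data, so it is never parsed as SQL syntax, whatever it contains."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_valid_username(name):
    """Second layer (the slide's 'input filtering'): reject anything outside
    the expected shape before it reaches the database at all."""
    return bool(USERNAME_RE.match(name))


def lookup_layered(conn, name):
    """Validation plus parameterisation; returns None when input is rejected."""
    if not is_valid_username(name):
        return None
    return lookup_safe(conn, name)


if __name__ == "__main__":
    db = make_db()
    # Constructed input of the classic tautology shape.
    tainted = "nobody' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, tainted))  # every row comes back
    print("safe:      ", lookup_safe(db, tainted))        # no row matches
    print("layered:   ", lookup_layered(db, tainted))     # rejected before the query
```

The parameterised query is the control that actually removes the vulnerability; the allow-list is defence in depth and also a useful detection point, since rejected input can be logged and counted. Note that validation alone is not a substitute: a field that must legitimately accept quotes (a surname, free text) still needs the bound parameter.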

Page 14

Issue 7: Risk Management

Technology continues to evolve, so why shouldn't the risks and management strategies? How is your management team adjusting to new threats that surface on a daily basis? By enforcing 5-minute screen saver timeouts for back-office systems? Or enforcing 30-day password expiration for users that do not have access to sensitive information? Companies are increasingly spending more resources on trivial controls that reduce minimal risks. The solution? Get management support of an accepted framework to prioritize control implementation by risk, not by hype.

Page 15

Risk Management

● Risk

– IT resources (time, budget, technical capabilities) are limited

– Typically more risk exists than can be mitigated

– If you don't focus on the most important things, then critical risk may be left unaddressed

● Recommendation

– Executive management needs to support a systematic approach to risk management by supporting an information security program based on an accepted framework

– Always prioritize risk. (focus, focus, focus)

Page 16

Issue 8: Wireless

In the past, it was easy to mitigate wireless risks by separating critical business functions from wireless technologies. That time has ended. Wireless is now pervasive in all industries, business units, and technologies, and has moved from business convenience to business enablement. Consistent with the theme of dissolving the perimeter, do companies really understand that the increased flexibility and accessibility provided to legitimate users also increases the accessibility to malicious users? Wireless can be introduced into your environment securely, but consistent implementation at all control levels – management, operational, and technical – is necessary to protect your sensitive information and critical infrastructure.

Page 17

Wireless

● Risk

– Wireless signal bleed increases area in which an attacker can “physically” access your network

– Wireless protocols are often found to be insecure

– Wireless is more frequently utilized for core network functions – separating core business functions from wireless systems via network segregation is not always practical

● Recommendation

– Secure protocols should be used, of course, but also layers of security: emphasis on password policies, mobile device security, encryption, training, etc.

Page 18

Issue 9: Inadequate Testing Programs

As systems become more complex, so must the control environment that protects those systems. Start asking yourself some probing questions. Are we sure each control is working as designed? Do we have multiple layers of controls in case one fails? And do we have similar layers in our testing program? Do we rely solely on an annual penetration test? How could more frequent vulnerability scanning and scheduled controls-testing work together with focused penetration testing to form a comprehensive testing program that provides optimum assurance? Critical assets and the controls to protect them must be understood and well-documented. Only then can a testing program be developed to ensure each control is working as expected.

Page 19

Inadequate Testing Programs

● Risk

– Security controls are not working as intended

● Recommendation

– Ask these questions:

  ● Is each control working like we think it is?

  ● Do we have layers of controls in case one fails?

  ● Do we really think we are secure because we have a ________ installed?

  ● Have we actually done an objective test of our critical controls?

Page 20

Issue 10: Lack of Mobile Device Security Policy

Controlling enterprise-deployed mobile devices is hard enough without also dealing with increasing numbers of personal devices connecting to the network. A recent smartphone management survey found that “of the 60% of employees that are becoming smartphone equipped, up to 80% may be employee owned.” Whether company-owned or employee-owned, if a smartphone or personal computing device can access or store enterprise data, users must follow internal policies and procedures. So, be sure to update your policies to address your employees' use of these personal devices.

Page 21

Lack of Mobile Device Security Policy

● Risk

– Mobile devices such as iPads, iPhones, and Android devices are becoming ubiquitous

– They host functional apps with extensive network access, data storage and systems access

– They are often employee owned/controlled

● Recommendation

– Create a mobile device security policy to address: confidentiality, integrity and availability of mobile device usage

– Policy should address: access control, authentication, encryption, incident response, training/awareness and vulnerability management

Page 22

Resources:

- Penetration Testing

- Downloadable mobile security policy template

- Key to a successful information security program

Page 23

{ Thanks! }