security’s top five priorities

DarkReading recently posted Security’s Top Five Priorities. I wasn’t going to post on this, but my manager made this a homework assignment as we’re going to discuss it at our team meeting today, so here are some notes.

1. The Portable Problem – We can encrypt everything: PCs, thumb drives, portable devices, backup tapes. This should also deal with things (data) leaving our control and things (data, devices) coming into our control. Data Leakage Prevention may be a good logging mechanism on what is leaving, and device port control may help control things coming in. I’m not personally sold on NAC/NAP, although…

2. Web Two Point Zero-Day – Nice title! I think the authors missed making the distinction between two very important veins in talking about Web 2.0 attacks: server-side concerns and userland concerns. Server-side concerns deal with fixing up the issues in web applications and making sure they are not opening holes to internal footholds or data that external users should not have: SQL injection, XSS, file execution, and so on. Userland deals with better assurance that users wielding a browser as they surf a website are not going to get pwned or catalyze a site-wide pwnage. Proper SDLC, developer education, and regular audits will help server-side issues. Userland issues are much more difficult: endpoint security, browser and OS hardening and possibly even tools like NoScript, web filtering, gateway malware detection; user education about best practices as well as education on data leakage by posting confidential stuff to the Internet.

3. Attacker Inside! – Monitoring and logging, i.e. an audit trail, is paramount when it comes to detecting/preventing insider attacks. Database access monitoring, least privilege when it comes to network and data access (as opposed to OS access), and separation/rotation of duties could help. Likewise, making sure “small” security breaches that go against policy are truly dealt with, as opposed to ignored such that it creates a bad slippery slope.

4. Endpoint End Game – This is the big one these days. From encryption of the device to OS hardening, HIPS/firewall, device restrictions (USB…). This is also where user education comes into play: teaching users about the risks of using wireless, laptops, what data is important, social engineering issues, software policies (P2P), and what to do on laptops when away from our more secure network, where web filtering and gateway controls won’t block malware from malicious sites.

5. Botnet Bugaboo – There’s far less we can do about botnets than the other five issues, but as I’ve long predicted, they are a very real specter looming over the Internet. A lot of power that has thankfully not yet been wielded in a way that impacts me too much. We do have two things we can do. First, prevent PCs from becoming part of a botnet. This should include detection of C&C communications through IDS/IPS. Second, perhaps think about a strategy for responding to a DDoS attack, either directly to us or affecting us as collateral damage (we’re amplifying it or part of the same ISP block). The former doesn’t seem to require anything beyond endpoint and network security in general, and the latter is still pretty “out there” to be a huge priority beyond just thinking about it. I think ISPs, public networks, and security researchers/products have more to worry about here.
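One concrete form of the C&C detection mentioned under item 5, as an added example that is not part of the original post: a small beaconing detector that flags a host calling the same destination at near-constant intervals, the classic shape of bot check-ins. The log format, hosts, addresses and thresholds below are all constructed assumptions, not anything from the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound-connection log lines (timestamp, source host, destination).
SAMPLE_LOG = """\
2007-09-12T10:00:00 src=10.1.1.15 dst=203.0.113.9:8080
2007-09-12T10:00:02 src=10.1.1.15 dst=198.51.100.4:80
2007-09-12T10:05:00 src=10.1.1.15 dst=203.0.113.9:8080
2007-09-12T10:10:01 src=10.1.1.15 dst=203.0.113.9:8080
2007-09-12T10:14:59 src=10.1.1.15 dst=203.0.113.9:8080
2007-09-12T10:20:00 src=10.1.1.15 dst=203.0.113.9:8080
2007-09-12T10:03:11 src=10.1.1.15 dst=198.51.100.4:80
2007-09-12T10:17:40 src=10.1.1.15 dst=198.51.100.4:80
2007-09-12T10:18:02 src=10.1.1.15 dst=198.51.100.4:80
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+)$")

def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail on them
        ts = datetime.fromisoformat(m.group(1))
        conns[(m.group(2), m.group(3))].append(ts)
    return conns

def beacon_candidates(conns, min_hits=4, max_jitter=0.05):
    """Return (src, dst, mean_interval_s) for pairs whose connection gaps are nearly constant.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the gaps;
    ordinary browsing to a site produces irregular gaps and is not flagged.
    """
    findings = []
    for (src, dst), stamps in conns.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((src, dst, avg))
    return findings

if __name__ == "__main__":
    for src, dst, interval in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{interval:.0f}s")
```

On the sample above only the 5-minute cadence to 203.0.113.9:8080 is reported; the irregular visits to 198.51.100.4:80 are left alone.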