
Deception and the art of cyber security

Edward Roberts, director of marketing, Mykonos Software February 28, 2012

“Warfare is the way of deception,” said Sun Tzu, the ancient Chinese military strategist. 

Cyber attackers have long embraced deception, for example by social engineering help-desk employees into installing trojans or handing over users' credentials. Kevin Mitnick, the famed hacker, even wrote a book called “The Art of Deception.” If deception can be used to attack, can it also be used in cyber defense?

Today, it's not clear how thoroughly cyber security professionals embrace this well-established military tactic, beyond paying lip service to the idea that deception is a good thing. Traditionally, security professionals have been mired in a mindset of fortifying perimeter defenses, creating supposedly impervious walls, relying on defensive signatures and valiantly, or vainly, attempting to passively keep attackers from stealing data.

Websites are currently taking a beating from hackers. It's impossible to miss reports in the mainstream media of recent attacks on websites such as Zappos, the Sony PlayStation Network and the CIA by every class of hacker, including hacktivists such as Anonymous, organized crime groups, state-sponsored espionage teams and low-skilled script kiddies.

The web application is among the most porous and frequently attacked surfaces in any organization, and there are five reasons why the web layer is so popular with hackers.

  • First, the sheer number of websites and the ability to automate and scale up attacks puts the economics of hacking firmly in the perpetrator's favor. Today, millions of sites can be scanned for vulnerabilities very quickly and easily, and attacks are distributed and scaled up using botnets.
  • Second, the application is fully exposed: its client-side code is public and every server-side input can be probed anonymously from anywhere, so a vulnerability in the web layer offers the quickest and easiest pathway to get information out of a company or infiltrate the network.
  • Third, the web layer is largely undefended within many organizations, eliminating the hacker's fear of being detected and caught.
  • Fourth, the skill level required to exploit known web vulnerabilities is low because numerous public scripts are available to download and execute known attacks. Consequently, large numbers of unsophisticated script kiddies hit sites with impunity.
  • And finally, the web application is static, so it is easy to profile for weaknesses.

The goal of deploying deception to detect hackers is to change the underlying economics of hacking, making it more difficult, time consuming and cost prohibitive for infiltrators to attack a web application. Realistically, there will always be attackers seeking to gain advantage, and the reality is that the hacking problem cannot be solved, but it can be proactively managed.

So what does web intrusion deception look like? By weaving a deceptive layer of code through the web application, invisible to normal users, one creates a variable attack surface on which attackers reveal themselves through their own behavior: a legitimate user has no reason to touch a hidden form field or a link that appears nowhere on the rendered page, so a request that does is, by construction, hostile. Once a hacker touches one of these deceptive “tar traps,” they have identified themselves and can immediately be prevented from attacking the site.

Inserting deceptive tar traps into the web application changes the hacking game in several ways. First, there is increased risk to the attacker of being detected and caught. Second, a land-mined web application requires more skill to attack because the site does not respond in normal and expected ways; if hackers have to worry about where they attack, they also have to be more selective in choosing sites to compromise. Third, the added traps increase the size of the site, which increases the time it takes a hacker to profile it and find vulnerabilities.

But the ultimate deception is misinformation. Imagine supplying the hacker with fake successes, responses, files and assets to exploit. This wastes the attacker's time and makes them feel they have successfully hacked the site, unaware that they are instead compromising a virtual world.

If they don't know what they are seeing, and cannot rely on what they learn, how can they craft an attack?
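As an added illustration of the tar-trap idea above (this is example code written for this edit, not Mykonos/Juniper product code or anything from the column), the following Python plants two traps that no normal user touches, flags the first request that hits one, refuses the rest of that session's requests, and serves the “misinformation” variant: a plausible but fake success page rather than a 403. The decoy path, the field name and the sample requests are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Assumed decoy names; a real deployment would generate and rotate its own.
TRAP_PATH = "/admin-backup/"   # never linked anywhere a user can see or click
TRAP_FIELD = "debug_mode"      # hidden form field, always rendered with an empty value


def plant_traps(html: str) -> str:
    """Weave traps into a rendered page. A browser submits the hidden field
    untouched (empty) and never follows a URL that lives only in a comment, so
    only a client that parses and tampers with the page will ever hit either."""
    hidden = f'<input type="hidden" name="{TRAP_FIELD}" value="">'
    comment = f'<!-- TODO: remove before release: {TRAP_PATH} -->'
    html = html.replace("</form>", hidden + "</form>")
    return html.replace("</body>", comment + "</body>")


def robots_txt() -> str:
    """Scanners harvest Disallow entries; real users never read robots.txt."""
    return f"User-agent: *\nDisallow: {TRAP_PATH}\n"


@dataclass
class Request:
    session: str                                   # cookie / session identifier
    path: str
    form: dict = field(default_factory=dict)       # submitted form fields


class TarTrapFilter:
    """Flags the first request that touches a trap and refuses every later
    request from the same session."""

    def __init__(self):
        self.flagged = {}   # session -> reason it was first flagged

    def check(self, req: Request) -> str:
        """Return 'allow', 'trapped:<reason>' on the first hit, or
        'blocked:<reason>' for any later request from a flagged session."""
        if req.session in self.flagged:
            return "blocked:" + self.flagged[req.session]
        reason = None
        if req.path.startswith(TRAP_PATH):
            reason = "decoy-path"      # reachable only by parsing our HTML or robots.txt
        elif req.form.get(TRAP_FIELD, "") != "":
            reason = "field-tamper"    # a browser would have submitted it empty
        if reason is None:
            return "allow"
        self.flagged[req.session] = reason
        return "trapped:" + reason


# Constructed decoy response: looks like a win, leads nowhere real.
FAKE_SUCCESS = "HTTP/1.1 200 OK\n\n<html>Backup archive ready: site-backup.sql.gz</html>"


def respond(filt: TarTrapFilter, req: Request, real_handler) -> str:
    """Serve the real application to clean sessions; serve a plausible but fake
    success page to trapped ones, so the attacker keeps working inside the decoy
    instead of learning from a 403 that they were caught."""
    if filt.check(req) == "allow":
        return real_handler(req)
    return FAKE_SUCCESS


# Constructed sample traffic: an honest login, a scanner that fuzzes every
# parameter, that scanner's follow-up request, and a blind probe of the decoy path.
SAMPLE = [
    Request("s1", "/login", {"user": "alice", "pass": "hunter2", TRAP_FIELD: ""}),
    Request("s2", "/login", {"user": "' OR 1=1--", "pass": "x", TRAP_FIELD: "1"}),
    Request("s2", "/account"),
    Request("s3", TRAP_PATH + "db.sql"),
]


def run(requests=SAMPLE):
    """Verdict per request, in order, from a fresh filter."""
    filt = TarTrapFilter()
    return [filt.check(r) for r in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE, run()):
        print(f"{req.session} {req.path:25} {verdict}")
```

Two design points matter in practice: the traps must be invisible to real users (an empty hidden field and a commented-out URL never appear in a normal browser session, so a hit has essentially no false-positive cost), and the decision is keyed on the session so that one trap touch poisons everything that client does afterwards rather than only the single offending request.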

Intrusion deception is a new approach to cyber security built on classic philosophies from the “Art of War.” Sun Tzu said, “Appear weak when you are strong, and strong when you are weak.” Your website can appear weaker, but actually be stronger. How's that for changing the game on the hacker?


Edward Roberts is the director of marketing at Mykonos Software, which was recently acquired by Juniper Networks.

 

Forensic incident response to the fore

Anthony Di Bello, product marketing manager, Guidance Software February 24, 2012

We've recently been witnessing tremendous change in perspective when it comes to IT security. It started in early 2010 when Google announced publicly that it had been the victim of a sophisticated cyber attack. Later, more companies went public: software makers, defense contractors, computer and networking companies, and most recently the security and domain name registrar VeriSign.

I don't believe these incidents are a blip, but rather a flip. A flip in the way organizations view coming forth publicly about significant IT security incidents. The shroud of embarrassment associated with breaches has been lifting. I suspect in the year ahead we will see many more breach announcements. Not only because Google helped make it more acceptable, but because it's required in many cases now as we detailed in “SEC Cybersecurity Guidelines -- What You Should Know.” The SEC is all but making it a mandate for public companies to report significant incidents.

More importantly, what does all of this mean for the IT security industry? Has any of it changed the way enterprises view security? Fortunately, yes. The message is clear: Even the most sophisticated companies can be breached.

This is changing the way many in IT security view their profession. The industry is no longer viewed as just about firewalls, secure sockets layer (SSL), anti-virus, and intrusion detection and prevention systems. While such defenses are vital, no one can architect an impenetrable enterprise-wide defense.

Jon Oltsik, a principal analyst at Enterprise Strategy Group (ESG), gets this. In a recent post he argues that, “Large organizations need best practices for inevitable security events.”

It's absolutely so. When it's finally understood that a certain percentage of attacks will be successful, incident response and forensics become much more important.

For instance, ESG's research found that 20 percent of large enterprises are certain that they've been the target of an advanced attack (often referred to as an advanced persistent threat), while another 39 percent believe that they've likely been targeted. That's roughly 60 percent of organizations who have good reason to believe that they've been targeted by attackers who are skilled at what they do. Personally, I think a good percentage of those who don't think so either have nothing worthwhile to steal, or they're burying their head in the sand.

Something worth noting about the ESG research findings is that organizations seemed to be challenged when it came to actually having the internal technical chops necessary to respond to an incident. They may lack the staff necessary to respond, or the technology, policies, procedures, and even proper internal communications plans.  

Oltsik believes that more CEOs are likely to increase security budgets this year and put the pieces in place necessary for their organizations to more effectively respond to security breaches.

It's not just executive leadership that is taking notice of the need for incident response. The topic is getting increasing media attention after years and years of inattention.

It's a great sign to see more news items tackling the topic. It shows a general maturing of IT security.

One example is an interesting story last month in DarkReading. The piece highlights how organizations can overcome staff shortages, lack of skills and lack of incident preparedness.

While surveys, news stories and opinions are some indicators, when trying to determine the accurate direction of a trend it's always good to gather information from multiple data points.

Joseph Naghdi of Computer Forensics Lab says, “There is definitely an uptake in hires for forensic experts, and this trend will continue.”


Anthony DiBello is the product marketing manager for compliance and cybersecurity solutions at Guidance Software. The company will be returning to the RSA Conference this year and will be located at booth 136.

 

The blueprint for secure BYOD

Tom Murphy, CMO, Bradford Networks • February 21, 2012

Bring-your-own-device (BYOD) quickly made the jump from industry trend to business imperative, and organizations are now feeling the pressure to open their networks to employee-owned devices. Unlike corporate-issued devices that are well-managed and under IT's control, this new BYOD initiative introduces a unique set of security challenges that require a balance of flexibility, visibility and security. Looking for a turnkey solution to BYOD, many organizations are turning to vendors that don't necessarily offer complete security, leaving sensitive corporate data vulnerable to attack.

In order to ensure holistic network security with a BYOD policy, organizations need to consider all parts of the BYOD ecosystem, including mobile device application development, mobile device management (MDM) and network access control (NAC):

Mobile device application development

Simply put, organizations need to make sure the apps people use on their mobile devices come from a trusted, reliable source, such as a vendor app store. While not perfect, app stores are among the safest places to download apps: submissions go through the store's review process and are signed, so their integrity can be verified before they run. Taking this step provides a strong building block for the rest of the blueprint.

Mobile device management (MDM)

MDM provides IT with the ability to monitor the activity of each device deployed across mobile operators, service providers and enterprises by tracking and managing the data and applications of each individual phone and/or tablet. MDM solutions can provide the following:

  • Remote enforcement of device passcodes and configuration policies
  • Remote OS patching and/or upgrades
  • Remote install or removal of applications
  • Full-disk or folder-level encryption
  • Remote locking or wiping of lost/stolen devices

Network access control (NAC)

NAC tracks and secures network access for every endpoint that tries to reach a corporate network. These endpoints include (but are not limited to) PCs, laptops, servers, printers, IP phones, medical devices, POS devices and, in a BYOD environment, smartphones and tablets. NAC technology can automatically identify and profile all devices and all users on a network, providing complete visibility and control. It can also let IT departments automatically differentiate between corporate and personal assets and provision network access accordingly, so that the correct access policy is applied to each device. In a hospital setting, for example, a doctor's personal iPad may be allowed to access patient data, while the devices administrative staff use to check patients in and out may have only limited access to the network.

In order to fully embrace BYOD, IT managers need to consider all facets of the BYOD blueprint, as successful BYOD strategies will use a combination of these technologies to enforce the overall policy. With all three technologies, devices are protected and network access is determined by device (and/or by user) based on corporate policy. IT gains a holistic view of devices and users across the network as well as the ability to automatically provision access accordingly – giving control back to IT managers and freedom of choice to employees. 

 

Building your security policy

Devin Anderson, director of product management for security suite, LANDesk • February 15, 2012

Complete endpoint security can no longer be ignored and a “good enough” security strategy is no longer good enough. Historically, building a complete and integrated endpoint security program was too often at the bottom of an IT manager's list, or something that was viewed as too costly or “a project for next year.” But in today's world, we are constantly reminded of the criticality of endpoint security as more companies are breached and hacker groups announce their latest ploys on a daily basis.

The nature of threats is changing too. No longer are hackers simply targeting random individuals just for fun with a mischievous attack. Instead, hackers are now part of organized initiatives (or even foreign governments) working to exploit your company's and its customers' data for financial gain and to wreak havoc on your business. In addition, attack vectors are more complex than ever – often employing multiple types/styles of malicious code to attack end-user systems.

In short, today's threat environment is extremely daunting, whether you're a small start-up or a large enterprise, and the myriad point products and odd security vendor mash-ups in the marketplace don't make matters any easier. However, there are several pieces of functionality you should look for in order to arm yourself with a unified threat management strategy.

  1. Know who/what/where. Your security policy should be fluid, adapting to the type of end-user and their environment. The ability to adjust security settings based on a user's job function and location (e.g., the corporate network, a home office or an airport) is a basic concept every security policy should employ.
  2. Couple AV. Contrary to popular opinion, AV is not dead, but if you use it as a standalone defense, your reputation could be. As your only defense against malware, AV is wholly ineffective; it must be integrated with additional, more proactive threat protection.
  3. Patch, patch, patch. Simple in theory, but you'd be surprised how few IT technicians actually follow the process and use the tools needed to succeed here. While patching is simple in theory, it becomes overwhelming on a machine-by-machine basis, and complexity escalates quickly with multiple platforms and a wide range of applications. An integrated patch management tool changes that: patches are deployed to thousands of machines from one console, with far less duplicated effort and significantly higher success rates.
  4. Black, white and grey. Many solutions claim to have blacklisting capabilities, but attempting to continuously block every potential threat is not realistic in this day and age. You're better off permitting only the good stuff, i.e., pre-approving which applications can run (whitelisting) and then monitoring application behavior. By pre-approving known applications and watching the rest for potentially harmful activity, you arrive at a grey area, and in this case that's a good thing. Better yet, tie the approval to trusted deployment systems and make your life even easier.
  5. It's all in the HIPS. A host-based intrusion prevention system monitors your systems for suspicious activity, attempts to block it and records the incident. Logging, not just blocking, lets you identify the types of bugs and attack patterns you face, secure your network better and take a more proactive stance in the future.
It's a safe bet that your organization will be the target of a breach at some point. You should prepare for the “when” to reduce the “if,” and focus on eliminating the endpoint as an attack vector. While these five basic steps are by no means comprehensive, they will serve as a proper foundation for any IT security policy – be it big or small – and will help safeguard your organization from today's ever-increasing threatscape.
 

Risk: Security's new compliance

Torsten George, vice president of worldwide marketing and products, Agiliance • February 06, 2012

For many years, complying with government standards and industry regulations was seen as an obligatory check box in the lengthy list of IT security tasks. However, recent changes in the security ecosystem are leading to a rethinking of this approach.

2011 saw a record number of cyber security attacks and associated breaches with very public disclosures including Citigroup, the International Monetary Fund, RSA (the security division of EMC), Lockheed Martin, Google, Sony, ADP and NASDAQ. These attacks are just the tip of the iceberg. Government networks, critical infrastructure operators and the private sector are facing an increasing frequency and sophistication of cyber attacks and breaches of information security – often with discovery after the fact.

Risk-based security

The 2012 Global State of Information Security Survey, conducted by PwC, surveyed more than 9,600 security executives from 138 countries and reveals that only 16 percent of respondents believe their organizations are prepared and have security policies in place that are able to confront an advanced persistent threat (APT). This does not come as a surprise, considering three years of budget constraints that led to degradation in core security capabilities.

Considering the current economic climate and impasse in Congress, a dramatic change in prior years' budget limitations across the commercial and public sectors appears unrealistic; however, the increased threat levels will lead to a budget realignment toward security. Security professionals will be asked not to deploy additional security solutions, but instead to find better ways to leverage existing investments in security tools. The revised objective of many organizations today is to develop a risk-based rather than compliance-driven approach to determining the business' investment decisions.

According to a 2011 survey, more organizations are focusing on managing risk, not just security. In fact, 57 percent of survey respondents had already shifted to a risk-based approach, employing a formal enterprise risk management process or methodology. 61 percent of respondents indicated that they will put even more value on a risk-driven strategy going forward.

This data is complemented by independent market research studies, which show that more organizations recognize that instead of looking at governance, risk, and compliance (GRC) from a centralized perspective, it is more efficient to let business operations drive these efforts as that's where the organization's risk knowledge resides. In this context, the market sees the emergence of the role of the business information security officer (BISO) to reflect the fact that regional resources are the real subject matter experts when it comes to risk associated to particular business units.

Making risk visible, measurable, and actionable

The dilemma organizations face is that their current security and vulnerability measures, including perimeter intrusion detection and signature-based anti-malware and anti-virus products, are unable to keep up with evolving threats. Often these tools operate in silos, neither integrated nor interconnected, so there is no closed-loop process or continuous monitoring. Another shortcoming is that most vulnerability programs lack a risk-based approach in which vulnerabilities and their remediation are prioritized by the risk to the business. Thus it is often impossible to make risk visible, measurable and actionable.

However, real-time risk analysis is essential to optimize business performance and make better investment decisions. Therefore, organizations should explore software tools that can aggregate data from existing security tools and information management applications. These tools provide not only advanced reporting but also the interconnectivity to ensure that remediation actions can be triggered and followed through easily. At the same time, they tie compliance and security automation together, extending traditional GRC capabilities. Leveraging such tools lets organizations implement a holistic view of security while automating the GRC process. This approach is being labeled “security risk management” rather than “GRC,” and yields the following benefits:

  • Reduces risk by making threats and vulnerabilities visible and actionable; enables organizations to prioritize and address high-risk security vulnerabilities before breaches occur
  • Reduces cost by streamlining processes to leverage automation and reduce redundant, manual efforts
  • Provides reports and metrics to measure effectiveness and efficiency
 

Security vendors can no longer ignore patch management

Scott Hagenus, VP, strategic relationships, GFI Software • February 03, 2012

Patch management can prevent most of the malware currently exploiting software vulnerabilities, so why isn't the technology being used everywhere?

Part of the problem is the misconception that if you run your anti-virus (AV) software regularly and update the operating system, you are covered. Reality begs to differ. While AV software derails a lot of potentially harmful attacks, it is only one component of a comprehensive security solution. Updating the OS is important, but it doesn't cover holes in applications and browsers that hackers, cyber criminals and other assorted IT malefactors are adept at exploiting.

Simply put, a truly comprehensive security strategy includes automated, centralized patch management software designed to handle the multitude of patches issued by multiple vendors at different times; a system to perform the necessary tests before applying patches; and the tools to conduct software audits on a regular basis. Executing all of that has, for far too long, been a challenge for many small and midsized businesses, and completely out of reach for the average home user.

This needs to change.

The software patching function could be accomplished much more easily for most home and business users if security hardware and software vendors (including AV, firewall, gateway appliance and PC utility companies) integrated patch management into their solutions. It's hard to think of a better fit between complementary technologies, but even though patch management has been available for the better part of a decade, most security vendors still don't offer it among their growing slate of features.

For their part, service-focused companies such as ISPs (internet service providers), MSPs (managed service providers) and RMM (remote monitoring and management) vendors have been successfully integrating patch management into their offerings, thereby taking pressure off their customers to keep systems safe, while also establishing incremental service revenue opportunities for themselves.

Managing a stream of patches

Keeping up with the stream of patches in the course of a year is a daunting task for any IT administrator, let alone the average home user. Vendors follow their own schedules, issuing patches monthly, quarterly or as needed. Microsoft alone issued close to 100 updates last year.

Most software applications and systems nowadays do come with auto-update mechanisms for downloadable patches. However, the updaters operate independently of each other, taking up resources and bogging down systems, and many still require the user to approve or launch them. They are time-consuming, requiring application shutdowns and system restarts, so it's easy to see why many users put them off.


Automated patch management solves this problem and, in so doing, prevents upward of 90 percent of software attacks, most of which hit home computers. Consider that most botnets, responsible for untold spam, DDoS and phishing attacks targeting corporate networks, are essentially thousands of infected home PCs, and it becomes clear how intertwined corporate security is with the security of the average home user.

There's not only an industry imperative to address here, but there's also a tremendous market opportunity for security vendors to seize.

Six pack of trouble

Think of patch management as a flu shot. Like the flu, computer viruses and malware evolve constantly. Just as your body has to adapt to fight off infection, so does your IT environment. A vaccine helps your body adjust, and that is what a patch management system does for your network.

A recent Center for Strategic and International Studies (CSIS) study made a strong case for patch management. The study, conducted over a three-month period, found that simply applying the most recent patches to six software packages on Windows machines could prevent 99.8 percent of malware infections. The six packages are the Java JRE (responsible for 37 percent of infections), Adobe Reader/Acrobat (32 percent), Adobe Flash (16 percent), Microsoft Internet Explorer (10 percent), the Windows Help and Support Center (HCP) protocol handler (three percent) and Apple QuickTime (two percent).

For anybody using a computer or managing an entire network, automated patch management is clearly a tremendous benefit, protecting their systems and data while saving them money. A network free of viruses is, of course, more cost-effective than one requiring remediation after an infection.

Patch management should be a fundamental component of any comprehensive security solution. It's something ISPs, MSPs and RMM vendors understand, though we can't yet say the same for a broad array of other security vendors, who should proactively strengthen their products with integrated patch management to better protect their business and consumer customers.

If they don't, users and service providers should pressure them to do so. If they succeed, it would be a win for everyone.


Scott Hagenus is vice president of strategic relationships at GFI Software. Learn more at www.gfi.com or by sending email to atg@gfi.com.

 

Lessons on insider threats

Brian Anderson, CMO, BeyondTrust • February 02, 2012

In recent years, two rogue traders, Jérôme Kerviel at Société Générale and, more recently, Kweku Adoboli at UBS, cost their respective financial institutions more than $9B by making unauthorized trades.

And let's not forget Julian Assange. WikiLeaks gave new meaning to the concept of insider threat by providing a convenient vehicle for staff at government agencies and public and private corporations to hand their privileged information to the world almost instantly.

Insider threats are becoming a global phenomenon. Every company in every part of the world is subject to some level of insider threat. And guess what? Insider villains are just as unidentifiable in the U.K. as they are in the United States. They appear just as innocuous in Poughkeepsie as they do in Perth.

Yet despite these costly, high-profile breaches, hacker attacks are far more publicized than insider attacks. Last summer Anonymous and LulzSec attacks splashed news headlines, and undoubtedly more people could name Anonymous than they could Kweku Adoboli.

As I meet with executives of large corporations, they have one request of our company: Keep us out of the Wall Street Journal. Don't let me be the CEO who lost all of my customer's credit card data.

The richness and sensitivity of this information, much of it personal to the consumer, has led to a series of legislative and industry efforts to ensure it is secured. Sarbanes-Oxley, PCI DSS, Basel II and a host of standards throughout the world have emphasized the importance of, and indeed require us to secure, the assets of our customers.

Billions of dollars have been spent over the last few decades on corporate information technology security in order to “keep the bad guys out,” but it turns out the bigger threat was, and always has been, found within the network perimeter: the so-called “insider threat,” the trusted employee, contractor or partner who can cost an organization more on a daily or per-incident basis than any outside hacker could hope to.

Whether we like it or not, “good people can do bad things” intentionally, accidentally, or indirectly.

If you have employees with excessive privileges or access to sensitive data, then they are at risk of intentionally, accidentally or indirectly misusing that privilege and potentially stealing, deleting or modifying the data. There is a very fine line between intent and action, especially when excessive privileges on IT resources are involved.

In April 2011, a former network security engineer at Gucci America was indicted on charges that he illegally accessed the company's network and deleted documents shortly after he was fired, costing Gucci nearly $200,000 in damages. Using an account he secretly created while working at the company, the former employee allegedly later accessed Gucci's network and deleted virtual servers, shut down storage areas and wiped corporate mailboxes.

Employee terminations are, unfortunately, a necessary evil for corporations. The Gucci America case, and many others like it, calls attention to the importance of having policies and procedures in place to ensure terminated employees no longer have access to company information and resources. Email, network and application accounts must be swiftly deactivated. Employees who held administrative privileges while at the company pose an even greater threat, because they may have created accounts or other access paths of their own that a name-based deprovisioning checklist will never touch.
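One concrete form of the termination-day check described above, as an added example (not BeyondTrust's code or anything from the column): a reconciliation of HR's terminated list against the identity store's account inventory that finds not only the departing person's own accounts but also any account that person created, which is exactly what a name-based checklist misses. The records, field names and dates are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed identity-store inventory (field names are assumptions), one
# record per account. 'backup-svc' is the Gucci pattern: an admin quietly
# created it, so no HR record ties it to him and a checklist keyed on his
# username would never touch it.
ACCOUNTS = [
    {"name": "jdoe",       "owner": "jdoe",   "created_by": "it-provision",
     "created": date(2009, 3, 2),  "enabled": True,  "admin": True},
    {"name": "backup-svc", "owner": None,     "created_by": "jdoe",
     "created": date(2011, 4, 1),  "enabled": True,  "admin": True},
    {"name": "asmith",     "owner": "asmith", "created_by": "it-provision",
     "created": date(2010, 6, 9),  "enabled": True,  "admin": False},
    {"name": "jdoe-old",   "owner": "jdoe",   "created_by": "it-provision",
     "created": date(2007, 1, 5),  "enabled": False, "admin": False},
]

# Constructed HR feed: person -> termination date.
TERMINATED = {"jdoe": date(2011, 4, 10)}


def offboarding_findings(accounts, terminated, lookback=timedelta(days=90)):
    """Return (action, account, reason) for every enabled account a termination
    should have touched. The person's own accounts get 'disable'; accounts the
    person created get 'review', with extra emphasis when the account was made
    shortly before (or even after) the termination, or carries admin rights."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # already dead; nothing to do
        if acct["owner"] in terminated:
            findings.append(("disable", acct["name"], "owner terminated"))
        elif acct["created_by"] in terminated:
            creator = acct["created_by"]
            age = terminated[creator] - acct["created"]
            reason = f"created by terminated user {creator}"
            if age < timedelta(0):
                reason += ", created AFTER termination"      # access survived offboarding
            elif age <= lookback:
                reason += f", {age.days} days before termination"
            if acct["admin"]:
                reason += ", has admin rights"
            findings.append(("review", acct["name"], reason))
    return sorted(findings)


if __name__ == "__main__":
    for action, name, reason in offboarding_findings(ACCOUNTS, TERMINATED):
        print(f"{action:8} {name:12} {reason}")
```

The useful part is the `created_by` join: it needs the identity store (or its audit log) to record who created each account, which is exactly the kind of attribution that should already be in place for anyone holding administrative rights.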

Human nature is the weakest link when it comes to the intersection of people, processes and technology. And, all too often it's the tendency of almost the entire IT industry – vendors, analysts and press – to ignore this.

You can't rely on everyone being a saint, or competent, all of the time. It's not just malicious malcontents intent on destroying the system who can cause havoc, but also the negligent, misinformed and downright nosey who can compromise sensitive data. More often than not, such people have far too much privileged access for the role they are required to play: admin rights on the desktop, the root password on the server.

It would be nice if every villain inside your organization walked around wearing a big sign that broadcasts "bad guy looking to do bad things," but alas it is only in cartoons and movies where you can always find the stereotypical bad guy.

In real-life enterprises, insiders look like you and me – just regular employees doing their job and collecting their paycheck. That's why securing the perimeter within is so important.


Brian Anderson is CMO at BeyondTrust. Brian co-authored the first definitive book on insider threat mitigation with BeyondTrust CEO John Mutch, called Preventing Good People from Doing Bad Things.
 

Best practices to secure the mobile enterprise

Scott Emo, head of endpoint product marketing at Check Point Software Technologies • January 30, 2012

Mobile devices have infiltrated nearly every aspect of people's lives. The amount of personal and corporate data stored on these devices makes securing the information on them a priority.

A survey conducted in January 2012 by Dimensional Research explored the impact of mobile devices on information security in corporate environments, noting that 94 percent of companies have seen an increased number of personal mobile devices, such as smartphones or tablets, connecting to corporate networks. Increased employee productivity and mobility are the main benefits for organizations that allow these devices in the workplace, but those benefits come with their own set of risks.

The threats associated with mobile devices can come in many forms, including:

  • Mobile operating system – Every OS, including Android, iOS, BlackBerry and Windows, comes with its own set of security challenges. Threats can originate from mobile apps, the mobile browser, as well as insecure Bluetooth and Wi-Fi hotspot usage.
  • Employees – The lack of security awareness among employees is often the leading factor affecting the security of mobile data. Many employees simply aren't aware of the mobile security risks, or of the corporate policies that govern storing corporate data or customer information on mobile devices and accessing business applications from them.
  • Personal mobile devices – The consumerization of IT brings another layer of complexity as more employees want to leverage their personal mobile device for business purposes. While companies begin to accept the “BYOD” (bring your own device) trend, there are significant concerns about the privacy of sensitive data stored on the devices that IT must handle.

The first step businesses should consider when safeguarding against these security challenges is to develop and enforce best practices and corporate policies for the mobile enterprise. These should include:

  • a list of approved devices that may access corporate data;
  • the types of data that may be stored on mobile devices and taken out of the corporate environment;
  • which types of mobile apps may be installed on devices;
  • a procedure to follow when a device is lost or stolen;
  • a routine for applying operating system patches;
  • a requirement for device passwords; and
  • the capability to wipe a lost or stolen device.

Mobile device usage in the workplace is a trend that has staying power because it un-tethers employees from their offices, allowing them to work more efficiently while on the go. As with any emerging trend, organizations will need to be careful about striking the right balance between mobility that empowers employees and the new security concerns that arise from it.

 

A closer look at two of today's top security threats

Matt Ulery, director, product manager, NetIQ • January 26, 2012

As an information security professional, there are two security issues that I continually hear about when talking to IT organizations today: protecting against malware and advanced persistent threats (APTs), and securing data in virtual and cloud environments.

Advanced persistent threats

Hackers and computer criminals have shown an ongoing ability to stay one step ahead of the security professional. This is occurring in large part because security is often not treated as a sustained effort, and too many organizations take a check-box approach to implementing security or meeting compliance objectives.

As a result, long-term coordinated attacks can often exploit inadequate defenses over a period of time. In many cases, these attacks are well disguised and designed to undermine typical security controls deployed within many organizations. Often these attackers are well-funded, financially motivated and in some cases nationally sponsored (by China, in particular).

These entities have changed the game by using new types of attacks that traditional systems can't easily detect. APTs require a fundamental change in mindset among IT professionals, toward a state of sustained vigilance. There are no "quick fixes" for APTs, and no single product is a cure-all.

Organizations need the skills and tools to find patterns, correlate activities across applications and infrastructure, and conduct forensic analysis to find the clues that they may be compromised, or are about to be. They need to do this in real time, and most organizations do not have the visibility, solutions or skill sets to protect themselves against such sophisticated attackers. The information needed to detect attacks exists within the enterprise regardless of whether the attacker is an external party or an insider; organizations that are not proactively collecting and analyzing it lack the visibility needed to detect and respond to threats.

Virtual and cloud computing

Securing data, both personal and corporate, within virtual and cloud environments without the ability to implement and monitor controls presents a significant challenge for IT security personnel. As virtualization and cloud technologies continue to expand – due largely to the need to lower costs in IT – this trend has required us to grow, and in some cases, change our approach to security monitoring.

Not all virtual and cloud environments offer customers the ability to implement and manage effective security controls, and this can pose tremendous risk, particularly as many service providers do not guarantee the security of data stored within their environment, and the owner of the data generally retains liability if a breach does occur.

Organizations must understand that outsourcing IT does not transfer responsibility for data or liability associated with its security. Companies can mitigate the risks somewhat here through carefully structured contracts with clear SLAs, but that is not a failsafe by any means.

It may be difficult to implement parallel security controls so that confidential data accessed on the network is treated in the same fashion outside of your organization. End-users cannot be expected to know the location of an application or how to avoid placing sensitive data in a virtual or outsourced repository that may not have adequate controls in place. So, while there is no question about the ease and convenience of virtualization, these services may prevent IT from applying needed security controls, allow end-users to unintentionally expose confidential personal and corporate data, and ultimately put the business at risk of liability.

IT cannot stop business users from contracting discrete services to support their objectives. IT needs to enforce protection at the data level, regardless of where the data is located. Where the service is infrastructure or platform as a service and the organization retains control of the systems, this can be addressed as an extension of current enterprise monitoring. Where the organization gives up control of the infrastructure for the benefits of SaaS, the risks must be addressed through a carefully structured contractual agreement that includes terms for auditing and reporting. Without such protection, the organization is exposed as employees move critical information to cloud services.

Considerations for any security program

As new threats and deployment models increasingly impact organizations' security strategies, it is important to formulate a security model that accounts for these changes.

Ultimately we need to change our view of "trusted" users and focus on behavior rather than on the user. For that reason, a "zero trust" model is the most appropriate approach if organizations are to fully protect data and systems. In this context, no user is blindly trusted: activity is continuously monitored and identity continuously verified. Controlling rights through an overall identity/role lifecycle, and continuously monitoring the use of those rights, will help ensure that corporate data is protected against the new threats that routinely hit organizations worldwide.

 

Solving the hardest problems in enterprise data security

Jim Ricotta, CEO, Verdasys • January 23, 2012

Verdasys believes global enterprises will most probably face the following data security challenges in 2012, listed from most to least difficult to manage:
  1. Targeted cyber attacks
  2. Insider threats
  3. Intellectual property containment

As this list refers to data threats with a proven potential to severely impact a business's bottom line if left unaddressed, the relatively benign “threat” of failing a compliance audit did not make the cut.

These potentially existential threats are not only prioritized by how hard they are to solve, but are also in order of their urgency to be solved. This is based on the “top down” theory of data security that says the most difficult threat requires a solution that will, by definition, mitigate all other risks of lesser complexity. For instance, to prevent insider threats one must have found a practical solution for auditing and controlling enterprise uses of intellectual property (presuming that is the primary data target of a malicious insider). Likewise, to protect intellectual property, one must have found a practical solution to audit and control all data types, and so on. A “bottom up” model does little good if it requires implementing layers of disparate technology to solve progressively harder problems, as this simply incurs greater costs without making you any safer.

If you agree with the logic of top-down defense, then you must defeat the apex predator of corporate data. In 2012, this is undoubtedly targeted cyber threats – aka the advanced persistent threat (APT).

It used to be that stopping a malicious insider from stealing trade secrets was the hardest data security challenge to solve, but APT trumps that threat by being, in effect, an invisible malicious insider. So, if you haven't found a way to identify and track how IP is used, then you wouldn't be able to monitor or enforce how a trusted employee uses that IP, which means you wouldn't be able to detect when a trusted “user” account controlled by APT is stealing it, and so on.

What are APT threats and why are they so dangerous to companies? To start, if your organization has intellectual property (IP) that can be exploited by a global competitor, there's a good chance a purpose-built APT mission to steal it is already under way. Perpetrators of APT attacks are hackers and programmers with world-class skills that are backed by “investors” with essentially unlimited resources (i.e., nation-states) which will not stop until they gain an economic or political edge with your proprietary data.

But what makes APT so challenging to solve is that a successful attack requires it to operate freely within a network indefinitely, so it must be highly customized (at great expense) to be undetectable by typical signature-based security technologies. Unfortunately, this means that virtually all traditional signature-based anti-virus and firewall products, along with most web/email security, intrusion prevention and disk encryption technologies that companies have implemented over the last 20 years, are effectively useless at stopping an APT attack. Companies targeted by APT will need to upgrade their defense strategy to include multiple, integrated layers of extremely sensitive anomaly detection and mitigation.

How do you stop an APT attack? First, you must be able to continuously track any intellectual property over its entire lifecycle. This means tagging files in such a way that the tag cannot be tampered with or lost, no matter how the content is manipulated, shared or transformed. Then, you must be able to identify your privileged users and categorize them by their right to handle data of a given sensitivity (e.g., IT administrator). This means having a policy management system enforced independently of a user's other network privileges. Next, your data protection technology must be able to recognize IP by policy, and control it based on each user's data handling privileges.

At that point, you can be assured of mitigating two key APT risks, even if the attack has not been previously detected. The first one ensures that tagged IP will remain protected if APT attempts to access it with a hijacked account (regardless of system privileges) with insufficient data usage rights. The second is that even IP accessed by an account with sufficient rights could still be contained by policy (e.g., encryption or blocking) if an attempt is made to export the data to an unauthorized destination. In either case, a reporting system which continuously audits all user account activities allows you to know exactly when and how anyone – or anything – attempts to handle IP, and could be an effective tripwire if your network has been compromised.

Finally, you must be able to merge enterprise anomaly detection on workstations, servers and network traffic, using policy rules created to identify specific and subtle APT tactics. This trove of enterprise event telemetry should ideally feed an integrated policy management/data mining system that can sift through legitimate "noise" to isolate and manage multiple anomalous or threatening events (connected or separate) simultaneously. The key to an APT security strategy is that you only need to stop one stage of an APT attack to thwart the entire mission. If a particular security layer fails to detect something, you'll still be OK as long as another layer sees it.

Nobody said tackling these issues was going to be easy, but the threats are only getting worse (search “cyber attack” to see why). The good news is that the technical pieces exist from which to create a security mesh woven tightly enough to trap APT before it can complete its mission, and thus also solve insider threats and IP protection challenges without affecting the business process. Will the best defense be 100 percent effective? No, but it prevents you from being a constant victim. Besides, it is 100 percent certain that doing nothing will cause one or more of these security challenges to inflict serious – maybe permanent – harm to your business.

 

Bridging the cloud security gap

Gil Zimmermann, co-founder and CEO, CloudLock • January 20, 2012

The sun rising tomorrow morning is almost as inevitable as the cloud's integration within every enterprise in 2012. Now that the “if” portion of the cloud question has been answered, the populace is now moving onto the next stage when discussing migrating to a cloud collaboration platform like Google Apps or Office 365: Is it secure?

The ensuing conversation is usually focused on the vulnerabilities and strengths of the infrastructure, whether or not the cloud application provider can see customer data, and whether hackers can gain access to all of the information a cloud provider manages. Once those fears have been allayed, the cloud security conversation is over. The only problem is that these discussions overlook one critical fact: cloud security isn't really about the cloud. It's about people.

The complexities of the cloud bank

Think of the cloud as a bank. Banks have security guards, video cameras and high-tech intrusion prevention systems to keep your money safe. However, all of these systems won't be able to keep a penny in your account if you give your debit card number and PIN out to everyone. This illustrates the user's small, but essential, role in security.

The cloud operates in much the same way. Google, for example, has a stellar track record for protecting data stored in Google Apps. How many times have they lost customer data? Exactly zero. Information that has been lost within Google Apps is always due to a company or user's failure to comprehend the platform's collaboration intricacies. It's not about the security of the infrastructure, it's about how users share data both internally and externally. All the security certifications in the world are irrelevant if an employee shares the salary spreadsheet with everyone in the company or customer credit card info with anyone on the Internet.

Prior to the cloud, IT departments spent a huge amount of time, effort and money on controlling access to data on-premise for things like e-Discovery, governance, risk management and compliance (eGRC). IT staffs used a host of solutions like data leakage prevention, enterprise risk management or network access control to control how information flowed into and out of the corporate architecture. There was a defined border that could be guarded to prevent hackers and insider threats alike. But the public cloud doesn't come equipped with any such point that can be fortified which makes cloud data security an altogether different animal.

Cloud data security = secure collaboration

Collaboration is one of the cloud's primary benefits for enterprises. Unfortunately, it's also one of the major security vulnerabilities as access and usage rights permissions for files are largely left to the users. IT administrators who have long wielded the power in the data security equation now find themselves in a reactionary position. Like on-premise, fundamental cloud eGRC best practices start with understanding how information is flowing throughout the organization, both internally and externally.

Data security traditionally has been viewed as a Wild West movie: the “white hats” attempt to keep confidential information secure while “black hats” try to take it away by any cunning and nefarious means necessary. The cloud makes that viewpoint obsolete. Cloud platforms' high level of security allows enterprises to focus on the finer points of data security. In other words, organizations have to guard the money, not the bank itself. This is a much easier proposition as IT administrators can now focus on access and usage rights for specific documents rather than securing every endpoint and server.

Focusing on implementing the same IT controls for data in Google Apps and Office 365 as for the data that used to sit on on-premise file servers is the gateway to the cost savings and collaboration benefits of the cloud. The best part is that this strategy will equal the level of security of your on-premise infrastructure, if not surpass it.
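To show what "guarding the money, not the bank" looks like in practice, the following Python script is an added example written for this page; it is not CloudLock's tooling or any platform's own code. It models a document inventory with a simplified sharing ACL (the Share and Document classes, the CORP_DOMAIN value and the file-name patterns are all assumptions) and flags exactly the cases the post warns about: a sensitive file shared with the whole company, data exposed to anyone on the Internet, and documents shared with users outside the corporate domain. Real collaboration platforms expose equivalent fields through their permission APIs; the sample inventory below is constructed.

```python
"""Flag over-shared documents in a cloud collaboration platform (added example)."""
import re
from dataclasses import dataclass, field

CORP_DOMAIN = "example.com"   # assumed corporate domain

# File-name patterns for data that should stay inside a small circle. A real
# deployment would also inspect content; names alone are a cheap first pass.
SENSITIVE_NAME_PATTERNS = [
    re.compile(r"salar(y|ies)|payroll|compensation", re.I),
    re.compile(r"credit.?card|card.?number|cardholder", re.I),
    re.compile(r"\bssn\b|social.?security", re.I),
]


@dataclass
class Share:
    kind: str          # "user", "group", "domain" or "anyone"
    target: str = ""   # e-mail address, group address or domain; empty for "anyone"
    role: str = "reader"


@dataclass
class Document:
    name: str
    owner: str
    shares: list = field(default_factory=list)


def is_sensitive(name):
    return any(p.search(name) for p in SENSITIVE_NAME_PATTERNS)


def is_external(address, corp_domain=CORP_DOMAIN):
    return not address.lower().endswith("@" + corp_domain)


def audit_document(doc, corp_domain=CORP_DOMAIN):
    """Return (severity, reason) findings for one document, worst first."""
    findings = []
    sensitive = is_sensitive(doc.name)
    for share in doc.shares:
        if share.kind == "anyone":
            # Anyone on the Internet with the link: worst exposure regardless of content.
            findings.append(("critical" if sensitive else "high",
                             f"shared with anyone on the Internet as {share.role}"))
        elif share.kind == "domain":
            if share.target.lower() != corp_domain:
                findings.append(("high", f"shared with external domain {share.target}"))
            elif sensitive:
                # Company-wide sharing is fine for an agenda, not for payroll.
                findings.append(("high", "sensitive file shared with the whole company"))
        elif share.kind in ("user", "group") and is_external(share.target, corp_domain):
            findings.append(("high" if sensitive else "medium",
                             f"shared with external {share.kind} {share.target} as {share.role}"))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f[0]])


def audit(docs, corp_domain=CORP_DOMAIN):
    """Map document name -> findings, for every document with at least one finding."""
    report = {}
    for doc in docs:
        findings = audit_document(doc, corp_domain)
        if findings:
            report[doc.name] = findings
    return report


# Constructed sample inventory (not real data).
SAMPLE_DOCS = [
    Document("2012 salary review.xlsx", "hr@example.com",
             [Share("domain", "example.com", "reader")]),
    Document("customer card numbers.csv", "sales@example.com",
             [Share("anyone", "", "reader")]),
    Document("Offsite agenda.doc", "alice@example.com",
             [Share("user", "bob@partner.org", "writer"),
              Share("group", "eng@example.com", "reader")]),
    Document("Internal memo.doc", "alice@example.com",
             [Share("user", "carol@example.com", "reader")]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DOCS).items():
        for severity, reason in findings:
            print(f"[{severity.upper()}] {name}: {reason}")
```

On the sample inventory the script reports the salary spreadsheet shared company-wide, the card-number file shared with the whole Internet, and the agenda writable by an external user, and stays silent on the memo shared only with a colleague. The point is that none of these findings concern the provider's infrastructure; every one is a permission a user granted.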
 

Best practices for securing your virtualized data center

Sanjay Raja, virtualization security expert, HP Enterprise Security Products • January 19, 2012

Virtualization is changing the way IT is delivered today and the implications of this transition are endless. Virtualization is essentially taking a physical server and dividing it into multiple simulated or “virtual” servers – aka virtual machines (VMs) running on a single physical server. Now you have fewer boxes that are better used, with lower operational costs and conserved resources. As with many new and less tested methods of computing, there are often data thieves, cyber lurkers and hackers looking for undiscovered vulnerabilities in networks. With organizations deploying virtualization and increasingly moving toward the cloud, security becomes a greater concern.  

With that in mind, CIOs have to make security a priority. Recent breaches, like the Wi-Fi network hack in the Seattle area, where an open wireless network was hacked and sensitive data was stolen, and Sony's PS3 data hack, illustrate that large data centers using virtualization are just as susceptible to an attack as traditional physical data centers.

The reality is that migrating to virtual environments poses security risks equal to those of physical environments, for several reasons:

  • Virtualization software can contain vulnerabilities and requires patching just like any other application. This means patching another layer of software in addition to the pre-existing operating system (e.g., Microsoft Windows).
  • Cyber criminals are employing VM-aware malware that can spread unnoticed and unchecked among VMs, because there is little visibility into the vast amount of traffic between machines that co-exist on the same physical server. The VMs are like self-contained "black boxes," which lets VM-aware malware spread undetected to other physical servers when VMs or applications are moved.
  • As VMs are added to the network, most do not automatically have security policies applied to them. In fact, many IT organizations may be unaware of the rogue VMs popping up across their environment that ultimately put their business at increased risk.

The virtual environment is very different from the "physical" data center, where networks, servers and applications can be easily secured and monitored. Because of these concerns, companies are implementing security software designed for the physical environment and integrating it into the VMs (as so-called virtual appliances), hoping they are protected in the "virtual world." This approach may not effectively address malware and attacks that are VM-aware, because it provides no visibility into VM movement and its security policies are not portable.

Create a more secure environment by keeping the following best practices in mind:

  • Implement comprehensive security policies for safeguarding networks and applications so that protection is the same for both physical and virtual resources. That is the only way to have the same degree of protection for sensitive data and resources. No one wants to take a step backward when attacks are becoming more complex.
  • Avoid relying on virtual appliances, as they do not always offer viable protection. They cannot travel with VMs throughout the network, and the protection they do provide comes at the cost of the server resources virtualization was meant to free up. The ultimate goal of consolidating VMs is to make better use of resources, so why deploy a virtual appliance and lose the savings of virtualization?
  • Integrate full virtual network asset and configuration tracking, which lets security administrators configure comprehensive security policies and obtain information comparable to that available for a physical network. To secure VMs effectively, visibility into how they are connected and into their communication paths is needed, just as for two servers on a physical network.
  • Run comprehensive deep-packet inspection outside the VMs to preserve computing resources for applications without sacrificing security. This also lets security administrators focus on security while server administrators focus on VMs.
  • Deploying an automated security solution allows the network to adapt to changes in virtual environments, such as introducing a new virtual machine, thus creating continuous protection of both the physical and virtual landscape.

Day in and day out, security is becoming a critical consideration for CIOs. However, comprehensive protection can be achieved if the time is taken to integrate security from the beginning.

 

Offering security services benefits cloud deployments

Dave Meizlik, VP of marketing and business development, Dome9 Security • January 18, 2012

We all know that while cloud computing offers significant benefits, security and protecting private data are the main concern for organizations considering moving to the cloud. Yet, the front-line defense – the cloud server firewall – often goes unused or is misused, resulting in a significant security threat.

One of the main cloud computing security issues, and one that is seldom discussed, is that administrators need to keep management ports open (e.g., SSH or RDP) so they can connect to and manage their servers. When those ports are reachable from the entire internet, anyone – including hackers – can attempt to gain control simply by guessing (or brute forcing) the administrator credentials.

According to a recent report by the Ponemon Institute titled "Managing Firewall Risks in the Cloud," 54 percent of IT personnel say they have no knowledge of the risk of open firewall ports on cloud servers. IT folks admit they just don't yet fully understand the dynamics of cloud infrastructure and its risk. They know that traditional, on-premise security fails to cover virtual and cloud environments. And they know that there really isn't a robust security toolset available from cloud providers. In fact, the cloud has grown so quickly that what's available from cloud providers is often limited, complex and manually operated, and is – of course – isolated to each provider's cloud.

It's not surprising there's a general lack of knowledge and confusion. If you think about the traditional data center, every server is behind the corporate perimeter (and firewall). So, if an administrator leaves SSH open on a server there, it's not a great risk. (This is like leaving your car unlocked in your locked garage.) When that same server is moved to the cloud, it's outside that corporate perimeter/firewall, and keeping those ports open now introduces an abundance of risk. (This is like leaving your car unlocked in a public parking lot.)
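To make the open-port problem concrete, here is an added example (not Dome9's code and not part of the original post) that audits a set of cloud firewall rules for management ports reachable from any address, and rewrites them so those ports accept connections only from an assumed administrator range. The Rule model, the ADMIN_CIDR value and the sample rule set are constructed for the example; the shape mirrors what a cloud security group or host firewall expresses (protocol, port range, source CIDR).

```python
"""Audit cloud firewall rules for management ports open to the world (added example)."""
import ipaddress
from dataclasses import dataclass

# Ports used to administer servers; leaving them reachable from anywhere invites
# credential guessing. VNC and WinRM are added beyond the SSH/RDP the post names.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 5985: "WinRM", 5986: "WinRM-HTTPS"}

# Assumed: the range administrators really connect from (VPN egress or bastion host).
# 203.0.113.0/24 is a documentation range, not a real network.
ADMIN_CIDR = "203.0.113.0/24"


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp", "udp" or "all"
    from_port: int   # inclusive; ignored when proto is "all"
    to_port: int
    source: str      # CIDR, e.g. "0.0.0.0/0"


def is_world_open(rule):
    """True for 0.0.0.0/0 or ::/0."""
    return ipaddress.ip_network(rule.source, strict=False).prefixlen == 0


def tcp_view(rule):
    """Management services are TCP; a protocol-wide rule counts as TCP 0-65535."""
    if rule.proto == "all":
        return Rule("tcp", 0, 65535, rule.source)
    return rule if rule.proto == "tcp" else None


def exposed_management_ports(rules):
    """Return {port: service} for management ports reachable from any source address."""
    exposed = {}
    for rule in rules:
        tcp = tcp_view(rule)
        if tcp is None or not is_world_open(tcp):
            continue
        for port, service in MANAGEMENT_PORTS.items():
            if tcp.from_port <= port <= tcp.to_port:
                exposed[port] = service
    return exposed


def harden(rules, admin_cidr=ADMIN_CIDR):
    """Rewrite rules so management ports are reachable only from admin_cidr.

    World-open rules that also cover non-management ports (e.g. 0-65535) are
    split so the other ports keep their original source. A protocol-wide rule
    is reduced to TCP plus UDP; ICMP and other protocols are not carried over.
    """
    out = []
    for rule in rules:
        tcp = tcp_view(rule)
        if tcp is None or not is_world_open(tcp):
            out.append(rule)
            continue
        mgmt = sorted(p for p in MANAGEMENT_PORTS if tcp.from_port <= p <= tcp.to_port)
        if not mgmt:
            out.append(rule)          # world-open but harmless here, e.g. HTTPS
            continue
        for port in mgmt:             # management ports: admin range only
            out.append(Rule("tcp", port, port, admin_cidr))
        start = tcp.from_port         # remaining sub-ranges keep the original source
        for port in mgmt + [tcp.to_port + 1]:
            if start <= port - 1:
                out.append(Rule("tcp", start, port - 1, tcp.source))
            start = port + 1
        if rule.proto == "all":
            out.append(Rule("udp", 0, 65535, rule.source))
    return list(dict.fromkeys(out))   # drop duplicates, keep order


# Constructed sample security group (not from any real account).
SAMPLE_RULES = [
    Rule("tcp", 22, 22, "0.0.0.0/0"),        # SSH open to the world
    Rule("tcp", 3389, 3389, "0.0.0.0/0"),    # RDP open to the world
    Rule("tcp", 443, 443, "0.0.0.0/0"),      # HTTPS, legitimately public
    Rule("tcp", 22, 22, ADMIN_CIDR),         # SSH already restricted
    Rule("tcp", 5432, 5432, "10.0.0.0/8"),   # database from the private network
]

if __name__ == "__main__":
    for port, service in sorted(exposed_management_ports(SAMPLE_RULES).items()):
        print(f"WARNING: {service} (tcp/{port}) reachable from anywhere")
    for rule in harden(SAMPLE_RULES):
        print(rule)
```

Run against the sample, the audit warns about SSH and RDP and leaves HTTPS alone, and the hardened set has SSH and RDP reachable only from the admin range. A blanket 0-65535 rule is split rather than dropped, so moving the server from behind the corporate firewall into the cloud does not also break the public ports it legitimately serves.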

According to the Ponemon Institute study on cloud security, 39 percent of IT security personnel said that they thought the cloud provider would inform them if their cloud servers were hacked. We call these folks “wishful thinkers.” Perhaps even more concerning, 42 percent said they wouldn't know if their cloud server was hacked, and of those that know, 19 percent said they already have been. So clearly there's a big gap in cloud security, a misconception of who's responsible, and this issue is the top inhibitor to customer adoption. It all adds up to one thing: Service providers need to offer more security services to their customers.

By offering security services (i.e., those that the customer can opt-in, deploy and self-manage), providers will address the security issue head-on without eating into their margin or taking responsibility themselves. In fact, by making services such as encryption, firewalling and identity management available as a premium add-on, providers will increase their margins, differentiate their services and accelerate cloud adoption.

What enterprises need from their providers is the ability to centralize automated firewall management across all their servers and clouds. Automation makes security as elastic as the cloud infrastructure, and centralization eliminates gaps in security and processes and makes security administrators' lives much easier. This holds true for anyone who has a hosted, dedicated or virtual private server.

As a technologist, it's terrific to see cloud computing grow so rapidly. As a security guy, it's concerning to see that this explosive growth has come at a sacrifice to security. I've talked with a lot of security folks, and they tell me they're struggling to catch up with the developers and infrastructure teams which are quickly migrating their enterprises to the cloud. New solutions are needed to help them catch up, approaches that give cloud providers the tools to protect their customers.

 

Evolution of online attacks mirrors the history of advertising

Cameron Byers, sales engineer, Astaro (Sophos) • January 17, 2012

The rise of television brought with it the golden age of mass marketing. Businesses selling consumer goods would pay large sums of money to have their ads featured during prime viewing hours and during popular programs. This continues today with extravagant Super Bowl ad space. Over the last decade, with the explosion of online content and sophisticated database mining, advertisers became more aware of demographic information that would allow them to become more targeted in their approach. Today, with the prevalence of internet access and the amount of time consumers spend online, advertisers have moved away from mass marketing programs and are more focused on targeted and personalized marketing.

The evolution of online attacks seems to mirror the progression advertising has taken. In the beginning, hacking was done for fun and hackers were driven by a spirit of adventure. However, some hackers soon realized the potential for personal financial gain from their hacking. Thus, the birth of trojan horses, keyloggers and malware distributed via spam messages. Much like television commercials of old, these attacks were broadly distributed; the strategy being to hit as many people as possible in the hopes a small percentage would download the malware. In general, this shotgun-type strategy was successful as unsuspecting victims would click on malicious links and have their account information, passwords or identity sent to a hacker's developing database. Black-hat hackers could focus on quickly creating simple, and oftentimes, low quality malware and, due to the sheer distribution volume, this method was profitable.

Just as we are seeing an increase in personalized, targeted advertising, we are now seeing the rise of targeted attacks. In the past, this method of hacking was considered unprofitable because a targeted attack took too long to create, reducing the profit margin. The falling cost of producing high-quality malware and the data available from large customer database breaches, coupled with the surge in hacktivism, mean we will see more targeted attacks in the future.

While the goals of criminal gangs and hacktivists may differ (profit vs. issues awareness), they are using similar tactics – malicious code designed for a specific targeted attack. The reason for the coming rise in targeted attacks is two-fold:

  1. targeting certain types of businesses has become a profitable endeavor, and
  2. social issues are once again spurring hackers into action.

Why is it now profitable to target specific accounts or organizations when it was once not considered a lucrative strategy? One reason may be the success security professionals have had in educating employees and technology users about online threats. It isn't that creating high-quality malware has become easier; it is that getting users to fall for scams has become more difficult, making broad-based attacks less profitable. As a result, hackers are finding it more profitable to target a specific company or organization with an attack designed to steal data. These attacks are harder to defend against, as they often involve sophisticated social engineering and are harder for common email spam scanners or content filters to detect. They depend on SQL injection and the infection of web applications or common social media sites, such as Facebook, rather than on spam or malicious websites.

On the other side of the spectrum are hacktivists who are targeting a specific organization, not for profit but for social awareness. These socially minded hackers know that a high-profile security breach can damage the reputation of what they deem a socially irresponsible organization or bring down the network of a company the hacktivist believes is responsible for some injustice. It is the technological equivalent of protesting outside of the organization's office – and even more effective as it can quickly generate a global media buzz online when successful.

The number of targeted attacks will only increase in 2012 as users become more aware of broad-based threats, hacktivists become more active, and black-hat hackers create more sophisticated malware. For the general consumer and business, watching for these new approaches and taking control of your security policy enforcement should be a focus for your New Year's resolutions.

 

The SC Awards Blog opens, and our Social Media Awards are ready for nominations

January 16, 2012

Congratulations are in order for all of this year's SC Magazine Awards finalists.

We give you props for everything you have achieved in this last year, and for being recognized by your peers as the best in the industry. Your partners in the world of security rely on you for your expertise to better understand and protect against the evolving threats of not only today, but tomorrow.

Which brings us to the SC Awards Finalist Blog.

The SC Awards Finalist Blog is a forum for the recognized leaders of IT security to weigh in on the most pressing security issues of the day. This is your chance to provide additional guidance and commentary on the hottest issues.

If you are an SC Award finalist, we welcome your contribution to this blog to share your vision. Submissions should not be product endorsements, but should provide high-level strategic guidance to our audience of IT security practitioners. The contributions should be up to 750 words in length and offer thought-provoking discussion about your recommended approach to address today's security needs.

Finalists may email submissions to scbloggers@mix-pr.com. Posts will be reviewed and then posted to the SC Awards Blog from now until the SC Awards Gala Event on Feb. 28 in San Francisco.

I always look forward to that night, celebrating the successes of winners in great spirits with your peers and rivals. To register for the event, please visit http://www.cvent.com/d/scqm6b/4W.

In addition, with the opening of the blog, we now officially open the 2012 SC Magazine Social Media Awards for nomination. Sponsored by MIX Public Relations, the SC Magazine Social Media Awards recognize the industry's best bloggers, blogs and tweeters. This year's categories are:

  • Most Popular Security Blogger
  • Best Corporate Security Blog
  • Five to Follow on Twitter

Please send nominations to scbloggers@mix-pr.com from now until Feb. 1. Following the nomination period, we will post the finalists on SCMagazine.com for a direct vote by our readers.

Nominate your favorite blogger, corporate blog or tweeter today to help them achieve recognition for their expertise!

Again, congratulations to all of our finalists. We look forward to your ongoing guidance and leadership throughout 2012.

 

2011 SC Social Media Awards: Finalists named

February 08, 2011

As we said when we announced the nomination period for the second annual SC Social Media Awards, blogs and social media have continued to be critical information sharing forums for our readers.

Today I am excited to announce the 2011 finalists for the Best Corporate Security Blog, Best Security Blogger and Five to Follow on Twitter categories. Before announcing the finalists, I would like to thank the hundreds of security professionals who nominated their favorite social media enthusiasts.

Sponsored by MIX Public Relations, the SC Social Media Awards recognize the industry's best bloggers, blogs and tweeters. The finalists, in alphabetical order, are:

  • Best Corporate Security Blog:
    • The Day Before Zero Damballa Blog
    • ESET ThreatBlog
    • F-Secure Antivirus Research Weblog
    • TrendLabs Malware Blog (Trend Micro)
    • Websense Security Labs
  • Best Security Blogger:
    • Graham Cluley, Sophos
    • Chris Hoff, Rational Survivability
    • Mike Rothman, Securosis
    • Bruce Schneier, Schneier on Security
    • Gary Warner, CyberCrime and Doing Time
  • Five to Follow on Twitter:
    • @arj (Andrew Jaquith)
    • @cyberwar, @rstiennon (Richard Stiennon)
    • @danchodanchev
    • @George_KurtzCTO (George Kurtz)
    • @jack_daniel
    • @jeremiahg (Jeremiah Grossman)
    • @owasp
    • @ioerror (Jacob Appelbaum)
    • @theharmonyguy (Joey Tyson)
    • @weldpond (Chris Wysopal)

Again, congratulations to all of our finalists. Now is the time for our readers to VOTE. Please visit our home page, http://www.scmagazineus.com/, and cast your vote (along the right side) for your favorite blog, best blogger and your top five tweeters.

Voting closes at 8 p.m. ET on Friday, February 11.

Winners will be announced at our SC Awards Gala Event on Feb. 15, 2011 in San Francisco. CLICK HERE to book your tickets today!

 

Cloud computing brings a chance of showers

Michael Angelo, security architect, NetIQ February 03, 2011

Over the past few years, we have seen a gradual transition from traditional computer centers with dedicated resources to virtual machines and cloud computing. 

During this time, people have realized some of the value of virtualization in terms of savings and resource optimization. Unfortunately there are still a number of warts in virtualization that have followed the migration to the cloud.

Before we discuss those warts, it is important to fully describe the cloud environment about which we are talking.

While most people want to talk about software-as-a-service (SaaS) and platform-as-a-service (PaaS) – and we could include them in our conversation – we really want to talk about clouds that are transparent and migratory. 

These clouds are typically described as public, private or hybrid.

What is a private cloud? 

A private cloud is (typically) a cloud created within a corporation (only using corporate-owned machines) and is entirely at the control of the corporation. The cloud includes numerous computers and can extend among different computer facilities, as well as crossing geographical boundaries. 

What is a public cloud?

A public cloud is controlled by someone other than the corporation and can have multiple entities participating all on the same machine. Each entity can have its own separate virtual machine (VM) and may not readily be able to see other entities. The cloud location and co-residents are unknown.

What is a hybrid cloud?

A hybrid cloud consists of some resources being controlled by the corporation and some by an outside entity. There may or may not be a bleed-over of clouds from the private cloud to the public cloud.

**

These distinctions may sound logical; however, from a security point of view, there isn't a distinction between them. 

In a cloud, you do not know the hardware you are executing in or what other entities are also using that hardware. If you are in a private cloud, you may know that all entities in the cloud are part of the company, but you don't know if the entities also using the cloud are the finance, research, or marketing department, or if they are a hacker. Additionally, you cannot tell if the cloud or the participants in the cloud are well-behaved. 

Here is where the warts become noticeable.

If a VM is paused or stopped (not halted), the hypervisor generates a snapshot and writes it to disk. Thus even if encryption is used, the files in the virtual disk may be encrypted, but the memory-resident copies are not, and they are thereby placed on disk in an unencrypted state. If the VM is going to migrate to other hardware, the unprotected secrets will also be exposed in transmission.
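One way to test the claim above on your own hypervisor, as an added example that is not part of the original post: plant a distinctive canary string in a guest process, pause or snapshot the VM, then scan the saved-state file the host wrote. The canary value, the snapshot path and the constructed file layout below are assumptions for the demo; the scanner itself works on any file.

```python
"""Check whether a VM saved-state / snapshot file holds plaintext guest memory.

Added example (not the original author's code).  If a canary planted in guest
memory shows up verbatim in the file the hypervisor wrote, memory-resident
secrets are being persisted in cleartext regardless of virtual-disk encryption.
"""
import os
import tempfile
from typing import List

CANARY = b"CANARY-7f3a9c-VM-MEMORY-MARKER"  # constructed marker, 30 bytes


def find_canary(path: str, canary: bytes, chunk_size: int = 1 << 20) -> List[int]:
    """Return every byte offset at which `canary` occurs in the file at `path`.

    The file is read in chunks so multi-gigabyte snapshots never have to be
    loaded whole.  The last len(canary) - 1 bytes of each chunk are carried
    into the next read so a marker straddling a chunk boundary is still found,
    and no offset is reported twice.
    """
    if not canary:
        raise ValueError("canary must be non-empty")
    if chunk_size < len(canary):
        raise ValueError("chunk_size must be at least len(canary)")
    hits: List[int] = []
    overlap = len(canary) - 1
    carry = b""
    base = 0  # absolute file offset of carry[0] (or of the next chunk if empty)
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = carry + chunk
            start = 0
            while True:
                idx = buf.find(canary, start)
                if idx == -1:
                    break
                hits.append(base + idx)
                start = idx + 1
            # A full match can never start inside the carried tail, so carrying
            # it forward cannot produce duplicate hits.
            carry = buf[-overlap:] if overlap else b""
            base += len(buf) - len(carry)
    return hits


def build_sample_snapshot(path: str, chunk_size: int) -> List[int]:
    """Write a constructed fake snapshot with the canary planted twice.

    The first copy deliberately straddles the first chunk boundary to exercise
    the carry-over logic.  Returns the offsets where the canary was planted.
    """
    filler = bytes((i * 31 + 7) & 0xFF for i in range(chunk_size * 2))
    buf = bytearray(filler)
    first = chunk_size - 5
    second = chunk_size + 100
    buf[first:first + len(CANARY)] = CANARY
    buf[second:second + len(CANARY)] = CANARY
    with open(path, "wb") as fh:
        fh.write(buf)
    return [first, second]


def demo() -> bool:
    """Build the sample snapshot and confirm the scanner finds both markers."""
    with tempfile.TemporaryDirectory() as tmp:
        snap = os.path.join(tmp, "vm-state.sav")  # assumed file name
        planted = build_sample_snapshot(snap, 4096)
        found = find_canary(snap, CANARY, chunk_size=4096)
        return found == planted


if __name__ == "__main__":
    print("canary found at planted offsets:", demo())
```

Against a real hypervisor, replace the constructed file with the saved-state file of a paused guest in which a test process holds the canary in memory; a hit means the snapshot needs the same protection as the secrets themselves.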

Next, if the hardware is reused or shared, one needs to be concerned.

If the hardware is reused, do all traces of the previous VM get wiped from a resource before a new VM can use it? If not, can the new VM read the raw resource and access the previous VM? If the resource is shared among multiple VMs, can one VM see/access the resources of another VM?

The bottom line is that unless you limit the people with access to the VM (in the cloud) and can monitor the clouds (as well as the hardware on which the cloud is based), you have no way to know if your cloud is safe. 

Two last things to remember when contemplating cloud and the security implications:

  • Trusting a cloud environment – because of encryption or other security functions in the VM – is dangerous.
  • Trusting the host operating system or environment in the cloud is just as dangerous.
 

Overcoming the next generation of threat vectors

John Vecchi, head of product marketing, Check Point Software Technologies February 01, 2011

Since businesses first connected to the internet some 20 years ago, there has been a race to deliver stronger security innovations faster than cybercriminals can write code and develop new tactics.

Today, the industry is seeing a broader range of companies who realize that security must now be a strategic part of their overall IT infrastructure. This is enabling them to proactively prevent security breaches and attacks from penetrating their network in the first place – versus taking the more historical approach of applying protections like a Band-Aid.

Based on a recent Check Point survey of more than 220 IT security professionals, more than 90 percent of businesses reported using firewalls and anti-virus solutions, which are important baseline protections to secure their networks. However, as companies combat traditional security threats, businesses also face a new generation of threat vectors, with the proliferation of Web 2.0 applications, mobile computing and custom attacks that are dramatically increasing security complexity for enterprises.

As internet threats become more sophisticated and data leakage becomes more prevalent, businesses need a holistic and integrated approach to security that focuses on moving from threat detection to prevention.

Key findings and industry trends, based on Check Point's research, show that organizations should consider:

  • The proliferation of new threat vectors: For businesses facing a rise in the emergence and volume of new internet threats, 2010 was no exception. Survey respondents showed a 21 percent increase in the use of intrusion prevention solutions to protect against a greater volume of attacks – ranking viruses, botnets and drive-by downloads among the top internet threats to organizations. Malware, phishing attacks, trojans and keyloggers are still common and proliferating on Web 2.0 applications, which can impact enterprise security from the gateway to the endpoint.
  • The call for more user awareness: Thirty-six percent of IT security administrators surveyed believe employees rarely or never consider corporate security policies in their everyday business communications. With Web 2.0 applications and technologies now becoming common tools used in the enterprise, organizations are looking to apply stronger application control to enforce corporate security policies.  Because employees are essential to helping organizations mitigate security risks in the enterprise, businesses will benefit from implementing technologies that combine stronger security and more user awareness. 
  • The surge in mobile workers and connectivity: Mobile computing is no longer a trend but a way of life for most businesses. Approximately 54 percent of organizations surveyed are anticipating an increase in the number of remote users in 2011. In part, this is driven by employees and contractors demanding more access to business applications, data and corporate resources – from both corporate and personally-owned devices. The mobile workforce has been steadily growing, and now 64 percent of organizations are concerned the growth in remote users will result in exposure to sensitive data – as well as other security challenges like unauthorized network access and user management complexity.
  • Securing the virtual environment: In the early stages, virtualization was mainly used to consolidate servers and IT resources for cost, space and energy savings. Today, however, its uses and applications are steadily growing. Yet virtualization, like every new technology, can present new risks to companies. Improper implementation of security for virtual environments can adversely affect an organization, exposing it to new security threats and risks. Therefore, implementing the proper security architecture in a virtual environment that can protect against both internal and external threats – while evolving as the business grows – is important to consider.

Simplifying security

Organizations are using an average of nine different vendors to secure their organization's infrastructure from the network to the endpoint.

This creates more and more complexity, inefficiency and security management challenges – particularly for businesses with 500+ employees. Companies combining more than a dozen distinct security solutions are often left with large infrastructures. However, trying to piece together too many disparate point products can leave systems vulnerable.

Before adding yet another point product to the environment, businesses should consider which solutions enable them to evolve as their organization grows and new threats arise. They should also consider the operational efficiencies gained by managing a single security architecture from the gateway to the endpoint.

 

Protecting the network from inside the firewall

Derek Manky, Fortinet January 19, 2011

5 common vulnerabilities that can compromise your network

Today's security appliances do a great job patrolling the network perimeter, but what do you do when the threat is coming from inside the building? Below are the most common ways a network can be compromised from inside the gateway and what to do to protect your company.

1) USB Devices

USB drives are the most common way to infect a network from inside a firewall. They're cheap, hold a lot of data and can be used between multiple computer types. The ubiquity of thumb drives has driven hackers to develop targeted malware, such as the notorious Conficker worm, that can automatically execute upon connecting with a live USB port. Beyond simple thumb drives, any USB device that's capable of storing data is a potential threat. This includes external hard drives, digital cameras, MP3 players, printers, scanners and even digital picture frames. In 2008, Best Buy reported they found a virus in the Insignia picture frames they were selling at Christmas that came directly from the manufacturer.

What to do: Change the computer's default autorun policies. You can find information on how to do that within Windows environments here. Implement and enforce asset control and policies around what devices can enter the environment and when. And then follow that up with frequent policy reminders. In 2008, the Department of Defense developed policies and banned USB and other removable media from entering/exiting their environments.
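A way to audit the autorun change recommended above, as an added example that is not part of the original post: the Windows AutoRun policy is the NoDriveTypeAutoRun bitmask under the Explorer policy key, where each set bit disables AutoRun for one drive class (the bit index matches the GetDriveType value) and 0xFF disables it everywhere. The registry location and bit meanings are Windows' documented policy; the helper names and drive-class labels are this example's own.

```python
"""Audit the Windows NoDriveTypeAutoRun policy that controls USB AutoRun.

Added example, not code from the original post.  Decoding is pure Python and
runs anywhere; reading the live value uses winreg and only works on Windows.
"""
from typing import Dict, List, Optional

POLICY_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"

# A set bit DISABLES AutoRun for that drive class (bit index == GetDriveType()).
DRIVE_BITS: Dict[int, str] = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",  # USB sticks, memory cards, external disks
    0x08: "DRIVE_FIXED",      # internal hard disks
    0x10: "DRIVE_REMOTE",     # network shares
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",
}
WINDOWS_DEFAULT = 0x91  # value Windows applies when no policy is set
DISABLE_ALL = 0xFF      # hardened value: AutoRun off for every drive class


def decode_autorun_mask(mask: int) -> Dict[str, bool]:
    """Map each drive class to True when AutoRun is disabled for it."""
    if not 0 <= mask <= 0xFF:
        raise ValueError("NoDriveTypeAutoRun is an 8-bit mask")
    return {name: bool(mask & bit) for bit, name in DRIVE_BITS.items()}


def still_exposed(mask: int) -> List[str]:
    """Drive classes on which AutoRun would still fire under `mask`.

    DRIVE_NO_ROOT_DIR and the reserved bit never correspond to real media,
    so they are left out of the report.
    """
    ignore = {"DRIVE_NO_ROOT_DIR", "RESERVED"}
    return [name for name, disabled in decode_autorun_mask(mask).items()
            if not disabled and name not in ignore]


def read_policy_value() -> Optional[int]:
    """Read the machine-wide policy value; None when unset or not on Windows."""
    try:
        import winreg  # Windows only
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_SUBKEY) as key:
            value, kind = winreg.QueryValueEx(key, VALUE_NAME)
    except OSError:
        return None
    return int(value) if kind == winreg.REG_DWORD else None


def audit(mask: Optional[int]) -> str:
    """Verdict for a mask; None means no policy, i.e. the Windows default."""
    effective = WINDOWS_DEFAULT if mask is None else mask
    exposed = still_exposed(effective)
    if not exposed:
        return f"0x{effective:02X}: AutoRun disabled for all drive classes"
    return f"0x{effective:02X}: AutoRun still active on " + ", ".join(exposed)


if __name__ == "__main__":
    print(audit(read_policy_value()))
```

Note that the Windows default of 0x91 leaves removable media, fixed disks and CD-ROMs exposed, which is exactly the gap the post's USB advice is about.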

2) Laptop and netbooks

Laptops are discreet, portable, include full operating systems and come with a handy Ethernet port for tapping directly into a network. What's more, such a notebook may already have malicious code running in the background that is tasked to scour the network and find additional systems to infect. This notebook could belong to an internal employee or a guest who is visiting and working from an open cube or office. It is also important to think about the laptops themselves. All companies have some form of sensitive information that absolutely cannot leave the walls of the building. It becomes very dangerous when that information is stored on an unsecured portable computer, as they are very easy to walk off with.

What to do: Implement an encrypted file system for sensitive data. There are a number of off-the-shelf and open source solutions out there that do this. Control over endpoints that enter and exit the internal system is also important. Sensitive information, such as VPN, DV and Wi-Fi access, should not be stored persistently on devices such as laptops or netbooks.

3) Wireless access points (APs)

Wireless APs provide immediate connectivity to any user within proximity of the network. Wireless attacks by wardrivers (people in vehicles searching for unsecured Wi-Fi networks) are common. TJX, owners of Marshalls and TJMaxx, was attacked using this method, and intruders escaped with store customer transactions – including credit card, debit card, check and merchandise return transactions. This intrusion has ended up costing TJX more than $500 million. Wireless APs are naturally insecure, regardless of whether encryption is used. Protocols such as wireless encryption protocol (WEP) contain known vulnerabilities that are easily compromised with attack frameworks, such as Aircrack. More robust protocols, such as wireless protected access (WPA) and WPA2, are still prone to dictionary attacks if strong keys are not used.

What to do: WPA2 Enterprise using RADIUS is recommended along with an AP that is capable of performing authentication and enforcing security measures. Strong, mixed passwords should be used and changed on a fairly frequent basis. Generally, wireless APs are connected for convenience, so it is usually not necessary to have them connected to a working environment.

4) Smart phones and other digital devices

Today, phones are full-functioning computers, complete with Wi-Fi connectivity, multi-threaded operating systems and high storage capacity. And they are starting to be given the green light in business environments. These new devices have the potential to pose the same threats we've seen with notebooks and thumb drives. What's more, these devices have the potential to elude traditional DLP solutions.

What to do: The same rules for USB devices apply here. Implement and enforce asset control and policies around what devices can enter the environment and when.

5) Email

Email is frequently used within businesses to send and receive data; however, it is often misused. Messages with confidential information can be forwarded to any external target. In addition, the emails themselves can carry nasty viruses. One targeted email could phish for access credentials from an employee. These stolen credentials would then be leveraged in a second-stage attack.

What to do: With email security, source identification is key. Identify the sender using technology such as PGP, or a simple array of questions before sending sensitive information. Access control to broad alias-based email addresses should be enforced. And policy and reminders should be sent out to employees.


Derek Manky is project manager, cybersecurity & threat research at Fortinet's FortiGuard center. As lead author of Fortinet's monthly Threat Landscape Report, Manky blogs and regularly writes on breaking security developments. He designed the company's responsible disclosure policies, which have been reliably used for years to report and disclose critical, zero-day vulnerabilities.

 

Ready for 2011? Five questions for CISOs

Brian Barnier, ISACA January 18, 2011

After the roller coaster of 2010, what should be on the CISO's mind?

New threats? New security technology? New technology for everyone else?

Those topics are interesting enough, and are certainly things CISOs looked at in 2010. Yet, is there anything different?

The role of the CISO varies by enterprise, but as I talk with business managers, some generalizations apply across a range of enterprises and their CISOs.

Here are five key questions for CISOs to consider:

Are you prepared for the new regulations? Almost every heavily regulated industry experienced additional regulation in 2010. In addition, there are new regulations for legal entity type, transaction type and more. For example, banks received a bit of a holiday gift from the Basel Committee on Banking Supervision with a consultative document to update the nearly eight-year-old Sound Practices for the Management and Supervision of Operational Risk.

This contains more emphasis on information technology and outsourcing, and this will ripple through revisions, national implementations and field examinations. You and your boss/colleague who leads IT risk management need to understand regulations like these in financial services, electric utilities, health care, retail and more. Be cautious about relying on your compliance leader to tell you what is needed if that team lacks sufficient technology background.

Are you prepared for new products? Have you talked to your marketing and sales people lately? Depending on your market, they might be gearing up for new product enhancements, mobile applications, new geographic markets, new customer segments and support for additional languages. Are you ready for what is in their business plan?

Are you prepared for more mergers and acquisitions? Are you still trying to digest the last acquisition? Tough times make buying growth a popular strategy. How much “been there, done that” expertise do you and your team have in making acquisitions go smoothly? If not enough, get help!

How does IT security relate to overall IT-related business risk management? Is “IT risk management” in your institution just a way to do assessments for security purposes or is it used to achieve an end-to-end view of business process across all areas of IT-related risk and operations (change, configuration, release, energy, facilities, security, availability, recovery and more)?

Does it look at IT-related risk to achieving business value, portfolio design, investment decisions, program management and project management? If “IT risk” is still seen in a limited, internal, security and technical way, then it is time to get better.

ISACA's Risk IT framework (based on the COBIT framework) and best practice guidance can help.

Are you hiring and retaining the right skills to meet the above needs? IT security hiring is on an upswing. According to job search site dice.com, growth in information security jobs is outpacing overall job growth by a factor of three. This means that CISOs will have to give attention to hiring and retention as they have not needed to do in the past few years.

**

Together, these questions sound the call for more business-focused CISOs. While this is not new, what is new for 2011 is the intensity and focus of these factors as we navigate through a recovering economy.

Are you ready?


Brian Barnier, CGEIT, CRISC, is a principal at ValueBridge Advisors. He has worked in both business line and IT roles, and is an active volunteer with ISACA, where he worked on the development of the Risk IT framework. Contact him at brian@valuebridgeadvisors.com.

 

Welcome to the SC Awards Blog

January 13, 2011

I wanted to take this opportunity to congratulate all of the SC Magazine Awards Finalists for everything you have achieved in this last year - and what a year 2010 was!

From Aurora to Stuxnet to Zeus, nefarious hackers have introduced quite a few new and difficult problems for security players like you to tackle. Your leadership is becoming increasingly critical in the battle to keep critical data and systems safe from any number of online criminal groups. Enterprises of all sizes look to your expertise and leadership to better understand and protect against the evolving threats of not only today, but tomorrow, which brings us to the SC Awards Blog.

The SC Awards Blog is a forum for the recognized leaders of IT security to weigh in on the most pressing security issues of the day.

The blog presents our readers with the opportunity to receive the critical guidance and strategy you believe necessary to secure organizations.

If you are an SC Award finalist, we welcome your contribution to this blog to share your vision.

Submissions should not be product endorsements, but should provide high-level strategic guidance to our audience of IT security practitioners. The contributions should be 400-600 words in length and offer thought-provoking discussion about your recommended approach to address today's security needs.

Finalists may email submissions to scbloggers@mix-pr.com. Posts will be accepted and then loaded to the SC Awards Blog from now until the SC Awards Gala Event in February.

I always look forward to that night, celebrating the successes of winners in great spirits with your peers and rivals. To register for the event, please visit here

We hope the SC Awards Blog provides our readers with the valuable insight they need for the coming year.

Blogs and social media have continued to be critical information sharing forums for our constituents, and in recognition, today we are also proud to announce the opening of the 2011 SC Magazine Social Media Awards for nomination. 

Sponsored by MIX Public Relations, the SC Magazine Social Media Awards recognize the industry's best bloggers, blogs and tweeters. This year's categories are:

  • Most Popular Security Blogger
  • Best Corporate Security Blog
  • Five to Follow on Twitter

Please send nominations to scbloggers@mix-pr.com from now until Feb. 1.

Following the nomination period, we will post the finalists on SC Magazine for a direct vote by our readers.

Nominate your favorite blog today to help them achieve recognition for their expertise!

Again, congratulations to all of our finalists. We look forward to your ongoing guidance and leadership throughout 2011.

 

Firewall revolution or evolution?

Anthony James, vice president of products, Fortinet April 15, 2010

Firewalls are again becoming the talk of the town. There is an enormous number of opinions, including claims of a recent firewall revolution that has been proposed to completely change the firewall landscape. I will be the first to admit that the features and capabilities offered in today's firewall products are not the same as those offered in their original incarnation. But then again, traffic patterns and applications are not the same as they were when firewalls first hit the market.

If we look at some of the original firewall products (bypassing the whole proxy versus stateful debate), most products focused on a simple, yet powerful proposition – allow or deny specific protocols (applications) – and most often the policy was to deny all and allow a few exceptions. The general intent was to insert a barrier at the network border fending off unnecessary and potentially dangerous application traffic. These firewall policies were based on a common way to identify the application: the layer 4 protocol identifier.

Today, applications have taken a dramatically different approach in terms of user interface and communication methods. It should not be a surprise that the majority of applications have moved from a proprietary, client-based executable user interface and unique communication protocol to a web-based interface / communication method. This “webification” of applications is due in part to the innovations in web technology and the ability to deliver rich user experiences that parallel previous “heavy” client-based GUI applications in a web-based environment. 

Given this change in application delivery, it is natural for firewalls to evolve and address the new challenge of application security. Obviously the same principles exist as with the original firewall concept – allow / deny applications based on a corporate security policy. However, if every application uses a common web communication method such as HTTP - port 80, how would the traditional firewall implement appropriate controls? If port 80 is “allowed” through the firewall, it would open access to a plethora of applications, some of which could be contrary to the overall security policy. 

This is where things get interesting regarding the so-called “firewall revolution” being claimed today, whereby applications are identified based on their content distinguishing, for example, between peer-to-peer (P2P) applications and hosted business applications. While this is a new way to identify applications, I don't agree it is a “revolution” because other security technologies have been doing this type of detection for quite a while, including intrusion prevention/detection systems (IPS/IDS). With IPS/IDS technologies, the ability to distinguish between multiple applications on a common protocol employs exactly the same principle as the proposed new firewall “revolution”. The new “revolution” isn't a revolution at all. It is nothing new, just a new way to use existing capabilities.

It seems disingenuous and just plain marketing hype to say that extending the application identification technology as part of a firewall policy is revolutionary. What is really happening is the evolution of the firewalls to meet the application evolution.

If there is anything revolutionary about firewalls today, it is the incorporation of content-based security technologies being integrated into the firewall, something that was previously thought to be impossible. The true revolution is in identifying threats within the application content, irrespective of the application, not just a new way to identify an application and allow or deny it. 

A security solution that harnesses the power of application control and content-based security enforcement is the true state of firewall technology innovation – especially if you agree that firewalls should be deployed as defense mechanisms to eliminate threats versus an “allow-or-deny” paradigm for application access.

 

How IT can win the security battle

Matthew Steele, director of strategic technology, Symantec March 12, 2010

Enterprise security is the classic “caught between a rock and a hard place” scenario. On one hand, the attacks are frequent and often quite effective. The losses mount quickly — $2.8 million annually for large enterprises. Organizations face lost productivity, lost revenue, and a loss of customer trust.

On the other hand, providing enterprise security is excruciatingly difficult. Even with massive staffs (230 or more for large enterprises), enterprises feel understaffed. And new data center initiatives – such as cloud computing and virtualization – make the job of providing enterprise security more difficult with each passing day. Despite these difficulties, the "Symantec 2010 State of Enterprise Security Report" shows organizations are holding their own and highlights simple steps IT managers can take to win the security battle.

Applied Research fielded the survey by telephone in January. The respondents came from three groups:

  1. Small enterprises (500–999 employees)
  2. Mid-sized enterprises (1,000–4,999 employees)
  3. Large enterprises (5,000+ employees)

The 2,100 respondents came from a wide variety of industries and included a mix of CIOs, CISOs, and senior IT management in 27 countries. 

Enterprise security is IT's top concern

Forty-two percent of organizations ranked cybersecurity as their top risk, beating out such notables as traditional crime, natural disasters, and terrorism. On average, IT assigns 120 staffers to security and IT compliance. In large enterprises the number is even higher – 232.

Nearly all (94 percent) expect to implement changes to their cybersecurity efforts in 2010, with almost half (48 percent) forecasting major changes.

Enterprises are experiencing frequent attacks

Seventy-five percent of all enterprises have experienced cyberattacks in the past 12 months. Forty-one percent said these attacks were “somewhat/highly effective.” When asked about specific types of attacks, 57 percent reported somewhat to extremely fast growth, with “external malicious attacks” the fastest growing type.

Costs of cyberattacks are high

The study found all of the enterprises surveyed had experienced cyberlosses in 2009. The most common losses were:

  • Theft of customer personally-identifiable information
  • Downtime of environment
  • Theft of intellectual property
  • Theft of customer credit card information

These led to serious costs to 92 percent of the cases, most commonly:

  • Lost productivity
  • Lost revenue
  • Loss of customer trust

Enterprises reported an average combined cost of $2 million annually. For large enterprises, the cost was especially high – almost $2.8 million annually.

Enterprise security is becoming more difficult

Organizations have their hands full with the high frequency of attacks and staggering losses. Unfortunately, data center realities are making it even harder for IT to secure the enterprise.

Enterprise security is understaffed. The most impacted areas are:

  1. Security systems management
  2. Data loss prevention
  3. Network security
  4. Endpoint security

These security staffing woes come just as IT is rolling out initiatives that make providing security more difficult:

  • Infrastructure-as-a-service
  • Platform-as-a-service
  • Server virtualization
  • Endpoint virtualization
  • Software-as-a-service

So, two of the hottest new technologies – cloud computing and virtualization – are also the technologies most apt to make security staff's jobs more difficult.

Finally, enterprises are buried with IT compliance efforts. The study found that enterprises are currently exploring a staggering 19 separate IT standards or frameworks and are actually currently using eight of them. The top frameworks/standards mentioned were:

  • ISO
  • HIPAA
  • Sarbanes-Oxley
  • CIS
  • PCI DSS
  • ITIL

Recommendations

Organizations need to protect their infrastructure by securing their endpoints, messaging and web environments. In addition, defending critical internal servers and implementing the ability to backup and recover data should be priorities. Organizations also need the visibility and security intelligence to respond to threats rapidly. 

IT administrators should protect information proactively by taking an information-centric approach to protect both information and interactions. Taking a content-aware approach to protecting information is key in knowing where sensitive information resides, who has access, and how it is coming in or leaving your organization. 

Organizations need to develop and enforce IT policies and automate their compliance processes. By prioritizing risks and defining policies that span across all locations, customers can enforce policies through built-in automation and workflow and not only identify threats but remediate incidents as they occur or anticipate them before they happen.

Finally, organizations need to manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.

For more information on Symantec's 2010 State of Enterprise Security study, see the Symantec online newsroom.

 

Why intrusion prevention systems fail to protect web applications

Ryan Barnett, director of application security, Breach Security February 26, 2010

There is overwhelming evidence in reports such as the SANS Top Cyber Security Risks and the Verizon Data Breach Investigation Report that web applications are the Achilles' heel of most networks and criminals know it.  In order to protect web applications, the network security paradigm has to shift from “Keep People Out” to “What Are They Doing?” and the IT infrastructure spending needs to follow suit. 

Organizations need to protect themselves from today's attacks, which increasingly occur at the application layer. Intrusion prevention systems (IPSs) are often deployed in an attempt to protect web applications; however, they lack many key protection elements. Below are the top seven reasons why IPSs fail to protect web applications:

1. A jack of all trades is a master of none.

IPSs have a wide protocol focus and are not solely focused on HTTP. As a result, fewer system resources and signatures are allocated to web application protection. Web application firewalls (WAFs), on the other hand, do not inspect other protocols and can apply all of their processing and inspection power to HTTP/HTTPS traffic.

2. You can't see me (access to encrypted traffic).

You can't inspect what you can't see. Most commercial IPSs cannot decrypt SSL traffic unless they are handed the server's private key or placed behind an SSL terminator, which leaves a blind spot in your detection and a channel through which attackers can interact with the web application unobserved. The ability to decrypt and inspect SSL traffic is standard for WAFs, which usually terminate or proxy the SSL session themselves.

3. Can you speak HTTP? (Application layer logic understanding)

Since IPSs are not "native" HTTP speakers, they do not properly parse the layer 7 web data down into its individual components, such as request headers, cookies, and parameter names and payloads. They typically treat the HTTP data as one large blob of text, which contributes to higher false positive and false negative alert ratios. WAFs interpret the web data in the same way as the destination web application, which means they understand the context and can apply rules and signatures more accurately.

4. Application layer rules (negative security model)

IPSs are mainly signature-based security systems, so the breadth and quality of their signatures are paramount. Unfortunately, most IPS signatures are based on vulnerabilities in publicly available software, so they are not effective for custom-coded web applications. WAF rules, by contrast, should be generic in nature and provide "attack payload detection" that catches any variant of an attack, regardless of the application it targets.

5. Application profiling (positive security model)

IPSs typically inspect each request on its own, without any correlation with previous traffic. Commercial WAFs have automated learning and profiling capabilities, based on a statistical model of all traffic, that create custom, positive security profiles for each web resource. This allows for an input validation policy that permits only acceptable data to pass through and blocks attacks that are missed by the negative security model.
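The difference described in points 3, 4 and 5 is easiest to see in code. What follows is an added example, not code from the original post or from any WAF product: it parses an HTTP/1.x request into its layer-7 components, runs one generic attack-payload rule over each decoded parameter and cookie value (negative model), and then checks the requested resource against a per-parameter profile (positive model). An IPS-style match over the undecoded request text is included for contrast. The rule, the profile for /item and the three sample requests are constructed for the example.

```python
"""Added example, not code from the original post or from any WAF product:
parse an HTTP/1.x request into its layer-7 components and apply rules per
component, next to an IPS-style match over the raw request text.
The rule, the resource profile and the sample requests are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Negative model: a generic attack-payload rule for two SQL injection shapes,
# quote-then-boolean tautology and UNION SELECT. Real rule sets are far larger.
SQLI_RULE = re.compile(
    r"(?i)('\s*(?:or|and)\s+\S+\s*=\s*\S+|\bunion\s+(?:all\s+)?select\b)"
)

# Positive model: what each parameter of a resource is allowed to look like.
# Hypothetical profile for /item; a learning WAF would derive it from traffic.
PROFILE = {"/item": {"id": re.compile(r"^\d{1,9}$")}}


def parse_request(raw):
    """Split a raw request into method, path, query, headers, cookies and
    form body, URL-decoding every parameter value on the way."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    url = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            cookies[name.strip()] = value.strip()
    body_params = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        body_params = dict(parse_qsl(body, keep_blank_values=True))
    return {
        "method": method,
        "path": url.path,
        "query": dict(parse_qsl(url.query, keep_blank_values=True)),
        "headers": headers,
        "cookies": cookies,
        "body": body_params,
    }


def blob_match(raw):
    """IPS-style check: run the signature over the undecoded request text."""
    return SQLI_RULE.search(raw) is not None


def inspect(raw):
    """WAF-style check: the negative rule over every decoded parameter and
    cookie value, then the positive profile for the requested resource.
    Returns a list of (location, parameter, reason) findings."""
    req = parse_request(raw)
    findings = []
    for location in ("query", "body", "cookies"):
        for name, value in req[location].items():
            if SQLI_RULE.search(value):
                findings.append((location, name, "attack payload"))
    for name, allowed in PROFILE.get(req["path"], {}).items():
        for location in ("query", "body"):
            value = req[location].get(name)
            if value is not None and not allowed.match(value):
                findings.append((location, name, "outside learned profile"))
    return findings


# Constructed sample: a tautology in id, URL-encoded as a browser would send it.
ENCODED_ATTACK = "GET /item?id=1%27%20OR%201%3D1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n"
# Constructed sample: nothing the signature knows, but id is not a number either.
PROFILE_VIOLATION = "GET /item?id=1%20OR%20SLEEP(5) HTTP/1.1\r\nHost: shop.example\r\n\r\n"
# Constructed sample: an ordinary search, with a cookie and a form body.
BENIGN = (
    "POST /search HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: session=abc123; lang=en\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "q=select+a+plan&page=2"
)

if __name__ == "__main__":
    for label, raw in (("encoded", ENCODED_ATTACK), ("profile", PROFILE_VIOLATION), ("benign", BENIGN)):
        print(label, "blob:", blob_match(raw), "parsed:", inspect(raw))
```

The encoded tautology never matches the signature on the raw text because the quote arrives as %27, but it is caught once the parameter is decoded; the time-based variant contains nothing the signature knows and is caught only because the profile says id must be numeric; the benign search, whose body happens to contain the word "select", trips neither.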

6. Application performance monitoring (Anti-automation/denial-of-service (DoS) defenses)

Acceptable traffic velocity levels are not a "one-size-fits-all" setting. Most IPSs have some form of baselining capability that monitors traffic flows and can flag significant deviations, but it is not granular enough to be applied to each individual application resource. Web application attacks such as DoS, brute force and scraping have unique thresholds for each site, and for each resource within it. WAFs are able to monitor request velocity and apply threshold restrictions per resource, blocking when those settings are violated. Additionally, by monitoring application response times, true DoS conditions may be identified.
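As an added example (not code from the original post or from any WAF product), here is the per-resource velocity check the paragraph describes: a sliding-window counter kept per client and per resource, with a tight threshold for a login page and a much looser one for catalog pages, plus a response-time check that flags a resource whose recent median latency has drifted far above its baseline. The thresholds, client addresses, timestamps and latencies are constructed for the example.

```python
"""Added example, not code from the original post or from any WAF product:
request-velocity thresholds kept per client and per resource with a sliding
window, plus a response-time check for spotting a real DoS condition.
Thresholds, client addresses, timestamps and latencies are constructed."""
from collections import defaultdict, deque
from statistics import median

# (requests, seconds) allowed per client for each resource; hypothetical values.
THRESHOLDS = {
    "/login": (5, 60.0),      # brute force: five attempts a minute is plenty
    "/catalog": (600, 60.0),  # scraping: ten pages a second sustained is not a person
}
DEFAULT_THRESHOLD = (300, 60.0)


class VelocityMonitor:
    def __init__(self, thresholds=None, default=DEFAULT_THRESHOLD):
        self.thresholds = THRESHOLDS if thresholds is None else thresholds
        self.default = default
        self.requests = defaultdict(deque)                       # (client, resource) -> timestamps
        self.latencies = defaultdict(lambda: deque(maxlen=50))   # resource -> recent ms

    def check(self, client, resource, now):
        """Record one request and return True if it is within the resource's
        threshold for this client, False if it should be blocked."""
        limit, window = self.thresholds.get(resource, self.default)
        seen = self.requests[(client, resource)]
        while seen and now - seen[0] >= window:   # drop timestamps outside the window
            seen.popleft()
        seen.append(now)
        return len(seen) <= limit

    def record_latency(self, resource, milliseconds):
        """Feed in the application's response time for one request."""
        self.latencies[resource].append(milliseconds)

    def degraded(self, resource, baseline_ms, factor=3.0):
        """True when the median of recent response times for the resource is
        well above its baseline: the application itself is struggling, which
        a request counter alone cannot tell you."""
        recent = self.latencies[resource]
        return bool(recent) and median(recent) > factor * baseline_ms


if __name__ == "__main__":
    mon = VelocityMonitor()
    print([mon.check("10.0.0.9", "/login", float(t)) for t in range(8)])
```

The same client making eight login attempts in eight seconds is cut off at the sixth, while fifty catalog requests in five seconds pass; a single global rate could not express both at once.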

7. Inspecting outbound data (information leakages)

IPSs focus mainly on inbound requests and pay little attention to the data leaving the web application. Attackers often use the detail in web error messages to enumerate back-end database resources and fine-tune their attacks. WAFs are able to inspect outbound response bodies for typical database error messages and block them so they are never delivered to the client. In addition to error messages, WAFs are able to track the locations and amounts of sensitive data (such as credit card or Social Security numbers) in responses and alert or block when those change.
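As an added example (not code from the original post or from any WAF product), the outbound inspection just described, for the two leakage classes named: a response body carrying a database error is swapped for a generic error page, and Luhn-valid card numbers are masked to their last four digits so the page still renders. The signature list and both sample bodies are constructed; the only real data are the public Visa test number 4111 1111 1111 1111 and the MySQL error wording.

```python
"""Added example, not code from the original post or from any WAF product:
inspect a response on its way out for the two leakage classes named above,
database error text and card numbers. Signatures and bodies are constructed."""
import re

# Error text that common database engines surface through sloppy error pages.
DB_ERROR_SIGNATURES = [
    re.compile(r"You have an error in your SQL syntax", re.I),                # MySQL
    re.compile(r"\bORA-\d{5}\b"),                                            # Oracle
    re.compile(r"Unclosed quotation mark after the character string", re.I),  # SQL Server
    re.compile(r"syntax error at or near", re.I),                            # PostgreSQL
]

# Candidate primary account numbers: 13 to 19 digits with optional space or
# dash separators. The Luhn check removes order numbers and similar look-alikes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

GENERIC_ERROR_PAGE = "<html><body>An error occurred. Reference logged.</body></html>"


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits(text):
    return re.sub(r"[ -]", "", text)


def _is_pan(text):
    digits = _digits(text)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(body):
    """Return the Luhn-valid card numbers (digits only) found in the body."""
    return [_digits(m.group(0)) for m in PAN_CANDIDATE.finditer(body) if _is_pan(m.group(0))]


def _mask(m):
    text = m.group(0)
    if not _is_pan(text):
        return text                      # e.g. an order number: leave it alone
    digits = _digits(text)
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect_response(status, body):
    """Decide what the client gets. Returns (status, body, events)."""
    events = []
    for sig in DB_ERROR_SIGNATURES:
        if sig.search(body):
            events.append("db-error")
            return 500, GENERIC_ERROR_PAGE, events   # the detail stays in the logs
    pans = find_pans(body)
    if pans:
        events.append("pan-leak:%d" % len(pans))
        body = PAN_CANDIDATE.sub(_mask, body)
    return status, body, events


# Constructed sample bodies.
ERROR_BODY = ("<html><body>Warning: mysql_fetch_array(): You have an error in your "
              "SQL syntax; check the manual that corresponds to your MySQL server "
              "version for the right syntax to use near ''' at line 1</body></html>")
RECEIPT_BODY = "<p>Order 1234 5678 9012 3456 paid with card 4111 1111 1111 1111.</p>"

if __name__ == "__main__":
    print(inspect_response(200, ERROR_BODY))
    print(inspect_response(200, RECEIPT_BODY))
```

The order number in the receipt is sixteen digits but fails the Luhn check, so it is left alone; the card number is masked. Tracking the count of findings per resource over time is what lets a WAF alert when a page that never carried card numbers suddenly does.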

Conclusion

Organizations need to change their approach to securing web applications by using products with features specifically designed for protecting layer 7 traffic and data exchange. While IPSs serve an important role in preventing network-level attacks, they just can't perform at the top of the stack. WAFs are specialized products for detecting attacks against web applications in more depth than IPSs. The PCI Security Standards Council echoed this same sentiment in its Requirement 6.6 "Application Reviews and Web Application Firewalls Clarified" information supplement, which lists many of the capabilities described here.



 

Is increased government regulation the answer to increased privacy protection?

Glen Kosaka, director of marketing, Trend Micro February 25, 2010

Data breaches involving privacy information continue to increase despite the costs, embarrassment and negative publicity associated with them. Common themes exist in these two recent breaches:

  • In May 2009, UC Berkeley's health services systems were breached, exposing the private information including Social Security numbers of 160,000 people.
  • In September 2009, the University of North Carolina's systems were breached, exposing 163,000 Social Security numbers of women taking part in medical research.

Although these two examples came from the health care segment in universities, privacy breaches are occurring with startling regularity across all industries and companies. So what is it going to take for companies to start taking these seriously and institute the proper level of security to prevent them? Is the answer more government regulation, or are enough companies already going through the normal processes to plan and deploy these protections?

I suspect that, for many companies, the cost of a data breach may be just another cost of doing business. For these companies, the costs of a breach, which studies have shown to be anywhere from $150 to $300 per record, are weighed against the costs of process change, education, security technology, and ongoing maintenance associated with reducing the risk of breach. Unless a senior executive intervenes and weighs in on the importance of brand protection and reputation, many companies choose to take a reactive rather than proactive approach.

However, for any individual whose privacy has been compromised, it is a major cost and hassle. It seems as if the pain of an individual or a group of victims is not enough to justify proper privacy protection by a company. This is one reason why there are many new government regulations being enacted to protect individual privacy, at both the federal and state level.

Standards and regulations such as PCI DSS, California's SB-1386 and HITECH affect many companies and industries, and are generally thought to be well constructed for protecting individual privacy. But what about nonregulated industries where none of these apply? If there are significant privacy records to protect in any industry, it is only a matter of time before the government steps in with regulation if companies in that industry fail to adequately address privacy issues. The government doesn't care if you lose critical manufacturing plans or other intellectual property to a competitor. It doesn't care if all your customer contacts are stolen and sold to your competitor. Protecting this type of information is something a company should already be doing to protect its competitiveness. But the government does care if individual privacy is at risk, and will step in if companies don't step up.

Why is implementing a solution to prevent data loss so difficult? To be fair, this is not a problem that can be solved by one single technology. Addressing this problem often involves understanding how data is handled and transmitted, where data is stored, and educating employees about company policies. IT and security professionals often get overwhelmed by all the different potential leak channels and threats, and don't know where to start.

A layered defense is required for a comprehensive solution to data breach protection. Protecting against external threats such as data-stealing malware, hackers and web application attacks is the first line of defense. This needs to be augmented by data loss prevention solutions that include both content monitoring and filtering and encryption capabilities. The "insider threat", which arises from employees, contractors and partners, is often the source of the most damaging breaches, whether through carelessness or malicious activity, and the same controls have to cover it.


 

Security vision for the smarter planet

Anne Lescher, product marketing manager, IBM Security Solutions February 24, 2010

Today's environment

Over a year ago, IBM began a global conversation about how the planet is becoming smarter with an increasingly instrumented, interconnected and intelligent infrastructure. There is an explosive growth of data that is collected about virtually every aspect of our lives that we can connect and share across billions of devices with built-in intelligence. Our ability to use this data to visualize, control and automate what happens in our environment influences every aspect of our lives from financial transactions, to healthcare, retail, transportation, communications, government and utilities.

Security remains a prerequisite for doing business in today's dynamically evolving enterprise – managing risk in this environment is a challenge with constantly changing vulnerabilities, both internal and external, as the threats become more sophisticated. Failure to protect our systems results in lost business and impacts brand trust and business advantage.

Security for the smarter planet

Security can allow organizations to take risk and be an enabler of innovative change for them. Let's look at how security can help manage complexity, reduce costs and assure compliance.

  • Identity is a focal point in today's global economy where trustworthy credentials are required for any interaction or transaction. The process of granting and maintaining digital identities, granting access to applications and information assets, and auditing user activities is a difficult and expensive one. Organizations spend an average of two weeks to set up new users on IT systems and typically up to 40 percent of existing user accounts are invalid. Identity and access management solutions can lower costs and mitigate the risks associated with managing user access to corporate resources; for example, reducing user provisioning time from days/weeks to minutes.
  • Security at the application layer is an important area to watch, with industry analysts estimating that 80 percent of organizations will experience an application security incident by 2010. The average application deployed has dozens, sometimes hundreds, of defects, and about 74 percent of application vulnerabilities have no patches available today, based on IBM X-Force research. Security should be an intrinsic aspect of business processes and operations, factored in from the initial security architecture through application development and implementation. Look at the ROI: businesses today spend 80 percent of development costs identifying and correcting defects, and a defect costs about $25 to fix during the coding phase versus $16,000 in post-production. Secure design can improve product quality and reduce costs in the long run.
  • To cut costs and operate more efficiently, our customers tell us they want to adopt technology paradigms such as cloud and virtualization to provide dynamic operational support for peak capacity demands and data sharing. Unfortunately, security is often a roadblock. Effective data security and strong access controls can prevent security exposures when adopting cloud technology. These and other security capabilities will only grow in importance as standards such as PCI DSS look at adding a requirements section specific to virtualization and cloud.
  • The average company is subject to hundreds, often thousands of regulatory or industry specific compliance mandates, not to mention internal policies and audit standards. Trying to address this mix of requirements is overwhelming. Automation can help with compliance monitoring – effectively collecting and analyzing security information and events – management and reporting for data privacy laws and industry regulations.

Few would argue that IT security challenges are rising with an increase in sophisticated threats. Organizations will turn to any number of best practices for guidance, but the adherence to service management (ITSM) disciplines and the adoption of information technology infrastructure library (ITIL) services has proven to be the most effective. Industry surveys indicate that 87 percent of breaches were considered avoidable through reasonable (foundational) controls and the highest performers in the area of security management were those that adopted ITIL as their best practice approach. When creating a security “foundation”, it is important that organizations take a business-driven perspective – ensuring they align IT with their business objectives, allocate risk across security domains, and enforce the appropriate security level in each area in light of business opportunities, threats, and vulnerabilities.

Brighter future

Technology has a huge potential to help manage risk while enabling innovation for business growth. Imagine a smarter planet where critical infrastructures are more secure, cities are safer, your identity and privacy are protected, and you have ability to use social networking sites and new, cool apps on smart devices without worrying about the risks. A smarter and more secure planet is in everyone's interest, and the time for us to act is now!


 

ITIL + IT-GRC = mass * velocity

Steve Schlarman, eGRC solutions manager, Archer Technologies February 18, 2010

In the world of acronyms, information technologists seem to lag behind only government agencies in their ability to create jargon and abbreviations for cryptic concepts. IT-GRC (IT governance, risk and compliance) is one member of the IT lingo club. The Information Technology Infrastructure Library, or ITIL, is a fellow acronym gaining more acceptance and popularity within the IT industry. ITIL provides a common framework to formalize a service-oriented management approach within IT and improve interaction between IT and the business.

Both IT-GRC and ITIL converge on one straightforward, yet complex, objective: Build an IT organization that is governed intelligently, meets customer and business requirements, and delivers a high level of service while minimizing risks and maximizing efficiencies and effectiveness. For many risk, audit and security professionals, ITIL remains an "IT Operations only" approach, but there are many ways to utilize ITIL to complement IT-GRC efforts.

One way to leverage the harmony between ITIL and IT-GRC is to look at governance, risk and compliance within IT as another IT service offered to the business. To this end, ITIL can be used as a guideline for implementing the IT-GRC program. The ITIL approach is defined by five stages that follow an IT service from inception through retirement:

1. Service Strategy: Defining the overall goals, objectives and business functions within the service.

2. Service Design: Designing the service components and processes within the overall service.

3. Service Transition: Managing the rollout process and change management to the service and process.

4. Service Operation: Executing the daily tasks and activities within the service.

5. Continual Service Improvement: Quality assurance and monitoring of the service for improvement and optimization.

IT-GRC can use this framework to guide the overall program development and management. While the entire sequence is beyond the scope of this blog post, the concepts within ITIL can be applied to IT-GRC, and IT-GRC program managers can leverage the approaches used within ITIL to build out the program.

With this in mind, I can explain my title for this article: ITIL + IT-GRC = Mass * Velocity. For those of you who can dust off physics equations stuck in your head from high school, you might recognize the Mass * Velocity portion. This is the equation to calculate Momentum (p=mv). My point is that for those organizations that are looking to implement IT-GRC programs and have already begun looking at ITIL to guide IT service development, there are some advantageous resources in your organization — namely those ITIL savvy operations people who may be able to help move the IT-GRC program along.

As you look to mature and formalize the risk and compliance program, a few well-aimed discussions may help to guide the IT-GRC processes.

Besides, any conversations between the IT-GRC side of the house and the operations side are just gravy. Since there is no equation for gravy (except in some Southern states), you can use these conversations to pick up momentum toward meeting your IT-GRC goals.

If you're interested in a little more discussion on this topic, I invite you to read an article I recently published with the EDPACS Journal, titled "What ITIL Can Teach IT-GRC." (EDPACS: The EDP Audit, Control and Security Newsletter, Volume 40, Issue 2). And if you'd like to learn more about Archer's approach to IT-GRC, please download the Archer IT-GRC data sheet from our website.
 

2010 SC Awards Announces New Blogger Award Categories - Nominate Today!

February 17, 2010

With the SC Magazine Awards Blog, we're attempting to add thought-provoking subject matter from industry leaders on a wide variety of topics and issues facing the security industry today. Hopefully, these blog posts are providing you additional value and insight into the state of the industry and a forward-looking forum on the challenges we are likely to see in the future.

We're using a blog format, because as the threats and issues develop today, we believe that blogging is a key manner of communication and conversation that can quickly generate discussion among peers and other industry experts.

Many of our contributors and other security pundits blog on a regular basis in their own forums, offering their take on today's evolving threat landscape. This year, the SC Awards would also like to begin to recognize these pioneers in their own evangelist efforts.

I'm happy to announce that, for the first time ever, as part of the 2010 SC Awards program, we hope to formally recognize the security industry's most popular, poignant and prolific security bloggers.

Contest details: We will be recognizing three blogging categories — Most Popular Security Blogger, Best Corporate Security Blog and "Five to Follow," a collection of the top five security pundits on Twitter.

How to nominate: You may email nominations directly to scawardsbloggers@yourtechpr.com. Please specify the category you are nominating for and the URL of the blog or the Twitter handle you would like to nominate. Nominations will be accepted until Monday (Feb. 22), at which point the top finalists will be posted on www.scmagazineus.com for a direct vote from our readers.

The SC Awards gala dinner and presentation* will take place on March 2, 2010 at the Intercontinental San Francisco. The SC Awards gala will be a night filled with the excitement of the SC Award winners, dinner and entertainment, along with top corporate IT professionals attending. This offers an invaluable opportunity to network with colleagues and peers, and to cultivate new contacts.

Thank you in advance for helping us to recognize our fellow online security gurus.

Sincerely,

Illena Armstrong

Editor-in-chief

SC Magazine

*Dinner information

Dinner reservations for the awards can be placed online at http://www.scmagazineus.com/scawards2010-finalists/section/1309/ . Don't forget to place your reservation promptly as places are limited and bookings will be accepted on a first-come, first-served basis.


 

Finding solutions for the problem of consumerization.

Michael Angelo, security architect, NetIQ February 17, 2010

While it may not yet have reached fever pitch, there is a steady and growing awareness of the risks of a new trend in business computing: consumerization.

Consumerization has evolved into two different aspects – the first being the use of personal equipment for work purposes, and the second the use of consumer services for work.

Both can potentially create issues in the corporate environment, though I will focus on only one side of consumerization: the use of personal equipment in the corporate environment, and the potential security issues this practice raises. Consumerization raises three primary questions:

1.       What does acceptable use mean with respect to corporate policies and how does one enforce those policies?

2.       What is the impact of privacy laws from the perspective of the corporate customer, the individual device owner, and the corporation?

3.       What are the implications of employee attrition with respect to the security of corporate information residing on personal computers?

Acceptable Use Policies have traditionally precluded the use of corporate equipment for non-business activities.  They also often explicitly prohibited activities such as playing of games, use of file sharing technology, or personal web surfing. There were also often additional policies that defined what software could be installed as well as acceptable email content. Most significantly, these policies were ultimately enforced by the corporation's ability to access the machines for review and enforcement based on corporate ownership of equipment. However, when employees use their own computers, such access is far less clear cut. As a result, acceptable use policies as they are currently understood must be approached differently.

What to do? For now, review the acceptable use policy and rethink several aspects of it. For example, the policy might relax rules such as the ban on non-work-related (licensed) programs on the machine. It might also take a stronger stance on items such as file sharing (especially BitTorrent, which can eat system bandwidth and has questionable legal ramifications) or the use of third-party software for business, due to licensing issues.

Privacy Laws typically require that care be taken to not expose customer information and to report the leakage (potential and actual) of information to the customers. However, a non-corporate owned system will clearly introduce complexities when it comes to security measures and restrictions that would be different at home versus in the workplace. An example of this is filtering software, which might not be acceptable on a user's personal machine.

Two scenarios need to be considered when addressing consistency in security infrastructure:

1.       The employee goes home and gets an email from a company about a new widget. They click on the link and are spear-phished. If the corporate address book is exfiltrated, does that mean customer data was also exposed?

2.       The employee is surfing the web at home and becomes the victim of a drive-by attack. Does the employee now need to report the incident to the corporate security team that must then notify customers of a potential breach? 

Not all issues will be as hard to resolve. For example, the issue of what to do in the event of a stolen computer can be mitigated by requiring employees to use encryption for corporate data. 

What to do? Look at your current security enforcement technology. Perhaps you could replace filtering software with web page analysis software that pre-scans web pages for malware. Another solution might be to provide virtual machine tools for surfing so that the user's web environment is sandboxed.

Employee Attrition is a potential issue when an employee with a personal notebook computer containing 500 GB of storage resigns. The notebook contains corporate and employee-purchased software as well as corporate data (email, memos, customer data, etc.) and employee data (pictures, movies, personal email, letters, etc.).

The company does not want to (or can't) leave the employee with corporate materials (customer information, corporate secrets, software licenses, etc). In addition, asking the employee to delete the corporate materials is not realistic. On the other hand, the company might not be able to remove its intellectual property with a clean restore or system wipe.

What to do? There are many solutions to this problem. One simple solution may be to provide an external drive for users to boot from when at work or doing work activities, while another solution might be to enable virtual compartmentalization. 

In the end, none of these issues are real show stoppers, but as always in the realm of security, the key is planning ahead to avoid the worst of the problems, and being pragmatic about solving the ones that you didn't see coming.


 

Change is constant - so is compliance

Jonathan Sander, IAM/Security analyst, Quest Software February 16, 2010

Compliance Facts:
  • More than 40,000 rules (i.e. national laws) were passed by the U.S. government in the last decade.
  • The Weidenbaum Center at Washington University in St. Louis and the Mercatus Center at George Mason University in Virginia jointly estimate that agencies spent $49.1 billion to administer and police the 2008 regulatory enterprise.
With figures like that, today's reality is that IT organizations have been forced to sink or swim in keeping up with compliance and security requirements. They've got to do it faster, with less staff and limited to nonexistent budget. Yet, auditing Microsoft-based infrastructures for compliance with internal policies and external regulations can be a tedious, repetitive, time-consuming process fraught with risk. Not to be ignored: Security breaches, malware, mistakes and leaks of sensitive enterprise data are serious threats to the organization, with internal security threats as perilous as external ones.

Failure is not an option as lapses in compliance and breaches can lead to loss of IP, system downtime, frustrated end users, lost productivity, fines and negative publicity. Whether it is monitoring change events affecting Active Directory, Exchange or Windows File Servers, reporting, though required, distracts administrators from working on other projects.

These additional pressures from external regulations, coupled with internal fiscal constraints mean that the IT organizations simply have no alternative but to work smarter by using the same budget dollar for compliance and secure operations.

How do we do it?

Windows does provide native security event logs, which are managed per server and contain events generated by every subsystem. The problem with the native logs is that, with no centralized view, IT managers need to scour the event log on each server and each subsystem, and a change that spans two events or two machines is never seen as one change.
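As an added example (not code from the original post or from any Quest product), here is what turning those per-server records into the who/what/when/where view looks like: it reads Windows Security events in the XML form that Event Viewer and wevtutil export, lines them up as change records, and then correlates two of them, an account creation followed shortly by membership in a privileged group, which no single log line shows. The event IDs are Microsoft's own; the two event records, the computer name and the user names are constructed.

```python
"""Added example, not code from the original post or from any Quest product:
turn Windows Security event records (the XML form that Event Viewer and
wevtutil export) into one who/what/when/where change feed, then correlate two
of them. The event IDs are Microsoft's; the two records are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Security-log event IDs for common Active Directory account changes.
WHAT = {
    4720: "user account created",
    4722: "user account enabled",
    4724: "password reset attempted",
    4726: "user account deleted",
    4728: "member added to global security group",
    4732: "member added to local security group",
    4738: "user account changed",
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

# Constructed records in the exported-XML layout; names are hypothetical.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4720</EventID>
    <TimeCreated SystemTime="2010-02-16T09:12:03.1234567Z"/>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">svc-backup2</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="SubjectUserName">jsmith</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4728</EventID>
    <TimeCreated SystemTime="2010-02-16T09:12:41.0000000Z"/>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">CN=svc-backup2,OU=Service,DC=corp,DC=example</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="SubjectUserName">jsmith</Data>
  </EventData>
</Event>
</Events>"""


def parse_time(system_time):
    """SystemTime carries seven fractional digits; datetime takes at most six."""
    main, _, frac = system_time.rstrip("Z").partition(".")
    stamp = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(microsecond=int((frac + "000000")[:6]))


def parse_events(xml_text):
    """Return one change record per <Event>: who did what, when and where."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        records.append({
            "event_id": event_id,
            "who": data.get("SubjectUserName", "?"),
            "what": WHAT.get(event_id, "event %d" % event_id),
            "when": parse_time(ev.find("e:System/e:TimeCreated", NS).get("SystemTime")),
            "where": ev.findtext("e:System/e:Computer", namespaces=NS),
            "target": data.get("TargetUserName", ""),   # account, or group for 4728/4732
            "member": data.get("MemberName", ""),       # DN of the added member
        })
    return sorted(records, key=lambda r: r["when"])


def flag_fast_privilege(records, window_seconds=600):
    """Alert when an account is created and then put into a privileged group
    within the window. The two events are separate log lines; only a view
    across them makes the pattern visible."""
    created, alerts = {}, []
    for r in records:
        if r["event_id"] == 4720:
            created[r["target"].lower()] = r
        elif r["event_id"] in (4728, 4732) and r["target"] in PRIVILEGED_GROUPS:
            member = r["member"]
            if member.upper().startswith("CN="):
                member = member[3:].split(",", 1)[0]
            origin = created.get(member.lower())
            if origin and (r["when"] - origin["when"]).total_seconds() <= window_seconds:
                alerts.append("%s created %s on %s and added it to %s %d seconds later" % (
                    r["who"], member, origin["where"], r["target"],
                    (r["when"] - origin["when"]).total_seconds()))
    return alerts


if __name__ == "__main__":
    for rec in parse_events(SAMPLE_EVENTS):
        print(rec["when"], rec["where"], rec["who"], rec["what"], rec["target"])
    print(flag_fast_privilege(parse_events(SAMPLE_EVENTS)))
```

Feeding the same function records gathered from every domain controller is the centralized view the native log lacks; the correlation window is the kind of policy an auditor wants written down rather than kept in an administrator's head.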

The fact is that IT organizations require a simple solution that:

  • Provides the who, what, when and where of all changes, including previous and new values, with the ability to add a comment on why a change was made, to satisfy audit requirements
  • Monitors and tracks all change events in real time across the network, eliminating the need for multiple solutions
  • Reduces risk by providing regulation-specific reporting, aligning with operational best practices and preventing leaks of sensitive data
  • Facilitates faster audits with less work for IT by generating predefined, custom and ad-hoc reports for the various stakeholders, including auditors
  • Controls costs by letting IT organizations use the same products to address compliance and security requirements and improve operational activities
  • Enables faster and smarter responses to threats or unusual activity as it occurs
It is time to reduce risk and take control of Windows auditing, compliance and security.
 

Peeling the onion layer on the web security inertia

Mandeep Khera, CMO, Cenzic February 11, 2010

An onslaught of cyberattacks, including some high profile breaches at Heartland Payment Systems, government agencies, Facebook, Twitter, RockYou, and, most recently, at Google, continues. Websites (web applications) across the globe remain vulnerable and ripe for hackers to exploit. Although good progress has been made in the last 12 months by some sectors, we have a long way to go when it comes to securing websites with a methodical and disciplined approach.

I wonder about the root cause of this inertia. If you knew that your house is likely to get attacked, wouldn't you try to fix all the doors and windows, get locks and alarms, and take other precautions? So, why is it that in spite of some well publicized attacks and regulations, there's not a massive adoption of a process and solutions to secure websites?

After talking to hundreds of companies, government agencies, and industry luminaries over the past few years, I have narrowed down the reasons behind this phenomenon to a few myths and real inhibitors, which I explained below.

Top 5 Myths around Web application security

It turns out that many IT professionals and business line managers still believe that their existing security measures are enough to protect their websites. Here are some of the common myths.

·         I have SSL so my web sites are secure: Secure Sockets Layer (SSL) has its place in protecting consumers' data in transit while they are conducting transactions online. However, it does nothing to stop hackers from hacking into websites; an attack payload travels over SSL exactly as a legitimate request does. So, the SSL lock symbols on most sites can be misleading.

·         I have never been hacked so I am fine: Gone are the days when hackers used to hack to gain fame. Now, most web hacking is done by organized criminals and in some cases by government sponsored organizations. These guys don't want you to know that you are being hacked. 

·         I can test my web application once a year: Every month there are 400+ new application-related vulnerabilities, and hackers know about them. Also, every time you change a web application, you have to verify that no new vulnerabilities were introduced.

·         Application Security is painful to implement: Although it's more difficult to secure web applications than the network layer and desktops, there are many easy solutions to get your process jump started. Like all initiatives, once you get going, the road gets less bumpy.  

·         I am PCI compliant: You have to protect your web applications to secure your most important asset – customer information. If your applications are secure, you'll pass the audit and comply with regulations. The reverse is not necessarily true.

Inhibitors

  • Budget: Many companies still haven't set aside a budget for application security. Often application security is part of a bigger bucket of security budget. If too much money gets spent on network security, identity management, data leakage prevention, etc., sometimes there's not enough left for applications.
  • Lack of education: Many IT people, especially in upper management, are not fully aware of the implications of securing their web applications.
  • Lack of expertise: Even when an organization is committed to implementing an application security program, it might not have the right expertise to create the right processes.
  • Unclear standards: Regulatory standards can help organizations focus on the right priorities and obtain a budget. Most current regulations are very broad on security without much clarity for application security.
  • Attacks are not publicized: In spite of continuous attacks at the web application layer, many of these attacks are not publicized at all, or are publicized without the application security breach being highlighted.

All indications are that cyberattacks at the web application layer will continue to rise in the coming months and years. With close to 80 percent of vulnerabilities in web applications and more than 75 percent of attacks happening through the websites, the question is not IF you will get attacked, but WHEN. 

It's very easy to get started with a web security program. There's a lot of help available to move you along the process. You just need to take that first step.


The Achilles Heel in IT security

Ben Khoushy, vice president endpoint security products, Check Point February 10, 2010

A larger, more mobile workforce carrying greater amounts of data on portable devices leaves confidential corporate data, customer information and intellectual property vulnerable to loss. Many of the smartphones and PCs used by mobile workers contain critical data but they don't have the appropriate security precautions in place.

According to Forrester, there are currently more than 34 million telecommuters in the United States, with analysts projecting the number of remote workers to reach 63 million by 2016. The trend is driving businesses to establish better IT measures to safeguard corporate endpoints.

Many organizations are quickly discovering endpoints — sometimes numbering in the thousands of network-connected PCs and devices — are the ‘Achilles' heel' of information security. To protect endpoints and keep pace with new compliance rules, enterprises have been rapidly deploying multiple endpoint security agents and technologies from an average of three to five different vendors. For IT administrators, the lack of integration can cause security management issues. Each new endpoint security component may require a separate management server, configuration profile, security policy, update schedule and pre-deployment compatibility testing. This can increase administrative overhead and management complexities.

Unifying endpoint security components into a single agent with centralized control helps IT organizations simplify endpoint security and reduce costs. A unified endpoint security strategy will:

  • Detect and block malware
  • Enforce policy compliance
  • Offer secure remote access to networks
  • Provide central management and efficiency
  • Be transparent to end-users
  • Secure information stored on endpoints

Protecting sensitive data on the go is critical, as the most common vectors of enterprise data loss stem from lost or stolen devices. Once a device falls into unauthorized hands, clear-text data on the endpoint becomes available for access and exploitation. Securing endpoint data includes full-disk encryption with pre-boot authentication, removable media encryption and port/device control, so that the data stays protected even if the device itself ends up in the wrong hands.

Total security requires companies to create, maintain and evolve an endpoint security strategy that is capable of growing with the organization to provide the best protection and investment. Most importantly, an effective endpoint security strategy employs technologies that allow businesses to scale fast and remain one step ahead of the threat landscape of tomorrow.


Preparing for the unknown unknowns

Peter Schlampp, vice president of product management and marketing, Solera Networks February 05, 2010

To many security professionals, buying solutions to prevent a security attack is their strategy to keep hackers out of their networks. But, in today's world of cyberincidents where hackers are becoming increasingly sophisticated, that simply is not enough. Inevitably, a security breach will happen because hackers will find a way to bypass your security monitoring mechanisms completely undetected.

Look at TJX for example. Three years ago, its security team found that hackers had gained access to its network 18 months prior. That means that for 18 months, a hacker went completely undetected by the security prevention measures deployed by the company.

Effective security strategy

While most organizations implement security tools that target prevention, those same organizations fail to understand the full spectrum of security. Prevention is only one part of the equation. Detection and incident response are arguably more important. 

  1. Prevention. We know prevention is not a 100 percent guarantee. Recent security breaches at Google, Adobe, The New York Times, T-Mobile, Heartland Payment Systems, LexisNexis, Visa, MasterCard, and even prominent security vendor Kaspersky provide proof that prevention is not an absolute.

What happens when a hacker is successful at breaking through your “secure” system?

  2. Detection. When a breach occurs, what happens next? That's where effective detection capabilities must take center stage. The ability to instantly address security incidents is a critical strategy organizations often neglect to implement, even though the cost of failure is so great.
  3. Network forensics / incident response. With a comprehensive incident response plan, you simply rewind the tape, like a surveillance camera at a bank that was just robbed. Network forensics provides organizations a rewind feature to quickly identify the true source and scope of any incident and even what happened to specific files, data, etc., so you can take immediate steps to rectify the situation. However, without the necessary network forensics tools and a plan, swift incident response is difficult to accomplish.

Three steps to preparedness

Typically, when a security breach is detected weeks, months or even years after the first incident occurred, the damage has been done. So, why do so many companies wait for a crisis? Forensic preparedness reduces the cost of response and helps determine exactly and instantly the data being compromised.

Preparedness might seem like an impossible task. How can we anticipate every threat out there? How does a company prepare for the unknown and unexpected? By addressing all three pillars of an effective security strategy – prevention, detection and incident response.

  1. Move past prevention. Since security professionals can only stop what they know, we must advance past the first pillar. The “unknown unknowns” will continue to roam in the wild and until they are identified and classified, prevention alone will not be sufficient. These threats will be targeting vulnerabilities we are not aware of. Just look at the vast number of recent security incidents, including Hannaford Bros., Network Solutions, American Express and many others. Eventually, vulnerabilities will be found and exploited and a breach will occur.
  2. Don't rely on compliance. Compliance is only a start, but regulations are really there just to provide a framework for — and force adherence to — good security practices. For those who believe they will not be hacked because they are compliant with industry standards, think again. It can and does happen; just look at the Heartland breach. While Heartland was compliant with the requirements of the Payment Card Industry Data Security Standard (PCI DSS), it still experienced the biggest breach ever involving payment card data. There are simply no guarantees when motivated attackers have an eye for your assets.
  3. Investigate, detect and fortify. Lastly, we must understand that securing our networks and data also includes swift detection of the source and scope of any security incident. This is critical to enable instant and intelligent response. Rapid detection of a breach is arguably more important than just trying to prevent one. This holistic perspective helps you know exactly what is going on within your networks. Then, when something questionable happens, immediate response to mitigate the incident provides more protection to your organization's bottom line and brand equity than prevention alone.


Why we need hackers

Jack Daniel, support engineer, Astaro February 03, 2010

In the United States, the term “hacker” carries a negative connotation. It conjures an image of a dark room filled with computers and a lone man attempting to break into bank or credit card networks to steal as much personal information as he can.

While there are plenty of “black-hat” hackers engaging in criminal activity for their own gain, the term hacker has an entirely different meaning. A hacker is simply a programmer for whom programming is reward enough. They tend to be curious individuals who test the limits of what is possible in computing. Unfortunately, the term has become synonymous with “cybercriminal,” and now that this image is etched into the consciousness of American society, there isn't much this unorganized group of people can do to restore their reputation. Articles like this one also make it difficult for ethical hackers to shed this image.

Strict interpretations of the DMCA, EULAs and other laws or regulations have made criminals out of "white-hat" hackers whose only goal is to test the bounds of computing. The truth is we need hackers. Hackers are some of the most computer-savvy individuals, and their unique knowledge can be helpful in all kinds of scenarios. For example, an organization can hire a hacker to find possible vulnerabilities in its network, or a network security company can hire a hacker to help create a more secure firewall or other security device.

While hiring true cybercriminals may not be advisable in all cases, to say that someone who was convicted of a cybercrime could never be trusted is laughable. Criminals reform, and these cybercriminals possess knowledge that possibly no one else has. Why not use their expertise to create a safer internet environment?

Other countries understand the distinction between cybercriminals and hackers. Some even create college programs that teach hacking techniques. Why? Because at the very least those who develop our network security solutions should understand how cybercriminals operate on a practical and technical level.


Visibility, speed, efficiency and the new dynamics of IT security

Amrit Williams, chief technology officer, BigFix February 02, 2010

There's an old Irish proverb, “May you be in heaven half an hour before the Devil knows you're dead,” that has special relevance to IT security these days. Over the past couple of years we have seen a rapid transformation of IT security threats from relatively slow moving, mass infection phenomena focused on inconveniencing IT operations to fast, stealthy, hit-and-run attacks targeting economically and national security sensitive data. While a multi-billion dollar industry has grown up to defend enterprises and consumers from mass infection security threats, the IT security industry is still in the early phases of coming to terms with targeted, under-the-radar threats that may do damage that victims may never discover.

These attacks succeed for three reasons. First, the attacker knows much more about the victim's IT infrastructure than the defender does. Second, the attacker understands that the faster they can move in, steal data, and disappear, the more likely it is that victims will never know they have been ripped off. Finally, the task of securing IT assets (hardware, software and the data they process) has become a complex, expensive undertaking that many organizations prefer to avoid.

The imperatives for IT are straightforward. First, gain deep real-time visibility into every asset on your infrastructure. This not only will reduce or eliminate the target knowledge advantage enjoyed by your adversaries, it makes possible the second imperative: Reduce remediation and change latencies to as near zero as possible. While this strengthens the first line of defense — closing off known vulnerabilities, a.k.a. disasters waiting to happen — it can also enable you to see and shut down abnormal behaviors as they play out. Finally, automate and consolidate systems management and security processes wherever possible. This cuts complexity, cost, and opportunities for error.

While these recommendations may sound like very tall orders, or like things your so-called trusted advisers have not told you, I can assure you that commercially available technologies exist today that provide a solid foundation for instilling the disciplines of visibility, speed and process efficiency. Getting to heaven is something no one can promise, but keeping the IT security demons in a state of ignorant impotence is definitely on the agenda.


How remote access can bridge the gap

Fred Kost, director of security solutions marketing, Cisco January 29, 2010

The Bay Bridge, connecting San Francisco to Oakland, Calif., carries approximately 280,000 vehicles per day. Many of those vehicles are transporting employees to their workplaces in the greater San Francisco-San Jose-Oakland area, which is why those of us who work at Cisco headquarters in San Jose were directly affected or know someone who was by the bridge's recent and unexpected shutdown. This debacle, caused by failing and falling bridge beams, left thousands of workers stranded, backed up in traffic, or forced to find alternate means of getting to work, such as circuitous commutes, ferries, or public transit. Others found alternate means of working.

Employees with remote access capabilities and those whose jobs do not require a full-time, in-person presence could telecommute during the bridge closing. Although this does not seem like a revolutionary notion in our day and age of anywhere, anytime work, with wireless access in every airport, hotel, and coffee shop, are most organizations gearing up all of their essential employees with the capabilities to work remotely? Can businesses ensure business-as-usual during major interruptions, such as severe weather, widespread employee illness, or bridge closings? New data suggests they cannot.

According to a recent Cisco-commissioned survey, 74 percent of the 502 IT decision-makers surveyed said that fewer than half of their employees were currently set up to work remotely. Asked why more employees did not have remote access, 38 percent said that business requirements did not necessitate it. And only 22 percent of those top decision-makers felt that their current remote access solutions have contributed to their disaster preparedness.

On the other hand, the same survey respondents touted the numerous benefits of remote access. Seventy-one percent of respondents said that employee productivity is a key business driver for providing remote access. Further, 62 percent said that their current remote access solutions had resulted in increased employee productivity, 57 percent noted an increase in employee satisfaction and 42 percent realized a reduction in overhead costs.

For years, companies have been doing business continuity and resiliency planning, purchasing backup generators for power outages, and backup networking equipment to avoid full-system failures. But where does employee flexibility fall in these plans? Currently, companies are on higher alert in light of the potential employee absenteeism that the H1N1 epidemic could cause. But if businesses (hopefully) make it through the flu season unscathed, will they lose sight of their business continuity planning? We in the Bay Area know this could be a mistake.

We haven't seen the last of the Bay Bridge closings, as these updates were only a stopgap while the long-term repairs for the bridge are being planned.

Your city or town may not be highly dependent on bridges, but no place is trouble-free. Severe weather, road closings, and illnesses can hit anywhere.

It seems to be a no-brainer to implement solutions that could increase day-to-day employee productivity, and, at the same time, ensure that businesses could operate seamlessly during blips.

The reliability of the Internet now is arguably as important as that of physical bridges. Reason being, the internet and all networks are essentially systems of figurative bridges connecting workers to each other and their crucial applications. This is why the graphical representation of a bridge graces the Cisco logo. Right now, we're thankful it's the Golden Gate and not the Bay Bridge.

Welcome to the 2010 SC Awards blog

January 15, 2010

Each year, SC Magazine celebrates the best and brightest leaders of the IT Security industry with the SC Awards. Award finalists have been recognized by the security community for the work they do every day in the trenches to help fight the battle for a more secure enterprise.

Along the way, these finalists gain valuable insight on some of the most pressing security challenges facing organizations. In this blog, our SC Awards finalist will share with you some of these insights, and lend their perspective to the most timely security issues of the day.

You can get news of a new blog posting – as well as other relevant IT security news and breaking stories of the day – from our website and our Twitter feed. While on Twitter, you may also follow our SC Awards Finalist Twitter list, where we collect the streams of tweets coming from all of our finalists on Twitter.

I am very excited to officially present to you the SC Awards Finalist blog, and hope you are able to glean valuable benefits from our Finalists' shared knowledge.

As a reminder, please make sure to book your tickets for the SC Award Dinner and Presentation soon. Tickets are available on a first-come first-serve basis. Click here to reserve your tickets today.

Sincerely,

Illena Armstrong


Deconstructing the latest security threat

April 20, 2009

Michael F. Angelo, chief security architect, NetIQ

It's clear that what we've been doing to ensure security has yet to bear its full fruit, as data breaches and attacks continue to make headlines. Recent hysteria over threats such as Conficker has done little to bolster confidence in our current security infrastructure. As security budgets are squeezed, yet another factor is poised to complicate our path to trustworthy enterprise security: government intervention via federal/state/local legislation.

Three members of Congress have recently co-authored Senate bill S 773, which contains a number of interesting ideas that intend to compensate for what is seen as the security industry’s current shortcomings. While its intent is notable, it introduces a number of issues that will adversely impact global commerce. Ultimately, these issues could spell disaster for any company leveraging the internet. 

The bill begins with standard platitudes: "To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications." Highly commendable, but what follows "... to improve and maintain effective cyber-security defenses against disruption, and for other purposes," encouraged me to read more closely.

The two sections that sounded alarms are Section 7 – Licensing and Certification of Cybersecurity Professionals (an ominous title to begin with) and Section 18 – Cybersecurity Responsibilities and Authority.

Section 7 mandates the creation of a national licensing certification program for cybersecurity professionals. All cybersecurity personnel must be certified within three years after the law is enacted. The law also states that it is unlawful to provide "cybersecurity" for any federal or critical infrastructure information system or network unless you are certified.

While required certification for security professionals could be valuable, the logistical nightmare the concept creates could easily outweigh its benefits. As security practices constantly change and technology is quickly updated, curriculum development presents a huge challenge. Additionally, who would own this certification process, pay for it and nurture it? These are only a small number of the red flags raised by this section.

Section 18 provides the president of the United States the ability to declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised federal government or United States critical infrastructure information system or network. It will also allow the president to order any federal government or United States critical infrastructure information system or network to be disconnected in the interest of "national security."

The worst case scenario is that a company would be disconnected from the Internet without warning and successfully isolated from corporate partners and, effectively, all real-world communication. Depending on your Internet reliance, this could disrupt your business for long periods of time with no way to remedy the situation. This type of disruption poses incredible risk that most organizations can’t afford.

This legislation brings to light the fact that we need ways to safely adopt technology, protect our organizations from ever-changing security threats and guarantee day-to-day operations. Until our priorities include security in a more comprehensive, business-enabling way, additional government intervention in the name of "protection" will be an unfortunate consequence businesses will need to endure – likely too high a price to pay for engaging in the global marketplace.

Recession busting: Using logs to beef up IT security

April 16, 2009

Pat Sueltz, CEO of LogLogic

As the recession continues, cybercrime and data breaches are on the rise—particularly from disgruntled, laid-off employees. According to a recent Symantec study, more than two-thirds of ex-employees have stolen data without the company’s knowledge, while the average data breach cost each company $6.3 million last year. When you look at the risks, it’s obvious that companies need effective security solutions. Meanwhile, tightened IT budgets magnify demand for trimming costs while maintaining strong security.

The problem here is not the technology, but rather, the approach. Historically, enterprises have invested in a variety of separate security solutions: log management, firewalls, security event managers (SIEM), database activity monitoring (DAM), intrusion prevention systems, anti-virus, etc. These all require separate deployments and maintenance costs. They work independently from each other, but as they strive to serve different functions, they also duplicate data collection and intelligence—the result being a lot of unnecessary work.

At the root of many security functions lies a common denominator—the log. Logs contain all the data you need to know about the security of your network and your data. You can capture logs once and use them for a variety of security and business purposes.

A recent report from Aberdeen Group found that best-in-class companies are embracing converged solutions to reduce the total cost of ownership for endpoint systems, while reducing the number of security incidents at the same time. With sound management, you can use the same logs for SIEM, DAM, regulatory compliance, network monitoring, and more. It all starts with the lowly log.

The groove theory, part 2: The essence of the GRC groove

March 31, 2009

Steve Schlarman, IT GRC product manager, Archer Technologies

In a previous blog entry, I explored, through an admittedly strange analogy, the connection of GRC and a funk ‘groove.’ I got to thinking – if GRC is so hard to define, what then should a technology-based GRC solution actually do?  I am glad I asked myself this question since it led to a bit of an epiphany for me.  Well -- I guess you couldn’t really label it an epiphany when I think the understanding was already there, but I felt the groove and went with it. Let me explain.

GRC solutions have a tough bill to fit. As I discussed in my earlier blog, GRC has to be different for every company. The company must find its own underlying groove such that the business can work with freedom, but in a controlled manner. GRC processes across companies have some resemblance; there are core elements that must be present for success. Technology should help bring those processes alive and make execution simpler. But this is where GRC solutions can sometimes fall down. Rigidity in GRC, like rigidity in music, is unacceptable and leads to very poor results. 

GRC technical solutions must support the key elements of GRC – policies, management oversight, control implementation, incident management and compliance -- but also allow the organization to insert its own intricacies and improvisations into the solution. The technology must set a reliable, solid base within an intelligent structure. The technology must also allow a path to support new processes and fold in maturing and evolving elements of the GRC functions.

I won’t take this analogy too far but just like the drums and bass provide the structure for a song, GRC technologies must provide the platform for the business to explore and discover new ground. GRC technical solutions should not be implemented to make the business conform blindly to rules but rather lock in on a foundation that can address new risks, new business processes and new needs. GRC can then enable the business to find its perfect melody. That is the essence of the GRC groove. 

Secure your company in a down economy

March 25, 2009

David Ting, CTO, Imprivata

With the story of the laid-off Fannie Mae employee trying to destroy company servers still fresh in our minds, I thought it might be time to take another look at possible preventative measures — hopefully so others can avoid a similar situation.

To catch readers up, in the time between when he was informed of being laid off and when he left the building, a Fannie Mae employee was able to plant a logic bomb that could have wiped out the data on their servers.

It’s widely believed that the economy isn’t getting better any time soon. Unfortunately, there will be more layoffs, more reorganizations, more disgruntled employees dismissed. There will also be more situations where IT staff are given limited lead time regarding layoffs – making it difficult to ensure employees are removed from all the systems they might have been accessing while employed – causing big potential for security risks.

This can be one of the biggest problems facing organizations — however, it can be avoided with the proper systems and processes in place.

To begin, IT staffs need to ask themselves: “Can we immediately revoke access of former employees, and alter access for employees whose job functions have changed?” “Are we fully aware of all applications and data that dismissed users would have access to – whether on our systems or via web apps?” “Do we know the potential damage if revocation is not immediate or all-inclusive?” If the answer is no to any of the above — and there’s real damage possible, either to assets or your company’s reputation — then you're at risk.

But what would have helped Fannie Mae? Or a company in a similar situation?

To prevent security breaches of this sort, you need to know what employees and consultants are accessing and how. You need more than just a username and password to do that successfully — you need to be able to track all authentication activity to prove employee identities, and deter bad behavior — as well as shut them down in a hurry, should they be terminated.

While having the means to revoke user privilege is important, visibility into the accounts that employees are currently using is just as critical to protecting the organization. This would let the IT team see what accounts and hosted applications are being used and by whom, allowing them to prevent a terminated employee from leaking out critical data or leaving a security risk behind on their way out. This is where auditing and password management functions are important – helping figure out what accounts are being used and by whom even before you have to close down access, and using the password management system to shut down access in one quick motion.

If there is any serious lag time between the elimination of all building and network access privileges, you could easily have another Fannie Mae on your hands. Part of the solution is policy, part of it technology, part of it is behavior — but with affordability of, and ease-of-use improvements in technologies that streamline deprovisioning and tracking — barriers are being removed, allowing organizations to actually treat this threat seriously.
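As an added example that is not part of the original post and not Imprivata's product, here is the reconciliation those three questions call for, written in Python: an HR termination feed is checked against account inventories pulled from several systems to find access that is still open, accounts used after termination, and accounts with no known owner. The employee ids, system names, usernames and timestamps are all constructed.

```python
"""Reconcile an HR termination feed with account inventories from several
systems: is every dismissed user's access revoked, how long did it stay open,
and was any account used after termination?

Added example; employee ids, system names and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    system: str                     # hypothetical system name: "ad", "vpn", "crm-saas", ...
    username: str
    owner: Optional[str]            # employee id the account maps to, None if unknown
    enabled: bool
    last_login: Optional[datetime]  # taken from that system's authentication log


# Constructed HR feed: employee id -> termination time (None = still employed).
HR_FEED = {
    "E100": None,
    "E200": datetime(2009, 3, 20, 9, 0),
    "E300": datetime(2009, 3, 18, 17, 0),
}

# Constructed account inventory pulled from each system's user store.
INVENTORY = [
    Account("ad", "jdoe", "E100", True, datetime(2009, 3, 20, 8, 30)),
    Account("ad", "bsmith", "E200", False, datetime(2009, 3, 19, 16, 0)),   # disabled promptly
    Account("vpn", "bsmith", "E200", True, datetime(2009, 3, 20, 13, 45)),  # still open, and used
    Account("crm-saas", "bsmith@example.test", "E200", True, None),        # the web app nobody listed
    Account("db-admin", "ops3", "E300", True, datetime(2009, 3, 18, 10, 0)),
    Account("crm-saas", "contractor7", None, True, datetime(2009, 3, 20, 11, 0)),
]

NOW = datetime(2009, 3, 20, 14, 0)   # time the audit runs (constructed)


def reconcile(hr_feed, inventory, now):
    """Return accounts to revoke (with hours of lag since termination),
    accounts that authenticated after their owner was terminated, and
    accounts whose owner cannot be established from HR data."""
    findings = {"revoke": [], "post_termination_logins": [], "unowned": []}
    for acct in inventory:
        if acct.owner is None or acct.owner not in hr_feed:
            findings["unowned"].append(acct)
            continue
        terminated_at = hr_feed[acct.owner]
        if terminated_at is None:
            continue  # still employed, nothing to do
        if acct.enabled:
            lag_hours = (now - terminated_at).total_seconds() / 3600
            findings["revoke"].append((acct, round(lag_hours, 1)))
        if acct.last_login is not None and acct.last_login > terminated_at:
            findings["post_termination_logins"].append(acct)
    return findings


def revocation_plan(findings):
    """Group the accounts to disable by system, so each system's admin
    interface or password manager is driven once rather than per account."""
    plan: Dict[str, List[str]] = {}
    for acct, _lag in findings["revoke"]:
        plan.setdefault(acct.system, []).append(acct.username)
    return plan


if __name__ == "__main__":
    f = reconcile(HR_FEED, INVENTORY, NOW)
    for acct, lag in f["revoke"]:
        print(f"REVOKE {acct.system}/{acct.username}: still enabled {lag}h after termination")
    for acct in f["post_termination_logins"]:
        print(f"ALERT  {acct.system}/{acct.username}: login after termination")
    for acct in f["unowned"]:
        print(f"REVIEW {acct.system}/{acct.username}: no HR owner on record")
    print("plan:", revocation_plan(f))
```

The lag figure is the number the post warns about: in the constructed data the VPN and CRM accounts were still open five hours after HR recorded the termination, and the VPN account was used in that window.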

2009: The year for virtual security

March 23, 2009

Tom Ashoff, vice president of engineering, Sourcefire
2007 was a breakout year for virtualization, when companies discovered the economic and organizational benefits in building out a virtual infrastructure. According to a survey conducted by Symantec in late 2007, 90 percent of the survey respondents were at least considering virtualization for their data centers, and 50 percent were actually implementing it. 

2008 was a year where organizations were digesting their purchases of virtualization products and starting to realize the management challenges associated with virtualization. Everything from performance and capacity management to troubleshooting and security administration becomes more difficult in a volatile, multilayered and often heterogeneous virtualized environment.

In the midst of dealing with the complexity of managing virtual networks, organizations have not paid sufficient attention to security. According to Stephen Elliott, IDC’s research director for enterprise systems management software, “We’re finding security is the forgotten stepchild in the virtualization build-out. That’s scary when you think about the number of production-level VMs (virtual machines).” IDC research indicates that 75 percent of companies with 1,000 or more employees are employing virtualization today.

Because of the lack of attention paid to securing virtual networks, there is a distinct possibility that 2009 will bring the first public security breach related to virtualization policies or technologies. As a result, in 2009 security will take center stage in virtual environments.

Compliance will also play a much larger role for virtualization this year. Until now, auditors have not focused on inspecting virtual networks to ensure they meet regulatory requirements. At some point we can expect that virtualization will explicitly be mentioned in standards such as the Payment Card Industry’s Data Security Standard (PCI-DSS) and organizations will have to determine how they can meet these compliance requirements.

As virtualization begins to reach maturity within the enterprise, a number of best practices can help mitigate the security risks that may be created:

1. Apply standard security practices to VMs as if they were physical.  These include anti-virus and anti-spyware agents, configuration control, and vulnerability scanning.

2. Segment VMs by the data they contain. Do not combine VMs containing sensitive data with VMs designated for QA or testing, for example.

3. Enforce isolation between network segments. Do not combine VMs in the same host if they are connected to network segments at different trust levels. 

4. Guard against VM sprawl by maintaining an inventory of VMs and the physical host they reside on.  All migrations should be documented and subject to a configuration control approval process.
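Practices 2, 3 and 4 above are all checkable mechanically once an inventory of VMs, hosts and network segments exists. The script below is an added example, not code from the original post or from any vendor product: it runs those three checks over a small constructed inventory. The record layout, the trust-level and data-class names, and the "inventory of record" from change control are all assumptions chosen for illustration.

```python
"""Policy checks over a VM inventory (added example; all data constructed).

Rule 2: a host should not mix sensitive and QA/test workloads.
Rule 3: a host should not carry guests on segments of different trust levels.
Rule 4: every VM must be in the approved placement record, on the host it says.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    host: str        # physical host the VM currently runs on
    data_class: str  # "sensitive" or "test" (assumed classification scheme)
    segment: str     # network segment the vNIC is attached to
    trust: str       # trust level of that segment, e.g. "dmz" or "internal"


# Hypothetical current inventory, as a discovery tool might report it
INVENTORY = [
    VM("db-prod-01", "esx-01", "sensitive", "db-vlan", "internal"),
    VM("qa-web-03", "esx-01", "test", "qa-vlan", "internal"),
    VM("web-dmz-02", "esx-02", "sensitive", "dmz-vlan", "dmz"),
    VM("app-prod-07", "esx-02", "sensitive", "app-vlan", "internal"),
    VM("build-11", "esx-03", "test", "qa-vlan", "internal"),
]

# Hypothetical approved placement from the change-control process
APPROVED_PLACEMENT = {
    "db-prod-01": "esx-01",
    "qa-web-03": "esx-03",     # approved for esx-03, but found on esx-01
    "web-dmz-02": "esx-02",
    "app-prod-07": "esx-02",
    # build-11 was never registered at all
}


def group_by_host(inventory):
    by_host = defaultdict(list)
    for vm in inventory:
        by_host[vm.host].append(vm)
    return by_host


def mixed_data_classes(inventory):
    """Rule 2: hosts running sensitive and test workloads side by side."""
    return sorted(h for h, vms in group_by_host(inventory).items()
                  if len({vm.data_class for vm in vms}) > 1)


def mixed_trust_levels(inventory):
    """Rule 3: hosts whose guests sit on segments of different trust levels."""
    return sorted(h for h, vms in group_by_host(inventory).items()
                  if len({vm.trust for vm in vms}) > 1)


def undocumented_moves(inventory, approved):
    """Rule 4: VMs missing from the record, or not on the host it approves."""
    findings = {}
    for vm in inventory:
        expected = approved.get(vm.name)
        if expected is None:
            findings[vm.name] = "not in inventory of record"
        elif expected != vm.host:
            findings[vm.name] = f"moved {expected} -> {vm.host} without approval"
    return findings


def audit(inventory=INVENTORY, approved=APPROVED_PLACEMENT):
    """Run all three checks and return the findings keyed by rule."""
    return {
        "mixed_data_classes": mixed_data_classes(inventory),
        "mixed_trust_levels": mixed_trust_levels(inventory),
        "undocumented_moves": undocumented_moves(inventory, approved),
    }


if __name__ == "__main__":
    for rule, hits in audit().items():
        print(f"{rule}: {hits}")
```

Run as a script it reports esx-01 for mixing a sensitive database with a QA web server, esx-02 for hosting DMZ and internal guests together, and two rule-4 findings (qa-web-03 moved without approval, build-11 never registered). The same checks can be fed from whatever inventory export the environment actually produces; the point is that the rules are simple enough to run on every discovery cycle rather than only at audit time.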

As regulatory pressure begins to emerge, IT security professionals must support best practices with tools that can help them do their jobs effectively—offering visibility into their virtual infrastructure; tracking where VMs reside, where they move to, and what other hosts they are communicating with; and providing the same level of security to their virtual infrastructure that they do to their physical infrastructure. 

If we are to truly benefit from the promises of virtualization, security must come to the forefront in 2009. Best practices and tools that offer a holistic approach for managing both physical and virtual network security are the answer, and can help the industry avoid a public and damaging wake-up call.
 

Best practices for preventing insider threats in a down economy

March 20, 2009

Hugh Njemanze, CISSP, founder, CTO and executive vice president of research and development, ArcSight

IT administrators, network managers and just about everyone else in the nation know that the economy’s condition can lead people to take actions they would not take in more affluent times. In fact, in stressful situations, people are more likely to partake in risky activity, whether it is malicious, criminal, negligent or otherwise. Organizations must be aware that in these tough times, the likelihood of suffering damage from insider activity is on the rise.

This should be of special concern to those tasked with safeguarding valuable data on the network, since a company’s data and intellectual property can help it swim in tough times — or sink it if the data and intellectual property are stolen or otherwise compromised. Luckily, technology can serve as a crucial weapon in the security administrator’s fight against intellectual property breaches.

Given these tough times and their potential consequences, early detection of and response to the insider threat are important when protecting valuable corporate assets. Technology solutions are available that focus on the needed detection and response. One worthwhile approach is through security information and event management (SIEM), which is designed to, among other things, monitor the activity of an organization’s IT environment and detect early-warning signs of malicious insider activity.

A SIEM approach to protecting information ensures that multiple avenues of risk for various types of intellectual property are assessed and continuously monitored:

  • Sensitive data – databases and file servers

  • Applications – custom, commercial, web and non-web-based applications

  • Identity management – LDAP, Active Directory and IDM solutions developed by companies like Sun and Oracle

  • IT infrastructure – firewalls, intrusion prevention, network gear, VPNs and physical security controls like badge readers, video analytics and RFID


Such a far-reaching and deep perspective of an enterprise’s environment helps address many essential questions: who is doing what, whether they should be taking those actions, how they are doing it, who and what is affected by the activity, who else is involved and how long the activity has been going on.
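The value of pulling those sources together is that a single source rarely answers "should this person be doing this" on its own; the correlation does. The following is an added example, not code from the original post or from any SIEM product: it normalises constructed events from a badge reader, a VPN concentrator and a file server into one stream and runs two insider rules over it, a VPN login by a user who is badged in on site (shared or stolen credentials), and a burst of reads on a sensitive share well above that user's daily baseline. The log format, user names, share name, baseline figures and threshold are all assumptions.

```python
"""Cross-source insider-activity correlation (added example; logs constructed).

Every event is reduced to (timestamp, source, user, action, detail); the
rules then reason across sources, which no single source could do alone.
"""
from collections import Counter
from datetime import datetime

# Constructed log lines; fields are tab-separated and already normalised
LOGS = """\
2009-03-19 08:02:11\tbadge\tjdoe\tbadge_in\tHQ-lobby
2009-03-19 08:15:40\tvpn\tjdoe\tvpn_login\t203.0.113.7
2009-03-19 08:30:05\tfileserver\tjdoe\tread\tfinance/q1-forecast.xlsx
2009-03-19 08:31:12\tfileserver\tjdoe\tread\tfinance/customer-list.csv
2009-03-19 08:31:50\tfileserver\tjdoe\tread\tfinance/pricing.xlsx
2009-03-19 08:32:07\tfileserver\tjdoe\tread\tfinance/salaries.xlsx
2009-03-19 09:10:02\tfileserver\tmsmith\tread\tfinance/q1-forecast.xlsx
2009-03-19 12:05:00\tbadge\tjdoe\tbadge_out\tHQ-lobby
2009-03-19 13:40:19\tvpn\tmsmith\tvpn_login\t198.51.100.23
2009-03-19 17:45:33\tbadge\tmsmith\tbadge_in\tHQ-lobby
"""

# Assumed per-user daily baseline of reads on the finance share,
# as it would be learned from historical data
BASELINE_READS = {"jdoe": 1, "msmith": 4}
SENSITIVE_PREFIX = "finance/"


def parse(log_text):
    """Turn the tab-separated lines into time-ordered event tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, source, user, action, detail = line.split("\t")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       source, user, action, detail))
    return sorted(events)


def vpn_while_on_site(events):
    """Rule 1: VPN login by a user whose latest badge event is badge_in."""
    present = {}   # user -> True if the last badge event was an entry
    hits = []
    for ts, _source, user, action, detail in events:
        if action == "badge_in":
            present[user] = True
        elif action == "badge_out":
            present[user] = False
        elif action == "vpn_login" and present.get(user):
            hits.append((user, ts.isoformat(), detail))
    return hits


def bulk_sensitive_reads(events, baseline, factor=3):
    """Rule 2: daily reads of the sensitive share above factor x baseline."""
    reads = Counter()
    for ts, _source, user, action, detail in events:
        if action == "read" and detail.startswith(SENSITIVE_PREFIX):
            reads[(user, ts.date())] += 1
    return [(user, str(day), n) for (user, day), n in sorted(reads.items())
            if n > factor * baseline.get(user, 0)]


def run(log_text=LOGS):
    """Apply both rules and return the findings keyed by rule name."""
    events = parse(log_text)
    return {
        "vpn_while_on_site": vpn_while_on_site(events),
        "bulk_sensitive_reads": bulk_sensitive_reads(events, BASELINE_READS),
    }


if __name__ == "__main__":
    for rule, hits in run().items():
        print(f"{rule}: {hits}")
```

On the constructed data both rules fire for jdoe and neither for msmith, whose VPN login happens while no badge entry is recorded and whose single read is within baseline. Both findings are still candidates for a human, as the post says: a badge reader that missed an exit, or a quarter-end reporting task, would produce the same events, so the output is a prioritised queue, not a verdict.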

Organizations must search out many different factors when monitoring for insider activities. Furthermore, every company has a different approach based on corporate culture, sensitivity of data and so forth. Also, while technology helps reduce the false positives and bring forward the most compelling events, human interpretation is always needed. Technology assists in rooting out the insider threat, but nothing beats human insight and experience.

In my conversations with CSOs and CIOs, it quickly becomes clear that they still see large gaps in the security postures of many businesses (including their own) when it comes to insiders. To remain competitive and keep their valuable information from appearing in competitors’ databases, organizations must take steps to address these gaps. By deferring action their risk increases, and by the time a publicly visible breach occurs, a company could find itself trying to mend a loss of customer and investor confidence, which in itself is likely to be a much more expensive proposition than an early and proactive investment in monitoring, detection, response and prevention would have been. It is essential that organizations assess their current security practices regarding insider activity and take proactive, preventive measures to detect and protect against undesired behavior. 
 

Why investigation management is ready for prime time

March 17, 2009

Tom Spadafore, CEO, VANTOS

More than ever, businesses around the globe are experiencing a rising volume of insider and outsider fraud and misconduct. Some crimes embody all of the intrigue and complexity of a John Grisham novel, while others are more of the Dilbert variety. But with today’s mandates for airtight regulatory compliance and stringent oversight, it has become imperative for enterprises to manage both types of investigations with the same approach and attention to detail.

The stakes are high. A mishandled investigation – or even one seemingly routine incident left unattended in the growing backlog of investigations – can have cataclysmic results.

The average large organization today manages hundreds of physical and digital investigations per year at a cost in the hundreds of millions of dollars, not counting the cost of settlements or fines. It is not uncommon for such a company to have as many as 20 investigators on staff – VANTOS has worked with a large financial institution that employs more than two hundred investigators. Clearly, the larger the staff and the greater the number of investigations, the more opportunities there are for inconsistencies and human error, ultimately resulting in lost time and money.

Compounding this issue is that many organizations still rely on antiquated tools and techniques. Even companies that have deployed point solutions still often find themselves at the mercy of pen, paper and spreadsheets. By relying on manual approaches, organizations find themselves reactive and off-balance, unable to scale and streamline their efforts to tackle the mounting backlog of investigations. Instead, each investigation remains a silo of activity with results shaped by investigator bias, potentially turning even a seemingly minor, isolated incident into an enterprise-threatening catastrophe.

The good news is that there is a better way. Any investigation can be automated to execute faster, more consistently and more successfully. By optimizing the organization’s limited resources and driving consistency with automated investigative processes, the time and cost of investigation management is significantly reduced; ultimately driving better business outcomes.

So the next time your team is grappling with theft, ask your investigators what steps they are taking to ensure that their investigation management process can withstand rigorous auditability, vigorous legal attacks and stringent regulatory scrutiny.
 

Should the federal government go open source?

March 12, 2009

Recently, a group of open-source executives wrote an open letter to President Obama, requesting that he "make the use of open source software a key component of every new technology initiative the United States government enters into.” Several different opinions have been floating around cyberspace on this since the letter was published. Some believe this is the way to help cut costs in the future, others believe it’s a waste of time.

One question that has also come up is the notion of whether open source software would improve security because there would be visibility at every level, and if there is any organization that demands the utmost security, it’s the U.S. government.

As you’ve seen from our recent posts, this blog is all about sharing insights from the industry’s top brains in security. So what do you think? Can the government create the most secure software with open source? What would be the best applications – digital health records? What would be some other implications of government moving toward open source?

I look forward to seeing your thoughts here.
Chuck Miller
 

The security-business disconnect

March 11, 2009

Kent Anderson, CISM, managing director, Encurve, LLC and member of ISACA’s Security Management Committee

In a recent ISACA survey on the top business and security issues for 2008, more than 80 percent of security professionals reported that “security risks [are] either not known or only partially assessed.”  If the security professionals charged with (and paid for) protecting information assets don’t understand risk, who does?

What is more frightening is the thought that billions of dollars are invested in IT security every year without understanding exactly what we are protecting against.  This is probably the best explanation of why security problems just keep getting worse.  These and other gloomy statistics point to a worrying problem: Business as usual in the security profession isn’t working.

Part of the disconnect between practitioners and understanding risk is a narrow-minded focus on technology.  New and disruptive technologies are introduced continuously, and security managers too often jump for the first vendor that offers any type of solution without a thorough understanding of the risks involved, how they might affect the organization or what it takes to manage the vendor’s solution.  In other words, they can’t see the forest for the trees.

Real understanding of risk requires a focus on the organization’s business.  Too often, security managers think that a business focus on security means producing another fudged ROI to justify the purchase of yet more technology.  It doesn’t.  It means understanding the impact of threats on the business, and to do this necessitates collaboration throughout the organization – finance, audit, legal, HR and all the other business units.

Technology should not be ignored – it is an important element of the risk equation.  However, when we take a more business-oriented view of security, three other elements quickly become clear – people, organization and process.  In fact, when we look at why security technologies fail to live up to expectations, it is usually one or more of these other facets that is missing.  For example, how often have we seen a security tool not perform because there was no process to configure it or properly analyze its output?  How often has a security solution failed because it proved too cumbersome to integrate with existing business infrastructure?

The security profession needs a new business model for security that incorporates each of these elements and addresses the interplay between them. We need to communicate security in business terms, not technical, and we need to understand risk as it affects the organization and its operations. This is not easy and necessitates a much more proactive approach. However, when risks are understood in this strategic fashion, the organizational, process and people concerns can be addressed and communicated. Only then can we begin to realize a true risk-based approach to security; only then will we be able to make informed decisions related to the selection and operation of security controls – ones that truly reduce risk and close the disconnect between security and business.

 
 

The Groove Theory Part 1: Defining GRC? Fogetaboutit!

March 09, 2009

Steve Schlarman, IT GRC product manager, Archer Technologies

Rocco Prestia, the bass player for the funk band Tower of Power, was once asked to define “groove”.  He scratched his scraggly beard and with his inimitable gravelly voice told this anecdote:

“Imagine yourself walking down the street with your buddies - your closest friends - on a Saturday night.  Everyone is feeling great, you all have that swagger in your walk, and all the vibes are just right. Then, one of your friends picks up a rock and throws it through a store window. Well, he just messed up the groove.”

I paraphrased a bit but I am sure you are asking yourself, “Now, what does this have to do with GRC?” There are many people in the industry who are trying to define GRC. Everyone is coming at it from different angles – the risk managers, the security gurus, the auditors, the C-Suite. But I have a simple theory – GRC, like groove, is indefinable. By that I mean that you can define the components of GRC – the oversight functions, the policies, the processes, the controls, etc. – just like Rocco could have talked about tempo, rhythm patterns, tone, and all of the musical theory components of a song. But those things are all peripheral to the bottom line. Groove is about collaboration and anticipating direction of your fellow band mates. When asked about groove, Rocco made one thing perfectly clear: “If it ain’t there, make no mistake - you’re going to feel it”. 

My point is this: GRC is more than just a sum of the parts of implementing a well controlled environment. GRC embodies the flow within the organization created when people are working together with strong communication to move the business forward in a meaningful and ordered manner. When processes are well defined, controls are implemented, risks are being managed, then the business, through strong collaboration among their individual  business units, can be free to make beautiful music.  

But before I go too crazy with this analogy, I’ll sum it up. GRC can’t be defined across the board; each company must find its own groove that underpins the business and makes them successful. GRC is the discipline that lays down the foundation upon which the business can move freely and unrestricted knowing that the risks and dangers of today’s environment are accounted for and controlled. That doesn’t mean the business goes off willy-nilly into high-risk situations at will, but that there is an established strategy to enable the business to implement new ways of doing business, open new markets or explore any of the other growth activities that can fuel a successful business. So stop worrying about defining GRC - focus on finding your company’s groove and let the business lead the way.
 

Protect your business reputation

March 04, 2009

Stephen Pao, vice president of product management, Barracuda Networks

Nearly 75 percent of internet vulnerabilities occur at the application layer, and for most companies the website is the main web application. Hackers employ a number of techniques to attack websites -- from SQL injection to cross-site scripting -- all of which can lead to website defacement, theft of personal information, denial of service, or a combination of malicious outcomes.

Unfortunately, it is relatively easy to leave web applications exposed – it only takes an unsecured web server or minor code flaws following repeated updates. As much as 70 to 90 percent of web applications act as carriers of application vulnerabilities. Businesses of all sizes must urgently review how they can best protect against current and new forms of web-based attacks.

Efforts to ensure safer practices for online retail are outlined in the Payment Card Industry Data Security Standard (PCI DSS), which mandates that all web applications that accept and store credit card and other account information must either undergo an extensive audit of all custom application code or implement a web application firewall to protect web servers from hackers attempting to exploit any application code vulnerabilities.

This is why many e-commerce businesses are choosing to invest in a comprehensive web application firewall. This option protects web applications from the common classes of attack at the HTTP layer, and adds a layer of security in front of the application regardless of the quality of its code. Web-application security solutions provide broad protection for web applications and also offer traffic management capabilities to improve performance, scalability and manageability in a demanding data center environment.

Equally important to an organization’s web application security strategy is ensuring that good coding practices are implemented and that external audits occur on a scheduled basis. Web application firewalls are a good way to augment such practices and are particularly useful when an organization’s applications change quickly, use legacy code, or when there’s simply too much code to fix.

The internet helps businesses to establish a global presence, conduct transactions and deliver real-time communications; however, businesses must also invest in greater levels of defense for their websites. By increasing security measures, businesses can save themselves the great expense and public humiliation associated with an attack on their website. Such measures also ensure that your website is a safe place to visit and demonstrate a commitment to customers and clients.
 

Thoughts on Cloud Computing and SaaS

March 03, 2009

Sam Masiello, VP of information technology, MX Logic 

Frequently when there is a new, hot buzzword, developers and organizations that want to be on the bleeding edge frantically try to figure out how to make their technology fit into the definition of that term so that they can also appear as if they are leaders, not followers. Typically, this fosters a sense of confusion for people on the outside looking in. "The Cloud" and "Cloud Computing" are recent examples that fit squarely under that umbrella. For example, I often hear people using the terms "Cloud Computing" and "SaaS" (Software as a Service) interchangeably, and I feel that there are some fundamental differences between the two.
 
I generally define "The Cloud" as an abstraction to illustrate any network or service sitting outside network infrastructure that you have direct control over. For example, in the case of a small company or enterprise, this could be their border routers that connect them to the rest of the internet. Cloud Computing and SaaS are examples of services that reside in "The Cloud." Where I believe Cloud Computing and XaaS (“as a service” offerings, in their many varying flavors) differ is that Cloud Computing refers to technologies that enable users to access large-scale technology-enabled services outside their own network. It is a convergence of third-party tools and services and internet technology. That is a broad definition, but the Cloud Computing term is a large umbrella under which other terms are defined.

There is a lot of overlap between Cloud Computing and the different XaaS definitions; however, there are some distinct subtleties that make them unique. For example, SaaS providers deliver and manage their technology remotely and take the complexity out of managing the solution yourself, typically using a revenue-per-user (RPU) business model. Many companies instead run their own on-site filtering solutions managed by their IT departments; these are frequently difficult to maintain and are rarely on pace with the latest internet threats. Another XaaS model that has been gaining momentum lately is IaaS (Infrastructure as a Service), such as Amazon's Elastic Compute Cloud (EC2). IaaS environments function more as virtual infrastructures utilizing a pay-for-use model, enabling organizations to focus on their core competencies and less on the complexities and costs of running and maintaining a server farm.
 
Cloud Computing and XaaS environments work well for companies who strive to focus solely on their core competencies. Tasks such as running a server farm, maintaining customer relationship management tools, and spam filtering are complex tasks, difficult to do well internally, despite the best efforts of already strained IT departments. With many businesses looking for every way possible to reduce costs and increase efficiencies, outsourcing functions outside of their core competencies is an effective way to reduce total cost of ownership, maintain a high level of effectiveness, and free up critical IT staff resources. 
 

Securing disruptive technology with proven best practices

March 02, 2009

Michael F. Angelo, chief security architect, NetIQ

Success in today’s world is often predicated on the ability to improve/expand/grow business with the adoption of potentially disruptive technology, which is any technology that fundamentally changes the way we are currently operating or will operate. Past examples of disruptive technology include the internet, the PC, and mobile computing. Looking on the horizon, disruptive technology includes virtualization and cloud computing. Security has the task of minimizing any negative impact to the existing infrastructure that may be caused by the disruptive technology. While the world would be a better place if all security incidents had mandatory warnings – e.g., “Warning something bad will happen in 10 seconds” – nothing like this exists.

Three things come to play in handling security for disruptive technology:

  • Our ability to understand how the new disruptive technology should work.

  • Our ability to determine the practicality of its requirements.

  • Our ability to detect and react when things go wrong.


Understanding disruptive technology is critical for any security professional. That understanding enables us to analyze the technology and perform an initial risk assessment before implementation. When dealing with disruptive technology, a failure to perform a risk assessment can lead to a serious security event such as loss, failure of the infrastructure, or even failure of the business.

Taking as an example virtualization technology, we see two basic implementations: hosted and non-hosted. A hosted environment (a type 2 hypervisor) runs the virtual machines on top of a full general-purpose O/S, while a non-hosted environment (a type 1, or bare-metal, hypervisor) runs them on a minimal O/S. The hosted environment provides the ability for monitoring via the hosting O/S, as well as segregated environments for the virtual machines (VMs) to run in. The non-hosted environment gives up a level of monitoring ability, yet provides cleaner segregation of VMs, a smaller attack surface underneath them, and arguably better performance. If sandboxing (as a security feature) of an environment is more critical than monitoring, one might choose one virtualization technology over another.

When evaluating technology like virtualization or cloud computing, make sure to look for sanity or practicality. For example, if a virtualized environment requires sandboxing, then it is mandatory that what the author calls reverse inheritance is prohibited: a guest must not be able to acquire privileges from, or reach back into, the host or the other guests.

Unfortunately, understanding the environment and checking requirements might not be sufficient protection for a disruptive technology. All such technologies should therefore be blueprinted or benchmarked while in a well-behaved state. Blueprinting and benchmarking can then be used to determine if something goes amiss. The results can also be used as part of the mitigation analysis. The bottom line is that an understanding of the technology and potential issues enables us to perform the analysis and react to the threat.

Sanity checks and a basic understanding of various disruptive technologies are not really new concepts in the security arena. They are what security professionals do when any new technology (disruptive or not) is placed in our environment today. The reason I have written about them is because, while they are security fundamentals, we do not always follow them. At the end of the day, disruptive technology may be shiny, new, and cool, although it still requires us to follow the basic security practices we have used for years. Over time, the tools change, but the security fundamentals stay the same.
 

Gone is the era of yes/no questions

February 27, 2009

Ian Amit, director of security research, Aladdin Knowledge Systems

It used to be easy to be in the security industry. All you had to do was develop products that said “nay” or “yea” on given content deemed secure or not. That is so 2007… As we witnessed during a turbulent 2008, the ability to decide whether given content is malicious or not is much more complicated. Here are some of the elements that used to help us walk down the decision tree of security software logic:

  • Source. If the content came from a website that’s no good (catering to hacker forums, storing malicious files, and even hosted in a foreign country – or with a less than appropriate top level domain such as .cn or .ru), security software used to be able to say “nay.” Back to the present – we see most of the malicious content and attacks come from .com sites, hosted in the U.S., and most likely on legitimate sites unknowingly serving malware.

  • Looks. Web-based threats used to be a relief for security scanning software – everything is plaintext, and it is easy to figure out what a piece of code is trying to do just by “looking” at it. Reality: Enter obfuscation. Most (if not all) malicious code we see nowadays on the web is obfuscated to a level where a standard language-driven algorithm would just shoot itself. The vast capabilities endowed on browsers these days make it very easy to hide malicious code in a scrambled and dynamic fashion such that standard security software won’t be able to see it.

  • Distinction. Back in the day, if something looked suspicious, it was blocked. Reality: Legitimate and malicious content are intertwined and exist in the same context in most modern web attacks. It’s hard to just say “nay” to a page full of legitimate content when it has just a few pieces of malicious content. Simply blocking sites and pages does not work, especially when (as noted above) most of the attacks come from legitimate sites whose content is vital to business.
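The "looks" and "distinction" points above amount to a change in the shape of the decision: score individual script blocks on a page with several weak signals and act on the block, not on the page. The following is an added example, not code from the original post or from any Aladdin product: a deliberately small heuristic scorer that looks for hex and percent escapes and for the usual decode-and-execute APIs (eval, unescape, String.fromCharCode, document.write), then strips only the script blocks that score as malicious and leaves the rest of the page alone. Both script samples are constructed for the example (the "obfuscated" one decodes to nothing harmful), and the feature weights and threshold are assumptions; a production engine would add emulation and reputation on top of heuristics like these.

```python
"""Per-script scoring instead of per-page yes/no (added example; samples constructed)."""
import re

# An ordinary page script
BENIGN = r"""
function showMenu(id) {
  var el = document.getElementById(id);
  if (el) { el.style.display = 'block'; }
}
"""

# Constructed in the style the post describes: hex-escaped strings, a
# percent-encoded payload passed to unescape() and eval(), and a tag built
# from character codes. It is harmless; the shape is what matters here.
OBFUSCATED = r"""
var _0x4a=["\x65\x76\x61\x6c","\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65"];
eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%29'));
document.write(String.fromCharCode(60,105,102,114,97,109,101,62));
"""

# Decode-then-execute APIs that legitimate page code uses rarely
SUSPICIOUS_APIS = re.compile(
    r"\beval\(|\bunescape\(|String\.fromCharCode|document\.write\(")
# \xHH and %HH escapes, the raw material of string-level obfuscation
ESCAPES = re.compile(r"\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}")

THRESHOLD = 5.0   # assumed cut-off; tune against real benign traffic


def features(script):
    """Extract the weak signals the score is built from."""
    lines = script.splitlines()
    return {
        "api_hits": len(SUSPICIOUS_APIS.findall(script)),
        "escapes": len(ESCAPES.findall(script)),
        "longest_line": max((len(l) for l in lines), default=0),
    }


def score(script):
    """Weighted sum of the features; escapes are capped so one long
    string literal cannot dominate the score on its own."""
    f = features(script)
    s = 2.0 * f["api_hits"]
    s += min(f["escapes"], 20) / 4.0
    if f["longest_line"] > 200:        # minified and packed code is usually one line
        s += 2.0
    return s


def verdict(script):
    """Three-way outcome rather than yes/no: block, hold for review, or allow."""
    s = score(script)
    if s >= THRESHOLD:
        return "block-script"
    if s >= THRESHOLD / 2:
        return "review"
    return "allow"


def filter_page(scripts):
    """Keep the page; drop only the script blocks that score as malicious."""
    kept, dropped = [], []
    for s in scripts:
        (dropped if verdict(s) == "block-script" else kept).append(s)
    return kept, dropped


if __name__ == "__main__":
    for name, s in (("benign", BENIGN), ("obfuscated", OBFUSCATED)):
        print(name, features(s), score(s), verdict(s))
    kept, dropped = filter_page([BENIGN, OBFUSCATED])
    print(f"kept {len(kept)} script(s), dropped {len(dropped)}")
```

The benign sample scores zero and the obfuscated one scores 13, so the page is served with one script removed rather than being blocked outright. The "review" band is the practical admission the post is making: with signals this weak, a middle outcome that a human or a heavier analysis can resolve is more honest than forcing every script into yea or nay.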


I’m not writing this to paint a grim picture – just the opposite. We are facing a new era: An era of innovation, of change (I know someone said that before me so I’ll just ride on the wave of success), and of better security. This new reality will transport us as a community and as an industry to new realms, where we no longer have to answer simple-minded yes/no questions. Welcome to the era of enabling, of providing all the new tools, technologies and content to whoever wants them – securely. No longer are these the days of “no Facebook at work” — welcome the days of “Facebook at work is great – but no messaging, chat or game applications between 9 and 5.” Welcome to an era where all web sites are treated equally, and access is “always on” (but we’ll keep the bad parts out).

Welcome to change. Embrace it and get ready for 2009!
 

Navigating New Data Security Mandates

February 23, 2009

Malte Pollmann, chief product officer, Utimaco

Following the 2007 data breach at retailer TJX, the recent breach at Heartland Payment Systems, and a string of high profile data blunders in between that have compromised millions of customers’ data, lawmakers have finally taken notice and are making data security a priority.

In Massachusetts, for example, new legislation requires all companies (even those located outside of state boundaries) that hold personal information of state residents to encrypt that data on laptops or portable devices.  Nevada enacted a similar law last October, while New York, California and others are considering related legislation. Though industry-specific legislation, such as HIPAA and PCI, and breach notification mandates have been in place for a while, data security mandates are only now beginning to sweep the nation, often forcing companies to demonstrate compliance in advance of short deadlines and with little support.

To comply with state regulations, companies should first have a comprehensive written information security plan and designate at least one person to maintain it. For smaller companies that lack dedicated IT and security resources, it is wise to work with an IT consultant with a security background to create a custom plan.

Fortunately, many businesses have already implemented some critical first-steps, such as firewalls and anti-virus software. While these measures help, they will not suffice for companies looking to comply with existing mandates. This brings us to a key technology necessary for protecting data: encryption.
Encryption has long been recognized by security experts as being the most effective way to secure data by making it unreadable to unauthorized users — and it will become even more prevalent as state mandates often require laptops, portable media and email be encrypted and that encryption keys be secured to ensure adequate protection against data loss.

Businesses looking to deploy encryption have a variety of options and should look at their individual needs when developing an encryption strategy.  For ease of management, businesses may want to invest in automated key management systems that can be coupled with encryption solutions. Smaller businesses can purchase PC encryption software that provides strong security without the need for elaborate key management systems. Many businesses choose to deploy full disk encryption, which protects all of the information stored on the disk. With this option, users do not have to pick designated files or directories to encrypt, nor do they have to worry about temporary system files that may also contain sensitive data.
 
Above all, do not become overwhelmed by these new regulations. Costs associated with meeting requirements can be phased to address the most high-risk systems first. Users can — and should — be trained in security procedures for correct handling of sensitive data. Look at how cash is protected in companies, where only specific employees with access rights are allowed to handle cash. Now that sensitive data is recognized as something of value, it should be approached with the same cautious philosophy.

Increased state regulation will undoubtedly cost money and resources upfront, but provide the opportunity for companies to examine their business process and look for ways to make it more efficient.  Data is the lifeblood of any company, so remember to treat it as such and take all precautions to protect data and ensure compliance.  
 

Security budgets

February 19, 2009

Caleb Sima, CTO, Applications Security Center (and former co-founder and CTO of SPI Dynamics)

All organizations are affected by the economy’s ups and downs, so it’s no surprise that managers are reevaluating their IT budgets during these tougher times. However, according to the big three analyst firms – Forrester, Gartner and IDC – security will remain a key technology IT managers will invest in despite the current economic situation. 

In fact, a recent Forrester survey polled more than 1,200 North American security decision makers in enterprises large and small and found that security spending is on the rise.  According to Forrester, security investment was about 8 percent of the total IT operating budget in 2007, but that figure edged toward 10 percent in 2008.  In these difficult economic times, though spending on many IT projects may be on the wane, security will remain about the same.

So, why do we continue to hear about organizations facing data breaches if security budgets are increasing?  The question enterprises should be asking themselves is: “Are we investing in the right tools to win the fight against the latest security threats?”

Let’s think back to the year 2000.  Remember the new virus that brought the availability of e-mail servers to a crawl across the globe?  Denial of service attacks knocked even the best-known e-commerce sites offline.  Throughout the earlier part of this decade, viruses that spread through email and memory-resident worms such as Code Red, SQL Slammer, and MS Blaster were the greatest threats. Defenses primarily consisted of anti-virus, anti-spam, firewalls, and network vulnerability scanners. Now, the good news is that these tools have done a relatively good job of securing email and network-level traffic. The bad news is that criminal hackers have set their sights on web servers, web sites, and applications, but security budgets are not being allocated to protect them.

Unlike networks and email, web applications can be infiltrated in a number of ways.  Attacks are made possible by misconfigured web servers and by applications that haven't been designed with security in mind from the start.

The Web Application Security Consortium (WASC) found that 85 percent of more than 31,000 websites scanned had application vulnerabilities that could give hackers the ability to read, modify and transmit sensitive data. How should you invest your security budget to win the fight against these latest security threats? 

To achieve sustainable security, web applications need to start secure to stay secure.   Web applications should be built using secure coding practices, tested by quality assurance teams for security vulnerabilities, and monitored continually in production. This should all be standard procedure in the lifecycle of an application.

Security spending must keep pace with the latest threats.  To beat the hackers at their game, organizations must look beyond viruses, spam, and firewalls. By investing in application security technologies and building security into the application lifecycle, smart companies can protect their most valuable online assets.
 

Next generation access management

February 17, 2009

Amit Jasuja, VP Product Development, Oracle

In the first incarnation of access management solutions, we put up walls around the perimeter and allowed people a single sign-on access experience to the applications behind the wall if they presented the appropriate credentials. At the time, this centralized control allowed us to provide better security, a better IT service level and a much improved end-user experience.

Unfortunately, the centralized control these earlier-generation systems provided was coarse-grained access control – the decision to grant access to an application was either a yes or no decision. Once a user had been granted access to an application, it was up to the application itself to police what the user can do.

Not too long ago, we met with a customer in the financial services industry who explained that they continued to provide loans to Enron during the collapse of the energy company, because their risk management applications were out of sync with the policies that were set in their lending applications. Had a centralized, fine-grained entitlements solution been in place at the time, the lending applications would never have approved the loans to the failing Enron.

Recent shifts in application development practices (such as SOA, re-usable and loosely coupled services, etc.), as well as stricter governance policies, have created a need for a new generation of access management technologies. This new generation of fine-grained authorization solutions can allow or deny very specific actions within the applications based on policies and other contextual information. These new access management systems allow authorization policies based on entitlements and roles to be created and managed outside of the applications themselves. Using these systems, organizations have a holistic view of authorization and access policies across all applications. A change in business policy can be addressed in the authorization solution as a change to a rule or an entitlement, eliminating the need to re-code the policy changes in all connected applications. Further, should it even be the IT team’s responsibility to code and re-code policy logic into the business applications, or isn’t the organization better served by having these people focus on the business logic itself?

The need for centralized, fine-grained entitlements solutions is not limited to the financial world. For example, healthcare institutions can create and administer policies that allow physicians to view patient information only for patients directly under their care, and only when they are on duty, and this set of policies can be enforced at all relevant applications.

While a centralized, coarse-grained access control system was a tremendous improvement over the siloed security approach that existed previously, a similar approach to centrally manage fine-grained entitlements and authorizations was still needed. This next generation of access management solutions addresses this requirement, allowing an organization to standardize access and authorization controls across all systems. A fine-grained entitlements solution aligns itself with the service-oriented development methodologies that are the new norm. As more organizations move to a service-oriented security model, business applications will be able to come online more quickly and securely than ever before.
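The externalized, fine-grained authorization described above, as an added example that is not Oracle's product or the author's code: rules live in one policy decision point, and both the hypothetical EHR and lending applications delegate their decisions to it. The subjects, patient identifiers, shifts and the counterparty risk ratings are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    """What a calling application hands to the PDP: who, what, on which resource, in what context."""
    subject: str
    action: str
    resource_type: str
    resource: dict      # resource attributes supplied by the calling application
    context: dict       # environment attributes, e.g. the current time


@dataclass(frozen=True)
class Policy:
    action: str
    resource_type: str
    description: str
    condition: Callable[[Request, dict], bool]   # (request, subject attributes) -> bool


class PolicyDecisionPoint:
    """Central store of entitlement rules; applications ask it instead of hard-coding policy."""

    def __init__(self, policies: List[Policy], directory: Dict[str, dict]):
        self.policies = list(policies)
        self.directory = directory   # subject id -> attributes (roles, patients, shifts)

    def decide(self, req: Request) -> Tuple[bool, List[str]]:
        """Deny by default; permit only when every policy for this action/resource holds."""
        attrs = self.directory.get(req.subject)
        if attrs is None:
            return False, ["unknown subject"]
        applicable = [p for p in self.policies
                      if p.action == req.action and p.resource_type == req.resource_type]
        if not applicable:
            return False, ["no policy covers this action and resource type"]
        failed = [p.description for p in applicable if not p.condition(req, attrs)]
        return not failed, failed


# Rule building blocks. A business policy change is an edit to POLICIES, not to every application.
def has_role(role: str) -> Callable[[Request, dict], bool]:
    return lambda req, attrs: role in attrs.get("roles", set())


def patient_under_care(req: Request, attrs: dict) -> bool:
    return req.resource.get("patient_id") in attrs.get("patients", set())


def on_duty(req: Request, attrs: dict) -> bool:
    now = req.context["now"]
    return any(start <= now < end for start, end in attrs.get("shifts", []))


def counterparty_not_distressed(req: Request, attrs: dict) -> bool:
    # The risk-management view that the lending application in the text was out of sync with.
    return req.resource.get("counterparty_risk") not in ("distressed", "default")


POLICIES = [
    Policy("view", "patient_record", "subject must hold the physician role", has_role("physician")),
    Policy("view", "patient_record", "patient must be under the subject's care", patient_under_care),
    Policy("view", "patient_record", "subject must be on duty", on_duty),
    Policy("approve", "loan", "subject must hold the lending-officer role", has_role("lending_officer")),
    Policy("approve", "loan", "counterparty must not be rated distressed", counterparty_not_distressed),
]

# Constructed directory of subjects and their attributes (one shift on a single sample day).
DIRECTORY = {
    "dr_lee": {
        "roles": {"physician"},
        "patients": {"P-1001", "P-1002"},
        "shifts": [(datetime(2009, 2, 17, 8, 0), datetime(2009, 2, 17, 18, 0))],
    },
    "a_lender": {"roles": {"lending_officer"}},
}

PDP = PolicyDecisionPoint(POLICIES, DIRECTORY)


def at_hour(hour: int) -> datetime:
    """Helper for the constructed sample day used by the shift above."""
    return datetime(2009, 2, 17, hour, 0)


def ehr_view_record(user: str, patient_id: str, now: datetime) -> Tuple[bool, List[str]]:
    """The hypothetical EHR application delegates the decision to the PDP."""
    return PDP.decide(Request(user, "view", "patient_record",
                              {"patient_id": patient_id}, {"now": now}))


def lending_approve(user: str, loan_id: str, counterparty_risk: str) -> Tuple[bool, List[str]]:
    """The hypothetical lending application delegates the decision to the PDP."""
    return PDP.decide(Request(user, "approve", "loan",
                              {"loan_id": loan_id, "counterparty_risk": counterparty_risk}, {}))


if __name__ == "__main__":
    print(ehr_view_record("dr_lee", "P-1001", at_hour(10)))   # (True, [])
    print(ehr_view_record("dr_lee", "P-1001", at_hour(20)))   # off duty: denied
    print(lending_approve("a_lender", "L-42", "distressed"))  # denied by the risk rule
```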
 

GRC: In 2009 it’s less about compliance and more about risk

February 12, 2009

Sara Gates, chief strategy officer, Agiliance

In the wake of 2008’s historic crash of Wall Street and unprecedented economic woes, the New Year brings a shift in how companies are viewing Governance, Risk and Compliance (GRC).  

During the past couple of years, compliance has been a primary concern for many while risk management has taken a back seat as a purely tactical and after-the-fact activity. That’s all about to change. The financial events of 2008 and their fallout have forced companies to rethink the importance of risk management as an integral and strategic business driver.

In 2009 and beyond, companies can expect that auditors, audit committees, governments, regulators, and credit-rating agencies will increase scrutiny of corporate risk-management practices. Companies need to understand their risk profile – which areas they are exposed in, which activities may be risky, and whether the risks taken are within the appropriate risk-appetite and -tolerance thresholds. With this shift, companies must now attempt to quantify, control, and mitigate risks that previously had not garnered their focused attention.

Case in point: Many of the credit rating agencies have been eyeing enterprise risk management (ERM) practices and are poised to tighten the screws. Standard & Poor's is implementing a new risk management category as part of its credit ranking system this year. Moody's has been developing a holistic risk management rating methodology through its Enhanced Analysis Initiative, and A.M. Best has stated that ERM will be included as an integral part of its rating process.

Those businesses that embrace ERM are likely to see a positive impact on their cost of capital and bottom line because agencies will draw a straight line from ERM ratings to better credit ratings. Although ERM won't eliminate risks, it certainly will prepare companies for difficult situations, thereby minimizing their negative financial effects.

In the future, the focus of ERM will shift from compliance, management and measurement to more business-driven results such as better loss optimization and strategic integration. Now is the time for corporations to honestly assess how well prepared they are to meet the portfolio of risks they face and begin to implement ERM as part of the complete business process. To do otherwise would just be, well, risky business.
 

The age of heuristics

February 10, 2009

Anton Zajac, CEO, ESET, LLC

The security threats we face today are rapidly increasing in volume and complexity. The lone attacker is the exception and criminal organizations with specialists in many fields are driving the majority of attacks. A criminal network may include experts in hacking, coding, encryption, social engineering, money laundering, and even traditional business management. Technology is used to automate rapidly changing attacks. The tools we use to defend our networks and data need to be much smarter and more adaptable than they historically have been.

In the previous century, an anti-virus scanner could get by with virus signatures. Today, heuristic approaches are required to provide anything approaching reasonable protection. A modern scanner will evaluate the behaviors of programs in order to ascertain the probability of malicious intent. Heuristics are also required for almost all other security approaches.

The traditional firewall would simply block traffic based upon the port being used. Either all traffic was allowed or denied, or specific exceptions were manually added. Port 80 is the port that web browsers use. The nature of internet protocols allows data to be hidden as it passes through port 80. In part this is a feature and in part it is a vulnerability to your business. A modern firewall must have the ability to monitor traffic passing through the port and, based upon content, provide blocking and/or alerting.

Access control, such as user names and passwords, does not block unauthorized access, but limits access to authorized accounts. If an authorized account is hijacked then unauthorized access is granted. This serious attack vector has been a critical point of failure in recent breaches of Twitter and Heartland, as well as in the well-known TJ Maxx breach. The lack of heuristics in using access control makes the exploitation of access control far easier than it should be.

Standard layers of defense are not up to the challenge of modern attackers; a smarter approach is required. Basics, such as encryption, firewalls, and antimalware, must be enhanced with sophisticated heuristic approaches. Simply authenticating a username and password is insufficient for granting access to a critical database. Even the use of hardware-based encryption devices, such as smart cards, in conjunction with standard user authentication is not enough. Evaluation of context is essential. Does it make sense for this user to be accessing this data at this time of the day? Does it make sense for this user to be accessing data from a specific location? Should this user even have access?

Auditing of logs is essential; however, auditing is reactive. What is required today is the real-time evaluation of alerts with the integration of data provided by all defensive technologies. The firewall, the anti-virus, and intrusion prevention and detection software all have meaningful data to contribute to a smart system. The dynamic evaluation of actions and events is precisely the type of heuristic approach that has become required in the security landscape of today.
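The contextual evaluation the two paragraphs above call for, as an added example that is not ESET's product or the author's code: each access event is scored against the account's usual hours and countries, its entitlement to the resource, the authentication strength, and correlated alerts from other controls on the source host. The baselines, hostnames, alerts and events are constructed sample data, and the weights and thresholds are assumptions.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed per-account baselines: usual login hours, usual countries and the roles held.
BASELINES = {
    "jsmith": {"hours": range(7, 20), "countries": {"US"}, "roles": {"analyst"}},
    "dba01": {"hours": range(6, 22), "countries": {"US", "CA"}, "roles": {"dba"}},
}

# Which roles should have access to which resource at all ("should this user even have access?").
ENTITLEMENTS = {"crm_db": {"analyst", "dba"}, "cardholder_db": {"dba"}}

# Constructed alerts contributed by other controls, keyed by source host.
HOST_ALERTS = {"ws-0523": ["anti-virus: trojan quarantined on this host 40 minutes ago"]}


def score_access(event: dict,
                 baselines: Dict[str, dict] = BASELINES,
                 entitlements: Dict[str, set] = ENTITLEMENTS,
                 host_alerts: Dict[str, List[str]] = HOST_ALERTS) -> Tuple[int, List[str]]:
    """Return (risk score 0-100, reasons). Hard failures score 100 immediately."""
    user = event["user"]
    base = baselines.get(user)
    if base is None:
        return 100, ["unknown account"]
    if not (entitlements.get(event["resource"], set()) & base["roles"]):
        return 100, [f"{user} holds no role entitled to {event['resource']}"]
    score, reasons = 0, []
    hour = event["time"].hour
    if hour not in base["hours"]:
        score += 30
        reasons.append(f"access at {hour:02d}:00 is outside the account's usual hours")
    if event["country"] not in base["countries"]:
        score += 30
        reasons.append(f"access from {event['country']} is outside the account's usual countries")
    if not event.get("mfa", False):
        score += 20
        reasons.append("password-only authentication")
    for alert in host_alerts.get(event["src_host"], []):
        score += 40
        reasons.append(f"correlated alert on {event['src_host']}: {alert}")
    return min(score, 100), reasons


def decide(score: int, step_up_at: int = 30, deny_at: int = 70) -> str:
    """Map the score to an action: allow, require step-up verification, or deny and alert."""
    if score >= deny_at:
        return "deny"
    if score >= step_up_at:
        return "step-up"
    return "allow"


def evaluate(event: dict) -> Tuple[str, int, List[str]]:
    score, reasons = score_access(event)
    return decide(score), score, reasons


# Constructed sample events: a normal login, a suspicious one, an unentitled one, and a
# smart-card (MFA) login that still deserves a second look because of its timing.
SAMPLE_EVENTS = [
    {"user": "jsmith", "resource": "crm_db", "time": datetime(2009, 2, 10, 10, 15),
     "country": "US", "src_host": "ws-0507", "mfa": True},
    {"user": "jsmith", "resource": "crm_db", "time": datetime(2009, 2, 10, 3, 20),
     "country": "RO", "src_host": "ws-0523", "mfa": False},
    {"user": "jsmith", "resource": "cardholder_db", "time": datetime(2009, 2, 10, 10, 30),
     "country": "US", "src_host": "ws-0507", "mfa": True},
    {"user": "dba01", "resource": "cardholder_db", "time": datetime(2009, 2, 10, 23, 5),
     "country": "CA", "src_host": "ws-0540", "mfa": True},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["user"], ev["resource"], evaluate(ev))
```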
 

No phishing allowed

February 06, 2009

Chen Arbel, vice president of strategic development, Aladdin Knowledge Systems

Strong authentication protects online banks and enterprises from identity theft and other data attacks

In recent years online banking has risen in popularity, increasing the number of online services that are offered by many financial organizations and businesses.  This indicates an extremely bright future for e-banking. However, the rise in eCrime and the bear economy have created a bull market for cyber attacks. Law enforcement and eCrime security experts have indicated that in the past eight months, cybercrime is on the rise.

The primary victims of these recent attacks are consumers and businesses. Attacks come in different flavors — in some cases victims are routed to fake web sites spoofing legitimate banks, government agencies or mortgage services. Regardless of the flavor, the main goal of these attacks is to gain access to online financial accounts (consumer or business), using the information to take advantage of sensitive data and steal identities. The direct result of these attacks is the loss of faith in the safety of the internet and hesitation by both consumers and businesses, which could ultimately decrease the use of online resources for sensitive transactions.

Because of this, there has been a significant rise in the number of financial organizations and enterprises using strong authentication technology to counteract cybercrime. A robust two-factor authentication solution enables an organization to implement proactive security measures to restore trust and mitigate cybercrime by going beyond simple usernames and passwords to provide a more secure means of identifying users who are accessing online banking, private networks, sensitive data and applications.

Online and consumer services environments are usually uncontrolled and are comprised of various types of users with great variations in their levels of technical expertise. Moreover, the life cycle management process for online services is extremely complicated, especially when considering issues such as deployment, distribution, provisioning and support. Other issues that need to be considered are user convenience, and potential problems such as obsolete or disparate operating systems.

There are many products available for strong authentication, and the choices are based on the needs and infrastructure of a business and its users. Existing solutions include one-time-password (OTP) tokens, as well as USB-based smartcards which store individual credentials and certificates on-board the smartcard to enable strong encryption. However, neither of these is the perfect solution that meets the needs of convenience, portability and security in one solution.

The future of authentication technology is looking bright for online banking organizations, whose customers require a plug-and-play solution, but whose transactions require the robust encryption of a certificate-based smartcard. Trends in the authentication market are leading to a single solution with the advanced technology of a USB-based smartcard and the easy-to-use functionality of an OTP token. In combining these two solutions, you get a portable smartcard-based token that enables PKI-based strong authentication, secure remote access and extra features like digital signatures. By combining the strength of PKI technologies with simplicity and ease of use for almost any user, future authentication technologies will be ideal to help restore trust in services like online banking and protect consumers and business users against common Web attacks.
 

There is nothing technically wrong with PCI

February 05, 2009

Ron Gula, CEO and co-founder, Tenable Network Security

During the past year, several high-profile companies that suffered data breaches were also "compliant" with the PCI standard. As a result, the PCI standard received a lot of criticism claiming that it is ineffective. I strongly disagree with this view. The issue is that PCI requirements should be viewed as a bare minimum standard and not considered ironclad security. Here are some of the technical limitations of PCI.

  • For small companies, PCI validation requires a passing vulnerability scan once a quarter. Every quarter, thousands of new vulnerabilities are published. Relying on the results of a passing vulnerability scan performed once every three months can provide a false sense of security.

  • Commercial PCI scanning services that look for vulnerabilities that affect PCI compliance do not test for all security issues. Typically, these services only perform network-based vulnerability scanning and don't perform credentialed patch auditing, security testing of client software such as browsers or configuration tests such as password complexity testing.

  • Finally, for large organizations that need to submit to an audit by a QSA, having an external auditor confirm that you are running an anti-virus solution, have a working firewall solution, track your users closely and so on STILL does not mean you won't have security problems.


For example, your systems may all be running the latest anti-virus solution but there is still a very good chance that a new mutated virus could not be detected and end up infecting systems which hold cardholder data.

A message to any CEOs reading this: just because your organization can prove compliance does not mean your organization does not have security issues that could result in a data loss.

Most critics of PCI take these limitations as a call to further enhance the security requirements of PCI. I strongly disagree. PCI does not need to be more restrictive. It must be flexible enough to meet not only the goals of PCI but also those of the business. If you make security part of your business goals, complying with PCI requirements is easy and the likelihood of a data loss reduced.

Don’t necessarily blame PCI for a weak security program.
 

Q&A with Bobby Dominguez

February 02, 2009

Bobby Dominguez, director, Security & Compliance, Catalina Marketing Corporation

1. What has been the biggest change in security that you’ve seen in the last decade?

From a threat perspective, it’s the hacker’s goal. It used to be for fame, bragging rights or to satisfy a curiosity: “Can I do it?” Today’s hackers are organized as crime syndicates hijacking computers to be used or sold for nefarious, criminal purposes.

From an operational perspective, it is in the business drivers for security. We’ve evolved from FUD of some mysterious hacker threat to FUD of government regulations and industry compliance standards (e.g., PCI).

2. What advice would you give to a new CSO?

View and sell yourself as a risk manager, applying a risk-based approach and providing visibility into enterprise risks. Don’t focus on the technology, but on what you’re trying to protect and why. To do this effectively, you must understand the business and align your strategy to the business and IT strategic goals. Finally, you must not only speak the language of business, but also implement a governance model that is complementary to your organization’s culture.

3. What is the biggest computer security threat that faces our new president and our nation?

Foreign governments have developed a cyberwarfare capability and they’ve fearlessly unleashed their ethereal armies to great effectiveness, e.g., Russia vs. Georgia, Estonia, and Lithuania, China vs. USA, etc.

The U.S. must not only develop effective defensive capabilities, but also offensive ones. Just as the U.S. airspace was shut down during the 9/11 attacks, U.S. cyberspace may need to be shut down also; and businesses need to be prepared for the impact that such a blockade will have.

4. With limited budgets, what is the one security imperative that you think is most important?

Assuming the basics are covered, i.e., perimeter security and access controls, CSOs must focus on protecting information from those charged with maintaining it. The insider threat – the threat from those that are supposed to have access to information – remains the most significant vulnerability. Many security practitioners throw technology at this problem; it’s easy to demonstrate activity when you’re deploying products. They’re reluctant to deal with the people and process issues, which require a different approach.

5. What makes a great security team?

A team with well-balanced skills and experience is essential. You need team members who understand the technology (networks and systems), computer forensics, risk assessments, auditing and project management. But most importantly, you need a team that has the soft skills necessary to influence others and get policies or projects effectively implemented. They need to understand the business and their customers’ needs and concerns. A positive, “can do” attitude and spirit of collaboration are important ingredients.

 
 

The SC Magazine Awards Blog

February 02, 2009

Awards season is upon us! I’d like to welcome all our readers back to the SC Magazine Awards Blog, which is now live again as we approach the RSA Conference and the naming of the SC Awards winners. Similar to last year, the Awards Blog will feature commentary from C-level executives of our SC Awards finalists who will share their perspectives on trends in the IT security industry and the issues that should be top of mind for all organizations.

All subjects related to the critical issues and challenges facing our industry are open to discussion, and we welcome our readers and site visitors to comment on the Awards Blog postings. SC Awards finalists who would like to participate in the Awards Blog can do so by following the few simple guidelines below. All you need to do is email your posting or commentary to me at chuck.miller@haymarketmedia.com and I will post them on our site.

SC Award blog guidelines:

  • Blog submissions should not exceed 500 words.

  • All submissions should be vendor-agnostic and exclude product/service proselytizing.

  • Blog postings and commentary should focus on topics, trends and risks most relevant to today’s security industry.

  • Blog submissions must include byline, title and company name for author.


Welcome, again, to the SC Awards blog! We hope you’ll find this forum an excellent way to gain insight into the security thought leadership of our industry.

Chuck Miller

Online Editor

SC Magazine
 

RSA wrapup: The good and the creepy

April 14, 2008

Deb Radcliff filed this RSA wrapup.

Everyone’s always asking those of us from the trade press about trends we see at RSA.

Some will tell you RSA this year was all about virtualization, which already seems like an old story with vendors like Blue Lane Technologies and Reflex Security stepping in to monitor the heretofore unwatchable layers created by virtual machine managers and their guests.

Others will say it’s all about data leakage protection, and we sure saw a lot of that at the conference this year, with Symantec, Trend Micro and others taking leakage protection to a more comprehensive level at the endpoint and gateway.

Unified authentication and use of federated identity frameworks are also gaining momentum, with Microsoft discussing its unified access approach, TriCipher announcing over 50 web applications (SalesForce, WebEx, Google, etc.) in its user single sign-on portfolio, and so on.

Ultimately (true to RSA President Art Coviello’s Tuesday morning keynote), the overall conference boiled down to more holistic management of risk under the following bullet points:

• Looking at security from inside out instead of outside in (protecting data instead of the network)

• Driving protections deeper into the infrastructure to make it more of an operational function rather than a separate security function

• Using security as an enabler for new types of business

All good and necessary aspirations. But one theme that subtly carried across and outside the conference was this nuance of surveillance – surveillance of children (Symantec’s upcoming family security suite), surveillance of IP traffic, including through the ISPs.

The theme of being watched resonated outside the conference, starting with hotel rooms booked through the RSA block. On Monday night, little piles of colorful conference bling and fliers appeared on doorsteps of all RSA attendees who registered through that block. They know where you are, and so does everyone walking down the hallways looking at the bling in front of all those doors. RSA used a middleman to deliver the bling to the doors, according to a spokesperson, but that’s still creepy.

That same feeling also carried over to the end-of-RSA bash Thursday night, in which RSA Conference organizers put a lot of work and expense into setting up different forms of entertainment in the Marriott ballrooms. In the karaoke room, for example, local entertainers set up a 20-foot black pyramid topped with a giant, 12 by 10-foot face-shaped screen with a nose protruding. Onto that screen was projected the face of a real person taking questions, acting all-knowing like the Wizard of Oz, while looking ominously down upon them. (See my friend Liz Safran's picture of said face here.)

Then there was the face painting room. With security and privacy blended so closely together, it was amazing how many security practitioners blithely stood in line to get barcodes painted on their foreheads. Not only did the fake barcodes wreck their coiffures, they made their bearers repulsive – every time one walked by it made you think of the ‘mark of the beast’ predicted in biblical revelations.

All in fun, one might say. But given the level of desensitization among this crowd, it looked more like a parody of things to come.

 

From RSA: Press locked out of Al Gore's keynote

April 08, 2008

The press has been locked out of RSA's Friday keynote by Al Gore, and the registrar says it was at Mr. Gore's request. That's gonna be difficult to enforce, thousands piling into this massive auditorium, but the handful of us with the green tags on our badges aren't allowed? Meanwhile, at least 20% of those thousands with the general conference tags do some type of blogging and they still get in.
 

Mapping IT security to the business and the business to IT Security

March 28, 2008


Patrick J Conte, CEO, Agiliance

The need to map security to the business has been an ongoing topic of conversation for quite some time.  While that might mean different things to different people, the common denominator is that it requires a change in how IT and security professionals think about and approach security.

Regulatory compliance has been a great enabler in forcing this sea change.  SOX tied executive-level accountability to IT and compliance spending tied “gaps” in the IT infrastructure to a dollar amount.  The need to prioritize what gaps to fix first helped to crystallize the discipline of risk management.  According to Forrester, when you combine effective risk and compliance management, what you get is good corporate governance.

While the Governance, Risk and Compliance (GRC) market is extremely broad and still being broken down into more manageable components by analysts (and everyone else), one could argue that it inherently links security to the business, and in doing so, is helping to shepherd the industry along.

A recent survey from The Deloitte Center for Banking Solutions tracked what 20 of the top 50 banks spent on compliance from 2002 to 2006.  No big surprise, spending increased each year, rising from 2.83 percent of total net income in 2002 to 3.69 percent in 2006, a jump of almost a third in just 4 years.  That translates to about $83.5 million per bank spent on all aspects of compliance, with $14 million of that spent on IT.

The survey also said that one of the main reasons compliance costs are on the rise is that banks are overspending on people (more than 60% of their budgets) and underspending on scalable technology.  In other words, it’s time to automate IT compliance processes.  It’s a good crossroads to be at because it shows we know what’s broken.

We also have some lessons learned.  SOX was reviled for being too vague, which is one thing you can’t say about PCI (although it might be reviled for other reasons).   Plus, after five years of SOX and its regulatory and private sector brethren, compliance, security and risk -- while far from fused -- are no longer mutually exclusive.   As a result, CSOs can justify security investments based on business ramifications and operational efficiencies instead of FUD.

While as an industry, we’re still at the beginning of the learning curve, the Deloitte report and plenty others like it will continue to help us understand what doesn’t work.  Moving forward, one way to further align security to the business will be to not only continue to innovate and automate IT compliance management, but to increase the ability to appropriately articulate the benefits that delivers across the organization.
 

Targeted trojans proliferating

March 24, 2008

Mark Sunner, chief security analyst, MessageLabs --
As categories of malware go, targeted trojans occupy the sharp end of malicious activity.

The mainstream viruses we read about in the security press have no particular target in mind but are rather aimed at a blanket audience. However, lurking behind the scene are the targeted trojans -- victimizing a specific company or perhaps even a specific individual. Because their numbers are comparatively small, they tend to go largely unnoticed, but all the indications are that activity in this area is flourishing. Something that once only affected prominent Blue Chip companies is now moving into the mainstream – but many of us don't even realize that such threats exist.

At the end of 2005, Alex Shipp, MessageLabs senior anti-virus technologist, and his team of anti-virus researchers made a startling discovery following up a hunch that targeted trojan activity was actually far more common than was popularly believed or previously reported.

Sifting through the rafts of interception log data was a daunting task, but as November 2005 came to a close it began to look as though this perseverance was about to pay off. Blocking targeted malware was not the hard part -- but figuring out that it existed at all was very difficult indeed.

Central to the challenge was the signal-to-noise ratio. The background noise created by the millions of other volume threats was very difficult to tune out to get a clear picture of what was really going on. What Alex and his team found was both fascinating and worrying:

For almost every week of that year to date either one or two targeted trojans were indeed being intercepted by MessageLabs anti-virus technology. In every instance, the targeted trojans were emanating from the same geographic source and heading toward the same target. But what was most troubling was the high level of sophistication combined with advanced social engineering tactics. Clearly somebody, somewhere really wanted in.

Now that Shipp and his team had devised a way of finding the “needle in a haystack,” monitoring the phenomenon became a core part of MessageLabs overall threat detection. By 2006, MessageLabs had honed its ability to monitor the faint signal of targeted interceptions, evolved it into a routine task, and was intercepting targeted attacks at an average of one per day with varying geographic sources, destinations and across industry sectors. The threat vector was experiencing exponential growth in every direction.

By early 2007, MessageLabs routinely intercepted approximately 10 targeted trojans each day. The threat profile was mixed, but China was the most common source and the Blue Chip industry sector a popular destination. While the problem was threatening, it seemed to be under control, but few could have predicted what happened next.

On June 26, 2007, at approximately 11 a.m. EST, MessageLabs intercepted a run of 514 targeted trojans over a two-hour period. Each instance referenced the email recipient by full name and job title and carried a Word document attachment, purporting to be either a customer complaint or a corporate financial penalty relative to the business in which the recipient was involved. The trojan was embedded inside the Word document and was capable of giving remote access to the victims’ PCs.

Overall, these trojans were similar to all previous interceptions, but the sheer volume of them was something that had never happened before. Instead of targeting a specific industry sector, these attacks targeted specific job titles -- C-level executives such as CFOs, CTOs and CEOs -- who would likely have access from their laptops to proprietary corporate information.

This first blast of targeted attacks was followed by a second blast of 1100 targeted trojans in September 2007 and again in November 2007 with 900 Trojans. Another more recent blast of 900 Trojans in February 2008 arrived with a twist, containing hyperlinks instead of an attachment. The links were self-contained search requests of the Better Business Bureau’s (BBB) actual Web site that when activated, would locate a BBB affiliate. It was the affiliate site that had actually been compromised and housed a re-direct to a third site where the new trojan was planted, disguised as an Adobe Acrobat update.

While all MessageLabs customers have been fully protected through every targeted attack run, it is becoming increasingly important that organizations understand the potential harm that can be done given this sharp increase in new levels of difficult-to-detect activity. Botnets, spam, phishing and spyware are high-volume attacks and can go relatively undetected on the security radar. Targeted attacks are stealthy and are beginning to make their mark on business. MessageLabs predicts there will be another large run before the end of March.
 

Notes from a security roundtable

March 20, 2008

Chris Wysopal, CTO and co-founder, Veracode --
I recently led a roundtable event in New York and Washington, D.C., entitled “5 Trends Shaping Software Security.” This event involved several high-level CISOs, and we focused on creating awareness of software security issues within enterprises.

The general consensus was that developer awareness seems fairly mature, while executive awareness remains spotty. Many of the executives were interested in the idea of metrics, particularly in comparing peer groups. Metrics around secure software could be used to create accountability within business units, generating monthly reports to show who is creating secure software and create a positive competition between groups.

A few main topics discussed at the roundtables:

Technology trends: Web 2.0 and emerging mobile devices were top technology threats. Concerns were expressed about the impact of virtualization and Software-as-a-Service on software security. Concerns ranged from a lack of understanding of the new risks introduced by virtualization to new software development methodologies and a lack of recognition of the ‘enemy’.

Managing security from a business perspective: Progress is being made, but balancing compliance, risk management and business drivers continues to be a challenge. Using clear, simple metrics to create corporate accountability is a key goal. Multiple participants mentioned the challenge of balancing security compliance and time to market for delivering software.

Creating a market demand for software security: Most felt that a security standard approach rating system should be applied to commercial off-the-shelf software as well as outsourced development.

Development best practices: Successes were discussed in areas of increasing developer awareness, and a few leaders had strong programs that spanned the entire software development lifecycle. Security success starts at the code level. Ensuring secure code needs to be a priority – preventing flaws like hidden backdoors – a serious vulnerability that can provide sophisticated hackers easy, undetected access to an application and the highly confidential customer or company data that resides in it. Left intentionally or unintentionally, backdoors are a way developers can bypass authentication or other security controls in order to access the software application, and are often left in by accident. However, this increases the security risk of an entire organization.

What do you think? Have you experienced security success in your organization? What are the trends in your organization around shaping and monitoring software security?



 

The Access Lifeline

March 17, 2008

Kurt Roemer, chief security strategist, Citrix --
SSL/VPN continues to be the technology lifeline of remote workers who require access to rich applications and data sources. Originally, these workers viewed the SSL/VPN as a simple extension of network connectivity, with many now finding greater utility in managing application access – both inside and outside the organization.

SSL/VPN technology has opened the doors wide to accommodate remote access needs. That’s no surprise, but what is surprising is how the control and management granularity of SSL/VPN are being applied to internal applications’ needs. There are many drivers behind this evolution, including access fluidity, support, granular application-level control and compliance.

In today’s highly regulated economy, “distributed everything” doesn’t make sense anymore. However, overly restricting the capabilities of the workforce leads to diminishing productivity – and an increasingly upset user community. In the face of deploying traditional “solutions” that would only deepen the chasm between technology and users, balancing the straightforward access methods and strict controls of SSL/VPN started to make sense for all classes of user needs.

By brokering virtualized access to application, desktop, network and data resources, the SSL/VPN has proven to be a mighty delivery vehicle.

Whether the access is from the office, home, an outsourcer or a personal mobile device, ease-of-access and security needs can be met. The application-level enforcement of security and compliance policies, including strong authentication, encryption, detailed audit logging and user controls that are consistent across applications has been a tremendous benefit for IT. Compliance is also a primary benefactor of these extensive capabilities and controls.

In the future, it’s logical to see this technology expand to become much more focused on brokering increasingly intelligent access and being intertwined with dynamic personal and business policies. A consistent access method for all flavors of access solves real problems, such as the separation of home and work environments on a personally owned device, as well as the assurance for the business that a managed barrier exists between personal and business usage and users’ divergent interests.

As an example, a worker attempting to access a highly-sensitive document will be subject to layered scrutiny, seamlessly automated through rich policy. As this worker issues the access request from their personal device, the policy notices that the worker is not using a managed device and that the requested application displays information that is subject to regulatory concerns. The workflow engine kicks in transparently and requires strong authentication, displays the application virtually for use and restricts the ability to copy, paste and print.

This situation requires on-line access, but what if the worker needed to complete the report on an airplane? On a managed device, workflow policy may have requested manager approval to copy the report to the device, after verifying that the report can only be saved to a properly encrypted managed partition.

By consolidating access methods and automating workflow and policy, the SSL/VPN has become the gateway that delivers the worker’s access lifeline. Now we just need a catchier name that portrays the true power of evolving “SSL/VPN” usage!
 

Live hash "recipe"

March 13, 2008

Chet Hosmer, chief scientist, WetStone Technologies, Inc. --
Autonomous hashing and live discovery technologies are advancing rapidly and provide value and expediency for forensic investigators. It is important as we advance these solutions that we consider not only what we collect, but also engineer solutions that can prove what we collected, where we collected it, when we collected it, and by whom it was collected.

Traditionally, hashing is performed during postmortem forensic investigations and is used to maintain evidence integrity, as well as to identify known files (known good or known hostile). Digital investigators commonly utilize one-way hash technologies (MD5 or SHA varieties) to generate unique mathematical signatures of known files.

Autonomous hashing (over the wire, or during direct overt or covert interactions) – the process of collecting hash values from live running systems – can significantly speed the identification of known threats and known files that users should or shouldn’t possess.

Performance enhancement is obtained by performing the hashing function utilizing the target machine’s computing resources – in other words, off-loading the processing to the target. This approach has two important benefits: the content of the files, directories or drives being hashed doesn’t pass over the network, which could potentially expose non-encrypted proprietary data; and the performance is dramatically improved, especially if multiple targets are being processed simultaneously, resulting in reduced network traffic congestion.

Autonomous hashing is accomplished by pushing a small software agent to the target machine (credentialed access to the target under investigation is required to accomplish this, or the agent must be installed a priori). The hashing agent is then instructed to gather hashes from the target machine and report back results when completed.

The agent can be instructed to collect hashes from all drives and devices permanently or temporarily attached; searches can be further restricted to specific directories or file types. This can include USB or Firewire drives, local or remote network drives, or mounted or encrypted file systems.

Once the collection of hashes (and associated file attributes) is completed, the agent delivers a report back to the investigator workstation with the result. In most cases this report is delivered as a compressed and encrypted XML document that is ready for post processing by the investigator. The reason this document is encrypted is to prevent the disclosure of file system data collected by the agent. Even though the file contents are not included in this report, file system information contained in the report still may contain proprietary data that requires protection.

Post processing of the resulting discovery provides investigators with a wealth of data regarding the target.

Obviously, a file system inventory may reveal recent documents, population of images, audio files, movies, application data, documents etc. In addition, based on the hash values collected, a comparison of hashes collected to known good (operating system programs, application files, development tools) or known bad (rootkits, password crackers, botnet files, trojan horse, encryption, steganography, key loggers etc.) programs/applications can be made. In addition to the known good or bad files identified in such a discovery, files containing proprietary data could be identified based on the hash files, known file names or known partial hashes.

One of the criticisms of utilizing autonomous agents that execute on the target platform is the potential untrustworthiness of the Operating System (OS) of the target. Developers of autonomous discovery technologies certainly are aware of the threats posed by rootkits and other malicious code that can intercept OS calls and circumvent the discovery of hidden directories or files.

Without revealing the specific details of the countermeasure that developers employ to overcome these hooks, it is safe to say that self-inspection of the operating environment is critical to effective autonomous hashing software. This implies that the software must perform a thorough inspection and determine whether core API calls that will be used can be judged safe.

In addition to trustworthiness concerns, there is anxiety over agent modifications of target evidence that would bring into question the efficacy of the discovery in court. This is a valid concern, and the responsibility of those engaged in the development of such agents must be considered from the top down.

For example, great care must be taken to audit every operation and potential modification that the agent may cause. In addition, time stamping (from a trusted source) should be included in robust solutions in order to prove the exact time the “snapshot” of the file system was taken and when collection of the hash values occurred. Since the target machine is running before, during and after the discovery, at the very next moment the file system is likely to have changed – this is especially important when collecting hashes across multiple targets potentially existing in differing time zones.
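The collection, classification, audit-trail and packaging steps described in this post, as an added example in Python that is not WetStone's code: it builds a constructed sample target in a temporary directory, hashes it in place (only digests and metadata leave the host), compares against constructed known-good and known-bad hash sets, timestamps the snapshot and records every operation, then compresses the report. The reference sets, file names and the assumption that the local clock is trustworthy are all placeholders; encryption of the report is omitted because key handling is out of scope.

```python
import hashlib
import json
import os
import tempfile
import zlib
from datetime import datetime, timezone

# Constructed reference sets (hypothetical; real deployments use vetted hash sets).
# Each entry is the digest of a sample file that build_sample_target() creates.
KNOWN_GOOD = {hashlib.sha256(b"constructed known-good application file\n").hexdigest()}
KNOWN_BAD = {hashlib.sha256(b"constructed known-bad tool (sample only)\n").hexdigest()}


def sha256_file(path, chunk_size=65536):
    """Hash a file on the target; the contents stay local, only the digest leaves."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def utc_now():
    # Assumption: the agent's clock is synchronised to a trusted time source.
    # A production agent would obtain a signed timestamp rather than trust itself.
    return datetime.now(timezone.utc).isoformat()


def collect_hashes(root, extensions=None):
    """Walk `root`, hash each regular file (optionally filtered by extension)
    and keep an audit trail of every operation performed on the target."""
    audit = []
    report = {"target_root": os.path.abspath(root), "snapshot_start": utc_now(), "files": []}
    audit.append(f"{report['snapshot_start']} walk started at {report['target_root']}")
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order keeps reports comparable across runs
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if extensions and not name.lower().endswith(tuple(extensions)):
                continue
            if os.path.islink(path) or not os.path.isfile(path):
                audit.append(f"{utc_now()} skipped non-regular file {path}")
                continue
            st = os.stat(path)
            report["files"].append({
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(path),
            })
            # Reading a file can update its access time on some file systems;
            # that is a potential modification the audit trail records, not hides.
            audit.append(f"{utc_now()} read-only hash of {path} ({st.st_size} bytes); atime may change")
    report["snapshot_end"] = utc_now()
    report["audit"] = audit
    return report


def classify(report, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD):
    """Annotate each entry as known-good, known-bad or unknown by hash lookup."""
    for entry in report["files"]:
        if entry["sha256"] in known_bad:
            entry["verdict"] = "known-bad"
        elif entry["sha256"] in known_good:
            entry["verdict"] = "known-good"
        else:
            entry["verdict"] = "unknown"
    return report


def package_report(report):
    """Compress the report for transport. The design above also encrypts it;
    that step is left out here because key handling is out of scope."""
    return zlib.compress(json.dumps(report, sort_keys=True).encode("utf-8"))


def unpackage_report(blob):
    """Investigator side: restore the report for post processing."""
    return json.loads(zlib.decompress(blob).decode("utf-8"))


def build_sample_target():
    """Create a constructed target file system in a temporary directory."""
    root = tempfile.mkdtemp(prefix="hash_target_")
    os.makedirs(os.path.join(root, "tools"))
    os.makedirs(os.path.join(root, "app"))
    with open(os.path.join(root, "app", "service.bin"), "wb") as fh:
        fh.write(b"constructed known-good application file\n")
    with open(os.path.join(root, "tools", "cracker.exe"), "wb") as fh:
        fh.write(b"constructed known-bad tool (sample only)\n")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"meeting notes, not in any reference set\n")
    return root


def run_discovery(root, extensions=None):
    """Agent pipeline (collect, classify, package) followed by investigator unpacking."""
    blob = package_report(classify(collect_hashes(root, extensions)))
    return unpackage_report(blob)


if __name__ == "__main__":
    result = run_discovery(build_sample_target())
    for entry in result["files"]:
        print(f"{entry['verdict']:<11} {entry['sha256'][:16]}  {entry['path']}")
    print(f"{len(result['audit'])} audit entries, snapshot "
          f"{result['snapshot_start']} .. {result['snapshot_end']}")
```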
 

Internet climate control?

March 10, 2008

Scott Chasin, chief technology officer, MX Logic --

For years now we have faced the deluge of spam and other digital pollutants clogging the communication vectors of the Internet.

Unfortunately, the rising tide of duplicitous advertisements and contaminated bits billowing from the massive and far reaching botnet factories of “planet Internet” will only continue to worsen as the technology being embraced by their malevolent facilitators continues to outpace that of the slow reactive filtering models.

This reactive cleanup model, installed as protective filtering gateways or desktop scanning processes, provides an invaluable asset in the war against internet pollution.

However, it doesn't take an internet environmentalist to note that the volumes of pollutants are increasing at such a fast pace that inboxes are still getting clogged and the pipes connecting those end-points are being suffocated and choked.

Can the reactive model keep up with the threat? Or will the delivery of malicious bits evolve faster, with more sophistication, morphing to a scale that will dwarf the attempts of signature and heuristic-based reactive approaches?

One thing is for sure, the internet climate IS changing. The filtering models that have been installed are not only changing the behavior of how we use the internet (think quarantines and virus updates) but are also impacting the reliability of communication.

Filtering isn't completely accurate and mistakes can be made. Some could say we are simply sorting the pollutants from the Inbox to the quarantine. Are we simply wearing gas masks and ignoring the saturated spammy internet atmosphere?

Some recent studies suggest that if a typical email server on the internet were to relax or drop its edge filtering, it would be overrun with contaminants within minutes, crashing or halting under the burden.

I've advocated the use of outbound filtering models for some time, especially with internet service providers.

Since the majority of pollutant-spreading botnets are usually seeded within an ISP's consumer subscriber base, shouldn't the ISP have tighter control on what bits are leaving their networks? It seems, up until now, that ISPs have largely ignored the pollution emanating from their networks and have only really focused on the incoming pollutants from other providers. Perhaps the symbiotic nature of controlling one's own pollution output could ultimately help diminish the input deluge that seems to be the primary focus of today.

Maybe we are ready to enter a new world of proactive medicine?

It appears to me that internet security and pollution control is certainly ready for new models of containment and the recent advances in identity and trust management could be the future of how pollution on the Internet will be controlled and squelched.

That said, the reliance on reactive filtering will never dissipate and will for the unforeseeable future likely be a cornerstone of Internet pollution control, protecting millions of internet inhabitants from phishing, botnets, viruses, worms, spam, spit, spim and every other new form of evil bit that evolves to subvert the security of our privacy, our attention and our wallets.

 

Monitor the “high-hanging fruit”

March 06, 2008

Hugh Njemanze, founder and CTO, ArcSight --

Traditional security monitoring strategies have focused on the “low-hanging fruit” of the perimeter.

Security analysts are comfortable talking about firewalls, VPNs, IPS and the like, because they generally fall under the control of the security and operations teams. But over time it has become clear that the scope of monitoring activity needs to expand and consider a broader range of threats.

Now, monitoring internal network devices, operating systems, databases and applications—the “higher-hanging fruit”—becomes strategic. When the strategy includes detecting threats from insider activities, the need for monitoring can expand to printers, desktops, identity management solutions and even physical security solutions.

However, this goes beyond simply monitoring a broader range of devices to paint a more complete picture of your organization’s security status and posture. Having that information is great, but the real payoff is the ability to use the captured data to enable an organization to make better business decisions.

Are our policies being followed? Are we compliant? Are we more secure today than yesterday? How does this help my business? These are all questions a comprehensive and scalable monitoring solution can help address.

Because the data being analyzed crosses many technical and political boundaries, the monitoring solution needs to integrate decision support systems, allowing groups such as security, operations, desktop support, application, telephony, HR, legal and management to work together to address suspicious or malicious activity.

Security is no longer just an IT issue; it impacts the entire business so decisions can’t be made in a vacuum. Having solid policies and processes in place around incident detection, notification, escalation and response will allow security to be more tightly integrated with the organization’s mission.

So now you’re collecting the data and you have a strong decision support system; it is time for security to provide not just qualitative but quantitative results.

In the past, it has been hard to define ROI when discussing security, but that’s changed. Mature monitoring solutions should yield tangible results such as:
• Decreased response time for incident detection and resolution
• Reduced number of employees who are required to do analysis (i.e., let your security engineers focus on more strategic objectives – not sifting through logs)
• Reduced training costs because monitoring is being leveraged from a central point
• Greater employee retention – because your security engineers aren’t burned out by “syslog madness”
• Security as a business differentiator – more companies are advertising their commitment to security, and even more importantly, their implementation of effective programs as a way to retain or generate more business

While it may start with capturing data feeds, a robust security monitoring solution can provide multiple paths to business optimization far beyond those commonly associated with security and compliance. The net benefit is that it allows you to know more about what’s going on inside your organization and make more efficient, effective and informed business decisions.

Who ever knew logs could be so valuable?

 

DAM: Heart of security

March 04, 2008

Ron Ben-Natan, CTO, Guardium --
The most valuable resource managed by IT is an organization’s data, and data security has become the number one issue for CIOs and CSOs. This was not clear seven years ago, when we started working with key enterprise customers on a new generation of security products, but it is quite clear today.

There are two key compliance drivers: One is data privacy, required by PCI and other data privacy regulations. These initiatives establish controls to ensure that sensitive data cannot be accessed by unauthorized users, and create a secure audit trail of all access to that data. The second driver is ensuring the integrity of data for corporate governance, as characterized by SOX controls around the activities of privileged users.

Thanks to compliance (or really bad cases of insider fraud or a breach), data security is now even on the minds of CFOs, CEOs and board-level executives.

This focus on data security has naturally propelled Database Activity Monitoring (DAM) to the forefront. All enterprise applications use databases as the back-end, and the vast majority of data addressed by these security and compliance projects resides in databases. If the network can be viewed as IT’s arteries and veins, the database is the heart or brain – or both.

The most interesting thing about DAM is that it did not grow up in a vacuum. Databases have always had good security and auditing capabilities.

For example, almost all major database platforms have provided entitlement management and auditing. Oracle had native auditing in the early 1980s and put in Virtual Private Database in 8i. IBM’s DB2 and Informix similarly have had auditing for a very long time. Sybase has sybsecurity and Microsoft SQL Server has C2 audit, traces, and in SQL Server 2008, Change Data Capture.

I think that DAM has caught database vendors off guard – from their perspective, they gave users all the tools to implement security and compliance. What they didn’t realize is that other methods can be an order of magnitude easier to implement (also, most enterprises have multiple DBMS platforms deployed, so a single vendor’s solution usually isn’t the optimum approach).

Where is DAM going?

I believe the focus will be on optimizing business processes and increasing operational efficiency. Understanding where different types of data are located, how they’re being accessed, and analyzing and controlling access behaviors are key not only to security, but also to effective data management. But the crux is efficiency.

DAM is no longer about whether you can observe all database access. The focus has turned to how easily you can implement these capabilities and what you can do with them to optimize your environment.

DAM is growing quickly – because it has become mainstream. Seven years ago we had to convince people it was important. But DAM is also evolving (and will eventually change its name) because customers need to go beyond simple monitoring. They need more automation, auto-discovery, and preventive controls that support more stringent security, compliance and granular access policies – without requiring additional staff or disrupting existing infrastructures.
 

Web 2.0: A “Perfect Storm”?

March 03, 2008

Roger Thornton, Founder/CTO, Fortify Software --
Web 2.0 technologies are spawning an explosive growth in client-side processing (Ajax/Flex), distribution of executable content (JSON), and the mixing of code from multiple sources (Mashups).

These represent architectural decisions in applications and their underlying frameworks that were made in order to improve user experience and application functionality. However, if we are not careful, these design decisions will also lead to an explosion in vulnerabilities that can be exploited both on the client and the server.

One of the major underpinnings of “Web 2.0” is the introduction of rich client interfaces based on Ajax or Adobe’s Flex platform. These technologies can greatly enhance the web user experience, transforming it from simple web forms to the direct manipulation of a rich set of UI controls typically found only in desktop software today.

This requires that more code, in the form of JavaScript, execute on the client. This programming model also introduces lightweight distributed-computing mechanisms, namely JavaScript Object Notation (JSON) which facilitates the use of JavaScript as the primary means of communicating between client and server. Unlike transporting HTML and XML, we will now be transporting much more executable content.

Historically, whenever we depend on more software outside our control on the client or on executable content shared between programs, we see an increase in vulnerabilities. So here comes this next giant new trend and this one is the perfect storm.

Not only are we going to push code onto the client and pass around scripting code, we are also going to mashup all this code and content from multiple servers on a single client. Andrew Jaquith from Yankee Group termed it best in his 10/2007 research report – “The Web 2.0 Security Train Wreck”.

Web 2.0 applications and frameworks encourage developers to put more code on the client, ideally to enhance client side usability. But this will lead many developers to mistakenly put business logic and other critical code into the client without understanding the resulting security implications.

We call this class of problem a Trust Boundary Violation. This happens when we place code that requires a trusted execution environment into a location that is potentially under the control of our adversary. These types of problems were extremely common when JavaScript first made its way into web development. Back then developers would put input validation code in JavaScript on the client side in order to avoid a round-trip to the server when the user entered erroneous data. This was fine if the erroneous input was accidental, however, if it were malicious, JavaScript running in his own browser would not foil the attacker. They would simply disable the JavaScript and enter the malicious input to an unsuspecting server program, likely to be vulnerable since it assumed the client side checks were made.

More code on the client is fine, if that code is all eye candy to enhance the user experience. It is definitely not okay to put validation out there, and it’s absolutely not okay to put security controls out there.

While Web 2.0 will create a wave of vulnerable systems, it doesn’t necessarily mean that there are going to be new types of vulnerabilities: many of these problems are a rehash of the same old stuff that has simply found a new home. There’s going to be a cross-site scripting (XSS) explosion.

We may call them XSS problems, or give them fancier names like JavaScript Hijacking, but it’s fundamentally the same stuff. Careless handling of executable content is the underlying issue behind all variants of cross-site-scripting (and SQL injection for that matter). Any design that calls for two programs passing executable content across trust boundaries will have to be carefully implemented (and used) to avoid inevitable security issues. That will be the case forever, the next big thing that does this will be a security problem too if we don’t learn this and design accordingly.

We must become better at recognizing these problems in the abstract if we are ever going to build things right the first time. Building things wrong, then waiting for the security community to find the mistakes (while the criminals exploit them), and then reworking everything is a major waste of development capacity and an unnecessary risk for businesses that increasingly depend on these systems.

What do we need to do to prepare for the Web 2.0 Train Wreck?

To borrow a couple of clichés: this train has already left the station and there is no stuffing the genie back in the bottle.

Your company is going to deploy lots of Web 2.0 technology and it will put your business at risk. What you can do is make sure that your security team is working closely with your software development teams (internal and 3rd party). Stay on top of the vulnerabilities and exploits as they become public and be sure you have a quick response setup to mitigate and repair any of your software applications that have Web 2.0 vulnerabilities.

At the same time we can all work on making sure software developers and system designers understand fundamental security concepts so that Web 3.0 can deliver on the astonishing functionality it will surely promise without putting our systems and data at such risk.
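The Trust Boundary Violation described in this post, as an added Python example that is not Fortify's code: a constructed funds-transfer endpoint in its vulnerable form (which assumes the Ajax client already checked the request) beside a hardened form that re-validates every field on the server, where the client cannot disable the check. The account table, field names and the 1,000 limit are constructed sample values.

```python
import json
from decimal import Decimal, InvalidOperation

# Constructed scenario: the browser-side script (not shown) checks that the
# amount is between 0 and 1,000 and that the destination is one of the user's
# own accounts. Those checks run in the requester's browser, so a server that
# relies on them accepts anything the script would have blocked.

# Hypothetical account ownership table (constructed sample data).
ACCOUNTS_BY_USER = {"alice": {"acc-1001", "acc-1002"}, "bob": {"acc-2001"}}
MAX_AMOUNT = Decimal("1000")


def naive_transfer(user, body):
    """Vulnerable form: trusts that client-side validation already happened."""
    req = json.loads(body)  # JSON is parsed as data, never evaluated as code
    return {"status": "ok", "user": user,
            "to_account": req["to_account"], "amount": req["amount"]}


class ValidationError(ValueError):
    """Raised when a request fails server-side validation."""


def validate_transfer(user, body):
    """Hardened form: every rule the client enforces is enforced again here.
    Returns canonical, typed values so downstream code never sees raw input."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValidationError(f"malformed JSON: {exc.msg}")
    if not isinstance(req, dict):
        raise ValidationError("request body must be a JSON object")

    to_account = req.get("to_account")
    if not isinstance(to_account, str) or to_account not in ACCOUNTS_BY_USER.get(user, set()):
        raise ValidationError("destination account is not owned by the requesting user")

    # Accept integers or decimal strings only; floats are refused to avoid
    # binary rounding, and bool is excluded because it is an int subclass.
    raw_amount = req.get("amount")
    if isinstance(raw_amount, bool) or not isinstance(raw_amount, (int, str)):
        raise ValidationError("amount must be an integer or a decimal string")
    try:
        amount = Decimal(str(raw_amount))
    except InvalidOperation:
        raise ValidationError("amount is not a valid decimal")
    # is_finite() is checked first: comparing NaN would itself raise.
    if not amount.is_finite() or amount <= 0 or amount > MAX_AMOUNT:
        raise ValidationError("amount out of range")
    if amount != amount.quantize(Decimal("0.01")):
        raise ValidationError("amount has more than two decimal places")
    return {"to_account": to_account, "amount": amount}


def hardened_transfer(user, body):
    """Server handler that never depends on the client having validated."""
    try:
        clean = validate_transfer(user, body)
    except ValidationError as exc:
        return {"status": "rejected", "reason": str(exc)}
    return {"status": "ok", "user": user, **clean}


if __name__ == "__main__":
    # A request the client script would have blocked, sent with the script disabled.
    tampered = '{"to_account": "acc-9999", "amount": -500}'
    print("naive   :", naive_transfer("alice", tampered))
    print("hardened:", hardened_transfer("alice", tampered))
    print("hardened:", hardened_transfer("alice", '{"to_account": "acc-1001", "amount": "250.00"}'))
```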

 

Web 2.0 needs Security 2.0

February 26, 2008

Tom Kendra, Group President, Symantec Corp. --
While increased internet connectivity has fundamentally changed the way we do business, it also has introduced new security and IT risks that make yesterday’s approach to security ineffective. Just as new ways of doing business were ushered in with Web 2.0, next-generation security practices must be adopted to ensure a more enlightened era of enterprise security.

Call it Security 2.0—an evolution in security that focuses not only on protecting systems and keeping hackers out but also on securing information and interactions. Security 2.0 is driven by policy, enabled by technology and strengthened by a well-managed infrastructure.

All large and publicly traded companies have IT and security policies they need to enforce. Developing security policies to meet the requirements of external regulations can be difficult and costly. Typically, these regulations do not include specific recommendations on what technologies and procedures a company should put in place to achieve and demonstrate compliance. Basing a security policy on frameworks such as ITIL, COBIT and ISO provides specific guidelines on what information a company needs to secure and what IT controls to implement.

In a Web 2.0 world, security policies must focus not simply on protecting devices but on securing information. After all, the primary purpose of the devices and systems that make up an IT infrastructure is to carry and contain the organization’s most valuable asset—its information. Consequently, a security policy must help organizations manage and control both inbound and outbound content to protect them from the inadvertent or intentional distribution of confidential and sensitive information.

The growing sophistication of today’s attacks and the varied risks that businesses face in today’s connected world calls for security that is both scalable and layered. In addition, businesses must operationalize security by standardizing and automating the processes and the software. This will allow organizations to drive down the costs of day-to-day security activities so they can be more proactive when it comes to protection.

Companies need to have adequate antivirus, antispyware, and other signature-based protection in place. However, these measures are no longer enough on their own and must be layered with more proactive types of protection such as whitelisting or behavioral-based protection that analyzes patterns and reputation to block targeted threats before they happen.

Protecting the network must also be considered. Technologies like Network Access Control and anti-spam appliances are becoming commonplace within large and mid-size businesses to prevent bad things from entering the network. Data loss prevention (DLP) solutions are ideal for protecting the good things—sensitive information like customer credit card data or intellectual property—from exiting through the network.

As security becomes a foundational component of business, the traditional way with which companies manage it must change. A next-generation security strategy should embed security throughout an organization’s business processes. Security policies, workflows and technologies must span disconnected organizations to address the interconnected risks that threaten the organization as a whole, because the organization is only as protected as the weakest link in the security chain.

Tom Kendra is Group President, Security and Compliance Management Group, at Symantec Corp.

 

Shedding light on the shadow economy

February 19, 2008

Maksym Schipka, Senior Architect, MessageLabs --

I have been spending a lot of time recently exploring the criminal underworld. The shadow internet economy is a $105 billion business and involves tens of thousands of participants – a market even bigger than the global drug trade.

As senior architect and chief malware researcher at messaging and web security provider, MessageLabs, I am on the front lines of the internet daily, exploring and infiltrating the very websites and chat rooms that the bad guys are using to assemble their next attack.

Speaking Russian fluently, I am able to understand more of the websites, chat forums and exchanges that are very active in online crime. What I have discovered is disturbing. The shadow economy is more specialized and sophisticated than we ever believed possible. Online criminals boast of making $10,000 a day and there is little chance of ever being caught. The shadow economy operates similarly to the global economy with price competition, division of labor, specialized trade and marketing.

The crime starts with the malware author who creates a new virus, Trojan or spyware to infect a computer. These authors market their software in the hopes that a middleman will buy it. Off-the-shelf malware sells for about $250, and $25 per month gets a subscription to updates that will ensure the program evades detection. The middleman uses a botnet to spread their newly purchased malware, using its massive computing power for widespread spamming. As innocent, unassuming computer owners begin to respond, the middleman collects stolen credit card numbers with complete identities which he can sell for around 3 percent of the remaining card balance.

Some middlemen make a business out of laundering stolen credit cards, using a drop service to receive the goods purchased with a stolen credit card. An elaborate system of guarantors and escrow accounts has also emerged to regulate transactions in the underground. This proves that the market is growing more and more sophisticated and is driven by economics and the participants who value their long-term reputation in the shadow economy.

It is clear that the front runners in the shadow economy are constantly working to improve the quality of the products that they sell, testing them against anti-virus mechanisms to guarantee their products are effective. Every time a vendor updates its anti-virus product, the malware author creates a new version. In fact, malware authors can produce new malware as fast as every 45 seconds to keep it undetected.

For those of us in malware detection, this means that there is no end to malware in sight. Heuristic detection is the only surefire way to prevent the bad guys from propagating more malware.