To Stay Secure, Make Sure These IT Security Initiatives Are Among Your Priorities in the Year Ahead
There’s no doubt that 2010 was one of the most eventful years ever in IT security. The news started in January with Operation Aurora, which revealed just how orchestrated and widespread attacks have become when it comes to targeting high-profile companies such as Google, Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman and Dow Chemical. Then, in June, Stuxnet surfaced, targeting industrial control systems, and showed us that it’s possible for science fiction plots to jump from page to reality. And while the Zeus botnet didn’t make as many headlines, it showed the power and danger of a stealthy, centrally managed, widely distributed botnet.
That’s not to forget the dozens and dozens of breaches of personal financial and health-related information, such as the Gawker attack that exposed roughly 1.3 million user accounts along with their weakly hashed passwords. Those are just the major security breach examples. There are also the macro trends, such as the tame economic recovery that has lacked the firepower to get budgets moving strongly again, and the shift from on-premises computing to cloud computing.
There is no reason to expect such sophisticated attacks and malware to slow down in 2011. That’s why enterprises will need to increase their focus on identity management, on security event monitoring and management, and on virtualization and cloud security. Certainly, none of these is new; however, their emphasis and importance will be undeniable as this year progresses.
Managing User Identities and Access Control
Organizations are great at adding new identities and log-on credentials to their systems when new employees are hired or contractors come on board. Unfortunately, they’ve been horrendous at managing those access rights throughout the rest of the life cycle. When employees move on to new employment, the organization fails to terminate their access. When workers are promoted or their job roles change, new access rights are granted but the old ones remain intact. This just makes things too easy for attackers. For instance, in my work as an ethical hacker there have been many times in which I’ve been able to obtain the stored (encrypted or hashed) credentials of an employee, often an ex-employee, use those credentials to gain access to a system, and then use that access to reach even more users and systems. All of this was made possible by dormant access credentials simply left lying around. Considering that, it should come as no surprise that, according to the 2009 Deloitte Annual Global Security Survey, excessive access rights are the most common external and internal audit finding.
With the explosion of Web applications, SaaS services, mobile devices, and cloud-based services, enterprises will have no choice but to rein in their identities and access rights. They’ll need to audit their user accounts, disable those that haven’t been used in 90 or 180 days, and archive or delete them once a retention period has passed. And they should require users to change their passwords within reasonable periods of time.
It’s also a great idea to evaluate identity directories. Are there too many? Can they be consolidated? What processes can be put in place to ensure that user accounts and their associated rights are audited regularly and that outdated accounts are terminated?
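The audit described above, as an added example that is not part of the original article: a script that reads a constructed account export (the column names, the 90-day threshold, the role baseline and the privileged-group name are all assumptions, and a real directory export will differ) and flags dormant accounts, accounts that HR says have left but are still enabled, and accounts holding rights beyond their current role.

```python
"""Audit an exported account list for dormant accounts and stale access rights.

Added example, not from the original article. Assumes a constructed CSV export
(for example from a directory such as Active Directory or LDAP) with the
columns below; real exports differ in field names and date formats.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export: username, enabled flag, last logon (ISO date, blank
# means never), status from HR, and the groups the account currently holds.
SAMPLE_EXPORT = """\
user,enabled,last_logon,hr_status,groups
alice,true,2010-12-20,active,Finance;VPN
bob,true,2010-06-01,left,Finance;Domain Admins;VPN
carol,true,2010-12-28,active,HelpDesk;Domain Admins;Finance
dave,false,2010-02-11,left,Finance
erin,true,,active,VPN
frank,true,2010-12-30,active,Engineering;VPN
"""

# Constructed role baseline: the groups each active job role is expected to
# hold. Anything beyond this is an accumulated right that needs review.
ROLE_BASELINE = {
    "alice": {"Finance", "VPN"},
    "carol": {"HelpDesk"},
    "erin": {"VPN"},
    "frank": {"Engineering", "VPN"},
}

# Constructed name of the privileged group; adapt to the directory in use.
PRIVILEGED_GROUPS = {"Domain Admins"}


def audit_accounts(export_csv, as_of, dormant_days=90, baseline=ROLE_BASELINE):
    """Return a dict of finding category -> sorted list of usernames.

    dormant        enabled accounts with no logon in `dormant_days` (or never)
    left_enabled   accounts still enabled although HR says the person has left
    excess_rights  accounts holding groups outside their role baseline
    privileged     accounts in a privileged group that also hit another finding
    """
    findings = {"dormant": [], "left_enabled": [], "excess_rights": [], "privileged": []}
    cutoff = as_of - timedelta(days=dormant_days)
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["user"]
        enabled = row["enabled"].lower() == "true"
        groups = set(filter(None, row["groups"].split(";")))
        last = datetime.strptime(row["last_logon"], "%Y-%m-%d") if row["last_logon"] else None
        flagged = False
        if enabled and (last is None or last < cutoff):
            findings["dormant"].append(user)
            flagged = True
        if enabled and row["hr_status"] == "left":
            findings["left_enabled"].append(user)
            flagged = True
        if user in baseline and groups - baseline[user]:
            findings["excess_rights"].append(user)
            flagged = True
        if flagged and groups & PRIVILEGED_GROUPS:
            findings["privileged"].append(user)
    return {k: sorted(v) for k, v in findings.items()}


def audit_sample():
    """Run the audit over the constructed export as of 3 January 2011."""
    return audit_accounts(SAMPLE_EXPORT, datetime(2011, 1, 3))


if __name__ == "__main__":
    for category, users in audit_sample().items():
        print(f"{category:14s} {', '.join(users) or '-'}")
```

On the sample data, bob (left, dormant, still a Domain Admin) and carol (active, but holding Finance and Domain Admins beyond her help-desk role) are the accounts the audit surfaces; the "privileged" list is the one to act on first, because those are exactly the accounts an attacker would use to pivot from one system to many.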
Increase the Use of Security Log and Event Data
This priority will be a matter of necessity. Think for a moment about how much security data lies strewn and dormant throughout an enterprise in security-system, application, and server log files. How many security events are occurring on networks that could be used to mitigate attacks but go unseen? How much more secure would organizations be if they acted on that information?
Consider the 2010 Data Breach Investigations Report from Verizon Business, which found that 86% of data breach victims had evidence of the breach in their logs. However, 61% of those breached organizations didn’t notice the breaches themselves; they were (embarrassingly) notified by a third party.
The only ways to cull breach evidence from all of the application, security, and server logs are to either a) hire a team of experts to scour the logs manually and hope (praying helps, too) that they can accurately correlate all of the needed events into comprehensible and actionable information; or b) deploy a Security Information and Event Management (SIEM) system. SIEM tools collect security-related events from those sources, correlate them against each other, and can identify suspicious activity in near real time, from unusual log-on patterns to malicious network activity. The caveat is that a SIEM can only correlate what is actually logged and forwarded to it, so enabling and centralizing logging comes first. This capability is essential for both security and compliance mandates.
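Two of the correlation rules a SIEM would run, as an added example that is not part of the original article and not taken from any SIEM product: password guessing that eventually succeeds, and one account logging on to many hosts in a short window (the "access to even more users and systems" pattern from the identity section). The log format, hosts, user names and addresses are constructed for the demonstration; real syslog lines and thresholds will differ.

```python
"""Two SIEM-style correlation rules run over constructed auth log lines.

Added example, not from the original article or any SIEM product. The log
format, hosts, users and addresses are constructed for the demonstration.
Rule 1: N failed logons followed by a success from the same source within a
window (password guessing that worked).
Rule 2: one account authenticating to many distinct hosts within a window
(credential reuse / lateral movement).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the form:
# "<timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>"
SAMPLE_LOG = """\
2011-01-03T02:10:01 fs01 sshd: Failed password for bob from 10.9.8.7
2011-01-03T02:10:04 fs01 sshd: Failed password for bob from 10.9.8.7
2011-01-03T02:10:07 fs01 sshd: Failed password for bob from 10.9.8.7
2011-01-03T02:10:09 fs01 sshd: Failed password for bob from 10.9.8.7
2011-01-03T02:10:12 fs01 sshd: Failed password for bob from 10.9.8.7
2011-01-03T02:10:20 fs01 sshd: Accepted password for bob from 10.9.8.7
2011-01-03T02:12:40 db02 sshd: Accepted password for bob from 10.9.8.7
2011-01-03T02:13:05 web03 sshd: Accepted password for bob from 10.9.8.7
2011-01-03T02:14:11 build04 sshd: Accepted password for bob from 10.9.8.7
2011-01-03T09:00:00 web03 sshd: Failed password for alice from 192.0.2.10
2011-01-03T09:00:30 web03 sshd: Accepted password for alice from 192.0.2.10
2011-01-03T13:00:00 fs01 sshd: Accepted password for alice from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Yield events as dicts; lines that do not match are skipped, not crashed on."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Return [(user, ip, success_time)] where at least `threshold` failures
    from the same (user, ip) preceded a success within `window`."""
    failures = defaultdict(list)  # (user, ip) -> failure timestamps
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            hits.append((ev["user"], ev["ip"], ev["ts"]))
        failures[key].clear()  # a success resets the counter for this source
    return hits


def many_hosts_one_account(events, max_hosts=3, window=timedelta(minutes=15)):
    """Return [(user, sorted hosts)] where one account succeeded on more than
    `max_hosts` distinct hosts inside some `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "Accepted":
            by_user[ev["user"]].append((ev["ts"], ev["host"]))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                alerts.append((user, sorted(hosts)))
                break  # one alert per account is enough
    return alerts


def run_sample():
    """Apply both rules to the constructed log and return their alerts."""
    events = list(parse(SAMPLE_LOG))
    return brute_force_then_success(events), many_hosts_one_account(events)


if __name__ == "__main__":
    bf, lateral = run_sample()
    for user, ip, when in bf:
        print(f"ALERT password guessing succeeded: {user} from {ip} at {when}")
    for user, hosts in lateral:
        print(f"ALERT {user} reached {len(hosts)} hosts in 15 min: {', '.join(hosts)}")
```

Neither rule is interesting on a single host's log: the second one only fires because logons from four different servers are collected in one place, which is the point the Verizon numbers make.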
Virtualization and Cloud Security
This priority goes without saying, as enterprises are embracing cloud computing at an astounding rate. Fortunately, companies that put considerable effort into identity management (our first priority) will find that it builds a strong foundation for both virtualization and cloud computing security. The second priority, SIEM, will also make the transition to private clouds much smoother.
Cloud computing will increase the number of applications that employees use, as well as the number of places where employees access and manage data. If companies don’t get their identities under control, the security challenges they face in their physical environments will pale in comparison to those in highly virtualized or cloud environments. Attackers will be able to take over accounts, brute-force credentials, and conduct many other types of attacks, and unless the proper precautions are in place, enterprises won’t see those attacks coming.
Many of the threats to virtualization are similar to those facing physical systems. However, because of the ease with which virtual systems can be built, spawned, and moved, it’s even more important to ensure that proper procedures and security controls are in place. For instance, what if a stored virtual machine image is tampered with? If an attacker modifies a base image and plants a rootkit in it, every VM spawned from that image comes with the backdoor pre-installed, so the integrity of base images needs to be verified before they are used, not assumed. Risks will follow unsecured systems to the cloud, public or private, if the right precautions aren’t taken. As you move to the cloud, make certain you don’t repeat those mistakes.
There won’t be much room for those mistakes, either. In addition to the types of attacks we see today, new attack techniques will be discovered, announced, and even demonstrated at hacker conferences. However, the basics don’t change, so by focusing on these priorities you’ll be in the best position possible to navigate securely through new and cloudy IT waters and to defend yourself against whatever the world throws at your enterprise.
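The base-image check that the tampered-image scenario above calls for, as an added example that is not part of the original article or of any hypervisor's tooling: hash every golden image into a manifest, sign the manifest with a key kept outside the image store, and refuse to spawn from any image whose hash or manifest no longer verifies. The image bytes, file names and the manifest key are constructed; a real deployment would hash the image files on disk and keep the key in the orchestrator's secret store or an HSM.

```python
"""Verify virtual machine base images against a keyed manifest before spawning.

Added example, not from the original article or any hypervisor's tooling.
Image contents, file names and the manifest key are constructed; a real
deployment hashes the image files on disk and keeps the key out of the store.
"""
import hashlib
import hmac
import json

# Constructed "image store": name -> bytes. In practice these are qcow2/vmdk files.
IMAGE_STORE = {
    "base-linux-2010q4": b"kernel+rootfs bytes (golden build 2010-11-15)",
    "base-windows-2010q4": b"ntoskrnl+system32 bytes (golden build 2010-11-20)",
}

# Constructed manifest key. The HMAC exists so that an attacker who can write
# to the image store cannot also re-sign the manifest to match a modified image.
MANIFEST_KEY = b"constructed-demo-key-not-for-production"


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(store, key):
    """Hash every golden image and sign the manifest with HMAC-SHA256."""
    body = {name: sha256_of(data) for name, data in sorted(store.items())}
    canonical = json.dumps(body, sort_keys=True).encode()
    return {"images": body, "mac": hmac.new(key, canonical, hashlib.sha256).hexdigest()}


def verify_image(name, data, manifest, key):
    """Return (ok, reason). The manifest MAC is checked before the image hash,
    so a tampered manifest is reported distinctly from a tampered image."""
    canonical = json.dumps(manifest["images"], sort_keys=True).encode()
    expected_mac = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return False, "manifest MAC mismatch: manifest was modified or wrong key"
    if name not in manifest["images"]:
        return False, f"{name} is not an approved base image"
    if not hmac.compare_digest(manifest["images"][name], sha256_of(data)):
        return False, f"{name} hash mismatch: image changed since manifest was built"
    return True, "image matches signed manifest"


def spawn_if_trusted(name, store, manifest, key):
    """Gate image use on verification; True means the image would be launched."""
    ok, reason = verify_image(name, store.get(name, b""), manifest, key)
    print(f"{name}: {'LAUNCH' if ok else 'REFUSE'} ({reason})")
    return ok


def demo():
    """Clean image launches; a rootkitted copy, a re-signed manifest and an
    unapproved image are all refused. Returns the per-scenario decisions."""
    manifest = build_manifest(IMAGE_STORE, MANIFEST_KEY)
    results = {"clean": spawn_if_trusted("base-linux-2010q4", IMAGE_STORE, manifest, MANIFEST_KEY)}

    # Attacker implants a backdoor in the stored image but cannot touch the manifest.
    tampered = dict(IMAGE_STORE)
    tampered["base-linux-2010q4"] += b"\n/etc/rc.local: reverse shell"  # constructed payload marker
    results["tampered_image"] = spawn_if_trusted("base-linux-2010q4", tampered, manifest, MANIFEST_KEY)

    # Attacker also edits the manifest hash to match the backdoored image, but lacks the key.
    forged = json.loads(json.dumps(manifest))
    forged["images"]["base-linux-2010q4"] = sha256_of(tampered["base-linux-2010q4"])
    results["forged_manifest"] = spawn_if_trusted("base-linux-2010q4", tampered, forged, MANIFEST_KEY)

    # Image that never went through the build pipeline and is not in the manifest at all.
    results["unknown"] = spawn_if_trusted("base-linux-rogue", tampered, manifest, MANIFEST_KEY)
    return results


if __name__ == "__main__":
    demo()
```

The manifest MAC is what makes the check worth more than a bare checksum file sitting next to the images: if the attacker can write the image, they can usually write that file too, and a keyed manifest turns "recompute the hash" into "obtain the key".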
Perhaps 2011 will be just as eventful as 2010, if not more so. Personally, I hope not. But that shouldn’t matter to you. If you have the right priorities in place and execute a sound security plan, you will have significantly lowered your chance of being part of any of the major breach headlines.