As the year comes to a close, we thought it would be appropriate to highlight some of the best stories and columns for 2010. Here is a selection of top picks for the year, based on several factors including number of reads, inbound links, tweets, and SecurityWeek staff selections. Enjoy this selection of top picks for 2010, listed in no particular order. Happy New Year!
• VM Introspection: Know Your Virtual Environment Inside and Out – Johnnie Konstantas – Knowledge is power and, when it comes to security, the more information you have about your environment, the more effective you can be at protecting it.
• Defense Department’s Cyberwar Credibility Gap – Michael Stevens – IT pundits find it hard to believe that an incident which led to the Pentagon’s recognizing cyberspace as a new “domain of warfare” could have really happened as described.
• Application Layers – The DNSSEC Chicken and Egg Challenge – Rod Rasmussen – There are obvious security benefits to adopting DNSSEC, but there are some severe downsides to being too early in the adoption curve. Should your organization implement DNSSEC yet?
• The Rise of the Small Botnet – Ram Mohan – Smaller botnets are cheaper and easier to build out and operate, and criminals have already realized that large-scale botnets attract unwanted attention.
• Meeting Compliance is Overrated—Manage Risk! – Gary Davis – Efficient, effective risk management is the key to ensuring the best possible security posture and, by extension, meeting compliance.
• Stuck on Stuxnet – Are Grid Providers Prepared for Future Assaults? – Matt Hines – Not only will U.S. grid infrastructures see more of these types of campaigns, most experts seem to think that energy providers and other key backbone constituencies are woefully unprepared to ward off such assaults.
• Deploying DNSSEC – Four Ways to Prepare Your Enterprise for DNSSEC – Ram Mohan – Rolling out DNSSEC is not entirely painless. Here are four things your organization should do to prepare for DNSSEC deployment.
• An Inside Look at Hacker Business Models – Noa Bar-Yosef – The industrialized hackers are intent on one goal: making money. They also know the basic rules of business: increase revenues while cutting costs.
• The Evolution of the Extended Enterprise: Security Strategies for Forward Thinking Organizations – Derek Gabbard – In the world of information security during the ‘good old days’ of the late 1990s, enterprise boundaries were enterprise boundaries and operational risk to infrastructure was relatively easy to define, track, assess and remediate.
• The Increasing Importance of Securing The Smart Grid – SecurityWeek Research – Smart Meter technology can remotely control consumer electricity use. This can help utilities conserve energy, reduce costs, increase reliability and transparency, and make processes more efficient. However, the increasing use of IT-based electric power systems also increases cyber security vulnerabilities, which makes cyber security all the more important.
• The Implementation Challenges for DNSSEC – Rod Rasmussen – Widespread DNSSEC adoption is still far from complete, even for critical domains and services. So what are some of the major pitfalls of DNSSEC, and how can they be avoided?
• Customer or Fraudster: Tossed Your Cookies Lately? – Tom Grubb – Detecting online fraud – The burning issue with cookies isn’t about privacy at all—it’s about the death of the cookie as a usable way to identify a device.
• Routing on The Internet: A Disaster Waiting to Happen? – Ram Mohan – For a number of years, many of the Internet’s leading architects have considered the rapid growth and fragmentation of core routing tables one of the most significant threats to the long-term stability and scalability of the Internet. The more the number of Internet hosts and networks increases, the greater the challenge will be for networks running older or slower equipment.
• Out of Band Authentication: How Fraudsters Circumvent Sophisticated Security Measures – Idan Aharoni – Cybercriminals are constantly going up against anti-fraud measures designed to stop their efforts and they need to bypass them in order to make a profit.
• How Operation Payback and Hacktivism are Rocking the ‘Net – Noa Bar-Yosef – With all the pro-Wikileaks hacktivism of the past week, it’s time to discuss the threat landscape defined by hacktivism and the methods hacktivists use.
• Social Networks as an Attack Platform: Cybercriminals Love Social Media Too! – Noa Bar-Yosef – Never before in human history has a population adapted to technology advancements as we currently are today. But we, the netizens, are not the only ones benefitting from these technologies. The hackers are sharing this high-speed ride with us and they’re not agreeing to sit in the back seat of the technology bandwagon.
• The Anatomy of an Advanced Persistent Threat – Terry Cutler – Attackers are Getting More Sophisticated – Here’s an Example of How they Work and Insight on How to Stop Them.
• Unspoofable Device Identity Using NAND Flash Memory – Markus Jakobsson – In 1998, Intel announced the introduction of processor identities. Anti-fraud practitioners celebrated, security experts busied themselves thinking of the research implications, and privacy advocates were terrified.
• What’s in your Extended Enterprise? – Rod Rasmussen – Analyzing its make-up and what risks it carries. Enterprises today exchange information almost completely online with more providers and partners, in more ways and more places than ever – in order to keep your castle walls secure, you must make sure the village is secure as well.
• Managing Security and Compliance – Seeing the Forest Instead of the Trees – Eric Schou – Successfully managing security and compliance is difficult in an organization of any size, but most people will suggest the place to start is by getting a detailed understanding of the standards and regulations that affect you.
• Why Cloud Tenancy and Apartments Have More in Common Than You Think – Dimitri McKay – One of the most common questions about cloud security is around privacy and regulatory compliance. Questions around government mandates and industry requirements abound from IT managers considering a shift to the cloud—most of which relate to multi-tenancy.
• Web 2.0: Should Businesses Block or Embrace? – Alex Thurber – Social Media Acceptable Usage Policy – Why Allow Web 2.0 to Be Used in Business?
• Using Guilt Instead of Cryptography – Markus Jakobsson – Web site passwords are frustrating to many, especially on mobile devices, where entering them is time-consuming and error prone. Theory on Using Guilt Instead of Cryptography to Prevent “Friendly Fraud”
• Hacker Uses XSS and Google Street View Data to Determine Physical Location – SecurityWeek Video – Samy Kamkar demonstrates the ability to extract extremely accurate geo-location information from a Web browser, while not using any IP geo-location data.
• IT Salary Guide Shows Increase in Salaries for IT Security Professionals – SecurityWeek News – IT security professionals in the United States can expect starting salaries to increase in 2011, according to the Robert Half Technology Salary Guide for 2011. The guide suggests that larger increases in base compensation are expected in high-demand segments, including information security positions.