Friday, November 27, 2009

What does 2010 hold for us infosec types?

I would like to see some of the following happen in the new year in Australian organisations, so that they address their key risk areas:

Application Security programs
  • Implementing trust-but-verify gates into the SDLC for security risk assessments, requirements documentation, static source code analysis, and functional and vulnerability testing
  • Risk-based testing schedules for applications in production that test the key controls in the applications (i.e. test critical apps in detail each release/year, with a rolling schedule of vulnerability testing for low-criticality apps)
Tactical Security Infrastructure projects
  • Large-scale Data Leakage Prevention (DLP) deployments with associated business process remediation
  • Virtualisation and rationalisation of perimeter security infrastructure
  • Logging, Monitoring and Reporting programs, with integrity monitoring implemented, logging enabled on end devices and alerts configured in the central monitoring software.

(I doubt organisations will be kicking off large, difficult projects such as identity & access management next year, due to the after-effects of the GFC and a hesitancy to launch projects that won't have a "quick win".)

Security Management initiatives

  • Furthering the development of good asset management, change and release management processes, so that their outputs can be used to drive appsec programs and vulnerability management processes.
  • Pragmatic Information Asset Classification and Labelling (which could be facilitated by DLP used to discover information assets)
  • Security awareness and induction training

What I suspect I will see is the following:

  • DLP product sales that expect rollout and management by BAU resources, forgetting that DLP will identify broken business processes and systems that need to be remediated, and that well-organised support mechanisms will be required to prevent disruption to one-off business processes
  • The compliance-driven annual penetration test will now involve web application security assessment of a sample application, bundled in as an optional extra
  • Security policies written only to satisfy audit findings, destined to become shelfware due to a lip-service approach to security
  • Refreshes of end-of-life perimeter security infrastructure forced by capacity-driven outages and a lack of vendor and system integrator support
  • Purely top-down risk management initiatives that do not progress beyond the generic, due to a lack of expertise amongst those performing the risk assessment

Any thoughts from out there in the blogosphere and twitterverse?

Tuesday, November 17, 2009

DLP implementation process

I suggest that the following phases be considered when implementing a Data Leakage Prevention solution.

Asset discovery

Use your DLP suite to help you discover information assets on desktops, file shares and in intranets and extranets.


Asset classification

Leverage the suite to assist you in classifying the information assets discovered. Don't forget to classify the systems on which the assets reside!


Establish implementation team and support structure

You need resources to design, implement and, most importantly, tune and respond to "false positives". Establishing a 1-800-DLPFIX number might be a good idea, or at least documenting procedures for the help desk to handle common queries and escalate to the DLP team. Ensure that web-based training is developed and that line managers are tasked with re-training personnel who trip the DLP.


Design

Consider all points of egress (USB, CD/DVD burners, webmail, instant messenger, email) in the design. Remember you are mostly planning to catch accidental disclosure. Consider where SSL tunnels will terminate.

Consider using the 1800 number in the warning notices that will later be turned into block notices.


Implement

Drop in the appliances at the gateway and the software on the desktops. Test each point of egress with a test file, using encrypted and unencrypted webmail etc.


Monitor

Configure the DLP in monitoring mode with all signatures enabled. Do not alert end users at this stage.


Fix Broken Business Processes

By using the DLP solution in monitor mode you will now be able to identify broken business processes: for example, PII being unnecessarily shuffled around on file shares, or credit card numbers being emailed due to a lack of system interfaces, or even of systems!


Tune

After you have remediated the business processes to the point where it makes sense to do so, it's time to tune the false positives out.


Training

Roll out web-based training for all personnel who will be affected, prior to end users being alerted by the system.


Alert

Now enable warning messages for end users for each of the selected rules you wish to enforce: a "click yes to proceed" prompt, plus a notification to contact the DLP team if there is a valid reason that this action must not be blocked in the future. During this phase the DLP team must be monitoring logs and liaising closely with stakeholders about their contents. The alert period must be long enough to pick up any month-end or FY-end business processes, such as shuffling spreadsheets with billing data around.


Enforce

For the rules that are to be enforced, enable them after suitable fanfare and communication to stakeholders. Use multiple channels such as voicemail, email, flyers and posters to get the message out.


Tune and Respond

There will be incidents discovered, leakage prevented, and false positives to tune out and apologise for!
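As an added example (not code from the original post or from any DLP vendor), the Monitor, Tune, Alert and Enforce phases above can be modelled as one content-inspection engine whose rules stay fixed while only the mode changes, with an allow list standing in for the tuning step. The `Policy` and `scan` names, the Luhn and Tax File Number validators, the sample messages and the use of the post's 1-800-DLPFIX wording as the hotline are my constructions:

```python
# Added illustration, not the post's or any product's code. Rule patterns,
# sample traffic and the hotline string are constructed for this example.
import re
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple

HOTLINE = "1-800-DLPFIX"  # placeholder number, as suggested in the post


class Mode(Enum):
    MONITOR = "monitor"  # log findings; the user sees nothing
    ALERT = "alert"      # warn the user, let them proceed, log
    ENFORCE = "enforce"  # block the transfer, log


def luhn_ok(digits: str) -> bool:
    """Luhn check, so that arbitrary 16-digit order references are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def tfn_ok(digits: str) -> bool:
    """Australian Tax File Number weighted check: sum(digit * weight) must be divisible by 11."""
    return len(digits) == 9 and sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


# Each rule pairs a regex that finds candidate digit runs with a validator that rejects false positives.
RULES: Dict[str, Tuple[re.Pattern, Callable[[str], bool]]] = {
    "card_number": (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), luhn_ok),
    "tax_file_number": (re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), tfn_ok),
}


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (rule name, normalised digits) for every validated hit in the text."""
    hits = []
    for name, (pattern, validator) in RULES.items():
        for match in pattern.finditer(text):
            digits = re.sub(r"[ -]", "", match.group())
            if validator(digits):
                hits.append((name, digits))
    return hits


class Policy:
    """Evaluates one outbound transfer under the current phase; one log entry per finding."""

    def __init__(self, mode: Mode, allow_list: Set[Tuple[str, str, str]] = frozenset()):
        self.mode = mode
        self.allow_list = set(allow_list)  # (user, channel, rule) triples tuned out after review
        self.log: List[dict] = []

    def evaluate(self, user: str, channel: str, text: str) -> str:
        """Return 'allow', 'warn' or 'block' for this transfer."""
        decision = "allow"
        for rule, digits in scan(text):
            masked = "*" * (len(digits) - 4) + digits[-4:]  # never write the full value to the log
            if (user, channel, rule) in self.allow_list:
                self.log.append({"user": user, "channel": channel, "rule": rule,
                                 "value": masked, "action": "allow-listed"})
                continue
            if self.mode is Mode.ENFORCE:
                action, decision = "blocked", "block"
            elif self.mode is Mode.ALERT:
                action, decision = "warned", "warn"
            else:
                action = "logged"
            self.log.append({"user": user, "channel": channel, "rule": rule,
                             "value": masked, "action": action})
        return decision


def user_message(decision: str) -> str:
    """Text shown to the end user; monitor mode shows nothing, matching the post's advice."""
    if decision == "warn":
        return (f"This transfer appears to contain sensitive data. Click Yes to proceed, "
                f"or contact the DLP team on {HOTLINE} if it must not be blocked in future.")
    if decision == "block":
        return f"This transfer has been blocked. Contact the DLP team on {HOTLINE}."
    return ""


# Constructed sample traffic: a month-end billing spreadsheet carrying a card number,
# a misfiled tax file number, and an order reference that fails the Luhn check.
SAMPLES = [
    ("finance.user", "email", "Attached: billing_nov.xls, card 4111 1111 1111 1111 exp 11/11"),
    ("hr.user", "fileshare", "Employee onboarding form, TFN 123 456 782"),
    ("sales.user", "webmail", "Order ref 4111 1111 1111 1112 shipped today"),
]

if __name__ == "__main__":
    for mode in Mode:
        policy = Policy(mode)
        for user, channel, text in SAMPLES:
            print(mode.value, user, channel, "->", policy.evaluate(user, channel, text))
        for entry in policy.log:
            print("  ", entry)
```

Two design points carry over from the post: the validators (Luhn, TFN check digit) remove a whole class of false positives before the tuning phase starts, and the log stores only masked values, so the monitoring phase does not itself become a new leakage path for the data it is meant to protect.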

Virtualised Perimeter

I drew the following as I wanted to start investigating how you might really push the limits in virtualising the perimeter.

Risks I was considering in the design were:

- guest to hypervisor (jumping from a vulnerability in the load balancer appliance/firewall/web server to the hypervisor and from there into the database tier)
- accidental misconfiguration placing the database tier into the web tier

Design considerations made:

- backup network for backup of server snapshots
- replication of database on SAN between production and DR datacenter
- "virtualised out of band management"

Keen to have some feedback and constructive criticism of the design.

For the technology mix I was thinking of something along the lines of:

- IBM blade servers
- Windows 2003
- EMC SAN
- VMware firewall (vShield?)
- Tripwire
- HIDS

Rich Picture of the state of web application security

Here's a first bash at the diagram. I was hoping to show on the diagram (along the lines of the seminal one in the Microsoft "Road Signs" paper):

- Current attacks from a "drive-by" and "targeted attack" perspective
- Security Controls (authentication, session management, input validation etc.)
