Tuesday, March 9, 2010

What are your top three concerns?

I was asked to name my top three infosec concerns the other day. What
I came up with was:

- Client side security
It's a battle to keep all of the third-party apps (think WinZip, Adobe,
VLC, Microsoft Word, etc.) patched for known, reported
vulnerabilities, let alone to worry about 0day vulnerabilities. Most
enterprises have a six-monthly patch routine, so there are often many
vulns in software that is in common use. And because the malware now
arrives inside the file types those apps open, you can't ban the
types of attachments and downloads that contain it the way you
could in the days of .exe and .vbs email attachment driven malware.

- Asset Management
It's a battle in a large enterprise to identify what critical business
processes you have, let alone what devices you have on your network or
what apps you have and which of these are
internet/customer/business partner facing. The security team can't
secure what they don't know about. Port scans may help identify what
systems are out there (to some extent; large network ranges are
hard to scan safely), but what apps are on those systems? It's a sad
state of affairs when your firewall configuration is the only source
of information about what internet-facing apps you have. What about
web apps your marketing department has contracted to have hosted by
web development companies? What about business partner routers
connected directly to your internal network?
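When the firewall configuration really is the only record of what is internet-facing, the least you can do is read it mechanically and hold it up against whatever application registry exists. The script below is an added example, not the author's code: it parses a constructed iptables-save style NAT dump (public addresses from the RFC 5737 documentation ranges), extracts every DNAT port-forward, and lists the forwarded services that no registry entry claims. The dump format, the registry layout and the hosts are all assumptions for the sake of the illustration.

```python
"""Reconcile firewall port-forwarding rules against an application registry.

Added example for this post, not the author's code. The NAT dump and the
registry below are constructed samples; the public addresses are RFC 5737
documentation ranges.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of what `iptables-save -t nat` might produce on an edge firewall.
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.1.2.20:8443
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.2.20:8080
-A PREROUTING -d 203.0.113.11/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.1.2.25
-A PREROUTING -d 203.0.113.12/32 -p tcp -m tcp --dport 1433 -j DNAT --to-destination 10.1.3.40:1433
-A POSTROUTING -s 10.0.0.0/8 -j MASQUERADE
COMMIT
"""

# Constructed sample: internet-facing apps as the security team's registry records them.
APP_REGISTRY = {
    ("10.1.2.20", 8443): {"app": "customer portal", "owner": "web team"},
    ("10.1.2.25", 25): {"app": "inbound mail relay", "owner": "messaging team"},
}

DNAT_RE = re.compile(
    r"-A PREROUTING .*?-d (?P<ext_ip>[\d.]+)(?:/\d+)? .*?-p (?P<proto>\w+) .*?"
    r"--dport (?P<ext_port>\d+) .*?-j DNAT --to-destination "
    r"(?P<int_ip>[\d.]+)(?::(?P<int_port>\d+))?"
)


@dataclass(frozen=True)
class Exposure:
    """One internal service reachable from the internet through a DNAT rule."""
    external_ip: str
    proto: str
    external_port: int
    internal_ip: str
    internal_port: int


def parse_dnat_rules(dump: str) -> list[Exposure]:
    """Extract every PREROUTING DNAT rule, i.e. every port the firewall forwards inward."""
    exposures = []
    for line in dump.splitlines():
        m = DNAT_RE.search(line)
        if not m:
            continue
        # A --to-destination without a port keeps the original destination port.
        internal_port = int(m["int_port"] or m["ext_port"])
        exposures.append(Exposure(m["ext_ip"], m["proto"], int(m["ext_port"]),
                                  m["int_ip"], internal_port))
    return exposures


def find_unregistered(exposures: list[Exposure], registry: dict) -> list[Exposure]:
    """Exposures with no registry entry: internet-facing services nobody has claimed."""
    return [e for e in exposures if (e.internal_ip, e.internal_port) not in registry]


def report(dump: str, registry: dict) -> list[str]:
    """Human-readable lines to hand to the operations team or application owners."""
    lines = []
    for e in find_unregistered(parse_dnat_rules(dump), registry):
        lines.append(f"{e.external_ip}:{e.external_port}/{e.proto} -> "
                     f"{e.internal_ip}:{e.internal_port} has no registered app or owner")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NAT_RULES, APP_REGISTRY)))
```

Run against the sample it reports two unclaimed forwards (a second web port on the portal host and a database port on a host the registry has never heard of). The same approach works for any rule format you can regex; the point is that the diff between "what the firewall lets in" and "what we think we own" is the first asset-management task list.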

- Decreasing effectiveness of controls
Firewalls are less effective because everything can be tunnelled through
your outbound web proxy server over HTTP.
Antivirus is less effective because criminals write custom remote
access trojans and test them against the AV products (these are
professionals, not pranksters).
IDS and IPS are less effective because of encryption and the shellcode
obfuscation available in all exploit development frameworks.
Web and email content filtering is less effective because of fast-flux
hosting of malware and because malware is sent in attachment MIME
types you need to accept (e.g. .zip, .pdf, .doc, .xls) or which are
encrypted (e.g. a password-protected WinZip file).
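Since the attachment types cannot be banned outright, a content filter has to look past the declared type. The example below is added here and is not the author's code: it shows the three checks a gateway can still make on .zip/.pdf/.doc/.xls attachments, namely whether the bytes match the extension's signature, whether an archive entry is password-protected (and therefore unscannable), and whether an archive carries an executable, including inside a nested zip. All sample attachments are constructed in memory; the `make_zip` helper and the finding strings are assumptions for this illustration.

```python
"""Inspect an email attachment the way a content filter might, beyond its declared type.

Added example for this post, not the author's code. Sample attachments are
constructed in memory; no real malware is involved.
"""
from __future__ import annotations

import io
import zipfile

# Leading bytes for the attachment types the post says you have to accept.
MAGIC = {
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file (.doc/.xls)
    "xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
}
EXECUTABLE_EXTS = (".exe", ".scr", ".vbs", ".js", ".bat", ".cmd", ".com", ".pif")


def inspect_zip(data: bytes, depth: int = 0) -> list[str]:
    """Findings for an archive: encrypted entries, executables, nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["zip signature but archive is unreadable"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                findings.append(f"encrypted entry {name!r} cannot be scanned")
                continue
            if name.lower().endswith(EXECUTABLE_EXTS):
                findings.append(f"executable entry {name!r} inside archive")
            if name.lower().endswith(".zip") and depth < 2:
                findings.extend(f"nested: {f}" for f in inspect_zip(zf.read(info), depth + 1))
    return findings


def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing suspicious was seen."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        findings.append(f"content does not match .{ext} signature")
    if data.startswith(b"MZ"):
        findings.append("Windows executable (MZ header) regardless of extension")
    if data.startswith(MAGIC["zip"]):
        findings.extend(inspect_zip(data))
    return findings


def make_zip(entries: dict[str, bytes], encrypted: bool = False) -> bytes:
    """Build a constructed sample archive (hypothetical helper for the demo).

    zipfile cannot write password-protected archives, so for the encrypted case
    the general-purpose flag bit 0 is set in each local and central header by hand.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = data.find(sig)
            while i != -1:
                data[i + offset] |= 0x01
                i = data.find(sig, i + 4)
    return bytes(data)


if __name__ == "__main__":
    samples = {
        "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,                       # exe renamed to .pdf
        "invoice.zip": make_zip({"invoice.pdf.exe": b"MZ" + b"\x00" * 8}),  # double extension
        "docs.zip": make_zip({"q3.doc": b"\xd0\xcf\x11\xe0"}, encrypted=True),
        "photos.zip": make_zip({"inner.zip": make_zip({"photo.scr": b"MZ"})}),
    }
    for name, blob in samples.items():
        print(name, inspect_attachment(name, blob))
```

The encrypted case is the one the post calls out: the filter cannot see inside, so the only decisions left are to quarantine, to hold for manual release, or to accept the blind spot knowingly. Mismatched signatures and double extensions are cheap to detect and still catch a surprising amount of commodity malware.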


Wednesday, March 3, 2010

Staying cheerful despite Barriers to Information Security

Sometimes it's hard to be positive when you work in information security. I have noticed a number of my colleagues get very despondent that they are unable to change the status quo at their respective organisations.

I'm an eternal optimist, and I think it's the job of information security professionals to be constantly active in attempting to improve the state of information security. You've got to keep a ducking and a diving with the grace of Muhammad Ali, taking the opportunity for a tactical win when the rare opportunity exposes itself.

Some maxims that are useful to keep in mind:

1. Success is defined as having the information security program aligned with the business's desired residual risk level. Some notes to consider below:
  • management must make the informed decision to run "cheap, lean and risky" rather than be blindsided by security incidents
  • security done well can be a competitive advantage to a business by reducing the costs of doing business compared to its competitors (i.e. reduction in losses and in security capex and opex with no increase in risk)
2. Funnel the kickback from a security incident into a productive, pre-planned effort: "Oh sir, we've responded well to the incident; however, this could have been prevented by the DLP program which we had on the budget request last year".

3. Most intrusions (according to the 2009 Verizon Data Breach Investigations Report) are due to year-old vulnerabilities, so don't focus on obscure stuff and forget the basics like secure configuration, deploying security patches and squishing SQL injection vulnerabilities.

Some common challenges encountered and tactics to consider:

  • when "bottom up" vulnerability management efforts stall because business application owners won't approve the costs or outages for secure configuration, patching or remediation of application security issues, try "top down" approaches such as developing a security charter in conjunction with executives and then, from that, developing a security policy set (aka an ISMS) that requires vulnerability management
  • when information asset classification efforts are failing due to a lack of business process documentation and of inventory and asset management processes, try some inventory activities yourselves (i.e. some port scans) and share the results with the operations team to kick-start efforts.
If some more problems and tactics come to mind I'll re-edit this post later on.
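The second tactic, running your own port scans and handing the results to operations, works best when the hand-off is a short list of concrete questions rather than a raw scan file. The script below is an added example, not the author's code: it parses nmap's grepable (-oG) output, which is a constructed sample here using private address space, compares it with a constructed CMDB, and produces one question per host the CMDB lacks and one per open service the CMDB does not record on a known host. The hostnames, owners and CMDB layout are assumptions for the illustration.

```python
"""Turn a port scan into an inventory discussion with the operations team.

Added example for this post, not the author's code. The nmap "grepable"
(-oG) output and the CMDB below are constructed samples using private
address space; no scan is performed.
"""
from __future__ import annotations

import re

# Constructed sample of nmap -oG output (one "Ports:" line per host that answered).
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 10.1.2.20 (portal.corp.internal)\tStatus: Up
Host: 10.1.2.20 (portal.corp.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 8443/open/tcp//ssl|http//Apache httpd/, 8080/open/tcp//http//Apache httpd/\tIgnored State: closed (997)
Host: 10.1.3.77 ()\tStatus: Up
Host: 10.1.3.77 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (998)
Host: 10.1.3.78 ()\tPorts: 161/open|filtered/udp//snmp///
# Nmap done
"""

# Constructed sample: what the CMDB says should exist on this range.
CMDB = {
    "10.1.2.20": {"owner": "web team", "services": {(22, "tcp"), (8443, "tcp")}},
}

HOST_RE = re.compile(r"Host: (?P<ip>\S+) \((?P<hostname>[^)]*)\)")
# Each -oG port entry is port/state/proto/owner/service/rpc/version/ .
PORT_RE = re.compile(
    r"(?P<port>\d+)/(?P<state>[\w|]+)/(?P<proto>\w+)/[^/]*/(?P<service>[^/]*)/[^/]*/(?P<version>[^/]*)/"
)


def parse_gnmap(text: str) -> dict[str, dict]:
    """Map each scanned host to its hostname and its confirmed-open services."""
    hosts: dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        entry = hosts.setdefault(m["ip"], {"hostname": m["hostname"], "ports": []})
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for pm in PORT_RE.finditer(field[len("Ports: "):]):
                # Keep only "open"; UDP's "open|filtered" is a guess, not a confirmed service.
                if pm["state"] == "open":
                    entry["ports"].append((int(pm["port"]), pm["proto"], pm["service"], pm["version"]))
    return hosts


def triage(hosts: dict[str, dict], cmdb: dict) -> tuple[list[str], list[tuple]]:
    """Split findings into hosts the CMDB lacks and unexpected services on known hosts."""
    unknown_hosts = sorted(ip for ip in hosts if ip not in cmdb)
    unexpected_services = []
    for ip, entry in hosts.items():
        record = cmdb.get(ip)
        if record is None:
            continue
        for port, proto, service, _version in entry["ports"]:
            if (port, proto) not in record["services"]:
                unexpected_services.append((ip, port, proto, service))
    return unknown_hosts, unexpected_services


def handoff_lines(text: str, cmdb: dict) -> list[str]:
    """One question for the operations team per discrepancy."""
    hosts = parse_gnmap(text)
    unknown, unexpected = triage(hosts, cmdb)
    lines = []
    for ip in unknown:
        svcs = ", ".join(f"{p}/{pr} {s}".rstrip() for p, pr, s, _ in hosts[ip]["ports"]) or "none"
        name = hosts[ip]["hostname"] or "no name"
        lines.append(f"{ip} ({name}): not in CMDB; open services: {svcs}; who owns it?")
    for ip, port, proto, service in unexpected:
        lines.append(f"{ip} ({cmdb[ip]['owner']}): {port}/{proto} {service} is open but not "
                     f"recorded; is it meant to be?")
    return lines


if __name__ == "__main__":
    print("\n".join(handoff_lines(SAMPLE_GNMAP, CMDB)))
```

On the sample this yields two unknown hosts (one exposing RDP and SMB, one with nothing confirmed open) and one unrecorded web port on the known portal. Keeping UDP "open|filtered" results out of the hand-off avoids sending operations on a hunt for services that may not exist; those can be verified separately before they go on the list.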