While I don't intend for this blog to become YANLS (Yet Another News Linking Site), I've come across a number of articles at work recently that have been very informative on a variety of subjects. Reader beware: these range in technical complexity from the most basic to the very complex.
I've been preaching to friends, family, co-workers, and anyone who will listen about the good, yes, good things that legislation like Sarbanes-Oxley, GLBA, and HIPAA have brought to the world. Most notably, pushing real security controls & technologies into companies previously too cheap to heed the advice of their security analysts. CSO Online recently published an article titled How To Love Sarbanes-Oxley, written by a security manager at Kennametal, that gets into the details of some of the good effects of the legislation, from a security perspective.
In the category of "blogging about blogging," we find the Security Monkey blog titled A day in the life of a security investigator. This is an entertaining read that illustrates some of the trials of being a security analyst. It's well-written, and a good read if you have some time on your hands. Writing about the specifics of my work is an employment gray area that I painstakingly avoid, but if I were to do so, it would often read much like this. For those of you who podcast, this may be of interest to you as well.
Finally, I ran across a very detailed and informative overview of both recovering data that has been deleted from magnetic media, and of how to delete that data so that it is difficult to recover. The paper, from the University of Auckland, is titled Secure Deletion of Data from Magnetic and Solid-State Memory.
2006 Security Forecast
It's going to rain. But then again, since about 1999/2000, the security outlook for any given year has looked about like the weather forecast for Seattle: Rain, with a chance of more rain. I actually just wanted to note a few specifics in this section:
- Security configuration management software, also known as "Enterprise Configuration Management Software" and "Enterprise Risk Management Software," will get a lot of attention. This is software that aggregates the configuration data from your network control devices (firewalls, routers, etc.) as well as the results of your vulnerability assessment software. Based on this information, it can give you a view of your overall security risk (one host carries more risk than another because its vulnerability is not mitigated by a firewall rule), analyze access between nodes & sites, and evaluate the impact of network changes on the risk assumed by your organization. Skybox is, to my knowledge, the only COTS product that can deliver this. I will be writing about this software in more detail in the near future, hopefully.
- We will see more effective use of IM and P2P software to spread malware. These are the two vectors that offer the greatest number of targets through the exploitation of a single technology, and to date have not been effectively attacked. Specifically, this makes for a great introduction into an otherwise-secure corporate network, since many users circumvent strong firewall egress controls by connecting to these services via weak HTTP proxy controls. A hybrid AIM / Microsoft vulnerability-du-jour attack could be especially damaging.
- Personal networking sites like Myspace and Friendster allow users to post HTML content without going to the pain of setting up their own website, DNS, etc. This is also a great way to launch phishing attacks, as well as host malicious code to be downloaded by bots, exploit the IE vulnerability du jour, and a variety of other bad things with minimal accountability. This has been rare to date, if it's happened at all, but the potential of these sites will soon be discovered by attackers. If administrators aren't proactive in filtering the content of their users' pages, this could mean trouble for the rest of us.
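To make the first forecast item concrete, here is a small added example (my own illustration, not code from Skybox or any other product) of the core correlation such software performs: it evaluates the firewall rule set to decide whether each scanner finding is actually reachable from an outside address, and scores only the unmitigated findings. The rule list, hosts, ports, severities and finding IDs are all constructed sample data.

```python
from ipaddress import ip_address, ip_network

# Constructed sample firewall policy, evaluated first-match-wins, default deny.
# Each rule: (source network, destination network, destination port or None for any, action)
FIREWALL_RULES = [
    ("0.0.0.0/0", "10.0.1.10/32", 443, "allow"),   # web server reachable on HTTPS
    ("0.0.0.0/0", "10.0.1.10/32", 3389, "deny"),   # RDP on web server explicitly blocked
    ("0.0.0.0/0", "10.0.1.20/32", 3389, "allow"),  # RDP on second host left open
    ("0.0.0.0/0", "10.0.0.0/16", None, "deny"),    # everything else into the range denied
]

# Constructed vulnerability scanner findings: host, listening port, severity (0-10), finding id.
FINDINGS = [
    {"host": "10.0.1.10", "port": 3389, "severity": 9.0, "id": "SAMPLE-RDP-WEAKNESS"},
    {"host": "10.0.1.10", "port": 443, "severity": 5.0, "id": "SAMPLE-TLS-WEAKNESS"},
    {"host": "10.0.1.20", "port": 3389, "severity": 9.0, "id": "SAMPLE-RDP-WEAKNESS"},
]


def is_reachable(src, dst, port, rules=FIREWALL_RULES):
    """Return True if the first matching rule allows src -> dst:port; no match means deny."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for src_net, dst_net, rule_port, action in rules:
        if src_ip in ip_network(src_net) and dst_ip in ip_network(dst_net) \
                and (rule_port is None or rule_port == port):
            return action == "allow"
    return False


def exposure_report(findings=FINDINGS, attacker="203.0.113.5"):
    """Tag each finding with whether the firewall leaves it reachable from the attacker address."""
    return [dict(f, exposed=is_reachable(attacker, f["host"], f["port"])) for f in findings]


def host_risk(findings=FINDINGS, attacker="203.0.113.5"):
    """Per-host risk: sum of severities of reachable findings; mitigated findings count zero."""
    risk = {}
    for f in exposure_report(findings, attacker):
        risk[f["host"]] = risk.get(f["host"], 0.0) + (f["severity"] if f["exposed"] else 0.0)
    return risk


if __name__ == "__main__":
    for f in exposure_report():
        print(f["host"], f["port"], f["id"], "EXPOSED" if f["exposed"] else "mitigated by firewall")
    print(host_risk())  # 10.0.1.20 scores higher: same RDP finding, but no deny rule in front of it
```

The same reachability check can be re-run against a proposed rule change before it is pushed, which is the "impact of network changes" evaluation described above.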