

Security's Top Five Priorities

Portable devices, Web application security are among the issues keeping CSOs awake these days

What keeps you awake at night? If you're a politician, it's campaign funding. If you're a teacher, it's tomorrow's lesson plan. If you're Paris Hilton, it's how to get more cupholders into your convertible.

For security professionals, the awake-at-night issues keep changing. When we did our last "look ahead" story back in December, the industry had not yet been slapped by the TJX breach, Web 2.0 worries, or Gary Min's attempt to steal $400 million worth of trade secrets from DuPont. (See 2007: Trouble Ahead.) Security threats, apparently, are like politically-incorrect comments by Don Imus: There's a new one every few minutes.

And so, in one final nod to Dark Reading's first anniversary this week, we've done some research on security professionals' current concerns, and those they foresee in the immediate future. The following is a synopsis of what we found.

As you'll see, some of the top issues and priorities in IT security have shifted significantly in the scant four months since we last asked this question. We hope you enjoy it. But read it fast -- the next sea change can't be far away.

1. The Portable Problem
Laptops. USB thumb drives. Removable hard drives. PDAs, smartphones, and Apple iPods. No matter what the devices are, they're capable of holding a ton of data, and their capacities grow every day. They can be the getaway vehicles for sensitive data, or the unwary carriers of viruses and other malware.

It's no surprise, then, that removable storage tops almost every security professional's priority list these days. In a survey published yesterday, Centennial Software reported that 38.4 percent of attendees at the recent InfoSecurity Europe conference listed portable media as the number one security issue facing their organization. Viruses finished second at 23.7 percent; spyware garnered 22.3 percent.

"It comes up in every conversation I have with a customer," says Steve Stasiukonis, vice president and founder of Secure Network Technologies, a penetration testing firm. "It doesn't matter if it's stuff being taken out or coming in -- they say they worry 50-50 about both. It's bad if a user brings it in and [pollutes] the network, or worse if they take something out and it gets into the hands of someone who can hurt [them]."

And the problem is becoming more acute all the time. According to a study published two weeks ago by Senforce Technologies, 73 percent of IT professionals say their organization houses critical data on removable devices such as laptops, thumb drives, and iPods. Twenty-three percent of the respondents said their organization had reported a network security breach in the last 12 to 18 months, and another 25 percent said they didn't know whether such a breach had occurred. (See USBs' Giant Sucking Sound.)

2. Web Two Point Zero-Day?
Security experts agree: The corporate network security perimeter has become a pretty tough nut to crack. So, like any good squirrel, the hacking community is putting that nut down in favor of an easier one: the Web-based application.

In tests of some 31,000 Websites last year, the Web Application Security Consortium exposed more than 148,000 vulnerabilities, according to the latest WASC statistics. Despite the recent notoriety of the problem, nearly 85 percent of the sites tested were vulnerable to attacks via cross-site scripting (XSS).

As with portable devices, the problem with emerging Web applications -- sometimes collectively called Web 2.0 -- is that the popularity of the technology is rapidly outstripping the IT organization's ability to secure it. In a study of 1,000 workers under the age of 29 conducted by British security firm Clearswift in March, some 42 percent of respondents confessed to discussing work-related issues on social networking sites and blogs.

Researchers also have found plenty of holes in next-generation Web technologies. Fortify Software earlier this month reported a new wave of Internet attacks targeting Web 2.0 sites and the Ajax applications that have helped make them so dynamic. In what Fortify coined "JavaScript Hacking," attackers go after vulnerabilities in major Ajax toolkits, allowing them to pretend to be victimized users and gain access to sensitive information.
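The WASC figure above (roughly 85 percent of tested sites vulnerable to cross-site scripting) comes down to one recurring coding pattern: user-controlled text concatenated into HTML without encoding. The following is an added illustration, not code from the article, WASC, or Fortify. It shows a deliberately vulnerable renderer beside its hardened form and a small audit routine that runs constructed sample inputs through both. The sample inputs, the `render_*` functions and the `is_injected` check are all constructed for this example.

```python
import html
import re

# Constructed sample inputs for this example (not taken from the article or WASC data):
# one harmless name, one script-tag probe, and one attribute-breakout probe.
SAMPLE_INPUTS = {
    "benign": "Alice O'Brien",
    "script_tag": "<script>alert(1)</script>",
    "attr_breakout": '" onmouseover="alert(1)',
}


def render_vulnerable(name: str) -> str:
    """'Before': the input is pasted straight into markup, in both a text
    context (<p>) and an attribute context (value="...")."""
    return f'<p>Hello, {name}</p><input value="{name}">'


def render_hardened(name: str) -> str:
    """'After': every insertion is HTML-encoded first. html.escape(quote=True)
    encodes & < > " and ', so the value can neither open a tag in the text
    context nor close the quoted attribute."""
    safe = html.escape(name, quote=True)
    return f'<p>Hello, {safe}</p><input value="{safe}">'


# Two cheap indicators of a successful injection in the rendered output:
# an injected <script> element, or an event-handler attribute that follows
# the value="..." attribute because the input closed the quote early.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
ATTR_BREAKOUT = re.compile(r'value="[^"]*"\s+on\w+=', re.IGNORECASE)


def is_injected(page: str) -> bool:
    """True if the rendered page carries one of the injection indicators."""
    return bool(SCRIPT_TAG.search(page) or ATTR_BREAKOUT.search(page))


def audit(renderer) -> dict:
    """Run every sample input through a renderer; map label -> injected?"""
    return {label: is_injected(renderer(value)) for label, value in SAMPLE_INPUTS.items()}


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(name, audit(fn))
```

The point of the side-by-side is that the same two probes inject through `render_vulnerable` and are neutralized by `render_hardened`, while the benign name renders correctly in both. Note that HTML-entity encoding is the right fix only for HTML text and attribute contexts; a value placed inside a `<script>` block or a URL needs the encoding for that context instead.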

3. Attacker Inside!
Corporations have always been concerned about security leaks and insider attacks. But that was before they heard about Vencent Donlan, Roger Duronio, and Gary Min.

In the past several months, the security industry has had an opportunity to see some of the biggest brass balls in the history of corporate theft and sabotage.

Donlan, a former stock options administrator, this week was charged with stealing some $7.7 million in company stock and routing it to an account in his wife's name. (See SEC: WFI Insider Stole $7.7M.) Duronio was convicted of planting a logic bomb in his company because he wasn't happy about his bonus. (See Ex-UBS Sys Admin Found Guilty.) And Min had to rent a storage bin and a separate apartment to house the $400 million worth of data and documents he stole while he worked at DuPont.

These three incidents may not be the biggest insider incidents in history, but with today's laws mandating breach disclosure, they put a new, ugly face on the prospect of such things happening at your company. As a result, many enterprises are taking a harder look at compliance, leak prevention, and end-user monitoring than ever before.


4. Endpoint End Game
Networks and applications are nice, but most hackers' favorite target is a nice, blissfully ignorant end user. Whether it's shoulder-surfing at Starbucks, hijacking a WiFi connection, or entry through an unpatched antivirus application, an attacker's pickings around a single end user are surprisingly good.

Security vendor Promisec yesterday released the results of 193,000 endpoint audits it has conducted across 32 organizations, and the results are sobering. Here's what it found:

Some 25,090 (13 percent) of the corporate PCs surveyed had unauthorized USB devices attached to them. More than 7,700 (4 percent) of corporate PCs had peer-to-peer (P2P) applications installed, such as KaZaa. About 2,900 (1.5 percent) did not have the latest Microsoft Service Packs, and 3,281 (1.7 percent) had antivirus monitoring and remediation issues.

It doesn't stop there. More than 2,300 (1.2 percent) of the 193,000 audited endpoints were without required third-party desktop security agents, and 1,579 (0.82 percent) had unauthorized remote control software such as GoToMyPC. A smaller percentage had unauthorized and unprotected shareware.

Whether it's Cisco's NAC, Microsoft's NAP, or any one of a dozen other endpoint security strategies, corporations need to find a solution, and fast. Otherwise, hackers will continue to see them as big, strong castles -- with lots of open doors.
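The Promisec audit categories above (unauthorized USB devices, P2P clients, missing service packs, antivirus problems, missing security agents, unauthorized remote-control tools) are exactly the posture checks a NAC- or NAP-style admission policy evaluates per endpoint. The following is an added example, not Promisec's, Cisco's or Microsoft's code: it evaluates a constructed inventory of four endpoints against a small policy and produces per-host findings plus fleet-wide counts and percentages in the same shape as the article's figures. The policy lists (`APPROVED_USB_VENDORS`, `P2P_APPS`, `REMOTE_CONTROL_APPS`, `REQUIRED_AGENTS`, `CURRENT_SERVICE_PACK`) and the `Endpoint` records are assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Policy (assumed for this example; a real deployment would pull these from its
# asset inventory and endpoint-management tooling).
APPROVED_USB_VENDORS = {"CorpKeyboard", "CorpMouse"}
P2P_APPS = {"kazaa", "limewire", "bittorrent"}
REMOTE_CONTROL_APPS = {"gotomypc", "logmein"}
REQUIRED_AGENTS = {"corp-dlp-agent", "corp-hids"}
CURRENT_SERVICE_PACK = 2
MAX_SIGNATURE_AGE_DAYS = 7


@dataclass
class Endpoint:
    """One audited machine, as an endpoint agent or NAC posture check would report it."""
    host: str
    usb_devices: list          # vendor/product strings of attached USB devices
    installed_apps: list       # installed application names
    service_pack: int          # installed OS service pack level
    av_running: bool           # antivirus engine running?
    av_signatures_age_days: int
    agents: list               # security agents present on the host


def audit_endpoint(ep: Endpoint) -> list:
    """Return the list of policy findings for a single endpoint."""
    findings = []
    if any(dev not in APPROVED_USB_VENDORS for dev in ep.usb_devices):
        findings.append("unauthorized_usb")
    apps = {a.lower() for a in ep.installed_apps}
    if apps & P2P_APPS:
        findings.append("p2p_app")
    if apps & REMOTE_CONTROL_APPS:
        findings.append("unauthorized_remote_control")
    if ep.service_pack < CURRENT_SERVICE_PACK:
        findings.append("missing_service_pack")
    if not ep.av_running or ep.av_signatures_age_days > MAX_SIGNATURE_AGE_DAYS:
        findings.append("antivirus_issue")
    if not REQUIRED_AGENTS <= set(ep.agents):
        findings.append("missing_security_agent")
    return findings


def audit_fleet(endpoints: list):
    """Audit every endpoint; return (per-host findings, finding -> (count, percent))."""
    per_host = {ep.host: audit_endpoint(ep) for ep in endpoints}
    counts = Counter(f for fs in per_host.values() for f in fs)
    total = len(endpoints)
    summary = {f: (n, round(100.0 * n / total, 1)) for f, n in counts.items()}
    return per_host, summary


# Constructed sample inventory (four hosts) for this example.
SAMPLE_FLEET = [
    Endpoint("ws-001", ["CorpKeyboard"], ["Office"], 2, True, 1,
             ["corp-dlp-agent", "corp-hids"]),
    Endpoint("ws-002", ["CorpKeyboard", "SanDisk Cruzer"], ["Office", "KaZaA"], 2, True, 2,
             ["corp-dlp-agent", "corp-hids"]),
    Endpoint("ws-003", [], ["GoToMyPC"], 1, False, 30,
             ["corp-hids"]),
    Endpoint("ws-004", ["CorpMouse"], [], 2, True, 12,
             ["corp-dlp-agent", "corp-hids"]),
]


if __name__ == "__main__":
    per_host, summary = audit_fleet(SAMPLE_FLEET)
    for host, findings in per_host.items():
        print(host, findings or "clean")
    for finding, (count, pct) in sorted(summary.items()):
        print(f"{finding}: {count} ({pct} percent)")
```

In a NAC/NAP deployment the per-host list is what decides admission: an empty list admits the machine to the production network, anything else lands it in a remediation VLAN until the finding clears. The fleet summary is the same report Promisec published, computed from your own data instead of theirs.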

5. Botnet Bugaboo
When attackers crippled two of the Internet's key Domain Name System (DNS) servers in February, it was bad enough. But now experts are telling us that the attack might have been a prologue to a much larger attack, or perhaps even a sales demo for a botnet seller. Those are pretty scary possibilities. (See Fujitsu Softek Eyes Acquisitions and DNS Attack: Possible Botnet Sales Pitch.)

The creation and operation of botnets, experts say, has become big business. BBC News today is reporting that some companies have begun hiring hackers to launch botnet attacks on their competitors, creating spam networks or crippling their rivals' networks with botnet traffic.

And with zero-day vulnerabilities discovered in Microsoft's DNS just a few weeks ago, the botnet threat is greater than ever, experts say.

"Botnets are pervasive on the Internet and use zero-day vulnerabilities, such as Microsoft's DNS vulnerability, to grow their armies," said Ashar Aziz, CEO of security company FireEye. "Botnets enable theft of enterprises' customer data and intellectual property, and can be used to commit fraud and crime on a large scale. Enterprises should be very concerned about brand damage and legal liability due to botnets on their networks." (See DNS Flaw Creates Botnet Threat.)

— Tim Wilson and Kelly Jackson Higgins, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
