Modern Information Security Challenges

Sunday, December 6th, 2009

There are several challenges in our evolving environments that make it difficult to adequately protect our resources. Among these many challenges, I think the following are worth mentioning:

  1. Blending of corporate and personal lives — It is harder to differentiate between your work life and personal life as the work day has less of a distinct start and end. For example, employees use company email for some personal communications, and some employees may be issued a BlackBerry or cell phone that they use for limited personal use. Many people may not even have a home computer and use their company-issued laptop for everything, including running personal software, like their tax software. On the flip side, some employees may bring a personal laptop into the office and try to plug it in.
  2. Inconsistent enforcement of policies — Many organizations either haven’t enforced their policies in the past, or have done so inconsistently depending on the position of the employee. This causes many issues when a security function tries to crack down on violators. Hopefully you don’t have one of those organizations that have buried their security policies on some internal website that no one ever reads.
  3. IT doesn’t own and control all devices — I alluded to this issue above with personal mobile devices, but what if the organization doesn’t provide a PDA to the sales team, so they buy their own and start storing client lists on it and try to connect it to your wireless network in the office? What happens when you need to do an investigation on that device? Can you?
  4. Blurring of internal vs. external — The edge or perimeter of the network isn’t as clear anymore. In the past we established strong perimeter controls to regulate access into and out of the network, but now that perimeter has been pushed out to partners with extranets, to third parties with hosting services, and to employees’ homes with VPN solutions that can be used from a personal desktop. Where would you even draw the line now?
  5. Covert attacks, no longer obvious — It used to be typical for a virus infection to be big and messy, causing a lot of damage and being immediately obvious when you were infected. Now, however, attackers are silent and stealthy. They don’t want to erase your data or take down your system; they want to slowly steal your data or use your computing power to attack other victims. They do their best to be undetectable with rootkits and backdoor trojans.
  6. Moving target — As we mature and get better at securing our systems, the attackers find new and creative ways to bypass our controls. As we close the easy ways in, they develop more sophisticated attacks. It is a never-ending battle.

The threat landscape is constantly changing, and it can be easy to fall behind. Techniques and strategies that worked last year may not be enough this year. I’m not a proponent of spending every day analyzing the slightest change in threat intelligence, but your security program does need to be flexible. Take advantage of threat reports and study the major trends, and adjust your approach periodically.

Just remember that very few weaknesses or attacks are really new. Old attacks get repackaged and new buzzwords are coined. In my experience, it is just applying the same fundamental attack strategies to new targets. We in the information security field have a habit of making the same design mistakes over and over.