SpiderLabs’ top strategic security initiatives for every organization in 2011

SpiderLabs, the advanced security team within the consulting firm Trustwave, has just released its Global Security Report of 2011. The report is based on more than 220 incident response investigations and 2,000 manual penetration tests conducted by SpiderLabs in the past year. Nicholas Percoco of SpiderLabs shares his top “eleven for ‘11” security initiatives that every organization should undertake in order to reduce the risk of a costly security breach.

Where computer security is involved, it’s always good to understand the kinds of breaches that companies have suffered and what the actual or suspected vulnerabilities were that allowed the breaches to occur.  It is in this spirit that the members of SpiderLabs, the advanced security team within Trustwave, have published their Global Security Report of 2011. The report is based on more than 220 incident response investigations and over 2,000 penetration tests conducted worldwide by SpiderLabs in 2010.

What I find interesting about reports such as this is that no matter how many layers of security companies construct, cybercriminals still find a way to get what they want, and they are doing it in ever more sophisticated ways. But sophistication isn’t always necessary. Sometimes it’s the oversight of small things that causes big problems. For example, 88% of SpiderLabs’ investigations involved deficiencies such as default vendor-supplied credentials and insecure remote access applications. It doesn’t take a rocket scientist to guess a default password and gain unauthorized access to important network resources.

This report is full of really good information and insight. It’s definitely worth a read. Until you have time to go through all 55 pages, I’ll give you the Cliffs Notes version of advice from the SpiderLabs team. Nicholas Percoco, Senior Vice President of SpiderLabs, provides his “eleven for ‘11” recommendations of strategic initiatives for every organization. If you follow Percoco’s top recommendations, you should be able to vastly reduce the risk of your company experiencing a security breach.

1. Assess, reduce and monitor client-side attack surfaces

In 2010, client-side attacks occurred faster than anyone would have predicted. At times, software developers of browsers, plug-ins and viewers were issuing security updates every couple of weeks.

To combat the problem, create an organizational standard for various classes of applications. Monitor those versions and develop a method of inventorying the applications to measure adherence to standards. Finally, develop a method of evaluating risks, communicating them if needed, and rapidly patching them when required.
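The "inventory the applications and measure adherence" step is the one that is easiest to leave vague. The following is an added example (not code from the article or from SpiderLabs) of what that measurement can look like: an assumed per-class standard naming the approved product and minimum version, a constructed CSV inventory export, and a checker that reports each host's unapproved or outdated client-side software and the overall adherence rate. Product names, versions and hostnames are all constructed sample data.

```python
"""Check an endpoint software inventory against an organizational standard.

Added example, not from the article or from SpiderLabs. The standard, the
product names, the version strings and the CSV inventory are all constructed.
"""
import csv
import io
from collections import defaultdict

# Assumed standard: the approved product and minimum version per app class.
STANDARD = {
    "browser":    ("ExampleBrowser", "12.0.3"),
    "pdf-viewer": ("ExampleReader", "9.4.1"),
    "plugin":     ("ExamplePlayer", "10.1.102"),
}

# Constructed inventory export, one row per installed client-side application.
INVENTORY_CSV = """host,app_class,product,version
ws-001,browser,ExampleBrowser,12.0.3
ws-001,pdf-viewer,ExampleReader,9.3.0
ws-002,browser,OtherBrowser,5.0
ws-002,plugin,ExamplePlayer,10.1.102
ws-003,browser,ExampleBrowser,12.1
ws-003,plugin,ExamplePlayer,10.0.45
ws-004,browser,ExampleBrowser,12.0.3
ws-004,pdf-viewer,ExampleReader,9.4.1
"""


def parse_version(text):
    """Turn '10.1.102b' into (10, 1, 102); non-digit suffixes are dropped."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1; shorter tuples are padded so '12' equals '12.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def check_inventory(csv_text, standard):
    """Map host -> list of (finding, app_class, product, version) tuples."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        host, app_class = row["host"], row["app_class"]
        if app_class not in standard:
            findings[host].append(("unknown-class", app_class, row["product"], row["version"]))
            continue
        product, min_version = standard[app_class]
        if row["product"] != product:
            findings[host].append(("unapproved", app_class, row["product"], row["version"]))
        elif compare_versions(row["version"], min_version) < 0:
            findings[host].append(("outdated", app_class, row["product"], row["version"]))
    return dict(findings)


def adherence_rate(csv_text, standard):
    """Fraction of inventoried hosts with no findings at all."""
    hosts = {row["host"] for row in csv.DictReader(io.StringIO(csv_text))}
    noncompliant = check_inventory(csv_text, standard)
    return 1.0 - len(noncompliant) / len(hosts) if hosts else 1.0


if __name__ == "__main__":
    for host, items in sorted(check_inventory(INVENTORY_CSV, STANDARD).items()):
        for finding in items:
            print(host, *finding)
    print("adherence: {:.0%}".format(adherence_rate(INVENTORY_CSV, STANDARD)))
```

Run against the constructed data, three of the four hosts have a finding (an outdated reader, an unapproved browser, an outdated plugin), giving a 25% adherence rate; the same checker run daily against a real inventory export is what turns a written standard into something that can be monitored.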

2. Embrace social networking, but educate staff

This popular medium is not going away anytime soon; businesses are now using social networking to improve brand awareness, reduce costs and connect with customers. With this come risks, such as public exposure of private company information or cybercriminals identifying targets by mining social profiles for personal information.

Establish a policy on what company information and activities can be shared by unofficial users. Educate staff on this policy and provide them additional awareness training on how they can protect themselves and the organization against social-networking-based attacks.

3. Develop a mobile security program

Employees with company-issued smart phones, laptops and other devices carry their organization’s intellectual property with them wherever they go. These devices are attractive targets, as they may not be as highly secured as other corporate resources.

Evaluate the various platforms used by employees, identify those that cannot enforce enterprise profiles, and decide how to phase them out. Over the next few years, mobile attacks may surpass those against desktops. Gaining as much control over the configurations of mobile devices as there is for desktop and server environments will help organizations begin to reduce risk.

4. Use multifactor authentication

People choose easy-to-remember (poor) passwords if they are allowed to. Even with the enforcement of password complexity rules, many still choose weak passwords.

Multifactor authentication does not work everywhere, but should be strongly considered where possible. It is critically important for perimeter access such as VPN or remote access, and the cost of implementing a multifactor solution is far less than the impact of a major breach of the corporate network and loss of data.
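To make the "second factor" concrete, here is an added example (not from the article or from SpiderLabs) of the server side of a time-based one-time password check, the mechanism behind most soft-token and hardware-token VPN logins. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library only, accepts codes from one time step either side to absorb clock drift, and refuses to accept the same counter twice so that a captured code cannot be replayed. The secret used is the RFC test-vector secret, included as sample data; a deployment would generate a random secret per user.

```python
"""Time-based one-time password (TOTP) verification with replay protection.

Added example, not from the article or from SpiderLabs. It implements the
HOTP (RFC 4226) and TOTP (RFC 6238) algorithms from the standard library only;
the shared secret below is the RFC test-vector secret, used here as sample data.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test secret (ASCII "12345678901234567890"); a real deployment
# generates a random per-user secret and protects it like a password hash.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password for a single counter value (RFC 4226)."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """TOTP is HOTP over the number of `step`-second periods since the epoch."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check: accept a code within +/- `window` steps, never twice."""

    def __init__(self, secret, step=30, window=1, digits=6):
        self.secret, self.step, self.window, self.digits = secret, step, window, digits
        self.last_counter = -1       # highest counter already consumed (blocks replay)

    def verify(self, code, at_time=None):
        at_time = time.time() if at_time is None else at_time
        counter = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:             # already used, or older
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):         # constant-time comparison
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    print("current code for the sample secret:", totp(SAMPLE_SECRET))
```

The point a practitioner should take from the verifier is that the one-time code alone is not what defeats a stolen password: the drift window must stay small, the consumed counter must be remembered, and the comparison must not leak timing, otherwise the second factor is weaker than it looks on paper.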

5. Eradicate clear-text traffic

Cybercriminals know that businesses send sensitive data over private networks in the clear. Security can be tightened by implementing SSL certificates for Web-based transactions, using email encryption or using end-to-end encryption for transaction processing systems.

6. Virtually patch web applications until fixed

Both internal and external Web applications should be tested on a continuous basis using both manual and automated means to identify security issues. Vulnerabilities can then receive a virtual patch until a full patch can be developed.

You can do this by implementing a Web application firewall (WAF) and applying a virtual patch to protect applications based upon the result of the security testing. The development teams can then create a fix for the vulnerability. Once it has been validated, the virtual patch can be safely removed from the WAF.
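What a "virtual patch" actually is tends to get lost behind the WAF product name, so here is an added example (not from the article, SpiderLabs or any WAF vendor) of the idea in about fifty lines: a WSGI middleware that sits in front of an unchanged application and rejects requests whose parameters violate an allow-list rule written from the finding of a security test. The rule format, the endpoints, the patterns and the stand-in application are all constructed. Removing the virtual patch once the developers' fix is validated means deleting the rule, nothing more.

```python
"""A minimal virtual patch in front of a web application (WSGI middleware).

Added example, not from the article, SpiderLabs or any WAF product. The rule
format, the endpoints and the patterns are constructed for illustration.
"""
import re
from urllib.parse import parse_qs

# Constructed virtual-patch rules. Each names the endpoint, the request
# parameter that testing showed to be mishandled, and the pattern the value
# MUST match to pass. Allow-list rules are preferred to attack signatures:
# they enforce what the parameter should look like instead of guessing at
# every way it could be abused.
VIRTUAL_PATCHES = [
    {"id": "VP-0001", "path": "/account", "param": "id",
     "allow": re.compile(r"\d{1,10}"),
     "note": "account id must be numeric until the lookup code is fixed"},
    {"id": "VP-0002", "path": "/search", "param": "q",
     "allow": re.compile(r"[\w .\-]{0,64}"),
     "note": "search term limited to plain words until output encoding is fixed"},
]


def first_violation(path, params, rules=VIRTUAL_PATCHES):
    """Return the id of the first rule the request violates, else None."""
    for rule in rules:
        if path != rule["path"]:
            continue
        for value in params.get(rule["param"], []):
            if not rule["allow"].fullmatch(value):
                return rule["id"]
    return None


class VirtualPatchMiddleware:
    """Rejects requests that violate a rule; everything else reaches the app."""

    def __init__(self, app, rules=VIRTUAL_PATCHES):
        self.app = app
        self.rules = rules
        self.blocked = []     # (rule id, path) of each rejected request, for the SIEM

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        rule_id = first_violation(path, params, self.rules)
        if rule_id is not None:
            self.blocked.append((rule_id, path))
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"request rejected by virtual patch " + rule_id.encode()]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the application that still carries the real defect."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def send(app, path, query):
    """Drive a WSGI app without a server; returns (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    app = VirtualPatchMiddleware(demo_app)
    for path, query in [("/account", "id=42"), ("/account", "id=abc"),
                        ("/search", "q=invoices+2011")]:
        print(path, query, "->", send(app, path, query)[0])
```

Two caveats a deployment has to respect: the rule only covers the parameter and path that were tested (the same defect reachable through another route is not patched), and every rejection should be logged where the security team can see it, both to spot probing and to confirm the rule is not blocking legitimate traffic before the real fix ships.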

7. Empower incident response teams

An organization’s internal incident response team should be investigating anomalies. If there is no incident response team, consider creating and maintaining one.

The incident response team should have access to the security team’s notifications or information stored within log aggregation or analysis systems, such as a security information and event management (SIEM) system. Empower the team to investigate even the most obscure issues. While investigating various data breaches, SpiderLabs often learned there were minor signs of criminal activity identified by the organization’s internal staff several months before the external experts were called in, but no one investigated. Security teams are often told to wait for the next large breach or HR-issued directive to take action, rather than seeking out signs of initial attack activity.

8. Enforce security upon third-party relationships

Third-party vendors and their products introduce vulnerabilities, mostly as a result of default, vendor-supplied credentials and insecure remote access implementations.

Organizations need to be aware of what regulations or industry requirements apply to them, and what is required of their third-party vendors, so that they can tell whether those vendors are compliant. For large strategic partnerships, organizations should require their partners to undergo third-party security testing on a regular basis, with the results shared with the security team. In addition to functional testing, organizations should strive to include non-functional security requirements for implementation, maintenance and support services in their agreements with vendors.

9. Implement network access control

Most internal network environments tested by SpiderLabs had a weak security posture. Externally, attackers can only utilize OSI Layer 3 and above to perform their attacks. On the internal network, they can start at OSI Layer 2. This means that an attack, such as man-in-the-middle, is not only effective, but easily performed in most corporate environments.

A network access control solution combined with a segmentation strategy can help the internal network be just as resilient against attack as the externally protected perimeter.

10. Analyze all events

Network devices, servers, workstations and applications can all generate events. We often don’t let them because the “noise” they create can overwhelm the security staff. However, these events frequently serve as an early indicator of the origins of an actual attack.

Implement a security information and event management (SIEM) system to help turn noise into action by applying policy and workflows to environment events.
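Items 7 and 10 describe the same gap from two sides: the early signs were in the logs, but nobody was looking, and nobody was empowered to act. The following added example (not from the article or from SpiderLabs) shows the kind of policy a SIEM applies to turn raw events into something an incident response team is expected to investigate. It parses a constructed set of authentication events from three systems and applies two rules: a burst of failed logins from one source followed by a success, and any successful login by a vendor default account (tying back to the default-credential finding earlier in the article). The log format, hostnames, users, addresses, thresholds and the default-account list are all constructed; a real SIEM normalizes vendor-specific formats into the same fields before rules like these run.

```python
"""Two small correlation rules over authentication events, SIEM-style.

Added example, not from the article or from SpiderLabs. The log format, the
hostnames, users, addresses and thresholds are all constructed; a real SIEM
would normalize vendor-specific formats into the same (time, host, outcome,
user, src) fields before applying rules like these.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events from three systems, already in one format.
LOG_LINES = """\
2011-02-03T08:00:01 vpn01 auth: FAIL user=jsmith src=203.0.113.9
2011-02-03T08:00:04 vpn01 auth: FAIL user=jsmith src=203.0.113.9
2011-02-03T08:00:07 vpn01 auth: FAIL user=jsmith src=203.0.113.9
2011-02-03T08:00:09 vpn01 auth: FAIL user=jsmith src=203.0.113.9
2011-02-03T08:00:12 vpn01 auth: FAIL user=jsmith src=203.0.113.9
2011-02-03T08:00:15 vpn01 auth: OK user=jsmith src=203.0.113.9
2011-02-03T08:05:00 pos-gw auth: OK user=admin src=198.51.100.23
2011-02-03T09:10:00 fileserv auth: FAIL user=bob src=10.0.0.5
2011-02-03T09:30:00 fileserv auth: OK user=bob src=10.0.0.5
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<outcome>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed list of vendor default accounts that should never log in interactively.
DEFAULT_ACCOUNTS = {"admin", "root", "manager"}

FAIL_THRESHOLD = 5                  # failures from one (user, src) pair ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window, before a success


def parse_event(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def correlate(lines, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Apply both rules in event order and return the alerts raised."""
    alerts = []
    recent_fails = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        fails = recent_fails[(ev["user"], ev["src"])]
        while fails and ev["ts"] - fails[0] > window:    # expire failures outside the window
            fails.popleft()
        if ev["outcome"] == "FAIL":
            fails.append(ev["ts"])
            continue
        # Rule 1: a success right after a burst of failures from the same source.
        if len(fails) >= threshold:
            alerts.append({"rule": "brute-force-then-success", "host": ev["host"],
                           "user": ev["user"], "src": ev["src"],
                           "failures": len(fails), "ts": ev["ts"]})
            fails.clear()
        # Rule 2: any successful login by a vendor default account.
        if ev["user"] in DEFAULT_ACCOUNTS:
            alerts.append({"rule": "default-account-login", "host": ev["host"],
                           "user": ev["user"], "src": ev["src"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOG_LINES.splitlines()):
        print(alert["ts"], alert["rule"], alert["host"], alert["user"], alert["src"])
```

On the constructed data the rules raise two alerts and stay silent on the single failed attempt by bob, which is the balance the article is asking for: enough policy to keep the noise out of the queue, with every alert that does fire routed to a team that is expected to chase it down rather than wait for the next large breach.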

11. Implement an organization-wide security awareness program

Security awareness training may not stop an insider with malicious intent, but it can mean earlier detection and notification of a potential incident. Even an entry-level employee may notice something amiss if trained to be more security aware. Such security awareness training for employees can be especially effective in combating the risks posed by social engineering.

Organizations should look to implement a security awareness training program and make it mandatory for every employee, regardless of title or function. This training should be repeated at least annually and made part of all new-hire orientation.

For more information about the Trustwave Global Security Report of 2011 and the SpiderLabs’ recommendations on how to improve your organization’s security posture, read the report at https://www.trustwave.com/GSR.

Linda Musthaler is a Principal Analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.

About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.


Copyright © 2011 IDG Communications, Inc.