SpiderLabs, the advanced security team within the consulting firm Trustwave, has just released its Global Security Report of 2010. The report is based on 200 forensic analyses and 1900 penetration tests conducted by in the past year. Nicholas Percoco of SpiderLabs shares his top 10 security initiatives that every organization should undertake in order to reduce the risk of a costly security breach.
Where computer security is involved, it's always good to understand the kinds of breaches that companies have suffered and what the actual or suspected vulnerabilities were that allowed the breaches to occur. It is in this spirit that the members of SpiderLabs, the advanced security team within Trustwave, have published their Global Security Report of 2010. The report is based on more than 200 forensic studies and almost 1,900 penetration tests conducted by SpiderLabs in 2009.
For the most part, SpiderLabs' report is fairly consistent with security breach reports published by other security consultants and investigative agencies. By this I mean that thieves tend to target high-value information such as credit card data, Social Security numbers and other information that can easily be sold in the underground economy. In SpiderLabs' investigations, point-of-sale software systems were the most frequently breached systems.
Another consistency with other security reports is the fact that many breaches can be traced to known vulnerabilities that had been left unpatched. This further emphasizes the importance of a consistent patch strategy within your organization.
I recently talked with Nicholas Percoco, senior vice president of SpiderLabs, to get his recommendations of strategic initiatives for every organization. If you follow Percoco's top 10 recommendations, you should vastly improve your company's risk of a security breach.
1. Perform and maintain a complete asset inventory, and decommission old systems. Knowing precisely what you have is the first step to securing it. Percoco says his team's investigations frequently find devices that the customer organization doesn't even know about. In addition, the investigations often turn up old systems that have a planned decommission date. The customers often aren't concerned about keeping such systems up to date with patches because they are due to be taken off-line soon. Percoco says that in 75% of the cases, those systems slated for decommissioning are still in use a year later --unpatched and more vulnerable than ever.
2. Monitor your third-party relationships. In 81% of the cases the SpiderLabs team investigated, third-party vendors and their products were responsible for introducing vulnerabilities, mostly stemming from insecure remote access implementations and default, vendor-supplied credentials. Percoco advises that you discuss your security policies with your vendors and ensure they adhere to them.
3. Segment your network into as many zones as feasibly possible. If you've got a completely flat network, and one device on that network can see or talk to any other device, you've got a problem. A hacker gaining entry to this network has easy access to everything. Percoco tells a story about using a network connection in a hotel conference room. From there he was able to see the hotel's reservations system. Uh oh.
4. Rethink your wireless implementation. Wireless security is a fast-moving target that companies often struggle to keep up with. Percoco recommends you never place wireless access points within your corporate core network; rather, place them outside your network and treat them like any other remote access medium. Your perimeter security should help keep unwanted visitors out.
5. Encrypt your sensitive data. In their investigations, the SpiderLabs team has found clear-text sensitive data quite easily. Best practices dictate that you should understand where data is located, purge what isn't needed and encrypt the rest, including data in transit.
6. Investigate anomalies -- they could be warning signs. Excessive login attempts, server crashes, "noise" from a device: All of these could be signs that someone is doing something unusual and unwanted on your network. At the very least, investigate the anomaly with a suspicious eye as soon as you detect it. Doing so might prevent or limit the damage from a breach.
7. Lock down user access. Most employees do not need the high level of access that they are given. Having too many privileges allows them to do harmful things, either inadvertently or intentionally. Perform an analysis of role and access privileges and lock down as much as you can.
8. Use multifactor authentication everywhere possible. Percoco says we're too dependent on simply using passwords for authentication. This isn't good enough anymore. He recommends you deploy multifactor authentication where possible. There are lots of new techniques and technologies to choose from.
9. Implement and follow a formal Software Development Life Cycle (SDLC). SpiderLabs' experience with penetration testing has shown that many organizations don't provide enough checks and balances in their software development process. A comprehensive SDLC process is vitally important in the development of secure applications.
10. Don't forget to educate everyone. IT security is everyone's responsibility. Percoco says organizations need to implement a mandatory security awareness training program that every employee must attend annually.
For more information about the Trustwave Global Security Report of 2010 and the SpiderLabs recommendations on how to improve your organization's security posture, read the report here.