So, like many, it is that time of year to look back on the year’s events and reflect on them, while looking forward to the coming new year.
What is interesting in our industry is that this is the time of year when everyone publishes their “Top 5, 10, 15, 20” lists of the security events, gadgets and moments of the year in blogs and news articles.
For your enjoyment, I’ll link you to a few of the more enjoyable reads (IMO) so far:
- Five Significant Insider Attacks of 2012
- Top 10 Government Data Breaches of 2012
- The Worst Data Breach Incidents of 2012
The interesting takeaway from each of these articles, and from the events themselves, is that little has changed. Depending on your data source, be it the Trustwave or the Verizon annual report, Hacking Attempts and Malware continue to slug it out for the number 1 spot as the most exploited attack technique, while Social Engineering and Physical Security come in at numbers three and four respectively.
As we discuss in our presentation “Security that Works, Even on a Budget,” regardless of platform – Desktop/Server/Application/Mobile device, etc. – the same four groupings of attacks are adapted to go after the technology du jour, but the underlying issues have been the same for many years now. It’s been 12 years for application vulnerabilities and 15-20 years for network vulnerabilities, and since the beginning of time for password, social engineering, and physical security vulnerabilities.
So with this in mind, what will 2013 look like?
The answer is simply – more of the same.
Again, the techniques for exploitation will change a bit but the attack classes will stay the same.
As an example, I love the Trustwave report on the most common passwords in use. I’m a huge fan of OCLHashcat and love playing with GPU clusters, but to be honest it is pretty rare that we need to crack passwords anymore when doing pentests. We simply use “pass the hash” techniques or tools like mimikatz, which dump passwords from memory to a file in clear text. For those old enough to remember, this is like the old LSA Secrets attack on Windows NT4 and 2000. Yep, just like fashion, what was once old is new again.
Is this doom and gloom? No, just a statement of opinion based on 20+ years of experience. As we pointed out in our various articles on our blog this year, there are many ways to provide solutions for each of these attack classes. Don’t have time to go back and read all of them (yeah, we are verbose)? Well, let me highlight them for you:
Malware – Make sure your patch management solution can handle the operating systems as well as the most targeted third-party applications, namely browsers, Java and anything Adobe makes (mainly Flash and Reader). And again, we need to stop using elevated or administrative permissions for our day-to-day accounts on our various devices (workstations, servers, mobile devices, etc.).
Hacking Attempts – Applications – Modernize your code bases whenever possible; you’d be amazed how hard it is to make mistakes now with the latest generation of .NET and Java frameworks and their security plugins and libraries. Regardless, test them all for security issues before they go into production. This could be dynamic or static testing, but do yourself the favor and test them regardless of vendor claims.
Hacking Attempts – Everything else – Patch and configuration management are key here. Find solutions that let you do both so you can combine the efforts. Test on a repeated cycle so that you find issues and remediate them before someone else does.
Social Engineering and Physical Security – Training, training, and more training. Humans learn through repetition, not through once- or twice-a-year events. Establish a security awareness program that reinforces your messages through long-term testing; this will help you identify your weaknesses in user awareness and let you find solutions, be it technical controls or more training, to mitigate your issues.
Security management is achievable, even at the largest of scales, with a bit of understanding of how attacks are carried out and a common-sense approach to the problems.
So with that I wish all of you great success in the new year.