2010 Security Predictions

Download Paper (Webtorials registration required.)

According to Corey Nachreiner, WatchGuard Senior Security Analyst, CISSP, "At the start of each new year, the WatchGuard LiveSecurity team releases its annual list of Security Predictions, because we know having an idea of what type of threats you can expect in the coming year helps you plan your defenses accordingly. And frankly, it's also kind of fun for us to gaze into an imaginary crystal ball and try to predict the future. This is how I see it."



This paper addresses a view of the "Top Ten" security threats for 2010, and they are excellent. In addition to being technically accurate, it's a fun read.

I especially like the attention paid to social networks and mobile devices. I see this as a major issue that all networking professionals will have to address - and soon.

So here's a first question for Corey. I totally agree that mobile devices are here to stay, whether integrated into a phone or in a device as simple as an iPod Touch.

Since these devices have the capability for full web browsing and for email, what do you recommend as a set of first steps for ensuring network security, especially since they seem to have no obvious inherent security?

(Btw, I don't think that banning them from the network is a reasonable approach. They're here to stay.)

Great question, Steve. To start, I agree banning smart phones is an unreasonable approach. They are way too valuable a business tool to just ban them.

Since smart phones are essentially mini-computers, they can benefit from many of the same types of security practices and technologies we use on our desktops and laptops. Here are a few:

• Smart phones can benefit from firewall and anti-virus/malware software. There are already vendors selling mobile security solutions that package smart phone versions of these traditional security controls. That said, smart phones are much more resource constrained than typical computers. You need to be careful how much you run on them at once.

• Mobile Device Management solutions (http://en.wikipedia.org/wiki/Mobile_device_management) can help. Some vendors are selling solutions that allow you to manage all of your mobile devices from one centrally managed interface. These solutions install a small agent on the smart phone, which then allows you to do things like restrict what applications a mobile device runs, backup and restore the device, wipe it remotely if it ever gets stolen, etc. One of the biggest dangers posed by smart phones is all the sensitive data we keep on them. Being able to remotely delete that data is a great benefit.

• Mobile VPN clients can secure sensitive communication from your smart phone. We often use our smart phones to connect with our Head Office and pass data, usually via email. Depending on your smart phone, these communications aren’t always secured or encrypted. This is where a VPN client can help. For instance, WatchGuard’s IPSec VPN client supports some smart phones. You can even install a version of this client that includes a mobile firewall. With this VPN client, you can encrypt any communication between your smart phone and your head office. In fact, you could even configure your phone to forward ALL its data traffic through the VPN tunnel. This means that all your smart phone’s traffic would go through your HQ’s perimeter security defenses. So if you had a WatchGuard UTM appliance with all the security services, your smart phone would get the same protection as your local users (since you force your traffic through the tunnel).

There are also more basic things you can do. For instance, make sure to set a password (a strong password) on your mobile and configure it to lock the phone after a few minutes. Some smart phones also have an option to wipe their data after too many incorrect login attempts. I recommend you enable this feature if you have it.

Finally, don’t forget to simply practice the same types of safe internet surfing habits you perform today. Avoid unexpected email attachments. If you receive strange SMS or MMS messages that contain links, don’t follow them. Etc…

As the smart phone threats continue to evolve, I think our defenses will too, but for now, the steps above should help.

By the way, for my colleagues who are similarly not familiar with gaming terminology, here's what "pwned" means. :-)

You mention DLP (Data Loss Prevention) "solutions." Can you elaborate on exactly what DLP solutions are?

That's a somewhat difficult question to answer, since there really is no really good industry standard definition of what DLP is (IMHO)... but I'll give you my two cents.

As you know, DLP stands for either Data Loss Prevention, or Data Leakage Prevention. Those two terms sound similar, but have slightly different meanings.

In general, Data Loss Prevention is the practice of identifying and tracking your sensitive data; making sure that only those that are authorized to handle that data can access it; and making sure your sensitive data doesn't leak outside those authorized users.

Nowadays, however, many different vendors use the term DLP to describe various technical solutions that try to provide different aspects of the practices I mentioned above. The problem is, there are many different aspects of DLP, including:

* finding your sensitive data
* controlling who has authorization to handle it
* auditing when people audit or change it
* tracking the data at rest, in use, and in motion.
* etc...

I've personally never met a DLP solution that does all of that on its own, so whenever someone says they have a DLP solution, it's sometimes hard to understand what that really is.

However, the second term I mentioned -- Data Leakage Protection -- tends to have a more specific definition, so it's easier to understand. Data Leakage Protection is monitoring and preventing sensitive data from leaving your perimeter. In this case, DLP solutions are only worried about your data passing some sort of perimeter gateway device, usually via email, web 2.0 applications (like HTML email), and IM. So Data Leakage Protection is primarily about data in motion.

I do think the definition of DLP, and the many different technological controls that are starting to come out to help us keep track of our data, will evolve quickly in the coming years. Since so many bad guys are clearly stealing our data, we will spend more time protecting it directly, rather than just protecting the "containers" that hold our data.
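As an added example (not from the paper or from the comment thread), here is a minimal data-in-motion check of the kind described above for Data Leakage Protection: outbound messages on the email, web and IM channels are scanned for payment-card numbers (validated with the Luhn checksum to cut false positives), US SSN patterns and a confidentiality marker, and each message gets an allow/quarantine/block verdict plus an audit record. The channel policy, the patterns and the sample messages are all constructed assumptions.

```python
import re
from typing import List, Tuple

# Candidate card numbers: 13-16 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")  # assumed document-classification tags


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[str]:
    """Return the kinds of sensitive content found in one outbound message."""
    findings = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append("pan")
    findings.extend("ssn" for _ in SSN_RE.finditer(text))
    findings.extend("marker" for mk in MARKERS if mk in text.upper())
    return findings


def inspect_outbound(channel: str, text: str) -> Tuple[str, List[str]]:
    """Gateway verdict for one message (assumed policy): card numbers and SSNs are
    blocked on every channel; marked-internal text is held for review on email
    and blocked on web/IM, where there is no approval workflow."""
    findings = find_sensitive(text)
    if not findings:
        return "allow", findings
    if "pan" in findings or "ssn" in findings:
        return "block", findings
    return ("quarantine" if channel == "email" else "block"), findings


# Constructed sample traffic: (channel, message body).
SAMPLE_MESSAGES = [
    ("email", "Invoice attached, PO number 1234 5678 9012 3456"),  # fails Luhn
    ("im", "can you charge card 4111 1111 1111 1111 for me"),       # valid Luhn
    ("web", "CONFIDENTIAL roadmap pasted into a forum post"),
    ("email", "CONFIDENTIAL: Q1 numbers for the board"),
]


def run_gateway(messages=SAMPLE_MESSAGES) -> List[Tuple[str, str, List[str]]]:
    """Audit trail: (channel, verdict, findings) per message, as a DLP log would keep."""
    return [(ch, *inspect_outbound(ch, body)) for ch, body in messages]
```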

Your comment on Search Engine Optimization (SEO) "poisoning" is a coming trend. Can you say a little more about this, and, in particular, how can I tell "bad" search results from "good" ones?

Never mind heavy security apps and OS weaknesses, what about the fundamental TCP Level2/3 attacks which leave wireless devices wide open to professional hackers and why is no one interested in fixing this most dangerous of threats to their underlying systems? I have a problem, which is commercially driven BTW, with the actual interest of the market in securing mobile devices. Some services claim to have "heavy" app type solutions to malware at the applications level, the McAfee/Symantec types of apps which prevent the loading of malware - mostly trojans and viruses - onto devices through mail and web downloads, and the sending of data from the device not initiated by the user, for example.

However this is not where the major risks arise. No TCP/IP device I am aware of is protected against TCP based wireless attacks using the 5 well known weaknesses of the session initiation protocol. So with all the claimed "security" mobile devices remain vulnerable to professional attacks using these weaknesses resulting in professional identity theft of the device itself and a resulting direct attack on the now compromised systems behind the device by professional criminals.

The primary vulnerability of TCP/IP based mobile devices is to attack while live to air in a public space over Wi-Fi or 3G networks, or even in a hotel room, airport lounge or at home when an individual is targeted. A live connection is not required as the device is constantly looking for a connection. As the weaknesses are well known and documented there is standard hacking software to interrogate the device and obtain the user's ID and login information before any of the higher level "security" applications can protect it - they won't know it's even happened as the attack never reached their level in the stack.

The criminal can now access the service or system behind the mobile device as a legitimate user, be it a corporate network or a consumer banking service, for example. Oops.

Our business is trying to market a small software patch which hardens the TCP stack weaknesses preventing such attacks, allows for blacklists and whitelists to be loaded as well as detecting and blocking suspect activity at this level. It can be adapted to any smart phone operating system and installed by a phone maker, network service provider or volume end user service provider - e.g. a bank. A major access security problem solved.

Yet while we have explained and demo'd this serious risk and its solution - compromising prospects' own security live - none of the large organisations who could be attacked in this way seem interested in ameliorating such professional attacks.

Any idea why? Are we missing something? Hope this is not considered commercial; it's certainly relevant to this thread re mobile security.

Brian Catt

