The document summarizes the top 10 security risks for 2011 as identified by Redspin Security Team. It discusses each risk in 1-2 paragraphs addressing the risk and providing recommendations. The key risks addressed include: mobile devices in the enterprise, social media information disclosure, virtualization sprawl, third-party mobile applications, vendor management, SQL injection, risk management, wireless networks, inadequate testing programs, and lack of a mobile device security policy. For each issue, it identifies the risks and provides clear and actionable recommendations for organizations to mitigate the risks.

1. Security Seminar
Top Security Risks for 2011
(Revised with notes and extended bullets for
online viewing).
January 7, 2011 - Redspin Security Team

2. Issue 1:
Mobile Devices in the Enterprise
The transition from control at the perimeter to data and/or
application-based control has arrived and should be reflected in
your Information Security Program. Start by assuming sensitive
information will be accessed, wired and wirelessly, from all
possible devices - desktops, laptops, iPads, Droids. By relying
less on control of the end device you can focus more on
controlling the data. Ensure only those people who need access
are granted access. Understand where the data must be stored
to support business processes and update your information
security policies to include mobile devices.

3. ● Risk
– Assume sensitive data will be accessed from iPads,
iPhones, Droids, tablets, laptops, thumb drives, ...
– Managing security risk has moved from the perimeter
to the core: applications and data
– Less control of end-user devices
● Recommendation
– There is no single point solution (i.e. DLP)
– Need-to-know access to app/data
– Mobile Device Policy
– Training, training, training
– RDP access can limit remote data storage, MAC scan
Mobile Devices in Enterprise

4. Issue 2:
Social Media Information Disclosure
While social media is relatively new, the threat posed by casual
disclosure of many individual bits of non-sensitive information is
not. Called “Operations Security” in the federal government, the
reality is that in some cases, when aggregated, disparate pieces
of related information taken as a whole can in fact be
confidential information.
The prevalence of social media in the workplace (both
authorized and unauthorized) makes this a credible threat to the
typical enterprise. Ensure that your policies clearly state what
can and cannot be communicated through social media and
train your employees appropriately.

5. ● Risk
– Casual disclosure of small bits of information can add
to sensitive data disclosure
– Called 'Operations Security' in federal government
– Prevalence of social media (both authorized and
unauthorized) makes this a credible threat
– Example: post to twitter about new hire, LinkedIn says
new hire has forensic analysis experience, post to
security message board “malware question”
● Recommendation
– Policies: clearly state what can and cannot be
communicated via social media
– Train employees about risk and appropriate use
Social Media Information Disclosure

6. Issue 3:
Virtualization Sprawl
Eliminating hardware reduces IT costs and, on the surface,
reduces complexity. However, those underlying systems still
exist and are simply partially or totally decoupled from the
hardware. In many cases, those systems are rapidly replicating
as well, increasing the complexity to manage and keep secure.
Document procedures thoroughly and define functional
responsibilities to make certain that only systems that are
needed are in use and the risk to a continually-changing
environment can be managed.

7. ● Risk
– Breaks security model: separation of duties
– Easy replication means
● Many potential configurations
● Sensitive data lying around
● Complexity
● Recommendation
– Document well-defined process for managing
instances
– Ensure only needed instances are in use
Virtualization Sprawl

8. Issue 4:
rd
3 -Party Mobile Applications
Vulnerability management programs have had it easy until now.
Along with the onslaught of portable and personal media has
come a set of third-party applications that were likely developed
quickly and without adhering to a secure SDLC (software
development life cycle) program. Many patching solutions now
support third-party applications; however, mobile devices are
less supported and rely more on user interaction for updating.
Start by identifying necessary applications and removing
everything else. For those applications on the list, determine the
most efficient way to patch each one after critical security
updates are released.

9. ● Risk
– Mobile applications are immature and not likely to
follow Secure SDLC process
– 3rd – party application can be difficult to patch on
workstations → mobile device enterprise
management systems are even less evolved, require
more user interaction to update
– Infected mobile device attaching to internal network
could compromise internal systems & data
● Recommendation
– Identify necessary apps, remove other apps if possible
– Implement process to monitor app critical updates and
upgrade vulnerable apps
rd
3 – Party Mobile Applications

10. Issue 5:
Vendor Management
With the emergence of cloud computing, vendor management is
even more of an issue than in the past. Previously, only parts of
enterprise IT were outsourced. Today, an entire business can be
hosted in the cloud and one mistake by a vendor could destroy
your company. How are you mitigating this risk? As with any
outsourced vendor, ensure that the necessary safeguards are
defined in your contracts, make sure your vendor has their
systems tested annually and provides you with the results.

11. ● Risk
– Vendors are less secure than you think. Big does not
mean secure. Yet they hold so much of your sensitive
data
– Emergence of cloud computing means data supply
chain has vastly grown
– Saying “oops it was the vendor” is no longer a valid
reason for unauthorized disclosure of your data
● Recommendation
– Ensure effective security controls and risk management
is defined in contracts
– Verify that your vendor is actually testing their security
controls by objective 3rd-partty, and disclosing results
Vendor Management

12. Issue 6:
SQL Injection
An old standard, and still as prevalent as ever. New applications,
old databases. Continue to integrate security into the
development cycle and test after all code updates to ensure you
identify SQL injection vulnerabilities before an attacker does.

13. ● Risk
– Very common risk
– Can result in compromise of entire database of
sensitive data (and your entire network!)
● Recommendation
– Periodically test web applications to ensure they are
secure
– Integrate Secure SDLC (software development
lifecycle) into development process, where security is
designed into application and tested throughout.
– Ensure proper input filtering of user data
– Never trust user supplied input
SQL Injection

14. Issue 7:
Risk Management
Technology continues to evolve, so why shouldn't the risks and
management strategies? How is your management team
adjusting to new threats that surface on a daily basis? By
enforcing 5-minute screen saver timeouts for back-office
systems? Or enforcing 30-day password expiration for users that
do not have access to sensitive information? Companies are
increasingly spending more resources on trivial controls that
reduce minimal risks. The solution? Get management support of
an accepted framework to prioritize control implementation by
risk, not by hype.

15. ● Risk
– IT resources (time, budget, technical capabilities) are
limited
– Typically more risk exists than can be mitigated
– If you don't focus on the most important things, then
critical risk may be left unaddressed
● Recommendation
– Executive management needs to support a systematic
approach to risk management by supporting an
information security program based on an accepted
framework
– Always prioritize risk. (focus, focus, focus)
Risk Management

16. Issue 8:
Wireless
In the past, it was easy to mitigate wireless risks by separating
critical business functions from wireless technologies. That time
has ended. Wireless is now pervasive in all industries, business
units, and technologies, and has moved from business
convenience to business enablement. Consistent with the theme
of dissolving the perimeter, do companies really understand that
the increased flexibility and accessibility provided to legitimate
users also increases the accessibility to malicious users? Wireless
can be introduced into your environment securely, but consistent
implementation at all control levels – management, operational,
and technical – is necessary to protect your sensitive information
and critical infrastructure.

17. ● Risk
– Wireless signal bleed increases area in which an
attacker can “physically” access your network
– Wireless protocols are often found to be insecure
– Wireless is more frequently utilized for core network
functions – separating core business functions from
wireless systems via network segregation is not
always practical
● Recommendation
– Secure protocols should be used, of course, but also
layers of security: emphasis on password policies,
mobile device security, encryption, training, etc.
Wireless

18. Issue 9:
Inadequate Testing Programs
As systems become more complex, so must the control
environment to protect those systems. Start asking yourself
some probing questions. Are we sure each control is working as
designed? Do we have multiple layers of controls in case one fails?
However, do we have similar layers in our testing program? Do we
rely solely on an annual penetration test? How could more frequent
vulnerability scanning and scheduled controls-testing work together
with focused penetration testing to form a comprehensive testing
program that provides optimum assurance? Critical assets and the
controls to protect them must be understood and well-documented.
Only then can a testing program can be developed to ensure each
control is working as expected.

19. ● Risk
– Security controls are not working as intended
● Recommendation
– Ask these questions:
● Is each control working like we think it is?
● Do we have layers of controls in case one fails?
● Do we really think we are secure because we
have a ________ installed?
● Have we actually done an objective test of our
critical controls?
Inadequate Testing Programs

20. Issue 10:
Lack of Mobile Device Security Policy
Controlling enterprise-deployed mobile devices is hard enough
without also dealing with increasing numbers of personal
devices connecting to the network. A recent smartphone
management survey found that “of the 60% of employees that
are becoming smartphone equipped, up to 80% may be
employee owned." Whether company-owned or employee-
owned, if a smart phone or personal computing device can
access or store enterprise data, users must follow internal
policies and procedures. So, be sure to update your policies to
address your employee’s use of these personal devices.

21. ● Risk
– Mobile devices such as iPads, iPhones, and Android
devices are becoming ubiquitous
– They host functional apps with extensive network
access, data storage and systems access
– They are often employee owned/controlled
● Recommendation
– Create a mobile device security policy to address:
confidentiality, integrity and availability of mobile
device usage
– Policy should address: access control, authentication,
encryption, incident response, training/awareness
and vulnerability management
Lack of Mobile Device Security Policy

22. Resources:
- Penetration Testing
- Downloadable mobile security policy template
- Key to a successful information security program

23. { Thanks! }