Tuesday, December 30, 2008

Unleash the hounds!

Most security people are concerned with their current firewall or SSL-VPN, but some are already thinking about the future. We all know that the current line of security products is very secure, and we already have solutions for most current threats, but it's a cat-and-mouse game. We put up firewalls, and the hackers turn their attention to our dial-up banks. We implement call-back, and they go after the VPN cluster. We get digital certificates and they start targeting our endpoints with Trojans. This is never going to end, of course, but the question is...what's next?

As long as there are money and computers in the world, there will be cyber criminals looking for ways to get them. The question of what threats and exploits are on the horizon is being asked not only by security professionals, but also by software development companies. The first company to predict the next threat will possibly be the first to develop a solution for it, and capitalize on it when everybody rushes to buy it. So, how do you find the winning horse?

The major shift in the security industry lately was from network security to endpoint security. As security products for the network and the backbone have matured, attackers turned to exploiting the weaknesses of human nature. Trojans and spyware became a global phenomenon, opening a channel for direct access to the corporate network through any desktop. Security companies quickly developed a slew of solutions - anti-spyware scanners, endpoint lockdown mechanisms and Network Access Control systems. By now, most companies have implemented at least some of these, but there are more threats on the horizon.

Criminals are drawn to where the money is, and in the technology world, the money is where the DATA is. While the data in your servers and workstations is probably protected well enough, there are still some sources of data that are less protected. The first threat, as I see it, is mobile devices. Pretty much every phone in the world today can do everything a computer can - it can hold contacts, schedules, email and files, and often quite a lot of those. Usually, money can't be stolen directly off your phone, but the personal data can be easily used for identity theft, which can be used to hack the corporate network of your company. Imagine the phone of a company's IT manager being stolen...a list of vendors the company works with can be easily compiled, orders of hardware can be diverted, and passwords can be socially-engineered. If an attacker knows when your IT manager is on vacation or in long meetings, these timetables can be used to coordinate a focused attack. All this is not new, and security solutions for phones are already quite advanced. Some solutions encrypt the phone's internal memory, so it can't be accessed without a password. Other solutions lock out the phone or format it when given a remote command through the carrier's network. There are, of course, quite a few anti-malware products as well. One thing no one offers yet is a way to prevent the phone from being lost. Cabs, airports, coffee shops - all are prime locations for forgetting your phone, and most are never recovered. Technologies such as RFID can be used to prevent this sort of loss, but they still don't have significant adoption.

Another abundant data mine is home networks. Securing a wireless home network isn't hard, but many people are still afraid to mess around with their router's settings and just leave it open. Some people are concerned about sharing their bandwidth with drive-by users, but the real danger is that an unwanted guest might have unlimited access to your computers. Even if you set up a password on your computer, an attacker has all the time in the world to brute-force it, and it's likely that the average user won't check his event log and notice the failed attempts. Securing the home network is not that hard, really, but apparently, most people don't bother. Very few companies enforce a policy to prevent or control how their employees connect the company laptop to the home network, not to mention storing business files on the home PC. An ideal solution would be for the company to give its employees desktops, which would allow the company full control over what goes on inside them.

Buy every employee a PC, on the company dime? Am I crazy? Well, it will cost a pretty penny, but consider the costs for a minute. This could amount to several hundred dollars per year per employee, but would still be only a negligible part of the cost of an employee to the company. If it would prevent even a single attack, it could be well worth it. I'm not very optimistic that many companies will adopt this idea, but what should definitely happen is an improvement to home network security and cellular phone technologies. Instead of confusing dialog boxes about TKIP, AES, WEP, WPA and hex keys, a home router should be secure by default, and easy to configure. For example, a router could be pre-set to generate a random password and display it on a small LCD. The user will be asked to type it into his machines when connecting for the first time. Same goes for phones. Phones today are like Windows 3.11. You have to really try to set a lock on one. I think that setting a strong password should be the default action when getting the phone from the carrier, and only users who really want to and have the know-how should be able to bypass it. No doubt it will be annoying to many, but so is locking your home every time you leave...and yet we are all OK with that! Currently, all router producers focus on performance and price, and I've yet to see even one that boasts better security. Same for phones - it's all about the music and easy texting, but not a single device that is safer. Will we ever learn?
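
The secure-by-default router idea above, sketched as an added example (it is not from the original post or from any vendor's firmware): on first boot the device generates a random WPA2 passphrase from an alphabet without look-alike characters and formats it for a small LCD. The alphabet, the 96-bit entropy target and all function names are assumptions made for illustration.

```python
import math
import secrets

# Constructed alphabet: look-alike characters (0/O/o, 1/l/I) are left out so
# the value can be read off a small LCD and typed without mistakes.
LCD_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"

# WPA/WPA2-PSK passphrases must be 8 to 63 printable ASCII characters.
WPA_PSK_MIN, WPA_PSK_MAX = 8, 63


def entropy_bits(length, alphabet=LCD_ALPHABET):
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(len(alphabet))


def length_for_bits(target_bits, alphabet=LCD_ALPHABET):
    """Shortest passphrase length whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def generate_passphrase(target_bits=96):
    """Draw a passphrase from the OS CSPRNG, refusing out-of-range lengths."""
    length = length_for_bits(target_bits)
    if not WPA_PSK_MIN <= length <= WPA_PSK_MAX:
        raise ValueError(f"{length} characters is outside the WPA-PSK range")
    return "".join(secrets.choice(LCD_ALPHABET) for _ in range(length))


def lcd_format(passphrase, group=4):
    """Group characters for display only; the spaces are not part of the key."""
    return " ".join(passphrase[i:i + group]
                    for i in range(0, len(passphrase), group))


def first_boot_config():
    """Hypothetical factory defaults: no open network, no WEP, unique key."""
    psk = generate_passphrase()
    return {"security": "WPA2-PSK", "cipher": "AES",
            "passphrase": psk, "lcd_text": lcd_format(psk)}


if __name__ == "__main__":
    cfg = first_boot_config()
    print(cfg["lcd_text"], f"({entropy_bits(len(cfg['passphrase'])):.0f} bits)")
```

The key is generated per device at first boot rather than shared across a product line, so reading one router's LCD reveals nothing about another's.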
