SANS ISC: New Poll: Top 5 Unresolved Security Problems of 2012 - SANS Internet Storm Center SANS ISC InfoSec Forums
New Poll: Top 5 Unresolved Security Problems of 2012

Since it is a holiday week (at least here in the United States), I thought I would put up a new poll question. Unlike previous ones, this one is open-ended and comment-only. What do you think the top 5 unresolved or under-resolved security issues of 2012 are? What do you think is eating our lunch out there that we lack the tools or techniques to handle?

John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting


262 Posts
ISC Handler
Nov 20th 2012
Big problem: Getting senior management and executives to comprehend that "IT Security" is not just a matter of having a few audits done to show that they did something about it.

Senior management and executives keep harping on about how "you can't tell us anything unless you put it in our language," but they won't meet us halfway: at some level these senior people need to get up to speed on what risk management really means and what the threat environment is really like before they can make effective decisions about IT Security problems. Pretending that "the auditor didn't find any problems" is an effective IT Security strategy and that they just need to read "CIO magazine" to know all that they need to know is NOT getting enterprises to wake up and see the genuine security threats.

4 Posts
Missing egress filtering at ISPs.

42 Posts
You nailed it, JNS. After getting hit on the last three internal pen tests for many people using Summer10, Summer11 and Summer12 as passwords respectively, the head of IT and CSO actually said at the closing meeting that he did not understand how being compliant with the "industry standard" password complexity of 8 characters minimum, 1 capital, 1 lower case, 1 number and 1 special character (3 of the 4) was a risk. "If the auditors are happy, I'm happy."

That's a problem with auditors and accountants. They live in a world where if you follow all the rules, check all the boxes and fill in the forms properly you've done your job competently. They just don't get it that in our world the other side does not have to play by any rules and doing the minimum is akin to being incompetent.
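The point of the Summer10/Summer11/Summer12 finding above is that a password can satisfy the quoted "8 characters, 3 of 4 classes" rule and still be the first guess on a pen tester's wordlist. The following is an added example, not code from the post or from SANS ISC: it implements that complexity rule as written, then runs a second, pattern-based check (season plus year, or a single word followed by digits) that the complexity rule never performs. The season list, the two regular expressions and the sample passwords are assumptions constructed for the example; a real audit would add a proper dictionary and breach-list check.

```python
import re
from typing import Optional

# Assumed season list for the season+year heuristic (not from the post).
SEASON_YEAR = re.compile(
    r"^(spring|summer|autumn|fall|winter)(19|20)?\d{2}[^A-Za-z0-9]{0,2}$", re.I
)
# Assumed generic heuristic: one alphabetic word, 1-4 trailing digits, optional symbols.
WORD_DIGITS = re.compile(r"^[A-Za-z]{3,}\d{1,4}[^A-Za-z0-9]{0,2}$")


def meets_complexity(pw: str, min_len: int = 8, classes_required: int = 3) -> bool:
    """The 'industry standard' rule quoted in the thread: minimum length plus
    at least 3 of the 4 character classes (upper, lower, digit, special)."""
    if len(pw) < min_len:
        return False
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= classes_required


def predictable_pattern(pw: str) -> Optional[str]:
    """Return the name of the predictable pattern the password follows, or None.
    These are the patterns a targeted wordlist tries first, regardless of
    whether the password is 'compliant'."""
    if SEASON_YEAR.match(pw):
        return "season+year"
    if WORD_DIGITS.match(pw):
        return "word+digits"
    return None


def audit(passwords):
    """Evaluate each password against both checks and return a per-password report."""
    return [
        {
            "password": pw,
            "compliant": meets_complexity(pw),
            "pattern": predictable_pattern(pw),
        }
        for pw in passwords
    ]


def compliant_but_predictable(passwords):
    """The passwords an auditor's checklist would accept but a pen test would
    recover quickly: the gap the post is describing."""
    return [r["password"] for r in audit(passwords) if r["compliant"] and r["pattern"]]


# Constructed sample set (not real credentials) mixing the thread's examples
# with a passphrase and a random string.
SAMPLE = [
    "Summer10",
    "Summer11",
    "Summer12!",
    "Company2012",
    "correct horse battery staple",
    "g7#Lq!xP2mVw",
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
    print("compliant but predictable:", compliant_but_predictable(SAMPLE))
```

Note that the passphrase fails the complexity rule (only two character classes) while every season+year password passes it; that inversion is exactly why "the auditors are happy" is not evidence of strength.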
No he didn't. The biggest unresolved problem facing itsec folks in 2012 is that you are still hiding behind the postulate that 'management doesn't get it.' If management's not getting it, you are failing as an itsec pro to explain it.

JNS is correct that you can't tell them anything unless it's in their language, so you gotta learn that language and figure out how to talk to them. Explain the risk in terms they can understand. And you know what? One of the ways management is allowed to handle risk is to accept it, champ, and if you don't like that your management will accept the risk, you need to find yourself another line of work.

9 Posts
On the contrary, management gets it just fine; it is the security people who aren't getting it. Every person/organization makes a decision about balancing the costs and benefits of security measures versus accepting vulnerabilities. This is why we accept windows in our houses despite the vulnerability they represent. Management makes the same sort of decision when deciding on the level of security controls they will accept. Going around making condescending comments like 'management doesn't get it' isn't going to help. Maybe we could call that an unresolved security problem.

20 Posts
Anyway, my top unresolved problem is identity. We have so many ways of communicating and such a limited supply of tools to determine we are really talking to who we think we are. And most of those are broken to one degree or another.

20 Posts
I'd have to say the top unresolved problem is all of the browser add-ons such as the Adobe family of products, Java and the like. The vulnerabilities these products carry are eating our lunch.
1 Posts
Actually, a huge one which has been with us for almost 40 years is the lack of input validation, and failures to check return values from function/library calls (i.e., malloc returning NULL and no test made, etc.).

These types of software issues have been plaguing the world of software for as long as I can remember, unfortunately.

Weinberg's 2nd Law - If builders built buildings the way programmers wrote programs, then the first woodpecker to come along would destroy all of civilization :)

21 Posts
Over-reliance on 'magical black boxes' from security vendors.

48 Posts
Not sure this is resolvable (unless everyone follows Mom's advice while growing up); social engineering seems to be top of the list.

12 Posts
I agree with Eli; I do not believe management is the one failing.

I've previously done some research about a very similar question. I researched what people think is the most important thing in their security arsenal. The top words in the clouds are:

awareness (44), education (34), people (13), training (11), diligence (8), knowledge (7), intelligence (6), experience (5), monitoring (5), prevention (5)

1 Posts
(Border Gateway Protocol routing information vulnerability)
And this:
(Programs dependent on Java, although I'm really talking about programs dependent on specific versions of Java which cannot be updated without invalidating your support arrangements. This is also true for some Adobe products, and presumably many others...)
1 Posts
BYOD. And the lack of consistent policies to treat it.

3 Posts
Java++; I hate this thing... not to mention the many security issues it has, but so many programs that are "mission critical" require specific versions of it. So we can't patch this thing properly. Flash and Reader have gotten better... time for Oracle and Java developers to get some religion.

29 Posts
Interesting view from India ('Business Standard' online edition):

6 Posts
#1: The domain name system must have better management/behavioral rules to be enforced. As long as just about anyone can become a registrar and then allow names like to be registered on the fly with false credentials to be used for malware, and then have no responsibility to stop it or clean it up, we will always have a security mess. Essentially, we need a registrar police, or rules that if not followed result in a registrar blacklist similar to SSL cert company blacklists.

9 Posts
Top 5 Unresolved Security Problems of 2012
1. Inability to find skilled and motivated staff to fix security problems
2. Inability to realize that the first problem is staffing
3. Inability to justify paying staff who are sufficiently skilled and motivated to fix the security problems
4. Dismissal of #1 as a long term problem since consequences probably won't hurt this year's profit or stock price as much as they would cost
5. Dismissal of #1 as someone else's problem
Speed and innovation. How long does it take for attackers to change tactics vs. how long does it take for us to recognize the change, budget for it (if needed), and test and implement whatever is needed to plug the hole in our defenses or train the user not to click a link?
Encryption of other sensitive data, the way PCI compliance protects credit card information. Recent news has been about Social Security numbers, and there is a never-ending list of user and password compromises. Encrypting this other data should be a priority, and it would make it harder to data mine.
1) We still do not have a way to secure the user, or rather protect the system from the user.
2) We have no easy way to implement a whitelist of internet domains/ip's that is non-impacting to the user community.
3) The need for data encryption to be a standard not an extra.

I should make it clear I am not saying there are good implementations/attempts to address these points (i.e. sandboxing, IP/domain reputation, etc.), but for most organisations these are costly, disjointed and extremely time-consuming to implement and then manage, making it a hard sell when you know the truth that you will need more staff and ongoing budget to "do it right". IMHO security is all about securing the I/O: what you let in and what you let out; the encryption is for when you let it out but have a gut feeling you really didn't want to (or rather need/have to). I won't get started on how SSL encryption for connecting to remote parties using mainstream CAs seems a rather broken system ...

14 Posts