If we have carried out an in-depth risk analysis (sorry if I insist), we should know that even when these devices are not company-owned, we still need to include them in the strategic security plan. To say it clearly: wherever there is valuable company information, there are no excuses for not protecting it.
Illegal Software, Dual Problem<br />
Unfortunately, it is true that many people use illegal software as a protection method!
Besides being illogical, it entails a severe risk, since there are many documented threats hidden in antivirus software or other kinds of fake antimalware, not to mention the infection rates of illegal software, which is usually downloaded from sites specialized in these matters.
We are all responsible for raising awareness among both companies and individuals; similarly, we are accountable for pursuing the know-how necessary to understand the world we live in and to decrease risk exposure.
Keep One’s Eyes On The Ball<br />
Many APT-type attacks have aimed to access and expose an organization’s sensitive information.
In some cases, the information disclosed was not that valuable per se, but the discredit caused by its disclosure was!
What would happen if we could protect information in such a way that, even when accessed by an attacker, it could not be used? Well, that’s what I mean when I say we should keep our eyes on the ball!
Some experts recommend using different encryption techniques (more or less complex, and focused on different devices) as a way to reduce the degree of information exposure.
Even if information could be accessed and extracted from the organization, decryption would be such a complex process that it would take hundreds or thousands of years using latest-generation computers, thus making its practical use impossible.
This clearly raises many other technical challenges, e.g. the custody of digital certificates. Still, if we consider that we can also apply much simpler techniques, such as file encoding and database encryption for applications, just to mention a few, this kind of risk mitigation technique could have a preferential place in the near future of information security.
Give Him An Inch And He Will Take A Mile<br />
Stuxnet, Operation Shady RAT and the attacks against the International Olympic Committee and the World Anti-Doping Agency (reportedly hidden and active for at least 5 years), among many others, are clear examples of what could happen, but they are not decisive when it comes to analyzing the future; all we can attest is that we do not know what new threats will appear.
starterkit 02/2011(2)
SOCIAL FRAUD
However, we’ve got so much to do before giving up. Some people even say that this is a war and that we can win it; I believe it’s too soon to say that, though without a doubt there’s plenty of room for improvement in the information security management systems of most companies and public agencies.
There is one point on which many experts agree: new attacks call for new monitoring, detection, and prevention techniques. These techniques do exist, however; the problem is just that they are not used widely enough.
Just to give you an example: the SIEM (Security Information and Event Management) notion is practically unknown to, or only partially implemented by, many organizations, which miss the opportunity to have at least integral monitoring systems that enable threat detection from the behavioral standpoint, supplementing pattern detection systems and other heuristic techniques. An added value of this kind of system is that it provides audit trails, which are very useful for minimizing impact in the event of an attack!
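
The behavioral detection described above, as an added example that is not from the original article: a per-user baseline of outbound volume flags a transfer that a signature list misses, and keeps the contributing events as an audit trail. The event format, hostnames, threshold and function names are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not real logs): daily outbound bytes per user, days 1-5.
BASELINE = {"alice": [120_000, 110_000, 130_000, 115_000, 125_000],
            "bob": [90_000, 95_000, 85_000, 100_000, 80_000]}
# Event tuple: (day, user, destination, bytes_out). Hostnames are hypothetical.
EVENTS = [(day, user, "files.corp.example", size)
          for user, sizes in BASELINE.items()
          for day, size in enumerate(sizes, start=1)]
EVENTS += [(6, "alice", "files.corp.example", 128_000)]
EVENTS += [(6, "bob", "sync.unlisted.example", 500_000)] * 4  # unusual volume

SIGNATURES = {"known-bad.example"}  # hypothetical indicator list


def pattern_alerts(events):
    """Pattern detection: flag events whose destination is a known indicator."""
    return [ev for ev in events if ev[2] in SIGNATURES]


def behavioral_alerts(events, baseline_days, threshold=3.0):
    """Flag user-days whose outbound volume deviates from that user's baseline."""
    per_user = defaultdict(lambda: defaultdict(list))
    for ev in events:
        per_user[ev[1]][ev[0]].append(ev)
    alerts = []
    for user, days in per_user.items():
        history = [sum(e[3] for e in days.get(d, [])) for d in baseline_days]
        mu, sigma = mean(history), pstdev(history)
        spread = max(sigma, 0.1 * mu, 1.0)  # floor so flat baselines do not alert on noise
        for day in sorted(set(days) - set(baseline_days)):
            total = sum(e[3] for e in days[day])
            score = (total - mu) / spread
            if score > threshold:
                # Keep the contributing events: this is the audit trail for responders.
                alerts.append({"user": user, "day": day, "total": total,
                               "score": round(score, 1), "audit_trail": days[day]})
    return alerts


if __name__ == "__main__":
    print("pattern alerts:", pattern_alerts(EVENTS))
    for alert in behavioral_alerts(EVENTS, baseline_days=range(1, 6)):
        print(alert["user"], alert["day"], alert["total"], alert["score"])
```
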
GABRIEL MARCOS<br />
Twitter: @jarvel<br />
Page 34 http://pentestmag.com