Thursday, December 6, 2007

ZDNet looks forward into the past... huh?

I was reading some email today, from our friends over at ZDNet, and if you haven't caught their stuff lately - it's pretty good reading. Their blogs and news articles tend to have good coverage on the Microsoft side of the house, with Mary Jo Foley's "An unblinking eye on Microsoft [RSS link]" column... but then my eyes wandered over to this link, and I couldn't help myself. I'm sorry to sort of rag on the subject, but... what the hell?

This whitepaper titled "Where Online Hackers Are Headed in 2007: "Coming Soon" to a Website Near You (and Your Hard Drive)!" by Kevin Prince (Chief Security Officer for Perimeter eSecurity) from Feb 2007 is posted front-and-center on the Thursday, 12/6/07 ZDNet Must-Read News Alert email. It's in the section "White Papers from our partners". I looked at it, and thought for a second. Why am I getting this in December? And more importantly... did Kevin get it right?

Well, I can't tell you what ZDNet's motivation was for sending me this "must read" WhitePaper from Feb '07 (maybe they're out of sponsors so they're re-hashing some of the old crap?), but I'll pull some points out of it for you to analyze and think over. [Sorry Kevin, I'm really not picking on you].

For the most part, the first few sections hit the nail on the head in reference to history, and what the past few years have brought us in terms of attacks. Yes, the past used to be people attacking us at the desktop/server level with an outside-in attack... things have changed, and that is rightly pointed out. I love the sentence "Stopping new attack types demands strong security posture" uhmm... yea?

Here are the main points I think Kevin makes (Kevin, please reply if you feel I've mis-interpreted your paper).
  • Attacks for 2007 will move from exploiting vulns to social-engineering people into exploiting themselves -- check!
  • Attacks for 2007 will be browser-based -- check!
  • Malicious websites will lure users using SPAM, messaging and hijack-redirection -- check!
  • A layered approach will be required to reduce malware threats -- duh!
Kevin goes on to talk about some of the methods that'll be needed to stop aggressive malware. I'll break these down, and do a mini-analysis. If you'd like to read more, I'll be releasing a larger analysis of what it takes to stop malware these days on my site ( - check there for the "whitepaper" in a few days.
  • Intrusion Detection/Prevention: Old news! 2007 saw IDS/IPS become yesterday's technology. Yes, everyone should have this on the desktop by now, and I realize few do, but that doesn't mean it's the next big thing - in fact... IDS is the last old thing in my humble opinion. The buzz words for 2007 were "extrusion detection"...
  • URL Filtering: Yes - I have to agree there... this is a big frontier that in 2007 we didn't address enough, but should have. I think that stretching into 2008-2009 we as security professionals should be utilizing web filtering technology a lot more to save our desktops from attacks.
  • SPAM filtering: Obviously. The horse is dead, and we're still kicking it - SPAM rules the SMTP gateways, and I saw some statistic yesterday that the UK gets something like 50% of the world's SPAM? SPAM filtering should be done at every company, and if you're not going to do it yourself, hire someone to do it for you that's better at it... next!
  • Policies & PC Restrictions: I lumped these together even though Kevin kept them separate because they're essentially the same thing. You can't do one without the other... you should be restricting your users from hurting themselves... after all - there is still no patch for the ignorant end-user.
  • Gateway A/V: In 2007 I think we as security pros did more of it, but aren't utilizing the technology enough. I agree with Kevin, it should have been an initiative in 2007 - but we're still burning resources at the desktop doing this... why?
  • Vulnerability Scanning: Remember, if you're not scanning for vulnerabilities on your network and perimeter, someone else with bad intentions is. I'll leave that one alone.
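Since the URL-filtering point above is the one I think we under-invested in, here is a small added example (my own illustration, not code from Kevin's paper or from any filtering product) of the part of a URL filter that actually matters: normalizing the host the browser will really connect to before looking it up in a block list. The block list entries, the `.example` / `.test` names and the 203.0.113.x address are constructed placeholders, not real malicious hosts. It handles the common lure tricks - a userinfo prefix (`bank.example@evil.example`), trailing-dot and mixed-case hosts, Unicode labels (via IDNA), and dotless decimal or hex IP literals - which naive string matching on the raw URL misses.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample block lists (assumption: placeholder names/addresses, not real threats).
BLOCKED_DOMAINS = {"evil.example", "phish.example.net"}
BLOCKED_IPS = {"203.0.113.7"}


def normalize_host(url):
    """Return the host a browser would really connect to, or None if it cannot be parsed.

    Filters that compare raw URL strings are bypassed by userinfo tricks, case,
    trailing dots, Unicode look-alikes and numeric IP literals; normalizing first
    lets a plain set lookup do the job.
    """
    if "://" not in url:
        url = "http://" + url           # browsers assume http:// for bare hosts
    parts = urlsplit(url)
    host = parts.hostname               # drops user:pass@ and :port, lowercases
    if not host:
        return None
    host = host.rstrip(".")             # "evil.example." is the same FQDN
    try:
        host = host.encode("idna").decode("ascii")   # Unicode label -> punycode
    except UnicodeError:
        return None
    # Dotless decimal ("3405803783") or hex ("0xcb007107") hosts are accepted
    # by browsers as IPv4 addresses; render them in dotted-quad form.
    if host.isdigit() or host.startswith("0x"):
        try:
            host = str(ipaddress.IPv4Address(int(host, 0)))
        except ValueError:
            return None
    return host


def is_blocked(url, domains=BLOCKED_DOMAINS, ips=BLOCKED_IPS):
    """True if the URL's effective host is a blocked IP, a blocked domain, or a subdomain of one."""
    host = normalize_host(url)
    if host is None:
        return True                     # fail closed on URLs we cannot interpret
    if host in ips:
        return True
    labels = host.split(".")
    # Check every parent suffix so cdn.phish.example.net matches phish.example.net,
    # but evil.example.attacker.test does NOT match evil.example (different domain).
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


if __name__ == "__main__":
    for u in ("http://bank.example@evil.example/login",
              "http://EVIL.example.:8080/x",
              "http://0xCB007107/",
              "http://evil.example.attacker.test/"):
        print(u, "->", normalize_host(u), "blocked" if is_blocked(u) else "allowed")
```

The suffix walk is deliberate: a block list keyed on exact hostnames is trivially evaded by prepending a label, while a naive substring match would wrongly block anything that merely contains a listed name.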
So there you have it - for the most part, I think the paper (aside from stating way too much of the obvious) was on the mark. The sad fact is... it doesn't matter how many crystal ball papers like this our security managers and business leaders read... the messages will still likely go unheeded.

Good luck out there.

1 comment:

Chris Ballard said...

I think that every organization needs to have strategies in place to prevent security breaches: firewalls, spam filtering, and the rest are all required in the office, especially when some of your users are not techno-savvy enough to take care of it themselves.