2011 was a wild ride for information security. The amount and scope of some breaches has been astounding. New targets and new vectors have been uncovered as well as reminding us of well-known weaknesses in some systems. What's past is prologue, and with that in mind, let's take this opportunity to look at some of the information security lessons learned from 2011 that will hopefully help us be prepared for 2012:
#1 Third-party security services can be an attack vector
Organizations were not ready for attacks that essentially represent a complete loss of trust in their security providers. The RSA breach and the compromise of several Certificate Authorities (including Comodo and DigiNotar) are notable because these breaches were used to attack other organizations and users, exploiting the "trust" on their services. Organizations replaced their tokens from RSA at great costs and the Dutch government was almost paralyzed when their DigiNotar certificates were rendered untrustworthy. Also, in the case of the CA breaches, they underscored well-known problems of the "CA trust" model. For 2012, organizations should include in their plans the possibility of a compromise of their certificate supplier and prepare accordingly. A possible plan includes the use of multiple, independent CAs, so their certificates can be exchanged in case of a compromise.
#2 Responsibly disclose breaches
Even if it's not mandated by law, organizations should be honest in the disclosure of breaches. Some of this year's breaches were compounded when the affected organizations were less than forthcoming about the scope of the breaches (DigiNotar) or the type of information that was compromised (Sony). In the case of a breach, try not making an already bad situation worse by hiding the facts from the very customers that entrusted their data to you.
#3 The need to secure the industrial control systems
In 2010, the Stuxnet worm showed the world that industrial systems could be targeted and affected by malware and reminded us how often these systems are overlooked and unsecured. In 2011 we got a couple of new "gentle" reminders in the form of the Duqu worm and the incidents in Illinois and Houston. The Illinois "hack" was proven false, but it's still a reminder of what could happen if we don't take the security of these systems seriously.
#4 Do not underestimate the threat of mobile malware
Reports might disagree on the numbers, but with the increasing amount of mobile devices connecting to the corporate networks, the possibility of information loss stored on those devices due to malicious apps seems very real. Users should be educated about the risks of some third-party app stores and to keep their security applications and mobile OS up-to-date. Device encryption is also an excellent option for protecting information on those devices.
#5 IPv6 security can no longer be ignored
Early in the year, the last blocks of IPv4 addresses were allocated and later on we had an IPv6 test day. These events signal that the transition to IPv6 could begin in earnest. However, there are many organizations that have not given any serious thought about the implications of IPv6 and may be leaving an open door into their networks. There's still time to create a strategy for this transition, including how to secure it.
#6 All operating systems need to be secured
The Mac Defender incident reminded us that Apple products have an increasingly larger presence in the market and it increases its appeal to cyber criminals as well. This is an old lesson, but it needs to be repeated: there are no security silver bullets. All operating systems need to be consciously secured; do not assume they are implicitly secure, lest you let your guard down. They must be kept up-to-date and its users educated in the basics of security.
I am a technology specialist with over 10 years of experience performing a variety of corporate IT functions, including desktop and server operations, application development, and database administration. My latest role is in information security, focusing on multiple areas including log management and security incident investigation and response.