New Poll: Top 5 Unresolved Security Problems of 2012

Published: 2012-11-19. Last Updated: 2012-11-20 18:20:18 UTC
by John Bambenek (Version: 1)
20 comment(s)

Since it is a holiday week (at least here in the United States), I thought I would put up a new poll question. Unlike previous ones, this one is open-ended and comment-only. What do you think the top 5 unresolved or under-resolved security issues of 2012 are? What do you think is eating our lunch out there that we lack the tools or techniques to handle?

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting


Comments

Big problem: Getting senior management and executives to comprehend that "IT Security" is not just a matter of having a few audits done to show that they did something about it.

Senior management and executives keep harping on about how "you can't tell us anything unless you put it in our language" but they won't meet us halfway: At some level these senior people need to get up to speed on what risk management really means and what the threat environment is really like before they can make effective decisions about IT Security problems. Pretending that "the auditor didn't find any problems" is an effective IT Security strategy and that they just need to read "CIO magazine" to know all that they need to know is NOT getting enterprises to wake up and see the genuine security threats.
Missing egress filtering at ISPs.
You nailed it, JNS. After getting hit on the last three internal pen tests for many people using Summer10, Summer11 and Summer12 as passwords respectively, the head of IT and CSO actually said at the closing meeting that he did not understand how being compliant with the "industry standard" password complexity of 8 characters minimum, 1 capital, 1 lower case, 1 number and 1 special character (3 of the 4) was a risk. "If the auditors are happy, I'm happy."

That's a problem with auditors and accountants. They live in a world where if you follow all the rules, check all the boxes and fill in the forms properly you've done your job competently. They just don't get it that in our world the other side does not have to play by any rules and doing the minimum is akin to being incompetent.
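The compliant-but-guessable pattern this comment describes, as an added example (Python; not the commenter's or the diary's code): a checker for the quoted 8-character, 3-of-4-classes rule beside a hypothetical shape check that flags the season-or-month-plus-year passwords the rule happily accepts.

```python
import re

# Constructed password policy matching the one quoted in the comment:
# at least 8 characters and 3 of the 4 character classes.
MIN_LENGTH = 8
CHARACTER_CLASSES = [
    re.compile(r"[A-Z]"),          # upper case
    re.compile(r"[a-z]"),          # lower case
    re.compile(r"[0-9]"),          # digit
    re.compile(r"[^A-Za-z0-9]"),   # special character
]

# Hypothetical denylist of "dictionary word + year" shapes: seasons and
# months followed by a 2- or 4-digit year, with an optional trailing symbol.
PREDICTABLE_SHAPE = re.compile(
    r"^(spring|summer|fall|autumn|winter|"
    r"january|february|march|april|may|june|july|august|"
    r"september|october|november|december)"
    r"(19|20)?\d{2}[^A-Za-z0-9]?$",
    re.IGNORECASE,
)

def meets_complexity(password: str) -> bool:
    """True when the password satisfies the 8-char, 3-of-4-classes rule."""
    if len(password) < MIN_LENGTH:
        return False
    classes_present = sum(1 for cls in CHARACTER_CLASSES if cls.search(password))
    return classes_present >= 3

def is_predictable(password: str) -> bool:
    """True when the password has the season/month-plus-year shape."""
    return PREDICTABLE_SHAPE.match(password) is not None

def audit(passwords):
    """Return the passwords that are policy-compliant yet predictable.

    This is the gap the pen test exposed: the checkbox rule passes them,
    while a guessing attack does not care about the checkbox.
    """
    return [p for p in passwords if meets_complexity(p) and is_predictable(p)]

if __name__ == "__main__":
    # Constructed sample set, not real credentials.
    sample = ["Summer10", "Summer11", "Summer12", "correct horse battery", "x7$Qp9!mL2"]
    print(audit(sample))  # -> ['Summer10', 'Summer11', 'Summer12']
```

Note that the long lower-case passphrase fails the complexity rule while all three seasonal passwords pass it, which is the mismatch the commenter's CSO did not see.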
No he didn't. The biggest unresolved problem facing itsec folks in 2012 is that you are still hiding behind the postulate that 'management doesn't get it.' If management's not getting it, you are failing as an itsec pro to explain it.

JNS is correct that you can't tell them anything unless it's in their language, so you gotta learn that language and figure out how to talk to them. Explain the risk in terms they can understand. And you know what? One of the ways management is allowed to handle risk is to accept it, champ, and if you don't like that your management will accept the risk, you need to find yourself another line of work.
On the contrary, management gets it just fine, it is the security people who aren't getting it. Every person/organization makes a decision about balancing the costs and benefits of security measures versus accepting vulnerabilities. This is why we accept windows in our houses despite the vulnerability they represent. Management makes the same sort of decision when deciding on the level of security controls they will accept. Going around making condescending comments like 'management doesn't get it' isn't going to help. Maybe we could call that an unresolved security problem.
Anyway, my top unresolved problem is identity. We have so many ways of communicating and such a limited supply of tools to determine we are really talking to who we think we are. And most of those are broken to one degree or another.
I'd have to say the top unresolved problem is all of the browser add ons such as the Adobe family of products, Java and the like. The vulnerabilities these products carry are eating our lunch.
Actually, a huge one which has been with us for almost 40 years is the lack of input validation, failures to check return values from function/library calls (i.e., malloc returning NULL and no test made, etc.).

These types of software issues have been plaguing the world of software for as long as I can remember, unfortunately.

Weinberg's 2nd Law - If builders built buildings the way programmers wrote programs, then the first woodpecker to come along would destroy all of civilization :)
Over-reliance on 'magical black boxes' from security vendors.
Not sure this is resolvable (unless everyone follows Mom’s advice during growing-up); social engineering seems to be top of the list.
