The high-profile security breaches of 2011, emerging security technologies and the increasing need to improve software security practices helped shape some of the most popular and thought-provoking Security Wire Weekly interviews of 2011. Over the course of the year, SearchSecurity.com spoke to dozens of security experts and researchers who have made important contributions to the security industry. This year’s top 5 podcast list had a common theme: security breach prevention.
In 2011, emerging technologies, including cloud-based services and powerful smartphone platforms, had a major impact on corporate security strategies and continue to do so in 2012. Security defenses were put to the test as attackers continually sought ways to take advantage of weaknesses and gain access to corporate networks. There were plenty of successful incidents to explore, including the RSA SecurID security breach, the Epsilon email breach and the Sony security breach. While unrelated, the security breaches highlighted a number of lingering security problems that can give any determined hacker a way into sensitive network data.
SearchSecurity.com has pulled together five interviews that were popular with our listeners and continue to provide valuable information to help security professionals understand the risks to their organization and apply best practices. In addition, a sixth podcast, which doesn’t qualify as an interview, was added to the list because it was a lively discussion on the impact of compliance mandates on the security industry.
- Sorting through data breach data to improve your security strategy: The annual Verizon Data Breach Investigations Report (DBIR) is a document full of interesting data, but finding the most useful information to improve an enterprise’s security posture is difficult. In April, the SearchSecurity.com editorial team spoke with Bryan Sartin, director of investigative response at Verizon, about the firm’s 2011 DBIR. Sartin discussed the value of account credentials and intellectual property and explained the most important data points for enterprise CISOs.
Bryan Sartin is director of the investigative response practice at Verizon Business. He is responsible for all customer-facing incident response, computer forensics and IT investigative work.
- RSA SecurID lessons learned: In August, NetWitness CSO Eddie Schwartz joined SearchSecurity.com Editorial Director Michael Mimoso in a discussion on how NetWitness detected and alerted RSA’s security team to a potential security breach. Schwartz said large organizations often have log files that are diverse and dispersed, making it difficult for security teams to find anomalies and swiftly take action. NetWitness’ full packet capture technology flags anomalous network activity on users’ accounts and alerts response teams to indicators of compromise, Schwartz said. At RSA, it detected the use of a remote access tool on a specific account and helped incident responders quickly determine the scope of the breach. Schwartz also talked about data breach trends, the rise of hacktivist group attacks and the way organizations can respond to improve security defenses.
Eddie Schwartz is currently the chief security officer at RSA, The Security Division of EMC Corp. He was appointed last January following RSA’s acquisition of NetWitness.
- Data security breach avoidance also involves the end user: In August, Catalin Cosoi, head of the online threats lab at Romanian antivirus vendor BitDefender, talked about the increasing number of targeted attacks and social engineering tactics that security technology often fails to protect against. Cosoi believes ISPs need to be forced or empowered through legislation to protect users and block infected machines. The automated tools behind most phishing attacks are becoming more sophisticated, enabling less savvy cybercriminals to better focus their attacks, Cosoi said. In addition, determined cybercriminals can easily tap into social networks and other freely available information to conduct a spear phishing campaign against specific employees at a targeted organization, Cosoi said. At least part of the answer is an ongoing end-user security awareness training program, according to Rob Cheyne, CEO of Safelight Security Advisors. A good first step is a risk assessment, Cheyne said in an interview conducted in March.
Catalin Cosoi heads the online threats lab at Romanian antivirus vendor BitDefender. He has been involved in the company’s research and development of new antispam and antiphishing technologies.
- Software security is a key ingredient in data breach avoidance: Microsoft has long made its Security Development Lifecycle (SDL) freely available to organizations attempting to boost the level of software quality within their development teams. In April, David Ladd of Microsoft’s software security engineering team talked about why many enterprises can easily deploy technical changes, but often struggle with culture changes. Ladd said Microsoft has launched a simplified SDL, which can help even small- and medium-sized organizations implement pieces based on priority. A good entry point to improving software security is to conduct an initial assessment of the state of the processes and technologies in place and to understand the business’ risk tolerance, Ladd said. Leadership is also important, he said, as well as understanding the resources and expertise available within the organization. More mature organizations can begin threat modeling, according to Chris Wysopal, co-founder and CTO of application security vendor Veracode, in another April interview.
David Ladd is principal security program manager of Microsoft's SDL Team. He is also part of the University Research Programs group in Microsoft Research.
- Citigroup data security breach highlights necessity of Web application security: Following the Citigroup data security breach affecting more than 300,000 customers, Jeremiah Grossman of WhiteHat Security explained that a simple business logic flaw was exploited by attackers to steal account data. The insufficient authorization flaw should have been caught in the code review process, Grossman said.
Jeremiah Grossman is founder and chief technology officer of WhiteHat Security and a founding member of the Web Application Security Consortium (WASC).
- Bonus: Does compliance hinder the creation of innovative security technologies? Following his short talk at the 2011 RSA Conference on Why Zombies love PCI (YouTube video), Joshua Corman, then an analyst at the 451 Group and currently director of security intelligence at Akamai Technologies, joined Paul Judge of Barracuda Networks in a lively debate on whether compliance hinders the creation of innovative security technologies. According to Corman, compliance is forcing organizations to protect custodial data rather than protecting intellectual property and other corporate secrets. As a result, security vendors create technologies to protect custodial data, such as Social Security or credit card numbers. Meanwhile, Judge argued that compliance has stimulated specific security markets, cranking up competition.
Joshua Corman is director of security intelligence at Akamai Technologies. Prior to that he was research director for enterprise security at the 451 Group. Paul Judge is chief research officer at Barracuda Networks. He joined Barracuda following its acquisition of Purewire in October 2009. Judge was founder and CTO of Purewire.