Information Security in 2009

December 31, 2008

On the eve of 2009, as we work out our plans for ringing in the New Year, I stopped to think about what information security will bring us in 2009. As threats become much more dynamic, sophisticated, and targeted, I couldn’t help but come up with a few predictions of what I feel we’ll see more of next year. This list is not based on any confirmed sources or exploits, but rather on my personal research and experiences in 2008.

1. Mobile security: Smartphones such as the iPhone, Blackberry, G1, and others are becoming more widely used and accepted in enterprise environments. With new capabilities to interface with backend Microsoft Exchange servers, corporate databases, and even banking websites, smartphones are accessing and storing large amounts of sensitive data. Therefore, security concerns will be addressed and controls will be implemented to manage these devices.

2. Virtualization security: Many enterprises are moving towards virtual solutions. Virtualization allows more efficient and easier management of servers. The ability to remotely create a server, place it on a network segment, then upgrade the memory and hard drive space with a few clicks is remarkable. However, I foresee much more emphasis on securing server clusters. Security boundaries between virtual machines must be defined and enforced so that a system in one security domain cannot cross into another.

3. New botnet damage: Botnets are becoming much more widespread. Some researchers estimate that some botnet herders own millions of systems across the globe. This provides herders with extensive capability. Not only can they attempt multiple DDoS attacks, but owning this many systems allows them to control their own online army. I foresee more focus on host-based IDS/IPS solutions to control botnets.

4. More Mac malware: I recently spoke of new malware targeting the Mac. We’ve seen or heard of many vulnerabilities in Windows throughout the years, mostly due to the fact that it has a much higher market share in personal computers. As Apple starts to get more attention and as enterprises start purchasing Macs, more focus will be on creating exploits for Apple computers.

5. Whitelisting: There’s always been a focus on blocking bad IP addresses, programs, and processes with blacklists. The problem here is the zero-day threat that is unknown and therefore implicitly allowed. More focus will be on defining what’s good and explicitly allowing only those IPs, programs, and processes. This implicitly blocks every other instance and better protects systems.

These are just five predictions that I thought of today for 2009. I’m sure we’ll see much more from a wide range of domains, and my hope is that we can effectively keep the new can of worms at bay.

Happy New Year!


Directory traversal prevention

December 20, 2008

Directory Traversal

I was recently reviewing a case study about a company that was targeted and compromised with a directory traversal exploit. A directory traversal exploit allows an attacker to access unauthorized directories on a system. This is normally the result of sloppy programming that lacks input validation.

In this particular case, the attacker was able to use an HTTP “GET” request to access root-level files in the directory. The lack of input validation allowed the attacker to combine the “GET” request with arbitrary strings that granted access to the application files. Basically, they then had access to configuration files on a backend application where authorization was clearly only supposed to be granted to administrators.

To prevent the compromise of this system, security managers should have ensured that their server validated input, thus preventing the arbitrary input that allowed the directory traversal. In addition, a patch for this vulnerability had been released six months prior. Without an efficient patch management program in place for when vulnerabilities are found, organizations may become aware of a vulnerability, or patch it, only when it’s too late. Therefore, security bulletins from vendors and organizations such as CERT should be read and applied when relevant.
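The input validation the post says was missing can be made concrete. The following is an added example written for this page, not code from the original post or from the company in the case study: a resolver that keeps a user-supplied file name inside the web server's document root. It decodes the request until it stops changing (so double-encoded `..` sequences are treated like a plain `..`), rejects NUL bytes, normalises backslashes, and then compares the real path (symlinks resolved) against the real path of the root component by component rather than by string prefix. The directory layout, request strings and function names (`safe_resolve`, `demo`) are constructed for illustration.

```python
"""
Added example: keep requested file names inside a document root.
Not from the original post; layout and inputs below are constructed.
"""
import os
import posixpath
import tempfile
from urllib.parse import unquote


class TraversalAttempt(ValueError):
    """Raised when a requested path would escape the document root."""


def canonical_request_path(raw: str) -> str:
    """Fully URL-decode a request path and normalise separators.

    Decoding repeats until the value stops changing, so '%252e%252e'
    ends up as '..' just like a plain '..'. The loop is bounded so a
    pathological number of encoding layers is refused outright.
    Backslashes are mapped to '/' because some servers accept them.
    """
    decoded = raw
    for _ in range(5):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        raise TraversalAttempt("too many layers of URL encoding")
    if "\x00" in decoded:
        raise TraversalAttempt("NUL byte in path")
    return decoded.replace("\\", "/")


def safe_resolve(doc_root: str, raw_request_path: str) -> str:
    """Return an absolute filesystem path under doc_root, or raise.

    A leading '/' is stripped so every request is relative to the root.
    The lexical normpath collapses 'a/./b' and 'a/../b'; the realpath
    comparison then catches symlinks that point outside the root.
    commonpath is used instead of startswith because '/var/www' is a
    string prefix of '/var/www2/secret' but not a parent of it.
    """
    req = canonical_request_path(raw_request_path).lstrip("/")
    req = posixpath.normpath(req)
    if req == ".":
        req = ""
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, req))
    try:
        if os.path.commonpath([root, candidate]) != root:
            raise TraversalAttempt(f"{raw_request_path!r} escapes document root")
    except ValueError as exc:  # different drives on Windows
        raise TraversalAttempt(str(exc)) from exc
    return candidate


def demo() -> dict:
    """Build a throwaway document root and classify constructed requests.

    Returns a mapping of request -> 'served:<path relative to root>'
    or 'blocked'. The layout is created in a temporary directory so the
    example runs offline and leaves nothing behind.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.makedirs(os.path.join(root, "img"))
        open(os.path.join(root, "index.html"), "w").close()
        open(os.path.join(root, "img", "logo.png"), "w").close()
        open(os.path.join(tmp, "app.conf"), "w").close()  # lives outside the root
        requests = ["index.html", "/img/logo.png", "img/../index.html",
                    "../app.conf", "%2e%2e/app.conf", "%252e%252e/app.conf",
                    "..\\app.conf", "index.html%00.png"]
        try:  # a symlink inside the root that points outside it
            os.symlink(os.path.join(tmp, "app.conf"), os.path.join(root, "link.conf"))
            requests.append("link.conf")
        except OSError:
            pass  # symlinks unavailable on this platform; skip that case
        real_root = os.path.realpath(root)
        for request in requests:
            try:
                path = safe_resolve(root, request)
                results[request] = "served:" + os.path.relpath(path, real_root)
            except TraversalAttempt:
                results[request] = "blocked"
    return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r:28} -> {outcome}")
```

The same check belongs at every place the application turns request data into a filesystem path, not only in the handler that was exploited; and because the resolver raises rather than silently rewriting the path, the rejection can be logged and counted, which gives operations a signal for traversal probing in addition to the protection itself.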

Thought of the day

December 13, 2008

“An investment in knowledge always pays the best interest.”

Benjamin Franklin

98% of all PCs have vulnerabilities!

December 5, 2008

According to research conducted by Secunia, 98% of all PCs connected to the Internet have unsecured programs installed. This means that the vendors of the installed applications have released an updated version that patches more than one vulnerability. Nearly half of the systems involved in the assessment had eleven or more insecure programs installed. Secunia’s free tool, Secunia PSI, checks installed programs for updates and patches. This tool helps users keep their systems patched, helping to mitigate potential exploits of vulnerable software.

For more information, visit Secunia here.

Security beyond compliance: A proactive and customized security framework

December 2, 2008

Check out my latest article published on

Here’s a brief excerpt:

Security professionals are governed by many regulatory standards. Whether FISMA, HIPAA, GLBA, SOX or PCI DSS, these standards serve to provide a baseline for implementing and managing security. But the need to comply with these guidelines is not enough to keep enterprises safe. Organizations must go beyond compliance standards to create a stronger security posture. Most of these standards were created well over six years ago, and their purpose was to provide a minimal level of security to protect sensitive information, not an in-depth strategy to address all enterprise risks.

To stay ahead of evolving threats, organizations must take a more proactive approach by developing a security framework specific to their operations. Such a framework should range beyond compliance guidelines to encompass several other basic principles, including defense through diversity, proactive security strategies, addressing layer 8 (users), and defining the framework. In this tip, we’ll review each of those concepts.
