Security and Stability Wish list for 2008
My initial thought was to wrap up 2007 with a list of successes and failures in the areas of Internet security and stability. Too much has already been written on this topic, both fact and FUD. Perhaps this is out of character for a skeptic, but I'll close the year by asking Santa for changes I'd like to see in 2008.
A pragmatic approach to user self-administration. Many organizations lock down every client endpoint. This proves frustrating for three classes of users: those who know little but hate conceding control, those who incorrectly perceive themselves to be power users, and truly knowledgeable users who may know as much as many staff in IT departments. One policy won't fit all here, so let employees choose. Those who choose to have client endpoints locked down get priority support over those who do not. The truly knowledgeable users will solve the majority of problems themselves, from hardware diagnostics to data and OS recovery. The wannabe power users will either learn quickly that they know less than they imagine, or their productivity will plummet.
Take DNS out of the fast flux equation. The efficacy of fast flux hosting is greatly improved when an attacker can flux both web proxies and DNS name servers. Some registrars and registries have aggressive anti-abuse policies that prohibit short times to live on A resource records for name servers of domains they manage. Make this an industry-wide practice, either through policy or best practices.
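As an added illustration (not code from the post), here is a check over constructed DNS snapshots that flags name-server hosts whose A records both fall below an assumed registry TTL minimum and rotate through many addresses over time. The hostnames, addresses and the threshold are constructed sample values.

```python
"""Flag fast-flux indicators on name-server A records: TTLs below a policy
minimum and rapid rotation of the addresses behind the name servers."""
from collections import defaultdict

# Assumed policy threshold (constructed): a registry refuses A records for
# name-server hosts whose TTL is below this many seconds.
MIN_NS_A_TTL = 3600

# Constructed snapshots of one zone taken at three different times.
# Each record is (owner name, rrtype, ttl, rdata).
SNAPSHOTS = [
    [("flux.example", "NS", 86400, "ns1.flux.example"),
     ("flux.example", "NS", 86400, "ns2.flux.example"),
     ("ns1.flux.example", "A", 300, "192.0.2.10"),
     ("ns2.flux.example", "A", 86400, "198.51.100.5"),
     ("www.flux.example", "A", 180, "203.0.113.7")],
    [("ns1.flux.example", "A", 300, "192.0.2.11"),
     ("www.flux.example", "A", 180, "203.0.113.8")],
    [("ns1.flux.example", "A", 300, "192.0.2.12"),
     ("www.flux.example", "A", 180, "203.0.113.9")],
]

def name_server_hosts(snapshots):
    """Hostnames that appear as NS rdata in any snapshot."""
    return {r[3] for snap in snapshots for r in snap if r[1] == "NS"}

def short_ttl_ns_a(snapshots, min_ttl=MIN_NS_A_TTL):
    """Name-server hosts whose A records carry a TTL below the policy
    minimum, mapped to the lowest TTL observed for that host."""
    ns_hosts = name_server_hosts(snapshots)
    lowest = {}
    for snap in snapshots:
        for name, rrtype, ttl, _ in snap:
            if rrtype == "A" and name in ns_hosts and ttl < min_ttl:
                lowest[name] = min(ttl, lowest.get(name, ttl))
    return lowest

def address_churn(snapshots):
    """Number of distinct A addresses seen per owner name across snapshots."""
    seen = defaultdict(set)
    for snap in snapshots:
        for name, rrtype, _, rdata in snap:
            if rrtype == "A":
                seen[name].add(rdata)
    return {name: len(addrs) for name, addrs in seen.items()}

def flux_report(snapshots, min_ttl=MIN_NS_A_TTL, churn_limit=3):
    """Name-server hosts showing both indicators: a TTL below policy and at
    least churn_limit distinct addresses. Web hosts (not NS) are ignored."""
    short = short_ttl_ns_a(snapshots, min_ttl)
    churn = address_churn(snapshots)
    return sorted(h for h in short if churn.get(h, 0) >= churn_limit)
```

Only ns1.flux.example is reported: www.flux.example rotates just as fast, but the policy in the post targets the name servers, not the web front ends.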
More fact, less FUD. Too many anti-virus products are marketed as providing effective relief from viruses and malware. The sharp folks at CERT Brasil have some sobering statistics on the performance of these products in the field. During a November 2007 APWG Summit, Cristine Hoepers of CERT BR presented a summary of antivirus detection rates for trojans, keyloggers and downloaders affecting the Brazilian financial system: only 5 vendors had detection rates above 70% while ~70% of vendors had detection rates of less than 40%. Assuming that endpoints in the Brazilian financial system are better managed than your average broadband user, how much worse can detection rates get? We need to invest in more and broader-based statistical analyses like this, obtain a clearer picture of client endpoints, and if the statistics prove what I suspect, focus research on complementary and alternative solutions to signature-based malware detection.
Take steps to reduce IP spoofing. I've written about this many times. So have SSAC, the IAB (BCP38), and other respected security authorities. Lots of folks in a position to reduce IP spoofing claim this is hard to do and there's no obvious and justifiable return on the investment in time, talent and technology. If you're waiting for an easy way to solve IP spoofing that will cost nothing and improve your revenue, don't hold your breath. If reducing the percentage of malicious traffic on the 'net, making DDoS attacks a tad harder to execute, and making it easier for white hats to identify bot-infected hosts aren't enough of a justification, then maybe your organization is just too content to remain part of the problem. Step up or step aside.
Police port 80 or shut it down. That's right... or shut it down. 80/http is overloaded to the point where we either need a standard discriminator for each of the random acts of application convenience that pass through 80 or a draconian policy enforcement that dumps everything that's evading firewall egress policy (Skype, et al.) or really merits its own port and policy.
There are many more. I'll happily publish anyone's (serious) suggestion to complement my list.
Archived at http://www.securityskeptic.com/arc20071201.htm#BlogID663
by Dave Piscitello