Five Things I Want to See in 2015
Well, we spun around the sun once again and are back where we started. It is now 2015. I am excited to see what this year will bring. There are many changes in information security coming and many issues we will need to address this year. Here are a list of InfoSec related things I hope to see in 2015:
- Internal Network Encryption
All companies should setup their network and their data storage to be secure, but face it, large companies tend to be more important to secure. This is simply because of the large number of people that can be affected if something goes wrong… which it will eventually.This year I hope to see more companies re-evaluating their security standards and implementing newer and more secure storage methods. Internal network encryption is no longer un-needed. Just because you are on a network, it does not mean SSL is not required.
- SSL Certificates Signed with SSH2
The old signatures are not nearly as secure as they used to be. Companies like Google are pushing for customers to start using SSH2 signed certificates and I couldn’t agree more that this is needed.
- Encrypted Database Storage
Transparent encryption in SQL Server is good, but the data stored in those databases needs to be encrypted on it’s own as well… WITH A SALT. The old method of just assuming data is secure because you only let internal network connections to SQL Server is no longer valid. More companies need to start encrypting data inside each field that contains PII.
- Data Loss Prevention Solutions
Most companies have security employees who have the sole jobs of securing data and making sure the network stays secure. One of the key places to start is often overlooked. Implement a DLP solution that can assist in discovering personally identifiable data and taking active action against that exposure. I hope to see a LOT more companies implement DLP solutions in 2015.
- Engagement with Amateur Security Researches
Several companies are now offering bounties for bugs and security holes that are discovered by anyone external to the company. While there are several companies doing this, the number that would rather just pretend the holes don’t exist far outnumbers those that are actively looking for engagement. A large number of exploits found each year are found by companies that are centered around security audits, but even more are found by amateur researchers (hackers). Many companies would rather threaten the people letting them know about these holes than fix the holes. Active engagement is a key actions companies need to take in 2015 in order to avoid exploitation by malicious users.
So, everyone have a great year and help push your companies towards accomplishing these goals please.