Ever since the traditional print industry collapsed in on itself like a decommissioned ‘Vegas casino, replaced with blogs, micro blogs, social networking and other forms of Web based publishing, the end of the year has brought with it a blizzard of retrospective and prospective Top 10 lists from click hungry sites. There’s a good reason for this, of course: data says that you readers like ’em. Top 10 lists are really like editorial Happy Meals – conceptual packages that say to the reader “You don’t have to do anything – we’ve got everything you need behind this one link!”
The problem is that Top 10 lists, like most other things, are subject to abuse and overuse. Those of us who run blog sites and Web publications use them throughout the year to attract attention to a particular idea, but they really rain down on readers with the advent of the New Year and our (natural) tendency to want to look back and imagine the future, simultaneously.
The IT security space is no different. Even though computer security is just one slim branch on the vast oak tree that is Web publishing, there are still Top 10 and Best Of lists flying at readers from all quarters: vendor sponsored, publisher sponsored, individually generated. Threatpost, of course, has dipped its toe in the water here, with our Five Security Trends to Watch in 2011. But what you really need is someone to read them all through and then mash together…err…“curate” a list of the best. That’s what we’ve done here with our Top 10 Security Top 10 Lists…list?! Enjoy!
10. Top Security Trends of 2010 (PC World)
Not too bad. A security news fastball, straight down the middle of the plate. Tony Bradley at PC World calls out Stuxnet, Aurora, the crackdown on the Mariposa botnet and social media hacking as the top trends of 2010. Hard to disagree with this list.
9. Top Threats to Cloud Computing (.PDF)
OK, this one actually came out in March, so it’s no end-of-year “look back.” Still, the Cloud Security Alliance’s first-ever list of the biggest security threats stemming from cloud-based deployments remains an indispensable resource. Among the issues that CSA calls out: insecure APIs, malicious insiders and inadequate authentication, authorization and audit (AAA) controls. Add this to your end-of-year reading list.
8. Five Cloud Security Trends Experts See for 2011 (CSO)
After you’re done reading the CSA’s list of top cloud threats, peer into your crystal ball with CSO writer Bob Violino’s “Five cloud security trends experts see for 2011.”
7. Top Security Stories of 2010 (Alertlogic)
Alan Shimel and crew at Alert Logic are rolling out a blog post a day highlighting the top security trends and stories of 2010. So far, the group has called out mobile insecurity, application insecurity, the sentencing of TJX/Heartland Payment Systems hacker Albert Gonzalez and the emergence of cyberwar as trends that are likely to carry over into the new year. Good job!
6. 10 Great ways to get hacked in the New Year (Acunetix)
The winner of this year’s “Don’t think about an Elephant” award goes to Acunetix for its list of “10 great ways to get hacked in the New Year.” Among the great…err…terrible suggestions from the firm: “don’t enforce strong passwords,” using a Web application firewall to “cover up known SQL injection” holes, ignoring the ASP.NET padding oracle vulnerabilities that keep cropping up, and focusing on audit compliance over security. Nice!
5. 2011 Security Predictions (zScaler)
The smart people over at Web security firm zScaler have been the source for quite a few Threatpost stories in the past year and, in general, strike us as folks who “get it,” especially around topics like Web security and malware. Their list of 2011 Security Predictions, then, caught our attention. Some of their trends (data breaches, app store abuse, niche malware for IP-enabled “stuff”) overlap with Threatpost’s “Five Trends to Watch in 2011.” Others struck us as bold and interesting, notably: mobile malvertising (the subversion of mobile ad networks like iAd and AdMob) and a data breach that exploits cloud-shared resources and COTS (commercial, off-the-shelf) technology.
4. 2011 Security Predictions (Websense)
So, too, did the list of 2011 predictions from the researchers at Web security firm Websense. Among the trends Websense sees: more, and more dangerous, blended threats like Zeus and SpyEye, a faster turnaround for zero-day holes and threats targeting mobile devices like the iPhone and iPad.
3. Top Security Snafus of 2010 (Network World and PC Tools)
To paraphrase Tolstoy, all successful security programs are alike, but each security snafu fails in its own way. That’s what makes lists of security screw-ups oh-so-much more interesting than lists of security advice and trends. We saw two nice lists that shone a light on the biggest slip-ups of the year. Network World’s top Security Snafus list calls out Google’s abortive effort to take a stand against the Chinese government in the wake of the Aurora hacking incident. Google also won notoriety for the liberal data-snarfing practices of its Street View program. There was the hack of Apple’s iPad VIP list by Goatse Security and, of course, the theft of a quarter million diplomatic cables from the U.S. Department of Defense’s classified network. PC Tools’ list took more of a TMZ approach, noting prominent hacks of computers and social networking accounts belonging to celebrities like Lady Gaga and reality star Angelina Pivarnick. Hey, celebrities are people, too!
2. Biggest Data Center Outages of 2010 (Data Center Knowledge)
At Threatpost, we spend most of our time writing about man-made threats: worms, viruses, denial of service attacks and the like. But the list compiled by Data Center Knowledge of the biggest data center outages of the year reminds us that some of the biggest threats to our IT infrastructure come from natural events (storms, floods, accidents of various sorts) as well as from less predictable “floods” of human activity. It’s a fascinating list that comprises both data center outages and social media outages, with a noticeable lack of outages due to malware or hacking. Food for thought.
1. Top 10 Sexy Infosec Geeks of 2010
“Sexy” isn’t a word that readily comes to mind when you think of information security. And anyone who’s ever strolled the crowded hallways and conference rooms at, say, Defcon in Las Vegas can attest to the fact that, for security geeks, attraction is really a neck-up affair. Still, that doesn’t mean there aren’t hotties out there walking amidst the bearded and pierced rank and file, Arduino boards in tow. So we’ll give it up to Mike Dahn and his Chaordic Mind blog for the annual “Top 10 Sexy Infosec Geek” list. We love the fact that this is a co-ed list, that its members were user-nominated and that PR flak representation on the list is low (Dahn groups three of the cuter security-focused flaks at number 10). As for the #1 sexiest geek, my former 451 colleague Andrew Hay? Well, that’s just the icing on the cake.