Three Nominations For ISSA's 2009 Retrospective Awards

According to my friend Pete Lindstrom, the Information Systems Security Association (ISSA) is surveying its members for suggestions on three 2009 stories that, in retrospect, were the "most" of something. I'm not a member of the ISSA, but awards are fun, right? Here are my nominations:

Most significant breach of 2009: Heartland Payment Systems

Yes, this breach happened in 2008. But the story broke in 2009, so I'm counting it. The significance of the breach wasn't just the size (130 million credit card numbers). The story that surrounded the breach provoked some interesting debates about the role of PCI, the effectiveness of auditors, and the willingness of clients to QSA-shop, ignore advice, and blame third parties for their own failures.

Most overhyped story: "The cloud is insecure, m'kay?"

It is easy and appropriate -- today -- to discuss the risks associated with putting applications and data on semi-public devices you don't own. Criticizing is easy, but the fixing is more interesting. I predict that in time "the cloud" will be the best thing that has ever happened to information security, because it focuses attention on the data, not the infrastructure. Or to put it differently, it puts the "information" back into Information Security. This is exactly the discussion we need to have.

Most significant vulnerability: SSL/TLS Man-In-The-Middle Vulnerability

Hands down, the SSL/TLS man-in-the-middle attack was the most serious vulnerability of the year. The vuln was supposed to be publicized right around now, but an independent researcher re-discovered it.
The vulnerability is particularly nasty when an SSL-protected site also mishandles redirects. The flaw in essence requires a revision to TLS to fix it. If you ask, "What needs to be updated to fix this problem?" and the answer is, "Every SSL and TLS server on the Internet," then you know it's bad.
re: Three Nominations For ISSA's 2009 Retrospective Awards

Completely agree with your comments on "the cloud" driving us to focus on the data.

But I'd like to amend the TLS issue to "Most significant vulnerability that (sadly) doesn't matter much yet". I hope that focusing on this problem helps put the "mutual" back into authentication. But until then, I doubt that more than a very small proportion of experts would be able to spot even a simple man-in-the-middle proxy that sniffed all traffic. How many people do you know who check that the server's certificate is correct? Even with warnings from their browser?