October 2011 Archives

Security 101

Taken from ISC Diary entry - "Security 101: Security basics in 140 characters or [fewer]"

@ChrisJohnRiley: If you can guess where PHPmyAdmin is installed, then so can attackers.
@DavidJBianco: You are already pwn3d. The question is, "What will you do about it?"
@Keldr1n: Don't leave default passwords on the administrative interfaces of your 3rd party web applications.
@Keldr1n: Know your network - and all devices in it - well enough to spot unusual activity.
@Keldr1n: Users are almost always the weakest link. Make it a priority to educate them. Do most of yours even know what phishing is?
@averagesecguy: Security 101: If you don't need it, turn it off.
@bowlesmatt: Passphrases are the new passwords. Make a sentence that is long, hard to guess, and easy to remember. ihatepasswordsseewhatididthere?
@bowlesmatt: Patch your systems and disable any unused services to reduce attack surface.
@bradshoop: Never trust a host you can't trust.
@bradshoop: Computers remember a lot. Even more if you contact security personnel before you reboot.
@bradshoop: Dedicate personnel to prevention AND detection. Preferably the same personnel in rotation to breed familiarity and contempt.
@connellyuni: It's more important to know what you don't know than it is to know what you do know.
@cutaway: Try to avoid saying "We are investigating... why equipment that we have a destruction certificate for was... sold online" to the media.
@cutaway: Assets using secure authentication are directly and adversely impacted by your assets using plain text authentication.
@cutaway: Complacency: 1) Self-satisfaction especially when accompanied by unawareness of actual dangers or deficiencies. 2) You will be hacked.
@cutaway: Default SSL Certs for internal management interfaces should be replaced with valid certificates associated with the organization.
@cutaway: Don't be afraid of your incident response plan. Conducting investigations will give your team experience and eventually reduce costs.
@cutaway: How do you "Find Evil" in your organization? Seriously, go "Find Evil" and report back to me.
@cutaway: IT environments are complex systems. They require a System Development Life Cycle to effectively manage AND secure.
@cutaway: If your product allows remote connections, somebody WILL write a python/perl/ruby script to connect to it and send whatever THEY want.
@cutaway: Monitor and alert to new accounts and accounts being added to Domain Administrator, SUDO, or root groups.
@cutaway: Product certification does not mean it has been deployed correctly. Review placement, logging, access, input validation, etc...
@cutaway: Service accounts should adhere to corporate password policies and be monitored for modifications including lockout.
@eternalsecurity: Make sure you're protecting the right thing. A belt AND suspenders doesn't help if you're not wearing pants.
@hal_pomeranz: "A backup is not a backup until you do a restore." #sysadminkoan
@hy2jinx: Attack vectors and regulatory requirements change. "That's how we've always done it" is a poor and lazy excuse.
@hy2jinx: Scanner "infos" can turn up bigger issues than you'd guess. Look at overall results, not just singles.
@hy2jinx: Five missing patches across 100 devices does not equal "five vulnerabilities."
@hy2jinx: It's cheaper to consult a security professional from conception than mere days before "go live."
@hy2jinx: Security professionals should be empowered to point the business towards good decisions and reserve the power of "No" for a last resort.
@itinsecurity: In your encryption system, your key is the weakest link. If it isn't, you're doing it wrong.
@itinsecurity: Security is not a box you buy or an app you write. It's an emergent property, a sum greater than its parts.
@jarocki: "Dear User: Millions of $$ of software won't keep you from clicking that link. Only YOU can prevent link clicking."
@jarocki: When it comes to security controls, Trust But Verify... nah, forget the Trust... just Verify.
@jimmyzatl: If you don't log "accepts" in your FW logs for admin protocols, you will have no way of knowing when those accounts are abused.
@jimmyzatl: An encryption algorithm that has to be hidden from the public is by definition a weak algorithm...
@ken5m1th: That successful PCI DSS Report On Compliance will not save you from Zombies.
@kentonsmith: When setting up any new system, Step 1: Change default admin password.
@kill9core: Security through obscurity, or the practice of hiding flaws hoping they won't be found, has proven time and time again not to work.
@mattdoterasmus: Just because your security teams work from 9-5 doesn't mean attackers aren't looking the rest of the time.
@omegadefence: The attitude that "it won't or can't happen to us" because "we're too small/big/have nothing to offer" is dangerous.
@omegadefence: The attitude that "I can't do anything about it so I won't even bother with security or reporting" is also dangerous.
@omegadefence: Analyse your logs in detail; it is those with their heads buried in your logs that hold the key to prevent, detect and recover.
@omegadefence: Give only the permissions required to do the normal daily duties, nothing more. Special logons for special occasions.
@omegadefence: Best: using high-speed trend analysis with custom searches as well as automated reporting AND followup.
@rob_bainbridge: Security teams that work in isolation and without transparency will fail. Collaborate with other risk mgmt - audit, ops risk, etc...
@tccroninv: Those that store passwords in plain-text invite catastrophe.
@tliston: "We can't implement strong passwords/two-factor authentication. Our users aren't capable," says more about your competence than theirs.
@tliston: Developers: Never roll your own encryption, authentication or session management schemes. You're not that smart. Trust me.
@tliston: If you don't have written authorization to perform security-type testing in your organization, don't. You're too pretty for prison.
@tliston: If you're not putting as much thought into your outbound firewall rules as you are for your inbound rules, you're doing it wrong.
@tliston: If you're not supporting a legacy Windows OS, for the love of all that is Holy, turn off LANMAN hashes.
@tliston: If you've never tested restoring from your backups, then you don't have backups - you have a crapload of data and hope.
@tliston: If your internal security posture is based on "our employees wouldn't know how to do that," then you're likely already 0wned.
@tliston: Remember: As an attacker, I exploit misplaced trust. There's nothing mystical or magical about it.
@tliston: Run scans against your network. It's the only way to really know what's out there. I've yet to see a fully accurate network diagram.
@tliston: Sanity check security spending. A $500 lock on a cheap wood door doesn't buy security. It just gives a thief something to laugh at.
@tliston: Security isn't just about preventing compromise. It's about maintaining confidentiality, integrity & availability despite compromise.
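
The monitoring @cutaway asks for above (alert on new accounts, and on anyone being added to Domain Admins, sudo or root groups) in runnable form. This is an added example and is not part of the ISC Diary entry or any of the tweets; the Windows lines assume a collector that has already flattened each Security event into key="value" pairs on one line, the Linux lines follow the messages shadow-utils (useradd, usermod, gpasswd) writes to auth.log, and the sample log itself is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Groups whose membership changes should always raise an alert. Names are
# compared case-insensitively; extend the set for your environment
# (e.g. "Enterprise Admins", "Schema Admins", "docker", "adm").
PRIVILEGED_GROUPS = {
    "domain admins", "enterprise admins", "administrators",
    "sudo", "wheel", "root",
}

# Windows Security log event IDs: 4720 = user account created;
# 4728 / 4732 / 4756 = member added to a security-enabled global / local /
# universal group.
WIN_ACCOUNT_CREATED = 4720
WIN_GROUP_MEMBER_ADDED = {4728, 4732, 4756}


@dataclass(frozen=True)
class Alert:
    kind: str     # "account_created" or "privileged_group_add"
    subject: str  # account that was created or added to the group
    group: str    # group involved ("" for account creation)
    actor: str    # who made the change, "" when the log line does not say


def _win_field(line: str, key: str) -> str:
    """Pull a quoted key="value" field out of a flattened Windows event line (assumed format)."""
    m = re.search(rf'{key}="([^"]*)"', line)
    return m.group(1) if m else ""


# Linux messages as shadow-utils writes them to auth.log. usermod logs the
# same addition twice (group and shadow group); scan() de-duplicates.
LINUX_USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
LINUX_USERMOD_RE = re.compile(r"usermod\[\d+\]: add '([^']+)' to (?:shadow )?group '([^']+)'")
LINUX_GPASSWD_RE = re.compile(r"gpasswd\[\d+\]: user (\S+) added by (\S+) to group (\S+)")


def _is_privileged(group: str) -> bool:
    return group.lower() in PRIVILEGED_GROUPS


def parse_line(line: str) -> Optional[Alert]:
    """Turn one log line into an Alert, or None if it is not of interest."""
    m = re.search(r"EventID=(\d+)", line)
    if m:
        event_id = int(m.group(1))
        actor = _win_field(line, "Subject")
        if event_id == WIN_ACCOUNT_CREATED:
            return Alert("account_created", _win_field(line, "Target"), "", actor)
        if event_id in WIN_GROUP_MEMBER_ADDED:
            group = _win_field(line, "Group")
            if _is_privileged(group):
                return Alert("privileged_group_add", _win_field(line, "Member"), group, actor)
        return None
    m = LINUX_USERADD_RE.search(line)
    if m:
        return Alert("account_created", m.group(1), "", "")
    m = LINUX_USERMOD_RE.search(line)
    if m and _is_privileged(m.group(2)):
        return Alert("privileged_group_add", m.group(1), m.group(2), "")
    m = LINUX_GPASSWD_RE.search(line)
    if m and _is_privileged(m.group(3)):
        return Alert("privileged_group_add", m.group(1), m.group(3), m.group(2))
    return None


def scan(lines) -> List[Alert]:
    """Return the distinct alerts raised by a sequence of log lines, in order."""
    alerts: List[Alert] = []
    seen = set()
    for line in lines:
        alert = parse_line(line)
        if alert and alert not in seen:
            seen.add(alert)
            alerts.append(alert)
    return alerts


# Constructed sample log (not real data): one new domain account dropped
# straight into Domain Admins, one harmless group change, and a new local
# user on a web server given sudo and wheel.
SAMPLE_LOG = r"""
Oct  5 09:12:01 dc01 EventID=4624 Subject="CORP\alice" Target="CORP\alice"
Oct  5 09:13:44 dc01 EventID=4720 Subject="CORP\alice" Target="CORP\svc-backup2"
Oct  5 09:14:02 dc01 EventID=4728 Subject="CORP\alice" Member="CORP\svc-backup2" Group="Domain Admins"
Oct  5 09:14:30 dc01 EventID=4728 Subject="CORP\alice" Member="CORP\bob" Group="Sales"
Oct  5 09:20:11 web01 useradd[2345]: new user: name=mallory, UID=1002, GID=1002, home=/home/mallory, shell=/bin/bash
Oct  5 09:20:12 web01 usermod[2350]: add 'mallory' to group 'sudo'
Oct  5 09:20:12 web01 usermod[2350]: add 'mallory' to shadow group 'sudo'
Oct  5 09:21:00 web01 gpasswd[2360]: user mallory added by root to group wheel
Oct  5 09:25:00 web01 sshd[2400]: Accepted publickey for mallory from 10.0.0.7 port 51022 ssh2
""".strip().splitlines()

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ALERT {a.kind}: subject={a.subject} group={a.group or '-'} actor={a.actor or '?'}")
```

scan() accepts any iterable of lines, so the same code runs over sys.stdin or a file handle. The two things worth copying into a real rule are the explicit watch-list of privileged groups (a 4728 for "Sales" is noise, one for "Domain Admins" is a page) and the de-duplication, since usermod writes the group and shadow-group messages for one change.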

About this Archive

This page is an archive of entries from October 2011 listed from newest to oldest.