Security 101

Taken from the ISC Diary entry "Security 101: Security basics in 140 characters or [fewer]".

@ChrisJohnRiley: If you can guess where phpMyAdmin is installed, then so can attackers.
@DavidJBianco: You are already pwn3d. The question is, "What will you do about it?"
@Keldr1n: Don't leave default passwords on the administrative interfaces of your 3rd party web applications.
@Keldr1n: Know your network - and all devices in it - well enough to spot unusual activity.
@Keldr1n: Users are almost always the weakest link. Make it a priority to educate them. Do most of yours even know what phishing is?
@averagesecguy: Security 101: If you don't need it, turn it off.
@bowlesmatt: Passphrases are the new passwords. Make a sentence that is long, hard to guess, and easy to remember. ihatepasswordsseewhatididthere?
@bowlesmatt: Patch your systems and disable any unused services to reduce attack surface.
@bradshoop: Never trust a host you can't trust.
@bradshoop: Computers remember a lot. Even more if you contact security personnel before you reboot.
@bradshoop: Dedicate personnel to prevention AND detection. Preferably the same personnel in rotation to breed familiarity and contempt.
@connellyuni: It's more important to know what you don't know than it is to know what you do know.
@cutaway: Try to avoid saying "We are investigating... why equipment that we have a destruction certificate for was... sold online" to the media.
@cutaway: Assets using secure authentication are directly and adversely impacted by your assets using plain text authentication.
@cutaway: Complacency: 1) Self-satisfaction especially when accompanied by unawareness of actual dangers or deficiencies. 2) You will be hacked.
@cutaway: Default SSL Certs for internal management interfaces should be replaced with valid certificates associated with the organization.
@cutaway: Don't be afraid of your incident response plan. Conducting investigations will give your team experience and eventually reduce costs.
@cutaway: How do you "Find Evil" in your organization? Seriously, go "Find Evil" and report back to me.
@cutaway: IT environments are complex systems. They require a System Development Life Cycle to effectively manage AND secure.
@cutaway: If your product allows remote connections somebody WILL write a python/perl/ruby script to connect to it and send whatever THEY want.
@cutaway: Monitor and alert to new accounts and accounts being added to Domain Administrator, SUDO, or root groups.
@cutaway: Product certification does not mean it has been deployed correctly. Review placement, logging, access, input validation, etc...
@cutaway: Service accounts should adhere to corporate password policies and be monitored for modifications including lockout.
@eternalsecurity: Make sure you're protecting the right thing. A belt AND suspenders doesn't help if you're not wearing pants.
@hal_pomeranz: "A backup is not a backup until you do a restore." #sysadminkoan
@hy2jinx: Attack vectors and regulatory requirements change. "That's how we've always done it" is a poor and lazy excuse.
@hy2jinx: Scanner "infos" can turn up bigger issues than you'd guess. Look at overall results, not just singles.
@hy2jinx: Five missing patches across 100 devices does not equal "five vulnerabilities."
@hy2jinx: It's cheaper to consult a security professional from conception than mere days before "go live."
@hy2jinx: Security professionals should be empowered to point the business towards good decisions and reserve the power of "No" for a last resort.
@itinsecurity: In your encryption system, your key is the weakest link. If it isn't, you're doing it wrong.
@itinsecurity: Security is not a box you buy or an app you write. It's an emergent property, a sum greater than its parts.
@jarocki: "Dear User: Millions of $$ of software won't keep you from clicking that link. Only YOU can prevent link clicking."
@jarocki: When it comes to security controls, Trust But Verify... nah, forget the Trust... just Verify.
@jimmyzatl: If you don't log "accepts" in your FW logs for admin protocols you will have no way of knowing when those accounts are abused.
@jimmyzatl: An encryption algorithm that has to be hidden from the public is by definition a weak algorithm...
@ken5m1th: That successful PCI DSS Report On Compliance will not save you from Zombies.
@kentonsmith: When setting up any new system, Step 1: Change default admin password.
@kill9core: Security through obscurity, or the practice of hiding flaws hoping they won't be found, has proven time and time again not to work.
@mattdoterasmus: Just because your security teams work from 9-5, doesn't mean attackers aren't looking the rest of the time.
@omegadefence: The attitude that "it won't or can't happen to us" because "we're too small/big/have nothing to offer" is dangerous.
@omegadefence: The attitude that "I can't do anything about it so I won't even bother with security or reporting" is also dangerous.
@omegadefence: Analyse your logs in detail; it is those with their heads buried in your logs that hold the key to prevent, detect and recover.
@omegadefence: Give only the permissions required to do the normal daily duties, nothing more. Special logons for special occasions.
@omegadefence: Best: using high-speed trend analysis with custom searches as well as automated reporting AND followup.
@rob_bainbridge: Security teams that work in isolation and without transparency will fail. Collaborate with other risk mgmt - audit, ops risk, etc...
@tccroninv: Those that store passwords in plain-text invite catastrophe.
@tliston: "We can't implement strong passwords/two-factor authentication. Our users aren't capable," says more about your competence than theirs.
@tliston: Developers: Never roll your own encryption, authentication or session management schemes. You're not that smart. Trust me.
@tliston: If you don't have written authorization to perform security-type testing in your organization, don't. You're too pretty for prison.
@tliston: If you're not putting as much thought into your outbound firewall rules as you are for your inbound rules, you're doing it wrong.
@tliston: If you're not supporting a legacy Windows OS, for the love of all that is Holy, turn off LANMAN hashes.
@tliston: If you've never tested restoring from your backups, then you don't have backups - you have a crapload of data and hope.
@tliston: If your internal security posture is based on "our employees wouldn't know how to do that," then you're likely already 0wned.
@tliston: Remember: As an attacker, I exploit misplaced trust. There's nothing mystical or magical about it.
@tliston: Run scans against your network. It's the only way to really know what's out there. I've yet to see a fully accurate network diagram.
@tliston: Sanity check security spending. A $500 lock on a cheap wood door doesn't buy security. It just gives a thief something to laugh at.
@tliston: Security isn't just about preventing compromise. It's about maintaining confidentiality, integrity & availability despite compromise.
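The alerting that @cutaway's tweet above asks for (new accounts, and accounts added to sudo/root-style groups), as an added example that is not part of the original diary entry or the ISC post: it scans Linux auth.log lines whose wording follows the shadow-utils tools, the sample lines are constructed, and the privileged-group set is an assumption to tune per site.

```python
import re
from dataclasses import dataclass

# Groups whose membership changes should raise an alert.
# Assumption: tune this set per site (e.g. add "adm", "docker").
PRIVILEGED_GROUPS = {"sudo", "wheel", "root"}

# Message wording follows shadow-utils (useradd/usermod/gpasswd) syslog output.
NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")
GROUP_ADD_RE = re.compile(
    r"(?:usermod|gpasswd)\[\d+\]: "
    r"(?:add '(?P<u1>[^']+)' to group '(?P<g1>[^']+)'"
    r"|user (?P<u2>\S+) added by \S+ to group (?P<g2>\S+))"
)

@dataclass(frozen=True)
class Alert:
    kind: str   # "new_account" or "privileged_group_add"
    user: str
    group: str  # empty for new_account
    line: str

def scan_auth_log(lines):
    """Return one Alert per new account or privileged-group addition."""
    alerts = []
    for line in lines:
        m = NEW_USER_RE.search(line)
        if m:
            alerts.append(Alert("new_account", m.group("user"), "", line))
            continue
        m = GROUP_ADD_RE.search(line)
        if m:
            user = m.group("u1") or m.group("u2")
            group = m.group("g1") or m.group("g2")
            # The companion "to shadow group" line is deliberately unmatched,
            # so one usermod run yields one alert rather than two.
            if group in PRIVILEGED_GROUPS:
                alerts.append(Alert("privileged_group_add", user, group, line))
    return alerts

# Constructed sample /var/log/auth.log lines (not from any real system).
SAMPLE_AUTH_LOG = """\
Oct  4 10:51:02 web01 sshd[2101]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
Oct  4 10:52:17 web01 useradd[2150]: new user: name=svc-backup, UID=1003, GID=1003, home=/home/svc-backup, shell=/bin/bash
Oct  4 10:52:40 web01 usermod[2161]: add 'svc-backup' to group 'sudo'
Oct  4 10:52:40 web01 usermod[2161]: add 'svc-backup' to shadow group 'sudo'
Oct  4 10:53:05 web01 gpasswd[2170]: user alice added by root to group developers
Oct  4 10:53:30 web01 gpasswd[2175]: user alice added by root to group wheel
""".splitlines()
```

Running `scan_auth_log(SAMPLE_AUTH_LOG)` yields three alerts: the new svc-backup account, its addition to sudo, and alice's addition to wheel; the developers group change is ignored.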

About this Entry

This page contains a single entry by stord005 published on October 4, 2011 10:53 AM.