Taken from ISC Diary entry - "Security 101: Security basics in 140 characters or [fewer]
| @ChrisJohnRiley | If you can guess where PHPmyAdmin is installed, then so can attackers. |
| @DavidJBianco | You are already pwn3d. The question is, "What will you do about it?" |
| @Keldr1n | Don't leave default passwords on the administrative interfaces of your 3rd party web applications. |
| @Keldr1n | Know your network - and all devices in it - well enough to spot unusual activity. |
| @Keldr1n | Users are almost always the weakest link. Make it a priority to educate them. Do most of yours even know what phishing is? |
| @averagesecguy | Security 101: If you don't need it, turn it off. |
| @bowlesmatt | Passphrases are the new passwords. Make a sentence that is long, hard to guess, and easy to remember. ihatepasswordsseewhatididthere? |
| @bowlesmatt | Patch your systems and disable any unused services to reduce attack surface. |
| @bradshoop | Never trust a host you can't trust. |
| @bradshoop | Computers remember a lot. Even more if you contact security personnel before you reboot. |
| @bradshoop | Dedicate personnel to prevention AND detection. Preferably the same personnel in rotation to breed familiarity and contempt. |
| @connellyuni | It's more important to know what you don't know than it is to know what you do know. |
| @cutaway | Try to avoid saying "We are investigating... why equipment that we have a destruction certificate for was... sold online" to the media. |
| @cutaway | Assets using secure authentication are directly and adversely impacted by your assets using plain text authentication. |
| @cutaway | Complacency: 1) Self-satisfaction especially when accompanied by unawareness of actual dangers or deficiencies. 2) You will be hacked. |
| @cutaway | Default SSL Certs for internal management interfaces should be replaced with valid certificates associated with the organization. |
| @cutaway | Don't be afraid of your incident response plan. Conducting investigations will give your team experience and eventually reduce costs. |
| @cutaway | How do you "Find Evil" in your organization? Seriously, go "Find Evil" and report back to me. |
| @cutaway | IT environments are complex systems. They require a System Development Life Cycle to effectively manage AND secure. |
| @cutaway | If your product allows remote connections somebody WILL write a python/perl/ruby script to connect to it and send whatever THEY want. |
| @cutaway | Monitor and alert to new accounts and accounts being added to Domain Administrator, SUDO, or root groups. |
| @cutaway | Product certification does not mean it has been deployed correctly. Review placement, logging, access, input validation, etc... |
| @cutaway | Service accounts should adhere to corporate password policies and be monitored for modifications including lockout. |
| @eternalsecurity | Make sure you're protecting the right thing. A belt AND suspenders doesn't help if you're not wearing pants. |
| @hal_pomeranz | "A backup is not a backup until you do a restore." #sysadminkoan |
| @hy2jinx | Attack vectors and regulatory requirements change. "That's how we've always done it" is a poor and lazy excuse. |
| @hy2jinx | Scanner "infos" can turn up bigger issues than you'd guess. Look at overall results, not just singles. |
| @hy2jinx | Five missing patches across 100 devices does not equal "five vulnerabilities." |
| @hy2jinx | It's cheaper to consult a security professional from conception than mere days before "go live." |
| @hy2jinx | Security professionals should be empowered to point the business towards good decisions and reserve the power of "No" for a last resort. |
| @itinsecurity | In your encryption system, your key is the weakest link. If it isn't, you're doing it wrong. |
| @itinsecurity | Security is not a box you buy or an app you write. It's an emergent property, a sum greater than its parts. |
| @jarocki | "Dear User: Millions of $$ of software won't keep you from clicking that link. Only YOU can prevent link clicking." |
| @jarocki | When it comes to security controls, Trust But Verify... nah, forget the Trust... just Verify. |
| @jimmyzatl | If you don't log "accepts" in your FW logs for admin protocols you will have no way of knowing when those accounts are abused. |
| @jimmyzatl | An encryption algorithm that has to be hid from the public is by definition a weak algorithm... |
| @ken5m1th | That successful PCI DSS Report On Compliance will not save you from Zombies. |
| @kentonsmith | When setting up any new system, Step 1: Change default admin password. |
| @kill9core | Security through obscurity, or the practice of hiding flaws hoping they won't be found, has proven time and time again not to work. |
| @mattdoterasmus | Just because your security teams work from 9-5, doesn't mean attackers aren't looking the rest of the time. |
| @omegadefence | The attitude that "it won't or can't happen to us" because "we're too small/big/have nothing to offer" is dangerous. |
| @omegadefence | The attitude that "I can't do anything about it so I won't even bother with security or reporting" is also dangerous. |
| @omegadefence | Analyse your logs in detail, it is those with their heads buried in your logs that hold the key to prevent, detect and recover. |
| @omegadefence | Give only the permissions required to do the normal daily duties, nothing more. Special logons for special occasions. |
| @omegadefence | Best: using high-speed trend analysis with custom searches as well as automated reporting AND followup. |
| @rob_bainbridge | Security teams that work in isolation and without transparency will fail. Collaborate with other risk mgmt - audit, ops risk, etc... |
| @tccroninv | Those that store passwords in plain-text invite catastrophe. |
| @tliston | "We can't implement strong passwords/two-factor authentication. Our users aren't capable," says more about your competence than theirs. |
| @tliston | Developers: Never roll your own encryption, authentication or session management schemes. You're not that smart. Trust me. |
| @tliston | If you don't have written authorization to perform security-type testing in your organization, don't. You're too pretty for prison. |
| @tliston | If you're not putting as much thought into your outbound firewall rules as you are for your inbound rules, you're doing it wrong. |
| @tliston | If you're not supporting a legacy Windows OS, for the love of all that is Holy, turn off LANMAN hashes. |
| @tliston | If you've never tested restoring from your backups, then you don't have backups - you have a crapload of data and hope. |
| @tliston | If your internal security posture is based on,"our employees wouldn't know how to do that," then you're likely already 0wned. |
| @tliston | Remember: As an attacker, I exploit misplaced trust. There's nothing mystical or magical about it. |
| @tliston | Run scans against your network. It's the only way to really know what's out there. I've yet to see a fully accurate network diagram. |
| @tliston | Sanity check security spending. A $500 lock on a cheap wood door doesn't buy security. It just gives a thief something to laugh at. |
| @tliston | Security isn't just about preventing compromise. It's about maintaining confidentiality, integrity & availability despite compromise. |
| @tliston | Security-through-obscurity doesn't work against anything with intelligence, but there's lots of dumb sh*t out on the 'net. |
| @tliston | Taking nude photos of yourself? Don't store them on an always-connected device with little-to-no security. #forscarlett |
| @tliston | Teach your users not to click on unknown links. DON'T send links to your users in email. More info: http://t.co/bdNTRI3O |
| @tliston | Web developers: Give the exact same answer whether you're given a bogus username or password on logins. EXACT. SAME. ANSWER. |
| @tliston | WebApp Devs: Just because you have a <SELECT> with A, B, C, & D as options doesn't mean you'll only ever get A, B, C, or D back. |
| @tliston | Webhosting Companies: Web servers shouldn't be making many *outbound* connections. TCPDump is your friend. |
| @tliston | Your organization's AUP should explicitly prohibit Copyright abuse. You do HAVE an Acceptable Use Policy, right? |
| @tliston | Centralize your logging - you have no idea how helpful it will be. |
| @tliston | Companies who use the same Windows Local Admin password on large numbers of machines are ripe for picking by malicious insiders |
| @tliston | Developers: Input, even data you think you control, can never be trusted. Consider all input a threat and process accordingly. |
| @tliston | Diligent change management practices have saved more asses than a Beverly Hills plastic surgeon. |
| @tliston | Ensure that user accounts are disabled as part of your termination process. Audit all accounts at least semi-annually for "misses." |
| @tliston | High privilege level accounts should be used only for administrative functions, not for day-to-day activities. |
| @tliston | High privilege level accounts should have kick-ass passwords or two factor authentication. Or both. |
| @tliston | If at all possible, disable password authentication for SSH. SSH is a huge brute force target. Keys are your friend. |
| @tliston | If it plugs into your network, know why. The last thing you ever want to hear an admin say is, "That thing has a web interface?!?" |
| @tliston | Learn how to manipulate text files. Learn how to use sed, cut, wc, and grep as a minimum. Text is your friend. |
| @tliston | Logging authentication failures is NOT enough. Log successes and failures. |
| @tliston | Mr. CxO: Your employees are not a "family." Some are untrustworthy. FYI: Some of the people in your real family are pretty sketchy too. |
| @tliston | Never rely on the fact that you "own" anything: data, a communication path, etc... If you do - I 0wn it, I 0wn you. Trust nothing. |
| @tliston | Nothing is more important to the long-term survivability of your organization than a fully functional backup process. |
| @tliston | Packets to or from RFC-1918 addresses should not be allowed to traverse your border firewall in either direction. |
| @tliston | Passwords are no longer security measures. They are merely speed-bumps. Treat them accordingly. |
| @tliston | Physical access trumps most security measures. |
| @tliston | Remember to always think in terms of "defense in depth." A belt AND suspenders is always better than a belt OR suspenders. |
| @tliston | Shared accounts are never a good idea. |
| @tliston | Telnet, FTP, and any other clear-text protocol developed in simpler, more naive times has no business on a modern network. |
| @tliston | There is no excuse - NONE - not to use full disk encryption on laptops. Data breaches due to lost/stolen laptops are inexcusable. |
| @tliston | Unencrypted WiFi is never secure. WEP = Unencrypted WiFi. Trust me. Stop using it. Now. Really. |
| @tliston | Web Developers: Remove comments from your production website code. They serve NO purpose and can give away too much info. |
| @vaudajordan | Total loss of Sony Breach $171M, I wonder how many salaries, code reviews, software, hardware that could have bought. |
| @zanis1 | Assign only those privileges that are required to do the job. |
Leave a comment