Thursday, July 26, 2012

A Security Nightmare

This is getting bad.  Very bad.  Keeping a company safe from hackers has always been difficult.  However, in recent weeks, things are getting worse.  Consider these three items that I tweeted about in the last couple weeks:
This power strip is not what it seems!
What happens when devices that look like one thing are something else?  What happens when virus start to infect things that have always been safe in the past?  What happens when pretty much anything is hackable?  Even "safe" .pdfs

Security Fails. 

It's not the fault of the users.  The attacks are getting too advanced.  Even experienced, somewhat security-aware admins can fall victim for these things.   I have a 39-character password.  I've been infected. I've had malware. It's a pain!

@DaveAitel, is starting to suggest that its' a waste of employees time to be trained in security awareness. I disagree.  There has to be a balance.  Users are not security experts.  Even if they were, we can't train users about things that don't yet exist.  There has to be a holistic approach.  Train users, but have defense in depth.  Use best practices.

If you can reduce your attack vectors, all the better.  But at a minimum, please secure your environment: 
  • regularly patch and test everything for vulnerabilities.  (How fast can you patch your PCs and servers? Is it hours, days, or weeks?)
  • segment your network  Keep confidential data isolated.
  • encrypt confidential data (hash and salt password!) 
  • no open WIFI access points, no open mail relays, etc.
  • require strong authentication (pass phrases, hard tokens, etc.)  and check for good passwords.  As said by xkcd:
Through 20 years of effort, we've successfully trained everyone to use passwords that are hard to remember but easy for computers to guess

Just remember, there's always unlimited resources to resolve a security problem once CNN learns that your company has been hacked, a USB key is lost, or  laptop full of medical records, financial aid applications, or space station codes 

No comments:

Post a Comment