Monday, May 23, 2011

On the state of IT security - Inhouse and in the cloud

I am sure that most of you who read this somewhat irregular column are by now quite familiar with the recent rash of security breaches (Michaels, Playstation Network (Sony), and RSA to name a few).

What this leaves us all with is the continuing quandary of how to keep these people out.  So I think today that I will address several of the most common vectors and some possible ways of dealing with them. 

  • Brute force attack
    • Technique - These are generally massive and rapid fire attempts, often from multiple apparent sources which pound a service with login attempts.  The goal is quite simply to try every possibility until a working access is obtained.
    • Possible solution - track all login attempts; after 3 retries, reroute further attempts from that source IP to an alternate site which accepts after a random number of rejections and drops the hacker into a honeypot, while notifying security and tracing the source.  Also, increase the minimum amount of time between those first 3 attempts for an IP (say about 5-10 seconds).
  • Break the service
    • Technique - hacker tries to break the service to obtain administrative control.  Buffer overruns are the first choice here.
    • Possible solution - Only one here.  Spend the time and the money to do testing for this.  Make sure your programmers address any conceivable error condition (default handling is fine as long as it is handled).  Better a user gets thrown out than the service be compromised.  Don't rush an installation and don't rush the coders.  Make the coders check their code and then have an independent team confirm it.
  • SQL Injection
    • Technique - override a SQL query sent to the database by commenting out the balance of the query from a web page/form field and inserting your own.
    • Solutions
      • Don't put direct queries in the web form
      • Validate all fields, discarding any inappropriate characters (and start tracking that session), then drop the hacker into the honeypot and begin tracing.
      • Again, testing is imperative.  Also, best practices (Model View Model, etc.) can reduce this.
      • Lastly don't rush the coders.  And test for this vulnerability.
  • Bad Users
    • Techniques
      • Passwords or user ids written down, in docs on unsecured laptops, phones or PDAs
      • Cruising bad websites
      • Clicking on e-mail links from people you don't know or you were not expecting.
      • Poor helpdesk or security desk training.
      • Poor security implementation.
      • Poor management.
      • Use of USB flash drives
      • Permitting non-company computers on the corporate network.
      • Of all of these, poor corporate management is the most flagrant and costly and is implied by all the preceding points.  If upper management doesn't follow appropriate security practices, it's hard to enforce it on the worker bees.
    • Solutions
      • Management must get serious about security.  This means developing and enforcing a corporate policy.   To include:
        • Training for all new employees
        • Retraining once per year (minimum)
        • Requiring managers to be aware of what their employees are doing on their computers (which is why they are called managers)
        • Failure to comply needs to be a mandatory dismissal.
      • To avoid the bad websites, threats from personal e-mails and non-company computers, allow people to bring their laptops from home and provide them with public (non-corporate) network access.  While this may cost the company a couple of hundred dollars per year, it is nothing compared to the cost of a single virus outbreak or hack.
      • While USB drives are incredibly convenient, they are also the biggest new vector for hackers, as they pretty much bypass all security external to the attached computer.  Easiest course is not to use them and block users from using them (easiest way is to disconnect the motherboard USB connectors and then lock the computer case).  However, if you do decide to permit them, then they should be serialized, tracked, audited and erased and returned to the available bin.
  • Outsourcing, public cloud computing/fired employees
    • Technique - Typically, a recently fired employee decides to get revenge by breaking their old employer's systems - and you get caught in the crossfire (Zodiac Island - loss of an entire year's worth of shows).  And/or the hosting company is less than stellar in their retention and backup policies (same case). 
    • Solutions
      • Use in-house or a private cloud solution where your own team can verify that things are running properly.
      • Verify that the hosting company is following through on backups and retention.
      • Test your backup schemes regularly (once a week at least, if practical).  You don't have to check everything every time, but hit everything at least a couple of times a year - frequency to be based on data importance and its frequency of updates.
      • Use more than one hosting entity for backups (e.g. use IBM and Sungard for replication sites).
      • Research your hosting provider, get customer references, and don't use a lowest cost service.  You get what you pay for.
      • When you let someone go, remove and verify removal of their access before letting them leave the building (under escort).  Also make sure that you get back any company owned equipment.
  • Corporate/Nation State/Terrorist hacking
    • Technique - All of the above.  These people have the best hackers that money can buy and lots of bodies to throw at cracking your systems.
    • Solutions
      • Apply all the solutions above.
      • Have your firewalls and services tested regularly (at least once per year or update).
      • Don't take any vendor's word that their product will keep you safe.
      • Employ multiple security solutions that protect you in multiple ways.
      • Spend the money to acquire good IT professionals (as opposed to the cheapest) and enough of them that they aren't sleepwalking through their work day (no more than 50 hours per week, and with an average of no more than 42 hours - tired people miss things and if they do it is your fault not theirs).
      • Consider implementing two- or three-factor authentication for all in-house and agent logins
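The brute-force throttling and the "don't put direct queries in the web form" advice above, as one added example that is not part of the original column: a login handler that looks the user up with a parameterised query (shown beside the string-splicing anti-pattern), enforces the 5-second spacing between a source's attempts, and flags the source IP for the security desk on the third failure. The table, user, constants and the throttle class are all constructed for this example; the SHA-256 stand-in is not a real password hash.

```python
import hashlib, hmac, sqlite3, time
from collections import defaultdict

# Constructed in-memory user table standing in for the site's database.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")

def hash_pw(password):
    # Stand-in for a real password hash (bcrypt/scrypt/PBKDF2); kept short here.
    return hashlib.sha256(password.encode()).hexdigest()
DB.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_pw("correct horse")))

def stored_hash_unsafe(name):
    # The "direct query in the web form" anti-pattern: the field is spliced into
    # the SQL text, so a quote character lets the input rewrite the WHERE clause.
    return DB.execute(f"SELECT pw_hash FROM users WHERE name = '{name}'").fetchone()

def stored_hash(name):
    # Parameterised query: the value travels separately from the SQL text, so
    # the same characters are compared literally and simply match no user.
    return DB.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()

MIN_GAP = 5.0      # seconds a source must wait between attempts (the 5-10 s above)
MAX_FAILURES = 3   # on the third failure stop serving the source and alert security

class LoginThrottle:
    """Per-source-IP tracking: attempt spacing, failure count, and a security flag."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.last_seen = {}                # ip -> time of last attempt we processed
        self.failures = defaultdict(int)   # ip -> consecutive failures
        self.flagged = set()               # ips reported to the security desk

    def attempt(self, ip, name, password):
        now = self.clock()
        if ip in self.flagged:
            return "flagged"               # honeypot/alert path, never the real login
        if now - self.last_seen.get(ip, float("-inf")) < MIN_GAP:
            return "too_fast"              # rejected before the database is touched
        self.last_seen[ip] = now
        row = stored_hash(name)
        if row and hmac.compare_digest(row[0], hash_pw(password)):
            self.failures.pop(ip, None)    # success resets the counter
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_FAILURES:
            self.flagged.add(ip)
            return "flagged"
        return "denied"
```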
This is just what I can think of off the top of my head.  I am sure that there are additional vectors that I have missed.  Before you dismiss this as being too costly and resource intensive, consider what the cost would be if you were hacked and either sued, or lost critical data (e.g. financials, bank accounts, A/R).  If someone in upper management complains, ask them if they would be willing to take financial and possibly criminal responsibility for any lapse.  Then get their response in writing for the inevitable event.
