A few weeks ago, my son and his family came to visit us from Japan (he is a Captain in the Marine Corps and stationed there). We took a day to go down to the shore and walk along the boardwalk. My son mentioned that he needed cash, so I pointed to an ATM sitting outside of one of the stores. He said “I don’t use ATMs that are on wheels.”
I take this comment as a wakeup call to point out a problem with the current trend to refer to computer break-ins as “sophisticated,” when what they really turn out to be is phishing.
It’s about time that we security professionals start owning up to the fact that the best “shiny tools” out there will not prevent an attacker armed with a valid ID and password from by-passing the fanciest security products.
We need to get the word out to the people that we protect that they really need to think about what they are doing, and that their actions behind the keyboard have real consequences.
Here are some of my two cents thoughts on common sense security:
- Authentication and Authorization are not the same thing
- Just because you think you know who someone is, doesn’t mean that they need to have access to everything on your network
- Multi Factor Authentication is the most important security tool in your box
- Depending on passwords to keep your systems safe just doesn’t work any more
- Depending on firewalls to do all of your security means that you’re going to get hacked
- Thinking that you can stop stupid means that you are going to get hacked
- You can’t stop stupid, but you CAN slow it down
- You can’t lose what you don’t have
- Collecting data, just because you can, will cause you no end to grief when you get hacked (notice I said when and not if)
- Security should match what you’re protecting – one size does not fit all
- Make sure that you understand the business you’re in and build a security program that meets its needs
- Remember that the bad guys are a moving target
- Going to conferences, reading (Security Current is a good place to start), talking to your peers, is essential – if you think you know it all, you will get hacked (you will probably get hacked anyway, but it might take a lot longer *joke*)
- Cheaping out on security may cost more in the end
- I don’t think that spending more is better, but I prefer to hire programmers and build smart systems than just having screen watchers
Doing security properly is hard; it takes a lot of thought and common sense. When you build it, make sure that it has a good foundation, and no wheels.