The Tech Herald

NCSAM: Security in 140 characters or less…

by Steve Ragan - Oct 5 2011, 12:00

Tom Liston, the Senior Security Consultant for InGuardians, Inc, has written a great blog on the SANS ISC diary, focusing on the basics of information security. His tips were sourced from Twitter; hence this story’s title, but they are a perfect fit for National Cyber Security Awareness Month.

Liston’s blog starts out by recounting a recent job. “I had just spent a week immersed in a corporate culture that seemed to have focused itself on so many higher-level security issues that the basics – the ‘Security 101’ stuff – was just plain overlooked,” he wrote.

“The more I thought about it, the more it bothered me.  It wasn't some fancy-schmancy 'leet h@x0r 0-day that let us take down this organization from the inside: it was stupid-simple low-hanging fruit… Think about it: Over the past year, how many high-profile hacks have been the result of awesome cutting edge skillz?  How many have happened because someone just flat-out did something dumb? We truly are neglecting the basics.”

Liston went to Twitter and asked other security professionals to share their wisdom. Some of the highlights are below, the rest can be seen on the SANS post, or on Twitter here.

If you can guess where PHPmyAdmin is installed, then so can attackers.

You are already pwn3d. The question is, "What will you do about it?"

Don't leave default passwords on the administrative interfaces of your 3rd party web applications.

Know your network - and all devices in it - well enough to spot unusual activity.

Security 101: If you don't need it, turn it off.

Computers remember a lot. Even more if you contact security personnel before you reboot.

If your product allows remote connections somebody WILL write a python/perl/ruby script to connect to it and send whatever THEY want.

A backup is not a backup until you do a restore.

Attack vectors and regulatory requirements change. "That's how we've always done it" is a poor and lazy excuse.

In your encryption system, your key is the weakest link. If it isn't, you're doing it wrong.

If you don't log "accepts" in your FW logs for admin protocols you will have no way of knowing when those accounts are abused.

Analyse your logs in detail, it is those with their heads buried in your logs that hold the key to prevent, detect and recover.

Give only the permissions required to do the normal daily duties, nothing more. Special logons for special occasions.

Unencrypted Wi-Fi is never secure. WEP = Unencrypted Wi-Fi. Trust me. Stop using it. Now. Really.

Around the Web

Comment on this Story

comments powered by Disqus

From Autosaur.com

300 Miles From One Gallon And No, That’s Not A Typo

Imagine you’re in a bar and a guy walks up and asks if you’d be interested in buying a car t...

2015 Nissan Pathfinder Prices and Specs

Nissan has announced pricing and specs for the 2015 Nissan Pathfinder. The SUV, which is on ...

Miami ePrix Circuit Revealed

The FIA Formula E Championship has revealed the layout for the Miami ePrix circuit. Formula ...

Two DeLoreans And A Replica Jaguar C Type On Scottish Classic Car Run

The Kirkintilloch & District Classic Vehicle Club’s annual run to Glencoe in Scotland is...

NBA All-Star LeBron James Teams with Kia

NBA All-Star LeBron James has signed a deal with Kia to be the company’s first luxury ambass...