Security 101 : Security Basics in 140 Characters Or Less

Published: 2011-10-03
Last Updated: 2011-10-03 16:00:03 UTC
by Tom Liston (Version: 1)
4 comment(s)

It was one of THOSE gigs: an internal penetration test against a client that, considering the amount of personal information they held on their customers, should have been well prepared.  And yet, we went from "you-can-plug-your-laptop-in-over-there" to "Domain Admin" in... well, let's just say a "shockingly small" number of hours.  And it just went downhill from there...

For me, writing up the resulting report, triggered what I could only describe as a "crisis of faith." While, as a security community, I don't fool myself that we have it all "figured out," I had – up until now – strongly believed that we were making progress.  And yet, I had just spent a week immersed in a corporate culture that seemed to have focused itself on so many higher-level security issues that the basics – the "Security 101" stuff – was just plain overlooked.

The more I thought about it, the more it bothered me.  It wasn't some fancy-schmancy 'leet h@x0r 0-day that let us take down this organization from the inside: it was stupid-simple low-hanging fruit.  I spent a bit of time chatting over Twitter with the ever-insightful Brian Honan (@BrianHonan) and came to the conclusion that the security community may have reached an awkward age at which we're grown up enough to be focusing on the golly-gee/whiz-bang/cool stuff (vis-à-vis the "APTification" of all that passes for security discussion) and, as a result, we're neglecting the basic, "Security 101" stuff that raised the bar in the first place.

Think about it: Over the past year, how many high-profile hacks have been the result of awesome cutting edge skillz?  How many have happened because someone just flat-out did something dumb?  Take a quick gander at back issues of SANS NewsBites and I think you'll be convinced as well: We truly are neglecting the basics.

Since October is "Security Awareness Month," a few weeks back, I sent out a call on Twitter for folks to submit pithy, 140 character-long, chunks of Security 101 wisdom.  Below, I've compiled together the resulting list, along with the Twitter name of the submitter.

If you're feeling a little shaky on your security knowledge, then heeding this advice might just save your behind.  Even if you're confident that you "know it all," a quick review might have you discovering stuff you've inadvertently overlooked.  Either way, I heartily recommend that you read (and heed) this advice.  Also, if something particularly strikes your fancy, you might consider following the author on Twitter... you never know – you might learn even more.

One last "housekeeping" note: I lightly edited these to remove some of the more blatant "Twitterisms" used to stuff big thoughts into limited character lengths.  If anything got messed up, I'll take the blame.

@ChrisJohnRiley If you can guess where PHPmyAdmin is installed, then so can attackers.
@DavidJBianco You are already pwn3d. The question is, "What will you do about it?"
@Keldr1n Don't leave default passwords on the administrative interfaces of your 3rd party web applications.
@Keldr1n Know your network - and all devices in it - well enough to spot unusual activity.
@Keldr1n Users are almost always the weakest link. Make it a priority to educate them. Do most of yours even know what phishing is?
@averagesecguy Security 101: If you don't need it, turn it off.
@bowlesmatt Passphrases are the new passwords. Make a sentence that is long, hard to guess, and easy to remember. ihatepasswordsseewhatididthere?
@bowlesmatt Patch your systems and disable any unused services to reduce attack surface.
@bradshoop Never trust a host you can't trust.
@bradshoop Computers remember a lot. Even more if you contact security personnel before you reboot.
@bradshoop Dedicate personnel to prevention AND detection. Preferably the same personnel in rotation to breed familiarity and contempt.
@connellyuni It's more important to know what you don't know than it is to know what you do know.
@cutaway Try to avoid saying "We are investigating... why equipment that we have a destruction certificate for was... sold online" to the media.
@cutaway Assets using secure authentication are directly and adversely impacted by your assets using plain text authentication.
@cutaway Complacency: 1) Self-satisfaction especially when accompanied by unawareness of actual dangers or deficiencies. 2) You will be hacked.
@cutaway Default SSL Certs for internal management interfaces should be replaced with valid certificates associated with the organization.
@cutaway Don't be afraid of your incident response plan. Conducting investigations will give your team experience and eventually reduce costs.
@cutaway How do you "Find Evil" in your organization? Seriously, go "Find Evil" and report back to me.
@cutaway IT environments are complex systems. They require a System Development Life Cycle to effectively manage AND secure.
@cutaway If your product allows remote connections somebody WILL write a python/perl/ruby script to connect to it and send whatever THEY want.
@cutaway Monitor and alert to new accounts and accounts being added to Domain Administrator, SUDO, or root groups.
@cutaway Product certification does not mean it has been deployed correctly. Review placement, logging, access, input validation, etc...
@cutaway Service accounts should adhere to corporate password policies and be monitored for modifications including lockout.
@eternalsecurity Make sure you're protecting the right thing. A belt AND suspenders doesn't help if you're not wearing pants.
@hal_pomeranz "A backup is not a backup until you do a restore." #sysadminkoan
@hy2jinx Attack vectors and regulatory requirements change. "That's how we've always done it" is a poor and lazy excuse.
@hy2jinx Scanner "infos" can turn up bigger issues than you'd guess. Look at overall results, not just singles.
@hy2jinx Five missing patches across 100 devices does not equal "five vulnerabilities."
@hy2jinx It's cheaper to consult a security professional from conception than mere days before "go live."
@hy2jinx Security professionals should be empowered to point the business towards good decisions and reserve the power of "No" for a last resort.
@itinsecurity In your encryption system, your key is the weakest link. If it isn't, you're doing it wrong.
@itinsecurity Security is not a box you buy or an app you write. It's an emergent property, a sum greater than its parts.
@jarocki "Dear User: Millions of $$ of software won't keep you from clicking that link. Only YOU can prevent link clicking."
@jarocki When it comes to security controls, Trust But Verify... nah, forget the Trust... just Verify.
@jimmyzatl If you don't log "accepts" in your FW logs for admin protocols you will have no way of knowing when those accounts are abused.
@jimmyzatl An encryption algorithm that has to be hid from the public is by definition a weak algorithm...
@ken5m1th That successful PCI DSS Report On Compliance will not save you from Zombies.
@kentonsmith When setting up any new system, Step 1: Change default admin password.
@kill9core Security through obscurity, or the practice of hiding flaws hoping they won't be found, has proven time and time again not to work.
@mattdoterasmus Just because your security teams work from 9-5, doesn't mean attackers aren't looking the rest of the time.
@omegadefence The attitude that "it won't or can't happen to us" because "we're too small/big/have nothing to offer" is dangerous.
@omegadefence The attitude that "I can't do anything about it so I won't even bother with security or reporting" is also dangerous.
@omegadefence Analyse your logs in detail, it is those with their heads buried in your logs that hold the key to prevent, detect and recover.
@omegadefence Give only the permissions required to do the normal daily duties, nothing more. Special logons for special occasions.
@omegadefence Best: using high-speed trend analysis with custom searches as well as automated reporting AND followup.
@rob_bainbridge Security teams that work in isolation and without transparency will fail. Collaborate with other risk mgmt - audit, ops risk, etc...
@tccroninv Those that store passwords in plain-text invite catastrophe.
@tliston "We can't implement strong passwords/two-factor authentication. Our users aren't capable," says more about your competence than theirs.
@tliston Developers: Never roll your own encryption, authentication or session management schemes. You're not that smart. Trust me.
@tliston If you don't have written authorization to perform security-type testing in your organization, don't. You're too pretty for prison.
@tliston If you're not putting as much thought into your outbound firewall rules as you are for your inbound rules, you're doing it wrong.
@tliston If you're not supporting a legacy Windows OS, for the love of all that is Holy, turn off LANMAN hashes.
@tliston If you've never tested restoring from your backups, then you don't have backups - you have a crapload of data and hope.
@tliston If your internal security posture is based on,"our employees wouldn't know how to do that," then you're likely already 0wned.
@tliston Remember: As an attacker, I exploit misplaced trust. There's nothing mystical or magical about it.
@tliston Run scans against your network. It's the only way to really know what's out there. I've yet to see a fully accurate network diagram.
@tliston Sanity check security spending. A $500 lock on a cheap wood door doesn't buy security. It just gives a thief something to laugh at.
@tliston Security isn't just about preventing compromise. It's about maintaining confidentiality, integrity & availability despite compromise.
@tliston Security-through-obscurity doesn't work against anything with intelligence, but there's lots of dumb sh*t out on the 'net.
@tliston Taking nude photos of yourself? Don't store them on an always-connected device with little-to-no security. #forscarlett
@tliston Teach your users not to click on unknown links. DON'T send links to your users in email. More info: http://t.co/bdNTRI3O
@tliston Web developers: Give the exact same answer whether you're given a bogus username or password on logins. EXACT. SAME. ANSWER.
@tliston WebApp Devs: Just because you have a <SELECT> with A, B, C, & D as options doesn't mean you'll only ever get A, B, C, or D back.
@tliston Webhosting Companies: Web servers shouldn't be making many *outbound* connections. TCPDump is your friend.
@tliston Your organization's AUP should explicitly prohibit Copyright abuse. You do HAVE an Acceptable Use Policy, right?
@tliston Centralize your logging - you have no idea how helpful it will be.
@tliston Companies who use the same Windows Local Admin password on large numbers of machines are ripe for picking by malicious insiders
@tliston Developers: Input, even data you think you control, can never be trusted. Consider all input a threat and process accordingly.
@tliston Diligent change management practices have saved more asses than a Beverly Hills plastic surgeon.
@tliston Ensure that user accounts are disabled as part of your termination process. Audit all accounts at least semi-annually for "misses."
@tliston High privilege level accounts should be used only for administrative functions, not for day-to-day activities.
@tliston High privilege level accounts should have kick-ass passwords or two factor authentication. Or both.
@tliston If at all possible, disable password authentication for SSH. SSH is a huge brute force target. Keys are your friend.
@tliston If it plugs into your network, know why. The last thing you ever want to hear an admin say is, "That thing has a web interface?!?"
@tliston Learn how to manipulate text files. Learn how to use sed, cut, wc, and grep as a minimum. Text is your friend.
@tliston Logging authentication failures is NOT enough. Log successes and failures.
@tliston Mr. CxO: Your employees are not a "family." Some are untrustworthy. FYI: Some of the people in your real family are pretty sketchy too.
@tliston Never rely on the fact that you "own" anything: data, a communication path, etc... If you do - I 0wn it, I 0wn you. Trust nothing.
@tliston Nothing is more important to the long-term survivability of your organization than a fully functional backup process.
@tliston Packets to or from RFC-1918 addresses should not be allowed to traverse your border firewall in either direction.
@tliston Passwords are no longer security measures. They are merely speed-bumps. Treat them accordingly.
@tliston Physical access trumps most security measures.
@tliston Remember to always think in terms of "defense in depth." A belt AND suspenders is always better than a belt OR suspenders.
@tliston Shared accounts are never a good idea.
@tliston Telnet, FTP, and any other clear-text protocol developed in simpler, more naive times has no business on a modern network.
@tliston There is no excuse - NONE - not to use full disk encryption on laptops. Data breaches due to lost/stolen laptops are inexcusable.
@tliston Unencrypted WiFi is never secure. WEP = Unencrypted WiFi. Trust me. Stop using it. Now. Really.
@tliston Web Developers: Remove comments from your production website code. They serve NO purpose and can give away too much info.
@vaudajordan Total loss of Sony Breach $171M, I wonder how many salaries, code reviews, software, hardware that could have bought.
@zanis1 Assign only those privileges that are required to do the job.

Also, I want to extend a great big "thank you" to all of the people who submitted these tweets using the #sec101 hash tag.  I tried really hard to grab them all... If I missed anyone, I apologize.

Tom Liston
Senior Security Consultant, InGuardians, Inc.
Handler: SANS ISC

Note: Matt (@0xznb) has kindly made a fortune-mod zip file available here of the #sec101 wisdom.

 

4 comment(s)

Comments

Dynamite wired to the case is a physical security device. Don't use it.
"You'll never get the funding until something bad happens."
Signed up to amplify Alex's comment: "Money follows blood."

The signup validation includes receiving an under-explained click-me link in the email, which seemed ironic. It was expected (and in the event, benevolent) but the irony wouldn't go away.
Maybe it's just me, but doesn't 3 pages of 140 char responses sorta defeat the point of using 140 chars?

Diary Archives