Not being a security expert nor in a specialized security role, I was curious what the latest buzz was on security and learned a few things. It was a great session.
Back To Basics
More and more companies are becoming services based, including mine. We have outsourced everything and we have no more worker bees. We have only managers and above on staff, spending our days managing suppliers and buying new tools to pass off to those suppliers. It seems we are not the minority. Everyone is buying tools to do things for them, including tools to protect their network. Hackers have gotten smarter by going back to basics. They don't have to spend days trying to get around our shiny new tool, they can simply outsmart us the old fashioned way.
This is how it goes down:
Hacker: Clones a reputable site and emails you a link to it.
User: Don't say you won't click on it, because you did. It infects your computer.
Hacker: Now has access to your computer and realizes you are not an admin. He then calls you, "This is Marco from the service desk. You just clicked on a malicious link and we believe your computer may be infected. I will be logging into your computer to check a few things."
User: Apologizes profusely and says no problem.
Hacker: Calls your service desk. "Hi, this is < insert your name >
Then the service desk logs into your machine, giving the hacker the admin login that he needs.
Be careful. Know who you are talking to.
Know Your Data
If you are like me, you are not working in the White House or a bank, etc. We don't have that many applications that people would want to access for any gain. So why would I put extensive effort into security? The main take away is that you can't boil the ocean. You can't protect everything, so stop trying to. Know what needs protected and protect it well.
Cloud Security
The worst assumption you can make is that your data is safer in the cloud. It may be more difficult for hackers to access, but look at what they have to gain. They will gladly do more work to hack into multiple companies vs. one. Read the SLA's, which most likely state they cannot guarantee your data will be available or that your data will be safe.
What You Can Do
1. David talked highly of Cisco ScanSafe, saying that you can prevent 80% of threats by blocking external ports and using ScanSafe.
2. Define classifications for your data (A,B,C) - "A" being your most sensitive data, etc. Then apply those classifications to your applications/databases. That will give you a basis on what needs to be protected more agressively.
3. Don't encrypt everything and then create a table named "Encryption Keys". That's the kind of thing an idiot would do with his luggage.
4. Don't assume that your 3rd party does a better job at protecting your data than you did. Ask them how they are protecting it. Ask them for regular breach/virus reports.
5. Be careful of what you store in the cloud. If you don't have a policy on cloud storage, write one and make everyone aware of it.
Let's see what we've learned here. Don't talk to Marco. Check up on your suppliers. Don't try to boil the ocean. Don't save your social security number in the cloud. Rename your table for gods sake.
If you would like to learn more about David Kennedy, check out his site.
cheers,
-a
