It was one of THOSE gigs: an internal penetration test against a client that, considering the amount of personal information they held on their customers, should have been well prepared. And yet, we went from you-can-plug-your-laptop-in-over-there to Domain Admin in... well, let's just say a shockingly small number of hours. And it just went downhill from there...
For me, writing up the resulting report, triggered what I could only describe as a crisis of faith. While, as a security community, I don't fool myself that we have it all figured out, I had up until now strongly believed that we were making progress. And yet, I had just spent a week immersed in a corporate culture that seemed to have focused itself on so many higher-level security issues that the basics the Security 101 stuff was just plain overlooked.
The more I thought about it, the more it bothered me. It wasn't some fancy-schmancy 'leet
[email protected] 0-day that let us take down this organization from the inside: it was stupid-simple low-hanging fruit. I spent a bit of time chatting over Twitter with the ever-insightful Brian Honan (@BrianHonan) and came to the conclusion that the security community may have reached an awkward age at which we're grown up enough to be focusing on the golly-gee/whiz-bang/cool stuff (vis--vis the APTification of all that passes for security discussion) and, as a result, we're neglecting the basic, Security 101 stuff that raised the bar in the first place.
Think about it: Over the past year, how many high-profile hacks have been the result of awesome cutting edge skillz? How many have happened because someone just flat-out did something dumb? Take a quick gander at back issues of SANS NewsBites and I think you'll be convinced as well: We truly are neglecting the basics.
Since October is Security Awareness Month, a few weeks back, I sent out a call on Twitter for folks to submit pithy, 140 character-long, chunks of Security 101 wisdom. Below, I've compiled together the resulting list, along with the Twitter name of the submitter.
If you're feeling a little shaky on your security knowledge, then heeding this advice might just save your behind. Even if you're confident that you know it all, a quick review might have you discovering stuff you've inadvertently overlooked. Either way, I heartily recommend that you read (and heed) this advice. Also, if something particularly strikes your fancy, you might consider following the author on Twitter... you never know you might learn even more.
One last housekeeping note: I lightly edited these to remove some of the more blatant Twitterisms used to stuff big thoughts into limited character lengths. If anything got messed up, I'll take the blame.
@ChrisJohnRiley
If you can guess where PHPmyAdmin is installed, then so can attackers.
@DavidJBianco
You are already pwn3d. The question is, What will you do about it?
@Keldr1n
Don't leave default passwords on the administrative interfaces of your 3rd party web applications.
@Keldr1n
Know your network - and all devices in it - well enough to spot unusual activity.
@Keldr1n
Users are almost always the weakest link. Make it a priority to educate them. Do most of yours even know what phishing is?
@averagesecguy
Security 101: If you don't need it, turn it off.
@bowlesmatt
Passphrases are the new passwords. Make a sentence that is long, hard to guess, and easy to remember. ihatepasswordsseewhatididthere?
@bowlesmatt
Patch your systems and disable any unused services to reduce attack surface.
@bradshoop
Never trust a host you can't trust.
@bradshoop
Computers remember a lot. Even more if you contact security personnel before you reboot.
@bradshoop
Dedicate personnel to prevention AND detection. Preferably the same personnel in rotation to breed familiarity and contempt.
@connellyuni
It's more important to know what you don't know than it is to know what you do know.
@cutaway
Try to avoid saying We are investigating... why equipment that we have a destruction certificate for was... sold online to the media.
@cutaway
Assets using secure authentication are directly and adversely impacted by your assets using plain text authentication.
@cutaway
Complacency: 1) Self-satisfaction especially when accompanied by unawareness of actual dangers or deficiencies. 2) You will be hacked.
@cutaway
Default SSL Certs for internal management interfaces should be replaced with valid certificates associated with the organization.
@cutaway
Don't be afraid of your incident response plan. Conducting investigations will give your team experience and eventually reduce costs.
@cutaway
How do you Find Evil in your organization? Seriously, go Find Evil and report back to me.
@cutaway
IT environments are complex systems. They require a System Development Life Cycle to effectively manage AND secure.
@cutaway
If your product allows remote connections somebody WILL write a python/perl/ruby script to connect to it and send whatever THEY want.
@cutaway
Monitor and alert to new accounts and accounts being added to Domain Administrator, SUDO, or root groups.
@cutaway
Product certification does not mean it has been deployed correctly. Review placement, logging, access, input validation, etc...
@cutaway
Service accounts should adhere to corporate password policies and be monitored for modifications including lockout.
@eternalsecurity
Make sure you're protecting the right thing. A belt AND suspenders doesn't help if you're not wearing pants.
@hal_pomeranz
A backup is not a backup until you do a restore. #sysadminkoan
@hy2jinx
Attack vectors and regulatory requirements change. That's how we've always done it is a poor and lazy excuse.
@hy2jinx
Scanner infos can turn up bigger issues than you'd guess. Look at overall results, not just singles.
@hy2jinx
Five missing patches across 100 devices does not equal five vulnerabilities.
@hy2jinx
It's cheaper to consult a security professional from conception than mere days before go live.
@hy2jinx
Security professionals should be empowered to point the business towards good decisions and reserve the power of No for a last resort.
@itinsecurity
In your encryption system, your key is the weakest link. If it isn't, you're doing it wrong.
@itinsecurity
Security is not a box you buy or an app you write. It's an emergent property, a sum greater than its parts.
@jarocki
Dear User: Millions of $$ of software won't keep you from clicking that link. Only YOU can prevent link clicking.
@jarocki
When it comes to security controls, Trust But Verify... nah, forget the Trust... just Verify.
@jimmyzatl
If you don't log accepts in your FW logs for admin protocols you will have no way of knowing when those accounts are abused.
@jimmyzatl
An encryption algorithm that has to be hid from the public is by definition a weak algorithm...
@ken5m1th
That successful PCI DSS Report On Compliance will not save you from Zombies.
@kentonsmith
When setting up any new system, Step 1: Change default admin password.
@kill9core
Security through obscurity, or the practice of hiding flaws hoping they won't be found, has proven time and time again not to work.
@mattdoterasmus
Just because your security teams work from 9-5, doesn't mean attackers aren't looking the rest of the time.
@omegadefence
The attitude that it won't or can't happen to us because we're too small/big/have nothing to offer is dangerous.
@omegadefence
The attitude that I can't do anything about it so I won't even bother with security or reporting is also dangerous.
@omegadefence
Analyse your logs in detail, it is those with their heads buried in your logs that hold the key to prevent, detect and recover.
@omegadefence
Give only the permissions required to do the normal daily duties, nothing more. Special logons for special occasions.
@omegadefence
Best: using high-speed trend analysis with custom searches as well as automated reporting AND followup.
@rob_bainbridge
Security teams that work in isolation and without transparency will fail. Collaborate with other risk mgmt - audit, ops risk, etc...
@tccroninv
Those that store passwords in plain-text invite catastrophe.
@tliston
We can't implement strong passwords/two-factor authentication. Our users aren't capable, says more about your competence than theirs.
@tliston
Developers: Never roll your own encryption, authentication or session management schemes. You're not that smart. Trust me.
@tliston
If you don't have written authorization to perform security-type testing in your organization, don't. You're too pretty for prison.
@tliston
If you're not putting as much thought into your outbound firewall rules as you are for your inbound rules, you're doing it wrong.
@tliston
If you're not supporting a legacy Windows OS, for the love of all that is Holy, turn off LANMAN hashes.
@tliston
If you've never tested restoring from your backups, then you don't have backups - you have a crapload of data and hope.
@tliston
If your internal security posture is based on,our employees wouldn't know how to do that, then you're likely already 0wned.
@tliston
Remember: As an attacker, I exploit misplaced trust. There's nothing mystical or magical about it.
@tliston
Run scans against your network. It's the only way to really know what's out there. I've yet to see a fully accurate network diagram.
@tliston
Sanity check security spending. A $500 lock on a cheap wood door doesn't buy security. It just gives a thief something to laugh at.
@tliston
Security isn't just about preventing compromise. It's about maintaining confidentiality, integrity availability despite compromise.
@tliston
Security-through-obscurity doesn't work against anything with intelligence, but there's lots of dumb sh*t out on the 'net.
@tliston
Taking nude photos of yourself? Don't store them on an always-connected device with little-to-no security. #forscarlett
@tliston
Teach your users not to click on unknown links. DON'T send links to your users in email. More info: http://t.co/bdNTRI3O
@tliston
Web developers: Give the exact same answer whether you're given a bogus username or password on logins. EXACT. SAME. ANSWER.
@tliston
WebApp Devs: Just because you have a SELECT with A, B, C, D as options doesn't mean you'll only ever get A, B, C, or D back.
@tliston
Webhosting Companies: Web servers shouldn't be making many *outbound* connections. TCPDump is your friend.
@tliston
Your organization's AUP should explicitly prohibit Copyright abuse. You do HAVE an Acceptable Use Policy, right?
@tliston
Centralize your logging - you have no idea how helpful it will be.
@tliston
Companies who use the same Windows Local Admin password on large numbers of machines are ripe for picking by malicious insiders
@tliston
Developers: Input, even data you think you control, can never be trusted. Consider all input a threat and process accordingly.
@tliston
Diligent change management practices have saved more asses than a Beverly Hills plastic surgeon.
@tliston
Ensure that user accounts are disabled as part of your termination process. Audit all accounts at least semi-annually for misses.
@tliston
High privilege level accounts should be used only for administrative functions, not for day-to-day activities.
@tliston
High privilege level accounts should have kick-ass passwords or two factor authentication. Or both.
@tliston
If at all possible, disable password authentication for SSH. SSH is a huge brute force target. Keys are your friend.
@tliston
If it plugs into your network, know why. The last thing you ever want to hear an admin say is, That thing has a web interface?!?
@tliston
Learn how to manipulate text files. Learn how to use sed, cut, wc, and grep as a minimum. Text is your friend.
@tliston
Logging authentication failures is NOT enough. Log successes and failures.
@tliston
Mr. CxO: Your employees are not a family. Some are untrustworthy. FYI: Some of the people in your real family are pretty sketchy too.
@tliston
Never rely on the fact that you own anything: data, a communication path, etc... If you do - I 0wn it, I 0wn you. Trust nothing.
@tliston
Nothing is more important to the long-term survivability of your organization than a fully functional backup process.
@tliston
Packets to or from RFC-1918 addresses should not be allowed to traverse your border firewall in either direction.
@tliston
Passwords are no longer security measures. They are merely speed-bumps. Treat them accordingly.
@tliston
Physical access trumps most security measures.
@tliston
Remember to always think in terms of defense in depth. A belt AND suspenders is always better than a belt OR suspenders.
@tliston
Shared accounts are never a good idea.
@tliston
Telnet, FTP, and any other clear-text protocol developed in simpler, more naive times has no business on a modern network.
@tliston
There is no excuse - NONE - not to use full disk encryption on laptops. Data breaches due to lost/stolen laptops are inexcusable.
@tliston
Unencrypted WiFi is never secure. WEP = Unencrypted WiFi. Trust me. Stop using it. Now. Really.
@tliston
Web Developers: Remove comments from your production website code. They serve NO purpose and can give away too much info.
@vaudajordan
Total loss of Sony Breach $171M, I wonder how many salaries, code reviews, software, hardware that could have bought.
@zanis1
Assign only those privileges that are required to do the job.
Also, I want to extend a great big thank you to all of the people who submitted these tweets using the #sec101 hash tag. I tried really hard to grab them all... If I missed anyone, I apologize.
Tom Liston
Senior Security Consultant, InGuardians, Inc.
Handler: SANS ISC
Note: Matt (@0xznb) has kindly made a fortune-mod zip file available here of the #sec101 wisdom.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.