#SecurityFails

(Originally Appearing in the Manila Times 06SEP2017 - https://goo.gl/Z51obD)

INFORMATION on how to protect yourself from the ruthless cybercriminals and hackers in the cyber world is abundant. How-tos, podcasts, eBooks, audio and video tutorials are everywhere. There is so much information readily available today than at any point in man’s history, all part of the myriad benefits brought forth by the magical Internet. We have enough people and materials telling us what to do so as not to be a victim and yet we still fall short either because of ignorance, stupidity, or sometimes just plain bad luck. Whatever the reason, an alternate but surefire and effective way to develop awareness is to learn both from your own mistakes and the mistakes of others. In this edition, I will be sharing some of the security fails I have come across in my life as an information security professional.As one security professional narrated, “I have walked over a land mine, and this is how I lost my legs”. Nothing like real-life experiences to teach you not to be secured.

Not changing default passwords. 

From high-end network and computing gear to your WiFi router at home, there is always a ‘starter’ password. I have gotten into many wireless routers and consequently free WiFi because people are either too lazy or don’t know how to go about it. To give you an idea and for educational purposes, the default WiFi password of one of our well-known local internet service provider goes about this format: ABCDWIFI12345 (internet provider name +”WIFI”+ the last five digits of your router’s MAC address) – this information and even the default administrator account and password is available via good old Google search. BTW, almost all of the well-known router brands default passwords are there as well.

Ignoring Common Sense. 

In the late 2016 survey by conducted by Freidrick-Alexander University, they found that 76 percent of their respondents claim to be aware of the risks of unknown links and yet still clicked anyway. If it’s too good to be true, then it is probably not. Receiving prizes from contests that you didn’t join, packages or goods that you never ordered, friend of a friend of a friend – these are all warning signs that you shouldn’t ignore. If in doubt, DO NOT. It takes a small amount of effort to verify an email or a service especially today when we have all these advanced communication methods at our fingertips.

Not Updating (Patching). 

Software is made by programmers, i.e. humans and hence by that very nature, prone to mistakes. In this case, programming bugs which, if implications in security occur, becomes a vulnerability. Updating or patching is the method to which corrections can be applied and hence new versions are produced. Unless there is a significant impact on the operation of the application, updating or patching should be mandatory. Un-patched or dated software is the single most frequent and very important reason why hacks and intrusions occur. It should be on the very top of every security mitigation list.

Giving administrator accounts. Software or programs inherit the rights and access level of the user who runs them. If the user has administrative level access, then the program executes with the same level of security. Certain applications legitimately need administrative levels to run and perform their intended action but what if a malicious software (Malware) manages to use the administrative account? You now have a rogue application roaming around with super user privileges. The possibility of compromise becomes wider in scale and deeper in implications.

Disabling logging.Yes, it can eat up storage space and it is much easier to turn off and forget all about it rather than allocate time and effort to maintain it. Besides, with that amount of information, who has the patience to review and go over it? That’s typically what some IT people would say, but make no mistake about it, logs are your best friend where everything else fails. This is the only source of data that can help you shed light on security incidents, who accessed what when, as well as records of device events and incidents. Unless you are continually capturing the packetsof traffic going in and out of your network (which are a hundred times more voluminous and harder to decode), logs are your best source of ‘after the fact’ data for forensic analysis and evidence.

Bragging about your security system.This is a classic mistake usually attributed to individuals or security engineers that have too much ‘air up there’. For whatever purpose, it maybe, whether to assure management or clients, please never ever brag about how secure your systems are, and how much high-tech expensive security hardware and software you have, especially in public or in the press. Hackers would take that head on with a “challenge accepted” thought balloon over their heads. To them, it is an explicit and open invitation short of putting a ‘Hack Me’ sign on your forehead.

Not educating your users. Creating a secure computing environment is not just an IT or security group’s concern, it is everybody’s business. Just as you train your IT and InfoSec personnel, so should you make aware your end-users. A well-informed end user contributes immensely to the success of any information security strategy.Ignoring common sense is one thing but voluntarily choosing to be ignorant is unforgivable.

The 'Security Guy' - http://www.manilatimes.net/the-security-guy/353061/ #digitaldelacruz #rigeltech @manilatimes #letsfaceit