IT Security is not rocket science

Davey Winder

One of the biggest mistakes we make as IT professionals is not admitting the mistakes we make. If that sounds a little too philosophical for this time of the day, let me simplify that: stupid is as stupid does. IT security is not, despite what the Chief Information Security Officer tells you, rocket science. Yet there are some astronomically daft examples of insecurity that seems to persist within every industry.

Here's a brief rundown of just some of them... 

AdWare isn't dangerous
adwareAdWare isn't usually seen as a security threat, it's more usually seen as adverts for stuff you don't want, can't afford and have difficulty removing from your browser. Sometimes though it bridges the divide, such as in the case of the recent Lenovo Superfish debacle.

Lenovo did a deal with an adware outfit to pre-install software that would serve targeted ads to users. Trouble is, Superfish was about as secure as a chocolate padlock. In order to serve up the ads it had to effectively hijack every SSL connection and act as a certification authority, which it did by installing its own certificate so that anything signed by Superfish was seen as secure; which meant everything basically. Sadly the same private key was used for every laptop and this was quickly made public by researchers meaning anyone could issue certificates and sign them to be trusted even if they were for malicious sites.

The moral of this story? Adopt the 'Charmin Ultra Soft' approach to hardware rollout: wipe everything clean of crapware.

Encrypt everything up the wazoo
passwordIncluding encryption as a Stupid Security Threat may seem dumb, but not as dumb as the IT department that doesn't realise that locking the restroom door in the old folk's home is not a cure for incontinence. Encryption is a great way to achieve data-centric security nirvana when done right, but ironically it's also a great way to get your users to blow their brains out when done wrong.

If you make it too hard for everyone who isn't a nerd to get work done, then don't be surprised when they take it as a personal challenge to circumvent your restrictions. Encryption can actually weaken your security posture when implemented badly.

Example? Sure, why not. Implement a policy of using encryption for mobile data which only works on one OS platform and with one proprietary USB thumbdrive and guess what, users will find a way around that. Usually that will be the route of least resistance, which means non-encrypted data on another stick or in the cloud which drives a damn great hole through your stance.

Seriously, even dumb users know how to use Google to find ways around bad security restrictions.

Fifty Shades of WordPress
50shadesStating that WordPress is not insecure is akin in the world of the IT security professional to Obama declaring his undying love for Vladimir Putin; ill advised and rather unlikely. Yet here I am, stating just that. No, not my love for Putin but my insistence that WordPress is secure.

What isn't secure is the userbase, and it's the biggest CMS platform out there remember, and the way these users blindly trust plugins. If Christian Grey were a geek, his fetish of choice would be WordPress plugin use.

Given the size of the userbase it's no surprise that around half of all users don't have any kind of IT manager handling their WordPress site, but it is surprising how many IT managers seem to share that Fifty Shades of Plugin fetish.

C'mon folks, update WordPress regularly and avoid unprotected plugin use; you know it makes sense.

If we build it, they will come (and hack it)
hackingWeb application developers – yes I'm talking to you with the hipster beard and overly-caffeinated facial expressions – are often amongst the stupidest when it comes to security. At least I hope it's stupidity and they are not creating insecure apps for the heck of it.

If you know a beardy code nerd, maybe you could remind him (or her) of a few basics. Users couldn't care less about your code and will input crap into your app which will likely make it crash and open the door to cross site scripting abuse if you don't force some kind of validation into the equation.

Oh, and while you are at it, don't move your development state into production state without first closing down all the stuff that isn't needed by anyone other than you and the cyber-criminal fraternity.

Internet of Things as your nemesis
toiletWhen it comes to security and the Internet of Things (IoT) my attitude can best be summed up as 'so I put on my reinforced brown trousers for this?!'

For starters who really wants an Internet-connected toilet? Mind you, that's only slightly less appealing than being able to control the office lighting from my iPhone when I am NOT IN THE OFFICE. Yet we are told, usually by people with a vested interest in scaring the bejesus out of us in order to facilitate a spending frenzy, the IoT will be 30 billion string by the end of this decade.That's one heck of a lot of restroom data flying back and forth. If you expand the IoT definition to include things like smartwatches then it could be as high as 30 billion and four.

Seriously though, the security risk is minimal from a networked coffee machine or heating thermostat. Theoretically a hacker could modify device firmware to create some kind of backdoor into the network as a platform to launch further attacks from, but then theoretically I can fit into these 32" waist paints...

Nation State hacking hysteria
nationstateSo, apparently the National Security Agency (NSA) has reprogrammed hard disk firmware for the last couple of decades with the ability to harbor its own malware. Now that's scary, in an Orwellian sense, but not so much that I would recommend you change your pants and start distributing tinfoil hats to staff.

I say this not because the problem is solvable with the use of drive controller ARM processors supporting secure boot mode and boot loader/OS kernel digital signatures at some point in the near future. Nope, I say this because there is more chance of me entering a polygamous relationship with Avril Lavigne and Hayley Williams than your organization being targeted.

It's too hardware specific, and as far as most of us are concerned would involve way too much resource expenditure on the part of the attacker for the potential reward.

Stop with the stupid passwords already
password2Just once I'd like to read the latest 'here is a thinly veiled marketing opportunity wrapped up to look like serious research' report from a security vendor revealing the most commonly used passwords that didn't have 123456 and password in the top three. I'd be impressed if people used the more apt 'whatadumbass' or 'cannotthinkforcrap' alternatives, at least they would be more secure.

Not secure, of course, but then we are talking about passwords after all. Here's a thought, why not force your users into using longer passphrases which contain a certain minimum combo of case and character types? Better still, why not join us in the 21st century and implement some form of Two Factor Authentication and layer up that access security a little?

Phish phail
phishingSocial engineering is just a term used to make dumb criminals appear smarter than they are. Unfortunately, they are often way smarter than their victims who appear to have the IQ of a peanut butter sandwich. Before you start screaming don't blame the user, let me run this past you: how difficult is it to not only read, but actually comprehend what is being read?

I'm constantly amazed when I hear of folk falling for the badly written emails purporting to be from PayPal customer support whilst having a Gmail address to reply to, or the missed DHL parcel reminder which comes in the form of an attachment called FedEX Document. Yet those are at the 'understandably successful' end of the idiot scale, as they at least require a smidgeon of lateral thought.

At the 'how do these people dress themselves' end of the spectrum are the folk who really do think that Dr Mumgambo, the former secretary of finance in the Nigerian government, would like to cut them 25% of the $100 million he's trying to smuggle out of the country.

Please educate your users into not believing *everything* they read online, there's a good chap.

Zero days, zero hope
zerodayWe finish with a "Z"… although given the swisscheese-like Flash Player it could have been another "A" for Adobe.

Zero days are those holes in software or systems which have not yet been discovered by the original developer or the security vendors, but the bad guys have found. Well, I say bad guys but the vast majority of zero days these days seem to be found by professional bug bounty hunters who sell the discovery to the good guys to fix before the bad guys can do anything.

They do still manage to squeeze through, like a fat man at the burger shop turnstile, and are the most dangerous of threats as they will have been quietly being exploited in the weeks leading up to that day zero disclosure.

What can you do about them? Not a lot, other than STOP USING THE SOFTWARE STUPID or practise squeezing those butt cheeks together until the security patch is released.