Here are a few articles that caught my attention this week:
Brute force attacks against the password field are exactly what they sound like. An attacker attempts over and over and over again to guess the password of a user's account to gain access. Multiple companies recently have found themselves to be the target of this kind of attack, which is very easy to automate. But there are a few relatively simple defenses to mitigate the risk of this attack becoming successful:

Defense #1: If a user is unable to successfully log in after 3-5 tries, an organization could lock the user out for a specified amount of time or add a slowly increasing time delay between unsuccessful login attempts.

Defense #2: A strong password creation and rotation policy will make brute force attempts at guessing the password field very difficult.

Defense #3: Successful and unsuccessful login attempts should be logged, so keeping an eye on the log files should alert an organization that a brute force attack is occurring.
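Defense #1 and Defense #3 together, as an added illustration that is not from the original post: a small login guard that adds a doubling delay after the third failure, hard-locks the account after ten, records every attempt in an in-memory audit log, and a check over that log that flags accounts with a burst of failures. The thresholds, the account names and the SHA-256 hashing are constructed for the demo; a real deployment would use a slow password hash such as bcrypt or Argon2.

```python
import hashlib
import hmac

MAX_FREE_ATTEMPTS = 3   # failures allowed before delays start (Defense #1)
LOCKOUT_AFTER = 10      # consecutive failures that hard-lock the account
BASE_DELAY_S = 2        # first delay; doubles with each further failure


def hash_password(password: str) -> str:
    """Demo-only hashing; production code should use bcrypt/Argon2."""
    return hashlib.sha256(password.encode()).hexdigest()


class LoginGuard:
    def __init__(self, password_hashes: dict):
        self.hashes = password_hashes          # user -> hash (constructed)
        self.state = {}                        # user -> [failures, next_allowed_at, locked]
        self.log = []                          # audit log: (user, success, reason) (Defense #3)

    def attempt(self, user: str, password: str, now: float):
        st = self.state.setdefault(user, [0, 0.0, False])
        if st[2]:
            self.log.append((user, False, "locked"))
            return False, "locked"
        if now < st[1]:                        # still inside the delay window
            self.log.append((user, False, "throttled"))
            return False, "throttled"
        expected = self.hashes.get(user, "")
        # constant-time compare so timing does not leak which part mismatched
        if expected and hmac.compare_digest(expected, hash_password(password)):
            st[0], st[1] = 0, 0.0              # reset counters on success
            self.log.append((user, True, "ok"))
            return True, "ok"
        st[0] += 1
        if st[0] >= LOCKOUT_AFTER:
            st[2], reason = True, "locked"
        elif st[0] > MAX_FREE_ATTEMPTS:
            st[1] = now + BASE_DELAY_S * 2 ** (st[0] - MAX_FREE_ATTEMPTS - 1)
            reason = "delayed"
        else:
            reason = "bad_password"
        self.log.append((user, False, reason))
        return False, reason


def failure_burst(log, threshold: int = 5):
    """Defense #3: return users with at least `threshold` failed attempts in the log."""
    counts = {}
    for user, success, _ in log:
        if not success:
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```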
Preparing to fight the battles of the past doesn't help us defend against today's attacks on our applications and databases. While less than a quarter of IT security budgets is being spent to defend these core pieces of infrastructure, attackers are focusing almost all of their efforts on these targets. Command injection attacks (such as SQL injection) are cheap to attempt and can be fairly easy to automate. It is unlikely that hardware defenses will stop these attacks, yet organizations are still spending money on them in a misguided attempt at security. Hardware alone cannot defend an application or database because the hardware does not understand the difference between valid and invalid application input. What makes this even more difficult is that the definitions of valid and invalid input change for each application. If an organization has two hundred applications running on its network, that could make for two hundred unique definitions of valid and invalid input. To defend our applications and databases, the security has to be built directly into the application. Here's hoping that IT security budgets will be targeted more accurately sooner rather than later.
BYOD seems like a great idea when organizations focus on employees owning and maintaining their own mobile devices. But, too often, those devices are showing up with malicious software. To reduce the risk of an organization's sensitive data being collected by malicious software on employee devices, a strategy of defense in depth must be applied. Number one on the list for reducing the risk of sensitive data theft is security awareness! We have to do a better job of teaching our staff which activities are dangerous. For example, allowing our kids to download free games onto the same device we use at work is a huge security risk. But it is also easy to teach staff that this is a dangerous behavior, and easy for them to remember.