Here we are three-quarters of the way through 2013 and the information security problems that plague organizations have a theme: same old stuff, different day. The basics of information security are often ignored in day-to-day operations. So even though the tools are more advanced by the month, we are no more secure than we were last year.
Password Balancing Act
Let’s start off with the infamous password, an issue every user faces regardless of experience level. Is eight characters still a good idea? What about nine, 10, or 20 characters? We need to strike a balance between usability and security. See, if you give a user a 20-character password they will write it down on their workstation, or worse yet, put it in a file called ‘passwords.txt’ in their home directory (pentesters love this). With the proliferation of rainbow tables, GPUs used for password cracking, the cloud, and other advances in password cracking, sound password advice for a Windows machine would be to turn off LM hashes and enforce a 15-character or longer password requirement for all administrative accounts. Wait, what’s that? Microsoft only allows the enforcement of 14-character passwords through the domain? SMH. Don’t worry, third-party products exist to enforce passwords that exceed 14 characters.
Security Awareness Training
Next let’s talk about security awareness training. Will it always succeed? Probably not. But security training can help reduce the number of data breaches that are attributable to human error, recently estimated at 35 percent. Having employees trained in security awareness is akin to having a distributed sensor network in the wireless environment. A distributed sensor network is used for the following reasons:
- Sensor nodes are prone to failure
- For better collection of data
- To provide nodes with backup in case of central node failure

Be sure employees know that if something is wrong they should report it – even if something only appears to be wrong, they should report it. A security awareness program operates just like an anti-terrorism operation; it cannot fully function without help and reports from the public. An unaware employee population will fall for phishing attacks, and will never report it or know they are compromised. Awareness training is not the be-all and end-all, but it is a layer of the security onion that must be addressed.
Patch Management
Patch management is still a headache for many organizations. This is not a set-it-and-forget-it technology. Like most security functions, patch management is only as good as the people behind it. Critical vulnerabilities should have a short patch window, with coverage as close to 100% as possible within that timeframe. Let’s also note that enterprise patch management solutions normally do not patch registry keys or config files, so an experienced administrator should be in charge of making sure all web servers are up to date. Enterprise patch management solutions will also not patch or fix servers, appliances, or embedded systems with vulnerabilities or default passwords that have not been changed. Don’t forget the security issues that may be overlooked by automated systems.
Antivirus Solution
Next up is having a working enterprise antivirus (AV) solution that keeps machines up to date with the most current definitions. You do test your AV updates before you deploy them, right? Testing AV updates is extremely important before they are deployed to the employee base. Also, be sure that your AV solution allows administrators and incident response folks to receive alerts in a timely fashion. While on the topic of alerts, we all need to review the security logs daily to check for anomalies. We wouldn’t want back-door accounts set up by an attacker going unnoticed.
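As an added example (not from the original article), here is the kind of daily log check that would catch the back-door accounts mentioned above. It reads a constructed, simplified export of Windows Security log entries (event 4720 = account created, 4732 = member added to a security-enabled local group, 4728 = member added to a global group) and flags accounts created off hours or promoted to a privileged group shortly after creation. The export format, working-hours range and group names are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample export (not real data). Fields, pipe-separated:
# timestamp | EventID | SubjectUserName (actor) | TargetUserName | GroupName
SAMPLE_LOG = """\
2013-09-13 10:02:11|4720|hr.onboard|jsmith|
2013-09-13 10:05:40|4732|it.admin|jsmith|Remote Desktop Users
2013-09-14 02:13:05|4720|svc_backup|helpdesk2|
2013-09-14 02:14:22|4732|svc_backup|helpdesk2|Administrators
2013-09-14 09:30:00|4728|it.admin|jsmith|Domain Admins
"""

ACCOUNT_CREATED = "4720"              # Windows: a user account was created
GROUP_ADD_EVENTS = {"4732", "4728"}   # Windows: member added to local / global group
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}  # assumption for the example
WORK_HOURS = range(7, 19)             # 07:00-18:59 counts as working hours (assumption)


def parse(log_text):
    """Turn the constructed export into a list of event dicts, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, eid, subject, target, group = line.split("|")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": eid, "subject": subject, "target": target, "group": group})
    return events


def find_suspicious_accounts(log_text, window=timedelta(minutes=30)):
    """Return (target_account, reason) pairs that deserve a human's attention."""
    findings = []
    created_at = {}  # target account -> creation time seen in this log
    for ev in parse(log_text):
        if ev["id"] == ACCOUNT_CREATED:
            created_at[ev["target"]] = ev["time"]
            if ev["time"].hour not in WORK_HOURS:
                findings.append((ev["target"], "account created outside working hours"))
        elif ev["id"] in GROUP_ADD_EVENTS and ev["group"] in PRIVILEGED_GROUPS:
            born = created_at.get(ev["target"])
            # A brand-new account landing in a privileged group is the classic back door.
            if born is not None and ev["time"] - born <= window:
                findings.append((ev["target"], f"added to {ev['group']} within {window} of creation"))
    return findings


if __name__ == "__main__":
    for target, reason in find_suspicious_accounts(SAMPLE_LOG):
        print(f"{target}: {reason}")
```

On the sample, jsmith's onboarding during the day and later promotion are left alone, while helpdesk2 is reported twice.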
Policies and Procedures
Lastly, we need to focus on policies and procedures, which are unfortunately lacking across the board. Many organizations view policies and procedures as a checkbox paper drill, which is too bad. These “paper drills” will be invaluable if (or when) you need to respond to an incident. Good policies and procedures eliminate confusion in the aftermath of an otherwise chaotic event. The supporting documents will answer any questions that may come up as a result of an incident, as any crisis management plan should.
Basically, if you have a strong foundation of information security – passwords, security awareness training, patch management, antivirus solution, policies and procedures – then over time, security becomes ingrained into everything within your organization. Information security becomes the norm, rather than the exception.