- Folks will continue to use abc123 as their password. They will then be surprised when they’re completely pwned.
- Folks will continue to not patch their apps and operating systems. They will then be surprised when they’re completely pwned.
- Folks will continue to run apps as administrator or with god-like privileges. They will then be surprised when they’re completely pwned.
- Folks will continue to click shit. They will then be surprised when they’re completely pwned.
- van der Stock’s immutable law of gullibility: Folks will continue to be sucked in by incredibly basic scams. They will then be surprised when they’re completely pwned.
- Folks, despite extensive and continuous evidence to the contrary for over 25 years, will continue to be sucked in by grandiose vendor claims (“buy X now, and you’ll be protected from X…”) in the unfounded belief that technological solutions can fix people problems. They will then be surprised when they’re completely pwned.
- Folks will continue to allow mobile and web apps to transmit their sensitive crap without any form of transport layer encryption. They will then be surprised when they’re completely pwned.
- Folks will turn on a firewall and think they’re safe. They will then be surprised when they’re completely pwned. It’s not 1995 any more. Never was.
- Folks will continue to run old crap, or allow old crap to connect to them. They will then be surprised when they’re completely pwned.
- Folks will continue to think that they will be safe if they just virtualize or cloud enable their crappy apps. They will then be surprised when they’re completely pwned.
If we can’t learn from our most basic of basic mistakes, 2012 will be exactly like 1989 – 2011. And that’s sad.
Because I hate solution free hand waving posts like the above, here are some basic solutions:
- Adopt strong authentication TODAY – passwords have NEVER been appropriate.
- Patch your crap.
- Implement low privilege users and service accounts.
- Don’t click shit.
- Learn about basic phishing and scams.
- Fire folks who post on Twitter or Facebook all day. You know who they are.
- Don’t buy any product marked “Protects against APT”. If you do, fire yourself as you’re an idiot.
- Only use products that use SSL. If you don’t know, assume it doesn’t and find something that does.
- Evaluate your security needs with 2012 in mind – firewalls alone are a few sheep short of a full paddock.
- Upgrade to the latest OS and apps. Not only will your users love you, it’ll be harder to attack you.
- Protect data assets no matter where they are. The plumbing is unimportant.