Security trends for 2012

  1. Folks will continue to use abc123 as their password. They will then be surprised when they’re completely pwned.
  2. Folks will continue to not patch their apps and operating systems. They will then be surprised when they’re completely pwned.
  3. Folks will continue to use apps as administrator or god like privileges. They will then be surprised when they’re completely pwned.
  4. Folks will continue to click shit. They will then be surprised when they’re completely pwned.
  5. van der Stock’s immutable law of gullibility: Folks will continue to be sucked in by incredibly basic scams. They will then be surprised when they’re completely pwned.
  6. Folks despite extensive and continuous evidence to the contrary for over 25 years, will continue to be sucked in by grandiose vendor claims (“buy X now, and you’ll be protected from X…”) in the unfounded belief that technological solutions can fix people problems. They will then be surprised when they’re completely pwned.
  7. Folks will continue to allow mobile and web apps to transmit their sensitive crap without any form transport layer encryption. They will then be surprised when they’re completely pwned.
  8. Folks will turn on a firewall and think they’re safe. They will then be surprised when they’re completely pwned. It’s not 1995 any more. Never was.
  9. Folks will continue to run old crap, or allow old crap to connect to them. They will then be surprised when they’re completely pwned.
  10. Folks will continue to think that they will be safe if they just virtualize or cloud enable their crappy apps. They will then be surprised when they’re completely pwned.
If we can’t learn from our most basic of basic mistakes, 2012 will be exactly like 1989 – 2011. And that’s sad.
Because I hate solution free hand waving posts like the above, here are some basic solutions:
  • Adopt strong authentication TODAY – passwords have NEVER been appropriate.
  • Patch your crap.
  • Implement low privilege users and service accounts.
  • Don’t click shit.
  • Learn about basic phishing and scams.
  • Fire folks who post on Twitter or Facebook all day. You know who they are.
  • Don’t buy any product marked “Protects against APT”. If you do, fire yourself as you’re an idiot.
  • Only use products that use SSL. If you don’t know, assume it doesn’t and find something that does.
  • Evaluate your security needs with 2012 in mind – firewalls alone are a few sheep short of a full paddock.
  • Upgrade to the latest OS and apps. Not only will your users love you, it’ll be harder to attack you.
  • Protect data assets no matter where they are. The plumbing is unimportant.

Comments

5 responses to “Security trends for 2012”

  1. AbiusX Avatar

    Awesome man 😀 Pretty awesome post.

    Looks like getting pwned motivated you to write this post 😀

    Oh and BTW, about 8, folks usually stop their firewalls to allow crap to pass in 😀

  2. vanderaj Avatar

    AFAIK, I’ve not been pwned. I’ve dealt with folks being pwned this year, and that makes me a sad panda.

    I normally write about the security trends for the future year as my last post of the year, and unfortunately, I was proven right again with the mass attack on everyone from Google through BlackOps and w00w00. I was sick of all the other trends blog posts banging on about things that no one cares about except to sell more crap or scare folks, when basic, basic stuff isn’t being fixed, like getting rid of passwords.

    2012 has to be about getting rid of passwords, patching crap, upgrading to Windows 7, Lion or the latest distro, and killing IE 6 / 7 / 8. If we can’t do that this year, it’ll be more of the same.

  3. Susan Ottwell Avatar

    Get rid of passwords? What would you recommend in place of passwords? For example, how would you like to see the login to a CMS management screen handled?

  4. vanderaj Avatar

    In my view this has to be done like weaning the world off cigarettes. We know passwords are truly terrible for us, but they are so embedded in every program, it’s important to understand they are not going away. So, here’s my list:

    a) Get programs to give up authentication and leverage someone else’s hard work. Particularly in enterprises, this should be a no brainer. If you’re yet another forum, honestly, why are you interested in someone’s password? Use Google, OpenID, Twitter, or Facebook. They are all much better at it than you are.
    b) Once you get enough credentials together you have a business case to make it better, like adding in two factor (like Google has done with Gmail and apps)
    c) Prohibit short passwords, where short is < 16 characters. At the same time, get rid of all the unbelieveably stupid password "rules" like changing your password every 30 minutes or requiring the user to write down the password.
    d) Encourage the use of pass phrases by giving "good quality" to only passwords over 25 characters in length that involve the use of the space bar.
    e) Only allow the use of password UX that prevents brute forcing. This is as simple as slowing down folks who try to enter three wrong passwords in a row using an exponential delay from the same IP or session. 3, 9, 27, 81 seconds, at 3^5, brute forcing is just not going to work.
    f) Create a static analysis tool or shame file that reports if an app uses plain text passwords, MD5 in ANY form, or unsalted hashes. Such apps should be prohibited from going live, or shut off if they are currently running. They are simply unsafe at any speed. There should be fines and re-education camps.

    At this point, we have passwords that CANNOT be broken using rainbow tables today or brute forcing ever. This will give us time until we can retire passwords / pass phrases. Do I think passwords / pass phrases will keep me employed in 2035? Yes. Should they be there? No.

  5. reader Avatar

    Here are what I regularly hear from those folks.

    >> Adopt strong authentication TODAY – passwords have NEVER been appropriate.
    We have strong password policy in place that everybody must follow.

    >> Patch your crap.

    We patch our craps regularly. But based on business users that rely on these systems, we have to disable patch. We cannot make the systems down because of these patches.

    >> Implement low privilege users and service accounts.

    As you know, our applications need high level of system user accounts to operate.
    Thus, we cant assign low-privilege user tied to these applications. This is BUSINESS requirement.

    >> Don’t click shit. Learn about basic phishing and scams.

    We have web security gateway in place. No worries!

    —————————————–

    A lot of excuses. No wonder, they’ll be surprised when they’re pwned.

Leave a Reply

Your email address will not be published. Required fields are marked *