Back to the Basics – The Road Less Stupid
In any area of your life, you must understand the basics before moving on to advanced areas, but in security we seem to have forgotten that. If someone is struggling with advanced concepts in school, they will have to repeat a more basic class in order to understand the core concepts. Before you can run, you need to learn how to walk. However, almost every day when a new security breach or alert comes, out we are constantly reminded that organizations have not learned the basics of cyber security. A recent example is the announcement that the FBI is telling everyone to reboot their home or small business routers because they could be compromised with malicious code. To be honest with you, my initial reaction was same s_ _ t different day. My second reaction was how many times in cyber security do we have to keep paying the stupid tax and one of these days we will stop taking the road less stupid.
So let’s take a look at the basics, the concepts that while simple are still not followed. Disclaimer: when I give talks on this subject sometimes seasoned security professionals will state that some of the things I say are obvious and have been around for a while and that the idea of back to the basic is stupid. My response to them is a question: Are people following and doing these things? When their answer is no, my response is: I will keep preaching until people listen and cyberspace is a safe place to live, work and raise a family. Honestly, if my advice can help just one person be safe online, I can live with being called stupid. So if this is obvious to you and you are tired of hearing it, this post is not for you. If you are tired of getting compromised and want to make a difference and be safe, keep reading.
BASIC 1: Nothing is Secure by Default
Now I am sure a smart reader can find a few things that are secure by default, but for most of the devices and technology that we use in our daily life, they are not secure by default. The reason is simple. Companies that sell technology, whether it is hardware or software, want to make money. Organizations make money when customers are happy. Organizations lose money when customers are angry and upset. Customers are happy when things work. Customers are sad when things do not work. Therefore, if a device, application, or web site was super locked down with security and nothing worked, people would get frustrated. (On a side note, I hope I can live to see a world in which security is valued and people are happy when functionality is limited because of security, but we are not there yet.) Therefore, vendors that produce technology will often have minimal security enabled by default, so there is no interruption to the user experience. The GOOD NEWS is most products do have security built in, the BAD NEWS is that it is turned off by default.
The solution to this problem is whenever you get a new device or technology, spend 5 minutes determining what security features are available and turn them on. Areas to focus on is limiting access and controlling who can access the technology, including from where.
BASIC 2: Change the #{eb2dd144dc077676a5023eacca2d01ef9c3f02c22330f35001e7063f427f969c}^$&^@#! PASSWORD
Seriously, are we still having a conversation on strong passwords. While there are many technologies that will require you to enter in a strong password, there are many technologies, such as small routers and wireless access points, that come installed with a default password that is the same for every device. It shocks me that we are still seeing devices that have passwords of 12345, abcdef, or password as the default password.
The solution, while quite obvious is worth stating, always change any default password with a unique hard to guess password. There are two easy tricks for doing this. The first trick is to pick a phrase and use the first letter of each word. For example, my password is M1swb@RH@11:05 with the phrase I remember being My 1st son was born at Reston Hospital at 11:05. The second trick while potentially easier is just use the phrase as the password. Make your actual password “My 1st son was born at Reston Hospital at 11:05”. With passwords, people tend to overthink it. Let’s not make it more complicated than it needs to be.
BASIC 3: Remove or Control Access (From the Internet)
Simple rule of thumb to remember, if it is accessible from the Internet, it is hackable. So many devices and underlying technology are pre-configured to be accessible from the Internet, but the access is not needed, used, or required. If someone gets compromised because there was technology they needed, while frustrating, it is a cost of doing business. However, what really frustrates me is when someone gets compromised because of technology they were not using, did not need, and was not even aware that it was running on their system. We need to stop making it easy for the adversary. The question you need to always ask is whether we are doing activities that are offensive friendly, or defensive friendly?
The solution is to either use a firewall or block access from the Internet, if it is not needed. The most common culprit in technology is remote management or remote administrative access. A lot of technology is enabled automatically to allow someone from the Internet to remotely access your equipment. While potentially needed in a business, it is not needed in many cases, so it should be turned off, especially for home or small offices. If you are aware of this access, it is easy to turn off, but awareness is the key to security. Many people have no clue that they are exposed and this is a very dangerous position to be in.
In working with clients and looking at the news over the last several weeks, I felt the need to write this article because day after day and week after week, I see the same weaknesses being exploited and if individuals, organizations and countries just followed these basic principles, the world would be a lot safer and people would be more protected. Join me in making cyberspace a safe place to live work and raise a family. And most important, would love to hear from you on what your “favorite” basic recommendation is….