True, while the group LulzSec may be disbanded and its members have either disappeared or been arrested (or arrested even more so), Anonymous is still here and the ideals that Anonymous portrays will probably live on for quite some time. It almost seems like we are back in the early 1990s: website defacements, denial-of-service attacks and SQL injections being produced on a massive scale. It’s clear that Anonymous has a following, and as long as they do they will have those who either act on their behalf or think they are acting on their behalf.
So how does an organization protect itself from the likes of both seasoned hackers and skiddies (script kiddies)? Well, no one can guarantee 100% security, but there are numerous measures you can take right now, today, that at a minimum will make it extremely difficult for some hackers and impossible for others. I realize a lot of these may *seem* like common sense, but again and again I see people failing to implement or do these initial steps.
Rule #1: Patch All Systems
If you don’t have any type of patch management program or procedures active at your place of employment, nothing else may matter. It’s been said that 95% of successful attacks could have been stopped if the compromised system(s) had current and up-to-date security patches. I can’t begin to stress enough how important patching your servers and desktops really is. Most malware makes use of known vulnerabilities that are typically already patched by the software vendor. For you home users: turn on Automatic Updates in newer versions of Windows. Business users: develop a patch management schedule, review security patches, test, and then stick to the schedule. If patches or reboots cause a problem for a few end-users (whether business critical or not), remember that your problems could be much worse if you end up spending time and money figuring out how your systems got compromised in the first place.
Rule #2: Secure Databases
Database hacking is reminiscent of the early 1990s. Beware: it’s become popular again. Make sure your MySQL and MSSQL database applications properly scrub user input, and don’t build “WHERE” clauses from user input in your app or web app. Use of stored procedures (or parameterized queries) is usually a better choice.
Secondly, enforce database encryption for tables that may contain PHI, names, addresses, phone numbers, credit card numbers, bank account information, social security numbers or anything else that you would consider “private”. A simple SQL injection that reveals this information and a dump of the database is all an attacker needs to get their hands on your data. Encrypting this data will add that extra level of complexity for one attacker while thwarting the efforts of other attackers completely.
Lastly, protect the password hashes in your SQL databases. In the case of MSSQL, definitely protect the password hash of the SA account. While you’re at it, if possible, use a completely different database administrator account while limiting access to SA. Limit access to the Windows servers that are hosting MSSQL so that dumping of the hashes is possible only from Administrator and Domain Administrator accounts.
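To make the two code-level points of this rule concrete (no “WHERE” clauses built from user input, and password hashes that are worth protecting), here is an added example that is not from this post. It uses an in-memory SQLite database with constructed sample users; the same parameterized-query idea applies to MySQL and MSSQL, only the placeholder syntax differs by driver. It shows the string-built query the post warns against next to its parameterized form, and stores salted PBKDF2 password hashes rather than passwords.

```python
import hashlib
import hmac
import os
import sqlite3

# Added example, not the post's code. The database, table and users below are
# constructed for illustration only.


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256. Store the salt and digest, never the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def make_db():
    """Create a throwaway in-memory database holding two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    for name, password in (("alice", "correct horse"), ("bob", "hunter2")):
        salt, digest = hash_password(password)
        # Inserts are parameterized too; the values are bound as data.
        conn.execute(
            "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
            (name, salt, digest),
        )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """The pattern the post warns against: a WHERE clause built from user input.

    Whatever the caller supplies becomes part of the SQL text itself.
    """
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Parameterized: the input is bound as a value and cannot alter the query."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def verify_password(conn, username, password):
    """Recompute the salted hash and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])


if __name__ == "__main__":
    db = make_db()
    print("safe lookup:  ", find_user_safe(db, "alice"))
    print("verify alice: ", verify_password(db, "alice", "correct horse"))
```

Run it and compare the two lookup functions on an input containing a single quote: the string-built query's meaning changes with the input, while the parameterized one always treats the input as a username to match. The stored hashes are still worth guarding (hence the rest of this rule), but a leaked table of salted PBKDF2 digests is a far smaller loss than a leaked table of passwords.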
Rule #3: Implement Host-Level Protective Measures
Consider using host protective measures such as:
- Desktop firewalls
- Anti-virus & anti-malware software (This is a no-brainer. Also consider running deep scans on servers at LEAST once a week, not just a quick scan daily)
- File-Integrity Scanners (such as Tripwire to look for changes to important system or OS files that you may not have authorized)
- Backups (Whether you are a home or business user, backups of data should be kept – tape, thumb drive, NAS, SAN, external USB hard drive – doesn’t matter, but backup your data SOMEWHERE)
- Turn off unneeded server services – See here.
- Home users – not every user account you create needs to be a Local Administrator on your home computer. Creating a user account with limited access and not giving your kids or teenagers the Administrator password is HIGHLY recommended. A lot of nasty stuff on the Internet can be prevented by following the rule of “least privilege”.
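The file-integrity item above is the one measure in this list that is easy to show in code, so here is an added example (not from this post and not Tripwire itself) of the basic idea behind such a scanner: record a SHA-256 baseline of every file under a directory, then later report what was added, removed or modified. The directory layout and file contents in the demo are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Added example, not the post's code and not a real Tripwire configuration.


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        # Skip symlinks so a link pointed elsewhere is not hashed as the file.
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline. Keep this file (or at least its hash) off the
    monitored host, e.g. on read-only media, so an intruder who alters a
    system file cannot simply rewrite the baseline to match."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def check_integrity(root, baseline):
    """Compare the current tree against a baseline and return the differences."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            f for f in current if f in baseline and current[f] != baseline[f]
        ),
    }


def demo():
    """Build a constructed mini filesystem, baseline it, tamper, and re-check.

    Returns (baseline file list, clean report, report after tampering).
    """
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    (root / "etc").mkdir()
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    (root / "bin").mkdir()
    (root / "bin" / "ls").write_bytes(b"\x7fELF constructed sample binary")

    baseline = build_baseline(root)
    clean = check_integrity(root, baseline)

    # Constructed changes an operator would want to hear about.
    (root / "bin" / "ls").write_bytes(b"\x7fELF constructed replaced binary")
    (root / "etc" / "hosts").unlink()
    (root / "etc" / "newfile").write_text("unexpected\n")
    tampered = check_integrity(root, baseline)
    return sorted(baseline), clean, tampered


if __name__ == "__main__":
    files, clean, tampered = demo()
    print("baselined:", files)
    print("clean run:", clean)
    print("after tampering:", tampered)
```

Schedule the check (cron, Task Scheduler) and alert on any non-empty report for directories that should not change between patch windows; re-baseline deliberately after approved updates so the scanner keeps telling you about changes you did not make.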
Rule #4: Firewall Rules & Web Content Filtering Must Be Effective
Business IT Staff – Constantly and consistently review firewall rules to ensure no unauthorized changes have been made, that no unnecessary ports/services are open for either ingress or egress, and lastly just to keep a much cleaner rule-base for your firewalls. Most think this is a “set it and forget it” type of thing. Sadly, that is not the case. Block malicious IP addresses/URLs/domains from your corporate network.
Web content filters should work the same way. If you are lucky enough to have one at your organization that can also do application-layer filtering, consider blocking all P2P applications, torrent sites, Facebook applications, web-mail, and cloud-based services (such as Dropbox, Amazon Cloud Drive, etc). These are ALL possible entry points for either an attacker or malware to get onto your network and do some bad-ass things. Prevent this at all costs and make it known to your executive leadership why access to these services and sites should be prevented. You NEED top-down support.
Rule #5: Encryption On Hard Drives And Removable Storage
Business users – If you have staff that travel or it’s your company’s practice to issue laptops, strongly consider implementing full disk encryption. If you also allow your staff to bring in their own external hard drives and thumb drives (and other storage media – iPhones, Androids), please keep in mind that all it takes is for one person to lose their mobile device/laptop/thumb drive, or have it stolen, and it could be game over for your organization. The human element is the WEAKEST element of security. Trusting people with data is difficult, and no one should be fully trusted to secure their own or a company’s piece of hardware. That said, social engineering is another method by which an attacker can manipulate your staff and employees. ISW will cover that topic at a later time though.
Home users – This is also a great way of preventing identity theft.
Rule #6: Mobile Device Security
With the advent of mobile devices (iPhones, Android phones, tablets, people bringing their own computers to work), it’s becoming increasingly important to realize that your company’s virtual borders do not end at the firewall. As soon as you allow people to use their own personal devices to access internal company resources, your border has extended to wherever that device is geographically. I HIGHLY recommend that some sort of MDM (Mobile Device Management) infrastructure be put in place to regulate access and prohibit certain functions of these devices while they are attached to your resources. Get your legal and compliance teams involved, and keep them involved every step of the implementation. You WILL need their buy-in and support.
That’s all I have for now. Again, I realize a lot of this is common sense, but keep in mind that common sense isn’t always as “common” as one might think. In an age where everything needs to get done as soon as possible and without delays, a lot of these “rules” get overlooked or thrown out completely. Be the one that stands up and says “NO, we can’t do it that way”, and come up with a solution that allows access and does so in a secure manner.