Using the right keys
Today I was visiting a friend's office and, like many offices in NYC, they have a shared bathroom …
Some of this may sound like a broken record, yet every time you hear about a bank losing millions of customer records or a company suffering a security breach, it turns out they had failed to implement and enforce the most basic security practices. Here are 7 simple security practices that you cannot afford to skip.
Throw away the notion of a password. Pass phrases made up of multiple words and symbols are considerably more secure and easier to remember. Most people use the same password for everything, and it is almost always a single word or a word followed by a number. A good pass phrase looks like “Mary.had.@.little.Lamb”: it is easy to remember and nearly impossible to guess or brute force. Using a password manager such as 1Password for Mac is also a good idea.
All too often policies are put into place without the training necessary to ensure they are understood and followed. Quarterly webcasts go a long way toward ensuring that the most critical policies are complied with, without adding unnecessary disruption to the business.
Hackers are attempting to break into your systems right now. If you are not holding self audits, then the only ones auditing your systems are the hackers. It is critical that this happens routinely so that your data and systems stay as safe as possible. One small mistake is enough to make you vulnerable; routine checking gives you a chance of finding it before someone else does.
Yes, this is inconvenient. Yes, you need to do it. Firewalls, ACLs, fine-grained permissions, properly set up roles: in every system you use and at every level. This also means that root/admin privileges should always sit behind sudo and never be used to log in directly.
All sensitive data should be encrypted: hard drives; tunnels, using SSH, VPN or SSL; wireless networks and even wireless keyboards. Passwords should be stored using a one-way hash such as md5.
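The post names md5 as the one-way function. As an added example (not code from the post), this Python shows what a one-way password store looks like in practice: a random per-user salt plus an iterated hash via the standard library's `pbkdf2_hmac`, which current guidance prefers over a bare md5 because md5 is fast and unsalted, shown alongside bare md5 for contrast. The iteration count and the record format are my own assumed choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for the store (not from the post): a 16-byte random
# salt per password and an iteration count that makes each guess slow.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: '<algo>$<iterations>$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt, so equal passwords differ
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGO}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking where the comparison stopped matching
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_md5(password: str) -> str:
    """Bare md5 as named in the post: fast, unsalted, and the same for every
    user who picks the same password, so one lookup table covers them all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    phrase = "Mary.had.@.little.Lamb"  # the post's example pass phrase
    record = hash_password(phrase)
    print("stored record:", record)
    print("correct phrase verifies:", verify_password(phrase, record))
    print("wrong phrase verifies:  ", verify_password(phrase.lower(), record))
    # two users, one password: identical under md5, distinct under salted PBKDF2
    print("md5 collides:   ", unsalted_md5("password") == unsalted_md5("password"))
    print("pbkdf2 collides:", hash_password("password") == hash_password("password"))
```

Run it to see that the correct phrase verifies while a one-character variant does not, and that only the salted records stay distinct for repeated passwords.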
It seems that every time you hear about a bank or government agency losing millions of identity records, a portable drive or laptop is involved. Encryption is part of the solution here, but the loss could be avoided entirely if sensitive data were not permitted off site. Data should reside on servers sitting behind properly established ACLs and should not be available to be copied or transferred onto a laptop or portable drive.
Lastly, the most important security principle is to use common sense. If something seems wrong, it probably is. Common sense is your best defense; use it wisely.