Wednesday, October 16, 2013

Show, Don't Tell - Proving Your System Security


In reading The Cuckoo's Egg, by Clifford Stoll, I was surprised that Stoll’s hacker gained most of his success by exploiting simple oversights in system administration. This hacker would try generic accounts such as username: guest, password: guest, and in about one of twenty attempts he would succeed. Interestingly, most current cyber attacks also take advantage of simple oversights. The foremost of these is SQL injection, a well-known and easily preventable attack. Amazingly, SQL injection is the culprit for the majority of data theft and loss on the web. The outside world tends to view strong cyber security as relying on bigger and better programs, when in reality security stems from informed, vigilant system administrators. To me, it seems that any secure company needs a division devoted solely to penetration testing. To those who claim their system is secure, I say: prove it! What kind of hackers have you thwarted? How many companies have tested your security? Software and architecture alone mean nothing; only once a system has held up against thorough penetration testing should it be labeled secure.
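The two oversights named above (default guest/guest accounts and SQL injection) are both cheap to check for and cheap to prevent. The following is an added example, not code from the original post: it uses Python's standard sqlite3 module with a constructed in-memory users table, shows a login query built by string concatenation beside the parameterized form that prevents injection, and adds a small defender's audit that flags accounts still accepting a well-known default credential pair (the default list is constructed for the demo). Passwords are stored in plaintext only to keep the example short; a real system stores password hashes.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the post).
SAMPLE_USERS = [("alice", "s3cret"), ("guest", "guest"), ("bob", "hunter2")]

# Constructed list of well-known default username/password pairs to audit for.
DEFAULT_CREDENTIALS = [("guest", "guest"), ("admin", "admin"), ("root", "root")]


def make_db():
    """Create an in-memory users table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The classic oversight: user input is concatenated into the SQL text.

    Because the input becomes part of the statement, a value containing quotes
    can change the query's logic instead of being compared as data.
    Returns the list of matched usernames (an empty list means login failed).
    """
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """The fix: a parameterized query binds the input as data, never as SQL.

    The database driver keeps the statement structure fixed; whatever the
    caller supplies is compared literally against the stored columns.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def find_default_accounts(conn):
    """Defender's audit: which accounts still accept a known default pair?

    Uses the safe login path so the audit itself cannot be abused. Returns the
    usernames that an administrator should disable or re-credential.
    """
    return [user for user, pw in DEFAULT_CREDENTIALS if login_safe(conn, user, pw)]


if __name__ == "__main__":
    db = make_db()
    print("default accounts still active:", find_default_accounts(db))
    print("parameterized login, good credentials:", login_safe(db, "alice", "s3cret"))
    print("parameterized login, bad credentials:", login_safe(db, "alice", "wrong"))
```

The `login_vulnerable` function is kept only to show what the concatenated statement looks like next to the parameterized one; in a code review, every query that builds SQL text from user input the way it does is a finding, regardless of whether anyone has yet demonstrated a working payload against it.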

4 comments:

  1. I really like your idea of having an independent department dedicated to penetration testing. I mean, we have dedicated testers for our software; wouldn't it make sense to have dedicated testers for our security suite? Thanks for the good insights.

  2. I think it is a very valid question to ask big companies. In a talk with a head of security at Walmart I was intrigued to find how much they really do test their system by hiring firms. They also let hackers, much like Cliff, get as far as they can without getting past a certain threshold just to see what exploits they use. Hopefully more companies use these techniques to ensure security.

  3. Most companies do have a division solely dedicated to security. Many companies are discovering that security is extremely important, just like you have stated. Stories like The Cuckoo's Egg have sparked an insight in companies to protect their data.

    Replies
    1. Well, that and companies actually getting hacked. That's incentive to protect yourself.