Cybersecurity experts aren’t like you or me, and now we have the evidence to prove it. Researchers at Google interviewed more than 200 experts to find out what security practices they actually carry out online, and then spoke to almost 300 non-experts to find out how they differ. Perhaps unsurprisingly, the security experts practice what they preach – or, at least, they tell Google they do. They’re more likely to use two-factor authentication, to install software updates, and to avoid visiting shady websites. Even for practices that are subject to healthy debate within the security community, actions speak louder than words: the experts are more likely to run anti-virus software and to use password managers than non-experts.
For the last few months, I’ve been working full time and talking with colleagues about a new way for security executives to measure the effectiveness of security programs. In very important ways, the ideas are new and non-obvious, and at the same time, they’re an evolution of the ideas that Andrew and I wrote about in the New School book that inspired this blog. I’m super-excited by what I’ve learned. I’m looking to grow the team and talk with security executives at large organizations, and so I’m saying a little more, but not “launching” or sharing a lot of details. This is less about ‘stealth mode’ and more about my desire to say factual and interesting things.
What’s important is that a big bank has taken steps to release software developed in house to meet its own needs to developers outside its organization. It’s even more important that, in the process, it’s jumping on the open source bandwagon, even if reserving the right to keep some software proprietary.
The cracks in the armor of most enterprise websites are many, including recurring holes in OpenSSL, PHP, and WordPress, and are largely due to a combination of extensive customizations paired with a shortage of testing and fixing of vulnerabilities when compared with that of long-standing commercial OS software. CSO Magazine traverses the treacherous terrain of the massive security craters present in today’s websites. Find out what it takes to fix these holes from the start and throughout the development life cycle.
Learn Nmap and related tools. Learn some other port and vulnerability scanners. Use them. Also learn your distribution’s commands and utilities for managing ports. Shut down any open, unused ports. One company I know has only two, at most three, ports open on the external network. That makes them a very hard target indeed. The bad guys may find and attack those ports. Then again, they may just go looking for easier targets.
Source NAT changes the source address in the IP header of a packet. It may also change the source port in the TCP/UDP headers. The typical usage is to change a private (RFC 1918) address/port into a public address/port for packets leaving your network.
Destination NAT changes the destination address in the IP header of a packet. It may also change the destination port in the TCP/UDP headers. The typical usage of this is to redirect incoming packets with a destination of a public address/port to a private IP address/port inside your network.
Masquerading is a special form of Source NAT where the source address is unknown at the time the rule is added to the tables in the kernel. If you want to allow hosts with private addresses behind your firewall to access the Internet and the external address is variable (DHCP), this is what you need to use. Masquerading will modify the source IP address and port of the packet to be the primary IP address assigned to the outgoing interface. If your outgoing interface has an address that is static, then you don’t need to use MASQ and can use SNAT, which will be a little faster since it doesn’t need to figure out what the external IP is every time.
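The three translations above, as an added toy model that is not part of the original page: a tiny NAT gateway that rewrites RFC 1918 sources on egress (plain SNAT when the public address is fixed, masquerade when it must be read from the interface per packet), records each flow so replies can be translated back, and applies DNAT for published endpoints. The `NatBox` class, its port allocation starting at 40000 and the 203.0.113.x / 198.51.100.x addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The private ranges the text refers to; only these sources get translated.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatBox:
    """Toy NAT gateway (example): SNAT or MASQUERADE on egress, DNAT and reverse SNAT on ingress."""

    def __init__(self, public_ip=None, iface_addr=None, dnat_map=None):
        self.public_ip = public_ip      # static external address: plain SNAT
        self.iface_addr = iface_addr    # callable queried per packet: MASQUERADE (e.g. DHCP)
        self.dnat_map = dnat_map or {}  # (public ip, port) -> (private ip, port)
        self.conntrack = {}             # external port -> (src, sport, dst, dport) of the flow
        self.next_port = 40000          # constructed starting port for translated flows

    def external_ip(self):
        if self.public_ip is not None:
            return self.public_ip       # known when the rule was written, no lookup needed
        return self.iface_addr()        # masquerade: ask the interface for its current address

    def outbound(self, pkt):
        """Rewrite a private source to the external address and a fresh port."""
        if not any(ip_address(pkt.src) in net for net in RFC1918):
            return pkt                  # already public, nothing to translate
        port, self.next_port = self.next_port, self.next_port + 1
        self.conntrack[port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.external_ip(), port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """DNAT a published endpoint, or undo SNAT for a reply; drop anything else."""
        target = self.dnat_map.get((pkt.dst, pkt.dport))
        if target:
            return Packet(pkt.src, pkt.sport, target[0], target[1])
        flow = self.conntrack.get(pkt.dport)
        if flow and (pkt.src, pkt.sport) == (flow[2], flow[3]):
            return Packet(pkt.src, pkt.sport, flow[0], flow[1])
        return None                     # unsolicited packet with no mapping: dropped
```

Note that the masquerading box calls `iface_addr()` for every translated packet, which is exactly the per-packet lookup the text says static SNAT avoids.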
It appears that there’s a bug in Ubuntu distributions which lets malicious users locally exploit sudo and gain access to the user’s account without knowing their password. The bug was submitted to Canonical’s Launchpad back in September 2013 by user Mark Smith.
Shortly after this article was posted, WordPress released version 4.2.1, flagging it as a critical update. Website owners are encouraged to update immediately, and automatic updates have started to roll out. More information is here. However, the release advisory from WordPress still suggests that no prior notification was received from Klikki Oy, something the research firm disputes.
To be sure, many major Web companies like Google and Yahoo have been leveraging open-source dynamics aggressively and contribute back to the community. My aim is not to single out Facebook, except that it was during the F8 conference I had the opportunity to reflect on the drivers behind Facebook’s actions and why other technology providers may be wise to learn from them.