InfoSec 101

Agile
2023-05-22

Here's a quick remedial blog post on information security. I want to save my keystrokes and get this into my blog so that I never have to explain it to anyone again. These are some basic tips, which I assume everyone knows. But just in case, here is the reference. Sometimes I forget them myself, so having a post to remind me is a good thing. I'm sure I'll be revisiting this more so than others.

Excuse Fallacies

It is easy to get complacent about security. Most people know they should be using better security, but they fall for an excuse. Here are a few of the more common ones.

We've never been hacked

Just because it hasn't happened yet doesn't mean it won't. As you'll see below, hackers get better over time.

We are behind a firewall

A system is only as secure as its weakest link. Security needs to be layered. Just because there is a lock on the main door doesn't mean that everyone allowed in should have access to every room and file.

People make mistakes and might temporarily grant access to someone they shouldn't. Make sure when that happens, this risk is minimized. Firewalls don't protect us from ourselves.

I trust the people I share my password with

You trust people until the day you don't. Things can change.

It's too hard

Yes, security can be annoying at times. A cynic can easily believe that security policies only exist to cause pain for end users.

But it is often an opportunity to learn new ways of managing security. If you hate typing passwords all the time, learn how to set up single sign-on or other passwordless solutions.

Yes, it can be hard. But your only choices are to fight against strong security or to have a secure system. The choice is yours.

We aren't a target

We are a small company or just an individual. We wouldn't show up on an international hacker's hit list. Most hacks are not from foreign actors. They are usually people just poking around out of curiosity. They may even stumble accidentally on data they shouldn't have access to.

You may not even see the value or potential harm in the data you have stewardship over. You may think there is nothing to hide here, but if you have been entrusted with data it is your duty to protect it. Even something as simple as a list of contacts could be potentially devastating. Don't be the source of that leak.

It's too costly

The consequences of poor security are difficult to estimate. You never know what the going rate for a ransomware attack will be. The prices seem to be trending up.

Even after the attack happens it is hard to know the full cost. If data you were the steward for is leaked, all the people that trusted you with that information have lost faith in you (or at least have that trust damaged). What is the price of trust in a relationship?

There is also the Broken Windows Theory. It isn't just that weak security might result in a hack, it is that weak security encourages even weaker security. The loss of pride in the environment can affect the culture. It can cause people to move away.

The Rules

Here is a quick set of rules that can help improve your security posture.

Don't use the same password on multiple systems

If someone knows your password on one system, that shouldn't give them access to other systems. Don't use the same password for your social media as you do for your bank. Use a different password for every system.

Even within the same organization, different passwords should be used. For example, QA and Production environments should have different credentials. If for no other reason, it makes it more likely that the user knows which system they are logging into.

Don't use shared accounts

When two people use the same account to access a system it becomes difficult to audit the system. It is not possible to know which of the two people made a change. It removes accountability.

Anyone with the shared password may think they are authorized to grant their access to the system to anyone else, just by resharing the password. Authorization is granted without the knowledge of the IT administrators. If the password is assigned to an individual, this is less likely.

Shared accounts tend to be over-privileged. They often have many users sharing the account, and the privileges granted to that shared account are the union of all the privileges that any one of those users needs. Maybe only one person is allowed to delete data, but because they use the same login as everyone else – everyone will be granted delete permissions.

Security authorization rules should be small. See “use least privilege” below. Often the first step in improving the security of a system is to remove all shared accounts so that access can be better controlled.

Use strong passwords

Use strong passwords that contain upper case, lower case, numeric, and symbol characters. Having a long password is more important than a cryptic password.

Always copy and paste passwords from your password store. Don't have passwords that are easy to remember or easy to type. If the technology stack doesn't allow pasting of passwords, consider using a different technology.

Change passwords frequently

Change passwords once in a while. Change passwords whenever a breach is reported or there is a change in ownership.

Make sure that anyone that knows the old password cannot easily guess the new password. This implies that you shouldn't simply add the year to the end of the password to be compliant with this policy.
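As an added example (not code from the original post), here is a small Python policy check that follows the two rules above: it scores a password by length times the alphabet in use, so a long plain passphrase beats a short cryptic one, and it rejects a new password that is just the old one with a year, counter or tag bolted on. The class sizes, the 60-bit threshold and the list of stripped trailing characters are constructed assumptions, not a standard.

```python
import math
import re

# Character classes and the alphabet size each contributes. The sizes are
# conventional estimates for illustration, not a standard.
CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),
]


def estimate_entropy_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet in use).
    Length multiplies; adding a character class only nudges the log term,
    which is why a long plain passphrase beats a short cryptic one."""
    alphabet = sum(size for rx, size in CLASSES if rx.search(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def _core(s: str) -> str:
    # Strip trailing digits and common symbols: "Winter2023!" -> "winter"
    return s.lower().rstrip("0123456789!@#$%^&*.-_")


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is the old one with a year, counter or
    short tag added, so anyone who knew the old one can guess the new."""
    o, n = old.lower(), new.lower()
    if o == n:
        return True
    if _core(o) and _core(o) == _core(n):
        return True
    return len(o) >= 6 and o in n      # old password embedded whole


def check_password_change(old: str, new: str, min_bits: float = 60.0) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    bits = estimate_entropy_bits(new)
    if bits < min_bits:
        problems.append(f"too weak: ~{bits:.0f} bits, need {min_bits:.0f}")
    if is_trivial_rotation(old, new):
        problems.append("derived from the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials
    for old, new in [("Winter2022!", "Winter2023!"),
                     ("Winter2022!", "purple lantern rides the tide")]:
        print(repr(new), check_password_change(old, new) or "accepted")
```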

Don't keep multiple copies of passwords

Keep a single source of truth for your password. Don't keep a copy in an unencrypted text file on your computer or on a sticky note on your monitor. Ideally use a third-party password manager built by security experts.

Use the recommended security settings

Use the recommended security settings of your system. Don't disable the strong password requirements or multifactor authentication. Don't use HTTP when HTTPS is recommended. Don't run Windows desktop applications as administrator unless necessary.

Don't stay logged in

When you leave your computer, log out or lock your computer. If your system has a feature to automatically log out after a period of inactivity, use it.

Use least privilege

Log into systems with the minimal number of privileges that are required. It reduces the risk of systems getting hacked, and it reduces the risk of you accidentally making harmful changes.

Continuous Improvement

There is a tendency to believe the security that works well today will continue to be solid tomorrow. However, hackers are continuously getting better. So should you. Every year make sure you are taking small steps to improve your security.

Patch holes when they are discovered

Whenever a breach is discovered, take action to ensure that a similar type of breach cannot occur in the future. Often these breaches are the result of a known security guideline not being followed. Don't be complacent and say, "I will try to remember to do better next time". Make sure the mechanisms are in place to guarantee this.

Take advice

When someone recommends that you use better security, listen to them. Don't shrug, eye roll, or say "meh" or "you're not my boss". Go and implement the improved security policy immediately, especially if there is very little effort.

Policy and Tool Chain feedback loops

Sometimes new security policies are difficult to implement. This can result in searching for a better tool chain that supports better security. And vice versa – installing a new tool can often result in a stronger security policy. Be open to changing and/or updating systems. Don't avoid new tools because they might change or break the security you are used to.

Dance like nobody is watching, secure your systems like everyone is.