So many things wrong with that title. First off I think it should be 8 ways, but make #1 "Don't be douchebags."
Okay, so here's the list:
1. Don't assume what type of attack will manifest - That's some solid advice. You should prepare, within all acceptable reasons for your highest risk scenarios. We find that a lot of the people making "risk-based decisions" are the same people that believe they will be attacked by hackers like Angelina Jolie.
Rather, think of how normal, everyday people access data on your network. Why? Because that is most likely the path the bad guys will take.
2. Use tried and tested CMS - Sounds okay, but think about some of those alleged CMS‚ Joomla, Wordpress, etc. Not much better, but the argument against a custom system does have some merits. All CMS sucks. But that being said, there is something to being said for getting hacked and not paying six figures for the right because you paid for a custom piece of software. I may suck at math, but paying $150k+ and paying for a compromise is worse than just paying for the compromise.
3. Use strong password hashing - Fair, but even well-hashed passwords can be bruteforced with enough time and computing power. We've talked about passwords often enough that you know they are broken. Trust us, there is a huge difference between hashing/crypto like Lanman with a static key (hello KGS!@#$%) and crytp3 using sha256. If you do not know the difference, here is a hint - Rainbow Tables.
4. Use strong passwords - Ditto. Sure, but how about something better? Maybe we could look at passphrases? Look, I know this is going to be a shock to a lot of guys out there, but length matters. Most anything over 15 characters is going to take a long time to crack.
5. Don't reuse passwords - Very good advice, but mere mortals may have issues. Back to the password issue again.
6. Keep patches current - Yes, for known exploits, you should be doing this stuff, especially if it doesn't break functionality. Don't be slow about it either. I'd say to do restrictive firewalls and such, but the cases in point here wee privilege escalation, which means they are already on the box‚
7. User awareness of social engineering - Yes, yes 1000 time – yes! Even then it still won't sink in, you still should try. Yes, even "smart" security folks can fall for it, and get someone to open ports on your firewall. Just because it is a "dumb idea" does not mean you should not do it. The reason why user awareness sucks so bad, is because the training is awful. You really should look to working with some people who know how to do it and do it right.
Originally discussed during episode 231