2014 was a year full of technological highs and lows. On the plus side, no more XP to worry about. It’s finally out of support. On the minus side, vulnerabilities like Shellshock and even Heartbleed are still being widely exploited. 2015 hasn’t started off much better with a remote code execution in Microsoft’s Telnet server. On the plus side, if you’re using Microsoft’s Telnet server on the Internet, you probably have bigger problems. As a security company we could offer up some New Year’s resolutions for you and your people to consider, which would probably be the same as last year’s. Patch your systems, choose strong passwords and so on. But that’s not like us. Instead, here are three alternative vendor-neutral New Year’s resolutions for information security professionals.
1. Stop using unencrypted E-mail
If 2013 was the year of the Snowden leaks, 2014 was the year of Snowden reactions. Nobody likes the idea of being spied on all the time, least of all information security professionals. 2014 was also the year that the Snowden leaks showed us that the NSA and friends have special units for exploiting cryptographic weaknesses. But while many organisations take great pains to secure sensitive applications with SSL, few bother to do the same for email.
After you’ve read this article, take a look at your smartphone email settings. If you don’t have a smartphone, check your laptop email settings. Are you using PGP? No, of course not. In 2015 less than 10% of our customers still use anything like PGP, mostly because it’s cumbersome and difficult for end-users to use at an organisational level. However, I’m not asking you to use PGP. That would be accepted wisdom but nothing new.
Instead, I’d like you to look at your remote server settings for downloading E-mail.
First check your IMAP or POP3 settings. Are you using ports 110 or 143? If so, your email isn’t being encrypted at the Transport Layer. There’s an option for email to use a feature called STARTTLS that will allow it to use those ports and still encrypt email, but it’s initiated over plain text. An attacker between you and your mail server can abuse this, as many mail clients ignore downgrade attempts and carry on without encryption.
Check your SMTP settings too. SMTP, IMAP and POP3 are common standards used in email. If SMTP is pointed at port 25, then it’s also unencrypted unless STARTTLS is used, which has the same problem. So what’s the alternative?
Rather than using unencrypted email, make sure that your email is fully encrypted at transport by using correctly configured TLS. If you’re not sure whether or not it is, then your IT function should be able to check for you, but make sure they check by looking at the connections made and the supported cryptography for both client and server. The questions to ask internally are:
What ports do we use for IMAP, POP3 and SMTP-based mail in the organisation?
What TLS ciphers do we use for mail traffic?
How do we ensure Perfect Forward Secrecy with our mail connections?
How are mail server certificates configured, signed and encrypted?
If you’re comfortable with the answers you receive, great. If not, contact us for a no obligation chat about your mail security and we’ll help where we can.
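The fail-closed behaviour a mail client needs on the ports discussed above, as an added example that is not part of the original article. The server responses are constructed samples, and the function names and policy labels are illustrative assumptions:

```python
import ssl

# Ports named in the article (25, 110, 143) start in cleartext, as does 587.
# 465, 993 and 995 are the standard implicit-TLS ports for the same protocols.
CLEARTEXT_START = {25: "smtp", 587: "smtp", 110: "pop3", 143: "imap"}
IMPLICIT_TLS = {465: "smtp", 995: "pop3", 993: "imap"}
# Capability keyword each protocol uses to advertise the TLS upgrade.
UPGRADE_KEYWORD = {"smtp": "STARTTLS", "imap": "STARTTLS", "pop3": "STLS"}


def strict_context():
    """TLS context that verifies certificate chain and hostname, TLS 1.2+."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def upgrade_advertised(protocol, capability_lines):
    """True if the server's capability response offers the TLS upgrade."""
    keyword = UPGRADE_KEYWORD[protocol]
    for line in capability_lines:
        if line[:3].isdigit():        # drop SMTP reply code and separator
            line = line[4:]
        if keyword in line.upper().split():
            return True
    return False


def decide(port, capability_lines=()):
    """Fail-closed policy applied before any credentials are sent."""
    if port in IMPLICIT_TLS:
        return "connect-with-tls"       # handshake precedes all mail traffic
    if port not in CLEARTEXT_START:
        return "refuse-unknown-port"
    if upgrade_advertised(CLEARTEXT_START[port], capability_lines):
        return "upgrade-then-verify"    # send STARTTLS/STLS, then check the cert
    return "abort-no-tls"               # never fall back to a cleartext login


# Constructed sample responses (not captured from a real server).
EHLO_OK = ["250-mail.example.test", "250-SIZE 35882577", "250-STARTTLS", "250 HELP"]
EHLO_STRIPPED = ["250-mail.example.test", "250-SIZE 35882577", "250 HELP"]
IMAP_CAPS = ["* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"]
POP3_CAPS = ["+OK", "USER", "STLS", "."]
```

The context from `strict_context()` is what you would pass to `smtplib.SMTP.starttls(context=...)`, `imaplib.IMAP4_SSL(ssl_context=...)` or `poplib.POP3.stls(context=...)` so the upgrade also verifies the server certificate.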
2. Stop telling people to use complicated passwords
At Mandalorian we break a lot of passwords. I mean a lot. Seriously, more than we’ve had hot dinners. A common problem with password policies is that companies try to enforce increasingly complex terms and users try to develop increasingly devious ways around them.
Let’s say for example that on an IT helpdesk password reset, ACME sets the password to “password”. Fast forward 5 years and a more complex password policy has been put in place. The policy requires an 8 character minimum, a number, and either punctuation or a keystroke accessible only in another dimension. The helpdesk stops using “password”.
What might the most common user password be? We’ve seen “Pa55w0rd!”, “Password1!” and “passw0rd!” in the wild so many times this year. It’s not worth doing anymore.
There are several ways around this. One way is to use two-factor authentication. It’s a good idea, but can be expensive and problematic. Another option is to use a password manager or vault to store passwords that are automatically generated. Just make sure the vault is securely deployed and managed.
As with many of the things I learn in life, I learned about password security from an online comic.
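Why the complexity rule alone fails on the passwords quoted above, and what a deny-list check and a generated password look like instead. This is an added example, not from the original article; the deny list, substitution table and function names are constructed assumptions:

```python
import secrets
import string

# Constructed deny list of base words; a real one would include the
# organisation's name and its helpdesk reset defaults.
DENY_BASE_WORDS = {"password", "welcome", "letmein", "acme"}
# Common character substitutions undone before the deny-list lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_complexity(pw):
    """The ACME-style rule: 8+ characters, a digit and a punctuation mark."""
    return (len(pw) >= 8
            and any(c in string.digits for c in pw)
            and any(c in string.punctuation for c in pw))


def base_word(pw):
    """Lowercase, drop leading/trailing digits and punctuation, undo substitutions."""
    return pw.lower().strip(string.digits + string.punctuation).translate(LEET)


def is_predictable(pw):
    """True if the password reduces to a word on the deny list."""
    return base_word(pw) in DENY_BASE_WORDS


def generate(length=20):
    """Vault-style random password that still satisfies the complexity rule."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_complexity(pw):
            return pw
```

All three passwords quoted above pass `meets_complexity` and are caught by `is_predictable`, which is the check a password policy actually needs.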
3. Focus on the real stuff
Despite the hype over Snowden, cyber-terrorists and APT last year, the fact of the matter is that most people are more likely to lose a backup tape than get rolled over by the Chinese People’s Liberation Army. Yes it’s a real threat, for some people, but it’s tempting to lose sight of the mundane day-to-day in favour of the latest shiny infosec craze.
Given it’s the start of the year, write down three things that you want to achieve as an information security professional this year. Break them down into smaller goals and identify how and when you’re going to work towards them. They don’t need to be enormous things. Here’s mine:
Do an app team leader exam
Complete the final stages of our internal ISO9001 program
Deploy reporting automation so we can pass on reduced reporting costs to our customer base
Of the three I suspect I’ll manage two. The real world has an annoying habit of interfering with our lives and I’m no exception. If you don’t manage to complete all three of yours that’s fine. But just as with New Year’s resolutions to lose weight or be healthier, even if you only manage one, making sure they’re realistically achievable goals will be the difference between success and failure.