I heartily and wholeheartedly agree.
A friend of mine runs a small ISP and was recently hacked through the recently announced BIND hole and has been trying desparately to clean things up. This has impacted all of his client web sites and caused no end of grief.
It started simply enough; DNS had been shut down. He restarted it, did a bit of research, and concluded that it had been a "white hack," a warning to beef up his security. Within a few days, though, he discovered that the same flaw had been used to compromise the rest of the system and that further mayhem was ensuing.
The relevant bit is that even though I had dutifully fowarded the link as soon I learned about it (here, actually), he failed to follow through and implement the patches quickly enough. He got side-tracked by other issues and is now paying the price for that.
Security needs more than knowledge, it needs action....regardless of your level powers on the machine(s) in question.
To begin, start learning how people get into your systems. I heartily recommend Hacking Exposed: Network Security Secrets & Solutions (Second Edition) by Joel Scambray, et al. (Osborne/McGraw-Hill, 10/2000). While it will make the most sense to administrators, it's written in a way that should be accessible to nearly everyone. It not only documents server, OS, and browser vunerabilities, it describes hacks in varying degrees of detail *and* provides countermeasures.
If you're not into the technical details (though I assume that you are, if you hang out here), you may also find Cliff Stoll's The Cuckoo's Egg an entertaining and (through implication) chilling reason to become interested in the gory details. While the book has received some criticism, the very idea should be enough to make the even most pointy-haired of bosses more than a little nervous.
If you don't have a lot of money, you can still start learning. There are a number of online resources devoted to security, ranging from SecurityFocus to documentation from the other side of the coin. (BTW, if you're using a proxy server that filters content, you may find yourself unable to get to certain sites. Keep digging. Use your personal dialup, if you must. Use care to disable JavaScript and take other basic precautions first.)
Other random measures:
Try to hack the systems you own or administer. As Stoll puts it, "rattle the doorknobs." If you can get in, others certainly can and may already have.
Note: Do this *very* carefully. If it's a business system, get upper management's support before doing this. One of our own has had no end of trouble because of this very thing.
If you're not the admin or do not have root, then make friends with the person that has that access. that way, you'll have a certain amount of credibility when you discover areas of concern.
Before shopping at an online merchant, take a moment to view the source of the shopping cart. If they put bad data in hidden fields, flee. Don't trust that site with your credit-card number. If they have weak security in one area, they probably have weak security in others.
Before posting data to an online form, try to view the directory containing the script. If you can, flee.
Make sure you know what's in your cookies. Accept them sparingly and don't give trusted data to sites that don't handle it well.
Patch your browsers and your OS regularly, consistently, and diligently.
Don't keep anything on a connected computer that you don't want the rest of the world to see.
With regard to security, you have to follow Mulder's advice: "Trust No One" (and don't use TRUSTNO1 as a password).
--f ...and, yes, I'm an X-Phile.
Update: Added a few more bits of random advice.
In reply to Re: Stay aware of security
by footpad
in thread Stay aware of security
by tilly
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |