Wild Wild West (WWW)
In the past decade the internet has surpassed all expectations and changed the lives of us all. The World Wide Web holds little or no safety for the end user. Very much like the Wild West in the 1800s, the opportunities and possibilities are endless; however, so are the dangers. Everyone has to watch his/her back because of the unscrupulous gangs of identity thieves and scammers that are just waiting for you to walk into a trap. Online self-defense is a necessity.
There is an arms race going on between the dark and white forces; a Sisyphean task of building defenses which are in turn defeated, in a seemingly endless cycle. How can we ever break out of this cycle to finally feel and be safe?
Trust, together with encryption, is the key to this goal. As long as most internet traffic is unencrypted and untrusted in origin, it is vulnerable to attacks. Obviously encryption by itself is not the silver bullet; it has to be done right, together with trust management and without exceptions.
This can’t be done overnight. Wherever possible, encryption should be used with proper key management. This would close many holes in the system and stop exposing end-user data to attackers. End users need to be educated and forced to use the more secure options: encrypted storage and encrypted protocols, whether HTTPS, SFTP, DNSSEC or IPsec. Email encryption and digital signing have also been available for decades, but are rarely used by the general public.
It’s up to us, the IT pros, to set the standards, to configure secure defaults on our systems and in our products. We have to insist on using the most secure options, no compromises.
Many of us use VPNs, which are de facto encrypted by default, but many other services are not! We need to fix this. The best start would be:
- use encrypted storage, internal and external
- use IPsec on your intranet
- force HTTPS/SFTP on your website/webmail
- force SMTPS/IMAPS/POP3S on your email server
- introduce email signing/encrypting
- enforce proper key management
More advanced hardening can be achieved by employing DNSSEC and NTP over SSL. It is also a good idea to pass proprietary/custom/3rd-party protocols through SSL/TLS/IPsec tunnels.
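To check a host against the checklist above, the following added example (not code from the original post) parses the output of `ss -tlnH` and reports cleartext listeners reachable from the network, together with the encrypted service the list recommends. The function names and the sample input are constructed for illustration; listeners bound only to loopback are skipped.

```python
import ipaddress

# Cleartext services from the checklist, mapped to the encrypted
# replacement the article recommends (standard IANA port numbers).
CLEARTEXT = {
    21: ("FTP", "SFTP (22)"),
    25: ("SMTP", "SMTPS (465)"),
    80: ("HTTP", "HTTPS (443)"),
    110: ("POP3", "POP3S (995)"),
    143: ("IMAP", "IMAPS (993)"),
}

# Constructed sample of `ss -tlnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 32 [::]:21 [::]:*
LISTEN 0 100 *:143 *:*
LISTEN 0 100 0.0.0.0:993 0.0.0.0:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4, '[v6]', '*', optional %iface) into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def is_loopback(host):
    # '*' means every address, so it is never loopback-only.
    return host != "*" and ipaddress.ip_address(host).is_loopback

def audit(ss_output):
    """Return sorted (port, service, bind address, recommended replacement)."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, port = split_endpoint(fields[3])  # 4th column: local addr:port
        if port in CLEARTEXT and not is_loopback(host):
            name, fix = CLEARTEXT[port]
            findings.append((port, name, host, fix))
    return sorted(findings)

if __name__ == "__main__":
    for port, name, host, fix in audit(SAMPLE_SS):
        print(f"{name} listening on {host}:{port}, prefer {fix}")
```

A port 80 finding can be acceptable when that listener does nothing but redirect to HTTPS; the script only reports what is listening, not what the service does.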
When the majority of IT pros start following these basic rules, the situation will improve. It’s going to take time, but I am optimistic that we will get there.









I also suggest being hyper vigilant about your company’s FTP access: don’t use default logins, and if you don’t use it regularly, disable it! Your risk of falling victim to an SQL injection attack will be reduced.
If I may also suggest, make it a habit to frequently change/update passwords, and when creating a password, combine caps, small caps, numbers and characters. It’s only a hassle every now and then when you change, but the protection you get from it is priceless.
Have to agree with you on that one. A lot of IT departments tend to postpone (or even slack off on) changing the default logins, especially with regard to server or FTP access. It isn’t common for exploiters to have a bible for this kind of information readily available. It’s best to have that kind of issue dealt with as soon as possible, and inform the related departments of the changes.