Last time we looked at some of the cast of characters in hackerdom and their motivations.  This time we want to look at how they can attack you and what you can do to make yourself less of a target.

The first principle of being secure on the internet has to do with making yourself as small a target as possible.  This is known as “minimizing your attack surface” – which is actually (from your perspective) – your “defense surface”.  In general, the term is used to describe vulnerability to outside attack.  From a military perspective, a long, thin line is vulnerable because it can be attacked anywhere at the enemy’s choosing.  Better to minimize that surface … like Thermopylae.

In the world of software and internet security, you don’t want to be the easiest target around.  In a pure “survival of the fittest” sense, the good news is that just like on the savannah where to avoid a predator you don’t have to be the “fastest wildebeest” … you merely have to be able to outrun the slower wildebeests.

So, you don’t need to have perfect security (good luck with that), but you certainly need to have better security than the next victim.  If not, then that next victim could be … you.

The top 10 vulnerabilities for 2013 according to OWASP (Open Web Application Security Project) are:

  1. A1 – Injection
  2. A2 – Broken Authentication and Session Management
  3. A3 – Cross-Site Scripting (XSS)
  4. A4 – Insecure Direct Object References
  5. A5 – Security Misconfiguration
  6. A6 – Sensitive Data Exploitation
  7. A7 – Missing Function-Level Access Control
  8. A8 – Cross-Site Request Forgery
  9. A9 – Using Components with Known Vulnerabilities
  10. A10 – Unvalidated Redirects and Forwards

Phew!  And that is just the top 10!  Fortunately, many of the vulnerabilities are beyond your control.  1. – 4. and 6. – 10. all have to do with the quality of the software or website.  Unless you are an expert in internet security yourself, you wouldn’t want to build your own website.  Would you?  So, you are home free with only “security misconfiguration” to worry about!

According to OWASP, Security Misconfiguration is

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

Now this is related to development, but it is the deployment of the software that is the chief focus here.

Note all the components listed above: application, frameworks, application server, web server, database server, and platform.  Let’s take your wireless network.  Because you have Iconic, you have a wireless network for the mobile point-of-sale device to do its thing.  So, how should your wireless network be configured?

Without discussing the particulars of your router settings, some general principles can be laid out:

  • Name your SSID (Service Set Identifier) something that is not easy to guess.  Do not broadcast your SSID.  (Really, people do this…)
  • Set the security key to something that is not easily guessed.  Longer is better.  (Pop quiz: the more popular password is?  Yep, it is “password”… (Really, people do this…)
  • Do not use WEP for securing your network; it was hacked a long time ago in a galaxy far, far away….Use WPA 2.0 (Wi-fi Protected Access) instead.
  • Do not continue to use the default network password supplied with your wireless router.  (Really, people do this…)
  • White listing the devices that will be on the network is helpful as well.  Note that the MAC addresses can be spoofed, but they would need to be guessed or discovered…

Once all that is done, then you will need to change that wireless password from time to time…quarterly, or, better, monthly.  But isn’t that a pain?  Yes.  It is a pain.  But take another look at that wildebeest in the tender embrace of that lion…

More anon…