The Security Mindset

by Süleyman Petek 17. Temmuz 2015 21:00
Everyone in your organisation, all the time should keep security in mind. Remember that you are as s

Everyone in your organisation, all the time should keep security in mind. Remember that you are as secure as your weakest link in the chain. Whatever latest technology you use, your firewalls, IDS, IPS, antivirus etc. your level of protection is as high as your weakest link.

Everyone may not have the same level of mindset however the developers and IT staff should be careful about this. Of course having a company-wide mindset is not easy and it requires continuous education. Education comes with the cost of money and time. Top management should also have the mindset in order to approve these expenses.

Let's consider a project manager or a business analyst or a scrum master. While planning for the project, nearly none of them allocates time and human resource for security issues. Being aware of these issues requires allocating time plan for fixing the security issues and also aligning with the secure coding standards. The majority of the developers concantrate on learning new technologies but unfortunately they are not keen on security or they are not aware of the seriousness of the topic. 

In general there are some principles that should be kept in mind:

Least Privilege
Sometimes used as POLP (Principle of Least Privilege) is
 limiting access to the minimum level that is necessary to complete the job.

Simple is More Secure
Simply getting rid of unnecessary functions, unused features as possible as it is.

Do Not Trust Users
When we tackle about user actions, being paranoid is a good security behaviour. Even if your administrators are not 100% reliable for you (An unhappy employee may be very harmful). Sometimes offline actions such as phone calls can be considered as an attack.(Social Hacking)

The Unexpected Always Happens
Preventing the attack before it happens is vital. People generally see the "Happy Path" in projects but the edge cases should be considered also.

Defense in Depth
Slowing down the attacker via layered defenses. "If an attack causes one security mechanism to fail, other mechanisms may still provide the necessary security to protect the system." - OWASP

If you read the CEH preparation book, hacking starts with reconnaissance process. The more information you give the more hackers benefit. Limit the information you give as minimum.

Blacklisting & Whitelisting
"A Blacklist is testing a desired input against a list of negative input's. Basically you would compile a listing of all the negative or bad conditions, then verify that the input received is not one of the bad or negative conditions.

A Whitelist is testing a desired input against a list of possible correct input's. To do this you would compile a list of all the good input values/conditions, then verify that the input received is one of this correct conditions."

Tags: , ,

IT Security | Awareness | Web Security | Web Attack


<<  Mayıs 2018  >>

View posts in large calendar