A watering hole attack is an indirect attack on a victim. Rather than directly attacking the victim’s network, the attacker attacks a web site that the victim’s employees are likely to visit. Then the attacker attacks the victim’s network, via its own workstations, from that web site. A former colleague asked me how you protect against watering hole attacks, and I thought this was a good exercise. So here are some strategies for watering hole attack prevention.
I’ve never seen SQL injection explained really well, until one of my coworkers did just that. I’m going to try to repeat his explanation here, because SQL injection is something that everyone seems to expect everyone else to just know.
SQL injection (sometimes abbreviated SQLi) is the technical term for getting a form in a web site to run SQL commands when it shouldn’t. Here’s what it is and how and why it works.
People who’ve moved onward and upward within the company, bridging multiple departments are great attack targets because they probably have more permissions than someone who’s stayed in a single role.
In non-security speak, let’s talk about someone who moves from Accounting to HR. The right way to handle it is to grant access to all of the HR data and systems, and cut off all of the person’s access to accounting data and systems.
In practice, that rarely happens. In previous roles, I’ve often ended up with access to more than one group of systems after being moved around, so I’ve not only seen it, I’ve experienced it firsthand.
The bad guys know this. So they’re going to scour Linkedin for people who have multiple entries on their profiles for the same company, knowing they probably still have both feet in both worlds. People like that are going to get more phishing e-mails than average, because then they’ll have access to twice as much stuff. That means if an attacker manages to get onto their system, they’ll have access to twice as much stuff.
This gets overlooked a lot, but HR and security need to have a very good working relationship to keep these kinds of situations from happening. Employees who stay with an organization and move onward and upward within it are very rare these days, and those employees deserve every bit of the extra protection they need.
Career advisers say to make sure you show all of your upward movement within the same company on your resume and on your Linkedin profile. I know not everyone does this, but jobs are difficult enough to get that we have to assume people are looking for that edge. As security professionals, our job is to understand this reality and make sure it doesn’t mean extra exposure.
Last week, I heard a webcast in which the presenter repeated some advice from 2004: Patch things like your financial systems first, and your workstations last.
Workstations need to be first. Read more
Google is moving its corporate applications to the Internet. A year ago I would have said that’s the dumbest thing I ever heard. Today I’m not so sure.
Sticking stuff in the cloud is the popular answer to everything these days, and I just see the cloud as the new mainframe. It’s not a solution so much as a different take on the same problem, and while I see a couple of potential disadvantages, believe it or not I see some real advantages to the approach as well.
I scan the network I’m paid and sworn to protect on a nearly daily basis. I experienced a problem with the account I use for that, and I tested by scanning a small quantity of machines (my own and my cubicle neighbor’s) with my own account to make sure the problem was the account, not the tool.
Fixing the account has become a problem–my boss’ problem now–but when I told him about it, I said I could scan the network with my personal admin account, but didn’t want to. One reason has to do with liability and HR. The other, believe it or not, is technical.
I’ve read the stories this week about how fast-food chains like Jimmy John’s are forcing employees to sign non-compete agreements.
I’ve been asked to sign a non-compete exactly twice in my career, and signed one once, but neither of them was back in my teenage fast-food days.
My employer is experimenting with a few desktop PCs with SSDs. And they are amazing. These machines have an Intel Core i5 CPU, 8 GB of RAM, and a 120 GB SSD. They log on and off in seconds. Word and Excel 2010, which are absolute slugs on HDDs, load in one second. The time is right for SSDs in business.
This is what modern computing is supposed to be.
There’s plenty of benefit, too. Quality SSDs fail predictably, so that reduces maintenance. They take images very fast, which reduces maintenance. Their small size encourages people to save their data on the network, where it’s backed up. The same thing discourages users from storing movies and music on their PCs, which is a legal liability in more than one regard. Depending on the user’s choice of movies, it could be both an HR issue and a copyright issue.
But beyond the intangible benefits, there’s the increased productivity. The computer is almost always ready for the user.
It wouldn’t take long for a $100 SSD to pay for itself by saving a couple of hours of most workers’ time each month.
We had a round of layoffs at work last week. I’ve seen way too many of those. I’ve been one of the layoffs in too many of those, but not this time. If you’re wondering what to say to a coworker who was laid off, read on. Unfortunately I have experience in this area.
It was painful to watch. There were lots of tears, lots of glassy eyes, some denial, some apathy, and even a bit of acceptance. One day, someone walked around to every affected cubicle and wrote “You belong here” on the whiteboard. You can look at it like a sign of solidarity or like some kind of crazy reverse passover, depending on whether you were one of the affected.
I’ve made an effort to seek out the affected people I knew. It seemed like my duty. Read more