Below: "Exploits of a mom" and "Password Strength"
I recently read an article on PCMag.com that shows how vulnerable you can still be even if you implement all the right safe-guards in a system. There was a study that showed that "Password1" is the most popular password among active directory intranet users, for example for platforms like Microsoft's SharePoint. "Password1" satisfies the password strength settings for a Microsoft Active directory by containing A capitol letter and a number and satisfying the minimum character limit. It's also fairly easy for a human to remember, which ends up being the prime reason for its usage. Unfortunately, simple passwords like this are entirely too easy for a computer to brute force, especially with the computing power we have sitting under our desks these days.
It just goes to show you how, as the xkcd password strength comic states in the mouse-over tool-tip, that even after 20 years of trying to educate people to have better security practices there are still mistakes that we have all been guilty of at one point or another. It seems that we need a better form of protection through guidelines and restrictions, and somehow these "complexity" requirements need to be beefed up, or strictly enforced within a company. A lot of disambiguation occurs in the this market between security of your business (paper shredding, secure networks etc), and security in your software released by the software development team. Some think it's up to the developers to produce safe and solid code, while others think it's up to the company to strictly enforce shop standards that promote such a design.
The article explains some research done by Trustwave, a security solutions company. Customer records make up 89% of breached data. Customer records are your most precious forms of data, because if those are compromised you can definitely be assured that you will lose a large portion of your customer base, lose brand loyalty, and could put your company in serious risk of being labeled for its' poor practices/products or going bankrupt. This recently happened to Sony's PlayStation Network (PSN - 'poision'), and sure enough it was reported they lost a large amount of loyalty, money, and essentially future sales.
It bothers me that even big companies that are supposed to pay people big bucks to ensure that these types of mistakes don't happen, still fall victim to common mistakes in the Software and Security Engineering field. We need to start teaching CURRENT, and VIABLE Software and Security design standards to keep up with an ever-evolving industry. There will always be a threat. You cannot just release a product and expect it to be iron-clad forever!
To go hand and hand with subject and xkcd comic, the article also goes on to explain that SQL Injection is still one of the main forms of web-based attacks. How long has SQL been around? 40 years? And still people have such poor practices with their database inputs, web-site implementation, form validation and so on, it puts the entire application at risk of compromise.
Just another reason why we as professional software developers and security engineers should be paid the big bucks to know how to do things right the first time.
No comments:
Post a Comment