
Effective security techniques we don't follow enough

In almost every security incident there's some best practice that someone didn't follow. Here are six security technologies and techniques that would help in these cases.
1 of 7 ZDNet/CBS Interactive

It's not all our fault, security is hard

The IT folks at Target weren't stupid or lazy. They had actually done a lot of security work, but it wasn't enough. Modern enterprises are so large and complex that applying best security practices at all times and locations is just too much to ask.

But we all can do better. As a starting point, consider these six programming techniques, products and services which tend to minimize the most common of security problems.

We know that most attackers are lazy and looking for low-hanging fruit. The harder a target you make yourself, the less likely it is that you will be compromised.

First Up: Parameterized SQL Queries


2 of 7 XKCD

Parameterized SQL Queries

This is #1 because it's so well-understood and so long-established as an effective defense against SQL injection, and yet it is still widely unused. Any programmers using SQL and not parameterizing your queries out there? Shame on you.

SQL injection is well-illustrated in the classic XKCD cartoon on this page. When a program blindly accepts input from a user and pastes it into a string that is then run as a SQL query, the input can change the meaning of the query, and an attacker can read, alter or destroy data in the database. Enormous harm has been done through such sloppy programming.

Any decent programming environment provides facilities for parameterizing SQL queries. Note that these facilities do not "sanitize" the input: they send the query text and the values to the database separately, so the values are never parsed as SQL no matter what they contain. Validating input is still worth doing on top of that, but it is not what stops the injection. Consider this example in PHP, using PDO:

// PDO prepared statement: the SQL text and the bound values travel separately,
// so user input is never interpreted as part of the query.
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
$stmt->execute();

Required reading: OWASP SQL Injection Prevention Cheat Sheet
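As an added example (not code from the original article), here is the same contrast in Python against an in-memory SQLite table with two constructed rows: a lookup built by string formatting, which the classic `' OR '1'='1` payload turns into a query matching every row, beside the parameterized form, which treats the same payload as a literal name and matches nothing. The table, rows and payload are constructed for the demonstration.

```python
import sqlite3


# Constructed sample data: an in-memory SQLite table with two users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    # The classic mistake: user input is pasted into the SQL text, so
    # quotes and keywords in it are parsed as part of the query.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    # The query text is fixed; the value is bound to the ? placeholder and
    # handed to the engine as data, never as SQL.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed attacker input: closes the string literal and adds a tautology.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    # The legitimate lookup works either way.
    print(find_user_vulnerable(conn, "bob"))
    print(find_user_parameterized(conn, "bob"))
    # With the payload the vulnerable query becomes
    #   ... WHERE name = '' OR '1'='1'   -> every row, including the admin
    print(find_user_vulnerable(conn, PAYLOAD))
    # The parameterized query looks for a user literally named ' OR '1'='1
    print(find_user_parameterized(conn, PAYLOAD))
```

The XKCD payload, with its `;` and `DROP TABLE`, would not work against this particular driver because sqlite3's `execute()` refuses to run more than one statement at a time; a driver that allows stacked queries would happily drop the table. Do not count on that: the fix is the placeholder, not the driver.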

Next: Multi-factor authentication 

3 of 7 ZDNet/CBS Interactive

Multi-factor authentication

The idea of two-factor authentication is that losing your username and password is not a fatal problem, because a second factor, typically some physical object that you have with you, is also needed in order to log in.

Two-factor authentication is all over the news now, what with support for the new U2F standard announced by Microsoft, Google and smaller companies like Duo Security.

Two-factor authentication has been around for a long time, but has made few inroads in broad markets because it can be a gigantic pain to use. The aim of the new standards, and of support from Microsoft and Google, is to make two-factor authentication easy enough that users won't mind it. The image on this page is a Duo Security Android push notification used as a second factor for LastPass, a password manager.

So far, perhaps the most successful implementation is EMV (Europay/MasterCard/Visa), also known as "chip and PIN." EMV is a standard for payment cards which is widely deployed in Europe and coming to the US over the next couple of years. It puts an embedded cryptographic processor in the card that talks to the terminal through the chip's contacts or, on contactless cards, over a short-range NFC radio. The chip generates a one-time cryptogram for each transaction, so data skimmed from a magnetic stripe cannot be replayed as a chip transaction; combined with a PIN entered by the user, it means an attacker needs both the physical card and the PIN. (Card-not-present transactions, such as online purchases, fall outside this protection and remain a weakness in the system, but we'll leave that for another day.)

Next: Identity and Access/Password Management

4 of 7 OneLogin

Identity and Access/Password Management

Careless and erroneous management of identities and credentials is a major source of security incidents. The previous page of this gallery on two-factor authentication describes one of the main and best techniques for securing authentication, but today it's not a practical solution in all cases.

All operating systems perform some amount of IAM (Identity and Access Management) and may be extensible by third parties so that the operating system directory can be used to authenticate access to other applications. In practice that is generic talk for Microsoft Active Directory, the widely disliked directory that nearly everyone uses. Working with Active Directory, especially in a multi-site, federated network, can be a major pain.

Enterprises and other managed networks often need an IAM solution, such as those from OneLogin, IBM and Computer Associates, that maintains identities in one place whether or not the application authenticates against Active Directory.

Increasingly, enterprises are concerned about migrating to cloud services such as Google Apps, Salesforce or Office 365 without creating an authentication mess. In such cases, a cloud-based IAM solution such as that from OneLogin may be the best long-term solution.

Part of a good IAM solution is password management of the type provided for standalone systems by LastPass, 1Password by AgileBits and RoboForm.

Next: Prompt software updates

5 of 7 SolarWinds

Prompt software updates

This is one of those things that everyone now knows they should do, but it is still hard, particularly in light of some botched recent updates by some big companies. A well-maintained NGFW/IPS with current signatures can blunt the urgency of some updates by blocking known exploit traffic while a patch is tested (so-called virtual patching), but it only covers attacks the signatures recognise and is no substitute for applying the patch.

Security research shows that this problem has been lessening over the years, as update systems have become more automatic.

There's an added level of complexity: different companies have different policies on how long they provide patches for a given generation of software. For many, such as Apple, once the new generation appears, updates for the old ones are limited or nonexistent. For instance, since iOS 8 appeared there have been no updates for iOS 7, so there can be a security imperative to upgrade to the new generation, not merely to apply patches to the one you have.

Even Microsoft, which provides security updates for products for ten years, will include new architectural security features in new versions of Windows that are not in the older ones. Therefore, from a security standpoint, you're always better off running the latest generation of Windows (currently 8.1), although it may not be practical to do so.

Once an organization reaches a certain size, central management of the process is necessary. For mobiles, that means an EMM solution. For Windows desktops it means a patch management solution, often part of a larger system management solution. The patch manager pictured here is from SolarWinds.

Next: Escaped HTML syntax

6 of 7 Kaspersky via The Hacker News

Escaped HTML syntax

XSS (cross-site scripting) might be better termed "HTML/script injection" because that's what it is: the insertion of attacker-supplied markup or script into a page served by a site the victim trusts, so that it runs in the victim's browser with that site's privileges (its cookies, session and origin).

The usual vector is an application that takes input from a user, stores or reflects it, and writes it back into a page without encoding it for the context it lands in. The screen capture on this page shows a hacker causing VK, a Russian social network, to raise an alert box. The alert is the harmless proof of concept; the same technique can be and has been used to insert code that steals sessions or acts on the victim's behalf.

As OWASP says in their typically invaluable XSS (Cross Site Scripting) Prevention Cheat Sheet: "While there are a huge number of XSS attack vectors, following a few simple rules can completely defend against this serious attack."

The eight rules (numbered zero through seven) deal with encoding untrusted data for the context it is emitted into (HTML body, HTML attribute, JavaScript, CSS, URL), such as turning a double quote (") into &quot; before it is placed inside an HTML attribute, and with sanitizing any HTML markup you must allow through.

It's a good idea to use a security encoding library, such as Microsoft's AntiXSS for .NET or the OWASP Java Encoder Project.
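As an added example (not from the article, OWASP or either library named above), the following Python shows the rules in action: a template that pastes a comment into the page unescaped, beside one that encodes the same value differently for each place it lands (HTML body, HTML attribute, URL parameter, JavaScript string), following OWASP rules #1, #2, #3 and #5. The payload and the page fragment are constructed for the demonstration.

```python
import html
import urllib.parse

# Constructed attacker input: breaks out of a quoted attribute, then injects a script.
PAYLOAD = '"><script>alert(1)</script>'


def render_vulnerable(comment):
    # Pastes user input straight into the markup: the classic XSS pattern.
    return '<p class="comment" data-author="%s">%s</p>' % (comment, comment)


def escape_html_body(value):
    # OWASP rule #1: & < > " ' become entities before going into element content.
    return html.escape(value, quote=True)


def escape_html_attribute(value):
    # OWASP rule #2, for an attribute that the template always wraps in quotes;
    # the entity set above is then sufficient. OWASP's own rule escapes every
    # non-alphanumeric character so that unquoted attributes are covered too.
    return html.escape(value, quote=True)


def escape_js_string(value):
    # OWASP rule #3: inside a quoted JavaScript string, every non-alphanumeric
    # ASCII character becomes \xHH (and other code points \uHHHH), so the value
    # can never close the string or the enclosing <script> element.
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def escape_url_param(value):
    # OWASP rule #5: percent-encode everything before it becomes a URL parameter.
    return urllib.parse.quote(value, safe="")


def render_safe(comment):
    # The same value is encoded once per context it is emitted into.
    return (
        '<p class="comment" data-author="%s">%s</p>'
        '<a href="/search?q=%s">search</a>'
        '<script>var comment = "%s";</script>'
        % (
            escape_html_attribute(comment),
            escape_html_body(comment),
            escape_url_param(comment),
            escape_js_string(comment),
        )
    )


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))  # the browser runs alert(1)
    print(render_safe(PAYLOAD))        # the payload is shown as text
```

The point of four encoders rather than one is that each context has its own syntax: an HTML-entity-escaped value is still dangerous inside a JavaScript string, and a percent-encoded value is wrong in element content. Pick the encoder by where the data is going, not by what the data looks like.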

Next: Software whitelisting

7 of 7 Microsoft

Software whitelisting

Classic anti-malware techniques work on blacklisting, i.e. checking programs against a list of known bad programs.

Where possible, a better approach is whitelisting: nothing is allowed to run unless it's specifically permitted. The image on this page is of Microsoft AppLocker, a standard feature of the Enterprise (and Windows 7 Ultimate) editions of Windows. An administrator defines rules that allow or deny specific programs by publisher signature, file hash or path, and because the rules are delivered through Active Directory Group Policy and each rule names the user or group it applies to, different users on the same machine can be given different policies.

Whitelisting helps when a user or system is tricked into running an executable which is not what it appears to be. But malicious code can still run through vulnerability exploits that hijack an already-allowed process, or by abusing an allowed interpreter such as PowerShell, so whitelisting is not a complete block on it.

There are many other whitelisting systems from third parties with more capabilities, including Bit9 and Lumension.

Whitelisting has been an important part of mobile operating systems management for some time. EMM (Enterprise Mobility Management) solutions often provide an "enterprise app store" to which IT can restrict users, and allow only corporate and approved outside apps in it.
