Posts Tagged 'Security'

September 27, 2011

The Challenges of Cloud Security Below 10,000 Feet

This guest blog was contributed by Wendy Nather, Research Director, Enterprise Security Practice at The 451 Group. Her post comes on the heels of the highly anticipated launch of StillSecure's Cloud SMS, and it provides some great context for the importance of security in the cloud. For more information about Cloud SMS, visit www.stillsecure.com and follow the latest updates on StillSecure's blog, The Security Samurai.

If you're a large enterprise, you're in pretty good shape for the cloud: you know what kind of security you want and need, you have security staff who can validate what you're getting from the provider, and you can hold up your end of the deal – since it takes both customer and provider working together to build a complete security program. Most of the security providers out there are building for you, because that's where the money is; and they're eager to work on scaling up to meet the requirements for your big business. If you want custom security clauses in a contract, chances are, you'll get them.

But at the other end of the scale there are the cloud customers I refer to as being "below the security poverty line." These are the small shops (like your doctor's medical practice) that may not have an IT staff at all. These small businesses tend to be very dependent on third party providers, and when it comes to security, they have no way to know what they need. Do they really need DLP, a web application firewall, single sign-on, log management, and all the premium security bells and whistles? Even if you gave them a free appliance or a dedicated firewall VM, they wouldn't know what to do with it or have anyone to run it.

And when a small business has only a couple of servers in a decommissioned restroom*, the provider may be able to move them to their cloud, but it may not be able to scale a security solution down far enough to make it simple to run and cost-effective for either side. This is the great challenge today: to make cloud security both effective and affordable, both above and below 10,000 feet, no matter whether you're flying a jumbo airliner or a Cessna.

-Wendy Nather, The 451 Group

*True story. I had to run some there.

September 1, 2011

The Importance of Network Security

On Friday, April 27, 2011, I powered on my Sony Playstaton 3 and prepared to sit down for an enjoyable gaming session. As a Sony customer and a PlayStation Network (PSN) user, I expected my system to be able to connect to a service that I was told would be available. Because I had to sign an agreement to join the PSN, I expected my personal information to be secure. On that morning, I logged in and had no idea that my personal security might be at risk due to a lack of tight-knit practices and possible information redundancy.

My many years of brand loyalty held strong as I was told constantly that the PSN was down as a result of a maintenance. I understand that emergencies happen and proper planning by a professional company is in place to shorten the duration of impact. As it turned out, proper planning for this type of event seemed to have been lost on Sony. A malicious security cracker was able to infiltrate their network to gain access to numerous PSN customers' sensitive personal information. This kind of blunder had every PSN customer wondering what could be done to prevent this kind of event from happening again.

You probably noticed that I used the word "cracker" as opposed to the more common "hacker." A hacker is an extremely knowledgeable person when it comes to computers and programming who knows the ins and outs of systems ... which is completely legal. The typical misconception is that all "hackers" are engaged in illegal activity, which is not true. If the hacker decides to use these skills to circumvent security for the purpose of stealing, altering and damaging (which is obviously illegal), then the hacker becomes a cracker. To put it simply: All crackers are hackers, but not all hackers are crackers.

When I started working at SoftLayer three years ago, I was told to pay very close attention to our company's security policy. Each employee is reminded of this policy very regularly. Proper security practice is essential when dealing with private customer data, and with the advancement of technology comes the availability of even more advanced tools for cracking. As a trusted technology partner, it is our obligation to maintain the highest levels of security.

There is not a day at work that I am not reminded of this, and I completely understand why. Even at a personal level, I can imagine the detrimental consequences of having my information stolen, so multiply that by thousands of customers, and it's clear that good security practices are absolutely necessary. SoftLayer recognizes what is at stake when businesses trust us with their information, and that's one of the big reasons I'm to work here. I've gone through the hassle and stress of having to cancel credit cards due to another company's negligence, and as a result, I'm joining my team in making sure none of our customers have to go through the same thing.

-Jonathan

May 31, 2011

Bringing Home Data Center Security

Look at any time period in mankind's history, and you'll come to the undeniable conclusion that technology changes the daily lives people in any society. With the evolution of technology, our lives have gotten so much easier. Consider all the little luxuries and conveniences available now to get tasks done in the workplace and home. Unfortunately, our rapid technological advancements aren't necessarily exclusive to the "good guys" ... The "bad guys" are benefiting from new technologies as well. Crime and theft have become more sophisticated, and as a result, more technological advancement has to be pursued in security, and it's pretty remarkable to see some of the security measures and technologies put in place by companies like SoftLayer.

The day I started working here, I thought I was actually joining the CIA. I had to undergo several procedures to gain access to all the facilities: I had my photo taken and my fingerprints scanned before I registered for multiple key cards. The first job I had out of college only required its employees to have a single key card that allowed entrance through one door with access to all areas. Needless to say, it was a lot different to work in such a secure environment.

To give you an idea of what kinds of security we have at our data center, I'll walk you through my daily experience. I step into our lobby and am usually greeted by multiple security guards behind what appears to be bullet-proof glass. I have to pass a fingerprint scanner and numerous secured door checkpoints to get into the office. Every move is under the scrutiny of video cameras recording every square inch of the building. Big Brother is always watching, and for SoftLayer customers, that should be reassuring.

The facility's security reminds me of the movie Minority Report, and while those security measures may seem unnecessary or excessive, they're actually just visible evidence of SoftLayer's focus on the importance of security both online and in the physical realm.

Thinking about safety, I've also started considering heightening security at my home with a few security cameras. Some of my friends joke that this consideration is a sign of impending paranoia, but the "better safe than sorry" mantra should always be kept close to heart when it comes to protecting valuables. Apparently, I'm not alone in my home security research ... A day after writing a good portion of this article, I came to work and in the morning a coworker told me he'd recently bought a security camera with night vision for personal use. I didn't expect such a coincidence, and of course I enthusiastically replied to my coworker that I was thinking about making a similar purchase.

In closing, I'd like to ask you if you've entertained the idea of increasing security in your own home, and if so, do you have any suggestions about what equipment to purchase and features that prove useful? I doubt I'll go as far as hiring security guards and installing fingerprint scanners, but you never know!

-Danny

March 1, 2011

API Basics: REST API - "Hello World"

Learning SoftLayer's API
When I first started to look at SoftLayer's API, I favored the SOAP programming interface because I liked the strictly formatted XML responses, the good separation of concerns (using the server as proxy for data retrieval) and the increased security. All of these are great reasons to use the SOAP interface, but once I saw how easy and direct the REST interface is, I decided that I would use it as my cornerstone for learning the SoftLayer API.

REST API
Although the REST software archetype is a difficult concept to explain, its practice has become natural to those of us who use the internet daily. Imagine that the information that you want to know is saved as a web page somewhere and all you have to do is type in the URL, it will prompt you for a username and password, and you will see the information that you requested.

Authentication
Before making a request you will need to find your API authentication token. To do this, log into your customer account and click API under the Support tab. Click the "Manage API Access" link. At the bottom of the next page you will see a drop-down menu that says "Select a User" and above it a tag that says "Generate a new API access key." Select a user and click the "Generate API Key" button. You will see your username and the generated API key for that user. Copy this API key, as you'll need it to send commands SoftLayer's API.

"Hello World"
Unfortunately, there is no specific "Hello World" command in SoftLayer's API, but there are some commands that are very simple and don't require any variables, like the getObject() method. APIs are like component libraries, split into web services and methods of that service. The SLDN has a full list of SoftLayer's web services to choose from. I am going to use the getObject() method from the SoftLayer_Account service in this example:

https://api.softlayer.com/rest/v3/SoftLayer_Account.xml

  • You will be prompted for your username and API access key
  • XML data type output

https://USERNAME:PASSWORD@api.softlayer.com/rest/v3/SoftLayer_Account.json

  • Automatic authentication
  • JSON data type output

The Request
Here is the basic REST request structure:

<code>https://<u><em>username</em></u>:<u><em>API key</em></u>@api.service.softlayer.com/rest/v3/<u><em>serviceName</em></u>/<u><em>InitializationParameter</em></u>.<u><em>returnDatatype</em></u></code>
  • All requests are sent via secure transfer (https://)
  • Listing your username and API key before the URL allows for automatic HTTP authentication
  • Service and serviceName both refer to the web service you are trying to access
  • InitializationParameter is only used if the method you are calling requires an initialization Parameter
  • SoftLayer's REST API can respond with either JSON or XML data types; replace returnDatatype with the type you would like to receive.

The Data
Looking at the first link above, your browser should be able to output the response data in XML format, showing information about your account. More information about the format of the data can be found on the SLDN wiki.

REST Basics
When you start integrating this into a website you will want to get/make a function or library to handle advanced requests and to properly receive and disperse the response; I recommend using JQuery. This is the most basic example of a function call for SoftLayer's API, I hope that it will help you get a feel for the information that you will need to pass to our server and the kind of response that you will receive.

-Kevin

February 17, 2011

API Basics: REST

What is REST?
"Representational State Transfer," or REST, is a style of software architecture designed to relate different types of hypermedia to each other for distribution. The basic concept of REST is that a client application can request information from a server in the form of a representation of a resource without actually downloading an entirely new resource. This is how the World Wide Web works.

The World Wide Web
A browser is a client side application which requests information from a server; the server then accepts the request and transfers data back to the browser. The data transferred is not an application; it simply gives instructions to the client-side application (the browser), which then uses those instructions to properly display some information. Downloading information from a server changes the application state of the browser. The result of that change in state is a new website, which is therefore named the new state, so when new websites are downloaded by a browser, it is transferring representational data for a new application state.

How does REST relate to SoftLayer's API?
SoftLayer's API has many different avenues for implementation; one of these avenues is simple data transfer using the GET method in HTTP. Hyperlinks are one of the most basic examples of REST in action. When the user clicks on the hyperlink it requests information from the server and responds by transferring back representational data, in this case the data is expressed as either XML or JSON.

What are the disadvantages of using a REST API?
REST requests must contain all information, including authentication, within the URL. This can lead to security threats somewhere down the line. Luckily, SoftLayer allows you to add any number of users to your account, and then restrict their access to specific servers/services. This way your customers can utilize SoftLayer's API without a security risk to you or each other. They can even create their own users and further restrict access.

What are the advantages of using SoftLayer's REST API?
Direct client to server communication is the biggest advantage of using REST. The other protocols that SoftLayer uses to communicate data to the API require server-side scripting; this means that you will have to program your websites to use the host server as a proxy for calling SoftLayer functions. With REST you can directly link to the information that you want to display, using XLST or JavaScript to display it. You can also use AJAX with JSONP or script injection to dynamically update your webpage.

REST
The REST archetype is the most natural API for HTTP. This sets it above others in that there are no secondary programs needed to interact with HTTP (like SOAP), which means less computing time and better performance. REST APIs also don't need to use a proxy server for remote procedure calls. This decreases server load and bandwidth usage and further increases website performance. SoftLayer's REST API is easy to implement, and with SoftLayer's tiered user system its security flaws can be eliminated. This is why I prefer SoftLayer's REST API over the others.

Basic REST function calls are detailed in the SoftLayer Development Network (SLDN) here.

-Kevin

February 15, 2011

Five Ways to Use Your VPN

One of the many perks of being a SoftLayer customer is having access to your own private network. Perhaps you started out with a server in Dallas, later expanded to Seattle, and are now considering a new box in Washington, D.C. for complete geographic diversity. No matter the distance or how many servers you have, the private network bridges the gaps between you, your servers, and SoftLayer's internal services by bringing all of these components together into a secure, integrated environment that can be accessed as conveniently as if you were sitting right in the data center.

As if our cutting-edge management portal and API weren't enough, SoftLayer offers complimentary VPN access to the private network. This often-underestimated feature allows you to integrate your SoftLayer private network into your personal or corporate LAN, making it possible to access your servers with the same security and flexibility that a local network can offer.

Let's look at a few of the many ways you can take advantage of your VPN connection:

1. Unmetered Bandwidth

Unlike the public network that connects your servers to the outside world, the traffic on your private network is unlimited. This allows you to transfer as much data as you wish from one server to another, as well as between your servers and SoftLayer's backup and network storage devices – all for free.

When you use the VPN service to tap into the private network from your home or office, you can download and upload as much data as you want without having to worry about incurring additional charges.

2. Secure Data Transfer

Because your VPN connection is encrypted, all traffic between you and your private network is automatically secure — even when transferring data over unencrypted protocols like FTP.

3. Protect Sensitive Services

Even with strong passwords, leaving your databases and remote access services exposed to the outside world is asking for trouble. With SoftLayer, you don't have to take these risks. Simply configure sensitive services to only listen for connections from your private network, and use your secure VPN to access them.

If you run Linux or BSD, securing your SSH daemon is as easy as adding the line ListenAddress a.b.c.d to your /etc/ssh/sshd_config file (replace a.b.c.d with the IP address assigned to your private network interface)

4. Lock Down Your Server in Case of Emergency

In the unfortunate event of a security breach or major software bug, SoftLayer allows you to virtually "pull the plug" on your server, effectively cutting off all communication with the outside world.

The difference with the competition? Because you have a private network, you can still access your server over the VPN to work on the problem – all with the peace of mind that your server is completely off-limits until you're ready to bring it back online.

5. Remote Management

SoftLayer's dedicated servers sport a neat IP management interface (IPMI) which takes remote management to a whole new level. From reboots to power supply control to serial console and keyboard-video-mouse (KVM) access, you can do anything yourself.

Using tools like SuperMicro's IPMIView, you can connect to your server's management interface over the VPN to perform a multitude of low-level management tasks, even when your server is otherwise unreachable. Has your server shut itself off? You can power it back on. Frozen system? Reboot from anywhere in the world. Major crash? Feeling adventurous? Mount a CD-ROM image and use the KVM interface to install a new operating system yourself.

This list is just the beginning. Once you've gotten a taste of the infinite possibilities that come with having out-of-band access to your hosted environment, you'll never want to go back.

Now, go have some fun!

-Nick

January 11, 2011

Jurassic Park, Uptime, And You!

Some of you may remember in the movie Jurassic Park where the park founder's granddaughter Lex, played by Ariana Richards, sits down at a computer terminal, gasps, and says "This is Unix. I know this!" That particular film moment has always resonated with me as a victory for realistic depiction of computer systems - the interface used in the movie is called fsn and was an actual Unix file manager - in an industry rife with horrific exaggerations; Swordfish, anyone? I'm sure there's an unwritten story as to how she (or her brother if you follow the book) gained her skills at a computer system that in 1993 was almost exclusively relegated to universities. However, I digress.

Shortly before that scene was another scene and catchphrase that should resound with familiarity to system administrators around the world. In the face of marauding dinosaurs and computer sabotage, the character John Arnold, played by Samuel L. Jackson, must sacrifice what I'm sure was an absurd amount of uptime by killing the power and rebooting the mainframe. Would the system come back up? Would everything load up as needed to get the park's systems back online? John's mantra was simple: "Hold on to your butts!"

Every day as a Systems Administrator I'm faced with a comparable (though far less exhilarating) situation. Linux is an extremely stable operating system, and I have logged into systems that have been online for quite literally years. Eventually, though, kernel updates or stray mounts necessitate a reboot. Will the server's filesystems need a check on reboot? Will the server even come back up? When a server's been online for that long, the only way to know is to "throw the switch" and cross your fingers.

One way to have a better idea of how your system will behave during reboots in a production environment is to take the time to update your kernel once a month or so and perform a reboot to make sure the update sticks. This allows routine file system checks to take place as necessary and keeps your system abreast of the latest kernel updates. It also familiarizes you with how long the process takes, what sort of caveats you may run into, and reduces the overall surface area of your server to outside attackers.

In the last year, I have seen at least two exploits that can give an attacker root access to a server running an outdated kernel using common toolkits that can attack commonly deployed Content Management Systems with trivial effort. Compromising an unprivileged user account gives an attacker even more leverage against unpatched systems. Google CVE-2009-2695 and CVE-2010-3081 if you don't believe me.

If you run a production system or even a backend system that is exposed to the big, bad Internet, it is absolutely essential to make sure that your kernel, software, and security measures are up to date. Today's Slashdot article is tomorrow's exploit.

What lesson can we learn from the unfortunate folks at Jurassic Park? Don't assume your server is safe and don't wait until there are velociraptors roaming your halls looking for a snack to perform proper maintenance on your system.

-Adam

December 6, 2010

I, the undersigned, certify under penalty of perjury...

“I, the undersigned, certify under penalty of perjury”, “We believe the following host has recently been compromised”, “I received the below unsolicited commercial e-mail”, are a few statements that we as The Softlayer Abuse Department receive on a routine basis. The responsibility of responding to these quite serious matters in of itself is what gives us our motivation and niche in the overall scheme of this company: the protection of our networks global reputation. Without a firm and diligent abuse department, many of our customers would experience extreme packet loss left and right. Some customers may be affected by another provider’s block on an entire subnet, due to a single server periodically attacking their network for a month. Others would assuredly have their IP addresses consistently listed in spam databases, and therefore restricting e-mail contact to most or all of their clients. So in order to help keep these things from happening; we need to ensure that any reported or detected abusive activities occurring on our network are thoroughly responded to. We do this by analyzing abuse reports, determining the nature of the issues, and if an issue is valid, a ticket is opened with the customer for further correspondence as we track the issues resolution. At the same time, we maintain communication with other organizations and providers to ensure that matters are quickly addressed.

While most issues are resolved, or are being resolved within 24 to 72 hours, some issues require a quicker response. One of these is Phishing sites, which need to be removed within a shorter time frame. Our procedures regarding these sites are due to the fact that they are one of the most dangerous and wide spread issues on the internet today. If you’re not familiar with, or just want to read up on some of the latest news regarding these sites, you can get everything you need to know at APWG’s (Anti-Phishing Working Group) website. Softlayer’s membership within APWG allows us access to the most recent industry level trends and activities for a range of abusive issues. This gives us a much greater insight and oversight to identify and resolve issues that are negatively affecting our network. I can’t speak too much publicly past the above general time frames; since most abuse work is to some degree like spam filters, immediate disclosure of detection methods and procedures would render them useless. However, I can say that we believe one of the most effective methods for combating phishing is consumer education. If users are familiar with how fraudulent operations work, they are more likely to recognize components of them when they see them and not become victims. In support of this concept, we encourage all of our customers to respond to phishing site ’take downs’ by replacing the phishing site with a redirect to the APWG’s phishing education landing page. This page is an informative document that explains to the user that they were about to become a victim of illegal activity, and goes on to explain phishing in more detail. Most people in today’s modern society won’t go too far out of their way to obtain new information regarding trends in cybercrime. As such, the moment in which someone is about to be the victim of a phishing scam is considered to the ‘teachable moment’. This is the moment that someone has clicked on a link that they believe goes to their banks’ website, but are redirected to an educational page about phishing instead. The page is also configured to work with a variety of different languages, based on the client browser settings. As more people encounter the APWG’s landing page instead of a phishing site, the faster phishing education will spread and the less number of potential victims will exist. You may find information on how to implement the redirect here.

One of the next most concerning matters that we address is, servers being used by unauthorized third parties to conduct some form of outbound attack. While each are in there own way malicious and need the same attention, here’s a few specifics on some of the general different types. Password Cracking/Brute Force – this is typically done by malicious content attacking multiple hosts simultaneously while attempting various username and password combinations, typically with a massive list of pre-defined words. One of the easiest ways to help protect a server against being effected is to change at least your SSH, FTP, RDP, to non standard ports and ensure that you have complex passwords. I would also advise enabling account lockouts after a certain number of failed login attempts. Another predominant type of malicious scanning is doing so on an entire netblock by checking each host within them to see if one or more ports are open per host, which is then reported back to a database for later use in the latter form of attack. Essentially anything that is in some way part of an intrusion attempt is a priority.

Next we move on to an area of abuse that has most likely affected all of us at some point in time – Malware. This is a very general term we use to describe any software that has been written with malicious intent. The possible functions and uses for malware are only limited by the imagination and the software platforms that they are built upon, assuming that the infection process doesn’t accidentally crash the server. Various forms of malware have been identified as responsible for every type of abuse issue noted in this article at some point in time. While at the same time, malware on your server is not the guaranteed reason it may be conducting outbound abusive activities. Most specific malware related tickets are in reference to a single or series of malicious files that are publicly accessible. These issues are often resolved quickly upon deletion of the file(s) in question. However, it is also equally as important to ensure that any security vulnerabilities that allowed these files to be uploaded are repaired, or you can almost guarantee that the problem will reoccur. Microsoft reported that during the 1st half of 2008, over 90% of system vulnerability and subsequent infections were attributable to ‘weak’ applications rather than malware targeting the operating system itself. – Microsoft S.I.R. Vulnerabilities within the application layer remained the predominant risk throughout the 2nd half of 2008 as well. Malware in general has remained a formidable electronic adversary through 2009 and on to the present. As such, it is very important to ensure that you are using the most current version of all installed applications, and that they were written by a trusted source in addition to the maintaining the operating system security.

One very common form of malware effecting servers is an IRC(Internet Relay Chat) bot. One bot alone can be responsible for the infections of countless other machines. This is commonly done by injecting malicious code into poorly written PHP scripts. However, the bigger problem with an IRC bot is the fact that it’s connected to an IRC Botnet Controller, which is capable of commanding massive amounts of infected hosts simultaneously. While these are typically used for spam or other similar illicit activities, there is still the potential for the infected servers to be involved with even worse situations. These are in effect: A virtual army that’s literally capable of taking small countries off of the internet grid. In June of 2007, the F.B.I. initiated operation ‘Bot Roast’ an ongoing investigation to locate the people behind the wires. But in the mean time, needless to say, these matters need to be addressed as soon as possible.

During our triaging of abuse reports, we also address the very common issue of Spam. The three major types listed in order of priority are: Phishing, General Fraudulence, and other infected hosts Spam. However, you may also be audited, if you will, with a Spam ticket regarding a mailing list one of your clients is operating. For additional information regarding email marketing and the industry’s best practices, spamhaus.org's FAQ is a very useful resource.

Keeping the above in mind, there is also one last thing to consider; maintain a backup of all removed malicious content after it has been found. This evidence could prove invaluable to law enforcement, should the request for it be presented. We also encourage you to review your access logs to determine the source IP address(s) of any intruder or other malicious entity, such that you may report it to the appropriate organization. As it is with many other aspects of life, communication regarding these issues remains critical for timely and appropriate resolutions.

-Andrew Smith - Martinez

Categories: 
August 5, 2010

Security Myths part 2

Security Myth #4: A hardware firewall will stop the evil hackers from the internet. They also stop viruses and spam emails.

The Facts: A hardware firewall will filter your traffic based on a set of rules. If properly configured, this will certainly harden your system from certain types of attacks. However, if you want to stop intrusion attempts on your server, you probably want to implement brute force protection or intrusion detection (IDS). Most operating systems nowadays include brute force protection in one form or another (although it may not be turned on by default). If you want an IDS, there are several options available. Here at SoftLayer, we offer McAfee Host Intrusion Protection System (or HIPS for short) for Windows systems. This will offer you some additional protection against intrusion attempts, but it is no substitute for a well patched system with strong passwords. This is especially important to know if you contract with an outside agency to configure your firewall for you. It’s easy to delude yourself into a “set it and forget it” attitude toward security. I can’t tell you how many administrators I’ve talked to that have asked “how did I get hacked? I had a firewall!”

The Side Effects:

  • Having a hardware firewall means an additional step to allow access to ports. Can be time consuming.
  • Having a hardware firewall can potentially mean an additional point of failure.
  • Too many rules can mean degraded performance.

Security Myth #5: I run a Unix/Linux based system, so I can’t get hacked.

The Facts: I have seen a fair share of Unix based systems get hacked, simply because the user is unfamiliar with the OS. Running everything from within a control panel is convenient, but make sure you or one of your administrators is familiar with command line access.

The Side Effects:

  • Running a control panel can cause more security holes

Security Myth #6: I have my Wordpress (or other web application) patched to the latest version, so I should be fine.

The Facts: WordPress is a piece of cake to install. You don’t even need to know how to code in HTML. This means you can install it and have it working properly, and still forget to correct your filesystem permissions. You need to make sure that you read the installation documentation and complete all steps. If you just stop reading once the application starts working, you could potentially forget to correct your permissions and someone could gain access as an administrative user. I ran into a situation one time where a user was utilizing a web interface to manage an online marketplace. I was shocked to find out that the link he sent me allowed me in without the use of a password! Make sure that your application doesn’t use the default password or a blank password.

The Side Effects:

  • Having the latest version is great, but make sure you take a 360 degree look around to make sure nothing is out of place

Security Myth #7: I am getting SPAM messages, but I have a firewall.

The Facts: A firewall does not filter SPAM messages. You might look into the free SpamAssassin software that will filter email for potential SPAM. http://spamassassin.apache.org/

July 27, 2010

Security Myths Part 1

The world of IT security is full of partial truths and paranoia - some of which is completely justified. Sometimes, steps are taken that actually are beneficial, but without knowing the reason behind the precautions, many administrators are lulled into a false sense of security. Here are some common misconceptions that I see in action frequently:

Security Myth #1: If I set my password strong enough, my system will be secure.

The Facts: There are many ways to compromise a system. For example: exploitable code on your website, lax filesystem permissions, and publicly accessible services running on your system (such as email or chat). In fact, having a long secure password is often like having a steel security door with retinal scan technology on a grass hut. Don’t get me wrong, having strong passwords is a great thing, but don’t forget to look at the rest of your system!

The Side Effects:

  • Longer passwords take longer to type (obviously).
  • You are more likely to forget a longer password.
  • You are more likely to mistype a longer password (and get locked out).
  • If you force this policy on your end users they are more likely to write the password down (bad).

Security Myth #2: If I replace letters with their corresponding l33t speak numbers (e.g. hello -> h3110), it will make my password more secure.

The Facts: Technically, yes it will make your password more secure, but only marginally. Simple character substitution is a common feature among brute force tools. This will slow down the brute force attack, but your system may still eventually be compromised by a hybrid dictionary attack. You might also consider configuring the brute force protection options on your server.

The Side Effects: There are no side effects - in fact, this is a far greater idea than simply using a dictionary word. However, it is best to also add some additional numbers or letters to throw off brute force tools. Many brute forcers also allow for pre-pending or post-pending a string of numbers (e.g. 123hello or hello123). It is better to place random numbers or characters in the middle of your password so that it is not vulnerable to a dictionary attack (e.g. hagen!23daas). Another alternative to a secure and easy to remember password is make an acronym of a famous phrase or quote. For example: “sticks and stones may break my bones” -> “S&smbMb!$”.

Security Myth #3: If I change the port number for RDP/SSH/Plesk or turn off ping response, my server will be safe.

The Facts: This is the myth of “security through obscurity.” Changing your port number or turning off ping will only reduce attacks from computer worms and extremely lazy hackers. Say for example that you run a website on your server. Anyone who knows the URL of the website can easily find your IP address (by ping or nslookup). Then all they have to do is port scan that IP address (using a port scanning tool such as nmap or SuperScan) to see which ports are open. If your passwords are secure enough, you needn’t worry too much about the brute force attacks from the internet. You should only consider this a secondary safeguard just in case the server happens to have a vulnerable service running on it. Your first priority is making sure your system is properly patched and updated.

The Side Effects:

  • It is very difficult to track or troubleshoot packet loss on servers that have ICMP blocked.
  • Changing ports may confuse your users.
  • You will need to remember to include this port information in any technical support request.
  • Many automated systems or scripts will require custom configuration.
Subscribe to security