- Folks will continue to use abc123 as their password. They will then be surprised when they’re completely pwned.
- Folks will continue to not patch their apps and operating systems. They will then be surprised when they’re completely pwned.
- Folks will continue to run apps as administrator or with god-like privileges. They will then be surprised when they’re completely pwned.
- Folks will continue to click shit. They will then be surprised when they’re completely pwned.
- van der Stock’s immutable law of gullibility: Folks will continue to be sucked in by incredibly basic scams. They will then be surprised when they’re completely pwned.
- Folks, despite extensive and continuous evidence to the contrary for over 25 years, will continue to be sucked in by grandiose vendor claims (“buy X now, and you’ll be protected from X…”) in the unfounded belief that technological solutions can fix people problems. They will then be surprised when they’re completely pwned.
- Folks will continue to allow mobile and web apps to transmit their sensitive crap without any form of transport layer encryption. They will then be surprised when they’re completely pwned.
- Folks will turn on a firewall and think they’re safe. They will then be surprised when they’re completely pwned. It’s not 1995 any more. Never was.
- Folks will continue to run old crap, or allow old crap to connect to them. They will then be surprised when they’re completely pwned.
- Folks will continue to think that they will be safe if they just virtualize or cloud enable their crappy apps. They will then be surprised when they’re completely pwned.
If we can’t learn from our most basic of basic mistakes, 2012 will be exactly like 1989 – 2011. And that’s sad.
Because I hate solution-free hand-waving posts like the above, here are some basic solutions:
- Adopt strong authentication TODAY – passwords have NEVER been appropriate.
- Patch your crap.
- Implement low privilege users and service accounts.
- Don’t click shit.
- Learn about basic phishing and scams.
- Fire folks who post on Twitter or Facebook all day. You know who they are.
- Don’t buy any product marked “Protects against APT”. If you do, fire yourself as you’re an idiot.
- Only use products that use SSL. If you don’t know whether a product does, assume it doesn’t and find something that does.
- Evaluate your security needs with 2012 in mind – firewalls alone are a few sheep short of a full paddock.
- Upgrade to the latest OS and apps. Not only will your users love you, it’ll be harder to attack you.
- Protect data assets no matter where they are. The plumbing is unimportant.
Awesome man
Pretty awesome post.
Looks like getting pwned motivated you to write this post
Oh and BTW, about 8, folks usually stop their firewalls to allow crap to pass in
AFAIK, I’ve not been pwned. I’ve dealt with folks being pwned this year, and that makes me a sad panda.
I normally write about the security trends for the future year as my last post of the year, and unfortunately, I was proven right again with the mass attack on everyone from Google through BlackOps and w00w00. I was sick of all the other trends blog posts banging on about things that no one cares about except to sell more crap or scare folks, when basic, basic stuff isn’t being fixed, like getting rid of passwords.
2012 has to be about getting rid of passwords, patching crap, upgrading to Windows 7, Lion or the latest distro, and killing IE 6 / 7 / 8. If we can’t do that this year, it’ll be more of the same.