The Black Book of Identity Access Mgmt

    Monday, May 11, 2015

    WHAT ARE YOU WAITING FOR?

    At a recent conference in Las Vegas, hedge fund execs were warned by the Department of Justice that they need to watch their butts. An assistant attorney-general (it was Vegas, and still all they could get was a lesser mortal) told the assembled crowd that hedge fund operations represent “a tremendous amount of capital, incredibly sensitive proprietary information, and valuable algorithms, but they are small shops and they often have very weak IT.”

    At first glance, this seems ridiculous. These guys should know this already, right? “We handle money. Bad guys like to STEAL money. So we’d better be careful.”

    But if you were in the security business, you would know one inescapable fact: way way way way way way way way too many companies are not careful at all.

    “We got a firewall. We’re good.”

    “We make people change their passwords once a year, we’re good.”

    “Our accounting audit people look at our IT controls annually. We’re good.”

    But ohhhhhh, it gets worse. In the last year, I’ve seen:

    • Companies that have literally NEVER required a password change
    • A company whose guest wifi password was ridiculously easy to guess, and never changed
    • Companies with dozens of applications, all of which were manually provisioned (i.e. somebody punches names into a keyboard for every single app)
    • A company that allowed a 30-retries policy for flubbed passwords

    Now, when I heard the 30-strikes-and-you’re-out policy, I said, “Huh?” It was explained to me that they had some rather unsophisticated users who knew the business, but who were not great with a keyboard. I pointed out two things to change their minds:

    1) 30 strikes gives brute-force attacks a FAR higher chance of succeeding

    2) If someone is so ill-coordinated that he could fat-finger that much, OR that he couldn’t remember a 6-to-8 character password, that person is too dumb to work for the firm
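    To put numbers on the first point, here is an added example (not code from the original post, and not any vendor's product) that models a per-account lockout counter and runs a small constructed list of weak passwords against it under a 30-retry policy and a 5-retry policy. The user name, the candidate list, the "true" password and the fixed clock are all constructed for the simulation; a real deployment would back the `verify` callback with a hashed-credential check and use `time.monotonic`.

```python
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_failures: int        # consecutive failures tolerated before the account locks
    lockout_seconds: float   # how long the lock lasts once triggered


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class FakeClock:
    """Deterministic clock for the simulation (constructed; production code uses time.monotonic)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class LoginGuard:
    """Per-account failed-attempt counter that enforces a LockoutPolicy.

    `verify(user, password)` is the real credential check; it is injected so
    the model stays self-contained and never touches a credential store here.
    """

    def __init__(self, policy, verify, clock=time.monotonic):
        self.policy = policy
        self.verify = verify
        self.clock = clock
        self.accounts = {}   # user name -> AccountState

    def attempt(self, user, password):
        """Return 'locked', 'ok' or 'denied' for one login attempt."""
        st = self.accounts.setdefault(user, AccountState())
        now = self.clock()
        if now < st.locked_until:
            # Locked: refuse before consulting the credential check, so a
            # locked account leaks nothing about whether the guess was right.
            return "locked"
        if self.verify(user, password):
            st.failures = 0                      # a success clears the counter
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures = 0                      # counter restarts once the lock expires
        return "denied"


# Constructed sample list for the simulation; it is not a real wordlist.
WEAK_CANDIDATES = [
    "password", "123456", "welcome1", "letmein", "qwerty",
    "Password1", "hedgefund", "admin", "Spring2015", "Summer2015",
    "trading1", "changeme",
]


def run_candidates(policy, candidates, true_password, user="analyst"):
    """Submit candidates in order until one matches or the account locks.

    Returns {"found": bool, "evaluated": n}, where n counts the guesses that
    actually reached the credential check before the lock engaged.
    """
    clock = FakeClock()
    guard = LoginGuard(policy, lambda u, p: p == true_password, clock)
    evaluated = 0
    for cand in candidates:
        status = guard.attempt(user, cand)
        if status == "locked":
            break
        evaluated += 1
        if status == "ok":
            return {"found": True, "evaluated": evaluated}
    return {"found": False, "evaluated": evaluated}


if __name__ == "__main__":
    for n in (30, 5):
        policy = LockoutPolicy(max_failures=n, lockout_seconds=900)
        print(f"{n}-retry policy:", run_candidates(policy, WEAK_CANDIDATES, "Summer2015"))
```

    With the constructed password sitting tenth in the list, the 30-retry policy lets every guess through and the tenth one lands; the 5-retry policy stops the run after five evaluations, and the remaining candidates never reach the credential check until the lockout window passes. The same guard also shows the two behaviours a reviewer should look for in any lockout implementation: a successful login resets the counter, and the lock is checked before the password is, not after.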

    Many vendors (software or otherwise) segment their customers in various ways. One way is by vertical, so that you have subject matter experts selling into pharma, or power grid, or federal government. The other is by size. Enterprise accounts are massive targets, while local or national accounts are smaller. Larger accounts tend to already have an identity and access framework. In fact, many are on a second or third. Smaller ones chronically have little to nothing. The complete lack of automation always astounds me. It’s not even the number of users that matters. It can be the complexity. Compliance requirements. Difficult audits. Security worries. The number of resources.

    There’s no excuse any more. If you get nailed for lack of effort, you deserve it. Sorry, but you’re a goon. There are too many threats, and too many targets.

    Don’t think that you’re too obscure to get hit. If you manufacture the eyeballs that go on kewpie dolls that a rube might win after nineteen rounds of Skee Ball at the carnival, but you have an accounting system that dispenses money, you are on somebody’s hit list. I deal with a lot of vertical industries, and even I occasionally run into a client I’d never heard of before. I remember the first time I went into Worldcom, when they were nobody, long before they exploded and imploded, and I had to explain to my boss later who they were and why they were a customer worthy of a visit.

    Don’t be one of those many organizations I visit who are just begging for crap to happen. Protect your users. Protect your data. Start with the data, if you’ve done nothing else. And don’t think a firewall is the answer to anything beyond the basics. Be smarter than that.