Getting Back to Security Basics

There seem to be new security dangers and exploits every week. For example, Microsoft detected new malware targeting Macs that run Office. If you’re in IT and either have or are working toward an information systems degree, this probably doesn’t surprise you.

But the sad truth is that some things don’t seem to change. In security, one of them is that old vulnerabilities never go away and always need vigilance. For example, the new danger to Macs is based on an Office vulnerability that Microsoft patched three years ago.

Malware writers have taken an increased interest in Macs and other Apple devices because of their rapid increase in market share, particularly in the U.S. Unfortunately, Macs have developed an undeserved reputation for being invulnerable to attacks, and people have been slow to apply updates and patches to them.

The people who created this most recent piece of attack software realized this and took advantage of it. Such attitudes become dangerous to corporations as the bring-your-own-device movement, with employees using their personal consumer smartphones and tablets at work, continues to gain ground.

Unfortunately, that is just the beginning, as new types of attacks also increase. For the first time, hacked websites have targeted Android and the many millions of smartphones and tablets it runs. How should IT professionals react?

First, by remembering that even in new attacks, it’s generally the basics that criminals focus on. They look for low-hanging fruit: the types of mistakes in practices and programming they are accustomed to finding. Neglecting to apply patches is just one example. Another is in Web programming, where certain business logic flaws typically undercut security, including the following:

  • Weak authorization implementation in application access control lists and privileges can give attackers a way to gain the access of a higher-level user.
  • Coding data and business logic into browser cookies can let attackers reverse-engineer critical aspects of an application and open a door into it.
  • If attackers can find a way to see business rules and system variables, they might deduce the context and possibly redefine them to further their ends.
  • Client-side software, such as JavaScript, Flash, or Silverlight, might also be reverse-engineered, giving attackers access.
  • If attackers can see into cached user profiles and identities, they might gain the information they need to appear like anyone to the software.
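
The first two items above (weak authorization and business logic carried in cookies) are easy to show side by side. The following is an added example, not code from the original article: a hypothetical role check that trusts a `role` cookie the client can rewrite, beside a hardened version that keeps only a server-signed identity in the cookie and looks the role up server-side. The user table and secret are constructed sample data.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed sample data: a server-side user table and a server-side secret.
USERS = {"alice": "user", "bob": "admin"}
SECRET = b"server-side-secret-for-demo"


def parse_cookies(header: str) -> dict:
    """Parse a raw Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def weak_is_admin(cookie_header: str) -> bool:
    """Vulnerable: the authorization decision is copied from a client-controlled cookie."""
    return parse_cookies(cookie_header).get("role") == "admin"


def sign_session(user: str) -> str:
    """Server issues an identity token: '<user>.<hmac>'. No business data goes in the cookie."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def hardened_is_admin(cookie_header: str) -> bool:
    """Hardened: verify the token's MAC, then decide the role from server-side state only."""
    token = parse_cookies(cookie_header).get("session", "")
    user, _, mac = token.rpartition(".")
    if not user:
        return False
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; a tampered or forged token fails here.
    if not hmac.compare_digest(mac, expected):
        return False
    return USERS.get(user) == "admin"
```

With the weak check, an ordinary user only has to edit the cookie to be treated as an administrator; with the hardened check, changing the user name or the role in the cookie invalidates the MAC and the role never leaves the server.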

(There are more examples in the InfoWorld article that are worth reading.) Again, none of these vulnerabilities are new in theory or practice. But without knowing the typical weaknesses that criminal hackers might look for, a company is in danger. This is why security remains a hot IT hiring area and why having advanced training, like a master’s in information systems, can help your career.
