rooksecurity.com

On the other hand, the disdain that accompanies discussions of this principle overshadows the benefits that basic obscurity techniques can provide, particularly in light of modern search engines. In fact, while it should never be relied upon as a sole defense, obscurity techniques can mitigate many security risks that organizations face, limit the number of alerts that monitoring tools trigger, and help the operations team focus on the alerts that truly matter. For example, the GitHub project, SQLiv, uses Google to search for, and exploit as able, URL patterns that are often vulnerable to SQL injection on any application on the Internet. By following basic obfuscation techniques, an organization can limit its search engine footprint and thus mitigate the risk of general exploit scripts and novice hackers.

We’ve all seen Stuxnet, Flame, Shamoon, and others leveraged in precision attacks for the sole purpose of inflicting damage on enemies of the state. In the brief period after the cold war, important international actors largely shifted their focus away from this strategy with the goal to surgically hit the target with precision, reliability, and minimal collateral damage. It seems evident that the most recent author of Petya only included the exploit to drag the NSA’s name (and the United States) through the mud while it took down their adversary. If Stuxnet, Flame, and Shamoon were logical bombs with defined targets, these are “dirty” bombs with no care of civilian casualties.

For instance, the below policies are commonly found within an organization’s security policy: Acceptable Use Policy: outlines the acceptable use of a business’s physical and digital resources Audit Policy: describes the requirements for risk assessment and audits of the business ’s information and resources Extranet Policy: defines the requirements for third parties that access the business’s network Password Policy: provides the specific requirements for creating secure passwords and keeping passwords private Wireless Standards Policy: describes what wireless devices may connect to the business’s network and how to use these devices in a safe manner. Retailers should put controls in place to ensure that employees and users have access to data and company resources on a “need to know” basis, meaning access to these resources should be given only if there is a business need. A documented process should be developed that ensures: (1) appropriate access is granted to users, based on job role or business need, (2) access is revoked or modified anytime an employee departs the company or changes positions; user rights/access should be updated in a timely manner, and (3) access should be assessed periodically on a documented cadence (quarterly, semiannually, annually).

Security Operations includes your developers, HR, sales, marketing and all other business units. The same technique is applied whether the attacker wants W-2s or credit card numbers. Brute Force attacks against open RDP servers should be an issue of the past (on so many levels). Not to mention the thought process that another blinking light will solve your lack of people, process, or education problem.