
A Byrd’s Eye View: The State of IT Security

Recently I joined Jon Soldan, Daniel Bowden, and Robert Humphreys (of Property Solutions, the University of Utah, and the Western Governors University, respectively) in an Alumni Speakers Series panel discussion on cyber security threats.

Over the past 15 years, in various roles from system administration to engineering positions, I’ve witnessed exploits ranging from small WordPress SQL injections to full-blown multi-gigabit denial-of-service attacks from large-scale botnets. Some of those DDoS attacks were so massive they crippled our systems, even though we were routed through DDoS mitigation.

The past 12 months were an active period for security vulnerabilities. Highly impactful bugs were found in core services and technologies (like SSL): Heartbleed, POODLE, Shellshock (and now FREAK!).

Fortunately, the principles of a secure system remain largely the same. First, avoid risky behaviors (weak passwords, opening emails/attachments from someone unknown, pissing off Anonymous!, surfing sites known for malware, etc.).

Then, follow these IT security best practices:

  • Only grant access to those who need it. (The principle of least privilege)
  • Patch your systems and configure them to standard
  • Stop using MD5/SHA for password hashing; instead, use adaptive hashing via bcrypt (based on the Blowfish cipher) with a random salt (okay, that’s a new one)
  • Lower your risk portfolio by making your information less useful if compromised (for example, use a third-party credit card tokenization service instead of storing credit card numbers yourself)
  • Don’t say embarrassing things in emails or chats (Thanks, Sony!)
  • Centralize logging of all server information
  • Enforce and audit your information security policies regularly
  • Invest in security awareness and education
  • Audit code for secure coding practices
  • Install antivirus and malware prevention tools for all workstations and production servers
  • Secure the endpoint
  • Audit your firewall configurations
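
The password-hashing item in the list above, as an added example that is not part of the original post: it contrasts unsalted MD5 with a salted adaptive hash and upgrades old records when a user logs in. It uses scrypt from Python's standard library as a stand-in for bcrypt so it runs without third-party packages; the record format, function names and cost values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Current work factor (assumed value). Raise it as hardware gets faster.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

def legacy_md5(password):
    """The 'before': unsalted and fast. Equal passwords give equal digests."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()

def _scrypt(password, salt, n):
    return hashlib.scrypt(password.encode(), salt=salt, n=n,
                          r=SCRYPT_R, p=SCRYPT_P, dklen=32).hex()

def hash_password(password, n=SCRYPT_N):
    """Salted adaptive hash. The cost and salt travel with the record."""
    salt = os.urandom(16)  # fresh random salt per password
    return "scrypt${}${}${}".format(n, salt.hex(), _scrypt(password, salt, n))

def verify(password, record):
    """Check a password against either record type (hypothetical format)."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(legacy_md5(password), record)
    if scheme != "scrypt":
        return False  # unknown scheme: reject
    try:
        n, salt_hex, digest = rest.split("$")
        expected = _scrypt(password, bytes.fromhex(salt_hex), int(n))
        return hmac.compare_digest(expected, digest)  # constant-time compare
    except (ValueError, TypeError):  # malformed record: reject
        return False

def needs_rehash(record):
    """True for legacy MD5 records and for records below the current cost."""
    scheme, _, rest = record.partition("$")
    return scheme != "scrypt" or int(rest.split("$")[0]) < SCRYPT_N

def login(password, record):
    """Return (ok, record_to_store); upgrade weak records on success."""
    if not verify(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)
    return True, record
```

Store the record returned by `login` in place of the old one, so MD5 entries disappear as users sign in.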

 

By: Ryan Byrd

 
