Rüdiger Voigt | last update: 2017-08-13
- National Vulnerability Database
Comprehensive database of publicly known vulnerabilities in software, maintained by the U.S. National Institute of Standards and Technology (NIST).
- Rita Tehan "Cybersecurity: Authoritative Reports and Resources" (CRS Report for Congress / R42507 / October 25, 2013)
Contains the BugTraq mailing list.
- CERT Coordination Center
CERT is part of the Software Engineering Institute (SEI) at Carnegie Mellon University.
- United States Computer Emergency Readiness Team (US-CERT)
- SANS Institute
- RSA Conference
- Chaos Communication Congress
IT-Security 101: Best Practices
Perfect security of IT systems is an illusion; even government systems and big corporations get hacked. Yet a few basic measures turn an easy target for script kiddies into a reasonably secure system.
- Staying up to date
Keep software at the latest patch level. Besides that, keep track of new threats to your IT infrastructure, for example via the advisory sources listed above.
- Antivirus software
Although antivirus software is largely ineffective against new or tailored attacks, it helps block known ones.
VirusTotal is a subsidiary of Google. The service analyzes files and URLs to identify viruses, worms, trojans and other kinds of malicious software; files of up to 64 MB can be uploaded. Before uploading, the service calculates a cryptographic hash of the file so that the same file is not uploaded twice: if the file has been checked before, the analysis can be rerun without uploading it again. Keep in mind that submitted samples are shared with VirusTotal's antivirus partners, so do not upload confidential documents.
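The hash-before-upload flow described above, as an added Python example written for this page (not VirusTotal's own code): the file is streamed through SHA-256 locally, and only the digest is sent to VirusTotal's v3 file endpoint, so the file itself is uploaded only if the service has never seen it. The endpoint URL and the `x-apikey` header are VirusTotal's public v3 API; the sample bytes and the local cache of known digests are constructed for the demonstration.

```python
import hashlib
import json
import urllib.error
import urllib.request

# VirusTotal v3 report lookup by hash (public API; an API key is required).
VT_FILE_ENDPOINT = "https://www.virustotal.com/api/v3/files/"


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so even multi-GB files never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_bytes(data):
    """Same digest for an in-memory blob (used for the constructed sample below)."""
    return hashlib.sha256(data).hexdigest()


def report_url(digest):
    """VirusTotal identifies a file by its MD5, SHA-1 or SHA-256; SHA-256 is collision-safe."""
    return VT_FILE_ENDPOINT + digest.lower()


def vt_lookup(digest, api_key, timeout=15):
    """Ask VirusTotal whether it already has a report for this hash.

    Returns the parsed JSON report, or None on HTTP 404, which is the
    "never seen" case where an upload would actually be necessary.
    Nothing but the digest leaves the machine in this step.
    """
    req = urllib.request.Request(report_url(digest), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def needs_upload(digest, known_hashes):
    """Offline stand-in for vt_lookup: decide from a local cache of digests
    that were already analysed (e.g. your own previous submissions)."""
    return digest.lower() not in known_hashes


if __name__ == "__main__":
    # Constructed sample and cache; in real use call sha256_file(path) and vt_lookup(digest, key).
    sample = b"constructed sample bytes, not malware"
    digest = sha256_bytes(sample)
    known = {sha256_bytes(b"abc")}
    print(digest, "upload needed:", needs_upload(digest, known))
```

Querying by hash first is also the privacy-preserving choice: a 404 tells you the file is unknown without having disclosed its contents.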
- Avoiding linked accounts / No password reuse
Many websites force their users to choose "secure" passwords that are long and contain digits and special characters. This helps against brute-force guessing, but people then tend to reuse the same password on many sites. If one of those sites gets hacked, the attacker may obtain the cleartext password or a weak hash of it. From that moment the person's other accounts are easy prey: automated tools test the stolen credentials against other sites within seconds (credential stuffing).
Admittedly, not every site needs a unique password. However, anything linked to cash and payment must have a strong and unique password. If attackers get into a mail account, they also receive the password-reset emails sent to it, so the address used for password resets needs a unique password too; otherwise the attacker does not have to crack the other accounts at all, but simply resets their passwords.
Wherever possible, use two-factor authentication for accounts that handle money or purchases and for the mail account that receives the password resets of other accounts!
Another problem is that some accounts control far too many aspects of people's lives. The journalist Mat Honan suffered massive data loss when, among other accounts, his Google account and Apple ID were taken over. His case illustrates the risks.
- Using encrypted connections
The best passphrase is useless if it travels unencrypted over a public network, so use SSL/TLS-encrypted connections (HTTPS, IMAPS, etc.) whenever possible, and do not click through certificate warnings.
- Backups
Data and backups should not be kept in the same building: it could burn down, or intruders could steal both.
All critical data on backup media must be encrypted in case someone gains access to the media.
Can the data actually be restored? Test restores regularly, and consider how durable the backup media are.
- Up to date
What use is an outdated backup?
- Readable file format
File backups should use well-documented and widely used file formats. Development of an application may cease, or it may not run on a new version of the operating system. There are formats designed for long-term archiving, such as PDF/A.
- Encryption
Encryption is essential for mobile systems, as they are stolen frequently.
Warning: In some countries the use of encryption software is illegal or restricted, and law enforcement agencies may compel you to decrypt your data.

| Software | License | Notes |
|---|---|---|
| GNU Privacy Guard / GnuPG | Open Source | |
| TrueCrypt | Open Source | The creators of TrueCrypt gave up development in May 2014 and issued a warning that using it is not secure as it may contain unfixed security issues (its code base lives on in the VeraCrypt fork). |
| RSA | commercial | RSA Security is a division of the EMC Corporation and headquartered in the United States. |
| BitLocker | commercial | Integrated into certain editions of Microsoft Windows. Easy to use. |
Logging, for example with rsyslog. Further reading (in German).
- Input Sanitization & Prepared Statements
To prevent SQL injection, never build queries by concatenating user input into the SQL text; use prepared statements (parameterized queries), and validate input as an additional layer.
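An added Python example of the point above (written for this page, not code from the original): the same user lookup once with the input concatenated into the SQL text and once as a prepared statement, run against a constructed in-memory SQLite table. The table, the user names and the two attack payloads are made up for the demonstration.

```python
import re
import sqlite3


def setup_db():
    """Constructed sample database: an in-memory SQLite table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", 1), ("bob", "hash-of-bob-pw", 0)],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Vulnerable: the user-controlled string becomes part of the SQL text,
    so a quote in the input ends the literal and the rest is parsed as SQL.
    (sqlite3.execute() refuses stacked statements such as '; DROP TABLE ...',
    but many other drivers and databases run them.)"""
    sql = "SELECT name, is_admin FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Prepared statement: the SQL text is fixed and the value is bound
    separately, so the input can only ever be compared, never parsed."""
    return conn.execute(
        "SELECT name, is_admin FROM users WHERE name = ?", (name,)
    ).fetchall()


USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(name):
    """Input validation as a second layer: an allowlist of characters rejects
    quotes and comment markers outright. It complements, not replaces,
    the parameterized query."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username: %r" % name)
    return name


# Constructed attack inputs.
PAYLOAD_BYPASS = "x' OR '1'='1"
PAYLOAD_EXFIL = "x' UNION SELECT password_hash, 1 FROM users --"


def demo():
    conn = setup_db()
    # Concatenation: the tautology returns every row, and the UNION payload
    # returns the password hashes, a column the query was never meant to expose.
    bypass = find_user_vulnerable(conn, PAYLOAD_BYPASS)
    exfil = find_user_vulnerable(conn, PAYLOAD_EXFIL)
    # The prepared statement just looks for a user literally named like the payload.
    safe = find_user_safe(conn, PAYLOAD_BYPASS)
    return bypass, exfil, safe


if __name__ == "__main__":
    for label, rows in zip(("bypass", "exfil", "safe"), demo()):
        print(label, rows)
```

The `--` in the second payload comments out the closing quote the application appends, which is why the injected `UNION` parses cleanly; the prepared statement never sees it as SQL at all.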
- Access Control
Use SQL commands such as GRANT and REVOKE to tailor user permissions: the account an application connects with should have only the rights its queries need (no DROP, no GRANT), so that an injection or a leaked credential does less damage.
- Encryption and salted hashes
Store passwords only as salted, deliberately slow hashes, never in cleartext or as a bare fast hash such as unsalted MD5.
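An added Python example that serves both the "weak hash of it" remark in the password section above and the salted-hashes item here (written for this page, not code from the original): a constructed dump of unsalted MD5 digests is recovered with one hash computation per wordlist entry for all users at once, whereas PBKDF2 with a per-user random salt (standard-library `hashlib.pbkdf2_hmac`) forces one slow computation per user per guess and gives identical passwords different digests. The wordlist and the "leaked" user records are made up; Argon2, scrypt or bcrypt are the better choice where their libraries are available.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist standing in for a real one (rockyou.txt has ~14M entries).
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2017"]


def md5_unsalted(password):
    """What a 'weak hash' in a breach dump usually means: fast, unsalted,
    and identical for identical passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked_digests, wordlist):
    """Hash every word once, then match the whole dump against that table:
    the cost is len(wordlist) regardless of how many users leaked. A
    precomputed rainbow table makes even that cost zero at attack time."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {digest: table[digest] for digest in leaked_digests if digest in table}


def hash_password(password, salt=None, iterations=600_000):
    """Salted, deliberately slow hash. Stored as algo$iterations$salt_hex$dk_hex.
    600k iterations of PBKDF2-HMAC-SHA256 is OWASP's recommended minimum."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored_records, wordlist):
    """With per-user salts the attacker must run the slow function for every
    (user, word) pair: len(users) * len(wordlist) PBKDF2 calls and no shared
    table, which is exactly the cost the salt and the iteration count buy."""
    found = {}
    for user, stored in stored_records.items():
        for word in wordlist:
            if verify_password(word, stored):
                found[user] = word
                break
    return found


if __name__ == "__main__":
    # Constructed 'leak' of two unsalted MD5 digests; only the weak one is in the wordlist.
    leaked = [md5_unsalted("password"), md5_unsalted("hunter2")]
    print("unsalted:", crack_unsalted(leaked, WORDLIST))
    a, b = hash_password("password"), hash_password("password")
    print("same password, different digests:", a != b, "| verifies:", verify_password("password", a))
```

The iteration count is stored alongside the hash so it can be raised over time and old records re-hashed on the user's next login.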
- Reducing data
Needless data should be deleted: this saves backup capacity, speeds up searches, and in case of a security breach less data is exposed.
- Database Activity Monitoring and Audit Logs