In practice, security awareness works on a simple principle: companies are only willing to fix their problems when they are being fined, or when their lack of security lands them in the newspaper. But, just as memories fade in time, the commitment to security fades quickly once a breach blows over and everyone moves on. Hopefully, more companies will begin to realize that regulatory compliance and IT security are not necessarily the same thing.
There’s just too much misinformation out there about securing application credentials.
In general, there are plenty of governance and compliance frameworks that minimize risk and improve operational security and reliability. But true security is an ongoing strategic imperative that requires a fundamental shift in IT operations.
All too frequently, these hard-coded credentials create an ASP.NET security hole because they grant unlimited access to corporate databases, or are super-user (root and administrator) accounts with unlimited, domain-wide access.
It is the height of arrogance for a company to set up business in China, or any other foreign country, and fail to respect the laws and customs of that country. China has the right and obligation to do what it feels is in the best interests of its citizens and Google has no right to impose its “moral” values on China’s citizens. For example, if China requires web filtering and Google does not wish to comply, Google cannot complain about the repressive nature of China to the United States government, while at the same time reaching into the pockets of advertisers to enrich itself on this same web traffic.
Default passwords for these powerful, out-of-band management devices are seldom changed and are widely published. [For example, Dell cards use the default password calvin.] This means that anyone with network access and malicious intent can log in and power down your datacenter hardware.
The poor state of security at banks and financial institutions continues to make headlines, with cases like the HSBC breach bringing embarrassing attention to this already beleaguered industry. This problem is the result of a fragmented, feudal system of homegrown IT development that has evolved over the last 30 years, though not for the better.
Rodney Gedda of CSO Magazine recently posted an excellent description of a security phenomenon known as the “trust time bomb”. In his article, Gedda explained how, over time, employees accumulate an incredible number of privileges that grant them dangerous access. This is akin to the problem of database administrators (DBAs) who retain DBA superuser privileges indefinitely, and of IT staff who use the same password on every system in the company as a matter of convenience.