At the 2015 Security B-Sides conference in San Francisco, I caught up with Dave Lewis (@gattaca), global security advocate for Akamai, and Bill Brenner (@billbrenner70), senior technical writer for Akamai, for a conversation about big cloud mistakes. Here are their four suggestions on what to avoid.
Not doing proper input sanitation
These are SQL injection problems and it’s a solvable problem that can be helped by a cloud provider, such as Akamai, but it’s also something that needs to be addressed by the application itself, “because you have to look at it as a defense-in-depth approach. You want to know your applications are taking security into account, when you’re writing them,” said Lewis.
Falling for social engineering tricks
“People are still very susceptible to clicking on links when somebody tries to trick them with a message of ‘You should see what somebody else is saying about you,’” said Brenner.
Poor password management
We’re all inundated with the need to manage multiple accounts with multiple IDs and passwords. It’s impossible to manage 60 or even hundreds of different accounts with passwords. To manage that complexity, people often use the same password or weak passwords, explained Brenner. “That really sets you up for someone to come in and really cause trouble with all your different accounts.”
Not locking down your registrar information
“Make sure your registrar information for your domain is locked down,” said Lewis. “You want to make sure that you have that sort of information set up in such a way that it’s not easily compromised. There are some registrars out there where you can send them a fax on falsified letterhead and actually change that data to point to a site that the customer no longer controls.”