In this post, we get insights from Greg Johnson, Vice President of business development at A-Lign. He will present “The Song Remains the Same: A Decade of Unchanged Attack Vectors” at the North America Community Meeting in Las Vegas.
You’ve worked with breached merchants for many years. What are some of the more surprising things you’ve learned?
Greg Johnson: It’s amazing to me how the same old same old vulnerabilities and issues keep resurfacing – which is the main point of my presentation. The other thing is how little care so many businesses give to security just to save a little money. Those that got breached discovered the hard way that investing up front in security, policies and testing is not an optional endeavor. I am always amazed at the shortsightedness of business owners both large and small!
Weak passwords are a common problem. What are some best practices for strong passwords?
Greg Johnson: Obviously the longer the password, the harder it is to crack, but then one runs into the problem of remembering it without writing it down. I don’t believe passwords should be any less than 8 characters, and should include 1 or more caps and 1 or more special characters. Example: 2Secure!sMe!
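The rules Greg describes (minimum length, at least one capital letter, at least one special character) are easy to turn into an enforceable check. The following is an added example and is not code from the original post or from A-Lign; the `MIN_LENGTH` constant, the `check_password` function and the small `COMMON_PASSWORDS` set are assumptions made for this illustration. The denylist goes slightly beyond the interview by also rejecting passwords that meet the character rules but are commonly reused, which is the other half of what makes a password weak in practice.

```python
import string

# Policy values taken from the interview: at least 8 characters,
# one or more uppercase letters, one or more special characters.
MIN_LENGTH = 8
SPECIAL_CHARS = set(string.punctuation)

# Constructed sample of commonly reused passwords (hypothetical list).
# A real deployment would check against a large breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "welcome1!", "qwerty123"}


def check_password(candidate: str) -> list[str]:
    """Return the list of policy rules the candidate fails.

    An empty list means the password satisfies the policy. Returning every
    failure (rather than stopping at the first) lets the caller show the
    user everything they need to fix in one round.
    """
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isupper() for ch in candidate):
        failures.append("no uppercase letter")
    if not any(ch in SPECIAL_CHARS for ch in candidate):
        failures.append("no special character")
    # Case-insensitive match so trivial capitalisation doesn't bypass the list.
    if candidate.lower() in COMMON_PASSWORDS:
        failures.append("appears on the common-password list")
    return failures


def is_acceptable(candidate: str) -> bool:
    """True when the candidate passes every rule in check_password."""
    return not check_password(candidate)


if __name__ == "__main__":
    for pw in ["2Secure!sMe!", "secret", "Welcome1!"]:
        result = check_password(pw)
        print(f"{pw!r}: {'OK' if not result else ', '.join(result)}")
```

Note that the sample password quoted in the interview passes the policy here only because it is being used to illustrate the rules; once a password has been printed in a public article it belongs on the denylist, not in anyone's account settings.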
What is the danger in not having security baked into the culture of a company?
Greg Johnson: There are two main issues here. First, without C-level approval, it is hard to get funding approved for needed hardware, software, infrastructure and expertise. Second, without HR involvement and proper training and other policies (such as background checks), there will be too many mistakes made, which can lead to a data breach.
Your presentation will touch upon misconfigured servers as a common problem. Can you share advice to prevent this?
Greg Johnson: You bet. My presentation will contain a link resource for server hardening ideas and procedures, but the best advice is simply to have a repeatable process so that things don’t get overlooked. It’s kind of like camping: if you go a lot, you know what you need, but without running through a comprehensive checklist, chances are you’re going to miss something critical. Oops, I forgot my flashlight, or darn, I forgot my lighter. Both are important for light and heat. Similarly, there are too many things to miss on a server, the least of which is whether the OS is patched and up to date. Having a repeatable process for all to follow is critical.
What is the one key takeaway you hope attendees will come away with after your discussion?
Greg Johnson: That most data breaches are not rocket science and are avoidable with good policy and security culture!
Want to learn more? Attend Greg’s session at this year’s North America Community Meeting in Las Vegas on September 20th - 22nd.