Page 2 of 3 (results 11 to 20 of 27)

Thread: I use Apple products because they are not vulnerable to security problems <NOT>

  1. #11 slgrieb (Senior Member; Join Date Mar 2014; Location Texas Panhandle; Posts 2,647)
    Actually, "bank" security doesn't get compromised as often as datacenter security. So, what you get is a breach that affects perhaps dozens of banks in 5 or 6 states. Joy. So, yes you can generally recover your money, but different financial institutions will handle the issue differently. This happened a couple of years ago to some of the folks I work with, and most of the institutions replaced the stolen funds immediately. Some, however, took a few days to do it, and pissed off a lot of customers. Even if the funds are replaced immediately, there's still the cost and inconvenience of card replacement which also includes updates to automatic bill paying that uses the cards, and any other online commerce sites you use.

    The situation isn't always very clear where responsibility lies either. Look at the Target breach: FireEye appears to have provided information to Target that perhaps should have caused an earlier response, but you could also consider the info a bit ambiguous, or perhaps the IT staff had a lot to do, and not enough eyes to watch everything. In any case, it's always easy to second guess.
    Yes, Mr. Death... I'll play you a game! But not CHESS !!! BAH... FOOEY! My game is...
    WIFFLEBALL!

  2. #12 CeeBee (Senior Member; Join Date Jan 2014; Posts 1,677)
    Quote Originally Posted by Webhead:
    A couple months ago I started talking to the staff about 2 factor authentication. Of course everyone I have ever talked to about this is immediately turned off by the idea of it. On one hand, it's very secure to use it. But it's confusing for many people and so they don't use it. Personally I think it's pretty easy once you use it a bit. But most people are turned off to the idea.
    The security of a system is as good as its weakest link.
    2-factor auth won't help. Add an account locking policy and block after N attempts, implement strong passwords that don't change way too often and it's literally as good as it gets - one would literally have to know the password to get through, brute force is impractical. That's not where the breach occurs in most instances anyway.
    The issue is with a user inserting an infected USB stick. Or downloading malware. That shit runs in the security context of the already authenticated user. Do they do VPN? Even 10-factor auth won't help if the client is infected and gets access.
    If you want secure remote users there is a tool for making a portable Windows on a stick.
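The "lock after N attempts" policy CeeBee describes, written out as a small self-contained Python engine. This is an added example, not code from the forum or from any product mentioned in the thread; the policy numbers (5 attempts, 15-minute window, 15-minute lock), the `FakeClock` and the user name `alice` are constructed for the demonstration. The lock is checked before the password, so a locked account answers the same way whether or not the guess was right.

```python
"""Account lockout after N failed logins: a minimal per-account policy engine."""
import time
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_attempts: int = 5           # failures allowed inside the window before locking
    window_seconds: float = 900.0   # failures older than this no longer count
    lockout_seconds: float = 900.0  # how long the account stays locked


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    """Tracks failures per account; the clock is injectable so a test can fast-forward."""

    def __init__(self, policy: LockoutPolicy, clock=time.time):
        self.policy = policy
        self.clock = clock
        self.accounts: dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        return self.clock() < self._state(user).locked_until

    def attempt(self, user: str, password_ok: bool) -> str:
        """Return 'locked', 'ok' or 'denied'.

        The lock is evaluated before the password result is consulted, so while
        locked the caller learns nothing about whether the guess was correct.
        """
        now = self.clock()
        st = self._state(user)
        if now < st.locked_until:
            return "locked"
        if password_ok:
            st.failures.clear()
            return "ok"
        # Forget failures outside the sliding window, then count this one.
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_attempts:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return "locked"
        return "denied"


class FakeClock:
    """Constructed clock for the demonstration; replaces time.time()."""

    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> list:
    """Five wrong guesses, a correct one during the lock, then one after it expires."""
    clock = FakeClock()
    guard = LoginGuard(LockoutPolicy(max_attempts=5, lockout_seconds=900), clock)
    results = []
    for _ in range(5):
        results.append(guard.attempt("alice", password_ok=False))
        clock.advance(1)
    results.append(guard.attempt("alice", password_ok=True))  # right password, still locked
    clock.advance(901)
    results.append(guard.attempt("alice", password_ok=True))  # lock has expired
    return results


if __name__ == "__main__":
    print(demo())
```

A per-account lock on its own lets anyone who knows a username keep that account locked by feeding it wrong passwords, so in practice it is paired with per-source rate limiting or a growing delay rather than a hard lock. As CeeBee's post says, this only addresses online guessing; it does nothing against malware running inside an already authenticated session.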

  3. #13 Webhead (Senior Member; Join Date Jan 2014; Posts 1,829)
    Quote Originally Posted by slgrieb:
    Actually, "bank" security doesn't get compromised as often as datacenter security. So, what you get is a breach that affects perhaps dozens of banks in 5 or 6 states. Joy. So, yes you can generally recover your money, but different financial institutions will handle the issue differently. This happened a couple of years ago to some of the folks I work with, and most of the institutions replaced the stolen funds immediately. Some, however, took a few days to do it, and pissed off a lot of customers. Even if the funds are replaced immediately, there's still the cost and inconvenience of card replacement which also includes updates to automatic bill paying that uses the cards, and any other online commerce sites you use.

    The situation isn't always very clear where responsibility lies either. Look at the Target breach: FireEye appears to have provided information to Target that perhaps should have caused an earlier response, but you could also consider the info a bit ambiguous, or perhaps the IT staff had a lot to do, and not enough eyes to watch everything. In any case, it's always easy to second guess.
    That's actually what I had in mind when I was writing earlier. I was thinking about the Target breach. Basically bad guys figured out that they could get access to Target customers' financial account information by using a backdoor they discovered with the sloppy HVAC people that Target used. So in other words, no matter how secure a system is, there is ALWAYS a way. Just a matter of finding it.

    When I started reading that "We Are Anonymous" book, the first thing I learned is that one of their most powerful attackers wasn't even very technical. He was a mastermind at social engineering. I forget the guy's name, but the guy's got impressive skills.
    Last edited by Webhead; 09-06-2014 at 03:32 AM.

  4. #14 Webhead (Senior Member; Join Date Jan 2014; Posts 1,829)
    Quote Originally Posted by CeeBee:
    The security of a system is as good as its weakest link.
    2-factor auth won't help. Add an account locking policy and block after N attempts, implement strong passwords that don't change way too often and it's literally as good as it gets - one would literally have to know the password to get through, brute force is impractical. That's not where the breach occurs in most instances anyway.
    The issue is with a user inserting an infected USB stick. Or downloading malware. That shit runs in the security context of the already authenticated user. Do they do VPN? Even 10-factor auth won't help if the client is infected and gets access.
    If you want secure remote users there is a tool for making a portable Windows on a stick.
    That's another thing. And in fact this is where Apple blew it. They allowed a brute force attack to be successful. Apple offers 2-factor authentication but it's not implemented very well. There are a number of flaws in their system. Hopefully they fix it. But as far as 2-factor auth goes, it's pretty good. Let's say a bad guy gets my un/pw; then the bad guy needs to also somehow get the account info from my phone's authenticator system (SMS, Google Authenticator, etc.). With 2FA, it's not just what you know but rather what you know + what you have. I mean, it's *possible* in theory I suppose, but the likelihood is so slim. I feel very secure using 2-factor. Do I still sleep with one eye open? Yes, but I feel much better with 2FA than without.

    So when the service provider mitigates brute force attacks by shutting down the service after X attempts and on top of that, using 2FA along with caution, you should have a pretty good sense of security.
    Last edited by Webhead; 09-06-2014 at 03:33 AM.

  5. #15 Webhead (Senior Member; Join Date Jan 2014; Posts 1,829)
    By the way, there's another part you mentioned that is very important. Passwords. Even though we all know to create "secure" passwords, nobody does. And why? For the same reasons they won't use 2FA. Too complicated for them. I'm using Dashlane. If you guys read up on it, you'll discover it's a pretty good way to manage passwords. Because here's another thing: People tend to reuse passwords. So guess one, guess them all. With Dashlane it generates secure pw's for all your stuff.

    But can't the bad guy hack your Dashlane and take everything? Well he can certainly try. The master key is not stored anywhere. Here: https://www.dashlane.com/security

    Then finally, more about passwords -- we have to determine, "What makes a secure password?" These days you'd probably need a 20+ character secure pw (caps, lowercase, symbols, numbers). However, it doesn't have to be that way. You can use dictionary words delimited by symbols. For example, "iPhone!Security!Sucks" would take a hacker forever to break. That type of password is more secure than a "secure" password and easier to remember.

  6. #16 Webhead (Senior Member; Join Date Jan 2014; Posts 1,829)
    Couple of links to check out...

    link: http://preshing.com/20110811/xkcd-password-generator/

    link: http://www.baekdal.com/insights/pass...rity-usability

    The second link might be outdated actually. I think there is a newer version of it somewhere but I'm too lazy to look for it at the moment. But you get the idea. I think I've posted this here before. And part of me thinks someone here was refuting the math on that page. But as far as I know the info on there is pretty solid.
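Webhead's two posts above (the "dictionary words delimited by symbols" suggestion and the xkcd-style generator link) both rest on the same arithmetic: a password's strength against guessing is the log2 of the number of equally likely candidates, and a word drawn at random from a list of W words contributes log2(W) bits no matter how long it is. The Python below is an added example, not code from the forum or from the linked generator pages; it puts that arithmetic in functions, adds a generator that draws words with the `secrets` module, and compares a few constructed cases. The 32-word list, the 100,000-word "attacker's dictionary", the 7776-word list size and the 10^10 guesses-per-second rate are all assumptions for the demonstration. The word-list figures assume the worst case for the defender: the attacker knows the list and the separator and only has to guess the words.

```python
"""Entropy of word-based passphrases vs. character-class passwords, plus a generator."""
import math
import secrets

# Constructed 32-word list for the demonstration only. A real generator draws
# from a list of thousands of words; with 32 words each one adds only 5 bits.
WORDS = (
    "anchor battery candle dolphin engine fabric garden hammer island jacket "
    "kettle ladder meadow needle orbit pillow quartz ribbon saddle timber "
    "umbrella velvet walnut yellow zipper acorn bridge cactus desert falcon "
    "glacier harbor"
).split()

# Size of the alphabet an attacker must cover for a random "caps, lowercase,
# symbols, numbers" password: printable ASCII including space.
PRINTABLE_ASCII = 95


def bits_random_chars(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Entropy of `length` characters chosen uniformly from `alphabet` symbols."""
    return length * math.log2(alphabet)


def bits_wordlist(num_words: int, list_size: int) -> float:
    """Entropy of `num_words` words chosen uniformly from a list the attacker knows."""
    return num_words * math.log2(list_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right candidate: on average half the space is searched."""
    return (2 ** bits / 2) / guesses_per_second


def generate_passphrase(num_words: int, separator: str = "!", wordlist=WORDS) -> str:
    """Draw words with a CSPRNG; never use random.choice() for this."""
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


def compare(guesses_per_second: float = 1e10) -> dict:
    """Bits and expected crack time in years for a few constructed password shapes.

    The guess rate is an assumption standing in for offline cracking of a fast
    hash; an online login behind a lockout policy is many orders of magnitude slower.
    """
    cases = {
        "8 random printable chars": bits_random_chars(8),
        "3 words, attacker's 100k-word dictionary": bits_wordlist(3, 100_000),
        "4 words from a 7776-word list": bits_wordlist(4, 7776),
        "6 words from a 7776-word list": bits_wordlist(6, 7776),
    }
    year = 365 * 24 * 3600
    return {
        name: (round(bits, 1), expected_crack_seconds(bits, guesses_per_second) / year)
        for name, bits in cases.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:45s} {bits:6.1f} bits  ~{years:.3g} years")
    print("sample:", generate_passphrase(4))
```

Running `compare()` shows the point of the xkcd argument: three common words with `!` separators land near 50 bits, about the same as eight fully random printable characters, while six words from a 7776-word list pass 77 bits and are still something a person can remember. The three-word figure is the floor, not the ceiling; an attacker who does not know the word list or the separator has a larger space to search.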

  7. #17 slgrieb (Senior Member; Join Date Mar 2014; Location Texas Panhandle; Posts 2,647)
    Dashlane was unknown to me, and it looks interesting. I also generally try to use a phrase with special characters inserted between or replacing some letters. But I remain pretty old school. All passwords get recorded on 3x5 cards and filed.

    But, I also wanted to backtrack a bit and make a remark or two on security vs. usability. I have a client running the business version of MBAM, Eset Endpoint Security, and they use an online security service which provides them with a VPN connection via a Fortinet gateway, also running Fortinet's own antimalware protection, plus very tight site blocking. Nevertheless, a couple of times a year, I have to do a malware removal for them.

    Usually the infected machines come in pairs, generally from a pool of 3 specific employees. Looking at the browsing history for commonalities in site visits, it's pretty apparent that the sites are mostly legit, and that ads are the source of most of the infections. What's ironic is that if I get onsite and find that I wish I had yet another tool on my pendrive, or sometimes I just need to update a database for a tool, I'm generally 100% blocked by the site filtering from getting the desired download or update. In fact, just getting Internet access requires a login for the gateway, which times out every hour without constant activity.

    The only personnel in the company that can override these restrictions are the President and VP. They can request a temporary override on access to a specific site or sites, but it may take an hour for the request to be processed. Anyway the point is that the client has good defenses in place, but when they fail, some of the security measures can make a fix more difficult and time consuming.
    Last edited by slgrieb; 09-06-2014 at 07:46 PM.
    Yes, Mr. Death... I'll play you a game! But not CHESS !!! BAH... FOOEY! My game is...
    WIFFLEBALL!

  8. #18 Webhead (Senior Member; Join Date Jan 2014; Posts 1,829)
    Exactly. They have more security implemented but they sacrifice usability. It's a scale and choices have to be made unfortunately.

    By the way,... what's the number one threat to any business? Employees.

  9. #19 Gazzak (Senior Member; Join Date Jan 2014; Posts 448)
    So say I had something very valuable to me and HAD to keep it online somewhere. How would you guys go about making it as secure as possible?

  10. #20 slgrieb (Senior Member; Join Date Mar 2014; Location Texas Panhandle; Posts 2,647)
    Quote Originally Posted by Gazzak:
    So say I had something very valuable to me and HAD to keep it online somewhere. How would you guys go about making it as secure as possible?
    Hell of a good question! I have some stuff on Microsoft OneDrive, and my Microsoft account is secured with a long (hopefully hard to crack) passphrase. I made the change a few months ago when somebody tried to access my Microsoft Partner account using the password they stole when Adobe was compromised. Honestly, I'm not sure if I can answer your question with any real degree of authority, because so much of the security issue depends on trusting that the people who host your data use best practices. Lots of unknowns here.
    Yes, Mr. Death... I'll play you a game! But not CHESS !!! BAH... FOOEY! My game is...
    WIFFLEBALL!
