After too long a hiatus, our popular list of things that we see go wrong on a regular basis is back. As I sit here writing this, I obviously haven't had a dollar for every time I've heard the following. I can only hope…
“An attacker wouldn’t know that”. Attackers are sneaky people. They generally know more than you think, and unfortunately for those defending against them, they have time on their side. With enough effort and enough desire to compromise something, an attacker will find out what they need to know.
“We don’t store unencrypted credit card data anywhere”. This one always makes us raise our eyebrows. If we had a dollar for every time somebody said this alone, we would retire to a private island somewhere nice and warm and spend the rest of our days sipping mojitos and smoking Cuban cigars.
“We have a web application firewall, we’re safe”. Good security practice is all about defence in depth, implemented smartly. No security product or appliance is a magical silver bullet that will make your problems go away. A wise man once said that rather than buying a single security appliance, people would be better off buying a Ferrari as a company pool car – the TCO would be similar to that of an enterprise-grade appliance over a 2-3 year period, and there would probably be a better return to the company. (Happier security staff!)