In the Internet age, information security incidents have become commonplace. Even HBGary Federal, an established security company that worked with the US military, was hacked. Being on the Internet means exposing yourself to a large number of attackers, so you have to be deliberate about protecting your information. In many cases information security is not a technical problem but a matter of human awareness and habits. The HBGary breach is an almost comic example: an administrator received an email that the attackers had spoofed to look as if it came from his boss, and in response he disabled the firewall and handed over backend SSH access to the other party, which amounts to opening the door for the intruder.
Of course, the administrator is not entirely to blame: the attackers had already taken over the boss's email account and knew a previous password for the system, so the request looked highly credible. Still, it shows that no matter how good the technology is, people must stay security-conscious. Had the administrator thought twice before shutting down the firewall and confirmed the request by phone, the outcome might have been different.
I have found that many people, everywhere, do not have enough awareness of information security. Plenty has already been written about information security in general, so I will take the programmer's perspective: I mostly develop on Windows, and from my own experience I have summarized the following mistakes that Windows programmers often make:
1. Developing on an XP system without setting an administrator password. If you are a programmer, set an administrator password on your XP machine so that nobody else can take it over.
2. Not encrypting your own code. Without encryption your code can easily be read by others. I have explained this in detail in the article "The simplest, most effective code file encryption and protection method, and the one best suited to programmers: EFS", so I will not repeat it here.
3. Setting a weak password for a server, or leaving the password empty. This is rare, but it does get overlooked, and do not assume it cannot happen to you. We once had a system that we believed was only used internally, so we never set an administrator password; later we discovered that a port had been mapped to the Internet for access and the password had been changed. So it is best to build the habit from the very beginning: apart from pure test systems, the Administrator account must always have a strong password.
4. Concatenating SQL statements in code, which leads to SQL injection vulnerabilities. This is the single most likely way for a system to be hacked. The key to the HBGary breach was an SQL injection vulnerability in its CMS. The website HBGary built was itself reasonably secure, but it used a third-party CMS, and that weak link allowed the administrator account to be cracked and guessed, at which point the security everywhere else counted for nothing.
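As an added illustration of this point (example code written for this page, not code from the article or from HBGary's CMS), the following Python script puts the concatenation pattern next to the parameterized form against a constructed in-memory SQLite table. The user names and passwords are sample values. A user name that merely contains an apostrophe is enough to show the difference: the concatenated statement is parsed as SQL and fails, while the bound parameter is compared as plain data.

```python
import sqlite3


def make_sample_db():
    """Constructed in-memory user table; names and passwords are sample values, not real credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "sample-admin-pw"), ("o'brien", "sample-ob-pw")],
    )
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """The pattern the article warns about: user input is spliced straight into the SQL text,
    so whatever the user types is parsed as part of the statement."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders in the SQL text, values bound by the driver,
    so input is only ever compared as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def probe(conn, login, username, password):
    """Run one login function and report either its result or the exception it raised."""
    try:
        return ("ok", login(conn, username, password))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_sample_db()
    for name, pw in (("admin", "sample-admin-pw"), ("o'brien", "sample-ob-pw")):
        print(name, "concatenated: ", probe(db, login_concatenated, name, pw))
        print(name, "parameterized:", probe(db, login_parameterized, name, pw))
```

The syntax error is the mild symptom; the same parsing behaviour is what lets crafted input change the meaning of the statement. Any input that reaches the SQL text through string building must be replaced by a bound parameter, and the same applies to table names and ORDER BY clauses, which need an allow-list rather than a placeholder.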
5. Transmitting the logon password in plaintext. Plaintext transmissions get intercepted on the Internet, so encrypted transmission is the general recommendation, yet I have seen many systems that do not do this.
6. Editing JSP files directly with a text tool and not deleting the .bak backup file it leaves behind. The consequence is that an attacker can download the .bak file directly and study the JSP source, creating further risk.
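A deploy-time sweep for leftover backup files, as an added example (my own code for this page, not from the article). The suffix list is an assumption to be adjusted to the editors your team uses, and the directory tree it scans is constructed in a temporary folder purely to demonstrate the check; in practice you would point it at the real web root before the application goes live.

```python
import os
import tempfile

# Suffixes that editors and copy-paste habits commonly leave in a deployment directory.
# Assumed list for this example; extend it to match the tools your team actually uses.
BACKUP_SUFFIXES = (".bak", ".orig", ".old", ".swp", ".tmp", "~")


def find_stray_backups(web_root, suffixes=BACKUP_SUFFIXES):
    """Walk web_root and return the relative paths of files that look like leftover backups."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        for name in filenames:
            if name.lower().endswith(suffixes):
                rel = os.path.relpath(os.path.join(dirpath, name), web_root)
                found.append(rel.replace(os.sep, "/"))  # normalise separators for reporting
    return sorted(found)


def build_sample_webroot():
    """Constructed sample deployment tree (temporary directory) for demonstration only."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.jsp": "<%-- sample page --%>",
        "index.jsp~": "<%-- editor backup --%>",
        "admin/login.jsp": "<%-- sample page --%>",
        "admin/login.jsp.bak": "<%-- leftover backup --%>",
        "WEB-INF/web.xml": "<web-app/>",
        "WEB-INF/web.xml.orig": "<web-app/>",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    stray = find_stray_backups(root)
    for path in stray:
        print("stray backup:", path)
    # A deploy script stops here with a non-zero exit status when anything was found.
    raise SystemExit(1 if stray else 0)
```

Run this as the last step of the deployment script so that a non-empty list blocks the release; a web server rule that refuses to serve these suffixes is a useful second layer, but removing the files is the real fix.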
7. Logon auditing not enabled on servers or development machines. On servers logon auditing is usually enabled automatically, but developers frequently log on to their own machines remotely, and logon auditing should be enabled there too so that malicious attempts are recorded.
8. Backup files left unencrypted and stored wherever convenient. Backup files are safe enough on the server itself, but over time they tend to migrate to a file server or a USB flash disk, where there is a risk of leakage.
9. Modifying or upgrading a production system casually without thinking it through. I paid for this one myself. I used to upgrade things on a whim; once I carelessly restarted an important service in the middle of the night without having thought through the restart, and the service failed to come back up. The customer's server stopped responding, I could no longer connect to the service to do anything about it, and I was scared to death. Fortunately I had set up a scheduled detection script for automatic recovery: about an hour later the script ran its periodic check, found that the related services were not started, and restarted and restored them automatically. It was a bloody lesson. Since then I have been very careful about upgrades: I think everything through in advance, and I never dare to skip the backup.
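The kind of recovery script described in the last item, written out as an added example (my own code for this page, not the author's script). The check and restart use sc.exe and therefore assume they run on the Windows server itself; the service name is a placeholder. The decision logic is kept separate from those two calls so that it can be exercised with fakes, including the case where restarting never helps and the script should report failure instead of looping forever.

```python
import subprocess
import time


def windows_service_running(name):
    """Ask the Windows service control manager for the state of one service.
    Assumes sc.exe is available, i.e. that this runs on the Windows server itself."""
    result = subprocess.run(["sc", "query", name], capture_output=True, text=True)
    return "RUNNING" in result.stdout


def windows_service_start(name):
    """Request a start via sc.exe; success is verified by a later query, not by this call."""
    subprocess.run(["sc", "start", name], capture_output=True, text=True)


def ensure_running(is_running, restart, max_attempts=3, settle_seconds=0.0):
    """One watchdog pass: if the service is down, try a bounded number of restarts and
    report what happened. The check and restart actions are passed in as callables so
    the logic can be tested without touching a real service."""
    if is_running():
        return {"status": "running", "restarts": 0}
    for attempt in range(1, max_attempts + 1):
        restart()
        time.sleep(settle_seconds)  # give the service a moment to come up before re-checking
        if is_running():
            return {"status": "recovered", "restarts": attempt}
    return {"status": "failed", "restarts": max_attempts}


def watchdog(service_name, interval_seconds=3600, settle_seconds=5.0):
    """Periodic loop; the article's script checked about hourly, hence the default interval."""
    while True:
        outcome = ensure_running(
            lambda: windows_service_running(service_name),
            lambda: windows_service_start(service_name),
            settle_seconds=settle_seconds,
        )
        # A real deployment would also alert on "failed" rather than only logging it.
        print(time.strftime("%Y-%m-%d %H:%M:%S"), service_name, outcome)
        time.sleep(interval_seconds)


if __name__ == "__main__":
    watchdog("ExampleService")  # placeholder service name, not a real one
```

The bounded retry matters: a service that crashes on every start because of a bad upgrade should surface as a failure for a human to look at, not be restarted in a tight loop.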
In addition, I often see people installing tools such as 360, QQ and Thunder on servers. These tools are meant for individual users and are not designed or optimized for servers, so installing them on enterprise-grade servers is inappropriate. Personal anti-virus software on a server in particular seriously affects system performance and stability. I personally consider this very unprofessional and irresponsible.
In general, security awareness comes first and security technology second: even the best technology is useless if it is not used, or is used improperly. In reality it is hard for me to get everything right myself, and there is no absolute security; after all, even the experts make mistakes. That goes even more for the general public, who can only try to build information security habits as best they can.