to be COMPLETELY ANAL i suppose you could deny ALL incoming access and permit ONLY the ip addresses you work from. then it is more work whenever you change a connection but i am aware of that policy. additionally, i suppose someone could spoof your ip.
I keep hearing other security holes are large enterprise environments. you might lock the heck down on the corp network but then joe blow uses his company provided ipad with 4glte internet and connects right into something that isn't controlled by the internal network security policy and someone comes in that way....

robots, aren't they great? Script kiddies....

----- Original Message -----
From: CBB - Jay Fuller
To: [email protected]
Sent: Friday, September 30, 2016 1:10 AM
Subject: Re: [AFMUG] the future of internet security

i truly believe about 80% of all hacking is social engineering - - convince the company to let you in - - you're with the phone company to get faster internet. let me in the server room. i guessed my ex-girlfriend's cat's name.

i have no idea what is involved in hacking the DNC phone records or hillary's emails... probably not social engineering. weak passwords? I know looking at a mikrotik log there are tons tons tons tons of random ips guessing root passwords... i usually just disable those ports.

----- Original Message -----
From: CBB - Jay Fuller
To: [email protected]
Sent: Friday, September 30, 2016 1:00 AM
Subject: the future of internet security

Travis brings up a very good point with his randomware query.....and i caught the tail end of a discussion with i think it was cisco on some tv channel that i thought also raised some very good points. One thing I always like about trade shows and user group get togethers is conversations about topics like this.

on tv the point was made that the internet is no longer coming "into one business" or a clearly defined demarcation point. with the advent of internet of things and distributed work environments there is no longer just one place to look at securing.

as i thought about this it became very clear to me. for example, even our company is pretty distributed. we have up to five office staff that work from home at any given point in time - myself included.
we use web browsers and the powercode WISP management system - that does reside from within our network - but on a public IP address. At my house (and at least two of our techs) they are not within our network footprint or the trees are so thick there is limited to no service here. so my connection comes in off a cable modem. I also have a voip phone - going back to our office - and our netsapiens voip switch.

in the near future we will probably have voip phones, remote access to our office (i do have a mikrotik with a permanent vpn connection to the office, but the aforementioned devices are all public ip accessible), if i happen to be visiting my parents or at a location with nothing more than a windows pc, i can access powercode or plug my phone in and hopefully not have to create a vpn connection or a remote desktop connection or remember to clean those credentials off.

in fact, even more annoying is a lake rental property we have with a pretty smart tv. i've watched some netflix out there in between renters but when i leave and come home 'cause it's rented, you better be sure you clean your netflix account off that smart tv...

what about home security systems? connected homes? yes, i suppose they all login to the cloud and authenticate - hopefully by something more than just a username and a password. would be nice if they authenticated by serial number or something - (like a mac address?) but maybe we access those with our smart phones, over our verizon 4glte connection, and not our home wifi, or maybe my dad's ipad - which is provided by his company and has company software on it - and probably shouldn't access my home automation stuff. heaven forbid if my neighbor somehow accidentally connects to my home automation software instead of theirs - (hah, surely not)

one thing i have seen a lot more of and am probably good with - is this two factor authentication.
our rental management portfolio (homeaway) requires confirmation of both an email alert and txt alert to your phone before you can login (at least on a new device) - which i'm sure is set by a cookie. i've seen this in banks too - so it's obviously more secure - but i also saw it once (i think) on ebay or paypal - - where someone registered a disposable phone to my account - and then somehow used that to authenticate fraudulently - that took some tracking down.

an associate recently notified me they wanted to change from using yahoo as "free email" (i told them it sold to verizon anyway, not a bad thing to look for something else) - to something else cause it now required a cellphone to be registered. i know from running a wisp about 40% of my customer base has a new cellphone number every three months. must be the dating folks...

i suggested gmail - they laughed, said they didn't like gmail's clunky interface - - i have to admit i have been annoyed by it. i have one company on gmail's domain and spam gets "eaten" then never delivered - even if it is legitimate mail. after about three months of training the system i think it is finally delivering what it is supposed to - - but who knows.

ok, i've rambled. but i think it's a good topic for discussion. what does security -- not network security (cause we're on like 15 different networks, no?) - - what does security look like moving forward? is the two-factor authentication becoming standard? what is better? Where do we go from here?

Good day. :)
