A while ago I read a totally riveting book called "The Art Of
Intrusion" by Kevin D Mitnick, the legendary hacker who was sent to
jail for his intrusion exploits. He runs a security company now,
that tests your security and reports back on how well you've done.

He says one of the most common failures of security systems of all
kinds is that they rely on a secure perimeter. The theory is that
if we keep the hordes out of the city at the boundaries, that's all
we need to do. Unfortunately all the bad guys need is a single crack
in that outer perimeter and they can go wherever they like. So his
hacking attempts usually meant hunting for some hole in the wall, and
once through that hole the entire enterprise was laid out for the
taking.

He'd find a router left online but unsecured by some lazy support
person who wanted to be able to work from home. Or a long-forgotten
modem somewhere, and once through that security hole, there were no
other security blockers and the whole network was his for the raping
and pillaging.

The lesson we learn from this? Don't rely on only one defense
mechanism. All it takes is one crack in that armour and you're dead.
You need to use all the weapons you have at your disposal. In this
case, we need to use the Regex blockers, <cfqueryparam>, strong
passwords, regular password changing, separate physical machines
for web and database - everything you can think of to make it more
difficult for the attackers.

That book was a great read on its own, but a real education for me as
a web developer. I heartily recommend it. The opening chapter is
highly amusing - where he is hired to probe security at a company, and
at the review meeting where he presented his report, he said "yes, I
managed to get in and managed to get some unauthorised access. And
I think you should have done a better job on your application for a
raise. And did you know you are being paid less than others of
equivalent rank in your company? Oh and the profits you're going to
report next month are x xx xx ... you have a secretary who is having
an affair with one of your senior execs." When their mouths gaped
open he finished it with the clincher: "oh and this PC I'm using for
the presentation - it's yours. Your security manager gave it to me,
along with remote admin access to your network, and I have been working
remotely through your network for the past month."

A fantastic read.

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
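As an added illustration of the layered approach Mike lists above (a Regex check in front of <cfqueryparam>), here is CFML that is not from the post or from the list; the datasource "shopDSN", the "orders" table and its column names are assumed:

```cfml
<!--- Added example, not from the original post. Two independent layers
      guard one database lookup, so a flaw in either one alone is not
      enough to get past both. Datasource, table and columns are assumed. --->
<cfparam name="url.orderID" default="">

<!--- Layer 1 (the "Regex blocker"): the id must be a plain positive
      integer of 1 to 10 digits; anything else is rejected before it
      gets anywhere near SQL. --->
<cfif NOT REFind("^[0-9]{1,10}$", url.orderID)>
    <cfthrow type="Application" message="Invalid order id">
</cfif>

<!--- Layer 2 (cfqueryparam): the value travels to the database as a
      typed bind parameter, separate from the SQL text, so even if the
      check above were weakened later the driver never treats the
      input as part of the statement. --->
<cfquery name="qOrder" datasource="shopDSN">
    SELECT orderID, customerName, total
    FROM   orders
    WHERE  orderID = <cfqueryparam value="#url.orderID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- For contrast, the single-layer version this replaces: whatever
      arrives in url.orderID is spliced straight into the SQL text,
      so one missed check is the one crack Mitnick describes. --->
<!---
<cfquery name="qOrder" datasource="shopDSN">
    SELECT orderID, customerName, total FROM orders WHERE orderID = #url.orderID#
</cfquery>
--->
```

The same pattern applies to every request variable that reaches a query: validate its shape first, then bind it with the matching cfsqltype rather than relying on either step on its own.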


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311339