Wednesday, September 7, 2011

I attended the Dallas OWASP meeting earlier today. Charles Henderson from Trustwave was talking about their data breach report for 2010. Some notes I took, with my comments:

- Attackers are continually looking for the weakest link. Should be obvious, but we always need to keep this in mind.
- Organized criminals don't trust each other. This means they often use strong security in their own work. How ironic.
- Attackers will normally try to use the existing infrastructure to get compromised data out of the organization and back to their control.
- More targeted attacks today. Example given: Sally is pregnant. Attacker finds her direct reports, sends "baby pictures" about the time she is due. This is a very targeted phishing email. We still need to be very cautious, even with "expected" email.
- Attacking requires customization today. Too many automated tools can find the "easy" stuff.
- One wireless attack is to set up a wireless access point that a laptop with a hard connection to an internal network will automatically connect to. This could end up with a wireless connection directly into the "protected" network. I wasn't clear if the names of these potential WAPs can be learned from the traffic the laptop sends out or not. I will need to investigate this more.
- The less you know about a device, the more you are likely to trust it. Very interesting. We will press "ok" the less certain we are. Scary.