Secure Your Data - No Really
On my recent product implementation it was requested we use a NoSQL database to aid in rapid application development. The particular vendor was already selected when I arrived. I was able to upgrade the version of the storage engine for our implementation. Along with this we had to decide if we had budget to pay for the enterprise edition, which directly influences the available security options. Our previous use of the database engine was for proof-of-concept work; security had not been implemented for any of the projects leveraging the new technology. To ensure projects could gracefully implement our security model as they matured, we decided to allow different versions to coexist on the same server. This worked well, as the insecure out-of-the-box flavor used a default port (which I personally find odious to contemplate). So I was able to use the versioning as a justification for a new internal port.
And all of that is a prequel for the following. In a recent article in Ars Technica I learned about a search engine for port scans. This is such a weird idea to me. It takes four hours to write a basic port scanner, so why would I want a search engine to do this for me? After looking around, I saw two use cases for https://account.shodan.io. The first is to gauge technology adoption trends. Gartner does this for us, but it is nice to verify these results. But that really begs the question of how Shodan can determine what technologies are being used in the wild. People are rushing their minimally viable products to market with no security at all. In my recent project we had this discussion several times. To me, Shodan is really a heartbeat on trends in poor security implementations. Security Week found this so bad they wrote an article on it. The headline was "35,000 MongoDB Instances Exposed Online." How these are accessible outside a firewall is a mystery to me, but you can read about that and more here: http://www.securityweek.com/35000-mongodb-instances-exposed-online. I love the fact that I can point to a search engine that proves people are compromising our privacy to prevent impacts of opportunity costs on their marketing strategy. And I am going to say the harder the security hooks in the tool, the greater the chance of someone bypassing common sense and leaving it insecure.
Our team had to work some overtime to get our product out in 60 days with a handful of new technologies secured and deployable to our personal VM farm. The security portion was absolutely part of that. I researched our options at home after dinner on the same computer I am writing this post on. But my database instances are not going to show up on a Shodan report. I use nonstandard ports for the engine; I disabled the admin web UI for the engine (forcing us to implement our monitoring in a separate tool); I enabled and provisioned a security model. The database services run under a limited-access service account. We own a firewall and keep our goodies to ourselves. We pay capable network technicians to protect our corporate reputation. I am not sure how our industry has strayed from the fundamentals. They are harder now (two of us wanted to die when securing our message broker), but these things are still fundamental.
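The controls listed above (non-default port, admin web UI disabled, an enabled security model) as an added configuration audit, not code from this post or its author. It assumes the engine is MongoDB (the post never names its vendor) and the mongod.conf YAML keys, adds one check beyond the post's list (bindIp, the engine-side counterpart of the firewall), and both sample configs are constructed.

```python
# Assumes MongoDB's mongod.conf (post never names its vendor); only the key: value YAML subset it uses is parsed, so no PyYAML needed.
from typing import Any, Dict, List

def parse_conf(text: str) -> Dict[str, Any]:
    """Parse indentation-nested 'key: value' lines into nested dicts."""
    root: Dict[str, Any] = {}
    stack: List[tuple] = [(-1, root)]          # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and blank lines
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:          # climb out of deeper blocks
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:                                  # start of a nested section
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def audit(conf: Dict[str, Any]) -> List[str]:
    """One finding per exposure pattern; an empty list means hardened."""
    net, sec = conf.get("net", {}), conf.get("security", {})
    findings = []
    if str(net.get("port", "27017")) == "27017":
        findings.append("default port 27017: trivially fingerprinted by scanners")
    # Missing bindIp counts as all interfaces (older package default; an assumption).
    binds = {b.strip() for b in str(net.get("bindIp", "0.0.0.0")).split(",")}
    if binds & {"0.0.0.0", "::"}:
        findings.append("listens on all interfaces: " + ",".join(sorted(binds)))
    if sec.get("authorization", "disabled") != "enabled":
        findings.append("security.authorization not enabled: no credentials required")
    if str(net.get("http", {}).get("enabled", "false")).lower() == "true":
        findings.append("HTTP admin web UI enabled")
    return findings

# Constructed samples: a fresh-install style config beside the hardened one.
OUT_OF_THE_BOX = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n  http:\n    enabled: true\n"
HARDENED = """net:
  port: 28934            # non-standard internal port (placeholder value)
  bindIp: 127.0.0.1,10.0.5.12
  http:
    enabled: false
security:
  authorization: enabled
"""
```

Run `audit(parse_conf(OUT_OF_THE_BOX))` against a real mongod.conf read from disk to get the same four-point report; an empty list from `audit` is the target state.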
Nice write-up, Eric!