Security Basics mailing list archives

Re: Ten least secure programs


From: "Roger A. Grimes" <rogerg () cox net>
Date: Mon, 30 Jun 2003 18:27:18 -0400

Chris, most rational network administrators (or whatever you are) cannot
generally dictate by themselves what is and isn't allowed on "your network".
It's a business decision made by management after you've told them of the
risks of using such-and-such a program.  Nearly any program can be hacked,
and nearly any program can be made secure.  The key is securing whatever your
business environment dictates must be used, regardless of its inherent
vulnerabilities.  You may hate MS-Outlook and MS-Internet Explorer, but if
your CEO tells you that you have to support them, then it's best to learn how
to secure them vs. just saying someone can't have them.

All the programs you mention below can easily be made relatively secure by
following the vendor's recommended configuration settings and patches.  The
key is keeping up with vendor patches and deploying each of these programs
in a reasonably prudent way.  So, I wouldn't recommend telling any end-user
they can't use such and such...it's better to tell them (or mgmt), "you
should have it configured this way and use this patch mgmt tool" if you are
going to use that software package.

If you're not into my business advice and philosophy and you want your hard
and fast list, consider looking at the SANS (www.sans.org) top 10 list (or is
it top 20 now).  The list mentions some commonly vulnerable systems that are
frequently left unpatched and misconfigured.

Also, I consider any P2P program to be high on my list of increased risk,
simply because the security configuration and patching mechanisms aren't
there.

Good luck,

Roger
********************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogerg () cox net
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*****************************************************************************************

----- Original Message ----- 
From: "Chris Berry" <compjma () hotmail com>
To: <oclug () oclug org>; <windows2000 () freelists org>;
<security-basics () securityfocus com>
Sent: Saturday, June 28, 2003 6:08 PM
Subject: Ten least secure programs


I'm putting together a list of what seem to be the ten least secure computer
items in use today with the idea of having a set of things to recommend
AGAINST people using, probably to be posted on the IT room door with a note
like "NO, you cannot use the following!!".  Here is what I have so far; I'm
looking for additions and comments.  The list is in order, with the worst
offender being number one.  These should be products whose inherent design is
flawed, not ones that are just difficult to secure.  I expect vigorous
discussion. *putting on flame retardant garments*  Oh, and leave operating
systems out of this one.

1) Microsoft Outlook
2) Telnet
3) Sendmail
4) IIS Server
5) Wireless networking
6) PHP
7) ?
8) ?
9) ?
10) ?

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Within every man beats a heart of darkness." --The Shadow



---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.

Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
