Information Security News mailing list archives

The Seven Deadly Security Sins


From: InfoSec News <isn () c4i org>
Date: Fri, 23 Aug 2002 02:31:46 -0500 (CDT)

http://www.newsfactor.com/perl/story/19116.html

By Jay Lyman
NewsFactor Network 
August 22, 2002 

Gartner research director John Pescatore blamed the hiring of people
who turn out to be internal threats or who have submitted inflated
resumes, which results in "sheer incompetence."

When it comes to computer break-ins and breaches, there are plenty of
ways to place blame, but some security missteps are more common than
others -- and most of them fall into the category of often-overlooked
basics.

Among these blunders are the usual suspects: misconfigured servers,
lack of patching, dangerous default settings and sloppy password
management. However, security experts also pointed out less obvious
mistakes, including negligent IT hiring and sharing of networks with
business partners.

While security fiascos are often blamed on IT staff, analysts said
business management personnel also contribute to vulnerabilities,
which are almost always exploited eventually.
 
Common Mistakes

"All of the other stuff is supposed to flow from the policy," security
expert Ryan Russell told NewsFactor. "If you don't have it formulated
and you don't have it written down, it changes. Actively keeping
secure means you need a policy."

And Yankee Group analyst Matthew Kovar told NewsFactor that the
biggest security sin often occurs when someone changes a system or
network, inadvertently creating new vulnerabilities.

"What's most common is not going in and reassessing the system that
you made changes to," Kovar said. "You need vulnerability assessment
with every change."

Kovar said another key contributor to insecure systems is companies'
lack of attention to the regular stream of alerts released by major
software vendors. "Basically, we're ignoring a lot of important
information because there is an overload of information regarding
security," he noted.

Configured To Fail

Experts also agreed that application design, server configuration and
the default settings of newly installed software often lead to
computer break-ins.

For example, Kovar said that despite recent improvements, software
vendors do not test their applications thoroughly before releasing
them to the public, largely because speed to market and other business
drivers trump testing on the corporate priority list.

As a result, vendors must release security patches after the fact,
which means IT professionals must constantly monitor vulnerability
announcements.

Russell added that even if IT departments apply patches properly and
keep their systems up to date, there is still some risk involved.

And while vendors are improving across the board in their efforts to
release more secure software, he noted that running complete default
installations without turning off unnecessary or unused services
remains a recipe for getting attacked.
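Both of Kovar's and Russell's points above, reassessing a system after every change and not leaving a default install's unused services reachable, come down to the same defensive check: enumerate what the host actually exposes, compare it to what it is supposed to expose, and diff it against the last reviewed state. The script below is an added example, not code from the article or from any of the analysts quoted; the `ss -tulnp`-style output, the host, the process names and the allow-list are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `ss -tulnp` output from a hypothetical
# host straight after a default install; not captured from any real system.
DEFAULT_INSTALL = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=700,fd=6))
tcp   LISTEN 0      50     0.0.0.0:3306       0.0.0.0:*         users:(("mysqld",pid=745,fd=20))
tcp   LISTEN 0      128    0.0.0.0:5900       0.0.0.0:*         users:(("vncserver",pid=801,fd=5))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=655,fd=7))
udp   UNCONN 0      0      127.0.0.1:323      0.0.0.0:*         users:(("chronyd",pid=590,fd=5))
"""

# Constructed: the same host after someone "just added a cache" with no review.
AFTER_CHANGE = DEFAULT_INSTALL + (
    'tcp   LISTEN 0      511    0.0.0.0:6379       0.0.0.0:*         '
    'users:(("redis-server",pid=912,fd=7))\n'
)

# Hypothetical allow-list: the only network-reachable (proto, port) pairs this
# host is meant to offer. Anything else exposed is a finding.
ALLOWED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

# Netid State Recv-Q Send-Q Local:Port Peer:Port [users:(("proc",...))]
LINE_RE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+'
    r'(?:\s+users:\(\("([^"]+)")?'
)

# Prefixes that mean "bound to this host only", not reachable from the network.
LOOPBACK = ("127.", "[::1]", "::1")


@dataclass(frozen=True, order=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_listeners(ss_output):
    """Turn ss-style lines into Listener records; header and unknown lines are skipped."""
    found = set()
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, proc = m.groups()
            found.add(Listener(proto, addr, int(port), proc or "unknown"))
    return found


def exposed(listeners):
    """Sockets reachable from the network, i.e. not bound to loopback only."""
    return {l for l in listeners if not l.addr.startswith(LOOPBACK)}


def unapproved(listeners, allowed=ALLOWED):
    """Exposed sockets that are not on the allow-list: the default-install problem."""
    return sorted(l for l in exposed(listeners) if (l.proto, l.port) not in allowed)


def drift(baseline, current):
    """Exposed sockets present now that were absent from the reviewed baseline:
    the 'reassess after every change' problem."""
    return sorted(exposed(current) - exposed(baseline))


if __name__ == "__main__":
    base = parse_listeners(DEFAULT_INSTALL)
    for l in unapproved(base):
        print(f"unapproved on default install: {l.proto}/{l.port} ({l.process}) on {l.addr}")
    for l in drift(base, parse_listeners(AFTER_CHANGE)):
        print(f"new since last review: {l.proto}/{l.port} ({l.process}) on {l.addr}")
```

On the constructed sample the first loop flags MySQL, VNC and SNMP as exposed but unapproved, while the chrony socket on 127.0.0.1 is correctly ignored; the second loop catches the Redis listener that appeared after the change. Feeding the script real `ss -tulnp` output and storing the reviewed baseline alongside the change ticket turns Kovar's "vulnerability assessment with every change" into a check that takes seconds rather than a project.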

The Human Factor

Meanwhile, Gartner research director John Pescatore blamed the "people
side" of security, referring to hiring people who turn out to be
internal threats or who have inflated their resumes, which results in
"sheer incompetence" and misconfigured servers.

"We see a lot of the IT shops cause their own biggest problem with
their hiring," he noted.

Pescatore - who commented that "overly helpful help desks" and
corporate Web sites often provide too much information, including
passwords - also blamed companies that pile additional network
management burdens on the same size IT staff to save money.

"That feeds into why systems don't get patched," he said.

Don't Trust Partners

In addition, one of the biggest security risks currently facing
companies is the sharing of networks or access, according to security
analysts. "When you're putting in a pipe to another company, you're
inheriting all of the security posture of that organization," Kovar
said.

And while Russell noted that pursuing business objectives often means
sharing networks without first thinking about security, Pescatore said
that trusting another company with total access can only be described
as a security hazard.

"It's real common to get screwed by a business partner," he explained.
"It's not the pimply-faced teenager. [The threat is] treating a
business partner like an employee and giving them too much access."
