Forget new threats: It's the old-school attacks that keep getting you

[InfoSec News <alerts () infosecnews org>]

http://www.csoonline.com/article/692274/forget-new-threats-it-s-the-old-school-attacks-that-keep-getting-you

By Taylor Armerding
CSO
October 21, 2011

Everybody in IT knows it is a dangerous world out there, filled with an 
endless variety of cyber attacks aimed at compromising and taking 
advantage of security flaws.

But there is still a persistent lack of awareness of specific threats 
and how best to confront them, according to Rob Havelt, director of 
penetration testing for Trustwave, an international provider of 
information security and compliance solutions.

The irony, he says, is that it is not necessarily the newest, scariest 
malware or hack technique that can compromise an enterprise.

"You see people get whipped up into a frenzy about the latest technique 
that requires all kinds of technical skill to exploit," he says, "while 
ignoring stuff that has been around since forever. One of the most 
common things we find on an internal network is bad password policy -- 
egregious things like 'admin' for an administrative password, or that 
the system administration password is blank."

Havelt wrote most of "Earth vs. The Giant Spider: Amazingly True Stories 
of Real Penetration Tests," which Trustwave members presented at SecTor 
2011 in Toronto earlier this week. He says one of the things he urges IT 
leaders to realize is that a "tiny flaw," like a master default password 
for a PBX exchange can be "blown up into something that has a serious 
impact."

[...]


_____________________________________________________
Subscribe to InfoSec News - www.infosecnews.org
http://www.infosecnews.org/mailman/listinfo/isn