Information Security News mailing list archives

IT, Company Execs Add To Security Holes


From: William Knowles <wk () C4I ORG>
Date: Fri, 2 Jun 2000 10:43:11 -0500

http://www.techweb.com/wire/story/TWB20000601S0016

By Mary Mosquera, TechWeb News
Jun 1, 2000 (7:30 PM)

Common security breaches by IT and business professionals -- not just
an attacker's expertise -- contribute to the success of
computer break-ins, the SANS Institute said Thursday. The security
group released its Top 10 lists of Internet threats and
mistakes made by information technology professionals and company
executives. SANS is a think tank that works with system
and network administrators and security professionals in government,
business, and academia to share security information and
solutions.

SANS found the 10 worst security mistakes IT people make are:

1. Connecting systems to the Internet before hardening them
2. Connecting test systems to the Internet with default accounts/passwords
3. Failing to update systems when security holes are found
4. Using telnet and other unencrypted protocols for managing systems, routers, firewalls, and PKI
5. Giving passwords over the phone or changing user passwords in response to telephone or personal requests when the requester is not authenticated
6. Failing to maintain and test backups
7. Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, rservices
8. Implementing firewalls with rules that don't stop malicious or dangerous traffic -- incoming or outgoing
9. Failing to implement or update virus-detection software
10. Failing to educate users on what to look for and what to do when they see a potential security problem
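An added example, not from the article or from SANS, that checks a host against items 4 and 7 of the list above by parsing `ss -tlnp` output and flagging listeners on the ports of the named services; the sample output, the port-to-item mapping and the function names are this example's own assumptions.

```python
import re

# Port -> (service, SANS item). Ports are the standard IANA assignments;
# mapping each to item 4 or 7 is this example's reading of the list.
FLAGGED_PORTS = {
    21:  ("ftpd",    "7: unnecessary service"),
    23:  ("telnetd", "4: unencrypted management protocol"),
    25:  ("mail",    "7: unnecessary service"),
    79:  ("finger",  "7: unnecessary service"),
    111: ("rpc",     "7: unnecessary service"),
    512: ("rexec",   "7: unnecessary service (rservices)"),
    513: ("rlogin",  "4: unencrypted management protocol (rservices)"),
    514: ("rsh",     "4: unencrypted management protocol (rservices)"),
}

# Constructed sample of `ss -tlnp` output, not from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=612,fd=3))
LISTEN 0      128    0.0.0.0:23        0.0.0.0:*         users:(("in.telnetd",pid=640,fd=4))
LISTEN 0      5      127.0.0.1:25      0.0.0.0:*         users:(("sendmail",pid=700,fd=5))
LISTEN 0      128    0.0.0.0:111       0.0.0.0:*         users:(("rpcbind",pid=580,fd=6))
LISTEN 0      128    [::]:443          [::]:*            users:(("httpd",pid=800,fd=7))
"""

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$')

def parse_listeners(ss_output):
    """Return (local_address, port, process_name) for each LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a non-LISTEN row
        addr, port, proc_field = m.group(1), int(m.group(2)), m.group(3)
        pm = re.search(r'\("([^"]+)"', proc_field)
        listeners.append((addr, port, pm.group(1) if pm else "?"))
    return listeners

def audit(ss_output):
    """Return findings (port, address, process, service, sans_item, exposed);
    exposed is False when the socket is bound to loopback only."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        if port in FLAGGED_PORTS:
            service, item = FLAGGED_PORTS[port]
            exposed = not (addr.startswith("127.") or addr == "[::1]")
            findings.append((port, addr, proc, service, item, exposed))
    return findings
```

Run it against real `ss -tlnp` output before connecting a freshly built system (item 1); a loopback-only listener is reported but marked as not exposed so it can be triaged separately.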

The majority of successful attacks on computer systems via the
Internet can be traced to exploitation of one of a small number
of security flaws, SANS said. Most of the systems compromised in the
Solar Sunrise Pentagon hacking incident were attacked
through a single vulnerability. A related flaw was exploited to break
into many of the computers later used in massive
denial-of-service attacks.

Recent compromises of Windows NT-based web servers are typically
traced to entry via a well-known vulnerability, SANS
said.

"A few software vulnerabilities account for the majority of successful
attacks because attackers are opportunistic -- taking the
easiest and most convenient route," the report said. "They count on
organizations not fixing the problems, and they often attack
indiscriminately, by scanning the Internet for vulnerable systems."

NASA has been scanning and fixing its own list of top vulnerabilities
for over six months, said NASA Deputy CIO Dave
Nelson.

"Over time we have driven the number of vulnerabilities down," he
said. "In that time we have also seen a reduction in the
number of successful attacks on our systems, even though the number of
attempted attacks is going up."

Nelson added: "Your best friend may be your worst enemy, if his
compromised system is attacking yours."

Mistakes by senior executives also add to security vulnerabilities,
SANS said, including:

1. Assigning untrained people to maintain security and providing neither the training nor the time to learn and do the job
2. Failing to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security
3. Failing to deal with the operational aspects of security -- making a few fixes and then not allowing the follow-through necessary to ensure the problems stay fixed
4. Relying primarily on a firewall
5. Failing to realize how much money their information and organizational reputations are worth
6. Authorizing reactive, short-term fixes so problems re-emerge rapidly
7. Pretending the problem will go away if ignored


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com