Information Security News mailing list archives
IT, Company Execs Add To Security Holes
From: William Knowles <wk () C4I ORG>
Date: Fri, 2 Jun 2000 10:43:11 -0500
http://www.techweb.com/wire/story/TWB20000601S0016

By Mary Mosquera, TechWeb News
Jun 1, 2000 (7:30 PM)

Common security breaches by IT and business professionals -- not just an attacker's expertise -- contribute to the success of computer break-ins, the SANS Institute said Thursday. The security group released its Top 10 lists of Internet threats and mistakes made by information technology professionals and company executives.

SANS is a think tank that works with system and network administrators and security professionals in government, business, and academia to share security information and solutions.

SANS found the 10 worst security mistakes IT people make are:

1. Connecting systems to the Internet before hardening them
2. Connecting test systems to the Internet with default accounts/passwords
3. Failing to update systems when security holes are found
4. Using telnet and other unencrypted protocols for managing systems, routers, firewalls, and PKI
5. Giving passwords over the phone or changing user passwords in response to telephone or personal requests when the requester is not authenticated
6. Failing to maintain and test backups
7. Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, rservices
8. Implementing firewalls with rules that don't stop malicious or dangerous traffic -- incoming or outgoing
9. Failing to implement or update virus-detection software
10. Failing to educate users on what to look for and what to do when they see a potential security problem

The majority of successful attacks on computer systems via the Internet can be traced to exploitation of one of a small number of security flaws, SANS said. Most of the systems compromised in the Solar Sunrise Pentagon hacking incident were attacked through a single vulnerability. A related flaw was exploited to break into many of the computers later used in massive denial-of-service attacks.

Recent compromises of Windows NT-based web servers are typically traced to entry via a well-known vulnerability, SANS said.

"A few software vulnerabilities account for the majority of successful attacks because attackers are opportunistic -- taking the easiest and most convenient route," the report said. "They count on organizations not fixing the problems, and they often attack indiscriminately, by scanning the Internet for vulnerable systems."

NASA has been scanning and fixing its own list of top vulnerabilities for over six months, said NASA Deputy CIO Dave Nelson. "Over time we have driven the number of vulnerabilities down," he said. "In that time we have also seen a reduction in the number of successful attacks on our systems, even though the number of attempted attacks is going up."

Nelson added: "Your best friend may be your worst enemy, if his compromised system is attacking yours."

Mistakes by senior executives also add to security vulnerabilities, SANS said, including:

1. Assigning untrained people to maintain security and providing neither the training nor the time to learn and do the job
2. Failing to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security
3. Failing to deal with the operational aspects of security -- making a few fixes and then not allowing the follow-through necessary to ensure the problems stay fixed
4. Relying primarily on a firewall
5. Failing to realize how much money their information and organizational reputations are worth
6. Authorizing reactive, short-term fixes so problems re-emerge rapidly
7. Pretending the problem will go away if ignored

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions
http://www.c4i.org
*-------------------------------------------------*
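Items 4 and 7 of the SANS list (unencrypted management protocols and unnecessary daemons such as ftpd, telnetd, finger, rpc and the rservices) are the kind of thing an administrator can check mechanically. The script below is an added example written for this archive page; it is not from the article, SANS or NASA. It parses a constructed listing in the shape of `ss -lntu` output and flags sockets bound to the well-known ports of those services, treating loopback-only binds as lower severity because they are not reachable from the network. The port-to-service table and the remediation notes are this example's own assumptions.

```python
"""Audit a listening-socket listing for the legacy, cleartext or unnecessary
services named in the SANS top-10 list (ftpd, telnetd, finger, rpc, mail,
rservices).

Added example. SAMPLE_LISTING is constructed to resemble `ss -lntu` output;
LEGACY_SERVICES uses the IANA default ports for each service and the advice
strings are the author's own suggestions, not text from the article.
"""
import re

# Assumed default ports for the services the article names.
LEGACY_SERVICES = {
    21:  ("ftpd",        "cleartext credentials; prefer SFTP/SCP"),
    23:  ("telnetd",     "cleartext management sessions; replace with SSH"),
    25:  ("mail",        "disable unless this host is meant to relay mail"),
    79:  ("finger",      "leaks account names; disable"),
    111: ("rpc/portmap", "exposes RPC services; disable or filter"),
    512: ("rexec",       "rservices: cleartext, weak auth; disable"),
    513: ("rlogin",      "rservices: trust-based auth; disable"),
    514: ("rsh",         "rservices: trust-based auth; disable"),
}

# Constructed sample in the column layout of `ss -lntu`:
# Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
SAMPLE_LISTING = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:111         0.0.0.0:*
tcp   LISTEN 0      128    [::]:443            [::]:*
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*
"""

# Proto, state, two queue counters, then local address and port.
LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(text):
    """Return (proto, local_addr, port) for every bound-socket line."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, _state, addr, port = m.groups()
            found.append((proto, addr, int(port)))
    return found


def audit_listeners(text):
    """Flag sockets bound to a legacy-service port.

    Loopback-only binds are reported as 'low' severity: still worth
    removing if unused, but not reachable from other hosts.
    """
    findings = []
    for proto, addr, port in parse_listeners(text):
        if port in LEGACY_SERVICES:
            name, advice = LEGACY_SERVICES[port]
            exposed = addr not in ("127.0.0.1", "::1", "[::1]")
            findings.append({
                "proto": proto, "addr": addr, "port": port, "service": name,
                "severity": "high" if exposed else "low", "advice": advice,
            })
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_LISTING):
        print(f"[{f['severity']}] {f['proto']}/{f['port']} {f['service']} "
              f"on {f['addr']}: {f['advice']}")
```

On a real host the listing would come from `ss -lntu` (or `netstat -lntu` on older systems) instead of the embedded sample; the parser only needs the first five columns, so either tool's output fits. A finding is a prompt to ask whether the service is needed at all, not proof of a compromise.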