http://www.newsfactor.com/perl/story/19116.html

By Jay Lyman
NewsFactor Network
August 22, 2002

Gartner research director John Pescatore blamed the hiring of people who turn out to be internal threats or who have submitted inflated resumes, which results in "sheer incompetence."

When it comes to computer break-ins and breaches, there are plenty of ways to place blame, but some security missteps are more common than others -- and most of them fall into the category of often-overlooked basics.

Among these blunders are the usual suspects: misconfigured servers, lack of patching, dangerous default settings and sloppy password management. However, security experts also pointed out less obvious mistakes, including negligent IT hiring and sharing of networks with business partners.

While security fiascos are often blamed on IT staff, analysts said business management personnel also contribute to vulnerabilities, which are almost always exploited eventually.

Common Mistakes

"All of the other stuff is supposed to flow from the policy," security expert Ryan Russell told NewsFactor. "If you don't have it formulated and you don't have it written down, it changes. Actively keeping secure means you need a policy."

And Yankee Group analyst Matthew Kovar told NewsFactor that the biggest security sin often occurs when someone changes a system or network, inadvertently creating new vulnerabilities.

"What's most common is not going in and reassessing the system that you made changes to," Kovar said. "You need vulnerability assessment with every change."

Kovar said another key contributor to insecure systems is companies' lack of attention to the regular stream of alerts released by major software vendors.

"Basically, we're ignoring a lot of important information because there is an overload of information regarding security," he noted.

Configured To Fail

Experts also agreed that application design, server configuration and the default settings of newly installed software often lead to computer break-ins.

For example, Kovar said that despite recent improvements, software vendors do not test their applications thoroughly before releasing them to the public, largely because speed to market and other business drivers trump testing on the corporate priority list. As a result, vendors must release security patches after the fact, which means IT professionals must constantly monitor vulnerability announcements.

Russell added that even if IT departments apply patches properly and keep their systems up to date, there is still some risk involved. And while vendors are improving across the board in their efforts to release more secure software, he noted that running complete default installations without turning off unnecessary or unused services remains a recipe for getting attacked.

The Human Factor

Meanwhile, Gartner research director John Pescatore blamed the "people side" of security, referring to hiring people who turn out to be internal threats or who have inflated their resumes, which results in "sheer incompetence" and misconfigured servers.

"We see a lot of the IT shops cause their own biggest problem with their hiring," he noted.

Pescatore - who commented that "overly helpful help desks" and corporate Web sites often provide too much information, including passwords - also blamed companies that pile additional network management burdens on the same size IT staff to save money.

"That feeds into why systems don't get patched," he said.

Don't Trust Partners

In addition, one of the biggest security risks currently facing companies is the sharing of networks or access, according to security analysts.

"When you're putting in a pipe to another company, you're inheriting all of the security posture of that organization," Kovar said.

And while Russell noted that pursuing business objectives often means sharing networks without first thinking about security, Pescatore said that trusting another company with total access can only be described as a security hazard.

"It's real common to get screwed by a business partner," he explained. "It's not the pimply-faced teenager. [The threat is] treating a business partner like an employee and giving them too much access."

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Fri Aug 23 2002 - 02:58:38 PDT