[ISN] The Seven Deadly Security Sins

From: InfoSec News (isnat_private)
Date: Fri Aug 23 2002 - 00:31:46 PDT


    By Jay Lyman
    NewsFactor Network 
    August 22, 2002 
    Gartner research director John Pescatore blamed the hiring of people
    who turn out to be internal threats or who have submitted inflated
    resumes, which results in "sheer incompetence."
    When it comes to computer break-ins and breaches, there are plenty of
    ways to place blame, but some security missteps are more common than
    others -- and most of them fall into the category of often-overlooked
    Among these blunders are the usual suspects: misconfigured servers,
    lack of patching, dangerous default settings and sloppy password
    management. However, security experts also pointed out less obvious
    mistakes, including negligent IT hiring and sharing of networks with
    business partners.
    While security fiascos are often blamed on IT staff, analysts said
    business management personnel also contribute to vulnerabilities,
    which are almost always exploited eventually.
    Common Mistakes
    "All of the other stuff is supposed to flow from the policy," security
    expert Ryan Russell told NewsFactor. "If you don't have it formulated
    and you don't have it written down, it changes. Actively keeping
    secure means you need a policy."
    And Yankee Group analyst Matthew Kovar told NewsFactor that the
    biggest security sin often occurs when someone changes a system or
    network, inadvertently creating new vulnerabilities.
    "What's most common is not going in and reassessing the system that
    you made changes to," Kovar said. "You need vulnerability assessment
    with every change."
    Kovar said another key contributor to insecure systems is companies'
    lack of attention to the regular stream of alerts released by major
    software vendors. "Basically, we're ignoring a lot of important
    information because there is an overload of information regarding
    security," he noted.
    Configured To Fail
    Experts also agreed that application design, server configuration and
    the default settings of newly installed software often lead to
    computer break-ins.
    For example, Kovar said that despite recent improvements, software
    vendors do not test their applications thoroughly before releasing
    them to the public, largely because speed to market and other business
    drivers trump testing on the corporate priority list.
    As a result, vendors must release security patches after the fact,
    which means IT professionals must constantly monitor vulnerability
    Russell added that even if IT departments apply patches properly and
    keep their systems up to date, there is still some risk involved.
    And while vendors are improving across the board in their efforts to
    release more secure software, he noted that running complete default
    installations without turning off unnecessary or unused services
    remains a recipe for getting attacked.
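    The point about default installations is easy to make concrete. The
    script below is an added example, not part of the article or anything
    the quoted analysts published: it takes `ss -tulnH` output (Linux; the
    sample lines here are constructed, and the allowlist of ports 22 and
    443 is an assumption for the example), drops loopback-only sockets, and
    reports every remaining listener that the host is not expected to
    expose. On a real host, pipe `ss -tulnH` into `unexpected_listeners`.

```shell
#!/bin/sh
# Audit listening sockets against an allowlist of expected services.
# Added example for this page, not from the article. The allowlist and the
# sample `ss` output below are assumptions constructed for illustration.

# Print "proto port host" for each socket bound to a non-loopback address.
# Reads `ss -tulnH` output on stdin:
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
listeners() {
  awk '{
    addr = $5
    port = addr; sub(/.*:/, "", port)      # text after the last colon
    host = addr; sub(/:[^:]*$/, "", host)  # text before the last colon
    if (host ~ /^(127\.|\[::1\]$)/) next   # loopback-only: not reachable remotely
    print $1, port, host
  }'
}

# Filter listeners whose port is not in the space-separated allowlist $1.
unexpected_listeners() {
  allow=" $1 "
  listeners | while read -r proto port host; do
    case "$allow" in
      *" $port "*) ;;                      # expected service, keep quiet
      *) printf '%s %s %s\n' "$proto" "$port" "$host" ;;
    esac
  done
}

# Constructed sample of `ss -tulnH` output from a default install:
# portmapper and telnet listening on all interfaces, CUPS on loopback only.
SAMPLE_SS='udp   UNCONN 0      0           0.0.0.0:111      0.0.0.0:*
tcp   LISTEN 0      128         0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0      511         0.0.0.0:443      0.0.0.0:*
tcp   LISTEN 0      50          *:23             *:*
tcp   LISTEN 0      128         127.0.0.1:631    0.0.0.0:*
tcp   LISTEN 0      128         [::]:22          [::]:*'

# Run the audit over the sample with an assumed allowlist of SSH and HTTPS.
audit_sample() {
  printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 443"
}

audit_sample
# prints:
# udp 111 0.0.0.0
# tcp 23 *
```

    The allowlist is the written-down policy Russell refers to; the script
    is the reassessment Kovar asks for after every change. Anything it
    prints is a service that either belongs in the allowlist or should be
    disabled.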
    The Human Factor
    Meanwhile, Gartner research director John Pescatore blamed the "people
    side" of security, referring to hiring people who turn out to be
    internal threats or who have inflated their resumes, which results in
    "sheer incompetence" and misconfigured servers.
    "We see a lot of the IT shops cause their own biggest problem with
    their hiring," he noted.
    Pescatore - who commented that "overly helpful help desks" and
    corporate Web sites often provide too much information, including
    passwords - also blamed companies that pile additional network
    management burdens on the same size IT staff to save money.
    "That feeds into why systems don't get patched," he said.
    Don't Trust Partners
    In addition, one of the biggest security risks currently facing
    companies is the sharing of networks or access, according to security
    analysts. "When you're putting in a pipe to another company, you're
    inheriting all of the security posture of that organization," Kovar
    And while Russell noted that pursuing business objectives often means
    sharing networks without first thinking about security, Pescatore said
    that trusting another company with total access can only be described
    as a security hazard.
    "It's real common to get screwed by a business partner," he explained.
    "It's not the pimply-faced teenager. [The threat is] treating a
    business partner like an employee and giving them too much access."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Aug 23 2002 - 02:58:38 PDT