I’ve learned over the years that if a system has an IP address or a URL, then it is fair game for attack. Having performed technical vulnerability assessments and written about common security flaws for more than 10 years, I never would have dreamed that I would still be seeing the same problems in 2012.
As we have all experienced in security, the more things change the more they stay the same. Be it a high-level security review of a data center environment or an in-depth vulnerability assessment of a mid-market enterprise, the information security vulnerabilities I come across are predictable and consistent.
Here are six security weaknesses I see all the time, and they are virtually guaranteed to be present on your network at this very moment:
1. Web flaws: They are abundant, and they cover everything from default user names and passwords in video and access control management systems to more technical issues such as cross-site scripting and SQL injection in Internet-facing Web applications.
2. Mobile insecurities: Just because your executives mandate iPhones and iPads for everyone doesn’t mean their deployment was well thought out; in fact, it is often just the opposite, and very few people in IT will push back against mobile devices when executives make the call. The same problem exists with laptops and mobile storage devices that are not encrypted. All it takes is one theft or loss for your business to end up in the headlines and in the data breach halls of shame. And before you jump on the BitLocker bandwagon, know that “free disk encryption” is not always free. Check out the white paper I wrote entitled “The Hidden Costs of Microsoft BitLocker” at http://bit.ly/yNh2zK.
3. Access controls that have not been checked for years: Unnecessary administrator privileges and orphaned accounts are everywhere. Fueling the fire are weak passwords on non-Active Directory systems — which are especially dangerous since these accounts and systems often fall outside typical security controls and audits.
4. Limited patching of software and firmware: Arguably the most dangerous flaws, outdated software and firmware on workstations, servers and network infrastructure systems facilitate external denial of service attacks, internal exploits, malware infections and data leakage. Often, network administrators’ hands are tied or there is limited accountability. Reasoning I’ve heard includes “It’s a critical business system and we can’t afford to have it go down,” or “Our vendor doesn’t support us making any changes,” or “I thought so-and-so was taking care of that.” These are arguably legitimate excuses, but that still doesn’t make it right — the security risks are there regardless.
5. Single points of failure in and around IT personnel and processes: When one person is the only person who knows how to administer critical systems such as databases, storage systems, intrusion prevention systems, etc., your business is one car crash away from potential business continuity issues. Gaining control requires good documentation, proper incident response and disaster recovery planning, and a management team that understands that IT personnel issues are not “just an IT problem.”
6. Little to no logging and, thus, limited visibility into security-related problems: Audit logging and system monitoring are arguably the most mundane and painful of security administrative tasks — that’s why businesses are weak in this area. A phone call to a managed security services provider that specializes in this work is all it takes to get this monster off your back. Do it!
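To make item 1 concrete, here is an added example (not code from the original article) of the SQL injection flaw it names: a login check that builds its query by string formatting, beside the parameterized version that fixes it. The table, the accounts, the passwords and the attacker's input are all constructed for this example, and the in-memory SQLite database with plain SHA-256 hashes stands in for a real application's user store only to keep the block self-contained.

```python
"""Added example: SQL injection in a login check and the parameterized fix.

Everything here (table, accounts, passwords, attacker input) is constructed
for illustration; it is not code from the original article.
"""
import hashlib
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table with constructed sample accounts.

    Plain SHA-256 is used only to keep the example short; a real
    application would use a salted, slow hash such as bcrypt or argon2.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, is_admin INTEGER)"
    )
    sample = [
        ("alice", hashlib.sha256(b"correct horse").hexdigest(), 1),
        ("bob", hashlib.sha256(b"hunter2").hexdigest(), 0),
    ]
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", sample)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by string formatting: user input becomes SQL syntax.

    Returns (username, is_admin) on success, None on failure.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT username, is_admin FROM users "
        f"WHERE username = '{username}' AND pw_hash = '{pw_hash}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same check with bound parameters: input is treated as data, never SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone()


if __name__ == "__main__":
    db = build_db()
    # The attacker supplies a username that closes the string literal and
    # comments out the password clause, so the query becomes
    #   ... WHERE username = 'alice' --' AND pw_hash = '...'
    payload = "alice' --"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))    # ('alice', 1)
    print("hardened:  ", login_safe(db, payload, "wrong"))          # None
    print("legit:     ", login_safe(db, "alice", "correct horse"))  # ('alice', 1)
```

The payload logs in as the administrator without a password against the first function and fails against the second; the only difference between them is that the second passes the username and hash as bound parameters instead of splicing them into the statement text.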
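Items 3 and 6 run together in practice: without logs you cannot see which accounts are actually being used or who is hammering on them. The following is an added example (not the author's code) of the visibility a short log review provides. It parses constructed OpenSSH-style auth log lines and flags three things: source addresses with a burst of failed logins, successful logins by accounts that are not on an approved list (the orphaned or unknown accounts item 3 describes), and successful logins from an address that also produced a failure burst. The host name, addresses, account names, the approved-account list and the failure threshold are all assumptions invented for the example.

```python
"""Added example: what a few lines of auth-log review make visible.

The log lines, host, addresses, account names and approved list below are
all constructed for illustration; this is not code from the original article.
"""
import re
from collections import Counter

# Constructed OpenSSH-style auth log excerpt. The message formats follow
# sshd's "Failed password for ..." and "Accepted password|publickey for ..."
# lines; the hosts, addresses and accounts are made up.
SAMPLE_LOG = """\
Mar  3 08:12:01 dbhost sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 08:12:03 dbhost sshd[2233]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  3 08:12:05 dbhost sshd[2235]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar  3 08:12:07 dbhost sshd[2237]: Failed password for invalid user oracle from 203.0.113.7 port 51128 ssh2
Mar  3 08:12:09 dbhost sshd[2239]: Failed password for jsmith from 203.0.113.7 port 51130 ssh2
Mar  3 08:12:11 dbhost sshd[2241]: Failed password for jsmith from 203.0.113.7 port 51132 ssh2
Mar  3 08:12:15 dbhost sshd[2243]: Accepted password for jsmith from 203.0.113.7 port 51140 ssh2
Mar  3 08:30:02 dbhost sshd[2260]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Mar  3 08:30:09 dbhost sshd[2262]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2
Mar  3 09:01:44 dbhost sshd[2310]: Accepted publickey for oracle from 10.0.0.5 port 40022 ssh2
Mar  3 09:05:00 dbhost CRON[2320]: (root) CMD (run-parts /etc/cron.hourly)
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_auth_events(log_text: str) -> list:
    """Return (outcome, user, ip) tuples for each sshd auth line; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append((m["outcome"], m["user"], m["ip"]))
    return events


def review_auth_log(log_text: str, approved_accounts: set, fail_threshold: int = 5) -> dict:
    """Summarize the three things an auditor would want from this log.

    brute_force_ips: sources with at least fail_threshold failed logins.
    unapproved_logins: successful logins by accounts not on the approved
        list (the orphaned or unknown accounts item 3 describes).
    logins_from_bruteforce_ips: successful logins from a source that also
        produced a failure burst, the strongest "look at this now" signal.
    """
    events = parse_auth_events(log_text)
    failures = Counter(ip for outcome, _, ip in events if outcome == "Failed")
    brute_force_ips = {ip for ip, n in failures.items() if n >= fail_threshold}
    accepted = {(user, ip) for outcome, user, ip in events if outcome == "Accepted"}
    return {
        "brute_force_ips": sorted(brute_force_ips),
        "unapproved_logins": sorted(
            (u, ip) for u, ip in accepted if u not in approved_accounts
        ),
        "logins_from_bruteforce_ips": sorted(
            (u, ip) for u, ip in accepted if ip in brute_force_ips
        ),
    }


if __name__ == "__main__":
    # Assumed approved list: only alice and jsmith are supposed to log in here.
    report = review_auth_log(SAMPLE_LOG, approved_accounts={"alice", "jsmith"})
    for key, rows in report.items():
        print(f"{key}: {rows}")
```

On the constructed log this reports one brute-forcing address, a successful login by the unlisted "oracle" account (exactly the kind of forgotten service account item 3 warns about), and a successful "jsmith" login from the same address that just failed six times. None of that is visible without the log; the script is only a few dozen lines, which is the point of item 6.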
These are six big issues that introduce tremendous business risk; yet many organizations will still claim to be “compliant” with this or that regulation and report to management that everything is OK in IT land. That approach creates a serious false sense of security and goes a long way toward explaining why we keep seeing data breaches, no matter how much money is spent on technical controls and internal audit functions.
You cannot secure what you don’t acknowledge. Are you using the proper tools and hacking techniques to bring out the worst in your systems? If you don’t, someone else with ill-intent probably will. Making these all-too-common flaws part of an ongoing security testing process is the key. You have to look at your systems from every angle.
It is time to turn the page on this low-hanging security fruit in your environment once and for all. Make sure all of your critical systems fall within the scope of your in-depth security testing as well as any ongoing higher-level vulnerability scans and audits. Unless and until you address these problems head on, your business will continue to be at risk.
Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Atlanta-based Principle Logic, LLC. With more than 23 years of experience in the industry, he specializes in performing independent security assessments revolving around minimizing information risks. He has authored/co-authored 10 books on information security including the best-selling “Hacking For Dummies” as well as the newly-released “Implementation Strategies for Fulfilling and Maintaining IT Compliance.” In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website www.principlelogic.com, follow him on Twitter at @kevinbeaver and connect to him on LinkedIn.