I’ve learned over the years that if a system has an IP address or a URL, then it is fair game for attack. Having performed technical vulnerability assessments and written about common security flaws for more than 10 years, I never would have dreamed that I would still be seeing the same problems in 2012.
As we have all experienced in security, the more things change the more they stay the same. Be it a high-level security review of a data center environment or an in-depth vulnerability assessment of a mid-market enterprise, the information security vulnerabilities I come across are predictable and consistent.
Here are six security weaknesses I see all the time, and they are virtually guaranteed to be present on your network at this very moment:
1. Web flaws: They are abundant, and they cover everything from default user names and passwords in video and access control management systems to more technical issues such as cross-site scripting and SQL injection in Internet-facing Web applications.
2. Mobile insecurities: Just because your executives mandate iPhones and iPads for everyone doesn’t mean their deployment was well thought out; in fact, it is often just the opposite, and very few people in IT will push back against mobile devices when executives make the call. The same problem exists with laptops and mobile storage devices that are not encrypted. All it takes is one theft or loss for your business to end up in the headlines and in the data breach halls of shame. And before you jump on the BitLocker bandwagon, know that “free disk encryption” is not always free. Check out the white paper I wrote entitled “The Hidden Costs of Microsoft BitLocker” at http://bit.ly/yNh2zK.
3. Access controls that have not been checked for years: Unnecessary administrator privileges and orphaned accounts are everywhere. Fueling the fire are weak passwords on non-Active Directory systems — which are especially dangerous since these accounts and systems often fall outside typical security controls and audits.
4. Limited patching of software and firmware: Arguably the most dangerous flaws, outdated software and firmware on workstations, servers and network infrastructure systems facilitate external denial of service attacks, internal exploits, malware infections and data leakage. Often, network administrators’ hands are tied or there is limited accountability. Reasoning I’ve heard includes “It’s a critical business system and we can’t afford to have it go down,” or “Our vendor doesn’t support us making any changes,” or “I thought so-and-so was taking care of that.” These are arguably legitimate excuses, but that still doesn’t make it right — the security risks are there regardless.
5. Single points of failure in and around IT personnel and processes: When one person is the only person who knows how to administer critical systems such as databases, storage systems, intrusion prevention systems, etc., your business is one car crash away from potential business continuity issues. Gaining control requires good documentation, proper incident response and disaster recovery planning, and a management team that understands that IT personnel issues are not “just an IT problem.”
6. Little to no logging and, thus, limited visibility into security-related problems: Audit logging and system monitoring are arguably the most mundane and painful of security administrative tasks — that’s why businesses are weak in this area. A phone call to a managed security services provider that specializes in this work is all it takes to get this monster off your back. Do it!
These are six big issues that introduce tremendous business risks; yet, many organizations will still claim to be “compliant” with this or that regulation and report to management that everything’s OK in IT land. This approach creates a serious false sense of security and undoubtedly explains why we keep seeing data breaches, no matter how much money is spent on technical controls and internal audit functions.