Background: This is from a 3 or more year old course I gave in support of what I say in The same old stuff further in support of Top Six Reasons Why I Hate Network- and Computer-Security. In short, this is old and, yet, is still relevant. (Kinda like me.)When we consider Internet system security, these are what I consider to be the top ten security threats.
All types of systems are vulnerable to this: desktops, servers, appliances, routers … anything that can be configured. Personal computers and servers often have unneeded services running. And although No security updates VATs can help So can proper policies with proper implementation
There are multiple problems here, The first are demo or guest accounts. (This also can be considered part of the Default Installation problem, as many default installations come with preset passwords.) Easily guessed passwords are almost as bad. Guessed passwords do not necessarily provide complete control, but they do provide a foothold. And a foothold is an attackers "Step 1." There are, of course, solutions to this. An enterprise can set password policy, but then has to back up policy with policing, using many of the password checking and scanning programs available. Even better, is to replace user-id/password with 2- or 3-factor authentication, including security tokens and biometrics. Recently, when I have taught a course, I ask who has 2-factor authentication. I am pleased to see that the percentage of raised hands is on the rise. Still, most hands remain down.And still, like most things "security," strong user authentication is an "add-on."
Bad Backup Policy
Most enterprises do a decent job here, but many do not consider backing up teleworkers' computers. And many do not routinely verify backups.
This is still a problem on many gateways. (" Default deny" still has not caught on, even though done correctly it is nearly invisible and protects better than " default allow.") On our servers, desktops, and gateways we have opened unused network ports and used ports that are not required. Think of a house with 65,537 open doors.
IP Spoofing is still used. Do not allow your gateways to pass any source-routed packets
Bad logging practice
Unread logs are not very useful. Logs that are incomplete are worse.
Common Gateway Interface scripts are necessary for all but the most basic web pages. The risk is to the web server. Web servers come with example code. Some of that example code has, in the past and today, contained exploitable bugs. (See CGI Script Source Code Disclosure Vulnerability in Apache for Windows.) The solution? Write your own code, if you are able, and test, test, test.
Remote Procedure Calls and Remote access
RPCs allow one computer to run a program on another computer. Buffer overflows and other security weaknesses can and have led to an attacker running a program on the local computer. Unix, Windows, and Mac OS X systems run RPC servers. Global file sharing is a potential point of vulnerability. Do you know what the default settings are on your computers? Firewalls can stop connections. Do yours? What about your teleworkers?
Okay, really any fancy e-mail client that:
- Automatically launches dangerous applications, remembering that any "helper" program may be dangerous (browsers. Picture viewers, Word, PDF viewer).
- Any that users do not really, really, really need. (Disable them and wait for complaints. Then selectively add.)
- Do not allow Outlook to auto-display HTML
Further, be very selective in what attachments your organization will admit through an e-mail gateway or firewall. Does your enterprise require .scr, .bat, .com, .exe, .dll files? Start with what it needs. Disallow all except the ones you absolutely need. (See Buried in Swen! from 2003.)
This was my top ten security threats list. These are not the top ten security threats that keep me up at night. All of these have some kind of reasonable mitigation, none of which are useful unless they are implemented.