From: InfoSec News (isn_at_c4i.org)
Date: Fri Aug 23 2002 - 02:31:46 CDT
By Jay Lyman
August 22, 2002
Gartner research director John Pescatore blamed the hiring of people
who turn out to be internal threats or who have submitted inflated
resumes, which results in "sheer incompetence."
When it comes to computer break-ins and breaches, there are plenty of
ways to place blame, but some security missteps are more common than
others -- and most of them fall into the category of often-overlooked
Among these blunders are the usual suspects: misconfigured servers,
lack of patching, dangerous default settings and sloppy password
management. However, security experts also pointed out less obvious
mistakes, including negligent IT hiring and sharing of networks with
While security fiascos are often blamed on IT staff, analysts said
business management personnel also contribute to vulnerabilities,
which are almost always exploited eventually.
"All of the other stuff is supposed to flow from the policy," security
expert Ryan Russell told NewsFactor. "If you don't have it formulated
and you don't have it written down, it changes. Actively keeping
secure means you need a policy."
And Yankee Group analyst Matthew Kovar told NewsFactor that the
biggest security sin often occurs when someone changes a system or
network, inadvertently creating new vulnerabilities.
"What's most common is not going in and reassessing the system that
you made changes to," Kovar said. "You need vulnerability assessment
with every change."
Kovar said another key contributor to insecure systems is companies'
lack of attention to the regular stream of alerts released by major
software vendors. "Basically, we're ignoring a lot of important
information because there is an overload of information regarding
security," he noted.
Configured To Fail
Experts also agreed that application design, server configuration and
the default settings of newly installed software often lead to
For example, Kovar said that despite recent improvements, software
vendors do not test their applications thoroughly before releasing
them to the public, largely because speed to market and other business
drivers trump testing on the corporate priority list.
As a result, vendors must release security patches after the fact,
which means IT professionals must constantly monitor vulnerability
Russell added that even if IT departments apply patches properly and
keep their systems up to date, there is still some risk involved.
And while vendors are improving across the board in their efforts to
release more secure software, he noted that running complete default
installations without turning off unnecessary or unused services
remains a recipe for getting attacked.
The Human Factor
Meanwhile, Gartner research director John Pescatore blamed the "people
side" of security, referring to hiring people who turn out to be
internal threats or who have inflated their resumes, which results in
"sheer incompetence" and misconfigured servers.
"We see a lot of the IT shops cause their own biggest problem with
their hiring," he noted.
Pescatore - who commented that "overly helpful help desks" and
corporate Web sites often provide too much information, including
passwords - also blamed companies that pile additional network
management burdens on the same size IT staff to save money.
"That feeds into why systems don't get patched," he said.
Don't Trust Partners
In addition, one of the biggest security risks currently facing
companies is the sharing of networks or access, according to security
analysts. "When you're putting in a pipe to another company, you're
inheriting all of the security posture of that organization," Kovar
And while Russell noted that pursuing business objectives often means
sharing networks without first thinking about security, Pescatore said
that trusting another company with total access can only be described
as a security hazard.
"It's real common to get screwed by a business partner," he explained.
"It's not the pimply-faced teenager. [The threat is] treating a
business partner like an employee and giving them too much access."
ISN is currently hosted by Attrition.org