Increasing data security threats are plain to see for
most firms, and an increasing number are turning to penetration
testing, which sees outside experts being brought in to check a
company’s network vulnerabilities.
Based on its penetration testing experience, Eurodata Systems
has identified the following 10 most common loopholes/mistakes made
by businesses that compromise the security of their networks.
But along with the problems, Eurodata has also listed the
corrective measures that can be taken by firms:
Default installation of Server Operating Systems
Excluding Windows Server 2003 (which only installs the required
files by default), all other versions of Windows install with many
sample pages, insecure registry settings and unnecessary service
extensions that provide many avenues of attack.
It is therefore essential to agree and enforce corporate server
build standards.
Out of date or un-patched servers and desktops
Viruses can spread faster than the time it takes to apply patches
to servers and desktops. Whilst vendors such as Microsoft are
committed to releasing patches faster, those patches are only
effective when an organisation keeps its infrastructure well patched.
Even today, a few years after Code Red first appeared, machines
are still being infected by it. Patch management can be a
time-consuming process, so companies need to use automated deployment
tools such as Microsoft’s System Update Server (SUS) to ease the
management burden.
Easy to guess passwords
How many times do people use a family name, a pet’s name or the
name of their company as a log-in for the company network? It’s a
common, yet lethal mistake.
Setting easy to guess passwords such as “passw0rd”, “password12”
or the name of the company is dangerous. Password cracking tools
can easily break these via a mixture of dictionary techniques and
numeric attachment. Typically, these tools can break passwords of
less than eight characters in less than five seconds!
It is therefore imperative to use a long, non-generic alphanumeric
password to make it harder for hackers to figure out.
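As an added illustration (not Eurodata's own tooling), the following Python check enforces the advice above: it strips the numeric attachment and undoes the common letter-for-digit substitutions before looking the remainder up in a word list, so both “passw0rd” and “password12” are rejected. The word list and the company name are constructed for the example.

```python
import re

# Constructed word list and company name for the example; a real check would
# load a full cracking dictionary (assumption: tiny list for illustration).
COMPANY_NAME = "eurodata"
WORD_LIST = {"password", "welcome", "letmein", "qwerty", "summer"}

# Letter-for-digit substitutions that cracking tools undo before a dictionary match.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def base_word(candidate: str) -> str:
    """See the password the way a dictionary-plus-numeric-attachment attack does:
    drop the trailing digits, then undo the substitutions."""
    return re.sub(r"\d+$", "", candidate.lower()).translate(LEET)


def password_problems(candidate: str, company: str = COMPANY_NAME) -> list[str]:
    """Return the reasons a password fails the policy; an empty list means it passes."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)
            and re.search(r"\d", candidate)):
        problems.append("not mixed-case alphanumeric")
    core = base_word(candidate)
    if core in WORD_LIST:
        problems.append(f"dictionary word '{core}' with a numeric attachment or substitution")
    if company.lower() in candidate.lower() or company.lower() in core:
        problems.append("contains the company name")
    return problems


if __name__ == "__main__":
    for sample in ("passw0rd", "password12", "Eurodata1", "Gq7!xPm3rT"):
        print(sample, "->", password_problems(sample) or "accepted")
```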
Default installations of web servers
One of the most common mistakes made is to install applications
such as IIS (Internet Information Server) and leave them at the
default settings. These usually include unnecessary help pages and
sample scripts that can be exploited by hackers. They also
highlight the fact that it is an “out of the box” installation.
Many of the worms that continually circulate on the internet
actively seek out default installations of IIS. Ensure that only
the required applications are installed, in a controlled manner.
Insecure validation of online applications
Many in-house (and even professionally developed) applications
suffer from simple input validation problems. A website may have
an online form, ranging from simple online ordering to Internet
banking. If the form does not conform to strict standards, the
organisation may be inadvertently allowing hackers to manipulate
the input data to retrieve sensitive information or even completely
compromise the server.
Ensure that all form fields are properly validated and, where
possible, use drop-down selection boxes to control input.
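An added example, not code from the article: a server-side validator for the kind of online order form described above. The field rules and the product allow-list (the values a drop-down box would offer) are assumptions; the point is that the server re-checks the drop-down's value, because nothing stops a user submitting a value the box never offered.

```python
import re

# Constructed allow-list: the same options that would populate the form's
# drop-down box. It must be re-checked on the server, because a request can
# carry any value regardless of what the box offered.
PRODUCT_CODES = {"SRV-100", "SRV-200", "FW-10"}

# Per-field rules (assumed for the example): a pattern the whole value must
# match, and a maximum length.
FIELD_RULES = {
    "customer_name": (r"[A-Za-z][A-Za-z' \-]*", 60),
    "email":         (r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}", 254),
    "quantity":      (r"[1-9]\d?", 2),   # whole numbers 1..99 only
}


def validate_order(form: dict[str, str]) -> dict[str, str]:
    """Return {field: problem} for every rejected field; an empty dict means
    the submission is accepted. Unknown or missing fields are rejected rather
    than silently passed through to the back end."""
    problems: dict[str, str] = {}
    expected = set(FIELD_RULES) | {"product_code"}
    submitted = set(form)
    for name in submitted - expected:
        problems[name] = "unexpected field"
    for name in expected - submitted:
        problems[name] = "missing"
    for name, (pattern, max_len) in FIELD_RULES.items():
        if name not in form:
            continue
        value = form[name]
        if len(value) > max_len:
            problems[name] = f"longer than {max_len} characters"
        elif not re.fullmatch(pattern, value):
            problems[name] = "does not match the allowed format"
    if "product_code" in form and form["product_code"] not in PRODUCT_CODES:
        problems["product_code"] = "not one of the drop-down options"
    return problems


if __name__ == "__main__":
    # Constructed submission with a product code the drop-down never offered.
    print(validate_order({"customer_name": "Ann Smith", "email": "ann@example.com",
                          "quantity": "3", "product_code": "SRV-999"}))
```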
No firewalling of web servers
Many professional web hosting companies rarely, if ever, provide
any form of firewall or filtering. At best, they may block all the
low ports (those below 1024).
However, applications such as Microsoft SQL and Terminal Server
listen on ports above 1024, which could enable hackers to connect to
the servers remotely.
Additionally, outbound ports are usually left as “anything
outbound”, which can enable hackers to get the server to send a
remote command shell out to their machines, thereby circumventing
any inbound policy that may be in place. Ensure that web servers
are properly protected by firewalls and remember to limit both
inbound and outbound access.
“Fit it and forget it” approach to firewalls
Many companies adopt a “fit it and forget it” approach to
firewall security. They fail to realise that, as with servers,
firewall code can become vulnerable over time and also needs to be
patched regularly. Secondly, a firewall’s strength depends largely
on the rules that are defined. While a firewall may be secure when
first installed, security is often seriously compromised over time by
poor rule-base maintenance, e.g. rules may be added to allow access
to new services.
When a user complains that they cannot access a service, the rule
is usually opened up, which may fix the problem at the time but
may also leave the firewall wide open to attack.
It is therefore important that firewall administrators are
properly trained and that the rule-base is regularly audited by an
accredited external body.
Remember a car may pass its MOT on a given day but that does not
mean that it is going to be roadworthy the next day.
Insecure databases
Did you know many organisations leave their databases insecure?
Until Service Pack 3a, Microsoft’s SQL Server allowed blank
passwords to be set for the system administrator (SA) account
without notification. Many IT managers do not realise the threat
posed by access via the SA account, which could not only
compromise the data stored in the database but may also enable the
server to be used as a platform for further attacks into the
network. Ensure that the SA password is strong and, ideally, use
Windows Integrated Authentication instead.
Monitoring/auditing of servers at hosting centres
Out of sight, out of mind! Servers which are placed at hosting
centres are often effectively ignored until they crash or are
hacked into. However, you can easily prevent a number of threats by
simply configuring audit/logging. Even then, this is only useful if
someone actually monitors the server and examines the reports
periodically. Too often, audit reports are filed and pushed to the
back of a very long to-do list. By the time the company is hacked
into, it is too late. Being proactive is the answer.
Open remote control ports
Remote control ports (e.g. VNC, pcAnywhere, RDP) are often open
to the world, leaving a simple password as the only thing standing
between an attacker and total remote compromise.
If hackers discover a vulnerability within an application, it
may enable them to reset or change the remote control password and
completely compromise the server. Remote control ports should be
restricted to only those IP addresses that require access.
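Added here as an example (not an Eurodata tool), this Python rule-base audit covers the three firewall points above: “anything outbound”, high ports such as SQL Server and Terminal Server exposed to the world, and remote control ports open to any source rather than to named addresses. The rule-base format and the sample rules are constructed; the port numbers are the services' standard defaults, which is an assumption about the rule-base being audited.

```python
from ipaddress import ip_network

# Services named in the article, keyed by their standard default port
# (assumption: the rule-base uses the default port numbers).
REMOTE_CONTROL_PORTS = {3389: "RDP/Terminal Server", 5900: "VNC", 5631: "pcAnywhere"}
DATABASE_PORTS = {1433: "Microsoft SQL Server"}

# Constructed rule-base in a simple dict format (not any real firewall's syntax).
SAMPLE_RULES = [
    {"name": "web-in",    "direction": "inbound",  "port": "80",   "src": "0.0.0.0/0",      "action": "allow"},
    {"name": "https-in",  "direction": "inbound",  "port": "443",  "src": "0.0.0.0/0",      "action": "allow"},
    {"name": "rdp-admin", "direction": "inbound",  "port": "3389", "src": "0.0.0.0/0",      "action": "allow"},
    {"name": "rdp-mgmt",  "direction": "inbound",  "port": "3389", "src": "203.0.113.0/24", "action": "allow"},
    {"name": "sql-in",    "direction": "inbound",  "port": "1433", "src": "0.0.0.0/0",      "action": "allow"},
    {"name": "temp-fix",  "direction": "inbound",  "port": "any",  "src": "0.0.0.0/0",      "action": "allow"},
    {"name": "out-any",   "direction": "outbound", "port": "any",  "dst": "0.0.0.0/0",      "action": "allow"},
    {"name": "deny-all",  "direction": "inbound",  "port": "any",  "src": "0.0.0.0/0",      "action": "deny"},
]


def is_world(cidr: str) -> bool:
    """True when the address range is the entire IPv4 internet."""
    return ip_network(cidr).num_addresses == 2 ** 32


def audit_rules(rules: list[dict]) -> list[tuple[str, str]]:
    """Return (rule name, finding) for each allow rule that contradicts the article's advice."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        name, port = rule["name"], rule["port"]
        if rule["direction"] == "outbound":
            if port == "any" and is_world(rule["dst"]):
                findings.append((name, "'anything outbound': lets a compromised server push a shell out"))
            continue
        if not is_world(rule["src"]):
            continue  # inbound access limited to named addresses, as the article advises
        if port == "any":
            findings.append((name, "inbound rule opened up to every port"))
        elif int(port) in REMOTE_CONTROL_PORTS:
            findings.append((name, f"{REMOTE_CONTROL_PORTS[int(port)]} open to the world"))
        elif int(port) in DATABASE_PORTS:
            findings.append((name, f"{DATABASE_PORTS[int(port)]} open to the world"))
        elif int(port) > 1023:
            findings.append((name, f"high port {port} open to the world; 'block below 1024' does not cover it"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```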