False confidence in security solutions is unwittingly
exposing businesses to attack, according to a report by
Context Information Security.
The report suggests false confidence can be a significant cause
of high-impact vulnerabilities: security devices are deployed to
improve corporate security but, because they are incorrectly
configured, have the opposite effect.
Examples of misplaced confidence include the default (or
out-of-the-box) installation of security devices, an over-reliance
on automated vulnerability assessment scanning systems, and
misplaced trust in encryption and authentication systems.
Issues also include misconfigured Secure Sockets Layer (SSL)
appliances that let attackers gain full access to internal,
business-critical applications; intrusion detection systems that
let intruders into corporate networks unnoticed; and unauthorised
access to strongly encrypted wireless LANs.
SSL virtual private network (VPN) appliances were found to be a
particular pain point in 2006: many businesses deployed them to
deliver secure remote access to internal network resources and
critical applications, yet forgot that the appliances can be
susceptible to the same vulnerabilities as any fully-functioning
web-based application.
Context’s recommendations include making sure users realise that
security products are not a failsafe method of ensuring security,
and that there is no point in automatically applying default
configurations to appliances without assessing whether those
configurations suit the network environment they are deployed in.
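To show what "assessing the default configuration" looks like in practice, here is an added example written for this page; it is not Context's tooling or anything from the report. The configuration keys, the baseline values and the `audit_config`/`hardened` helpers are assumptions chosen to illustrate the kind of out-of-the-box settings (factory admin password, management reachable from every interface, legacy protocol versions, self-signed portal certificate, non-expiring sessions) that leave an SSL VPN appliance weaker than the network it is meant to protect.

```python
"""Audit a constructed SSL VPN appliance configuration against a small
hardening baseline, then produce a corrected copy.

Added example for this page, not code from the Context report. The
configuration keys and baseline values below are assumptions.
"""

# Constructed example of an out-of-the-box appliance configuration.
DEFAULT_CONFIG = {
    "admin_user": "admin",
    "admin_password": "admin",
    "mgmt_interface": "any",          # management reachable from every interface
    "tls_versions": ["SSLv2", "SSLv3", "TLSv1.0"],
    "cert_issuer": "Appliance Self-Signed CA",
    "portal_realms": ["internal-apps", "corp-lan"],
    "session_timeout_min": 0,         # 0 = sessions never expire
}

# Baseline: values that should never survive into production (assumed list).
WEAK_PASSWORDS = {"admin", "password", "changeme", "", "default"}
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
UNTRUSTED_MGMT = {"any", "external", "wan"}


def audit_config(cfg):
    """Return a list of (severity, finding) tuples for a config dict."""
    findings = []
    pw = cfg.get("admin_password", "")
    if pw in WEAK_PASSWORDS or pw == cfg.get("admin_user"):
        findings.append(("high", "administrative account still uses a default or trivial password"))
    if cfg.get("mgmt_interface") in UNTRUSTED_MGMT:
        findings.append(("high", "management interface reachable from the untrusted side"))
    legacy = sorted(set(cfg.get("tls_versions", [])) & LEGACY_TLS)
    if legacy:
        findings.append(("medium", "legacy protocol versions enabled: " + ", ".join(legacy)))
    if "self-signed" in cfg.get("cert_issuer", "").lower():
        findings.append(("medium", "portal certificate is the factory self-signed default"))
    if cfg.get("session_timeout_min", 0) == 0:
        findings.append(("low", "sessions never expire"))
    return findings


def hardened(cfg, new_password, mgmt_interface="mgmt0", issuer="Corporate Issuing CA"):
    """Return a copy of cfg with the flagged defaults replaced.

    A non-default administrative password must be supplied explicitly;
    the function refuses to "harden" a box while leaving a weak password.
    """
    if new_password in WEAK_PASSWORDS or new_password == cfg.get("admin_user"):
        raise ValueError("a non-default administrative password is required")
    out = dict(cfg)
    out["admin_password"] = new_password
    out["mgmt_interface"] = mgmt_interface
    kept = [v for v in cfg.get("tls_versions", []) if v not in LEGACY_TLS]
    out["tls_versions"] = kept or ["TLSv1.2"]
    out["cert_issuer"] = issuer
    out["session_timeout_min"] = cfg.get("session_timeout_min") or 30
    return out


if __name__ == "__main__":
    for severity, text in audit_config(DEFAULT_CONFIG):
        print(f"[{severity}] {text}")
    fixed = hardened(DEFAULT_CONFIG, new_password="correct horse battery staple")
    print("findings after hardening:", audit_config(fixed))
```

The point of the two-step shape is that the audit runs against whatever the appliance shipped with, before the box is put in front of business-critical applications, and the same audit is re-run on the corrected configuration to confirm nothing was left at its default.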
Why would you program your VCR at home to work effectively, and
not configure your business security to reflect your corporate
topology? Is there some blind assumption that security solutions
should be ready out-of-the box? And when has that ever been the
case? Sometimes it’s no wonder hackers have a ball.
Comment on this article:
computer.weekly@rbi.co.uk