Increasing data security threats are plain to see for most firms, and an increasing number are turning to penetration testing, which sees outside experts being brought in to check a company’s network vulnerabilities.
Based on its penetration testing experience, Eurodata Systems has identified the following 10 most common loopholes/mistakes made by businesses that compromise the security of their networks.
But along with the problems, Eurodata has also listed the corrective measures that can be taken by firms:
Default installation of Server Operating Systems
Excluding Windows Server 2003 (which only installs the required files by default), all other versions of Windows install with many sample pages, insecure registry settings and unnecessary service extensions that provide many avenues of attack.
It is therefore essential to agree and enforce corporate server build standards.
Out-of-date or unpatched servers and desktops
Viruses can spread faster than most organisations can patch their servers and desktops. Whilst vendors such as Microsoft are committed to releasing patches faster, those patches are only effective when an organisation keeps its infrastructure well patched.
Even today, a few years after Code Red first appeared, machines are still infected by it. Patch management can be a time-consuming process, so companies need to use automated deployment tools such as Microsoft’s System Update Server (SUS) to ease the management burden.
Easy to guess passwords
How many times do people use a family name, a pet’s name or the name of their company as a log-in for the company network? It’s a common, yet lethal mistake.
Setting easy to guess passwords such as “passw0rd”, “password12” or the name of the company is dangerous. Password cracking tools can easily break these via a mixture of dictionary techniques and numeric attachment. Typically, these tools can break passwords of less than eight characters in less than five seconds!
It is therefore imperative to use a long, non-generic alphanumeric password to make it harder for hackers to figure out.
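The checks described above (short passwords, dictionary words with a numeric suffix, leet substitutions such as “passw0rd”, and company or family names) can be enforced at password-set time. The following is an added example, not Eurodata’s tool; the small word list and the `org_words` argument are constructed placeholders for a real dictionary and the organisation’s own names.

```python
import re
from typing import Iterable, Optional

# Constructed sample dictionary; a real check would load a full wordlist.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin", "summer"}

# Substitutions attackers (and users) make for letters: "passw0rd" -> "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "@": "a", "$": "s", "!": "i"})

# Trailing digits/symbols that cracking tools append to a base word ("password12").
SUFFIX_RE = re.compile(r"[\d!@#$%^&*]+$")


def is_weak_password(candidate: str, org_words: Iterable[str] = ()) -> Optional[str]:
    """Return the reason a password is weak, or None if it passes every check.

    org_words: hypothetical list of company, family or pet names the caller
    wants to forbid, mirroring the page's warning about such passwords.
    """
    if len(candidate) < 8:
        return "shorter than eight characters"

    # Strip the numeric/symbol suffix and undo leet substitutions so that
    # "passw0rd" and "password12" both reduce to the dictionary word "password".
    stem = SUFFIX_RE.sub("", candidate).lower()
    normalised = stem.translate(LEET_MAP)
    banned = COMMON_WORDS | {w.lower() for w in org_words}
    for word in banned:
        if stem == word or normalised == word:
            return f"dictionary or organisation word '{word}' with a suffix"

    # Require at least three of: lower case, upper case, digit, symbol.
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        return "uses fewer than three character classes"
    return None
```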
Default installations of web servers
One of the most common mistakes made is to install applications such as IIS (Internet Information Server) and leave it at the default setting. These usually include unnecessary help pages and sample scripts that can be exploited by hackers. They also highlight the fact that it is an “out of the box” installation.
Many of the worms which continually circle the internet actively seek out default installations of IIS. Ensure that only the required applications are installed, in a controlled manner.
Insecure validation of online applications
Many in-house (and even professionally) developed applications suffer from simple input validation problems. A website may have an online form, ranging from simple online ordering to Internet banking. If the form does not conform to strict standards, the organisation may be inadvertently allowing hackers to manipulate the input data to retrieve sensitive information or even completely compromise the server.
Ensure that all form fields are properly validated and, where possible, use drop-down selection boxes to control input.
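As an added illustration (not code from Eurodata or the article), the example below validates an online-ordering form on the server against the same whitelist the drop-down offers, since a browser-side drop-down does not stop anyone submitting an arbitrary value. It shows the unvalidated query beside the hardened one; the product list, table and prices are constructed sample data.

```python
import re
import sqlite3

# Server-side whitelist mirroring the options in the page's drop-down box.
# Constructed sample data: the server must re-check the value regardless of
# what the browser offered.
ALLOWED_PRODUCTS = {"widget", "gadget", "sprocket"}
QUANTITY_RE = re.compile(r"[1-9]\d{0,2}")  # whole number 1-999, digits only


def validate_order(form: dict) -> dict:
    """Return cleaned fields, or raise ValueError for anything outside the rules."""
    product = form.get("product", "")
    if product not in ALLOWED_PRODUCTS:
        raise ValueError("product not in allowed list")
    quantity = form.get("quantity", "")
    if not QUANTITY_RE.fullmatch(quantity):
        raise ValueError("quantity must be a whole number between 1 and 999")
    return {"product": product, "quantity": int(quantity)}


def is_rejected(form: dict) -> bool:
    """Convenience wrapper: True if validate_order refuses the form."""
    try:
        validate_order(form)
    except ValueError:
        return True
    return False


def lookup_price_unsafe(conn, product: str):
    # The mistake the article describes: raw form input spliced into the query
    # text, so the input can change the meaning of the query.
    return conn.execute(
        f"SELECT price FROM prices WHERE product = '{product}'").fetchall()


def lookup_price(conn, product: str):
    # Hardened form: the (already validated) value is passed as a bound
    # parameter and can only ever be compared as data.
    return conn.execute(
        "SELECT price FROM prices WHERE product = ?", (product,)).fetchall()


def demo_conn():
    """In-memory table with constructed sample prices."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prices (product TEXT, price REAL)")
    conn.executemany("INSERT INTO prices VALUES (?, ?)",
                     [("widget", 1.5), ("gadget", 9.99), ("sprocket", 0.25)])
    return conn
```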
No firewalling of web servers
Many professional web hosting companies rarely, if ever, provide any form of firewall or filtering. At best, they may block all the low (below 1024) ports.
However, applications such as Microsoft SQL and Terminal Server use ports above 1024, and this could enable hackers to connect to the servers remotely.
Additionally, outbound ports are usually left as “anything outbound”, which can enable hackers to get the server to send a remote command shell out to their machines, thereby circumventing any inbound policy that may be in place. Ensure that web servers are properly protected by firewalls and remember to limit both inbound and outbound access.
‘Fit it and forget it’ approach to firewalls
Many companies adopt a “fit it and forget it” approach to firewall security. They fail to realise that, as with servers, firewall code can become vulnerable over time and also needs to be patched regularly. Secondly, a firewall’s strength depends largely on the rules that are defined. While a firewall may be secure when first installed, security is often seriously compromised over time by poor rule-base maintenance, e.g. rules may be added to allow access to new services.
When a user complains that he cannot access the service, usually the rule is opened up, which may fix the problem at the time but may also leave the firewall wide open to attack.
It is therefore important that firewall administrators are properly trained and that the rule-base is regularly audited by an accredited external body.
Remember a car may pass its MOT on a given day but that does not mean that it is going to be roadworthy the next day.
Insecure databases
Did you know many organisations leave their databases insecure? Until Service Pack 3a, Microsoft’s SQL Server allowed blank passwords to be set for the system administrator (SA) account without notification. Many IT managers do not realise the potential threat of having access via the SA account, which could not only compromise the data stored in the database, but may also enable the server to be used as a platform for further attacks into the network. Ensure that the SA password is strong and, ideally, use Windows Integrated Authentication.
Monitoring/auditing of servers at hosting centres
Out of sight, out of mind! Servers which are placed at hosting centres are often effectively ignored until they crash or are hacked into. However, you can easily prevent a number of threats by simply configuring audit/logging. Even then, this is only useful if someone actually monitors the server and examines the reports periodically. Too often, audit reports are filed and pushed to the back of a very long to-do list. When the company is hacked into, it’s too late. Being proactive is the answer.
Open remote control ports
Remote control ports (e.g. VNC, PCanywhere, RDP) are often open to the world. The only thing standing between an attacker and total remote compromise is a simple password.
If hackers discover a vulnerability within an application, it may enable them to reset or change the remote control password and completely compromise the server. Remote control ports should be restricted to only those IP addresses that require access.
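The three firewall points above (unfiltered high ports and “anything outbound” rules, rule-base drift when a rule is “opened up” after a complaint, and remote control ports exposed to the world) can be caught by a periodic rule-base audit. The example below is added here and is not Eurodata’s audit method; the rule format and sample rule base are constructed, and the port numbers for SQL Server, RDP/Terminal Server, VNC and PCanywhere are the products’ usual defaults, assumed rather than taken from the article.

```python
from dataclasses import dataclass

# Services the article singles out, keyed by their usual default TCP port
# (assumed defaults, not stated on the page).
REMOTE_ADMIN_PORTS = {1433: "MS SQL", 3389: "RDP/Terminal Server",
                      5900: "VNC", 5631: "PCanywhere"}


@dataclass
class Rule:
    name: str
    direction: str   # "in" (towards the server) or "out" (from the server)
    src: str         # source CIDR, or "any"
    dst_port: str    # destination port number, or "any"
    action: str      # "allow" or "deny"


def audit_rules(rules):
    """Return (rule name, finding) pairs for allow rules a reviewer should question."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        # "Anything outbound": lets a compromised server call out past inbound policy.
        if r.direction == "out" and r.dst_port == "any":
            findings.append((r.name, "unrestricted outbound access"))
        if r.direction == "in" and r.dst_port == "any":
            findings.append((r.name, f"all inbound ports open from {r.src}"))
        if r.direction == "in" and r.dst_port.isdigit():
            port = int(r.dst_port)
            if port in REMOTE_ADMIN_PORTS and r.src == "any":
                findings.append((r.name, f"{REMOTE_ADMIN_PORTS[port]} open to the world"))
            elif port > 1024 and r.src == "any":
                findings.append((r.name, f"high port {port} open to any source; confirm it is required"))
    return findings


# Constructed sample rule base showing the drift the article describes.
SAMPLE_RULES = [
    Rule("web", "in", "any", "80", "allow"),
    Rule("rdp-admins", "in", "10.0.0.0/8", "3389", "allow"),
    Rule("rdp-fix-for-user", "in", "any", "3389", "allow"),  # "opened up" after a complaint
    Rule("sql-from-app", "in", "192.0.2.0/24", "1433", "allow"),
    Rule("default-out", "out", "any", "any", "allow"),
    Rule("deny-all", "in", "any", "any", "deny"),
]
```

Run `audit_rules(SAMPLE_RULES)` to see that only the rule opened up for the complaining user and the default outbound rule are flagged, while the source-restricted RDP and SQL rules pass.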