False IT security confidence leaves business exposed

False confidence in security solutions is unwittingly exposing businesses to attack, according to a report by Context Information Security.

The report suggests false confidence can be a significant cause of high-impact vulnerabilities, where security devices are implemented to improve corporate security, but because they’re incorrectly configured, they have the opposite effect.

Examples of misplaced confidence include the default (or out-of-the-box) installation of security devices, an over-reliance on automated vulnerability assessment scanning systems, and misplaced trust in encryption and authentication systems.

Issues also include misconfigured Secure Sockets Layer (SSL) appliances, enabling attackers to gain full access to internal, business-critical applications; intrusion detection systems that let intruders into corporate networks; and the ability to gain unauthorised access to strongly encrypted wireless LANs.

SSL virtual private network (VPN) appliances were found to be a particular pain point in 2006: many businesses deployed them to deliver secure remote access to internal network resources and critical applications, yet forgot that the appliances can be susceptible to the same vulnerabilities as fully functioning web-based applications.

Context’s recommendations include making sure users realise that security products are not a failsafe method of ensuring security, and that there is no point in automatically applying default configurations to appliances without assessing whether that configuration will support the appropriate network environment.

Why would you program your VCR at home to work effectively, and not configure your business security to reflect your corporate topology? Is there some blind assumption that security solutions should be ready out-of-the box? And when has that ever been the case? Sometimes it’s no wonder hackers have a ball.