The best-kept security secrets
Each year, your risk for a hack attack grows. In 1999, 9,859 security incidents were reported to Carnegie Mellon University's CERT Coordination Center, a premier computer emergency response team. By June 2000, the number had already reached 8,836. Better awareness accounts for some of the increase, but not all: People submitted information on 417 software vulnerabilities to CERT in 1999. By mid-year 2000, that number had already reached 442.
Best-kept secret No. 1: Most security holes hired experts find are well-known vulnerabilities with easily accessible patches.
Most Internet-related hacks are traceable to a dozen security holes. These tend to be months -- even years -- old and easy to discover, says Phil Cox, a consultant for security firm SystemExperts in Sudbury, Mass., and former member of the Department of Energy's Computer Incident Advisory Capability team. The Systems Administration, Networking and Security (SANS) Institute keeps a list of the top 10 Internet security threats at www.sans.org/topten.htm. These are all preventable -- "all of them are [due to] a simple lack of configuration management," he says.
For example, the SANS Institute found that, in mid-1999, as many as 50% of Domain Name System servers were running vulnerable copies of the popular Berkeley Internet Name Domain program. Yet this same warning appears on the list today. Much the same can be said of others: An FTP vulnerability, called FTP Bounce, was reported in 1997. A malicious Visual Basic Script, known as network.vbs, was discovered in March. A vulnerability in the rpc.statd command found in several Linux variants was discovered in August. If you run any of this software, you have no excuse for not patching these holes.
You also have no justification for not configuring firewalls to block Internet Control Message Protocol (ICMP) pings originating externally, Cox says. It's well known that numerous attacks tunnel through in that protocol's echo reply. You should also block outgoing ICMP pings, lest your network be an accessory in a distributed denial-of-service attack.
While security consultants will happily take your money to find such obvious flaws, why not better apply your cash and their talents?
Best-kept secret No. 2: Contrary to common practice, scanning for vulnerabilities and patching holes does not constitute good Internet security.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
