January 05, 2001, 2:06 PM — Each year, your risk for a hack attack grows. In 1999, 9,859 security incidents were reported to Carnegie Mellon University's CERT Coordination Center, a premier computer emergency response team. By June 2000, the number had already reached 8,836. Better awareness accounts for some of the increase, but not all: People submitted information on 417 software vulnerabilities to CERT in 1999. By mid-year 2000, that number had already reached 442.
Best-kept secret No. 1: Most security holes hired experts find are well-known vulnerabilities with easily accessible patches.
Most Internet-related hacks are traceable to a dozen security holes. These tend to be months -- even years -- old and easy to discover, says Phil Cox, a consultant for security firm SystemExperts in Sudbury, Mass., and former member of the Department of Energy's Computer Incident Advisory Capability team. The Systems Administration, Networking and Security (SANS) Institute keeps a list of the top 10 Internet security threats at www.sans.org/topten.htm. These are all preventable -- "all of them are [due to] a simple lack of configuration management," he says.
For example, the SANS Institute found that, in mid-1999, as many as 50% of Domain Name System servers were running vulnerable copies of the popular Berkeley Internet Name Domain program. Yet this same warning appears on the list today. Much the same can be said of others: An FTP vulnerability, called FTP Bounce, was reported in 1997. A malicious Visual Basic Script, known as network.vbs, was discovered in March. A vulnerability in the rpc.statd command found in several Linux variants was discovered in August. If you run any of this software, you have no excuse for not patching these holes.
You also have no justification for not configuring firewalls to block Internet Control Message Protocol (ICMP) pings originating externally, Cox says. It's well known that numerous attacks tunnel through in that protocol's echo reply. You should also block outgoing ICMP pings, lest your network be an accessory in a distributed denial-of-service attack.
While security consultants will happily take your money to find such obvious flaws, why not better apply your cash and their talents?
Best-kept secret No. 2: Contrary to common practice, scanning for vulnerabilities and patching holes does not constitute good Internet security.