For example, last week in the midst of red-team testing against a large Fortune 100 company, I found that each of the hundreds of wireless network controllers had unpatched Apache and OpenSSH services running; both would have let hackers on the public wireless network reach their internal corporate networks as admin. Their IDS and firewall devices contained public scripts that had long ago been found to have remote bypass vulnerabilities to get around any silly authentication. Their email appliance was running an insecure FTP service that allowed anonymous uploads.
These are not unusual findings. Appliances often contain just as many vulnerabilities as their software-only counterparts; they're just harder to update and usually aren't. Instead of being hardened security devices, they are an attacker's dream. I love doing penetration testing on environments with lots of appliances. It makes my life significantly easier.
Security fail No. 9: Sandboxes provide straight line to underlying systemI sigh every time a new security sandbox is announced. These sandboxes are supposed to make exploits against the software they protect impossible or at least significantly harder to pull off. The reality is that every security sandbox developed so far has fallen under hacker attention.
Today the biggest security sandboxes are probably best represented by Java and Google's Chrome browser, and both have suffered over 100 exploits that perforated the sandbox and allowed direct access to the underlying system. However, that doesn't stop the dreamers who think they'll find one that will halt all exploits and put down computer maliciousness forever.
Unfortunately, a lot of computer security is more security theater than protection. Your job is to pick through the myriad solutions and employ the ones that truly reduce risk. The security practices listed above are overhyped. How do you know? Because IT is implementing every one of them and malicious hacking and exploitation is more popular than ever. You can't ignore the facts.
- 10 crazy IT security tricks that actually work
- Malware Deep Dive Report
- Data Loss Prevention Deep Dive Report
- Insider Threat Deep Dive Report
- Malware IQ test: Round 2
- Malware IQ test: Round 1
This story, "9 popular IT security practices that just don't work," was originally published at InfoWorld.com. Follow the latest developments in security at InfoWorld.com. For the latest developments in business technology news, follow InfoWorld.com on Twitter.
Read more about security in InfoWorld's Security Channel.
This story, "9 popular IT security practices that just don't work" was originally published by InfoWorld.