9 popular IT security practices that just don't work

The security products and techniques you rely on most aren't keeping you as secure as you think

By Roger A. Grimes, InfoWorld |  Security

Security fail No. 8: Your appliances are an attacker's dreamThe main benefit of appliances -- increased security -- hasn't panned out. By having a smaller OS footprint, usually a locked-down version of Linux or BSD, appliances promise to be less exploitable than fully functional computers running traditional OSes. Yet, in more than 10 years of testing security appliances for InfoWorld, I've only once been sent an appliance that didn't contain a known public exploit. Appliances are nothing but operating systems on closed hard drives or firmware, and those designs are innately harder to keep patched.

For example, last week in the midst of red-team testing against a large Fortune 100 company, I found that each of the hundreds of wireless network controllers had unpatched Apache and OpenSSH services running; both would have let hackers on the public wireless network reach their internal corporate networks as admin. Their IDS and firewall devices contained public scripts that had long ago been found to have remote bypass vulnerabilities to get around any silly authentication. Their email appliance was running an insecure FTP service that allowed anonymous uploads.

These are not unusual findings. Appliances often contain just as many vulnerabilities as their software-only counterparts; they're just harder to update and usually aren't. Instead of being hardened security devices, they are an attacker's dream. I love doing penetration testing on environments with lots of appliances. It makes my life significantly easier.

Security fail No. 9: Sandboxes provide straight line to underlying systemI sigh every time a new security sandbox is announced. These sandboxes are supposed to make exploits against the software they protect impossible or at least significantly harder to pull off. The reality is that every security sandbox developed so far has fallen under hacker attention.

Today the biggest security sandboxes are probably best represented by Java and Google's Chrome browser, and both have suffered over 100 exploits that perforated the sandbox and allowed direct access to the underlying system. However, that doesn't stop the dreamers who think they'll find one that will halt all exploits and put down computer maliciousness forever.


Originally published on InfoWorld |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

Ask a Question
randomness