The 10 dumbest mistakes network managers make
When you look at the worst corporate security breaches, it's clear that network managers keep making the same mistakes over and over again, and that many of these mistakes are easy to avoid.
In 2008, Verizon Business analyzed 90 security breaches that represented 285 million compromised records. Most of these headline-grabbing incidents involved organized crime finding an unprotected opening into a network and using it to steal credit card data, Social Security numbers or other personally identifiable information.
[ See also: 10 woeful tales of data gone missing ]
What's astonishing is how often these security breaches were the result of network managers forgetting to take obvious steps to secure their systems, particularly non-critical servers.
"We're just not doing the basics," says Peter Tippett, vice president of innovation and technology at Verizon Business, who has been auditing security breaches for 18 years.
Tippett helped us put together a list of the simplest steps that a network manager can take to eliminate the majority of security breaches. Not to follow the items on this list would be, quite simply, stupid.
1. Not changing the default passwords on all network devices.
Tippett says it's "unbelievable" how often corporations have a server, switch, router or network appliance with the default password -- usually "password" or "admin" -- still enabled. Most CIOs think this problem could never happen to them, but Tippett sees it every day.
To avoid this problem, you need to run a vulnerability scanner against every device on your network with an IP address, not just the critical or Internet-facing systems, Tippett says. Then you need to change the default passwords that you find to something else. More than half of all the records that were compromised last year were the result of using a default password on a network device, according to the Verizon Business study.
2. Sharing a password across multiple network devices.
IT departments often use the same password across multiple servers, and several people know the password. It might be a good password -- a complicated string of numbers and letters -- but once it's shared among several systems, these systems are all at risk.
For example, one of the people who knows the password could switch companies and reuse the password at his new company. Or an outsourcer who handles a non-critical system such as a data center cooling system could use the same password on all of the systems it operates for all of its customers. In either case, if the password is discovered by a hacker, the hacker can get into many servers and wreak more damage.
Tippett says IT departments need a process -- automated or manual -- to make sure that server passwords are not shared among multiple systems, are changed regularly and are kept secure. He says it's as simple as keeping the current server passwords written down on cards that are kept in a lockbox controlled by one person.
Follow ITworld on Twitter here
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
security
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
SSH on the mistakes list?
Please correct me if i'm wrong, my wife does it every day. But how did SSH make it to the list of mistakes IT managers make? VNC sends passwords in clear text, SSH traffic is encrypted. While SSH-1 does have issues, i don't come across it often as SSH-2 has taken over in most devices and servers.SSH Insecurity
Yes, I did a double take on that too. The author could have made his statement a little bit more clear.The author is right, ssh is a security risk "when it is configured insecurely".
Using a weak password with ssh makes it insecure. Also failing to protect it from brute force attacks makes it insecure.
A big problem with the standard ssh server daemon is that it reports but does not take action upon failed password attempts. I found this out the hard way, one day while reviewing the logs I discovered that there had been thousands of brute force attempts to login to the ssh server. Long lists of user names had been tried with special focus on the names of common services & functions. Although it used to be quite rare, the internet is now saturated with these types of attacks. You must install a separate program such as "fail2ban" in order to block brute force attempts.
Another really huge problem is the practice of using the same password everywhere. This is why initiatives like "OpenID" are not really a very good idea. Another very common problem for instance is with systems in which the email password is the same as the login password. Email passwords tend to be insecure, if that password can then been used to login.... oops there goes all of your security.