The Seven Deadly Sins of Network Security
Companies that suffer serious network security breaches have almost always committed one (or all) of seven deadly sins. Is your company guilty?
By Bill Brenner, Senior Editor
Too much access for too many
Most respondents agreed a lack of access control is the sin that has sent many a company down the road to trouble.
"The biggest failure I've seen is the lack of management support for the necessary expenditures and for the ongoing need to have a clear, working policy on who has authority to do what, who's responsible for granting or denying access, who's responsible for vetting changes, and having it all done in such a manner as to not be too cumbersome on the operations of the company," says Toivo Voll, a network administrator for an educational institution in the southeast.
George Johnson, chief security officer at the National Center for Crisis and Continuity Coordination (NC4), says IT shops often assign everyone administrative access to reduce the workload tighter controls involve. This, he says, is a recipe for a massive compromise.
But the opposite practice of allowing only executives administrative access while locking everyone else out is fraught with danger as well.
"Hackers are targeting execs -- a tactic called 'whaling' -- so this is a huge risk," Johnson says. "It also severely damages the credibility of the security mission when it is obvious that the boss doesn't care about it. Culture springs from the top."
This summer's incident in San Francisco provides another illustration of the risks of putting too much control in one person's hands. A network administrator for the city was able to lock everyone else out of a critical system.
Lax patching procedures
A common security failure often stems from a company's inability to keep up with all the patches needed on the network's various devices. Proof of this problem was offered in a recent study from Verizon showing that 90 percent of successful exploits these days involve vulnerabilities for which a patch has been available for six months or longer.
"For the overwhelming majority of attacks exploiting known vulnerabilities, the patch had been available for months prior to the breach," Verizon says on page 15 of its 2008 Data Breach Investigations Report. "Also worthy of mention is that no breaches were caused by exploits of vulnerabilities patched within a month or less of the attack."
The bad guys know a lot of companies are slow to patch, and so they continue to cook up exploits for the older vulnerabilities, experts say. In fact, security experts say, worms like Blaster and Sasser -- launched four to five years ago against vulnerabilities for which patches were made available around the same period -- are still in wide circulation today.
Dan Ward, an IT security analyst at Acxiom, cites this as one of the major sins on his personal list. This problem, he says, extends not just to poor operating system patching, but also middleware, application and even device driver security updates.
(See Ed Ziots's recent column for advice on How to Handle Security Patches with Sanity.)
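As an added illustration (not from the article or the Verizon report), a short Python patch-latency audit that buckets missing patches by the one-month and six-month windows quoted above; the hostnames, advisory ids, component names and dates are constructed sample data.

```python
"""Patch-latency audit: rank missing patches by how long the fix has been
available, using the one-month and six-month thresholds cited in the text.
All inventory data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    """One (host, advisory) pair from a hypothetical patch inventory."""
    host: str
    advisory: str            # placeholder vendor bulletin id
    component: str           # os / middleware / application / driver
    released: date           # date the vendor published the fix
    applied: Optional[date]  # None while the patch is still missing


AUDIT_DATE = date(2008, 10, 1)  # constructed "today" for the report
INVENTORY = [
    PatchRecord("web01", "ADV-0001", "os", date(2008, 9, 20), None),
    PatchRecord("web01", "ADV-0002", "middleware", date(2008, 2, 10), None),
    PatchRecord("db01", "ADV-0003", "os", date(2008, 3, 1), date(2008, 3, 15)),
    PatchRecord("db01", "ADV-0004", "driver", date(2007, 11, 5), None),
    PatchRecord("file01", "ADV-0005", "application", date(2008, 7, 15), None),
]


def exposure_days(rec: PatchRecord, today: date) -> int:
    """Days the fix was available while the host remained unpatched."""
    end = rec.applied if rec.applied is not None else today
    return (end - rec.released).days


def classify(days: int) -> str:
    """Bucket by the windows quoted from the Verizon report."""
    if days <= 30:
        return "current"    # patched or missing for a month or less
    if days < 180:
        return "overdue"
    return "critical"       # fix available six months or longer


def audit(inventory, today=AUDIT_DATE):
    """Group still-missing patches by bucket; covers OS, middleware,
    application and driver updates alike, as the text recommends."""
    report = {"current": [], "overdue": [], "critical": []}
    for rec in inventory:
        if rec.applied is None:
            bucket = classify(exposure_days(rec, today))
            report[bucket].append((rec.host, rec.advisory, rec.component))
    return report


if __name__ == "__main__":
    for bucket, items in audit(INVENTORY).items():
        print(f"{bucket:8s} {items}")
```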