How vulnerable are most companies to hacking? So vulnerable that hackers claim they can point their systems at pretty much any target and be guaranteed to break in fairly quickly. Most run-of-the-mill vulnerability testers I know can break into a company in a few hours or less. It must be child's play for professional criminals.
It doesn't have to be this way. The problem is that most IT admins are making the same huge mistakes over and over.
Security mistake No. 1: Assuming that patching is good enough
Every company I've ever audited tells me it has patching under control. What the company means is that the operating systems running on most of its computers have been patched. The most popular and most attacked applications? Not so much.
For example, when I find an Apache Web server running, it's never fully patched. If the computer has Adobe Acrobat Reader, Adobe Flash, or Java, the same is true. They're almost never patched. It's not a coincidence that they're also the most successfully exploited applications. This huge disconnect has been true for years.
IT admins think they have patching under control because they bought a comprehensive patching program, assigned someone to oversee it, got better patching than before, and checked it off their to-do list. Never mind that the patching was never perfect, never covered all computers, and didn't patch every piece of vulnerable software. Somehow all of that was glossed over and quickly forgotten.
On top of that, many departments won't patch many of the applications they know they should because of real (or perceived) application compatibility problems. For example, they update Java one day, hear that it caused some random error to appear in one department's application, and by default are forbidden to update Java -- forever. Or they have to keep a bazillion versions of Java around because updating it could possibly cause problems.
Years pass while most computers aren't fully patched. Management goes along happily thinking that the patching problem is solved, whereas it's just as bad as ever. Hackers have a field day.
Security mistake No. 2: Failing to understand what apps are running
Most IT departments have no clue about the programs running on their computers. New computers come preloaded with dozens of utilities and programs the user doesn't need, then users routinely add more. It's not unusual for a normal PC to be running hundreds of programs and utilities at startup.
How can you manage what you don't even know you have? Lots of these programs have huge, known vulnerabilities or vendor-implemented backdoors that anyone can take advantage of. If you want to secure your environment, you have to inventory what programs are running, get rid of what you don't need, and secure the rest.
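As an added illustration (not code from the article or from InfoWorld), here is a small Python audit that ties the two mistakes together: it checks a constructed software inventory against constructed minimum-version baselines and flags third-party applications below the baseline, end-of-life products, products nobody is managing, and hosts carrying several versions of the same product side by side. Every host name, product and version number below is made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample inventory: (hostname, product, installed version).
# Hosts, products and versions are invented for illustration only.
INVENTORY = [
    ("web01", "Apache HTTP Server", "2.4.1"),
    ("web01", "OpenSSL", "1.0.2k"),
    ("pc-042", "Adobe Reader", "9.5.0"),
    ("pc-042", "Java Runtime", "1.6.0_45"),
    ("pc-042", "Java Runtime", "1.7.0_80"),
    ("pc-042", "Java Runtime", "1.8.0_201"),
    ("pc-077", "Adobe Flash Player", "32.0.0.371"),
    ("pc-077", "Java Runtime", "1.8.0_201"),
    ("pc-077", "Random Vendor Toolbar", "3.2"),
]

# Constructed minimum acceptable versions. In a real process these come
# from the vendor advisories your patch team tracks, not from a script.
# None marks an end-of-life product: any install at all is a finding.
BASELINE = {
    "Apache HTTP Server": "2.4.57",
    "OpenSSL": "1.1.1",
    "Adobe Reader": "23.0.0",
    "Adobe Flash Player": None,
    "Java Runtime": "1.8.0_201",
}

def version_key(version):
    """Make '1.7.0_80', '2.4.57' or '1.0.2k' comparable as tuples.
    Numeric runs sort numerically; a trailing letter run (OpenSSL
    style) sorts after the bare number it extends."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok.lower())
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))

def audit(inventory, baseline):
    """Return (host, product, version, reason) findings."""
    findings = []
    seen = defaultdict(set)  # (host, product) -> installed versions
    for host, product, version in inventory:
        seen[(host, product)].add(version)
        if product not in baseline:
            findings.append((host, product, version, "not in baseline: unmanaged software"))
        elif baseline[product] is None:
            findings.append((host, product, version, "end-of-life product installed"))
        elif version_key(version) < version_key(baseline[product]):
            findings.append((host, product, version, f"below minimum {baseline[product]}"))
    for (host, product), versions in seen.items():
        if len(versions) > 1:  # the "bazillion versions of Java" problem
            findings.append((host, product, ", ".join(sorted(versions, key=version_key)),
                             "multiple versions installed side by side"))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY, BASELINE):
        print(" | ".join(finding))
```

Run against a real inventory, the same two checks (below-baseline and side-by-side versions) are the quickest way to see whether "patching is under control" holds for the applications and not just the operating system.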