Fred Avolio's Musings

musings on security and other topics topics archives
July
Sun Mon Tue Wed Thu Fri Sat
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31    
most recent headlines other links, other blogs  

:: home :: security :: TopTenSecurityThreats.html ::
Thu, 31 Aug 2006
Top Ten Security Threats

Background: This is from a 3 or more year old course I gave in support of what I say in The same old stuff further in support of Top Five Reasons Why I Hate Network- and Computer-Security. In short, this is old and, yet, is still relevant. (Kinda like me.)

When we consider Internet system security, these are what I consider to be the top ten security threats.

Default Install
All types of systems are vulnerable to this: desktops, servers, appliances, routers … anything that can be configured. Personal computers and servers often have unneeded services running. And although No security updates VATs can help So can proper policies with proper implementation

Passwords
There are multiple problems here, The first are demo or guest accounts. (This also can be considered part of the Default Installation problem, as many default installations come with preset passwords.) Easily guessed passwords are almost as bad. Guessed passwords do not necessarily provide complete control, but they do provide a foothold. And a foothold is an attackers “Step 1.”

There are, of course, solutions to this. An enterprise can set password policy, but then has to back up policy with policing, using many of the password checking and scanning programs available. Even better, is to replace user-id/password with 2- or 3-factor authentication, including security tokens and biometrics. Recently, when I have taught a course, I ask who has 2-factor authentication. I am pleased to see that the percentage of raised hands is on the rise. Still, most hands remain down.And still, like most things “security,” strong user authentication is an “add-on.”

Bad Backup Policy
Most enterprises do a decent job here, but many do not consider backing up teleworkers’ computers. And many do not routinely verify backups.

Open Ports
This is still a problem on many gateways. (“ Default deny” still has not caught on, even though done correctly it is nearly invisible and protects better than “ default allow.”) On our servers, desktops, and gateways we have opened unused network ports and used ports that are not required. Think of a house with 65,537 open doors.

Lax filtering
IP Spoofing is still used. Do not allow your gateways to pass any source-routed packets

Bad logging practice
Unread logs are not very useful. Logs that are incomplete are worse.

CGI Scripts
Common Gateway Interface scripts are necessary for all but the most basic web pages. The risk is to the web server. Web servers come with example code. Some of that example code has, in the past and today, contained exploitable bugs. (See CGI Script Source Code Disclosure Vulnerability in Apache for Windows.) The solution? Write your own code, if you are able, and test, test, test.

Remote Procedure Calls and Remote access
RPCs allow one computer to run a program on another computer. Buffer overflows and other security weaknesses can and have led to an attacker running a program on the local computer. Unix, Windows, and Mac OS X systems run RPC servers. Global file sharing is a potential point of vulnerability. Do you know what the default settings are on your computers? Firewalls can stop connections. Do yours? What about your teleworkers?

Browsers
There are “necessary,” but remember: all popular browsers—IE, Opera, Mozilla, Firefox, Camino, Safari, Netscape, Konqueror, Avant Browser and Maxthon—have had reported vulnerabilities. All are subject to spoofing vulnerabilities. (Check your browser out at http://secunia.com/multiple_browsers_dialog_box_spoofing_test/.) Also, browsers (and so, client systems) may be vulnerabile to Java and Javascript vulnerabilities. Errors in the Java or Javascript system could allow a web page to trigger a local user action (anything the user could do locally). Any active code on a web page follows this same basic idea: the web page based program is downloaded and executed, and the browser makes sure the operation stays contained. This is apparently very hard to get right. See Cross platform javascript vulnerability leaves IE, Firefox open.

Enterprises should strip Java or Javascript from HTTP traffic at the firewall. Users will be up in arms over it. It doesn’t help with HTML e-mail messages. E-mail Acceptable Use Policy: Disable all HTML, Java, JavaScript, VB, and any other interpreting in e-mail reader

Outlook
Okay, really any fancy e-mail client that:

  • Automatically renders Java, JavaScript or ActiveX.
  • Automatically launches dangerous applications, remembering that any “helper” program may be dangerous (browsers. Picture viewers, Word, PDF viewer).

    If you are stuck with Outlook, turn off some features:

    • Any that users do not really, really, really need. (Disable them and wait for complaints. Then selectively add.)
    • Do not allow Outlook to auto-display HTML
    • Disable Java, JavaScript, ActiveX and VBS controls (under Internet options)
    See The Things I Hate About Outlook and Outlook—Just say “no”.

    Further, be very selective in what attachments your organization will admit through an e-mail gateway or firewall. Does your enterprise require .scr, .bat, .com, .exe, .dll files? Start with what it needs. Disallow all except the ones you absolutely need. (See Buried in Swen! from 2003.)

    This was my top ten security threats list. These are not the top ten security threats that keep me up at night. All of these have some kind of reasonable mitigation, none of which are useful unless they are implemented.

    Comment on this.
    [/security/] permanent link


    •