- 18 Hot IT Certifications for 2014
- CIOs Opting for IT Contractors Over Hiring Full-Time Staff
- 12 Best Free iOS 7 Holiday Shopping Apps
- For CMOs Big Data Can Lead to Big Profits
Network World - When you look at the worst corporate security breaches, it's clear that network managers keep making the same mistakes over and over again, and that many of these mistakes are easy to avoid.
In 2008, Verizon Business analyzed 90 security breaches that represented 285 million compromised records. Most of these headline-grabbing incidents involved organized crime finding an unprotected opening into a network and using it to steal credit card data, Social Security numbers or other personally identifiable information.
What's astonishing is how often these security breaches were the result of network managers forgetting to take obvious steps to secure their systems, particularly non-critical servers.
"We're just not doing the basics," says Peter Tippett, vice president of innovation and technology at Verizon Business, who has been auditing security breaches for 18 years.
Tippett helped us put together a list of the simplest steps that a network manager can take to eliminate the majority of security breaches. Not to follow the items on this list would be, quite simply, stupid.
1. Not changing the default passwords on all network devices.
Tippett says it's "unbelievable" how often corporations have a server, switch, router or network appliance with the default password -- usually "password" or "admin" -- still enabled. Most CIOs think this problem could never happen to them, but Tippett sees it every day.
To avoid this problem, you need to run a vulnerability scanner against every device on your network with an IP address, not just the critical or Internet-facing systems, Tippett says. Then you need to change the default passwords that you find to something else. More than half of all the records that were compromised last year were the result of using a default password on a network device, according to the Verizon Business study.
2. Sharing a password across multiple network devices.
IT departments often use the same password across multiple servers, and several people know the password. It might be a good password -- a complicated string of numbers and letters -- but once it's shared among several systems, these systems are all at risk.
For example, one of the people who knows the password could switch companies and reuse the password at his new company. Or an outsourcer who handles a non-critical system such as a data center cooling system could use the same password on all of the systems it operates for all of its customers. In either case, if the password is discovered by a hacker, the hacker can get into many servers and wreak more damage.
Tippett says IT departments need a process -- automated or manual -- to make sure that server passwords are not shared among multiple systems, are changed regularly and are kept secure. He says it's as simple as keeping the current server passwords written down on cards that are kept in a lockbox controlled by one person.
3. Failing to find SQL coding errors.
The most common hacking attack -- representing 79% of all compromised records -- is against an SQL database that is connected to a Web server. The way that hackers get into these systems is to enter an SQL command in a Web-based form. If the form is coded properly, it shouldn't accept SQL commands. But sometimes developers accidentally create what are called SQL injection errors.
Tippett says the easiest way to prevent these errors is to run an application firewall in "learn" mode so that it can watch how users enter data into a field and then put the application firewall in "operate" mode so that SQL commands can't be injected into a field. The SQL coding problem is widespread. "If a company tests 100 servers, they will probably find a SQL injection problem on 90 of them," Tippett says.
Often, companies fix only the SQL injection errors on their critical servers, forgetting that most hackers get into their networks through non-critical systems. Tippett suggests that network managers segment their networks using access control lists to restrict servers from talking to nonessential devices. This would prevent a hacker from gaining widespread access to data through an inevitable SQL coding error.
4. Misconfiguring your access control lists.
Segmenting your network using access control lists is the simplest way to make sure that systems communicate only with the systems that they should. For example, if you allow business partners to access two servers on your network through your VPN, you should use the access control lists to make sure that these business partners only have access to these two servers. Then if a hacker comes into your network through the opening for business partners, the hacker can only get into the data on these two servers.
"Often a bad guy coming into the network through the VPN has access to everything," Tippett says. Indeed, having properly configured access control lists would have protected 66% of the records that were compromised last year, according to the Verizon report. The reason CIOs don't take this simple step is that it involves using your routers as firewalls, and many network managers don't want to do that.
5. Allowing nonsecure remote access and management software.
One of the most popular ways for hackers to get into your network is to use a remote access and management software package, such as PCAnywhere, Virtual Network Computing (VNC) or Secure Shell (SSH). Often, these software applications are lacking the most basic security measures, such as good passwords.
The simplest way to find this problem is to run an external scan across your entire IP address space to look for PCAnywhere, VNC or SSH traffic. Once you find these applications, put extra security measures on them such as tokens or certificates in addition to passwords. Another option is to scan the Netflow data of your external facing routers and see if you have any remote access management traffic flowing across your network.
This problem is common enough to account for 27% of the compromised records in the Verizon Business report.