Part of the problem is that the websites and programs using digital certificates have been lackadaisical in their use, allowing certificate error messages to become an everyday occurrence. End-users who did not ignore digital certificate error messages would not be able to participate in a large segment of legitimate online life, sometimes including remote access to their own workplace systems. Browser vendors could enforce digital certificate errors so that any error, earned or mistaken, would result in the site or service not being presented, but customers would revolt and choose another browser. Instead, everyone blithely ignores our broken PKI system. On the whole, the masses don't care.
Security fail No. 8: Your appliances are an attacker's dream

The main benefit of appliances -- increased security -- hasn't panned out. By having a smaller OS footprint, usually a locked-down version of Linux or BSD, appliances promise to be less exploitable than fully functional computers running traditional OSes. Yet, in more than 10 years of testing security appliances for InfoWorld, I've only once been sent an appliance that didn't contain a known public exploit. Appliances are nothing but operating systems on closed hard drives or firmware, and those designs are innately harder to keep patched.
For example, last week in the midst of red-team testing against a large Fortune 100 company, I found that each of the hundreds of wireless network controllers had unpatched Apache and OpenSSH services running; both would have let hackers on the public wireless network reach their internal corporate networks as admin. Their IDS and firewall devices contained public scripts that had long ago been found to have remote bypass vulnerabilities to get around any silly authentication. Their email appliance was running an insecure FTP service that allowed anonymous uploads.
These are not unusual findings. Appliances often contain just as many vulnerabilities as their software-only counterparts; they're just harder to update and usually aren't. Instead of being hardened security devices, they are an attacker's dream. I love doing penetration testing on environments with lots of appliances. It makes my life significantly easier.
Security fail No. 9: Sandboxes provide straight line to underlying system

I sigh every time a new security sandbox is announced. These sandboxes are supposed to make exploits against the software they protect impossible or at least significantly harder to pull off. The reality is that every security sandbox developed so far has fallen under hacker attention.
Today the biggest security sandboxes are probably best represented by Java and Google's Chrome browser, and both have suffered over 100 exploits that perforated the sandbox and allowed direct access to the underlying system. However, that doesn't stop the dreamers who think they'll find one that will halt all exploits and put down computer maliciousness forever.