The majority of successful internet-based attacks on computer systems can be traced to one of a small number of security flaws, according to the SANS (System Administration, Networking, and Security) Institute, a Maryland-based research and education group.
The group has published a report of the top 10 security threats to computer networks, along with detailed steps you can take to eliminate them.
“A few software vulnerabilities account for the majority of successful attacks, because attackers are opportunistic, taking the easiest and most convenient route,” the report said. “They count on organizations not fixing the problem, and they often attack indiscriminately, by scanning the internet for vulnerable systems.”
Meanwhile, system administrators say they haven’t corrected these flaws because they don’t know which of more than 500 potential problems are the most dangerous, and they are too busy to correct them all, according to the report.
That should no longer be an excuse. The group’s list of the 10 most commonly exploited security flaws was compiled with the help of federal agencies, security software vendors, consulting firms, and some of the top university-based security programs in the country.
The list, which can be found at http://www.sans.org/topten.htm, reads like a technical document but gives easy-to-understand directions for fixing the flaws.
SANS also released a list of the most common security mistakes information technology professionals make. According to the institute, IT workers all too often:
• Connect systems to the internet before hardening them;
• Connect test systems to the internet with default accounts or passwords;
• Fail to update systems when security holes are found;
• Use telnet and other unencrypted protocols for managing systems, routers, firewalls, and public key infrastructures (digital certificates that authenticate the identity of each party involved in an internet transaction);
• Give out passwords over the phone or change users’ passwords in response to telephone or eMail requests, without verifying the authenticity of the requests;
• Fail to maintain and test system back-ups;
• Implement firewalls that don’t stop malicious or dangerous network traffic;
• Fail to update virus protection software;
• Fail to educate users about security problems; and
• Allow untrained users to take responsibility for securing important systems.
Mistakes by upper-level management also add to security vulnerabilities, SANS said, including:
• Assigning untrained people to maintain security and providing neither the time nor the training for them to learn to do the job,
• Failing to see the consequences of poor security,
• Failing to follow up properly on security fixes,
• Relying primarily on a firewall for security,
• Failing to realize how much money their informational and organizational reputations are worth,
• Authorizing short-term fixes so problems recur, and
• Pretending the problem will go away if ignored.