Security's Three Deadly Sins

It all boils down to sloth, hubris, and greed

People love lists, and I'm no different. I'm a sucker for all those "10 Best Places to Live" sorts of things, even though I know the town where I live won't make the list.

At the beginning of the year, I was looking at a bunch of the "XX Top Threats" and "XX Biggest IT Dangers" lists, and found that I couldn't really disagree with any of them. There is, truly, a lot of stupid activity you can undertake using a computer, and much of that stupidity will have consequences.

Still, as I looked more closely at the lists, I began to feel that they could have been much shorter. Because, in the end, most of the security dangers we see are the result of one or more of three basic problems: sloth, hubris, and greed. Since we've just come through the year's shortest month, then, I offer my own shortened list of dangers to your network.

1. Sloth

No, not the three-toed Amazonian mammal (though I can't imagine that one would do much good for your NOC). Laziness, dereliction of duty -- call it what you will, it boils down to not taking the time to do things right. Let me give you some examples.

  • Defaults. Every piece of hardware ships with a default username and password. Some have default network names, security keys, or SSIDs. There are lists of these defaults on the Internet, and every hacker has a copy of the list. Take the time to change the defaults unless you want to host a bunch of tenth-grade hackers on your corporate server.

  • Training. No one really likes training, whether they're giving or taking the class. But that doesn't mean training isn't critical. I can't count the number of times I've heard a user say, "I didn't know we weren't supposed to do that!" after allowing criminals to run amok in the enterprise network. Make the time to train every user, and build additional training and refresher courses into the employee system.

  • Bad Passwords. No, Sparky, spelling your username backwards as a password isn't brilliant. It is marginally better than simply repeating your username as the password, but the margin isn't huge. It doesn't take long to create a system of passwords that you can remember, that are long enough to be difficult to brute-force, and that don't involve your name or your birthday. Figure it out.

2. Hubris

Nothing sends a chill down my spine like hearing a corporate official say, "Our network is completely secure." Yes, and I'm quite handsome -- but in each case, keywords are open to interpretation. I find that the folks who are most at ease with their level of security tend to be the ones who know the least about it. But hubris does take some common forms.

  • The magic bullet. "We've installed the DunderWall V19.6, and it makes every device impervious to every attack." If your system is still usable, it's vulnerable. I'm a big believer in the Swiss cheese model of security -- you know, the one where you acknowledge that there are likely to be holes, you've just made the block thick enough so that none of them go all the way through. I've yet to find that magic bullet, and your company is still looking, too.

  • Our programmers are brilliant. They may be, but experience says if they've built a Web-facing application, they've created some vulnerabilities. Depending on their level of sloth, they may leave small, subtle holes or large, gaping holes, but you should count on security issues. This isn't to denigrate the programmers -- they were hired for their strengths in programming, not security. Build additional layers of security around their work, and everyone will sleep better.

  • We remember. You've gotten the old-time password religion and decided that everyone needs a 16-digit strong password with no string that can be found in a three-character dictionary lookup, at least four punctuation marks, and an even distribution of characters and numbers. The password must be changed every 30 days, and no one, under pain of dismissal, can write it down. Oh, yes, you don't believe single sign-on is secure, so every application and network segment has its own password, and they must all conform to the corporate standard. Get real. You've just made things so ridiculous that you practically require your employees to break the rules. Good multi-factor authentication, yes; ludicrous memorization requirements, no.

3. Greed

Take "buy low, sell high" to its logical conclusion, and you want something for nothing. Whether you're on the acquiring end of the transaction or the providing end, it's a dangerous place to be.

  • Free hotspots. Who doesn't love a good, free wireless hotspot? Most corporate security folks could do without them, especially when they're near a bogus hotspot set up by an enterprising hacker. If you haven't taken the time to train your users in the difference between "ad hoc" and "infrastructure" connections, you'll hate free hotspots a lot more.

  • Free software. Software, photos, gadgets. Geegaws. Bright shiny strings. Convincing users that they aren't helping when they bring in the latest freeware can be a full-time job. Train your users that they shouldn't bring random freeware crap to the table, and keep the ports closed.

That's it -- a top-20 list compressed to three of the seven deadly sins. Sometime soon I'll get around to the other four -- but since patience is a virtue, you'll have to wait just a bit.

— Curt Franklin is an enthusiastic security geek who used to be one of the Power Rangers (the red one, we think). His checkered past includes stints as a security consultant, an IT staffer at the University of Florida, security editor at Network Computing, chief podcaster for CMP Technology, and various editorial positions at places like InternetWeek, Byte, and Hog Monthly. Special to Dark Reading.
