Sponsored By

6 Deadly Enterprise Security Mistakes6 Deadly Enterprise Security Mistakes

These small, subtle security mistakes can have big data breach consequences.

Dark Reading Staff

October 27, 2011

2 Min Read

Sometimes it's the unknown or overlooked little mistakes that leave an organization wide open to attack: a missing hash mark in a server configuration, a long-forgotten PBX user account, or an embedded Web server in an office printer.

With compliance pressures, increasingly cagey malware, and the fear of being the next front-page data breach victim, it's no wonder that enterprises might not notice potential problems with their lower-profile devices, or make subtle configuration mistakes.

Even so, ignorance is no excuse when the bad guys hone in on an inconspicuous weakness, like a few older, rarely used desktops that haven't been updated with the latest patches. It takes only one weak link for an attacker to gain a foothold into an organization and steal valuable data, or set up shop for long-term cyberespionage.

Spooked yet? Take a look at some subtle but potentially dangerous mistakes enterprises make that could come back to haunt you.

1. Improperly configuring an SSL server.
SSL has gotten a bad rap lately for some inherent security weaknesses. But many SSL servers aren't configured properly such that they aren't even exploiting the benefits of an encrypted session. Only about one-fifth of SSL websites actually redirect to SSL for authentication, and about 70% of SSL servers handle credential logins in plain text. More than half submit passwords in plain text.

That's according to a global SSL survey by SSL Labs, Qualys' community project. But that's not all: Now the bad guys can perform a denial-of-service (DoS) attack on an SSL server without the help of a botnet. A new hacking tool unleashed this week abuses the SSL renegotiation feature to launch a DoS attack on an SSL server from a single laptop or other machine.

Organizations that mistakenly leave SSL renegotiation enabled are vulnerable to this attack with the so-called THC-SSL-DOS tool now circulating. Security experts say SSL renegotiation on a Web server isn't really necessary, anyway, and recommend disabling it altogether.

Read the rest of this article on Dark Reading.

Read more about:

2011

About the Author(s)

Dark Reading Staff

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

See more from Dark Reading Staff
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

Okta logo
Application Security
Okta Breach Widens to Affect 100% of Customer BaseOkta Breach Widens to Affect 100% of Customer Base
byBecky Bracken, Editor, Dark Reading
Nov 30, 2023
4 Min Read
Businesswoman with ponytail in black suit and businessman in black suit with laptop sit at office desk with stack of presents, look at laptop
Endpoint Security
10 Holiday Gifts for Stressed-Out Security Pros10 Holiday Gifts For Stressed-Out Security Pros
byEricka Chickowski, Contributing Writer
Nov 30, 2023
10 Slides
A row of brown cowboy boots in the su
Endpoint Security
Critical 'LogoFAIL' Bugs Offer Secure Boot Bypass for Millions of PCsCritical 'LogoFAIL' Bugs Offer Secure Boot Bypass for Millions of PCs
byNathan Eddy, Contributing Writer
Dec 1, 2023
4 Min Read
Reports
More Reports
White Papers
More Whitepapers
Events
More Events