These small, subtle security mistakes can have big data breach consequences.

Dark Reading Staff, Dark Reading

October 27, 2011


Sometimes it's the unknown or overlooked little mistakes that leave an organization wide open to attack: a missing hash mark in a server configuration, a long-forgotten PBX user account, or an embedded Web server in an office printer.

With compliance pressures, increasingly cagey malware, and the fear of being the next front-page data breach victim, it's no wonder that enterprises might not notice potential problems with their lower-profile devices, or make subtle configuration mistakes.

Even so, ignorance is no excuse when the bad guys home in on an inconspicuous weakness, like a few older, rarely used desktops that haven't been updated with the latest patches. It takes only one weak link for an attacker to gain a foothold in an organization and steal valuable data, or set up shop for long-term cyberespionage.

Spooked yet? Take a look at some subtle but potentially dangerous mistakes enterprises make that could come back to haunt you.

1. Improperly configuring an SSL server.
SSL has gotten a bad rap lately for some inherent security weaknesses. But many SSL servers are configured so poorly that they don't even get the benefit of an encrypted session. Only about one-fifth of SSL websites actually redirect to SSL for authentication, and about 70% of SSL servers handle credential logins in plain text. More than half submit passwords in plain text.

That's according to a global SSL survey by SSL Labs, Qualys' community project. But that's not all: Now the bad guys can perform a denial-of-service (DoS) attack on an SSL server without the help of a botnet. A new hacking tool unleashed this week abuses the SSL renegotiation feature to launch a DoS attack on an SSL server from a single laptop or other machine.

Organizations that mistakenly leave SSL renegotiation enabled are vulnerable to this attack with the so-called THC-SSL-DOS tool now circulating. Security experts say SSL renegotiation on a Web server isn't really necessary, anyway, and recommend disabling it altogether.
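The two login mistakes the survey counts (no redirect to SSL before authentication, and a password form that posts over plain HTTP) are easy to check for without any special tooling. The script below is an added example, not part of the article or of the SSL Labs survey: it audits a login page's HTTP exchange for those two conditions and, going one step beyond the article, also flags a missing Strict-Transport-Security header. The host `shop.example`, the URLs, and the HTML fragments are constructed sample data; the exchanges are embedded inline so the audit runs offline. It does not probe for SSL renegotiation, which is a server-side setting to review directly in the web server's configuration.

```python
"""Audit a login page's HTTP exchange for plain-text credential handling.

Added example (not from the original article). All sample exchanges below
are constructed; 'shop.example' is a placeholder host.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class _PasswordForms(HTMLParser):
    """Collect every <form> that contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_page(url, status, headers, body):
    """Return a list of findings for one captured response to a login URL.

    url     - the URL that was requested (scheme matters)
    status  - HTTP status code of the response
    headers - response headers (case-insensitive lookup)
    body    - response body as a string (HTML)
    """
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}

    if urlsplit(url).scheme == "http":
        location = hdrs.get("location", "")
        if status in REDIRECT_STATUSES and urlsplit(location).scheme == "https":
            return findings  # plain-HTTP request was sent to HTTPS: fine
        findings.append("login page served over plain HTTP without redirect to HTTPS")
    elif "strict-transport-security" not in hdrs:
        # Beyond the article: without HSTS a user's first visit can still start over HTTP.
        findings.append("no Strict-Transport-Security header on HTTPS login page")

    parser = _PasswordForms()
    parser.feed(body)
    for form in parser.forms:
        if not form["password"]:
            continue
        target = urljoin(url, form["action"])  # resolve relative actions against the page URL
        if urlsplit(target).scheme != "https":
            findings.append(f"password form submits to {target} in plain text")
    return findings


# Constructed sample exchanges: (url, status, headers, body)
LOGIN_FORM = '<form action="{action}"><input name="u"><input type="password" name="p"></form>'
SAMPLES = {
    # Mistake 1: login page reachable over HTTP, form posts back over HTTP.
    "http_no_redirect": ("http://shop.example/login", 200, {}, LOGIN_FORM.format(action="/login")),
    # Mistake 2: page is HTTPS but the form explicitly posts to an http:// URL.
    "https_plaintext_post": ("https://shop.example/login", 200,
                             {"Strict-Transport-Security": "max-age=31536000"},
                             LOGIN_FORM.format(action="http://shop.example/login")),
    # Correct: HTTP request is redirected to HTTPS before any form is shown.
    "http_redirected": ("http://shop.example/login", 301,
                        {"Location": "https://shop.example/login"}, ""),
    # Correct: HTTPS page, HSTS set, relative action stays on HTTPS.
    "https_ok": ("https://shop.example/login", 200,
                 {"Strict-Transport-Security": "max-age=31536000"},
                 LOGIN_FORM.format(action="/login")),
}


def audit_all(samples=SAMPLES):
    """Run the audit over every sample and return {name: findings}."""
    return {name: audit_login_page(*exchange) for name, exchange in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {findings or 'OK'}")
```

Run it as-is to see the two misconfigured samples flagged and the two correct ones pass; to audit a real login page, capture the response to the plain-http:// URL and the HTTPS URL with any HTTP client and feed each to `audit_login_page`.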

Read the rest of this article on Dark Reading.
