With compliance pressures, increasingly cagey malware, and the fear of being the next front-page data breach victim, it's no wonder that enterprises might not notice potential problems with their lower-profile devices, or make subtle configuration mistakes.
Even so, ignorance is no excuse when the bad guys hone in on an inconspicuous weakness, like a few older, rarely used desktops that haven't been updated with the latest patches. It takes only one weak link for an attacker to gain a foothold into an organization and steal valuable data, or set up shop for long-term cyberespionage.
Spooked yet? Take a look at some subtle but potentially dangerous mistakes enterprises make that could come back to haunt you.
1. Improperly configuring an SSL server.
SSL has gotten a bad rap lately for some inherent security weaknesses. But many SSL servers aren't configured properly such that they aren't even exploiting the benefits of an encrypted session. Only about one-fifth of SSL websites actually redirect to SSL for authentication, and about 70% of SSL servers handle credential logins in plain text. More than half submit passwords in plain text.
That's according to a global SSL survey by SSL Labs, Qualys' community project. But that's not all: Now the bad guys can perform a denial-of-service (DoS) attack on an SSL server without the help of a botnet. A new hacking tool unleashed this week abuses the SSL renegotiation feature to launch a DoS attack on an SSL server from a single laptop or other machine.
Organizations that mistakenly leave SSL renegotiation enabled are vulnerable to this attack with the so-called THC-SSL-DOS tool now circulating. Security experts say SSL renegotiation on a Web server isn't really necessary, anyway, and recommend disabling it altogether.