There's a perpetual buzz around software flaws and exploits researchers disclose daily, but security experts say it often distracts IT pros from a growing and more serious problem -- networks so sloppily configured and maintained that the bad guys can drive a virtual bulldozer through them without attracting attention.
The problem runs the gamut from mismatched applications and hardware, and security systems that are put in place but never regularly maintained, to wireless access points left open with no defenses attached, according to IT consultants who have seen the problems first hand.
"One of the problems I've come across is the way IT infrastructure is patched together," said Lee Benjamin, principal at ExchangeGuy Consulting in Waltham, Mass. "Look at Wi-Fi access points in a hotel as one example. There are often five or six access points going all the time. Pull into a parking lot and you can find access points."
On top of that, Benjamin has come across IT infrastructures pieced together from devices that seem to work well but are not properly configured, which makes them prime targets for anyone hunting for security holes to exploit.
Look around online and it won't take long to find people who are doing just that. Ajay Shivaa, a student and researcher from India, wrote in the Jambai blog recently about several ways hackers can punch through a poorly configured and maintained wireless network. In one example, he wrote, "If your wireless network is connected to a corporate network through a site-to-site VPN, an open wireless network punches a hole through the network and opens up both sides of the VPN to anyone attaching to the network. Another threat is with improperly configured client VPNs which can be more easily compromised to provide the hacker access through the VPN." After listing five types of attacks, he urged IT pros to properly secure their wireless networks.
Lisa Phifer, vice president of Chester Springs, Pa.-based Core Competence Inc., has been involved in the design, implementation and evaluation of data communications, internetworking, security, and network management products for over 20 years and has advised companies large and small regarding security needs, product assessment and the use of emerging technologies and best practices. She said it's a generally accepted fact in the IT community that misconfiguration and missing patches are the most significant vulnerabilities enterprises face.
In an email interview she noted that the infamous CodeRed worm was still infecting servers at the end of 2007, even though server patches and virus signatures have been available to neutralize the threat since 2001. "If you're a Web server admin and you haven't remediated this most notorious virus yet, that certainly counts as gross misconfiguration," she said, adding that Gartner has predicted misconfiguration will account for 70% of successful WLAN attacks through 2009.
Benjamin's assessment is that the larger enterprise IT shops are doing better than the small to midmarket operations when it comes to conducting regular penetration tests and security control audits, essential practices if a company is to uncover security holes caused by misconfiguration before the bad guys do. In a lot of cases there's a set-it-and-forget-it approach to network security that exacerbates the situation.
"There are enterprises and smaller companies that have that kind of mentality," he said. "They put it in, it looks like the security device works, they do some testing and then forget about it."
Meanwhile, he said, the perimeter is dissolving with more people working on the go and from branch offices. Ensuring a well-configured network across such distance will be increasingly difficult. "Where is the perimeter?" he asked. "We don't even know any more. There are people in branch offices and home offices using all these mobile devices. How does one secure this when everything keeps changing?" Benjamin said he shudders to think about what will happen when Wi-Fi access is available everywhere.
Peter Bamber, vice president of information security consulting services for Waltham, Mass.-based Security Management Partners, said regulated industries like banking have solid security procedures and configurations in place that are regularly looked over by examiners. It's a different story in the unregulated, private organizations, especially those with budget constraints.
He added that companies are paying attention to headline-grabbing incidents like the TJX data security breach and are worrying about how to better secure their wireless configurations, but they are missing the basics. Like Phifer, he has seen examples of companies that suffered an attack that would have been impossible to pull off had the IT infrastructure been more up to date and fully patched.
"IT networks often have too many default settings that go unnoticed because the company isn't getting the staff properly trained to find settings that should be different," he said. "One of my customers got hit by a rootkit that drew in five different viruses exploiting Windows 2000 boxes with missing patches. This was last year. It was a sexy exploit, but had they taken care of the basics that exploit would not have been successful."
The lesson is that if older technology can't be replaced, the IT shop has to at least keep up on all the patches available, Bamber said. And when it comes to building a security net around the infrastructure, companies must do more than just install a firewall or IDS system.
"You need to cover the basics and patch your systems, use more complex passwords and train staff to know how to check for devices that aren't properly configured."
Heed that advice and the threat of attacks targeting misconfigured systems will decrease, he said.
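The consultants quoted above keep returning to the same root causes: default settings nobody changed, access points with no encryption, boxes that have not been patched in a long time. An added example of how an IT shop can make those checks routine rather than a one-off, not code from the article or from any of the firms named in it: a small configuration-drift audit in Python that compares a device inventory against a hardening baseline. Both the baseline values and the inventory are constructed for the example; the finding codes are invented labels, not any vendor's or standard's terminology.

```python
"""Configuration drift audit: compare a device inventory against a hardening baseline.

Added example. The baseline values, device records and finding codes below are
constructed for illustration and do not come from any vendor or standard.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed hardening baseline: the settings that "should be different" from defaults.
BASELINE = {
    "min_wifi_security": "WPA2",                      # anything weaker is a finding
    "max_patch_age_days": 30,                         # oldest acceptable patch level
    "default_snmp_communities": {"public", "private"} # vendor defaults that must be changed
}

# Relative strength of wireless security modes, weakest first.
WIFI_RANK = {"open": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


@dataclass
class Device:
    name: str
    wifi_security: Optional[str] = None   # None for wired-only devices
    default_credentials: bool = False     # still using the login the vendor shipped
    patch_age_days: int = 0               # days since the last patch was applied
    snmp_community: Optional[str] = None  # None if SNMP is disabled


def audit_device(dev: Device, baseline: dict = BASELINE) -> list[str]:
    """Return the finding codes for one device; an empty list means it meets the baseline."""
    findings = []
    if dev.wifi_security is not None:
        # An unrecognised mode ranks below everything and is flagged as weak as well.
        if WIFI_RANK.get(dev.wifi_security, -1) < WIFI_RANK[baseline["min_wifi_security"]]:
            findings.append("WIFI_WEAK")
    if dev.default_credentials:
        findings.append("DEFAULT_CREDENTIALS")
    if dev.patch_age_days > baseline["max_patch_age_days"]:
        findings.append("PATCH_STALE")
    if dev.snmp_community in baseline["default_snmp_communities"]:
        findings.append("SNMP_DEFAULT_COMMUNITY")
    return findings


def audit_inventory(devices: list[Device], baseline: dict = BASELINE) -> dict[str, list[str]]:
    """Audit every device and map its name to its list of findings."""
    return {d.name: audit_device(d, baseline) for d in devices}


def noncompliant(report: dict[str, list[str]]) -> list[str]:
    """Names of devices with at least one finding, sorted for stable reporting."""
    return sorted(name for name, findings in report.items() if findings)


# Constructed sample inventory mirroring the situations described in the article.
SAMPLE_INVENTORY = [
    Device("lobby-ap-1", wifi_security="open", patch_age_days=12),
    Device("fileserver-w2k", default_credentials=True, patch_age_days=400),
    Device("core-switch", patch_age_days=5, snmp_community="public"),
    Device("branch-ap-2", wifi_security="WPA2", patch_age_days=20),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for name, findings in report.items():
        print(f"{name:16} {'OK' if not findings else ', '.join(findings)}")
```

The point of the design is that the baseline, not the auditor's memory, defines what "properly configured" means, so the same script can run after every change and on a schedule, which is the opposite of the set-it-and-forget-it approach Benjamin describes. In practice the inventory would be fed from a real source (asset database, wireless controller export, patch management report) rather than typed in by hand.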