When looking at the recently released SANS/FBI Top 20 list of Internet security vulnerabilities, one is struck by how many items on the list are related to system configuration mistakes.
Many of the vulnerabilities on the list, which is broken down into the top 10 Windows and top 10 Unix vulnerabilities, are flaws caused by operator error.
The Apache Web server, for example, made the Unix half of the list, even though SANS noted its "well-deserved reputation for security."
"[N]o Web server can be considered secure until it is considered in the context of its interaction with Web applications, especially CGI programs and databases," SANS reported. A malicious or poorly written CGI script can prove as dangerous to the server as an actual flaw in the server, SANS said.
The Apache Web server, however, does come quite secure, with its services and functionality turned off.
"Yet all kinds of holes are created when you run, say, a Java application server on top of it," said David Litchfield, a well-known vulnerability-finder and co-founder of Next Generation Security Software, which is based in Sutton, England.
The list also includes other vulnerabilities that result from configuration blunders, including open network shares, missing passwords for services and incorrect permissions and security settings for the Windows Registry. The Windows Registry is a central hierarchical database for managing software, device configurations and user settings.
The genesis of many of these vulnerabilities is that functionality and services are often turned on by default. As such, users have to actively shut off services they don't use.
In actuality, software should come with all services turned off by default; that way users will only have to worry about services that they need, Litchfield said. "It's actually sad in a way. It is cool being able to get down to business right away," he said.
Microsoft Corp. used to follow this strategy, enabling a bunch of functionality out of the box. The company is getting better, but it's not alone in enabling services by default. "Solaris, for example, has a bunch of services turned on including some that can contain buffer overflows and remote access vulnerabilities," Litchfield said.
Yet there seems to be an odd disparity between how one views an unsecured Unix or Linux box and a Windows system. If someone sets up a Linux box that is unsecured and it gets compromised, then people would call that person an idiot, said Tim Mullen, CIO and chief software architect for AnchorIS.com, a developer of secure, enterprise-based accounting software.
By contrast, if it was an unsecured Windows machine then "people would scream Microsoft is evil," Mullen said. One explanation for the difference might be that there is an expectation that people installing Unix or Linux have a higher level of technical knowledge. "Your level of experience has the most to do with how secure a system will be," he said.
For example, Mullen can make a Windows machine very secure, even without service packs, because he knows the system so well. While he can configure a Unix box, it probably wouldn't be as secure, because he doesn't know the platform as well.
Still, security isn't a one-time thing but a continuous process.
"You can have secure software but then a new class of vulnerability emerges that you never thought of, and your software then becomes insecure," Litchfield said.