Configuration errors at the root of most security woes

The recent SANS/FBI vulnerability list is riddled with security flaws that are essentially system configuration mistakes.

When looking at the recently released SANS/FBI Top 20 list of Internet security vulnerabilities, one is struck by how many items on the list are related to system configuration mistakes.

Feedback on this story? Send your comments to News Writer Edward Hurley

Many of the vulnerabilities on the list, which is broken down into the top 10 Windows and top 10 Unix vulnerabilities, are flaws caused by operator error.

The Apache Web server, for example, made the Unix half of the list, even though SANS noted its "well-deserved reputation for security."

"[N]o Web server can be considered secure until it is considered in the context of its interaction with Web applications, especially CGI programs and databases," SANS reported. A malicious or poorly written CGI script can prove as dangerous to the server as an actual flaw in the server, SANS said.

The Apache Web server, however, is quite secure as shipped, with most of its optional services and functionality turned off.

"Yet all kinds of holes are created when you run, say, a Java application server on top of it," said David Litchfield, a well-known vulnerability-finder and co-founder of Next Generation Security Software, which is based in Sutton, England.

The list also includes other vulnerabilities that result from configuration blunders, including open network shares, missing passwords for services and incorrect permissions and security settings for the Windows Registry. The Windows Registry is a central hierarchical database for managing software, device configurations and user settings.

The genesis of many of these vulnerabilities is that functionality and services are often turned on by default. As such, users have to actively shut off services they don't use.

In actuality, software should come with all services turned off by default; that way users only have to worry about the services they need, Litchfield said. "It's actually sad in a way. It is cool being able to get down to business right away," he said.

Microsoft Corp. used to ship its products this way, enabling a great deal of functionality out of the box. The company is getting better, but it's not alone in enabling services by default. "Solaris, for example, has a bunch of services turned on including some that can contain buffer overflows and remote access vulnerabilities," Litchfield said.
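The deny-by-default posture Litchfield describes is easiest to enforce as a recurring check: list what is actually listening on the network and flag anything that is not on an explicit allowlist. The script below is an added example, not code from the article or from SANS; it assumes the input is the output of `ss -ltnp` (here a constructed sample standing in for a default install), treats loopback-only listeners as out of scope, and reports every other listener whose port the administrator has not consciously approved.

```shell
#!/bin/sh
# Added audit example (not from the article): deny-by-default review of
# listening TCP services, in the spirit of "turn off what you don't need".
# Assumes the input is `ss -ltnp` output (or a saved copy of it).

# Constructed sample listing, standing in for `ss -ltnp` on a fresh install.
SAMPLE_LISTING='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
LISTEN 0      50     0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=500,fd=4))
LISTEN 0      128    *:80                *:*               users:(("httpd",pid=1200,fd=4))
LISTEN 0      64     [::]:2049           [::]:*            users:(("nfsd",pid=1300,fd=6))'

# audit_listeners PORT [PORT...]   (reads the listing on stdin)
# Prints one line per network-reachable listener whose port is NOT in the
# explicit allowlist, as "<port> <process> <bound address>".
audit_listeners() {
    allow=" $* "
    awk -v allow="$allow" '
        NR == 1 { next }                       # column header
        $1 != "LISTEN" { next }
        {
            # Local address is field 4; the port is whatever follows the last ":"
            n = split($4, parts, ":"); port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            # Loopback-only listeners are not reachable from the network
            if (addr == "[::1]" || addr ~ /^127\./) next
            # Process name is the first quoted token of users:(("name",pid=...))
            proc = "?"
            if (match($6, /"[^"]+"/)) proc = substr($6, RSTART + 1, RLENGTH - 2)
            if (index(allow, " " port " ") == 0) print port, proc, addr
        }'
}

# Usage: only SSH and HTTP are deliberately exposed on this host.
printf '%s\n' "$SAMPLE_LISTING" | audit_listeners 22 80
```

Run against a live host with `ss -ltnp | audit_listeners 22 80`; every line it prints is a service that is on without anyone having decided it should be, which on the sample above means rpcbind and the NFS server. The allowlist is deliberately a list of ports rather than process names, because the point is to approve exposure, not software.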

Yet there seems to be an odd disparity between how one views an unsecured Unix or Linux box and an unsecured Windows system. If someone sets up a Linux box that is unsecured and it gets compromised, people would call that person an idiot, said Tim Mullen, CIO and chief software architect for AnchorIS.com, a developer of secure, enterprise-based accounting software.

By contrast, if it were an unsecured Windows machine then "people would scream Microsoft is evil," Mullen said. One explanation for the difference might be the expectation that people installing Unix or Linux have a higher level of technical knowledge. "Your level of experience has the most to do with how secure a system will be," he said.

For example, Mullen can make a Windows machine very secure, even without service packs, because he knows the system so well. While he can configure a Unix box, it probably wouldn't be as secure, because he doesn't know that platform as well.

Still, security isn't a one-time thing but a continuous process.

"You can have secure software but then a new class of vulnerability emerges that you never thought of, and your software then becomes insecure," Litchfield said.
