As enterprises expose their perimeters to customers and business partners more and more, there is less room or tolerance for security lapses.
Yet some e-businesses and corporations still lack basic security tenets: they do not use adequate firewall or intrusion-detection protection and do not have security policies, according to several consultants and security experts contacted by SearchSecurity.com. Those experts identified five common security mistakes made in the enterprise. In no particular order, they are:
- Failure to keep systems patched
- Lack of security policies and procedures
- Lack of a centralized, in-house security office
- Inadequate firewall protection
- Inadequate intrusion detection protection
Code Red and Nimda ran roughshod through enterprises worldwide last year by exploiting vulnerable versions of Microsoft's Web server, Internet Information Server (IIS). Though a patch was available for months, the two pieces of malicious code found smooth sailing through corporate networks because many companies had failed to patch a vital security hole.
"Patching is mind-numbingly dull and boring. It's not fun. It's not sexy. It's not interesting," said Ed Skoudis, vice president of security strategy for Predictive Systems' consulting arm, Global Integrity. "There are other things that system administrators would rather be doing that are interesting."
Skoudis acknowledged that patching has its difficulties, namely making sure that patches are applied in the right order and applied first in a test environment. "It's hard to get them just right," he said.
Usually, companies skate by until a hack exposes their data or costs them dearly on the bottom line, or until an auditor produces a scathing report for a CEO.
"I did some consultant work for a major bank that patched its systems only when it fit into their schedule to do so," said Ed Yakabovicz, board member of the Delaware FBI Infragard Chapter. "All the while, they were being hacked because they had not applied certain patches. An auditor found that someone had stored 40G bytes of files on their network because they had not patched an FTP they used for three years."
Where's the policy?
Some studies contend that the biggest threat to an enterprise comes from within. Employees have instant network access to files and applications, and in many cases, loss of data and intellectual property can be traced to a current or former employee.
Generally, however, employee flubs aren't malicious, though they can be just as costly. Experts said that a thorough security policy could cure these ills.
"Companies still lack well-defined security policies," said Steve Mencik, a senior security engineer for ACS Defense, a Burlington, Mass.-based system engineering and development services provider for military and commercial organizations. "Employees don't know what they can do and what they cannot do. You've got people installing their own software, bypassing any security controls that are in place. You want to give people what they need to do their jobs, but you also have to make sure there is a way to lock things down."
Policies must be living documents too: a mandate that is flexible enough to adjust to an equally flexible business plan.
"Your security may happen to be good for a while, but without defined processes and policies, it'll inevitably decay with time," Skoudis said.
Centralize security in your organization
Right along with the lack of policy is the lack of a security point person in an enterprise. Too often, experts said, security is rolled into an IT administrator's duties. Having a chief security officer or someone responsible for security who reports to a chief information officer is a vital administrative linchpin between IT and the executive level.
"The most common mistake that comes to mind is that there is no central office in many companies that worries about security," said Mencik. "Enterprises need a CSO or someone in an administrative role who is in charge of security. They need to know who is listening."
The CSO position often has little to do with technology; instead, the person in that position acts as a coordinator of security administration, policy development and technical support. Right now, however, most enterprises don't have that luxury, and those holding the CSO title will have a rough immediate future, especially if enterprises don't appoint them as frontline executives in the corporate structure, Steve Hunt, Giga Information Group vice president and research leader, said at this summer's Security Decisions conference.
No IDS, no network lockdown
Yes, it's true: some enterprises still don't monitor network activity with intrusion detection systems (IDS).
IDS is expensive and generates volumes of log data that need to be monitored and reviewed by someone experienced in network issues. But it's a near-fatal mistake not to invest.
Yakabovicz recalled a former client, a dot-com, that was close to three years behind in patching its systems, much less having IDS installed. Upon installing an intrusion detection system, he watched as an intruder used a system administrator password to hack their SQL Server. In addition to poor patching, there was inadequate encryption and authentication protection on their system.
"Management in these cases felt it was more important to get stuff out, get to market and worry about security later," Yakabovicz said. "It was a big shock to them to learn they were being hacked."
Firewall faux pas
Most companies have firewalls protecting their perimeters, but in most cases the protection is inadequate, and that usually comes down to an administrator's lack of experience.
"This is especially true for midrange, smaller companies," said Yakabovicz. "Some of them may have IDS and firewalls, but they have no one to read logs or they have the wrong type of firewalls installed."
Yakabovicz recalled another former client that had not audited its files for more than two years and never looked at its firewall or IDS logs. It operated in a depressed area where pay and experience were poor.
"They thought their Cisco PIX firewall was enough," Yakabovicz said. "Turns out someone had been hacking their network and had stored 100G bytes of MP3s on their network."
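The recurring theme in these accounts is that logs existed but nobody read them, so gigabytes of foreign files sat on servers for years. As an added illustration that is not part of the article, the script below shows how a first pass over transfer logs can be automated so that a human only has to look at the handful of hosts that stand out. The log format is a simplified one constructed for this example (one transfer per line: timestamp, remote host, direction, bytes, path), the thresholds and business-hours window are assumptions, and the sample lines are invented; the approach applies equally to firewall or IDS logs once a parser for their format is substituted.

```python
"""Added example (not the article's code): triage of transfer logs to spot
hosts quietly parking large volumes of data on a server."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines for this example (not from a real server).
# Format, one transfer per line: "<ISO timestamp> <remote-host> <direction> <bytes> <path>"
# direction is "in" for an upload to our server and "out" for a download from it.
SAMPLE_LOG = """\
2002-03-04T09:12:01 10.0.0.5 out 4096 /pub/readme.txt
2002-03-04T10:03:44 10.0.0.9 in 20480 /incoming/report.doc
2002-03-04T23:41:10 198.51.100.7 in 734003200 /incoming/.tmp/x1.bin
2002-03-05T01:15:32 198.51.100.7 in 734003200 /incoming/.tmp/x2.bin
2002-03-05T02:50:07 198.51.100.7 in 734003200 /incoming/.tmp/x3.bin
2002-03-05T03:22:49 198.51.100.7 in 734003200 /incoming/.tmp/x4.bin
2002-03-05T14:09:15 10.0.0.5 out 8192 /pub/prices.csv
not a log line at all
"""

# Thresholds are assumptions for this example; tune them to the site's normal traffic.
BYTES_PER_GB = 1024 ** 3
UPLOAD_VOLUME_THRESHOLD = 2 * BYTES_PER_GB  # flag a host that uploads more than 2 GB
BUSINESS_HOURS = range(8, 19)               # 08:00-18:59 local time
HIDDEN_DIR_MARKER = "/."                    # uploads into dot-directories are suspicious


def parse_line(line):
    """Parse one transfer record; return None for malformed lines so one
    corrupt entry never aborts the whole review."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, host, direction, size, path = parts
    try:
        return {
            "time": datetime.fromisoformat(ts),
            "host": host,
            "direction": direction,
            "bytes": int(size),
            "path": path,
        }
    except ValueError:
        return None


def summarize(log_text):
    """Aggregate uploads per remote host: total bytes, count, how many were
    off-hours and how many went into dot-directories. Downloads are ignored."""
    stats = defaultdict(lambda: {"bytes_in": 0, "uploads": 0,
                                 "off_hours": 0, "hidden_paths": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["direction"] != "in":
            continue
        s = stats[rec["host"]]
        s["bytes_in"] += rec["bytes"]
        s["uploads"] += 1
        if rec["time"].hour not in BUSINESS_HOURS:
            s["off_hours"] += 1
        if HIDDEN_DIR_MARKER in rec["path"]:
            s["hidden_paths"] += 1
    return dict(stats)


def flag_hosts(stats, volume_threshold=UPLOAD_VOLUME_THRESHOLD):
    """Return {host: [reasons]} for hosts whose upload pattern deserves a
    human look; a host with no reasons is left out entirely."""
    findings = {}
    for host, s in stats.items():
        reasons = []
        if s["bytes_in"] > volume_threshold:
            reasons.append("uploaded %.1f GB" % (s["bytes_in"] / BYTES_PER_GB))
        if s["uploads"] and s["off_hours"] == s["uploads"]:
            reasons.append("all uploads outside business hours")
        if s["hidden_paths"]:
            reasons.append("%d uploads into dot-directories" % s["hidden_paths"])
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in flag_hosts(summarize(SAMPLE_LOG)).items():
        print(host, "->", "; ".join(reasons))
```

Run against the sample, only the host that pushed four large files into a dot-directory in the middle of the night is reported; the ordinary daytime upload and the downloads are not. The point is the review loop, not the particular rules: a short summary like this, produced daily and actually read, would have surfaced the 40- and 100-gigabyte caches described above long before an auditor did.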