Continued from page 1
Important, and sometimes critical documents left on web servers. Information that only internal or technical people should have access to;
Poor password and authentication policy. Users using weak passwords to access accounts, especially remote access devices that are present on Internet;
Test servers that have been forgotten about and are still present on Internet;
Poor network border architecture For instance; installing a firewall and forgetting that there are other network that need to be protected or should be placed behind firewall.
The above is just a handful of "Little Things" that get overlooked and can result in undoing of your networks security measures.
As an example; Many organizations provide their internal and external customers with a public FTP service. Most times, this is done to allow people to easily post "non-critical" or public information and share it with other associates.
Recently, I identified just such an FTP server. The server allowed anonymous logons, however it contained sub-directories that were secured. These secure directories were only accessible by people who owned account. It was obvious to me that I was not going to easily compromise these accounts. On other hand, sitting right in anonymous "root" directory was a .zip file that was rather large. I downloaded file, which took quite a while, unzipped it on my desktop, and guess what it contained? It was a compressed file of entire FTP server, including secure directories.
I would bore you with what I found within these directories. The bottom line is, I should have never had access to information they contained.
Conclusion ---------- The bottom line is this; it really is little things that will come back to haunt you when it comes to computer security. No system should ever be rushed into production. This is one of most common causes for poorly secured systems. The team in charge of implementing new technology needs to be educated on how to securely deploy new systems. And if you are installing support software from outside vendors, make sure you thoroughly review their products security features. Also, make sure they fully disclose any known bugs or improperly functioning features.
Darren Miller is an Information Security Consultant with over sixteen years experience. He has written many technology & security articles, some of which have been published in nationally circulated magazines & periodicals.