For all the concern and fear that computer viruses and denial of service (DoS) attacks have generated recently, most such incidents can be traced to a small number of security issues, according to The SANS Institute's living document titled "How To Eliminate The Ten Most Critical Internet Security Threats." Critically important reading for all systems administrators, this is a "consensus document" resulting from unprecedented cooperation among leading security software vendors and consulting firms, security-conscious federal agencies, top university-based security programs, and others.
For IT consultants and independent contractors who perform systems administration for their clients, this is also a must-read document, as a breach of a client's network could cost thousands of dollars and would likely lead to the termination of the contract. The document is all the more valuable because system administrators have difficulty prioritizing security issues simply because there are so many potential threats to deal with. It gives them step-by-step instructions, complete with Common Vulnerabilities and Exposures (CVE) reference numbers, for eliminating each of these vulnerabilities.
The short list
The top ten list below is written in system-administrator-speak. Going into additional detail is beyond the scope of this article, so please refer to the document itself. Here are the ten most critical Internet security threats:
- BIND weaknesses: nxt, qinv, and in.named allow immediate root compromise.
- Vulnerable CGI programs and application extensions (e.g., ColdFusion) installed on Web servers.
- Remote Procedure Call (RPC) weaknesses in rpc.ttdbserverd (ToolTalk), rpc.cmsd (Calendar Manager), and rpc.statd that allow immediate root compromise.
- RDS security hole in the Microsoft Internet Information Server (IIS).
- Sendmail buffer overflow weaknesses, pipe attacks, and MIMEbo that allow immediate root compromise.
- Buffer overflows in sadmind (Solaris remote administration) and mountd (the NFS mount daemon) that allow root compromise.
- Global file sharing and inappropriate information sharing via NetBIOS and Windows NT ports 135 through 139 (445 in Windows 2000), or UNIX NFS exports on port 2049, or Macintosh Web sharing or AppleShare/IP on ports 80, 427, and 548.
- User IDs, especially root/administrator with no passwords or weak passwords.
- IMAP and POP buffer overflow vulnerabilities or incorrect configuration.
- Default SNMP community strings set to "public" and "private."
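As an added example that is not part of the SANS document or of this article, the following Python script checks two of the misconfigurations from the list on constructed sample files: an /etc/exports that shares directories with every host or grants remote root (the global file sharing item), and a net-snmp style snmpd.conf that still uses the default "public" and "private" community strings. The sample file contents, the directive names checked, and the set of default community strings are assumptions made for the example; the functions take text, so you can feed them the real files to audit a host.

```python
"""Audit NFS exports and SNMP community strings for two of the SANS top-ten
misconfigurations. The sample configuration text below is constructed for
this example; it is not taken from any real host."""
import re

# Constructed sample of /etc/exports (Linux syntax: path client(options) ...).
SAMPLE_EXPORTS = """\
/export/home  *(rw)
/export/tools 10.0.0.0/24(ro,root_squash)
/export/www   *.example.com(rw,no_root_squash)
/export/build
# /export/old  *(rw)
"""

# Constructed sample of a net-snmp style snmpd.conf.
SAMPLE_SNMPD_CONF = """\
rocommunity public
rwcommunity private 10.0.0.5
rocommunity s3cr3t-r0 10.0.0.0/24
com2sec readonly default public
"""

# Assumed set of default community strings to flag.
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_exports(text):
    """Return (path, reason) pairs for exports that are visible to every host
    or that let a remote root act as root on the export."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        if not clients:
            # A path with no client list is exported to all hosts.
            findings.append((path, "no client list: exported to every host"))
            continue
        for client in clients:
            host = client.split("(", 1)[0]        # text before the options
            opts = set(re.findall(r"\w+", client[len(host):]))
            if host in ("", "*"):
                findings.append((path, "wildcard client '*' exports to every host"))
            if "no_root_squash" in opts:
                findings.append((path, "no_root_squash for %s: remote root is root on the export"
                                 % (host or "*")))
    return findings


def audit_snmp(text):
    """Return (directive, community) pairs for rocommunity, rwcommunity and
    com2sec directives that use a default community string."""
    findings = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        directive = parts[0]
        if directive in ("rocommunity", "rwcommunity") and len(parts) > 1:
            community = parts[1]
        elif directive == "com2sec" and len(parts) > 3:
            community = parts[3]                  # com2sec NAME SOURCE COMMUNITY
        else:
            continue
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((directive, community))
    return findings


if __name__ == "__main__":
    for path, reason in audit_exports(SAMPLE_EXPORTS):
        print("NFS  %s: %s" % (path, reason))
    for directive, community in audit_snmp(SAMPLE_SNMPD_CONF):
        print("SNMP %s uses default community '%s'" % (directive, community))
```

On the sample input the script flags /export/home (wildcard client), /export/www (no_root_squash) and /export/build (no client list), and all three SNMP directives that still use "public" or "private"; the read-only community with a non-default string passes. A directive or export syntax the functions do not recognise is silently skipped, so the audit is a first pass, not proof of a clean configuration.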
The report also notes that various scripting holes in Internet Explorer and Office 2000 are a high-priority security issue for Windows users and administrators. Given the ubiquity of IE5 and Office 2000 in the enterprise, this eleventh bonus item certainly warrants additional research by those administrators.
Common security mistakes
In addition to this somewhat dry but necessary information, here are two additional lists from the SANS Institute that should be of interest to anyone who relies on the Internet.
The Seven Worst Security Mistakes Senior Executives Make
- Assigning untrained people to maintain security and providing neither the training nor the time to make it possible to learn and do the job.
- Failing to understand the relationship of information security to the business problem—they understand physical security but do not see the consequences of poor information security.
- Failing to deal with the operational aspects of security—making a few fixes and then not allowing the follow-through necessary to ensure the problems stay fixed.
- Relying primarily on a firewall.
- Failing to realize how much money their information and organizational reputations are worth.
- Authorizing reactive, short-term fixes so problems reemerge rapidly.
- Pretending the problem will go away if they ignore it.
The Ten Worst Security Mistakes Information Technology People Make
- Connecting systems to the Internet before hardening them.
- Connecting test systems to the Internet with default accounts/passwords.
- Failing to update systems when security holes are found.
- Using Telnet and other unencrypted protocols for managing systems, routers, firewalls, and PKI.
- Giving users passwords over the phone or changing user passwords in response to telephone or personal requests when the requester is not authenticated.
- Failing to maintain and test backups.
- Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, and rservices.
- Implementing firewalls with rules that don’t stop malicious or dangerous traffic—incoming or outgoing.
- Failing to implement or update virus detection software.
- Failing to educate users on what to look for and what to do when they see a potential security problem.
Edwin W. Smith is vice president of training for IntraLinux, Inc., the first open source networking solution that comes with on-site installation and support at the customer’s premises. He’s also founder and CEO of ITtalent.com, an award-winning, one-stop employment and recruiting resource for IT, IS, and MIS professionals.
What would your list of "worst security mistakes" look like? What should IT pros do to avoid them? To share your thoughts, post a comment below or send us a note.