Tips for Computer users

Deadly sins caused by Insecurity

Deadly sin No. 1: Using weak and default passwords.

Most system administrators know better, but they just don't take steps to verify that no default or empty passwords are in use.


Make this task easier, Toxen said, by not giving each user the same default password when you set up new accounts. Also, avoid unencrypted passwords on disks and over networks.

If at all possible, select passwords for users. If that's impossible, then teach users to create strong passwords that contain no complete word or pair of words, have at least 10 characters and are not based on personal information. Other Toxen tips: Avoid obvious terms and tactics, like using computing or science fiction words, relying on capitalization and substituting the number one for the letter l.

Systems administrators can make sure that users' passwords meet security standards by using CrackLib. CrackLib is a library containing a C function that tests passwords for compliance with set security-oriented characteristics. Toxen advises administrators to get written management approval for using this tool, as it may punch users' privacy buttons.
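The rules in the two paragraphs above (at least 10 characters, no complete word or pair of words, nothing based on personal information, no reliance on capitalization or on swapping the digit one for the letter l) can be turned into a CrackLib-style check. The following is an added example written for this page, not CrackLib itself and not code from Toxen; it assumes a constructed mini word list in place of a real system dictionary, and the substitution table and function names are this example's own.

```python
from typing import List, Optional, Sequence

MIN_LENGTH = 10  # the text's floor of "at least 10 characters"

# Constructed stand-in for a CrackLib-style dictionary. Assumption: a real check
# would load the system word list (for example /usr/share/dict/words) instead.
DICTIONARY = {
    "password", "welcome", "summer", "winter", "linux", "kernel", "klingon",
    "starship", "secret", "monkey", "dragon", "letmein", "computer", "network",
}

# The "obvious tactics" the text warns against: digit/symbol-for-letter
# substitutions (1 for l, 0 for o, ...) and capitalization. We undo them before
# looking for words, so "K1ingon" is still recognised as "klingon".
SUBSTITUTIONS = str.maketrans({
    "1": "l", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})


def normalize(text: str) -> str:
    """Undo trivial substitutions and case so disguised words still match."""
    return text.translate(SUBSTITUTIONS).lower()


def find_dictionary_word(password: str, min_word_len: int = 4) -> Optional[str]:
    """Return the longest dictionary word hidden in the password, if any.

    Every word is tested as a substring, so a password built from a pair of
    words ("StarshipDragon") is caught just like a single word.
    """
    norm = normalize(password)
    for word in sorted(DICTIONARY, key=len, reverse=True):
        if len(word) >= min_word_len and word in norm:
            return word
    return None


def find_personal_info(password: str, personal: Sequence[str]) -> Optional[str]:
    """Return the first personal-information token (name, birth year, ...) found."""
    norm = normalize(password)
    for item in personal:
        token = normalize(item)
        if len(token) >= 3 and token in norm:
            return item
    return None


def check_password(password: str, personal: Sequence[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    word = find_dictionary_word(password)
    if word:
        problems.append(f"contains dictionary word '{word}'")
    info = find_personal_info(password, personal)
    if info:
        problems.append(f"based on personal information '{info}'")
    if password.isalpha():
        problems.append("letters only: capitalization alone adds little")
    return problems


if __name__ == "__main__":
    for candidate in ("K1ingonSh1p", "Summer2024", "x7!Qb#p2Vz9m"):
        print(candidate, "->", check_password(candidate, personal=["alice", "1975"]) or "OK")
```

The personal-information list would come from the account record (username, real name, birth year) at the point where the password is set; like CrackLib, the check should run before the password is stored, never against stored hashes.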

Administrators can't be sure that every system behind a firewall is configured securely. As a rule of thumb, if it's not in use, turn it off. That goes for NFS (Network File System), portmap, mountd, telnet, FTP, lpd/cups and auth ports, as well as unneeded daemons, sendmail options and domain names. In particular, the ports above "have a long history of being compromised," Toxen said.
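The "if it's not in use, turn it off" rule is easiest to apply with an allowlist: list what is actually listening, and report everything that is not on the list, with the services the paragraph names called out by their conventional port numbers. This is an added example, not code from the page or from Toxen; the `ss` output it parses is constructed sample data, and the port-to-service table is the example's own (mountd is omitted because it takes a dynamic port from portmap and has to be located with `rpcinfo`).

```python
from typing import Dict, List, Optional, Set

# Services the text singles out as having "a long history of being compromised",
# keyed by their conventional port numbers (assumption: standard assignments).
HISTORICALLY_ABUSED: Dict[int, str] = {
    21: "ftp", 23: "telnet", 111: "portmap", 113: "auth (ident)",
    515: "lpd", 631: "cups", 2049: "nfs",
}

# Constructed sample of `ss -Hlntu` output (header suppressed), standing in for a real host.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:111       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      64             [::]:2049          [::]:*
tcp   LISTEN 0      128          0.0.0.0:21        0.0.0.0:*
"""


def parse_ss_line(line: str) -> Optional[Dict[str, object]]:
    """Pull protocol, local address and port out of one `ss -lntu` line."""
    fields = line.split()
    if len(fields) < 5:
        return None
    netid, local = fields[0], fields[4]
    addr, _, port = local.rpartition(":")   # handles both 0.0.0.0:22 and [::]:22
    if not port.isdigit():
        return None
    return {"proto": netid, "addr": addr.strip("[]"), "port": int(port)}


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "::1"


def audit_listeners(ss_output: str, allowed_ports: Set[int]) -> List[Dict[str, object]]:
    """Return every listening socket whose port is not on the allowlist.

    Each finding records the service name when the port is one the text names,
    and whether the socket is reachable from the network or bound to loopback only.
    """
    findings = []
    for line in ss_output.splitlines():
        sock = parse_ss_line(line)
        if sock is None or sock["port"] in allowed_ports:
            continue
        sock["service"] = HISTORICALLY_ABUSED.get(sock["port"], "unknown")
        sock["exposure"] = "loopback-only" if is_loopback(sock["addr"]) else "network"
        findings.append(sock)
    return findings


if __name__ == "__main__":
    # Only SSH is meant to be listening on this constructed host.
    for f in audit_listeners(SAMPLE_SS_OUTPUT, allowed_ports={22}):
        print(f"{f['proto']:<4} {f['addr']}:{f['port']:<5} {f['service']:<13} {f['exposure']}")
```

On a real host, feed the function the output of `ss -Hlntu` (run as root so process names are visible if you add `-p`). A loopback-only finding such as cups on 127.0.0.1 is a lower priority than a network-facing telnet or NFS listener, but under the text's rule both still go unless someone can say what uses them.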

Deadly sin No. 3: Running old software versions.

Admittedly, it's hard to keep up with all the patches coming out today, Toxen said. Even so, patching quickly is a security "must." That said, IT shops need to test patches before deploying them. Patches don't always work, contain bugs and can break a system, he said. Automatic patching is not a best practice.

Keep close tabs on your software vendors. "Update your version before the vendor stops supporting it," Toxen advised. "Dump vendors who do not issue timely patches." Good vendors issue patches in 24 hours. Microsoft is usually tardy, he said, issuing patches months after the fact. If you're waiting for a patch, your systems are at risk.

Deadly sin No. 4: Running insecure and badly configured programs.

Do use good programming practices, and run audits of common gateway interfaces (CGIs) regularly, Toxen said. Many programmers don't know secure programming techniques. The auditor should.

On Toxen's "don'ts" list: Don't use PHP, even though it's convenient. Don't run DNS, auth (ident) or Apache as root. But do use suEXEC, a tool first introduced in Apache 1.2, which increases security by allowing users to develop and run private CGI or SSI programs.

Finally, use rings of security -- like suEXEC -- to protect your system. "No wall of security is 100% secure," Toxen said. "There is no perfect security tool."

Deadly sin No. 5: Having insufficient resources and misplaced priorities.

This non-technical issue is the weakest link in many security systems, Toxen said. It's a tough job, but systems administrators must convince management that security must be a top budget and labor priority. To persuade managers, do a demonstration to show the security weaknesses of an existing system, he suggested. Then, show how to harden the system. Also, tell management about the corporate IT security failures cited in Toxen's book and others.

Deadly sin No. 6: Failing to delete stale and unnecessary accounts.

This is the opening for the classic security attack by the laid-off employee seeking revenge, Toxen said. He offered these preventative measures:

- Document everywhere each class of users has passwords or access cards. Include sys admins, vendors and consultants in this inventory.
- Don't give the same initial password to every user. Most never change it.
- Use a different password for each high-security account. You'd be surprised at how many companies use the same title, say a vendor's name, for all similar high-security accounts.
- Set up an "immediate notification system," in which your human resources department tells IT to disable access while a person is being dismissed by a superior.
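Two of the measures above can be checked mechanically: whether anyone on HR's departed list still has an enabled account, and whether accounts exist that were never used (a sign the initial password is still in place) or have gone idle. The following is an added example, not Toxen's or the page's own code; the passwd excerpt, last-login dates and HR list are all constructed, and the 90-day idle threshold and the set of "locked" shells are this example's assumptions.

```python
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed /etc/passwd excerpt: staff, a vendor and a consultant account
# (UID >= 1000), plus system accounts that the review skips.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice Staff:/home/alice:/bin/bash
bob:x:1002:1002:Bob Staff:/home/bob:/bin/bash
vendor1:x:1003:1003:Vendor support:/home/vendor1:/bin/bash
consult:x:1004:1004:Consultant:/home/consult:/bin/bash
carol:x:1005:1005:Carol Staff:/home/carol:/usr/sbin/nologin
"""

# Constructed last-login dates, as lastlog would report them; None = never logged in.
SAMPLE_LAST_LOGIN: Dict[str, Optional[date]] = {
    "root": date(2024, 5, 30),
    "alice": date(2024, 5, 28),
    "bob": date(2023, 11, 2),
    "vendor1": None,
    "consult": date(2024, 1, 15),
    "carol": date(2024, 5, 1),
}

# Constructed HR notification: people whose access must be disabled immediately.
SAMPLE_DEPARTED: Set[str] = {"bob", "consult"}

# Shells that mean the account is already disabled (assumption: usual choices).
LOCKED_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Return name, UID and shell for each passwd entry."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        accounts.append({"name": name, "uid": int(uid), "shell": shell})
    return accounts


def review_accounts(passwd_text: str, last_login: Dict[str, Optional[date]],
                    departed: Set[str], today: date,
                    max_idle_days: int = 90, min_uid: int = 1000) -> Dict[str, List[str]]:
    """Map each suspicious enabled account to the reasons it should be looked at."""
    findings: Dict[str, List[str]] = {}
    for acct in parse_passwd(passwd_text):
        if acct["uid"] < min_uid:            # system/service accounts: reviewed elsewhere
            continue
        if acct["shell"] in LOCKED_SHELLS:   # already disabled
            continue
        reasons = []
        if acct["name"] in departed:
            reasons.append("listed by HR as departed but still enabled")
        last = last_login.get(acct["name"])
        if last is None:
            reasons.append("never logged in (initial password probably unchanged)")
        elif (today - last).days > max_idle_days:
            reasons.append(f"idle for {(today - last).days} days")
        if reasons:
            findings[acct["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review_accounts(SAMPLE_PASSWD, SAMPLE_LAST_LOGIN,
                                         SAMPLE_DEPARTED, today=date(2024, 6, 1)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

In practice the last-login map is built from `lastlog` (or `/var/log/wtmp`) and the departed set from the HR feed the text calls for; the review is only as good as that feed, which is why the notification has to reach IT while the dismissal is happening rather than afterwards.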

Deadly sin No. 7: Procrastinating.

Most systems administrators who have suffered a break-in knew in advance that their system had a vulnerability. They just put off fixing it, until it was too late.