Rule of the Weakest Link


Everyone knows the concept of the weakest link, and that any chain is only as strong as that stick of chewing gum binding its middle links. This old cliché has never been so true as when it is applied to technical security practices. Hackers are not going to bother running a complex, time-intensive, brute-force attack against our new, cool, triple-hashed password file if they can simply walk into the assistant's office and find the password written on a desk. Most organizations have a heavy mix of strong and weak security measures, and that mix is often the fatal mistake that grants an eager attacker access to systems and data. The Rule of the Weakest Link is: A security practice is only as strong as its weakest control!

Concept

Contemplating the weakest link requires some consideration of the security practice as a whole. We must be able to contemplate an organization not in its individual pieces, but as one large entity with a related series of defenses, and make decisions from this perspective. If, for instance, we spend 90% of our time, attention, and budget putting a firewall in place and then allocate no time or resources to the security of a new dial-up server, the firewall is worth nothing. If we spend $50,000 on a front door, $20,000 on a back door, and $500 on a side door, the entire enterprise security will be worth $500, even though we are still left with a $70,500 bill!

The tendency in many organizations is to place a lot of attention on the most common security controls, while the not so obvious controls receive little or no attention at all. Frequently, so much attention is focused on an organization's Internet connection that the staff becomes oblivious to the numerous security holes in its internal environment. Here, the firewall becomes the $50,000 front door, while the other entrances are protected by the $500 special.

Practicing This Rule

To apply the Rule of the Weakest Link, one must think and act with a global mindset. Each security decision must reflect the strength of the other security choices already made. We must be continually aware of the environment and always be able to identify the weakest links within the infrastructure. Any "weak links" in the security chain must be given some amount of attention, even if it is simply to say, "We acknowledge this weakness and are going to do nothing about it." Good practices to follow for this rule include:

  • Continually search for the "weakest link". Perform regular audits and risk assessments of your entire environment (as discussed later in Chapter 8). Be sure to keep abreast of new projects, initiatives, and changes within the environment. Remember, the weakest link is a moving target and can hide quite well inside of even the most successful projects.

  • Document where security weaknesses exist. Wherever the weakest links are in the environment, it is important to acknowledge them. They should be discussed and documented with appropriate staff members. Even if there is nothing that can be done about them, simply knowing where they are is invaluable to the security of the organization. Hiding the weakest links from the organization is always a very bad idea.

  • Avoid introducing new weak links. Have strong policies governing changes within the environment, especially where new methods of access, new applications, and new methods of data storage and management are concerned. Try to minimize the number of weaknesses introduced into the environment. Follow the Rule of Change discussed earlier.

Remove the Most Common "Weakest Links"

The following is a list of the most common weak links that I have seen expose organizations to attack. Another good vulnerabilities list was compiled by the FBI and can be found at: www.sans.org/top20.htm

  • Default installations. This includes servers, devices, and applications left at their default settings, with no hardening applied and no unnecessary default services turned off. A high percentage of products come with features enabled by default, which will introduce vulnerabilities in the environment.

  • Bad passwords by end-users and administrators. The security of an object with 100 great passwords and 2 lousy passwords is only as good as the 2 bad passwords. It is very common to find bad passwords protecting otherwise secure objects.

  • Active modems attached to desktops, servers, and routers. Modems are not always recognized for the incredible security hazard they are. Modems often come pre-installed in computers and are used by users wishing to bypass corporate Internet restrictions or dial in from home, or by users who simply do not know any better and do not follow company policies. Modems are commonly exploited to attack an otherwise secure organization.

  • Neglect of logging and monitoring. When objects go unmonitored, it is nearly impossible to know whether they have been compromised. I have seen many situations where the firewall and IDS report suspicious activities, but no one is assigned to monitor the logs. Such organizations are unable to react to attacks and prevent future attacks.

  • Unsecured backup/redundancy connections. Redundant Internet connections, backup dial-in access, and other emergency wide area network (WAN) links often have far less security applied than main connections, thus exposing an organization to attacks.

  • Temporary servers, workstations, and other devices. Such objects are usually not secured and are left online for far longer than originally expected, thus leaving their vulnerabilities exposed.

  • Neglected backups and untested backups. Most organizations never seem to test their backups. Unfortunately, backup media can be really tricky to restore and are prone to error. This exposes many organizations to the threat of data loss. It is bad enough to have a server failure and suffer through downtime. Imagine, however, how it would be to discover that a backup device was configured improperly and critical data cannot be restored!

  • Unauthorized applications. End-users and administrators tend to install new applications on their systems without concern for security. Complicated applications often leave a system vulnerable to attack. Some applications even contain back doors or are infected with a virus.

  • Outdated antivirus software. Most organizations install antivirus software on the majority of their systems. The main problem seems to be keeping all the systems current. I often see viruses and worms break out in organizations that have small pockets of systems with no updated antivirus software.
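As an added illustration (not from the book), the following Python audit applies the rule to a constructed inventory: it reports the lowest-rated entry point as the effective strength of the whole environment, and flags the conditions from the list above (default installations, unmonitored logs, temporary devices past their removal date, stale antivirus signatures, untested backups) on each item. The item names, ratings, dates and thresholds are made up for the example.

```python
from datetime import date, timedelta

# Constructed sample inventory (not from the book): one entry per way into the
# environment, rated 1-10 for control strength, with attributes that map to the
# weak-link categories listed above. A missing key means "not applicable".
TODAY = date(2024, 6, 1)
INVENTORY = [
    {"name": "internet-firewall", "rating": 9, "logs_monitored": True},
    {"name": "dialup-server", "rating": 3, "default_config": True, "logs_monitored": False},
    {"name": "backup-wan-link", "rating": 4, "logs_monitored": False},
    {"name": "temp-web-server", "rating": 5, "temporary_until": date(2024, 3, 1)},
    {"name": "lab-workstations", "rating": 6, "av_updated": date(2024, 1, 15)},
    {"name": "file-server", "rating": 8, "backup_last_tested": None},
]

def effective_strength(inventory):
    """Rule of the Weakest Link: the environment is as strong as its lowest-rated entry."""
    floor = min(item["rating"] for item in inventory)
    return floor, sorted(item["name"] for item in inventory if item["rating"] == floor)

def weak_link_issues(item, today=TODAY, av_max_age=timedelta(days=7),
                     backup_test_max_age=timedelta(days=90)):
    """Return the listed weak-link conditions that apply to one inventory item."""
    issues = []
    if item.get("default_config"):
        issues.append("default installation never hardened")
    if item.get("logs_monitored") is False:
        issues.append("logging/monitoring neglected")
    until = item.get("temporary_until")
    if until is not None and until < today:
        issues.append("temporary device past its planned removal date")
    if "av_updated" in item and today - item["av_updated"] > av_max_age:
        issues.append("antivirus signatures outdated")
    if "backup_last_tested" in item:
        tested = item["backup_last_tested"]
        if tested is None or today - tested > backup_test_max_age:
            issues.append("backups untested")
    return issues

def audit(inventory, today=TODAY):
    """Map each item name to its issues, omitting items with none."""
    report = {}
    for item in inventory:
        issues = weak_link_issues(item, today)
        if issues:
            report[item["name"]] = issues
    return report

if __name__ == "__main__":
    floor, names = effective_strength(INVENTORY)
    print(f"effective strength {floor}/10, set by: {', '.join(names)}")
    for name, issues in audit(INVENTORY).items():
        print(f"{name}: {'; '.join(issues)}")
```

The point of the output is that the $50,000 firewall contributes nothing to the headline number; the dial-up server does.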



Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day
