Anxious IT managers are often uncertain that their servers are up-to-date with security and safe from successful network-based attacks. They could worry a lot less by doing what a software team does to ensure that what they have coded works properly - by testing it.
Specialist companies and government departments have expertise in performing network security audits, generally called penetration tests.
With time and experience in conducting such tests, in which the tester carries out the same actions as a hacker would (and then produces a report), a profile of the typical organisation can be formed.
Findings on network security failings are surprising as it is often the basics of security that are overlooked. Here are some of the principles and specifics that crop up a lot, based on where organisations commonly fail (in no particular order):
Harden machines
Although security hardening problems are less widespread than they once were due to changes made by operating system providers, it is important that computers only run the programs that they need to. Irrelevant services left available on a machine will be tested for security vulnerabilities by hackers.
Web servers can support common gateway interface (CGI) programs to provide interactivity in web pages such as data collection and verification.
Many web servers come with 'sample' CGI programs installed by default. Sadly many CGI programmers fail to consider ways in which their programs may be misused to execute malicious commands.
These vulnerable CGI programs present a particularly attractive target as they are relatively easy to find, and they operate with the privileges and power of the web server software itself. Exploitation of CGI programs can lead to credit card information theft, web page defacement and much more.
Removal of sample programs is therefore another way to help to security harden a machine.
Maintain firewalls properly
Hardware and software firewalls create a protective barrier between networks (such as a company internal network and the internet).
They prevent access by unauthorised users. Poorly configured firewalls are common among small businesses and this often leads to security breaches.
Merely possessing a firewall does not mean that it is properly installed, configured and up-to-date but when used properly these bastions can be extremely effective control points for network traffic.
Use access authentication controls
Access authentication software checks the identity of users who attempt to enter the computer network.
The goal is that access is granted only to parts of the network or server that have been nominated, thus ensuring that users only have access to the files and data to which they are permitted.
When improperly configured, some services that allow file sharing over networks may also expose system files or in some circumstances give full file system access to anyone connected to the network.
Many system administrators use such services to make their file systems readable and writeable in an effort to improve the convenience of data access.
Establish strong network passwords
Users will be prompted to input confidential network passwords when they attempt to access network resources. In an ideal world employees should create passwords that are not easily guessed.
Requiring employees to change their passwords frequently is also important. Some systems come with 'demo' or 'guest' accounts with no passwords (yes, it's very common) or with widely-known default passwords.
Use encryption
Network encryption prevents those who do not hold an encryption key from accessing data stored on a network. All data sent between two or more parties on the network is encoded, meaning that only the intended parties have access to such data.
Often internal penetration testing assignments reveal clear text communications that can be eavesdropped and unencrypted sensitive data which is easily viewable. Where it is required encryption can be a valuable tool for enhancing security.
Patch machines
Making sure operating systems and applications are patched with the latest service packs and hotfixes is such an important undertaking.
It is stating the obvious but it should not be forgotten that keeping systems patched will close vulnerabilities that can be exploited by hackers.
Systems administrators are often busy with user requests and it can be easy for them to become complacent about the mundane task of keeping operating system, software and anti-virus up-to-date.
Conclusion
An interesting question is: Who monitors the systems administrators to ensure that they are keeping the organisation safe?
Usually the answer is 'nobody', showing the importance of impartial, third party penetration testing, which often shows that some basic principles have been overlooked.
Many of today's system administrators are able to perform such testing on their own networks (in addition to the independent tests) after receiving appropriate training in this area.
Alan Phillips MBCS is a registered BCS security practitioner and contributing author of IT security training courses at 7Safe, an independent information security services consultancy delivering an innovative portfolio of services including penetration testing, BS7799 consulting, forensic investigation and information security training.
