Top Ten Corporate IS Gotchas
1. PATCHES
Install Security Patches to Correct Software Vulnerabilities
2. DRIVES
Set up Mirroring or RAID 5 to Protect Your Data
3. VIRUSES
Install a Managed Virus Protection Solution to Prevent an Epidemic
4. BACKUPS
Make sure your Backup and Disaster Recovery Solutions Do Their Job
5. SPAM
Close your Open Relays to Prevent Spammers from Abusing Them
6. FIREWALL
Implement a Firewall to Tighten Your Security
7. POLICIES
Make sure your Security Policies keep Intruders Out
8. NETWORK
Make sure your Network Design Won't Give You Problems
9. CABLING
Make sure your cabling and physical plant are up to your demands
10. DOCUMENTATION
Make sure all critical information is documented, especially software licensing information
1. Security Patches

The Threat of Security Holes
The "Code Red" worm of 2001 was the first of a wave of widespread worms that brought home an unpleasant fact some experienced system administrators had already discovered: many off-the-shelf networking products ship with security holes. These holes range in severity. Exploiting some of them requires a complex series of circumstances, or requires the attacker to already have some degree of access to your network. Others require nothing more than the ability to reach a server over the World-Wide Web or through another normally innocuous channel.

Code Red exploited a buffer overflow in Microsoft Internet Information Services (IIS) that was not fixed even by the latest Service Pack for Windows NT 4.0. A separate patch, Microsoft Security Bulletin MS01-033, had to be downloaded and installed to correct the problem, and it had been available for about a month before the worm appeared. The vulnerability let anyone who could send an HTTP request to the server take it over with full administrative rights: the exploited code ran inside the IIS process, which runs as the LocalSystem account. An attacker could install software, including software that gave them remote control of the machine. They could, in fact, do anything to your server that you could do.

Code Red itself was relatively harmless: it defaced web pages and used infected hosts to flood a target with traffic. The worms that came after it were not so gentle. Code Red II left a back door on every server it infected, and others damaged the server, destroyed data, rendered the system unbootable, or opened other back doors through which people could enter the system and use it for their own ends. But Code Red made one essential point very clear: computer systems are not as secure as everyone thought.

Security Holes in Windows and Linux
The worst part is that the vulnerability Code Red exploited was far from an isolated incident. Security holes are a recurring problem in software, and just about every commercial operating system has shipped with at least one major vulnerability that, left unpatched, allows the system to be totally compromised. Windows NT 4.0 (even with Service Pack 6a) and Windows 2000 (even with Service Pack 3) both have severe vulnerabilities for which the fix is a separate patch, not the service pack. So does Internet Explorer 6.0 with Service Pack 1. Each has at least one vulnerability that lets the system be commandeered from the Internet without a password.

If you use Linux, don't dismiss this warning just yet. Every release of Red Hat Linux has shipped with at least one serious security hole in a package installed out of the box, which is why the errata list for each release is long. Linux is, if anything, a more attractive target once compromised, because a shell on a Unix machine gives an attacker quiet, complete control over the network with no need to install remote-control software. So-called 'script kiddies' download ready-made scripts from the Internet that exploit known holes in particular versions of a service and hand them root access.

Hackers and Script Kiddies
In the early days of computing, hacking was not commonplace. You could rely on not being found or noticed, on 'security through obscurity'. Only big corporations were attacked because they were high-profile targets, so only big companies needed to worry about security. This is, sadly, no longer true. Attackers now break into servers to run covert web servers, to store 'warez' (pirated software) for others to download, or simply to use your bandwidth to attack others. Teenagers armed with scripts that exploit known vulnerabilities compete with each other to build 'armies' of compromised servers with which to blast each other off the 'net with garbage data. Your server should not be the plaything of a bored teenager with too much free time and too little adult supervision.

The purpose of this isn't to frighten people away from using computers, but to impress upon everyone the importance of keeping security patches up to date. Patching is not a one-time job. Whenever you install a new product, or add a core component to an existing system (which can silently replace patched files with the older versions from the installation media), you need to re-apply the security patches, just as you would re-apply a service pack. Any software that acts as a server on your network and is exposed to the Internet must be patched. If it isn't, it is simply a matter of time until it is successfully attacked.

Protecting Yourself
For Windows workstations and the core Windows components, the 'Windows Update' feature can download and install patches for many known security issues easily and painlessly. Note what it does not cover: auxiliary products such as Exchange Server and Microsoft SQL Server are not patched by Windows Update and must be patched separately. If you have a fast Internet connection, consider enabling the Automatic Updates feature on workstations and servers; it retrieves patches as soon as they are released, giving you the best possible level of protection. On production servers, prefer the setting that downloads and notifies rather than installs automatically, so that you can test each patch on a non-production machine and schedule the reboot it requires, instead of discovering a broken patch during business hours.

For products other than the core operating system, contact the software vendor or visit the vendor's web site to determine whether updates or patches are available for security problems, and keep a list of every product you run so that nothing is forgotten. Apply the security patches while a new system is being built, before it is connected to a network that can reach the Internet. That way it goes out onto the floor free of known vulnerabilities instead of being attacked while you are still installing it.
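One way to carry out the check the two paragraphs above call for (after a build, and again after adding components or products), as an added example that is not code from the original page or from Enter-Networks.Net: a small Python audit that compares an installed-package inventory against the fixed versions listed in a vendor's errata. It is written for Red Hat Linux's rpm because that is the packaging the page's Linux advice refers to, and it implements rpm's own version-ordering rule so that 2.4.18 correctly ranks above 2.4.9. The inventory, the package versions and the "fixed in" table are constructed sample data, not real advisories; the function names and the table layout are this example's own choices.

```python
"""Patch-level audit: flag installed packages that are older than the
version a security erratum says is fixed.

Added example, not code from the original page or from Enter-Networks.Net.
The inventory and the errata table below are constructed sample data; the
version numbers are made up for the example and are not real advisories.
"""
import re

# rpm's version-comparison rule (rpmvercmp, without the later tilde/caret
# extensions): split each string into runs of digits and runs of letters and
# compare run by run. Digit runs compare numerically, letter runs as strings,
# a digit run is newer than a letter run, and when all paired runs match the
# string with runs left over is newer.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 as version string a is older than, equal to, or
    newer than b."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            return (int(x) > int(y)) - (int(x) < int(y))
        if x_num != y_num:
            return 1 if x_num else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_evr(s):
    """'epoch:version-release' -> (epoch, version, release). A missing
    epoch and rpm's '(none)' both mean epoch 0."""
    epoch, sep, rest = s.partition(":")
    if not sep:
        epoch, rest = "0", s
    if epoch == "(none)":
        epoch = "0"
    version, _, release = rest.rpartition("-")
    if not version:
        version, release = rest, "0"
    return (epoch, version, release)


def evrcmp(a, b):
    """Compare two (epoch, version, release) tuples. Epoch dominates, which
    is one reason a plain string compare of version numbers is not enough."""
    for x, y in zip(a, b):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def parse_inventory(text):
    r"""Parse lines of the form produced by
    rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'."""
    pkgs = []
    for line in text.splitlines():
        if line.strip():
            name, evr = line.split()
            pkgs.append((name, split_evr(evr)))
    return pkgs


def audit(inventory_text, required):
    """Return [(name, installed_evr, required_evr)] for every installed
    package older than the fixed version. Packages in the errata table
    that are not installed are not applicable and are skipped."""
    findings = []
    for name, installed in parse_inventory(inventory_text):
        fixed = required.get(name)
        if fixed is not None and evrcmp(installed, split_evr(fixed)) < 0:
            findings.append((name, installed, split_evr(fixed)))
    return findings


# Constructed sample inventory in the format the rpm query above prints
# (version numbers are made up for the example).
INVENTORY = """\
openssh-server (none):3.1p1-6
apache (none):1.3.27-2
glibc (none):2.2.5-42
kernel (none):2.4.18-19.7.x
kernel (none):2.4.18-27.7.x
sendmail 8:8.11.6-15
"""

# Constructed "fixed in" table, the kind of list you would build by hand
# from the vendor's errata page for your release. NOT real advisories.
REQUIRED = {
    "openssh-server": "0:3.1p1-8",
    "apache": "0:1.3.27-2",
    "glibc": "0:2.2.5-43",
    "kernel": "0:2.4.18-27.7.x",
    "sendmail": "8:8.12.8-4",
    "wu-ftpd": "0:2.6.2-8",
}


def fmt(evr):
    return "%s:%s-%s" % evr


if __name__ == "__main__":
    for name, have, need in audit(INVENTORY, REQUIRED):
        print("MISSING PATCH %-16s installed %-20s fixed in %s"
              % (name, fmt(have), fmt(need)))
```

On a real machine, replace INVENTORY with the output of the rpm query named in parse_inventory and fill REQUIRED from the errata page for your release. Several kernel packages can be installed side by side, so for the kernel compare the fixed version against what uname -r reports as running rather than flagging every older entry; and because the table is built by hand, a package that is installed but absent from REQUIRED is not "clean", only unchecked.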

Security is serious business. Hollywood has painted a picture of a 'cyberworld' in which it is impossible to keep hackers out of systems, and where 'cybercriminals' steal data worth millions; that, of course, is fantasy. Most attackers are pranksters or kids looking to exploit *any* server they can reach. Theft of sensitive information is always something to keep in mind, but these kids can seriously disrupt your operations even if there is nothing on your systems 'worth' stealing.

Additional Resources
Microsoft Security http://www.microsoft.com/security

Click on the TechNet Security link to view security bulletins for specific products.

Red Hat Linux Errata http://www.redhat.com/apps/support/errata

Lists the security vulnerabilities in currently supported Red Hat Linux releases and the updated packages that fix them.

Psychology of a Hacker http://www.enter-networks.net/hackerpsych.html

Forget Hollywood. What are hackers really like?

This page Copyright ©2003 by Enter-Networks.Net. All Rights Reserved. All trademarks referenced herein are trademarks of their respective vendors. Prices and features listed subject to change without notice. All prices are in US Dollars.