’Tis the season to be… fearful? Nah, that can’t be right. That is, unless you listen to all the pronouncements of doom and gloom from the countless security trend reports that come out this time of year.
Security vendors love to remind the naïve masses of their insecurity, which is not necessarily a bad thing, since more people shop online this time of year. The bad part is that those pronouncements of insecurity, in my opinion, often exist largely to help drive the vendors’ own businesses. Yet there are still some very real security risks out there that IT users need to be aware of.
What to do, what to do?
Well good reader, you’ve come to the right place. I’m going to break down my own stocking stuffer list of the top 10 security risks that face IT today and likely into 2008 as well.
(1) Windows 98
You may not be running it but your child’s school and neighbor might be.
There are no hard numbers on how many Windows 98 PCs are still running, but there is no question that they are out there. Microsoft ended support for Windows 98 in July 2006, so it no longer receives security patches, and any flaw found in it now stays open for good. Often when I encounter a location that still has Windows 98 running, it’s on an old PC that still works for e-mail and basic word processing.
The owner of the old PC will say something like: it works, so why should I fix it? To complicate matters even more, an old PC often cannot be upgraded easily (if at all) to Windows XP SP2, let alone Vista.
There is always Linux, though; a lightweight distribution will run on just about any old piece of hardware you can find. Users can then be set up with the distribution’s package manager so they receive security patches automatically. Bottom line: if you’re aware of Windows 98 PCs, get them shelved or changed to something that is still being patched.
(2) Desktop Firewalls
Microsoft Windows XP SP2 has a built-in firewall, but it only filters inbound connections and does nothing about traffic leaving the PC, which is inadequate against modern threats: malware that is already on the machine can phone home unchallenged. Many anti-virus (AV) vendors (including Microsoft’s own Windows Live OneCare) replace the default Windows firewall with a two-way firewall of their own.
It’s still not enough.
One of the first things many pieces of malware attempt to do once they are running is disable the AV and the software firewall on the Windows PC; a defence that lives on the box it protects can be switched off by whatever has taken over that box. Additionally, if the PC is the target of a Denial of Service attack, a firewall on the PC itself is of little help: the flood has already reached the machine, and every packet the firewall inspects and drops costs the PC’s own CPU cycles, so the attacker essentially turns your own firewall against you.
The answer is to supplement the desktop firewall with a true enterprise-grade firewall at the network gateway, where hostile traffic can be dropped before it reaches any PC. A stateful packet inspection (SPI) firewall that can also do basic intrusion prevention should be mandatory for everyone. Otherwise firewall security is, in my opinion, woefully incomplete.
(3) Firewall/Security Software Subscriptions
A related issue is security software that is out of date because the user hasn’t renewed a subscription. Most hardware firewall vendors update their signatures and software regularly, yet in my experience I’ve seen many users who simply bought the gateway, plugged it into the network and never bothered to renew the subscription after the first year.
The problem is that in many cases the firewall and other security software will continue to run, silently, even though its signatures may be a year or more out of date.
Firewalls and security software without a current subscription are almost worse than not having them at all, since they give users a false sense of security: the box still blinks, but it no longer recognises anything discovered after the subscription lapsed.
(4) No Auto-Update
Directly related to item #3 are users who don’t have auto-update enabled for their software. Nearly all software is buggy and nearly all vendors patch their software. So long as your subscription is valid you need to have auto-update enabled; otherwise you’re missing the point.
Once a vendor has released a patch, the details of the vulnerability it fixes typically become public, whether through the vendor’s own advisory or through attackers reverse-engineering the fix. Every user who hasn’t yet applied the patch then becomes a target for a flaw that is now common knowledge.
(5) Empty Your Cookie Cache — Beware the “cookie monster”
Your browser’s cache is a veritable treasure trove of personal information: it saves copies of recently viewed pages for faster retrieval, alongside the cookies that keep you logged in to sites. Some things should not be kept around, though; pages that displayed your credit card number are one such example.
There are myriad attack vectors that could compromise your cache, from malware on the PC to the next person who sits down at a shared computer, and let your cookies fall into the hands of a real cookie monster (not the cuddly Sesame Street kind).
The best course of action is to empty your cache, and log out, immediately after completing a transaction in which you entered personal information. If the information is not there, it can’t be stolen from your machine.
(6) XSS and CSRF
Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) are the real bogeymen of modern IT. The reason is that there is precious little an end user can do about them, or so some security vendors would have you believe.
XSS and CSRF attacks occur on the application side, not on the user’s desktop: the flaw is in the web site, not in anything you installed. In both cases the site ends up acting on a request that appears to come from you. XSS injects an attacker’s script into a page you trust, where it runs with that page’s access to your session; CSRF tricks your browser into sending a request that the site honours because the browser automatically attaches your login cookie to it.
So how can a user protect themselves against something that isn’t at their end?
Well, go back to item #5 on this list and empty your cache; again, if the info isn’t there, it can’t be stolen. More importantly, log out of sites when you’re done with them, and don’t leave a logged-in session open in one tab while you browse elsewhere in another. A CSRF attack in one tab works precisely because your browser still holds your login cookie for the site in the other tab; no cookie, no forged request. Lastly, while XSS and CSRF flaws can exist on any site, it isn’t every site that will try to use them to steal information from you. Just be smart and don’t go clicking on suspicious links looking for free copies of paid software.
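To make the CSRF mechanism concrete, here is an added example (not code from the original article) of a toy money-transfer endpoint in Python. The bank site, its session store, the server secret and both requests are constructed for illustration. With protection off, the handler trusts the session cookie alone and accepts a request auto-submitted by a page on another site, because the browser attaches the bank’s cookie regardless of which tab or site triggered the request; with protection on, it rejects that request by checking the Origin/Referer header and a synchronizer token that only a page the bank itself served could know.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed demo of a money-transfer endpoint; the site, session store,
# secret and requests are all made up for illustration.
SITE_ORIGIN = "https://bank.example"
SERVER_SECRET = b"demo-secret-keep-this-out-of-the-browser"
SESSIONS = {"sess-victim": {"user": "alice"}}


def csrf_token(session_id):
    """Synchronizer token derived from the session: only a page the site
    itself served (which embeds the token) can supply the right value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def parse_cookies(header):
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def same_origin(request):
    """Accept only requests whose Origin (or, for older browsers that do not
    send one, Referer) is the site itself. A missing header counts as cross-site."""
    source = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    return source == SITE_ORIGIN or source.startswith(SITE_ORIGIN + "/")


def handle_transfer(request, protect=True):
    """Return (status, message). With protect=False the handler trusts the
    session cookie alone, which is exactly the CSRF-vulnerable pattern."""
    cookies = parse_cookies(request["headers"].get("Cookie", ""))
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401, "not logged in"
    form = {k: v[0] for k, v in parse_qs(request["body"]).items()}
    if protect:
        if not same_origin(request):
            return 403, "cross-site request rejected"
        if not hmac.compare_digest(form.get("csrf", ""), csrf_token(cookies["sid"])):
            return 403, "missing or wrong CSRF token"
    return 200, "%s sent %s to %s" % (session["user"], form.get("amount"), form.get("to"))


# The victim's browser attaches the bank's cookie to BOTH requests below: it does
# not care which tab, or which site's page, caused the request to be sent.
LEGIT_REQUEST = {
    "headers": {"Cookie": "sid=sess-victim", "Origin": SITE_ORIGIN},
    "body": "to=bob&amount=100&csrf=" + csrf_token("sess-victim"),
}
FORGED_REQUEST = {  # auto-submitted by a hidden form on a page at https://evil.example
    "headers": {"Cookie": "sid=sess-victim", "Origin": "https://evil.example"},
    "body": "to=mallory&amount=1000",
}

if __name__ == "__main__":
    print("vulnerable handler, forged request:", handle_transfer(FORGED_REQUEST, protect=False))
    print("protected handler, forged request: ", handle_transfer(FORGED_REQUEST))
    print("protected handler, legit request:  ", handle_transfer(LEGIT_REQUEST))
```

The origin check and the token are deliberately separate layers: the token alone is enough to stop the forged request, but the origin check is cheap and also catches a request that arrives with no token because the attacker’s page simply omitted it. Note that neither defence is something the user can install; both live in the application, which is the author’s point about where these flaws sit.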
(7) Botnets
Botnets are another very legitimate and serious scourge. By way of some form of malware, an attacker turns an army of PCs into zombies that can then be used to attack other computers.
The answer to dealing with botnets is also very simple: see items 1, 2, 3 and 4 to protect yourself from becoming one of the living dead. Defending yourself against an attack from a botnet is more difficult. Typically a botnet will attack a specific IP or IP range, so if you are at risk or want to be super careful, it’s never a bad idea to have multiple connections to the Internet from two different ISPs with two different IP ranges, so that a flood aimed at one range doesn’t take you off the air entirely.
(8) Logging into sites/email without SSL
If you enter your password for e-mail or for site access without SSL, it crosses the network in plain text, and anyone on the path (someone on the same Wi-Fi hotspot, a compromised router, your ISP) can sniff it and steal your login identity. It’s really that straightforward.
No one should provide a password online without SSL (HTTPS).
Though this may seem like common sense, it happens far too often. So stay alert and make sure the key to your security (that’s the padlock icon and the https:// in the address bar) is in place before you give up your information.
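To show just how little effort the sniffing described above takes, here is an added example (not from the original article) in Python: a parser that pulls the username and password straight out of a captured plaintext HTTP request, whether the credentials travel in an HTTP Basic Authorization header or in an ordinary login form post. The two captures, the host name and the credentials are constructed for the example; a real sniffer would get the same bytes off the wire.

```python
import base64
from urllib.parse import parse_qs

# Constructed captures: what a sniffer on the path sees for two common ways
# of logging in over plain HTTP. Host names and credentials are made up.
CAPTURED_FORM_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"username=alice&password=Winter2007"
)
CAPTURED_BASIC_AUTH = (
    b"GET /inbox HTTP/1.1\r\n"
    + b"Host: mail.example.com\r\n"
    + b"Authorization: Basic " + base64.b64encode(b"bob:hunter2") + b"\r\n"
    + b"\r\n"
)

# Common form field names; a real tool would carry a longer list.
USER_FIELDS = ("username", "user", "login", "email")
PASSWORD_FIELDS = ("password", "pass", "passwd", "pwd")


def parse_http_request(raw):
    """Split raw request bytes into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("latin-1")


def extract_credentials(raw):
    """Recover a username/password pair from a plaintext HTTP request.
    Basic auth is just base64, not encryption, so it decodes directly; a form
    post carries the password as a URL-encoded field. Returns None when the
    request holds neither. No cracking is involved at any point."""
    method, path, headers, body = parse_http_request(raw)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        return {"host": headers.get("host"), "path": path, "user": user,
                "password": password, "via": "basic-auth"}
    if method == "POST" and "x-www-form-urlencoded" in headers.get("content-type", ""):
        form = {k.lower(): v[0] for k, v in parse_qs(body).items()}
        user = next((form[f] for f in USER_FIELDS if f in form), None)
        password = next((form[f] for f in PASSWORD_FIELDS if f in form), None)
        if password is not None:
            return {"host": headers.get("host"), "path": path, "user": user,
                    "password": password, "via": "form-post"}
    return None


if __name__ == "__main__":
    for capture in (CAPTURED_FORM_LOGIN, CAPTURED_BASIC_AUTH):
        print(extract_credentials(capture))
```

Over HTTPS the same request is wrapped in TLS records, and a sniffer sees only ciphertext, so this parser recovers nothing. One caveat worth checking for: what matters is that the form submits to an https:// address, not only that the page showing the form was loaded securely, so look at where the login actually goes, not just at the page you are reading.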
(9) Enterprises without NAC
While many IT vendors have hyped NAC (network access control) over the past year, it’s important to remember why NAC matters. NAC checks that a device connecting to the enterprise network is not a security risk, typically by verifying that it is patched, running current anti-virus and otherwise meets policy, before it is allowed onto the network.
If your enterprise isn’t using NAC, then how can you be sure that your endpoints are not insecure or even hostile? In a small organization it might be possible to check on a machine-by-machine basis, but in a larger organization?
Forget about it.
NAC should be part of every enterprise IT infrastructure, period.
(10) Humans that don’t read InternetNews.com
Well, it doesn’t necessarily have to be InternetNews.com (though I’d prefer that), but when you don’t read up on security and IT trends, then how would you know what to do? Simple AV software won’t tell you, and your PC vendor won’t tell you everything either.
By staying current and aware, you’re taking a step in the right direction. This is the information age after all and information can make you more secure.
Sean Michael Kerner is a senior editor for InternetNews.com.