Experts: Easy Installations Kill

posted onOctober 3, 2001
by hitbsecnews

The biggest computer security threat isn't a vicious virus or a skilled and malicious hacker.

The real danger, according to dozens of experts, is easy-to-install software and software vendors who focus too heavily on adding convenient features instead of solid security solutions into their applications.

The default software installations performed by most operating systems and applications top the SANS (System Administration, Networking, and Security) Institute and the FBI-led National Infrastructure Protection Center's new Top 20 security threats list.

The Top 20 list does not focus on the specific viruses or worms that may be active at any given time, but instead concentrates on the root problems: the system and software holes that all viral and hack attacks exploit.

Most of the significant holes detailed on the list were created by those default software installations, according to the list's documentation.

Default installations allow a software vendor's pick of an application's most useful components or services to be installed on a computer. It's a no-brain, hassle-free way to install software, but many security experts contend that default installations too often enable features that users do not need or use but may not know are active on their computers.

"Software vendors' philosophy is that it is better to enable functions that are not needed than to make the user install additional functions when they are needed," according to documentation of the top threats provided by SANS. "This approach, although convenient for the user, creates many of the most dangerous security vulnerabilities because users do not actively maintain and patch software components they don't use. Those unpatched services provide clear and easy paths for attackers to take over computers.

"Software vendors simply have got to start opting for security over convenience," said Jack Dahany, vice-president of the Server Security Division at Watchguard Technologies. "If users don't know what applications or services are running on their machines, then how will they know to apply patches to fix critical issues?"

SANS is a cooperative research and education organization through which more than 96,000 system administrators, security professionals and network administrators share information about security.

System administrators have reported to SANS and other security organizations that holes often go unpatched because the constant barrage of patches and security alerts are overwhelming. So the Top 20 list prioritizes the threats and also offers comprehensive advice on detecting and fixing these dangerous vulnerabilities from dozens of leading security experts.

The Top 20 Threat list is directed at network administrators rather than individual computer users, although the list can certainly be useful for any technically knowledgeable person.

For those who want less complex security advice, the National Infrastructure Protection Center (NIPC) has posted a companion list of seven simple security tips. This details basic solutions for many of the issues in the Top 20 list, but ignores the Top 20 list's primary issue of the problems inherent in default software installation.

Security consultant Nicholas Versan suggests that all users should always opt for "custom" installation option when installing any software, and then choose carefully from the list of software and services to be installed.

"Default installations aren't a huge issue for Mac users, or even Windows 95, 98, and Windows ME users," Versan said. "But those who are running Windows 2000 or XP professional should certainly educate themselves about what applications are being installed and activated on their machines. I assume Linux users are already pretty competent, but obviously default installations on Linux servers are an issue, too."

Versan suggested that those who have purchased computers with pre-installed Windows 2000 or NT operating systems and applications should scan their machines with Microsoft's free, web-based MPSA security tool and apply the suggested fixes and patches.

Ineffectual, easy-to-guess or default passwords are listed as the second biggest general security threat.

The third biggest threat for all systems was a bit of a surprise to some -- not backing up data or backing it up improperly.

"Certainly backups are critical, but I don't know if I'd say they are a security threat," systems administrator Frank Kelley said. "I suppose the argument can be made that it's a true threat, because without backups your systems and data are certainly crippled. But to me, backups are more of a good practice procedure than a threat."

Despite the fact that there are patches available for all of the threats listed on the list, SANS did not chide systems administers for not applying patches.
Many systems administrators say that recent budget and staffing cutbacks make it impossible for them to keep up with proper security procedures, so patches aren't being applied to software as conscientiously as they should be.

Security becomes a priority for some companies only when it adversely affects business as usual, security experts agree.

"When the total expense for security goes up, the interest from managers goes down," Dahany said.

Wired.

Source

Tags

Networking

You May Also Like

Other Articles In This Section

Recent News

Tuesday, July 9th

China's APT40 gang is ready to attack vulns within hours or days of public release
AI-Powered Super Soldiers Are More Than Just a Pipe Dream
The president ordered a board to probe a massive Russian cyberattack. It never did.
Massive car dealer ransom attack is mostly over after 2 weeks of work-arounds

Wednesday, July 3rd

“RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux
Two of the German military’s new spy satellites appear to have failed in orbit

Friday, June 28th

Indonesian Airports, Data Centres Hit By Worst Cyberattack in Years
Cisco Talos warns of wider security implications following Snowflake breach

Thursday, June 27th

I Wore Meta Ray-Bans in Montreal to Test Their AI Translation Skills. It Did Not Go Well
Researchers upend AI status quo by eliminating matrix multiplication in LLMs
YouTube tries convincing record labels to license music for AI song generator
Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk
Julian Assange to plead guilty but is going home after long extradition fight

Thursday, June 13th

Hackers show off jailbroken checkm8-vulnerable iPad and Apple TV running iPadOS 18 & tvOS 18 respectively
One of the major sellers of detailed driver behavioral data is shutting down
Turkish student creates custom AI device for cheating university exam, gets arrested

Wednesday, June 12th

Chinese-Made Biometric Access System Has 24 Vulnerabilities
Apple and OpenAI currently have the most misunderstood partnership in tech
Adobe to update vague AI terms after users threaten to cancel subscriptions
China state hackers infected 20,000 Fortinet VPNs

Tuesday, June 11th

Russia Is Targeting Germany With Fake Information as Europe Votes
Apple announces macOS 15 Sequoia with window tiling, iPhone mirroring, and more
Apple integrates ChatGPT into Siri, iOS, and macOS
British police to scan 480,000 Formula 1 fans’ faces at Silverstone
Hackers steal “significant volume” of data from hundreds of Snowflake customers

Friday, June 7th

7,000 LockBit decryption keys now in the hands of the FBI, offering victims hope
FCC pushes ISPs to fix security flaws in Internet routing
Can a technology called RAG keep AI models from making stuff up?
How to Lead an Army of Digital Sleuths in the Age of AI

Thursday, June 6th

Mystery object waits nearly an hour between radio bursts
Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab
Ex-Microsoft security expert torches Windows' new 'Recall' feature
The Age of the Drone Police Is Here

Wednesday, June 5th

Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File
TikTok Hack Targets ‘High-Profile’ Users via DMs