Reducing "Human Factor" Mistakes

posted onApril 6, 2004
by hitbsecnews

L33tdawg: This article first appeared over at our affiliate's site Frame4 Security. The original article can be found here.

By: Dancho Danchev

Nowadays companies and organizations face the problem where massive attempts
at illegal intrusions hit their network on a daily basis. In spite of the latest
technological improvements in security, it's still the network users who are
often unknowingly inviting security breaches through carelesnes and a lack of
awareness. This paper will try to summarize various mistakes done by system
administrators, company executives and of course the end users, and will also
provide you with useful strategies that will definitely help you reduce or completely
eliminate the mistakes.

Nowadays companies and organizations face the problem where massive attempts
at illegal intrusions hit their network on a daily basis. Whether successful
or not, they still pose a significant threat to the proper functionality and
continuity of the institution's processes. The majority of these institutions
tend to think that any future security related implementations would cost too
much effort and resources and place a burden on the budget. On the other hand,
the constant media reports of large and well-known corporations broken into
really discourage them.

In spite of the latest technological improvements, it's still us, those interacting
and configuring these devices/programs; it's our staff members, the ones unknowingly
contributing to the dissemination of malicious code, to the exposure of sensitive
or classified business information.

This paper will try to summarize various mistakes done by System Administrators,
Company Executives and of course the end users, and will also provide you with
useful strategies that will definitely help you reduce or completely eliminate
the mistakes.

The Top 5 System Administrator Mistakes

System Administrators are those mainly responsible for the continued operation
of your computers and for the proper functionality of your network, however
in most of the organizations these people are also responsible for the Security
of the devices, the detection of potential intrusions and securing the organization's
network. Taking a lot of responsibilities increases the number of potential
mistakes by the individual due to the stress and the constant work on several
issues simultaneously. Here I'll review the most common mistakes done by System
Administrators which could somehow endanger your organization and the sensitive
data you're holding.

1. The lack of a well established Personal Security Policy

Believe it or not, most of the average System Administrators don't have a personal
Security Policy covering important issues like Physical Security of the terminal,
the chaotic way a system's software is being updated and the way that new patches
are applied. Even the big and well-known companies suffer from the fact that
some of their systems are not patched as soon as a new bug is discovered, another
proof of the importance of this issue.

Sometimes the Administrator isn't even aware of the latest vulnerabilities
discovered, which could lead to a potential security breach within the organization.
Security is a never-ending process that requires constant monitoring of new
threats and technologies. Although most of the Administrators are not Security
Experts they should continue to learn about new and much more powerful methods
to protect and secure their networks, while on the other hand increase their
competitiveness. Nowadays those having some sort of Security certification or
extended knowledge in the Information Security field are usually a step ahead
of those whose skills are up to networking only. Below I've tried to summarize
various recommendations and tips for improving the Security of your terminal,
organization and broaden your knowledge on the subject.

  • Physically secure your terminal and working place, realize the dangers of
    malicious "snoopers" walking around your workplace, having access
    to your terminal.
  • Logout each time your leave the terminal, or set up a time out, so even
    if you forget to logout, the system will be protected once it detects you're
    not in front of the keyboard.
  • Consider subscribing to various Security related newsletters, mailing lists
    with the idea to keep an eye on the latest vulnerabilities discovered.
  • Visiting the appropriate exploits related web sites is an important process
    acting as an early warning system for potential intrusions due to outdated
    or unpatched software.
  • Reading the latest Security related white papers is an essential step of
    the Administrator's self education process, which ensures he/she is up to
    date with the latest topics discussed over the community.
  • Limit the use of notes and papers for any sensitive information such as
    passwords, IP's and anything that might help a potential intruder gain access
    to your systems. However if you use these, shred and destroy them each time
    before you leave your work place. Malicious "snoopers" around the
    workplace might take advantage of this well known weakness, so limit or completely
    eliminate the use of these notes.


2. Connecting misconfigured systems to the Internet

  • With the ever-expanding company's needs, new systems and servers are connected
    to the Internet on a regular basis, thereby increasing the current level of
    productivity or significantly limiting the overall expenses of the institution.
    However, most of these systems are connected to the Internet without the proper
    Security Auditing, thus being exposed to malicious attackers by the time a
    proper Security Audit is done.

The majority of Administrators mainly rely on the fact that the system is new,
no one knows about it, no one knows its reserved IP, and so it will be impossible
to break into something you don't know that exists. However, this mode of thinking
represents a threat to any organization. There are people or automated scripts
scanning the Internet, or specific company's network, especially for such "test
systems" with the idea to break into them, hide within, and use the system
for committing further illegal activities. And how about if someone knew the
right day, time and the IP reserved for the system, through advanced social
engineering techniques, how about if someone is non-stop stealthily scanning
your network for such systems? Realize the dangers and take the appropriate
measures by following some recommendations listed below.

  • Conduct a complete Security Audit of the system, before you physically connect
    it to your network.
  • Make sure the system has the latest versions of the software, installed
    and securely configured.
  • If there are network tests that need to be done, consider blocking the
    access to the test system from the Internet.
  • Verify that the system you're about to connect doesn't contain any sensitive
    data yet.
  • You might be interested in how often the new system is probed for various
    vulnerabilities. Install an Intrusion Detection System, and I'm sure you'll
    be surprised at the number of scans within the first day.

3. Relying on tools

Vulnerability scanners are often used to gather information about the current
level of Security within the network scanned. Host Vulnerability Scanners are
very useful in checking the Security within the host, like file permissions,
passwords policies and many other issues related to potential local break-in.
On the other hand, Network Vulnerability Scanners provide the Administrator
with the hacker's point of view on the network, highly beneficial tools as far
as Penetration Testing is concerned. Generally, these scanners would eliminate
half of the potential security problems within the system, however they're not
a complete solution in order to achieve maximum level of Security. Admins tend
to run as many Vulnerability scanners, as possible thinking that the more they
run, the higher is the chance to eliminate all the problems. Wrong mode of thinking,
and there're even cases where inappropriate scanners are ran to check the Security
of an OS they're not specifically created for. Indeed, Vulnerability scanners
can save you a lot of time, resources and troubles, but they're not a complete
solution and you should not rely only on these. Instead, learn more about the
Security of the OS you're running, so that you'll be able to manually (or via
some sort of scripts created for your very specific needs) eliminate potential
Security problems that cannot be discovered by any Vulnerability scanner.

4. Failing to monitor the logs

Monitoring the system's logs is an essential step in detecting ongoing or forthcoming
intrusions. It will help you understand the common vulnerabilities, attackers
are scanning for, so that you'll be able to verify all of your systems are protected
against specific attack. In case of an intrusion, it's your system logs that
might help you trace back the attacker, if they're not modified of course. Realize
the benefits of regularly checking and securely storing your log files, while
on the other hand a contribution to the scene will help everyone. Dshield.org
is a reasonable example.

5. Running extra and unnecessary services/scripts

Using the company's resources and network as a personal playground for testing
various scripts and services, is another common mistake done by the average
Administrator. Having these scripts and extra services running, results in a
variety of potential new entry points for a malicious attacker, and let's not
mention if this is done from the main server. If you really need to test scripts,
run extra services for personal issues, consider doing it from an isolated computer,
not connected to the network, while still having Internet access, thus limiting
the chances of someone discovering these services and scripts.

The Top 5 Company Executive Mistakes

Company Executives are those managing and dealing with the company's resources,
budget, those who are responsible for leading and expanding the institution.
Nowadays, the Internet offers amazing advantages for any company worldwide.
The term E-business is getting more popular and E-business Strategy is an issue
included in every Business Plan. However, the global connectivity represents
a threat to the sensitive information if the company is lacking a Security strategy.
I’ll try to summarize common mistakes done by the Company Executives that
could possibly contribute to a Security breach.

1. Employing untrained and inexperienced experts

Without a doubt, every highly qualified and experienced Expert is a valuable
asset to any company's resources. However their qualification and professional
abilities require the Executive or the one responsible for employing them, to
have extended knowledge on the issue, thereby hiring the appropriate person
for the right job. Having a basic understanding of various, if not the most
popular certifications, ensures that you'll be able to make the best decision.
I would advise you to take a look at gocertify.com/security in order to deepen
your knowledge on the most popular Security/Network certifications available.

2. Failing to realize to consequences of a potential security breach

By realizing the devastating consequences of the problem, and eliminating the
"This won't happen to us" mode of thinking, you'll be able to properly
react instead of endangering your company's business activities due to lack
of understanding the issue.

  • Damaging other businesses online, by contributing to a DDoS attack
  • Storing illegal information and unknowingly distributing it due to an undetected
    intrusion
  • Exposing sensitive customer's information to a malicious attacker, thus
    endangering their privacy
  • Damaging the company's image, loss of customers, loss of partner trust

And it's just the tip of the iceberg, realize the consequences and take the
appropriate actions.

3. Not spending enough money on the Information Security issue

Convincing a Company's Executive on the benefits or the potential losses of
proper/improper management of the Information Security budget can be a difficult
task. Managers tend to limit the budget to the minimum because of their failure
to realize the potential damages to the company, or sometimes it's the budget
that limits them. Internet as a global network offers unlimited and fascinating
opportunities for every Business out there, once the Information Security issue
is well taken care of. Consider conducting a Risk Analyses, so that you'll be
able to distinguish critical or less critical systems, thus fitting in the budget,
while on the other hand have your sensitive systems properly protected.

4. Relying mainly on commercial tools and products

"We use a world-known firewall, and a server based virus protection, so
we are secured against hackers attacks" is one of the most common answers
on "How is your company protected against hackers?” Security is a
process, not a product. Although theoretical concepts became real-life solutions
with the help of technology, this is not a complete solution for your Security.
Company Executives need to have a basic understanding of what a firewall can,
and cannot do, how useful and in some cases, useless a virus scanner is, thus
they'll be able to invest in the right direction. Commercial tools and products
are part of the process - securing your company's sensitive data, but they're
tools that will not absolutely protect your organization.

5. Thinking that security is a one time investment

Security is an ever-evolving and ever-adapting concept, which requires monitoring,
investments in both technology and most importantly, in people's education.
New technologies appear every day, significantly saving you time and money,
thus providing both the enterprise and the customers with a much reliable, yet
cheaper services. However, new technologies and services pose different threats
from those that you're currently protected from, which means that each time
a new technology/service is implemented it will definitely enhance your productivity,
but on the other hand the process requires a different Risk Management and the
implementation of various new security measures.

The Top 5 End User Mistakes

End users are those handling the sensitive company's data on a daily basis.
It's their decisions and activities that protect or somehow expose this highly
critical data to a potential intruder/competitor. Here I'll review some of the
most dangerous mistakes that end users tend to make.

1. Violating the company's Security Policy

The Company Security Policy is a document outlining the responsibilities of
each of the staff members, having access to sensitive systems and information.
The document is considered to be an inseparable part of any organization's Security
Model, thus providing the staff members with an easy to understand way on how
to protect the company's systems while using them. However, end users tend to
violate the policy, thus exposing critical systems and sensitive information
to a malicious attacker. The consequences of these activities could be devastating
to your whole organization, that's why it is strongly recommended to provide
everyone with explanation on why it is so important to follow the Security Policy,
as we as discuss the potential damages of violating the Policy.

2. Forwarding sensitive data to their home computers

One of the most dangerous ways of having your sensitive data exposed to attackers,
an activity which turns all of your Security measures into a completely useless
process, is that of the staff member's habit to forward sensitive data to his/her
home computer. The reasons are obvious, the consequences devastating. In fact,
the users tend to forward a non-finished project or a business plan to their
home computer, so that they'll be able to finish their work later at home, while
on the other hand they don't realize that changing the company's secured environment,
with their less secured home computer one, seriously exposes this information
to an attackers/competitors. If it is absolutely necessary to forward data to
their home computer, a regular Security Audits has to be conducted, ensuring
their notebooks or home computers are protected from malicious attacks, while
on the other hand the whole process increases the Risk level.

3. Writing down any accounting data

Creating and maintaining strong passwords, that's not your company's employees
favorite process, as it's a time and nerves consuming one. Users hate creating
passwords which they can't remember, while on the other hand the company's Security
Policy states that this is the way a password should be created/maintained.
Memorizing such a password is another issue that bothers them. In order to solve
their problem, users tend to keep "secret" notes, under the keyboard,
in their wallet, or anywhere else around their working place. These notes contain
their sensitive accounting data, and using this way of storing, increases the
chance of a Security breach due to irresponsibility. You should make your users
aware of the potential problems that might occur, consider providing them with
various password-memorizing techniques in order to reduce the current number
of staff, keeping accounting data on notes. Play various scenarios on how a
malicious attacker could find their note, and what would follow after that.

4. Downloading from untrusted web sites

Given the opportunity to download from the Internet, the staff members often
abuse their privileges and even endanger the Security of their company. Downloading
from unknown and untrusted web sites helps the spread of malicious programs
all over the Internet. Once infected with any sort of malicious program (virus/trojan/worm)
the infection will cause serious effects on the organization's functionality,
and let's not mention the potential spread of these programs on other networks.
Staff members should keep the downloads to the minimum, in case they need a
specific application, it is strongly recommended to contact the IT Department
instead of downloading the program from an untrusted web site. Another problem
that companies face these days is the installation of pirated (warez) software
(downloaded from the Internet) on their systems. Educate the staff members via
any sort of Malicious Code Best Practices, summarize the entire problem and
help them understand the dangers.

5. Failing to pay serious attention to the Physical Security issue

Having a basic understanding of various Physical Security issues will definitely
result in much more secured workplace, and thus adequately protect sensitive
data. Generally, the staff member's behavior while using the company's workstations
is likely to be highly irresponsible and "security illiterate”. Users
often leave their workstations unattended, their screensavers rarely have proper
passwords, the list of problems is an endless one. Educate them on various strategies
while using the company's systems; ensure they're able to properly handle sensitive
information having the Physical Security issue in mind.

Summary

This paper explored in-depth the most common mistakes that could lead to a potential
Security breach. Take these very seriously and if necessary renovate your current
Security Model. Educating your users, administrators and even the company's
executives will increase everyone's level of Security Awareness, thus ensuring
the secured and continuous functionality of the organization. The author of
this paper can be contacted at dancho.danchev@windowsecurity.com.

1.) Reducing "Human Factor" Mistakes - Dancho Danchev
2.) Virtual File System - /proc - Danny “Dr.T”
3.) Hiding Files - [in]visible
4.) Better Living Through Mod Security - L33tdawg
5.) Guide to ARP Spoofing - Barfbag
6.) SMOKE="gentoo" - mel
7.) Nessus - Doing more with Less - christian

Source

Tags

Articles

You May Also Like

Other Articles In This Section

Recent News

Tuesday, July 9th

China's APT40 gang is ready to attack vulns within hours or days of public release
AI-Powered Super Soldiers Are More Than Just a Pipe Dream
The president ordered a board to probe a massive Russian cyberattack. It never did.
Massive car dealer ransom attack is mostly over after 2 weeks of work-arounds

Wednesday, July 3rd

“RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux
Two of the German military’s new spy satellites appear to have failed in orbit

Friday, June 28th

Indonesian Airports, Data Centres Hit By Worst Cyberattack in Years
Cisco Talos warns of wider security implications following Snowflake breach

Thursday, June 27th

I Wore Meta Ray-Bans in Montreal to Test Their AI Translation Skills. It Did Not Go Well
Researchers upend AI status quo by eliminating matrix multiplication in LLMs
YouTube tries convincing record labels to license music for AI song generator
Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk
Julian Assange to plead guilty but is going home after long extradition fight

Thursday, June 13th

Hackers show off jailbroken checkm8-vulnerable iPad and Apple TV running iPadOS 18 & tvOS 18 respectively
One of the major sellers of detailed driver behavioral data is shutting down
Turkish student creates custom AI device for cheating university exam, gets arrested

Wednesday, June 12th

Chinese-Made Biometric Access System Has 24 Vulnerabilities
Apple and OpenAI currently have the most misunderstood partnership in tech
Adobe to update vague AI terms after users threaten to cancel subscriptions
China state hackers infected 20,000 Fortinet VPNs

Tuesday, June 11th

Russia Is Targeting Germany With Fake Information as Europe Votes
Apple announces macOS 15 Sequoia with window tiling, iPhone mirroring, and more
Apple integrates ChatGPT into Siri, iOS, and macOS
British police to scan 480,000 Formula 1 fans’ faces at Silverstone
Hackers steal “significant volume” of data from hundreds of Snowflake customers

Friday, June 7th

7,000 LockBit decryption keys now in the hands of the FBI, offering victims hope
FCC pushes ISPs to fix security flaws in Internet routing
Can a technology called RAG keep AI models from making stuff up?
How to Lead an Army of Digital Sleuths in the Age of AI

Thursday, June 6th

Mystery object waits nearly an hour between radio bursts
Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab
Ex-Microsoft security expert torches Windows' new 'Recall' feature
The Age of the Drone Police Is Here

Wednesday, June 5th

Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File
TikTok Hack Targets ‘High-Profile’ Users via DMs