An organization can create its own vulnerabilities by not ensuring that the following issues are resolved through process or procedure:
■ The lack of a effective and consistent security policy due to any of the following conditions:
— Politics—Politics within an organization can cause a lack of consistency within the policies or a lack of uniform application of policies.
— Lack of a written policy—The lack of a written policy is essentially the same as not having any policy.
— Lack of continuity—When personnel change too frequently, there is often a loosening in the care people take to ensure that policies are enforced.
— Lack of disaster recovery planning—The resultant confusion after a disaster often results in virtually all security efforts being dropped if the administrators are not careful in their recovery efforts.
— Lack of upgrade plans within the security policy—A detailed procedure for implementing new hardware and software ensures that security does not become forgotten while implementing new equipment.
— Lack of monitoring—Failure to monitor logs and intrusion detection systems appropriately exposes many organizations to constant attack without any knowledge that those attacks are occurring.
— Lack of proper access controls—Improper password length, infrequent password changes, passwords written on notes attached to monitors, and freely shared passwords are all items that can lead to security breaches.
■ Configuration weakness within a organization can result in significant vulnerability exposure.
— Misconfigured equipment—A simple misconfiguration can cause severe security issues.
— Insufficient passwords—Passwords that are too short, are easily guessed, or consist of common words, especially when transmitted over the Internet, are cause for concern.
— Misconfigured Internet services—Knowing exactly which services are required and which services are running ensures that Internet services do not create potential security breaches.
— Using default settings—The default settings on a great number of products are designed to assist in their configuration and are placed in a production environment.
■ All technologies have intrinsic weaknesses. These weaknesses can reside in the operating system, within the protocol, or within networking equipment.
— All operating systems have weaknesses. You must take proper measures to make these systems as secure as possible.
— Certain protocols can be exploited because of the way they were written and the functionality that was written into the protocol.
■ Although all manufacturers strive to make the best product possible, any system of sufficient complexity is prone to human and mechanical errors. Additionally, all systems have their particular strengths and weaknesses. Knowing the nuances of your particular equipment is the best way of overcoming technology weaknesses.
Was this article helpful?