Basic security threats not changed in 15 years

There may have been significant technological advances to the hardware and software organisations use, but according to Roy Hills, who co-founded NTA Monitor in 1996, the basic security threats have not changed in the last 15 years.

"Looking at the results of the thousands of penetration tests we've carried out and the hundreds of companies and organisations we've consulted for since we first started the business, three recurring security issues stand out," says Roy.

"Poor patch management, badly configured software and weak passwords are some of the most persistent security risks seen by our testers. These issues have remained so prevalent because they tend to be the result of human, rather than technical problems. For example, people use easily guessable passwords, or inadequate staff training means a lack of knowledge could give rise to holes in network security."

Research recently carried out by Gartner suggests that as many as 85 per cent of the network attacks that successfully penetrate companies' network defences are made through vulnerabilities for which patches and fixes have already been released.

While a survey carried out by Tufin highlighted that badly configured networks accounted for around three quarters of network breaches, with many respondents citing that IT professionals 'did not know what to look for' or they did not have enough time and money for audits.

Roy added: "It can be surprising to discover that a company is leaving themselves open to attack simply because they either have missing or out of date patches, or no patching policy in place.

"Patching is often regarded as time consuming but by automating the process and adopting a prioritised risk-based approach it becomes easier for companies to develop and enforce rigorous patch management."

Managing password policy requires a balancing act of encouraging people to move away from easy to guess or default settings to choosing more difficult examples - but not too complicated that they forget them or are forced to write them down on a piece of paper, which is then kept next to the computer! Best practice examples include making a password of first letter mnemonics from a memorable phrase or event, changing the password three or four times a year and not sharing passwords - or leaving them in insecure places.

Generally, badly configured software and networks can be avoided by putting in controls that prevent unauthorised users from making changes to the system and testing that the software actually works seamlessly with the rest of the network. Coupled with adopting good security procedures, following industry best practice, rigorously testing after any changes are made and addressing the findings from tests, and amending procedures if required, will all help to ensure correct configuration.

Roy continued: "Worryingly, some companies are continuing to ignore the security basics - and there's simply no excuse for this. With the Information Commissioner's Office now able to fine organisations up to £500,000 for data loss, it is absolutely vital companies have a clearly defined security policy and audit trail.

"Security breaches because of a lack of patching, poor password policy or badly configured software will not be tolerated. Installing the newest technology and equipment to protect your business from the latest threats is all very well, but unless ICT departments start tackling the human element of these three fundamental problems then information systems will continue to remain vulnerable to attack.

"Organisations can help overcome these issues by developing a robust security policy that focuses on employee awareness training and education, regular communication with staff and making sure members of the ICT department fully understand - and are trained in - all aspects of their role."

NTA Monitor is the oldest commercial security testing and auditing firm in the UK and in 2011 will be celebrating its 15th anniversary.

For general security tips, click here.

This article features in the current issue of our newsletter From the Perimeter. Sign up to From the Perimeter for the latest industry insight and comment.

This article was first released on: 1st February 2011