While many causes exist for security problems, at least three types of fundamental weaknesses open the door to security problems.
Obviously, we could probably add human weakness and some others, but our purpose is to concentrate on those issues that, once recognized, can be managed, monitored, and improved within a security strategy.
Every technology has some known or unknown inherent weaknesses, or vulnerabilities, that can be exploited by a sufficiently motivated troublemaker. Some weaknesses are publicized widely in the media because they’re associated with a well-known product. Don’t fall into the faulty logic that because you don’t hear about the other products, they must be secure. Just because no one cares enough to hack a product doesn’t mean it’s necessarily secure.
Starting right at the top, TCP/IP wasn’t designed with security as a high priority. One of the drawbacks to being the first at anything is the inability to see how others might manipulate and transform a technology into something else. The designers were looking for a reliable vehicle to allow research organizations to share information. The many early protocols and tools that make up the TCP/IP suite were developed in an environment of trust and openness.
Today, various Request for Comments (RFCs), security best practices, security services, and an array of products from many vendors work together to reduce the risks inherent in the environment.
Regardless of the manufacturer or whether it’s an open standard or proprietary product, every operating system (OS) has vulnerabilities that need to be addressed through patches, upgrades, and best practices. Every time a major upgrade comes out, the possibility for new or even revived vulnerabilities can, and does, appear.
While a company tries to produce and deliver a secure final product, the addition of new features, implementation of new standards, and even hardware changes can lead to potential problems that don’t get caught in prerelease testing.
Given the number of lines of code in most modern OSs, it isn’t wholly unreasonable that some problems will slip through. While our focus is security, the OS developers and product testers are looking at usability, accessibility, features, performance, stability, backward compatibility, and many other characteristics, plus security. Right or wrong, it’s also important to remember that security hasn’t always been the highest priority of developers, product managers, customers, product reviewers, financial analysts, writers, and so forth.
Whether IOS-based or embedded in the circuitry, such as an application-specific integrated circuit (ASIC), network devices can have vulnerabilities, often called “holes,” that can be exploited. Some might lie dormant for years until someone stumbles across one and either exploits it or documents it. Often the process of documenting and notifying the user base of a problem lays out a roadmap for troublemakers.
When possible, patches, IOS upgrades, and best practices should be applied to eliminate or mitigate known problems. In some cases, it might be determined that the device should be abandoned or moved to a part of the network that would be impacted less by the problem.
To find security advisories and related information without a CCO ID, go to http://www.cisco.com and do a search on security.
Policy weakness is a catchall phrase for company policies, or a lack of policies, that inadvertently lead to security threats to the network system. Chapter 2 covers in detail the importance and implementation of a written security policy, which is the essential foundation of a good security implementation.
The following examples are some of the policy issues that can negatively impact a business’s computer system:
No written security policy: Lack of a documented and adopted plan means the security efforts evolve and are enforced, if at all, in a best-effort manner.
Lack of disaster recovery plan: Without a plan, the efforts to fight a network attack—or even a physical emergency such as fire, flood, or earthquake—are left to the judgment and knowledge of the staff on hand. Even the best-trained and most experienced staff can make foolish decisions when faced with an unexpected catastrophic event.
No policy for software and hardware additions or changes: Whether motivated by increasing productivity or recreation, any addition or upgrade to software or hardware can introduce unexpected security vulnerabilities. Adding an unauthorized wireless access point to a network can throw open a virtual garage door to the network and the company resources. Similarly, an unauthorized screensaver might also be harvesting passwords, user IDs, and other information for someone else.
Lack of security monitoring: Even if a secure network is developed, failure to monitor logs and processes or weak auditing allows new vulnerabilities and unauthorized use to evolve and proliferate. The worst case would be not recognizing that a serious loss had occurred or was continuing.
Employment policies: Frequent staff turnover, lower than typical compensation, and lack of training opportunities can all impact network security by bringing new, untested, and underskilled employees into positions of authority and responsibility.
Internal policies: Lax business attitudes and practices often create temptations and a relatively safe environment for the opportunist within to ply their craft. This is the “we are all like family here” syndrome. Unfortunately, even some of the best families have a thief in their midst. Similarly, infighting, backbiting, power struggles, or turf struggles can lead to security issues or divert attention, allowing problems to go undetected.
Many network devices have default settings that emphasize performance or ease of installation without regard for security issues. Installation without adequate attention to correcting these settings could create serious potential problems. Some common configuration issues include the following:
Ineffective access control lists failing to block intended traffic
Default, missing, or old passwords
Unneeded ports or services left active
User IDs and passwords exchanged in clear text
Weak or unprotected remote access through the Internet or dial-up services
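As an added example (not from the book), the following Python audit flags several of the configuration weaknesses just listed in a Cisco IOS running-config, with a corrected configuration beside the weak one for comparison. Both config fragments and the MGMT access-list name are constructed for illustration.

```python
import re
from typing import List

# Constructed sample configs (not from any real device): one showing the
# configuration weaknesses listed above, one with the corrected settings.
WEAK_CONFIG = """\
enable password cisco
ip http server
snmp-server community public RO
line vty 0 4
 password telnet123
 login
 transport input telnet
"""
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 <hash-placeholder>
no ip http server
ip access-list standard MGMT
 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 login local
 transport input ssh
"""

def audit_ios_config(config: str) -> List[str]:
    """Return one finding per weak setting found in an IOS running-config."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = []
    if any(ln.startswith("enable password ") for ln in lines):
        findings.append("weak credential: 'enable password' used instead of 'enable secret'")
    if "service password-encryption" not in lines:
        findings.append("clear-text line passwords: 'service password-encryption' missing")
    if "ip http server" in lines:
        findings.append("unneeded service: 'ip http server' enabled")
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)", ln)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"default SNMP community string '{m.group(1)}'")
    # Walk each 'line vty' block: telnet exchanges credentials in clear text,
    # and a missing access-class means no ACL limits who may reach the vty lines.
    in_vty, has_acl = False, True
    for ln in lines + ["!"]:  # trailing '!' closes a block that ends the file
        if ln.startswith("line vty"):
            in_vty, has_acl = True, False
        elif in_vty and ln.startswith(" "):
            if ln.strip().startswith("transport input") and "telnet" in ln:
                findings.append("clear-text remote access: vty accepts telnet")
            if ln.strip().startswith("access-class"):
                has_acl = True
        elif in_vty:
            in_vty = False
            if not has_acl:
                findings.append("unrestricted remote access: vty has no access-class")
    return findings
```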
Monitoring vendor announcements and advisories, combined with industry news services, can identify the most common, best-known vulnerabilities and often include the appropriate mitigation solution.
Know the three causes of security problems.