Pen Testing for Low Hanging Fruit - Part 6 of 7

Tuesday, November 02, 2010

Bryan Miller


Do It Yourself or Outsource? - Part 6 of a 7-part series - (Part 1 Here) (Part 2 Here) (Part 3 Here) (Part 4 Here) (Part 5 Here)

Categories of Vulnerabilities

The category of passwords includes all forms of passwords and similar authentication schemes. 

They take the form of default application passwords; missing, blank and easily guessed passwords on operating system accounts; and other password uses such as SNMP community strings. 

Another common password weakness is administrators using similar passwords across different platforms. 

In other words, this becomes a problem when network administrators use the same password for their Microsoft Windows account, the Oracle “system” account and the Cisco administrative account.
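The checks described in this section can be scripted against an inventory of configured credentials. The following audit is an added example written for this post, not code from the original article: the inventory records, platform names, owner names and default-credential lists are constructed for the demonstration, and a real audit would read them from a CMDB, configuration exports or a password-vault API. It flags blank, default and short passwords, default SNMP community strings, and the same owner using one password on several platforms, and it reports reuse by keyed fingerprint rather than by exposing the secret.

```python
"""Credential hygiene audit over a constructed inventory.

Added example for this post, not code from the original article. The
inventory records, platform names and default-credential lists are
constructed for the demonstration; a real audit would read them from a
CMDB, configuration exports or a password-vault API.
"""
import hashlib
import hmac
from collections import defaultdict

# Vendor/default values a scanner flags on sight (constructed, not exhaustive).
DEFAULT_PASSWORDS = {"admin", "password", "cisco", "manager", "change_on_install"}
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_LENGTH = 8

# Constructed inventory: one record per credential configured on a platform.
INVENTORY = [
    {"owner": "alice", "platform": "windows", "kind": "password", "secret": "Winter2010!"},
    {"owner": "alice", "platform": "oracle",  "kind": "password", "secret": "Winter2010!"},
    {"owner": "alice", "platform": "cisco",   "kind": "password", "secret": "Winter2010!"},
    {"owner": "bob",   "platform": "oracle",  "kind": "password", "secret": "manager"},
    {"owner": "svc",   "platform": "linux",   "kind": "password", "secret": ""},
    {"owner": "-",     "platform": "switch1", "kind": "snmp",     "secret": "public"},
    {"owner": "carol", "platform": "windows", "kind": "password", "secret": "correct horse battery"},
]

# Keyed fingerprint: the report can show *that* two secrets match without
# carrying an unsalted hash that could be cracked offline if the report leaks.
AUDIT_KEY = b"constructed-audit-key-rotate-per-run"


def fingerprint(secret: str) -> str:
    """Short keyed HMAC of a secret; equal secrets give equal fingerprints."""
    return hmac.new(AUDIT_KEY, secret.encode(), hashlib.sha256).hexdigest()[:12]


def audit(records):
    """Return (severity, owner, platform, finding) tuples; secrets are never echoed."""
    findings = []
    by_owner = defaultdict(lambda: defaultdict(set))  # owner -> fingerprint -> platforms
    for r in records:
        s = r["secret"]
        if r["kind"] == "snmp":
            if s.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", r["owner"], r["platform"], "default SNMP community string"))
            continue
        if s == "":
            findings.append(("high", r["owner"], r["platform"], "blank password"))
        elif s.lower() in DEFAULT_PASSWORDS:
            findings.append(("high", r["owner"], r["platform"], "default/vendor password"))
        elif len(s) < MIN_LENGTH:
            findings.append(("medium", r["owner"], r["platform"], "password shorter than %d" % MIN_LENGTH))
        by_owner[r["owner"]][fingerprint(s)].add(r["platform"])
    # Cross-platform reuse: same owner, same secret, more than one platform.
    for owner, fps in by_owner.items():
        for fp, platforms in fps.items():
            if len(platforms) > 1:
                findings.append(("high", owner, ",".join(sorted(platforms)),
                                 "same password on %d platforms (fp %s)" % (len(platforms), fp)))
    return findings


if __name__ == "__main__":
    for sev, owner, platform, text in audit(INVENTORY):
        print("%-6s %-6s %-22s %s" % (sev, owner, platform, text))
```

On the constructed inventory this reports bob's vendor-default Oracle password, the blank service account, the default community string on switch1, and alice's single password on the Windows, Oracle and Cisco platforms, which is exactly the reuse case the paragraph describes. The HMAC key should be generated per run so that fingerprints in one report cannot be matched against another.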

Patch management for desktop PCs and servers always seems to be an issue, even in organizations that have robust patch management applications and policies already in place. 

It is not uncommon to find missing patches for vulnerabilities that were announced three or four years ago. The implications of missing patches for security and privacy cannot be overstated. 

Missing patches account for a very large percentage of successful network attacks.
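A quick way to see how old an organization's patch gaps are is to join the host inventory against the advisory publication dates and report the age of every missing patch. The script below is an added example, not the author's code: the advisory identifiers, publication dates and host records are constructed placeholders, and the reference date is the date of this post.

```python
"""Missing-patch age report over a constructed inventory.

Added example, not code from the original article. Advisory ids, dates and
host records are constructed; a real report would pull them from the patch
management system and the vendor's advisory feed.
"""
from datetime import date

# Reference date for ageing: the date of this post.
AS_OF = date(2010, 11, 2)

# Constructed advisory catalogue: patch id -> date the fix was published.
ADVISORIES = {
    "KB-EXAMPLE-001": date(2006, 8, 8),
    "KB-EXAMPLE-002": date(2008, 10, 23),
    "KB-EXAMPLE-003": date(2010, 9, 14),
}

# Constructed host inventory: which advisories each host has applied.
HOSTS = {
    "fileserver01": {"KB-EXAMPLE-001", "KB-EXAMPLE-003"},
    "workstation-17": {"KB-EXAMPLE-003"},
    "dbserver02": {"KB-EXAMPLE-001", "KB-EXAMPLE-002", "KB-EXAMPLE-003"},
}


def missing_patches(hosts, advisories, as_of):
    """Return {host: [(patch_id, age_in_days), ...]}, oldest gap first.

    Hosts with nothing missing are left out so the report lists only work to do.
    """
    report = {}
    for host, applied in hosts.items():
        gaps = [(pid, (as_of - published).days)
                for pid, published in advisories.items() if pid not in applied]
        gaps.sort(key=lambda gap: -gap[1])
        if gaps:
            report[host] = gaps
    return report


def oldest_gap_years(report):
    """Whole years of the oldest missing patch across the estate (0 if none)."""
    ages = [age for gaps in report.values() for _, age in gaps]
    return max(ages) // 365 if ages else 0


if __name__ == "__main__":
    rep = missing_patches(HOSTS, ADVISORIES, AS_OF)
    for host, gaps in rep.items():
        for pid, age in gaps:
            print("%-15s %-15s missing for %4d days" % (host, pid, age))
    print("oldest gap: %d years" % oldest_gap_years(rep))
```

With the constructed data, workstation-17 is missing a fix published more than four years before the reference date, the kind of finding the paragraph above calls common. Sorting each host's gaps oldest first puts the longest-exposed items at the top of the remediation list.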

Information Technology policy and procedures are often the bane of a network administrator. 

Next to documenting network topologies and device configurations, policies and procedures are often the IT stepchild and receive the least amount of effort. 

Nobody likes to write them and few people read them. But they are critical to the overall success of any information security and privacy plan and should drive the configuration of all security devices.

There are many reasons why organizations don’t have current IT policy and procedure documents. The first reason is that it takes a lot of time and managers don’t often get evaluated on such projects. 

Metrics are developed to measure and reward successful network implementations, short help desk response times and great call quality for the new VoIP implementation. 

Few corporate leaders are going to reward IT managers for well-written policy documents. 

Another reason for not having accurate policy documents is that often the person writing them has no authority to enforce them.

Despite all of these reasons, IT managers need to work together with human resources, legal and compliance personnel to convince top management of the need for current, accurate policies and procedures. 

Well-written documentation is the key to an effective management strategy and in the long run will help save the company money by ensuring a consistent process for each management task. 

Consistent procedure documents also reduce the time spent training new employees, which saves money as well. 

Finally, accurate documentation is also a key component of most security and privacy regulations.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
