The Internet is not a safe place. It is a war-torn wasteland; a landscape of viruses, script kiddies, hackers, and corporate spies out to gain access to the little oasis known only as your network. What’s a sysadmin to do? They say the first step to nullifying a threat is knowing it; let’s take a look at the top ten security threats facing sysadmins today!
1. Outdated Software
By far one of the most dangerous threats to your network is outdated software. No matter how good your security policies are, or how well-informed your users are (though well-informed users will update their software, mitigating this vulnerability), outdated software with known, published vulnerabilities is a huge threat to your network: once a patch is out, the bug is public, and working exploit code for it usually follows quickly.
You wouldn’t think so at first, since many of you are running behind firewalls or other safety precautions, but these vulnerabilities don’t just apply to services that run inside the LAN. Services that by their nature must be exposed to the outside world are just as vulnerable when they run unpatched; some very famous vulnerabilities have been exploited in very common software, and even Apache, VNC, and SSH have had vulnerabilities crop up in their otherwise rock-solid stable releases.
The diligent sysadmin will of course, at this point, swear up and down that everything on their network is patched to kingdom come as soon as a security patch is released. To this I say: are you sure? Are you positive you’ve never skipped a Postgres upgrade because the next version didn’t work with your legacy program? Does every machine in your office still run IE6 because your corporate intranet doesn’t work with anything newer?
According to a recent study, a shocking 7.8% of corporations still use XP + IE6 in their day-to-day operation. The fact of the matter is that sometimes programs slip through the cracks; you have to be dedicated and diligent to upgrade and update your software without causing problems and errors, especially in small and home businesses that may not have the money, expertise, or manpower to upgrade and debug their software as often as they should, and so this threat remains as real as it has ever been.
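The honest answer to “are you sure?” is an inventory check, not a feeling. Here is an added example (not from the article) of the kind of audit script that answers it: it reads a package inventory and reports every host running a version below the minimum you consider patched. The inventory rows and the minimum-version table are constructed for illustration and are not real advisory data; maintain your own table from vendor advisories.

```python
import csv
import io
import re

# Minimum versions you consider patched.  Constructed for illustration, NOT
# real advisory data: maintain this from vendor advisories for your own estate.
MIN_PATCHED = {
    "apache2": "2.2.17",
    "openssh-server": "5.8",
    "postgresql": "9.0.4",
    "iexplore": "8.0",
}

# Constructed inventory, as exported from a package manager, SCCM, or a login script.
INVENTORY_CSV = """\
host,package,version
web01,apache2,2.2.17-1
web01,openssh-server,5.8p1
db01,postgresql,8.4.2
db01,openssh-server,5.3p1
desk07,iexplore,6.0.2900
desk08,iexplore,8.0.6001
"""


def version_key(version):
    """Reduce '5.8p1' or '2.2.17-1' to a tuple of its integers for comparison.

    A missing trailing component counts as lower, so (5, 8) < (5, 8, 1).
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def find_outdated(inventory_csv, minimums=MIN_PATCHED):
    """Return (host, package, installed, required) for every row below its minimum."""
    outdated = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        required = minimums.get(row["package"])
        if required is None:
            continue                      # nothing tracked for this package
        if version_key(row["version"]) < version_key(required):
            outdated.append((row["host"], row["package"], row["version"], required))
    return outdated


def by_host(outdated):
    """Group findings per host, so the report reads like a to-do list."""
    report = {}
    for host, package, installed, required in outdated:
        report.setdefault(host, []).append(f"{package} {installed} < {required}")
    return report


if __name__ == "__main__":
    for host, items in by_host(find_outdated(INVENTORY_CSV)).items():
        print(host)
        for item in items:
            print("   ", item)
```

One caveat a practitioner should keep in mind: plain version comparison is a heuristic. Linux distributions routinely backport security fixes without bumping the upstream version number, so a package can show “8.4.2” and still be patched; for distro packages, check the distribution’s own changelog or advisory rather than the upstream number.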
2. Users
Some of you might be surprised that this entry is on the list while others might be fuming that this isn’t the #1 threat. The fact of the matter is that users are surprisingly consistent in the threat they pose to your network. Specifically, they tend to be unaware of the dangers that the Internet poses and resistant to change, a quality that often makes it notoriously hard to upgrade them to newer versions of operating systems, office suites, and web interfaces.
Interestingly, when people think of “user” they think of a cubicle peon; this isn’t always the case, and the PEBKAC (“Problem Exists Between Keyboard and Chair”) phenomenon can extend very far up the hierarchical ladder. Often there is a push back from management when IT wants to move from XP to 7, or from Office 2003 to 2007, as the bigwigs in a company are no more keen to re-learn a UI than the accountants or the secretaries are.
That said, their resistance to change isn’t as much of a threat as their general trusting nature is. Users will install things they shouldn’t, visit sites they shouldn’t, and click on “Crazy storm story, click here” emails with EXEs attached to them. As much as you may try to educate them, be aware that users implicitly trust everything (and seem to like to click on things in general). In a 2007 study, 16% of users would click on an email labeled “Hey! Check this out!” and enter their username and password to gain access to the cool video. If the email was sent by a name they recognized, that number jumped to 70%. As much as you may try to lock down their workstations, there is always one intrepid user who just has to have that free iPad (bringing down a storm of trojans on your network in the process). And for that one special user, this threat takes #2 on the top ten.
3. Malicious Users
While some might say that this should be under the prior entry, the fact of the matter is that malicious users are an entirely different category of threat. Regular users, for the most part, are a threat only because of their good-natured outlook; they click on things, they want to win free stuff. They can be educated, or protected against, and in general are rather predictable in their behavior. This trait, while leaving them dangerous, makes them easier to defend against.
Malicious users, on the other hand, are gunning for you and your network. They will actively try to harm and destroy everything on the network, whether for revenge, sabotage, or whatever other reason drives them to wreck things rather than simply steal them for profit. These users are dangerous because, except in a few cases, you truly don’t know how long they have been plotting to bring down your network (unless the malice is an immediate fit of rage from being fired that day).
The most famous of these cases tend to be high-profile ones involving disgruntled IT workers; the failed logic bombs at Fannie Mae and the TSA in 2009 come to mind, for example. It isn’t just IT who has access to critical systems, however; accountants, executives, and other high-level employees quite often have access to critical systems that they can damage in a hurry if they want to. While good shops will have backups, those backups may be up to a week old, and such an event will still severely damage the company’s ability to operate for a while.
So how do you protect against these threats? Unfortunately, sometimes there’s not much you can do; some employees begin guarding against their termination years before anyone else has even thought of it. The best thing to do is to keep a good working relationship with them, and when terminating employees, revoke their access before they are told: disable their accounts, VPN and badge access, and change any shared or service passwords they knew, because a disabled login does nothing about a password they memorized.
4. Legacy Configurations and Protocols
Legacy protocols and configurations are quite often a very prominent threat in organizations, especially organizations with long-standing, proprietary software or hardware systems. Systems designed ten years ago often had no foresight into today’s security landscape, and rely on protocols like FTP or Telnet that send credentials and data across the network in plaintext, where anyone on the path can read them. This happens especially with very specialized software, which is usually custom-designed or otherwise lacking in regular updates.
The problem is not limited to hardware/software systems that demand it; it is sadly also attributable to legacy employees as well. In the past, two separate companies I worked for insisted on keeping an FTP server operating in plaintext open on a standard FTP port to the outside world. The reason for doing so was that that was how management was used to uploading and sharing documents, and they resisted any attempt at convincing them that these protocols were actually putting their systems at risk.
Mitigating these sorts of risks is tough, usually because of the massive amount of overhead and inertia required to overhaul these systems (whether the obstacle is proprietary or managerial). The best thing to do is to win small victories, such as wrapping the legacy connection in a VPN or SSH tunnel so that at least the credentials no longer cross the Internet in the clear, or restricting the exposed service to the source addresses that actually need it. The best solutions to these problems aren’t always technical, and some threats are best approached through personable teaching and education.
5. Misconfigured Software
Legacy systems aren’t the only problem: software and hardware misconfigurations can also really hurt your network security. Many networking systems, such as firewalls and routers, are extraordinarily complex beasts that often require both very specialized knowledge and extreme attention to detail in order to configure them as securely as they can be.
Unfortunately, in the real world, many sysadmins don’t have the luxury of being masters of every system, nor an inordinate amount of free time to go over their configurations a half-dozen times. Many sysadmins are overworked and learning new technologies on the job, making it very easy for them to overlook, or simply not know, that a line of configuration should be added (or removed). Additionally, many misconfigurations were inherited from a previous sysadmin, and the new sysadmin’s security audit fails to catch them for the same reasons outlined above.
Ideally, companies would have more technical staff on hand and try to specialize their IT workers, but this is almost never the case, and misconfigurations in network security are fairly common as a result. In a 2010 survey, 76% of hackers at DEFCON responded that a misconfigured IT network was the easiest and most common IT resource to hack; any steps to combat intrusions from the outside should begin with network security configuration!
6. Phishing
Phishing is a very damaging threat simply because it’s very easy to target: it doesn’t require very much research to figure out the names and email addresses of some employees at a business, and getting a payload into an email system once you know your victim’s social network is very effective (note the 70% statistic under Users above).
Many people will say that phishing doesn’t happen to them, or that their employees are too smart for it, but the sad fact of the matter is that our brains are wired to accept input from sources we trust, and once an attacker either poses as a trusted source or gains trust, he will have very little problem infiltrating the network or convincing the victim to download and run a payload that gives him shell access or steals usernames and passwords. In a famous social engineering attack, a customer support rep at AOL was talked into downloading a supposed picture of a car. The picture of the car turned out to be an exploit program, and the hacker gained access to AOL’s customer database through a simple phone call.
Hackers don’t have to go through this amount of effort, either; if they know a company’s tech guys are Bob, Pam, and Sue, they can call Bob and say “Hi Bob, this is X… I spoke to Pam and she said to talk to you to reset my password”. While many techs would see through that, some would not, and that’s even a very simplistic example; a very complex and slick phishing / social engineering attack might be so sophisticated that you may not realize what happened until it’s too late!
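The tells described in this entry (a familiar name on an unfamiliar address, replies steered somewhere else, a “video” that is really an executable) are mechanical enough to check on the mail gateway. The following is an added example, not code from the article: a triage function that parses a raw message with Python’s standard `email` module and reports those tells. The staff directory, our domain (`example.com`) and both sample messages are constructed for the example.

```python
import os
from email import message_from_bytes, policy

OUR_DOMAIN = "example.com"             # assumed: the domain we send mail from
STAFF = {                              # constructed directory: display name -> real address
    "pam": "pam@example.com",
    "bob": "bob@example.com",
}
RISKY_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs", ".hta"}

# Constructed message of the kind the article describes: a familiar name,
# an outside address, a lookalike Reply-To and a video that is really an EXE.
SAMPLE_MESSAGE = b"""\
From: "Pam" <pam.accounting@mail-example.net>
Reply-To: helpdesk-reset@example.com.evil-domain.net
To: bob@example.com
Subject: Hey! Check this out!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xyz"

--xyz
Content-Type: text/plain

Crazy storm story, open the attachment!
--xyz
Content-Type: application/octet-stream; name="storm_video.avi.exe"
Content-Disposition: attachment; filename="storm_video.avi.exe"
Content-Transfer-Encoding: base64

ZHVtbXk=
--xyz--
"""

# Constructed internal message that should raise no findings.
BENIGN_MESSAGE = b"""\
From: Pam <pam@example.com>
To: bob@example.com
Subject: lunch?

Noon at the usual place?
"""


def _is_ours(domain):
    d = domain.lower()
    return d == OUR_DOMAIN or d.endswith("." + OUR_DOMAIN)


def triage(raw):
    """Return (code, detail) findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    name = sender.display_name.strip().lower()
    # A staffer's name on an address that is not that staffer's real one.
    if name in STAFF and sender.addr_spec.lower() != STAFF[name]:
        findings.append(("SPOOFED_NAME",
                         f"'{sender.display_name}' is {STAFF[name]}, not {sender.addr_spec}"))

    # Replies steered to a different domain than the one the mail claims to come from.
    candidates = [sender]
    if msg["Reply-To"] is not None:
        reply_to = msg["Reply-To"].addresses[0]
        candidates.append(reply_to)
        if reply_to.domain.lower() != sender.domain.lower():
            findings.append(("REPLY_TO_MISMATCH",
                             f"replies go to {reply_to.addr_spec}, not {sender.addr_spec}"))

    # Our domain name embedded in somebody else's domain (example.com.evil-domain.net).
    for addr in candidates:
        if OUR_DOMAIN in addr.domain.lower() and not _is_ours(addr.domain):
            findings.append(("LOOKALIKE_DOMAIN", addr.addr_spec))

    # Attachments whose final extension runs code when double-clicked,
    # whatever the extensions before it claim.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if os.path.splitext(filename)[1].lower() in RISKY_EXT:
            findings.append(("RISKY_ATTACHMENT", filename))

    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_MESSAGE):
        print(f"{code:18} {detail}")
```

None of these checks is a substitute for SPF/DKIM or user education, but a mail filter that simply quarantines messages where a staffer’s display name arrives from an outside address removes the single trick that took the click rate from 16% to 70% in the study quoted above.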
7. Improper Budget & Planning
This one isn’t so much a technical threat, but a managerial one; a good deal of IT infrastructure and staffing at many companies suffer from a lack of budget and/or organizational vision and planning. Many IT departments don’t have the time or human resources to have effective, streamlined practices for upgrading computers, applying patches, and performing regular network security audits; at best, these beleaguered departments operate on a triage system, constantly fixing and addressing the highest priority problems while fervently hoping that they might get a slow day to work on the problems that fall somewhere under “mission-critical”.
The reasons for this are myriad, but one thing is clear: an under-budgeted, under-staffed IT department can’t properly plan or execute the steps needed to make a network as secure as it can be, and therefore this threat, though administrative, is no less a threat than the technical threats elsewhere on this list!
8. Autorun and USB “Switchblades”
USB switchblades are USB sticks that come preloaded with software designed to turn off antivirus, sniff passwords from Windows and other programs, install malware, and then turn the antivirus back on. Many of these switchblades depend on autorun to launch the moment the stick is inserted, silently running in the background to collect the passwords and write them to the USB key; many of them take no more than 30 seconds after insertion to pull all of the necessary hashes, letting the cracker crack them at their leisure.
The worst part of this threat is that it’s not entirely defensible even by giving users standard or restricted access. If the switchblade is incapable of shutting off the antivirus due to lack of access, it can still quite cheerfully dump stored passwords from Firefox or IE into the USB stick. Given many users’ tendency to use the same passwords for all of their logins, this sort of dump is just as devastating as if the hacker managed to gain access to the password hashes of an XP machine, or shut down the antivirus and put malware on the machine.
Many organizations still allow USB sticks and have autorun enabled, a potentially deadly combination; an enterprising cracker or malicious user can get one of these very easily, and they are indistinguishable from a normal-looking USB stick (he could even wipe a company-branded stick and put his cracking software on it!). Disabling autorun through Group Policy, and blocking removable storage where the business can live without it, closes off most of this threat.
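What a switchblade actually relies on is a tiny autorun.inf at the root of the stick, and its tells are easy to spot once you know them: a directive that launches a program, a borrowed system icon so the drive looks like a folder, and an action label that mimics Explorer’s own “Open folder to view files”. As an added example (not from the article), here is a triage routine for an autorun.inf pulled off a suspect stick. Both sample files are constructed; the executable-extension list is an assumption.

```python
import configparser
import ntpath

LAUNCH_KEYS = {"open", "shellexecute"}   # directives that run a program on insert/double-click
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta"}

# Constructed autorun.inf in the style of a switchblade payload: launch a batch
# file, borrow a shell32.dll icon so the drive looks like a folder, and label the
# Autoplay/context-menu entry to look like Explorer's own.
SAMPLE_AUTORUN = r"""[autorun]
open=system\go.bat
shellexecute=system\go.bat
shell\open\command=system\go.bat
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
label=Company Drive
"""

# Constructed benign autorun.inf: just a label and a custom drive icon.
BENIGN_AUTORUN = r"""[AutoRun]
label=Backup Drive
icon=drive.ico
"""


def parse_autorun(text):
    """Return the [autorun] directives as a lower-cased dict (empty if no section)."""
    # interpolation=None: values like %SystemRoot% must be kept literally.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    return dict(cp[section]) if section else {}


def triage_autorun(text):
    """Return (code, key, value) findings for directives that launch or disguise."""
    directives = parse_autorun(text)
    findings = []
    for key, value in directives.items():
        # open=, shellexecute= and shell\<verb>\command= all run something.
        launches = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        target = value.split()[0] if value.split() else ""
        code = "LAUNCHES_EXECUTABLE" if ntpath.splitext(target)[1].lower() in EXEC_EXT else "LAUNCHES"
        findings.append((code, key, value))
    icon = directives.get("icon", "")
    if "shell32.dll" in icon.lower():           # borrowed system icon = disguise
        findings.append(("DISGUISED_ICON", "icon", icon))
    action = directives.get("action", "")
    if "open folder" in action.lower():         # mimics Explorer's own Autoplay entry
        findings.append(("FAKE_ACTION", "action", action))
    return findings


if __name__ == "__main__":
    for code, key, value in triage_autorun(SAMPLE_AUTORUN):
        print(f"{code:20} {key}={value}")
```

Triage tells you what a stick would have done; the fix is to make sure it can’t. On Windows that means setting `NoDriveTypeAutoRun` to `0xFF` under `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer` (or the equivalent Group Policy setting, “Turn off Autoplay” for all drives), and, where the business can live without thumb drives, disabling the USB storage driver entirely.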
9. Third-Party Infection
As a network administrator, you can only control that which lies within your purview. The security of your network could be immaculate, your users highly educated, and your USB drives safely tucked away; all of this can be ruined by an infected third party VPN-ing into your system and cheerfully, unwittingly uploading a malicious payload he picked up on his own company’s network.
Unfortunately, the risk of third-party infection is always a significant one. Many businesses no longer perform everything in-house, and they contract out everything from graphic design to accounting. There is no way to ensure the safety of the outsourced team’s network, especially since they so often require access to your most sensitive systems and VLANs; one compromised machine is all it takes to bring your network to its knees or make off with some extremely vital info, and it’s practically impossible to be positive that every laptop, PDA, and file that reaches your network from theirs isn’t infected.
10. Mobile Devices
Mobile devices are a threat to modern networks simply because of their ubiquity and relatively small size; you can’t tell whether, at any given point, some smartphone on your wifi is cheerfully broadcasting data back to a malware site. Thankfully, there have been relatively few exploits in the wild for smartphones, but that won’t last long, and already there have been a few proofs of concept showing that it’s possible to break into and pull data from a smartphone using app-market exploits and other backdoor vulnerabilities.
The second threat from smartphones is even more insidious: plain old physical theft. Many smartphones have passwords saved in them and have little to no security; it is trivially easy to grab a smartphone off someone’s desk and use it to get into their email or other restricted systems. By the time the user realizes the phone has been stolen, it is most likely too late, and the sensitive information will have long been in the hands of a corporate spy or rogue co-worker.
All of these threats are very real and should be taken into account when administering or planning a network. The Internet is a dangerous place, the Wild West of our generation; make sure you’re aware of every threat out there. Awareness, as they say, is the first step towards prevention!