
Misconfigured Networks Main Cause of Breaches

Posted by CmdrTaco
from the probably-including-you dept.
An anonymous reader writes "Responses to a survey from attendees of the DEFCON 18 conference revealed that 73% came across a misconfigured network more than three quarters of the time – which, according to 76% of the sample, was the easiest IT resource to exploit. Results revealed that 18% of professionals believe misconfigured networks are the result of insufficient time or money for audits. 14% felt that compliance audits that don't always capture security best practices are a factor and 11% felt that threat vectors that change faster than they can be addressed play a key role."
  • by Just_Say_Duhhh (1318603) on Tuesday August 31, 2010 @04:58PM (#33430494)

    73% came across a misconfigured network more than three quarters of the time – which, according to 76% of the sample, was the easiest IT resource to exploit.

    So are we to believe that 73% is more than three quarters, or is this a case where 90% of IT is half-mental?

    • Re: (Score:3, Informative)

      by Sir_Lewk (967686)

      Presumably the other 3% thought it was the easiest IT resource to exploit, but did not actually come across them more than three quarters of the time.

      This summary is an absolute nightmare.

      • Re: (Score:1, Funny)

        by Anonymous Coward

        I'm assuming it's part of the Da Vinci Code until proven otherwise.

        • Re: (Score:3, Funny)

          by jd (1658)

          Nonono. We had the Russian Station transmit secret numbers recently, this is clearly a response from agents in the field.

      • Re: (Score:3, Insightful)

        This summary is an absolute nightmare.

        I just assumed it was written by the marketing team for Sex Panther.

    • by rotide (1015173)

      "a survey from attendees of the DEFCON 18 conference revealed that 73% came across a misconfigured network more than three quarters of the time – which, according to 76% of the sample, was the easiest IT resource to exploit."

      Seriously, that throws my head into a god damn wall.

      This is how I slowly try and rephrase the sentence. Anyone else reading it this way? "73% of respondents to the survey found the network misconfigured more than 75% of the time and 76% of those 73% of respondents said that was t

      • by Vanders (110092)
        They've done studies. 60% of the time, it works every time...
      • After a dozen re-reads of TFA, my head came away from the wall, and I can now understand your rewrite.

        My manager, however, will have to wait for the powerpoint presentation with pie charts and bar graphs. As we all know, 73% of managers can't understand more than three quarters of the information you present to them.

        • by jd (1658)

          Understanding the rewrite doesn't help if the margin of error means that 73% == 76% three-quarters of the time.

      • by causality (777677)

        "a survey from attendees of the DEFCON 18 conference revealed that 73% came across a misconfigured network more than three quarters of the time – which, according to 76% of the sample, was the easiest IT resource to exploit."

        Seriously, that throws my head into a god damn wall.

        This is how I slowly try and rephrase the sentence. Anyone else reading it this way? "73% of respondents to the survey found the network misconfigured more than 75% of the time and 76% of those 73% of respondents said that was the easiest IT resource to exploit."

        Terrible writing when you have to try and decode a simple sentence. Feels like I'm trying to figure out some legal doc.

        Yeah, sounds like just the sort of thing that professional editors are supposed to clean up. Oh wait, this is Slashdot.

        Another gem from the summary caught my eye:

        11% felt that threat vectors that change faster than they can be addressed play a key role.

        That item is not a (mis)configuration issue. Besides, the best way to maintain the advantage in this arms race is to make sure that your systems do exactly what they are intended to do and nothing else. Default-deny is a good policy and not just for fi

        • Re: (Score:1, Offtopic)

          by turbidostato (878842)

          "Actually they're the result of incompetence and/or apathy."

          I know my trade and I know that it will cost more time/money than thrown at it. The fact that it breaks is therefore neither lack of knowledge nor apathy, at least, not at the technical level.

          "The purpose of an audit is to reveal that incompetence and/or apathy has taken place so that it may be corrected in the future."

          Ha! So many times that's the *declared* purpose. The real purpose is to cover managerial asses. Since that can be done with les

    • If two trains left the station at the same time traveling in opposite directions, and 73% of them were more than three quarters 76% of the time ...
    • by hedwards (940851)
      There's nothing wrong with that. It means that 90% of the IT tasks are half mental, whereas the other 10% of the tasks could be completely mindless or 90% mental. Or it could be on the basis of time spent on IT tasks. But it really doesn't represent any sort of problem of logic or numbers. IT and mental processing aren't so tightly bound as to make that line of reasoning sound.
      • by causality (777677)

        There's nothing wrong with that. It means that 90% of the IT tasks are half mental, whereas the other 10% of the tasks could be completely mindless or 90% mental.

        Does not compute.

    • Re: (Score:1, Troll)

      by Locutus (9039)
      yes, because putting Microsoft Windows on a network is a network configuration error.

      LoB
    • by blueg3 (192743) on Tuesday August 31, 2010 @10:32PM (#33432348)

      Imagine everyone was asked how often they came across a misconfigured network. One guy answered "about 80% of the time". Another guy answered "20% of the time." 73% of the respondents, when asked, gave an answer that was higher than "75% of the time".

      Separately, respondents were asked what IT resource was easiest to exploit, and 76% of them said "network".

      • A recent study found that 74.23% of all statistics quoted in /. articles were invented on the spot in an effort to trick folks who only read the article summary into modding them up.

  • Is this really news? I thought everyone knew this already.
  • Results revealed that 18% of professionals believe misconfigured networks are the result of insufficient time or money for audits. 14% felt that compliance audits that don't always capture security best practices are a factor and 11% felt that threat vectors that change faster than they can be addressed play a key role."

    Ok, so what did the other 57% think that misconfigured networks are the result of?

    • by Kepesk (1093871)

      Ok, so what did the other 57% think that misconfigured networks are the result of?

      Obviously, too much time spent playing Facebook games.

    • by mysidia (191772)

      Ok, so what did the other 57% think that misconfigured networks are the result of?

      Incorrect / erroneous / misapplied example configurations ranking high in Google search results?

  • "This realization is made worse when you consider that 57% of the security professionals we surveyed classified themselves as a black or grey hat hacker, and 68% of respondents admitted hacking just for fun," said Reuven Harrison, CTO at Tufin.

    Wow. 57% of the security professionals at DEFCON consider themselves a .. hacker!

    Wow.

    • by al0ha (1262684)
      Yeah, you can rely on a statistic based on being a self-proclaimed hacker, perhaps much akin to statistics on self-proclaimed geniuses..

      Based on the responses what we really know is that out of the 43% who did not admit to being a Black Hat, some percentage actually does engage in such activities.
  • by Culture20 (968837) on Tuesday August 31, 2010 @05:06PM (#33430578)
    So, that means vulnerable ports were open to "the world" on the systems, and the "network" was supposed to be doing the firewalling? Network firewalls and system firewalls should use identical policies.
    • by causality (777677) on Tuesday August 31, 2010 @05:57PM (#33430994)

      So, that means vulnerable ports were open to "the world" on the systems, and the "network" was supposed to be doing the firewalling? Network firewalls and system firewalls should use identical policies.

      That's a bit general. Say you want to run a Samba fileserver to share files among Windows clients. You'd want the fileserver on your internal network to accept connections from the relevant ports. You would not want the firewall standing between your network and the Internet to also have that port open to the world.

      While it's true that a conscientious admin would tighten up the Samba server's firewall by specifying both ports and IP addresses/ranges (or other credentials) that are acceptable, you still wouldn't have identical policies between the internal systems and the firewall controlling what can connect from outside.

      • by Culture20 (968837)

        That's a bit general. Say you want to run a Samba fileserver to share files among Windows clients. You'd want the fileserver on your internal network to accept connections from the relevant ports. You would not want the firewall standing between your network and the Internet to also have that port open to the world. While it's true that a conscientious admin would tighten up the Samba server's firewall by specifying both ports and IP addresses/ranges (or other credentials) that are acceptable, you still wouldn't have identical policies between the internal systems and the firewall controlling what can connect from outside.

        Good point. I should think more often before I type.
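
Added example, not part of any comment in this thread: a small Python model of the point made in the exchange above, that the Samba host's firewall and the Internet-facing firewall need different policies, each default-deny. The rule sets, the `192.168.10.0/24` LAN and the function names are constructed assumptions for illustration.

```python
import ipaddress

# Constructed rule sets (assumptions for illustration, not from the thread).
# Each rule is (source CIDR, destination port, action); first match wins.
LAN = "192.168.10.0/24"
PERIMETER = [("0.0.0.0/0", 443, "allow")]            # Internet-facing: HTTPS only
SAMBA_HOST = [(LAN, 445, "allow"), (LAN, 139, "allow")]  # SMB from the LAN only


def decide(rules, src, port):
    """Return the action of the first matching rule; unmatched traffic is denied."""
    addr = ipaddress.ip_address(src)
    for cidr, rule_port, action in rules:
        if rule_port == port and addr in ipaddress.ip_network(cidr):
            return action
    return "deny"  # default-deny


def reachable(src, port, perimeter=PERIMETER, host=SAMBA_HOST):
    """LAN sources meet only the host firewall; outside sources must pass both."""
    outside = ipaddress.ip_address(src) not in ipaddress.ip_network(LAN)
    if outside and decide(perimeter, src, port) != "allow":
        return False
    return decide(host, src, port) == "allow"


def world_open(rules, ports=(139, 445)):
    """Audit helper: list allow rules that expose the given ports to any source."""
    return [(cidr, port) for cidr, port, action in rules
            if action == "allow" and port in ports
            and ipaddress.ip_network(cidr).prefixlen == 0]
```

Passing a perimeter list that wrongly allows port 445 from `0.0.0.0/0` shows the host firewall still refusing outside sources, while `world_open` flags the bad perimeter rule for an audit.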

  • by GPLDAN (732269) on Tuesday August 31, 2010 @05:14PM (#33430644)
    Probably 95 percent of THOSE networks were defeated using Doug Song's tools.


    http://monkey.org/~dugsong/dsniff/
  • I'm right 100% of the time...
  • most of the break-ins.

  • by LibertineR (591918) on Tuesday August 31, 2010 @05:25PM (#33430730)
    "It ain't a firewall, unless it stops shit going in BOTH DIRECTIONS."
  • Buy an ASA from Cisco. It comes preconfigured to drop all traffic. Configure the local subnet and leave everything else alone. Use hosted solutions for email, file sharing, applications. Pay the money to make sure you get solution providers who know their shit. Force SSL over all of those connections. And Done.
    • Re: (Score:3, Interesting)

      by LibertineR (591918)
      ....and what is your solution when I come in and tell your fat receptionist that she looks nice in that moo-mu, and that I am there to fix the phones, but maybe we can go for a drink when I am done, and can I have access to the IT closet at 5:02pm?
      • by Bryansix (761547)
        9-1-1 and duck!
      • by Bryansix (761547)
        On a more serious note, more and more phone systems are actually administered by the IT consultants or the IT Staff. So there is only one point of contact for everything.
        • Yeah, but the Chub-ette at the front desk doesn't know that..., nor does her temp fill-in when she goes for that gastric bypass.... Point being, if they want in, they will get in. You have to stop them even if they are inside.
          • by Bryansix (761547)
            When I was system admin, only the IT department had the keys to the server room. The CEO had a copy but he wasn't a moron so it was ok.
      • by c6gunner (950153) on Tuesday August 31, 2010 @07:17PM (#33431474)

        Hire lesbians.

      • by TubeSteak (669689)

        ....and what is your solution when I come in and tell your fat receptionist that she looks nice in that moo-mu, and that I am there to fix the phones, but maybe we can go for a drink when I am done, and can I have access to the IT closet at 5:02pm?

        Network audits.
        It's right there in the summary.

        Detection and mitigation of penetration is equally as important as trying to prevent the intrusion in the first place.

    • The correct answer is to put the ASA in front of an ISA or TMG server, and use it only for packet inspection and port blocking. Forward only the necessary ports for your business, and whatever is allowed is explicitly enabled AND authenticated by domain\user.

      That way, nothing gets in OR out that is not expressly permitted, or tied to a specific user account. An internal affected machine can't send anything out the gateway if it's not via 8080 with the firewall client, and with a rule naming its executable.

    • by Necrotica (241109)
      You don't work in a large enterprise, do you?
  • "Waaaaaa! The network's down!"

    "Waaaaaa! The network's slow!"

    As a real network admin, I hear this at minimum, once a week, sometimes more often.

    95% of the time, it's not the network. It's almost always the endpoints.

    How is the network to blame here? Someone screw up spanning tree, OSPF not using md5 authentication? DHCP mis-configuration? DNS? Wrong gateway used? What? The article gives nothing, just like most of the sysadmins and managers that come to my desk crying about how slow scp/nfs/smb copie

    • 95% of the time, it's not the network. It's almost always the endpoints.

      I'm guessing a new way of saying PIBCAK?

      Stop crying about the network.

      And start looking at where the real problem might be. The guy with an MBA from an online university and an entry-level Microsoft certification being responsible for the hiring just might have something to do with how IT is a great steaming shithole.

  • How much of that is due to old software / hardware? That needs not so much a misconfigured setup, more like one with some open areas that are needed to make the old software / hardware work.

  • There's a lot of comments saying "use a decent firewall and you're sorted".

    On any non-trivial network, if the only security in place is a firewall on the boundary then you're probably one of the 3/4 of easily exploitable networks mentioned in the article.

    Viruses, social engineering, playing with applications that are allowed through (e.g. HTTPS web apps), dial-ins, wireless, abusive staff, there is a never ending list of attack vectors if you only pay attention to the perimeter. Like the article says: 43% o

  • Shitty study (Score:5, Informative)

    by evel aka matt (123728) on Wednesday September 01, 2010 @09:04AM (#33435068)

    I was at Defcon this year (like always), and the people conducting this study were essentially paid per response, which I'm sure is quite common. We were standing on the Riv steps, during one of our many cigarette breaks, and some girl came up and asked us to do her survey.

    Us: "This question doesn't really make sense."
    Her: "Just check any box, I need to get them all filled."

    And that's basically how it went. The question/answers seemed a little silly, and there were a lot of excluded middles. The surveyors knew nothing of the questions, and were just trying to get out of there (can't blame 'em). The answer space was a checkbox, and if you saw it, you'd see how easy it'd be to just fill out the rest of the boxes with similar answers if you wanted to go home.
