What is the largest gap in security?

5502george

So me and some security co-workers were debating this topic.
What is the largest lack in security for businesses?

-I think it is user/admin education and responsibility

The other ideas are

-software security; I agree but with an appropriate baseline and testing this can be avoided.

-hardware security; Again, with a tested and proved baseline there should be no issues

-network security; This is debatable

What is your take and personal experience?

TechGuy215

In my own experience, Encryption. Within the different companies I've worked for I've seen poor encryption standards, to some companies that have no enryption standards.

SteveLord

Obvious and most dangerous are users of course. But I would also agree with encryption. I suspect most laptops that contain sensitive information out there are not encrypted.

networker050184

I definitely agree with users/admins. You can have the most secure set up in the world but if it is not properly used and administered it's not going to matter.

DevilWAH

The largest gap is the one some one finds and can exploit.

5502george

TechGuy215 wrote: »

In my own experience, Encryption. Within the different companies I've worked for I've seen poor encryption standards, to some companies that have no enryption standards.

LOL, my wife told me the other day that her company "x" which deals with nothing but HIPPA and PII just realized that there were regulations governing this type of data. They paid company "x" to implement email encryption to comply with regulation for a good penny!




.....The funny thing is when they encrypted the emails the intended recipient could not open them ha ha ha

jvrlopez

Uninformed/inexperienced users.

Always come across users downloading questionable software to try and do something outside their rights and access. That or they are just trying to do something in which they don't know the legitimate or safe way to do so. Most of the programs come from questionable sources and are packaged with other by products.

You can imagine the sites and activity these users have at home, and when they bring in USB drives and plug them into work assets, it creates a nightmare.

TechGuy215

jvrlopez wrote: »

You can imagine the sites and activity these users have at home, and when they bring in USB drives and plug them into work assets, it creates a nightmare.

Eeek...You should have atleast a GPO that disables write read/write for USB devices!

Then, you can have a separate group, to apply an override to users that MUST have this access.

redz

Lack of flaw remediation/patching procedures.

I've seen tons of organizations that either:
1. Patch without concern for what it's going to do to their systems.
2. Don't patch for fear of what it will do to their systems.

You don't even have to be at the "script kiddie" level to figure out how to download and use a custom metasploit module to exploit a known vulnerability. It takes a Google search and a couple free downloads. Oh, and if this is your first time ever using a computer, maybe ~15-20 minutes of familiarization with that weird QWERTY keyboard layout before you'd feel comfortable costing a company millions of dollars due to their own idiocy.

ptilsen

It depends on the environment and what the organization's security needs are. I would argue for many, maybe most organizations, it's actually patching. Known exploits remain unpatched for far too long, sometimes indefinitely. Both client applications (especially browsers and browser plugins) and server applications sit unpatched and unprotected and make for an easy attack vector. I think this is the biggest gap because it's generally difficult to mitigate known exploits on services that are being used, and when things aren't being patched, what mitigation can be done probably isn't being considered.

I don't think users are the biggest problem. Yes, training is critical, but it doesn't matter if the majority of what they use is inherently insecure regardless of how they use it, and in my experience (which has possibly just been bad, for lack of a better term) that's probably the case more often than not.

Edit: Redz beat me to it. When anyone even approaching moderate skill can break in using GUI tools, pretty much every other measure being taken is for nought.

bermovick

5502george wrote: »

LOL, my wife told me the other day that her company "x" which deals with nothing but HIPPA and PII just realized that there were regulations governing this type of data. They paid company "x" to implement email encryption to comply with regulation for a good penny!

.....The funny thing is when they encrypted the emails the intended recipient could not open them ha ha ha

That's seriously scary that her company didn't know about it, considering HIPPA's been a federal regulation for what? 6 years? I remember working at BCBS:IL at the time and there was a good year's worth of preparation before it went into effect.

4_lom

+1 for Users/admin education

philz1982

Building Automation and SCADA systems. If you go to the right sites you can gain access to the environmental controls for Airports, hospitals, research labs and the like...

cisco_trooper

jvrlopez wrote: »

Uninformed/inexperienced users.

Always come across users downloading questionable software to try and do something outside their rights and access. That or they are just trying to do something in which they don't know the legitimate or safe way to do so. Most of the programs come from questionable sources and are packaged with other by products.

You can imagine the sites and activity these users have at home, and when they bring in USB drives and plug them into work assets, it creates a nightmare.

This is poor admins.

cisco_trooper

ptilsen wrote: »

It depends on the environment and what the organization's security needs are. I would argue for many, maybe most organizations, it's actually patching. Known exploits remain unpatched for far too long, sometimes indefinitely. Both client applications (especially browsers and browser plugins) and server applications sit unpatched and unprotected and make for an easy attack vector. I think this is the biggest gap because it's generally difficult to mitigate known exploits on services that are being used, and when things aren't being patched, what mitigation can be done probably isn't being considered.

I don't think users are the biggest problem. Yes, training is critical, but it doesn't matter if the majority of what they use is inherently insecure regardless of how they use it, and in my experience (which has possibly just been bad, for lack of a better term) that's probably the case more often than not.

Edit: Redz beat me to it. When anyone even approaching moderate skill can break in using GUI tools, pretty much every other measure being taken is for nought.

I had a customer get owned by the MS08-067 vuln. FIVE YEARS after the patch.

YFZblu

If we're talking about companys in general, like, all of them, IMO the biggest problem is a lack of investment in security as a whole. I can't tell you how many times I've notified domain owners that their web servers were compromised and serving malicious code to their customers - 80% of the time that organization even HAVING a website was a victory. Forget about them actually having the skills/resources to remediate an intrusion.

If we're talking about the medium - large size enterprise, I think the biggest concers are network visibility, patch-management, and buy-in/belief from high-level executives in the organization. I used to blame the end-user most, until I saw the ridiculous amount of commodity malware in existence. To give some context, just this year I've seen the following high traffic compromised websites getting Users exploited:

-YouTube.com - Their ad rotator was serving malicious code to Users which dropped the Sweet Orange exploit kit.
-SpeedTest.net
-Glassdoor.com
-WaffleHouse.com
-NBCsports.com
-Bible.org

...along with countless popular local companies which generated a bunch of web hits from the area I live in. I won't include them here simply because they wouldn't ring any bells.

Aside from the time-wasting factor of the sites above, I don't think many of us would disapprove of our Users hitting these sites from a security perspective - yet I saw all of these sites involved in silently dropping rootkits on Users in the last org I worked for.

In the end we can train our Users not to click links in phishing emails, not to open attachments, not use removable media, etc etc; but if your organization allows web browsing to the internet, the commodity malware will find a way in. Multiply that by 1000 if your org isn't patching Java, Adobe Reader, or Flash on its endpoints.

Not to say Users shouldn't be educated, or that they aren't part of the problem, because they certainly are. I just don't think Users are the ONLY problem and in many cases they are sitting ducks due to crappy security policy.


TL;DR

1. C-level buy-in / Investment in GOOD security people/products/processes
2. Patching/Admins
3. Users - I put the Users last because without the two above, they have no hope of remaining secure.

jvrlopez

cisco_trooper wrote: »

This is poor admins.

I agree. I don't know how after 5 years of this being a known issue that the ports are still live. I guess its because the company ban is on personally owned USB devices. Funny because removable, company owned media doesn't even come across too often.

If it was up to me, they'd be disabled entirely unless needed. Maybe even filled with epoxy.

At least the system is flagged if there is an insert and use. The user's access is then removed until remedial training is re-accomplished. Too bad by then its probably too late.

Shadow Realm

In my opinion it would have to be the WAS (Web application Software) and things like Apache and IIS. If you check out Shodanhq.com you would be amazed at how many servers still run IIS 5.0/6.0 all with known vulnerabilities