(Based on an article originally written April 2004)
We attended the annual bunfest, InfoSec at Olympia, this week. It's always fun to catch up with old friends and colleagues.
On discussing the various penetration tests we'd conducted over the past year, it's disheartening to find the same things cropping up again and again. These are not weaknesses exposed by new vulnerabilities; rather, they come down to bad implementation and poor procedures. So here is our top ten list of Don'ts, in no particular order, based on our experience:
Default install of the operating system
Install of unnecessary (and insecure) applications
Ports open on the firewall for testing and not subsequently closed
Remote management access ports on firewalls open with no restrictions
Multihomed systems with public and private interfaces
Simple, easy to guess passwords
Unpatched systems
Lax access control lists on systems
Posting of internal configuration information to newsgroups/websites
Lack of information security awareness
So do any of these exist in your organisation? Chances are more than one does. Better go check now.