Sunday, February 17, 2013

Security - Most Dangerous Things to Have on Your Network

1. Anything with a DHCP service

Be it a wireless router, personal firewall, or a virtual machine instance on a bridged connection, adding anything that runs a DHCP server to a production network can cause problems for everyone on that VLAN. Remember that DHCP is a broadcast service: when a client asks for a lease, it takes the first offer it hears, whichever server sent it. What is going to answer faster, the device you just connected, or the overworked three-year-old server? And because the winning offer also supplies the client's default gateway and DNS servers, a rogue DHCP server does not just hand out the wrong addresses; it can quietly redirect traffic. If your switches support DHCP snooping, turn it on so that offers are only accepted from the ports your real servers sit behind.

2. An open share with all the application installers

It really sounds like a great idea: create a share, give everyone read access, and put installers for all the applications you use in that directory so folks can easily find and install what they need, when they need it. If you have a site license for everything in that folder, it is not a bad idea. If you bought ten licenses for Adobe Acrobat and 100 people find and install it, suddenly it is a compliance and licensing nightmare. Never leave software installers on the network where regular users can get to them unless you are prepared for a massive annual true-up bill. And if you do keep such a share, make sure it is writable only by the admins who populate it; a world-writable installer share is an invitation to swap a trusted installer for a trojaned one that every user will then happily run.

3. The second, third, fourth... and Nth remote control tool

There's nothing wrong with having a remote control application installed on your workstations and servers so you can assist users and manage systems. The problem comes when you have eight different admins and each has a personal favourite. Each remote control app you install on a workstation is another listening port, another memory hog, another app to patch, and another way for an attacker to break in. Do that on a server and the potential impact is even worse. Choose one, choose wisely, and ban all the rest.

4. Bulk email tools

What's the quickest way to get your entire IP range on a blacklist? Leave an open relay. What's the second quickest? Let someone in marketing install a bulk mailer application that starts spewing out hundreds if not thousands of emails per hour. Seriously, get in front of this by working with marketing to ensure they have a satisfactory external bulk mailer service, so you don't have to deal with being blacklisted.

5. Password crackers

While authorized personnel working in a security role might use a password cracking tool to audit the network or to recover data, a password cracking tool run improperly can lock out every user account on the network. The lockouts come from online guessing: a tool pointed at live accounts, rather than at captured password hashes, trips the account lockout threshold exactly as a real attacker would. These tools, in the right hands and run in closed environments, can be very useful, but so can a blowtorch. Both cause serious damage when used incorrectly.

6. Open guest networks

An open guest network may seem like a great "tool", both for your guests and for when you need to test something outside the confines of your corporate LAN, but it is easily misused. Even when it is separated from your internal network, it usually shares the same Internet connection as your corporate network, which means bad traffic coming from your guest network still comes from your corporate address space as far as the rest of the Internet is concerned, and an abuse report or blacklisting earned by a guest lands on you. Use a captive portal and run IDS on your guest network so you can control who uses it and make sure they don't misuse it, and if you can, give it its own egress address so its reputation is not your mail servers' reputation.

7. Anything that is out of support

It doesn't matter how great a job that app does, or how much the business complains that it can neither live without it nor replace it: anything that is no longer supported needs to get the heck off your network. Out of support means no more security patches, so every vulnerability found from now on stays open for as long as the thing keeps running. I have seen dozens of upgrades get 90% of the way through, only to encounter that one legacy app no one even remembers setting up, that some group has built their entire mission critical workflow around, and that cannot be upgraded to work with your new system. Make it the 11th commandment: Thou Shalt Not Run Any Unsupported App.

8. Anything that can send an unlimited number of alerts

This one kills me every time I run into it, and I run into it at practically every customer I work with. A monitoring system is set up to send email alerts when something bad happens, like a server going down or a service stopping, and it is misconfigured such that it sends thousands of email alerts as quickly as it can spawn them. That in turn overwhelms your email system, which slows everything else down, and you spend more time deleting the alerts than you did fixing the problem that caused them. Alerts are good when they have reasonable limits: deduplicate repeats of the same alert, cap how many can go out in a given window, and send a summary of what was suppressed instead of a flood.

9. BitTorrent applications

BitTorrent is an extremely useful protocol that can be used for downloading a variety of binaries, most of them legitimate. A misconfigured BitTorrent client uses a tremendous amount of bandwidth, though, and it keeps seeding long after the download is done, so if you are going to use this tool, be very careful how you configure it (upload caps, seeding limits, listening ports), and ensure that only authorized users run it.

10. Security auditing software

Okay, before everyone hits the panic button on this, hear me out. Security auditing tools, when installed on a security professional's workstation and run with the knowledge of what they are for and the authority to use them, are just fine. When they are run by a Curious George against the entire network during the production day, they can wreak havoc, locking out accounts, crashing services, and generally giving everyone a bad day.
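To make item 1 concrete, here is an added example (not code from the original post) of the detection side: a small Python DHCP parser that reads DHCP OFFER payloads and flags any offer whose server identifier (option 54) is not on an allow list of known DHCP servers. The two offers it inspects are constructed in memory with the helper at the bottom, and the server addresses 10.0.0.2 and 192.168.1.1 are hypothetical; on a real network the payloads would be UDP port 68 traffic captured off the wire or read from a pcap.

```python
"""Spot DHCP OFFERs from servers that are not on the allow list.

Added example, not part of the original post. The packets below are
constructed in-memory test data; the authorized server address is a
hypothetical value, not taken from any real network.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie after the BOOTP header
BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # 236-byte fixed header
OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_LEASE_TIME, OPT_END, OPT_PAD = 53, 54, 51, 255, 0
DHCP_OFFER = 2


def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a DHCP message into header fields plus a {code: bytes} option map."""
    if len(payload) < BOOTP_HEADER.size + len(MAGIC_COOKIE):
        raise ValueError("payload too short for a BOOTP header")
    (op, _htype, hlen, _hops, xid, _secs, _flags,
     _ciaddr, yiaddr, _siaddr, _giaddr, chaddr, _sname, _file) = BOOTP_HEADER.unpack_from(payload)
    off = BOOTP_HEADER.size
    if payload[off:off + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    off += 4
    options = {}
    while off < len(payload):
        code = payload[off]
        off += 1
        if code == OPT_PAD:
            continue
        if code == OPT_END:
            break
        if off >= len(payload):
            raise ValueError("truncated option header")
        length = payload[off]
        off += 1
        value = payload[off:off + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        off += length
        options[code] = value
    return {
        "op": op,
        "xid": xid,
        "yiaddr": str(IPv4Address(yiaddr)),       # the address being offered
        "chaddr": chaddr[:hlen].hex(":"),         # client MAC that asked for it
        "options": options,
    }


def find_rogue_offers(payloads, authorized_servers):
    """Return (server, offered_ip, client_mac) for every OFFER whose server identifier is not authorized."""
    authorized = {IPv4Address(ip) for ip in authorized_servers}
    rogue = []
    for payload in payloads:
        try:
            msg = parse_dhcp(payload)
        except ValueError:
            continue                                 # not DHCP, or malformed: ignore here
        opts = msg["options"]
        if opts.get(OPT_MESSAGE_TYPE) != bytes([DHCP_OFFER]):
            continue
        server_id = opts.get(OPT_SERVER_ID)
        if server_id is None or len(server_id) != 4:
            rogue.append(("unknown", msg["yiaddr"], msg["chaddr"]))   # an OFFER must carry option 54
            continue
        server = IPv4Address(server_id)
        if server not in authorized:
            rogue.append((str(server), msg["yiaddr"], msg["chaddr"]))
    return rogue


def build_offer(server_ip, offered_ip, client_mac, xid=0x3903F326):
    """Construct a minimal DHCPOFFER payload. Test data only; a real capture would come off the wire."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    header = BOOTP_HEADER.pack(
        2, 1, 6, 0, xid, 0, 0,                       # op=BOOTREPLY, htype=Ethernet, hlen=6
        b"\x00" * 4, IPv4Address(offered_ip).packed, b"\x00" * 4, b"\x00" * 4,
        chaddr, b"\x00" * 64, b"\x00" * 128)
    options = (bytes([OPT_MESSAGE_TYPE, 1, DHCP_OFFER])
               + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
               + bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", 86400)
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


# Constructed sample: the real server (hypothetical 10.0.0.2) and a freshly plugged-in
# home router (hypothetical 192.168.1.1) both answer the same DISCOVER from one client.
AUTHORIZED_SERVERS = ["10.0.0.2"]
SAMPLE_OFFERS = [
    build_offer("10.0.0.2", "10.0.0.50", "aa:bb:cc:dd:ee:01"),
    build_offer("192.168.1.1", "192.168.1.100", "aa:bb:cc:dd:ee:01"),
]


def check_sample():
    return find_rogue_offers(SAMPLE_OFFERS, AUTHORIZED_SERVERS)


if __name__ == "__main__":
    for server, offered, mac in check_sample():
        print(f"rogue DHCP server {server} offered {offered} to {mac}")
```

The parser keys on option 54 rather than on the source IP of the packet, because that is the value the client will use when it sends its REQUEST, and because a relayed offer arrives from the relay agent's address anyway. This is the detection control; the preventive control is DHCP snooping on the access switches, which drops offers arriving on any port not marked as trusted.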

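Item 8 says alerts need reasonable limits; here is an added example (not from the original post or any monitoring product) of what those limits look like in Python: a throttle that suppresses repeats of the same alert for a dedup interval, caps the total number of alerts per window regardless of kind, and counts what it swallowed so the next message can say so. The alert keys, timings and limits below are constructed test data, and the clock is injectable so the storm replays instantly instead of taking fifty seconds.

```python
"""Put a ceiling on how many alert emails a monitor can send.

Added example, not part of the original post or of any monitoring product.
The alert keys and timings below are constructed test data.
"""
import time
from collections import defaultdict, deque


class AlertThrottle:
    """Gate alert delivery with two independent limits.

    Per key:  after one copy of an alert (same host + check) is sent, further copies
              are suppressed for dedup_seconds and only counted.
    Global:   no more than max_per_window alerts of any kind per window_seconds,
              so a cascade of distinct failures cannot flood the mail system either.
    """

    def __init__(self, dedup_seconds=300, max_per_window=20, window_seconds=60,
                 clock=time.monotonic):
        self.dedup_seconds = dedup_seconds
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.clock = clock                    # injectable so behaviour can be tested without sleeping
        self._last_sent = {}                  # key -> time the last copy went out
        self._suppressed = defaultdict(int)   # key -> copies swallowed since that send
        self._sent_times = deque()            # send timestamps inside the current window

    def should_send(self, key):
        """Return True if this alert should go out now; False if it is a duplicate or the window is full."""
        now = self.clock()
        last = self._last_sent.get(key)
        if last is not None and now - last < self.dedup_seconds:
            self._suppressed[key] += 1
            return False
        while self._sent_times and now - self._sent_times[0] >= self.window_seconds:
            self._sent_times.popleft()        # drop sends that have aged out of the window
        if len(self._sent_times) >= self.max_per_window:
            self._suppressed[key] += 1
            return False
        self._sent_times.append(now)
        self._last_sent[key] = now
        return True

    def suppressed(self, key):
        """How many copies of `key` were swallowed; worth including in the next alert or a digest."""
        return self._suppressed.get(key, 0)


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the storms below replay in microseconds."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def replay_storm(keys, interval, **limits):
    """Feed a sequence of alert keys through the throttle `interval` seconds apart.

    Returns (number actually sent, throttle) so the suppressed counts can be inspected.
    """
    clock = FakeClock()
    throttle = AlertThrottle(clock=clock, **limits)
    sent = 0
    for key in keys:
        if throttle.should_send(key):
            sent += 1
        clock.advance(interval)
    return sent, throttle


def demo():
    """Two constructed storms: one flapping check, then 100 hosts failing at once."""
    # 5,000 copies of the same "service down" alert, 10 ms apart (50 s total).
    sent_same, throttle = replay_storm(["db01:service_down"] * 5000, interval=0.01)
    # 100 different hosts each raising one alert over 10 s; the global cap applies.
    sent_many, _ = replay_storm([f"host{i:03d}:down" for i in range(100)], interval=0.1)
    return {
        "single_check_sent": sent_same,                                       # 1
        "single_check_suppressed": throttle.suppressed("db01:service_down"),  # 4999
        "hundred_hosts_sent": sent_many,                                      # 20
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two limits cover the two ways the flood happens: one check flapping (caught by the per-key dedup) and one outage taking down many checks at once (caught by the global window). What the throttle does not do is hide the problem; the suppressed count is kept so a digest can report "plus 4,999 duplicates" rather than silently dropping them.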