The real danger, according to dozens of experts, is easy-to-install software and software vendors who focus too heavily on adding convenient features to their applications instead of solid security solutions.
The default software installations performed by most operating systems and applications top the SANS (System Administration, Networking, and Security) Institute and the FBI-led National Infrastructure Protection Center’s new Top 20 security threats list.
The Top 20 list does not focus on the specific viruses or worms that may be active at any given time, but instead concentrates on the root problems: the system and software holes that all viral and hack attacks exploit.
Most of the significant holes detailed on the list were created by those default software installations, according to the list’s documentation.
Default installations allow a software vendor’s pick of an application’s most useful components or services to be installed on a computer. It’s a no-brain, hassle-free way to install software, but many security experts contend that default installations too often enable features that users do not need or use but may not know are active on their computers.
“Software vendors’ philosophy is that it is better to enable functions that are not needed than to make the user install additional functions when they are needed,” according to documentation of the top threats provided by SANS. “This approach, although convenient for the user, creates many of the most dangerous security vulnerabilities because users do not actively maintain and patch software components they don’t use. Those unpatched services provide clear and easy paths for attackers to take over computers.”
“Software vendors simply have got to start opting for security over convenience,” said Jack Dahany, vice-president of the Server Security Division at Watchguard Technologies. “If users don’t know what applications or services are running on their machines, then how will they know to apply patches to fix critical issues?”
SANS is a cooperative research and education organization through which more than 96,000 system administrators, security professionals and network administrators share information about security.
System administrators have reported to SANS and other security organizations that holes often go unpatched because the constant barrage of patches and security alerts is overwhelming. So the Top 20 list prioritizes the threats and also offers comprehensive advice from dozens of leading security experts on detecting and fixing these dangerous vulnerabilities.
The Top 20 Threat list is directed at network administrators rather than individual computer users, although the list can certainly be useful for any technically knowledgeable person.
For those who want less complex security advice, the National Infrastructure Protection Center (NIPC) has posted a companion list of seven simple security tips. This details basic solutions for many of the issues in the Top 20 list, but ignores the Top 20 list’s primary issue of the problems inherent in default software installation.
Security consultant Nicholas Versan suggests that all users should always opt for the “custom” installation option when installing any software, and then choose carefully from the list of software and services to be installed.
“Default installations aren’t a huge issue for Mac users, or even Windows 95, 98, and Windows ME users,” Versan said. “But those who are running Windows 2000 or XP Professional should certainly educate themselves about what applications are being installed and activated on their machines. I assume Linux users are already pretty competent, but obviously default installations on Linux servers are an issue, too.”
Versan suggested that those who have purchased computers with pre-installed Windows 2000 or NT operating systems and applications should scan their machines with Microsoft’s free, web-based MPSA security tool and apply the suggested fixes and patches.
Ineffectual, easy-to-guess or default passwords are listed as the second biggest general security threat.
The third biggest threat for all systems was a bit of a surprise to some — not backing up data or backing it up improperly.
“Certainly backups are critical, but I don’t know if I’d say they are a security threat,” systems administrator Frank Kelley said. “I suppose the argument can be made that it’s a true threat, because without backups your systems and data are certainly crippled. But to me, backups are more of a good practice procedure than a threat.”
Although patches are available for all of the threats on the list, SANS did not chide systems administrators for not applying them. Many systems administrators say that recent budget and staffing cutbacks make it impossible for them to keep up with proper security procedures, so patches aren’t being applied to software as conscientiously as they should be.
Security becomes a priority for some companies only when it adversely affects business as usual, security experts agree.
“When the total expense for security goes up, the interest from managers goes down,” Dahany said.