Slashdot Mirror

← Back to Stories (view on slashdot.org)

Misconfigured Networks Main Cause of Breaches

Posted by CmdrTaco on from the probably-including-you dept.

An anonymous reader writes "Responses to a survey from attendees of the DEFCON 18 conference revealed that 73% came across a misconfigured network more than three quarters of the time – which, according to 76% of the sample, was the easiest IT resource to exploit. Results revealed that 18% of professionals believe misconfigured networks are the result of insufficient time or money for audits. 14% felt that compliance audits that don't always capture security best practices are a factor and 11% felt that threat vectors that change faster than they can be addressed play a key role."

78 comments

  1. statistics by Anonymous Coward · · Score: 0

    Almost 3/4 of 3/4 of the numbers in this summary are about 3/4.

    1. Re:statistics by Anonymous Coward · · Score: 0

      That's nothing when you consider that they only polled 28% of the attendies, and of those, only 63% actually had paying jobs. Naturally the other 37% felt inferior so some of them took the poll twice and therefore make up 52% of the results.

  2. Check those facts & figures by Just_Say_Duhhh · · Score: 2, Funny

    73% came across a misconfigured network more than three quarters of the time – which, according to 76% of the sample, was the easiest IT resource to exploit.

    So are we to believe that 73% is more than three quarters, or is this a case where 90% of IT is half-mental?

    --
    I need trepanation like I need a hole in the head.
    1. Re:Check those facts & figures by Sir_Lewk · · Score: 2, Informative

      Presumably the other 3% thought it was the easiest IT resource to exploit, but did not actually come across them more than three quarters of the time.

      This summary is an absolute nightmare.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    2. Re:Check those facts & figures by rotide · · Score: 1

      "a survey from attendees of the DEFCON 18 conference revealed that 73% came across a misconfigured network more than three quarters of the time – which, according to 76% of the sample, was the easiest IT resource to exploit."

      Seriously, that throws my head into a god damn wall.

      This is how I slowly try and rephrase the sentence. Anyone else reading it this way? "73% of respondents to the survey found the network misconfigured more than 75% of the time and 76% of those 73% of respondents said that was the easiest IT resource to exploit."

      Terrible writing when you have to try and decode a simple sentence. Feels like I'm trying to figure out some legal doc.

    3. Re:Check those facts & figures by Anonymous Coward · · Score: 1, Funny

      I'm assuming it's part of the Da Vinci Code until proven otherwise.

    4. Re:Check those facts & figures by Vanders · · Score: 1

      They've done studies. 60% of the time, it works every time...

      --
      Syllable : It's an Operating System
    5. Re:Check those facts & figures by WrongSizeGlass · · Score: 0

      If two trains left the station at the same time traveling in opposite directions, and 73% of them were more than three quarters 76% of the time ...

    6. Re:Check those facts & figures by Just_Say_Duhhh · · Score: 1

      After a dozen re-reads of TFA, my head came away from the wall, and I can now understand your rewrite.

      My manager, however, will have to wait for the powerpoint presentation with pie charts and bar graphs. As we all know, 73% of managers can't understand more than three quarters of the information you present to them.

      --
      I need trepanation like I need a hole in the head.
    7. Re:Check those facts & figures by hedwards · · Score: 1

      There's nothing wrong with that. It means that 90% of the IT tasks are half mental, whereas the other 10% of the tasks could be completely mindless or 90% mental. Or it could be on the basis of time spent on IT tasks. But it really doesn't represent any sort of problem of logic or numbers. IT and mental processing aren't so tightly bound as to make that line of reasoning sound.

    8. Re:Check those facts & figures by causality · · Score: 1

      "a survey from attendees of the DEFCON 18 conference revealed that 73% came across a misconfigured network more than three quarters of the time – which, according to 76% of the sample, was the easiest IT resource to exploit."

      Seriously, that throws my head into a god damn wall.

      This is how I slowly try and rephrase the sentence. Anyone else reading it this way? "73% of respondents to the survey found the network misconfigured more than 75% of the time and 76% of those 73% of respondents said that was the easiest IT resource to exploit."

      Terrible writing when you have to try and decode a simple sentence. Feels like I'm trying to figure out some legal doc.

      Yeah, sounds like just the sort of thing that professional editors are supposed to clean up. Oh wait, this is Slashdot.

      Another gem from the summary caught my eye:

      11% felt that threat vectors that change faster than they can be addressed play a key role.

      That item is not a (mis)configuration issue. Besides, the best way to maintain the advantage in this arms race is to make sure that your systems do exactly what they are intended to do and nothing else. Default-deny is a good policy and not just for firewalls.

      Results revealed that 18% of professionals believe misconfigured networks are the result of insufficient time or money for audits.

      Actually they're the result of incompetence and/or apathy. The purpose of an audit is to reveal that incompetence and/or apathy has taken place so that it may be corrected in the future. Good auditing may mitigate this issue just like a band-aid can protect a cut on your hand, but the band-aid or lack thereof was not what caused your hand to get cut. Cause-and-effect fail.

      Responses to a survey from attendees of the DEFCON 18 conference revealed that 73% came across a misconfigured network more than three quarters of the time – which, according to 76% of the sample, was the easiest IT resource to exploit.

      Low-hanging fruit like that is the great enabler of botnets and other black-hat criminals everywhere. I wonder how much this problem is caused by "I manage people not machines!" managers who have no idea how to accurately assess the competence of a sysadmin.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    9. Re:Check those facts & figures by jd · · Score: 2, Funny

      Nonono. We had the Russian Station transmit secret numbers recently, this is clearly a response from agents in the field.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    10. Re:Check those facts & figures by jd · · Score: 1

      Understanding the rewrite doesn't help if the margin of error means that 73% == 76% three-quarters of the time.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    11. Re:Check those facts & figures by causality · · Score: 1

      There's nothing wrong with that. It means that 90% of the IT tasks are half mental, whereas the other 10% of the tasks could be completely mindless or 90% mental.

      Does not compute.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    12. Re:Check those facts & figures by Arthur+Grumbine · · Score: 2, Insightful

      This summary is an absolute nightmare.

      I just assumed it was written by the marketing team for Sex Panther.

      --
      Now that I think about it, I'm pretty sure everything I just said is completely wrong.
    13. Re:Check those facts & figures by Locutus · · Score: 0, Troll

      yes, because putting Microsoft Windows on a network is a network configuration error.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    14. Re:Check those facts & figures by Anonymous Coward · · Score: 0

      Actually the Russian Station was just transmitting a message saying that this story is a dupe from the Cold War era. Oh, and the Russians had no idea what the summary meant either.

      Ironic Captcha: "executed"

    15. Re:Check those facts & figures by Anonymous Coward · · Score: 0

      Its just awkwardly phrased.

      73% of the participants each - over the course of all their incursions - encountered a misconfigured network more than 75% of the time.
      76% of those participants thought a misconfigured network was the easiest to exploit.

    16. Re:Check those facts & figures by turbidostato · · Score: 0, Offtopic

      "Actually they're the result of incompetence and/or apathy."

      I know my trade and I know that it will cost more time/money than throwed at it. The fact that it breaks is therefor neither lack of knowledge nor apathy, at least, not at the technical level.

      "The purpose of an audit is to reveal that incompetence and/or apathy has taken place so that it may be corrected in the future."

      Ha! So many times that's the *declared* purpose. The real purpose is to cover managerial asses. Since that can be done with less time/money than the real thing, that's what you get.

      "Good auditing may mitigate this issue"

      For some definitions of "good". If your manager happens to have a different definition for "good", well, tough luck.

    17. Re:Check those facts & figures by Anonymous Coward · · Score: 0

      So are we to believe that 73% is more than three quarters, or is this a case where 90% of IT is half-mental?

      I gather the gist of this story is sort of like of how the lion takes out the antelope, picking off the weakest and slowest. But then I've seen squirrels who could take out the antelope, if you want to call a network an antelope.

    18. Re:Check those facts & figures by Anonymous Coward · · Score: 0

      Out of every 1000 persons surveyed, 730 came across a misconfigured network more than 3 times out of every 4 trials. OK.

      Seems OK.

    19. Re:Check those facts & figures by pinkushun · · Score: 1

      Suddenly this sub-thread isn't so funny now that it actually makes sense.

  3. This is news? by betterunixthanunix · · Score: 0, Flamebait

    Is this really news? I thought everyone knew this already.

    --
    Palm trees and 8
    1. Re:This is news? by blair1q · · Score: 1

      Everyone at Cisco knows this.

      Everyone in their customer list is on their own.

  4. The other 57% by Sir_Lewk · · Score: 1

    Results revealed that 18% of professionals believe misconfigured networks are the result of insufficient time or money for audits. 14% felt that compliance audits that don't always capture security best practices are a factor and 11% felt that threat vectors that change faster than they can be addressed play a key role."

    Ok, so what did the other 57% think that misconfigured networks are the result of?

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    1. Re:The other 57% by Kepesk · · Score: 1

      Ok, so what did the other 57% think that misconfigured networks are the result of?

      Obviously, too much time spent playing Facebook games.

      --
      Help me fix my brother's injured butt!
    2. Re:The other 57% by mysidia · · Score: 1

      Ok, so what did the other 57% think that misconfigured networks are the result of?

      Incorrect / erroneous / misapplied example configurations ranking high in Google search results?

  5. What Is The Explanation For The Slashdot Outage by Anonymous Coward · · Score: 0

    earlier today?

        1. DDoS
        2. Cocaine break
        3. Lunch
        4. Desperate search for lame stories from other sites to post as "news".
        5 . 1 and 2
        6. 1 and 3
        7. You get the picture and so on and so forth.

    Thanks for playing.

    Yours In Krasnoyarsk,
    K. Trout

    1. Re:What Is The Explanation For The Slashdot Outage by Anonymous Coward · · Score: 0

      Dear Kilgore,

      This is no laughing matter perhaps the big board meeting or bunker bingo party was today?

      Hail to the chief who may have been asleep at the switch or spent ten years on automatic pilot. Oh say, can you smell the money tree?

    2. Re:What Is The Explanation For The Slashdot Outage by WrongSizeGlass · · Score: 1

      If I didn't know better I'd think you'd posted Paris Hilton's 'ToDo' list for today.

  6. The statistics are amazing, just amazing by Swave+An+deBwoner · · Score: 1

    "This realization is made worse when you consider that 57% of the security professionals we surveyed classified themselves as a black or grey hat hacker, and 68% of respondents admitted hacking just for fun," said Reuven Harrison, CTO at Tufin.

    Wow. 57% of the security professionals at DEFCON consider themselves a .. hacker!

    Wow.

    1. Re:The statistics are amazing, just amazing by al0ha · · Score: 1

      Yeah, you can rely on a statistic based on being a self proclaimed hacker, perhaps much akin to statistics on self proclaimed geniuses..

      Based on the responses what we really know is that out of the 43% who did not admit to being a Black Hat, some percentage actually does engage in such activities.

      --
      Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
  7. Misconfigured networks by Culture20 · · Score: 2, Interesting

    So, that means vulnerable ports were open to "the world" on the systems, and the "network" was supposed to be doing the firewalling? Network firewalls and system firewalls should use identical policies.

    1. Re:Misconfigured networks by causality · · Score: 3, Informative

      So, that means vulnerable ports were open to "the world" on the systems, and the "network" was supposed to be doing the firewalling? Network firewalls and system firewalls should use identical policies.

      That's a bit general. Say you want to run a Samba fileserver to share files among Windows clients. You'd want the fileserver on your internal network to accept connections from the relevant ports. You would not want the firewall standing between your network and the Internet to also have that port open to the world.

      While it's true that a conscientious admin would tighten up the Samba server's firewall by specifying both ports and IP addresses/ranges (or other credentials) that are acceptable, you still wouldn't have identical policies between the internal systems and the firewall controlling what can connect from outside.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    2. Re:Misconfigured networks by Culture20 · · Score: 2

      That's a bit general. Say you want to run a Samba fileserver to share files among Windows clients. You'd want the fileserver on your internal network to accept connections from the relevant ports. You would not want the firewall standing between your network and the Internet to also have that port open to the world. While it's true that a conscientious admin would tighten up the Samba server's firewall by specifying both ports and IP addresses/ranges (or other credentials) that are acceptable, you still wouldn't have identical policies between the internal systems and the firewall controlling what can connect from outside.

      Good point. I should think more often before I type.

  8. Devops is the answer by Anonymous Coward · · Score: 0

    Automating configuration and security management is the best way forward to solving this problem, says Harrison

    Damn right. Use Puppet (or Chef, if you must) and configure basic monitoring, and away you go. Devops for the win.

  9. Of those 73 percent of misconfigured networks... by GPLDAN · · Score: 4, Informative

    Probably 95 percent of THOSE networks were defeated using Doug Song's tools.


    http://monkey.org/~dugsong/dsniff/

  10. 73% of the time by OCURServant · · Score: 1

    I'm right 100% of the time...

    1. Re:73% of the time by Anonymous Coward · · Score: 0

      I think you're wrong about that 100% of the time.

  11. I think hackers are responsible for by barfy · · Score: 1

    most of the break-ins.

  12. Best security advice I ever got..... by LibertineR · · Score: 4, Insightful

    "It aint a firewall, unless it stops shit going in BOTH DIRECTIONS."

    1. Re:Best security advice I ever got..... by Anonymous Coward · · Score: 0

      Spam filters need to be bidirectional too. Its good security too because when you check the logs (because you're worth your job title) you'll find infected machines to fix and if you're good an attack vector to close off.

  13. Simple fix? by Bryansix · · Score: 1

    Buy an ASA from Cisco. It come preconfigured to drop all traffic. Configure the local subnet and leave everything else alone. Use hosted solutions for email, file sharing, applications. Pay the money to make sure you get solution providers who know their shit. Force SSL over all of those connections. And Done.

    1. Re:Simple fix? by Anonymous Coward · · Score: 0

      ...and one well crafted piece of malware gets past an email/web filter and boom, all that blocking and encryption is useless.

    2. Re:Simple fix? by Bryansix · · Score: 1

      That's not a misconfigured network. Also Postini is pretty good at that problem. Not perfect, but pretty good.

    3. Re:Simple fix? by LibertineR · · Score: 2, Interesting

      ....and what is your solution when I come in and tell your fat receptionist that she looks nice in that moo-mu, and that I am there to fix the phones, but maybe we can go for a drink when I am done, and can I have access to the IT closet at 5:02pm?

    4. Re:Simple fix? by Bryansix · · Score: 1

      9-1-1 and duck!

    5. Re:Simple fix? by LibertineR · · Score: 1
      The correct answer is to put the ASA in front of an ISA or TMG server, and use it only for packet inspection and port blocking. Forward only the necessary ports for your business, and whatever is allowed is explicitly enabled AND authenticated by domain\user.

      That way, nothing gets in OR out that is not expressly permitted, or tied to a specific user account. An internal effected machine cant send anything out the gateway if its not via 8080 with the firewall client, and with a rule naming its executable.

    6. Re:Simple fix? by Bryansix · · Score: 1

      On a more serious note, more and more phone systems are actually administered by the IT consultants or the IT Staff. So there is only one point of contact for everything.

    7. Re:Simple fix? by LibertineR · · Score: 1

      Yeah, but the Chub-ette at the front desk doesn't know that..., nor does her temp fill-in when she goes for that gastric bypass.... Point being, if they want in, they will get in. You have to stop them even if they are inside.

    8. Re:Simple fix? by Bryansix · · Score: 1

      When I was system admin, only the IT department had the keys to the server room. The CEO had a copy but he wasn't a moron so it was ok.

    9. Re:Simple fix? by c6gunner · · Score: 4, Funny

      Hire lesbians.

    10. Re:Simple fix? by TubeSteak · · Score: 1

      ....and what is your solution when I come in and tell your fat receptionist that she looks nice in that moo-mu, and that I am there to fix the phones, but maybe we can go for a drink when I am done, and can I have access to the IT closet at 5:02pm?

      Network audits.
      It's right there in the summary.

      Detection and mitigation of penetration is equally as important as trying to prevent the intrusion in the first place.

      --
      [Fuck Beta]
      o0t!
    11. Re:Simple fix? by Necrotica · · Score: 1

      You don't work in a large enterprise, do you?

    12. Re:Simple fix? by Anonymous Coward · · Score: 0

      Boy, did you waste your time and money. OUR receptionist will transfer your call to "9" if you explain you are with the phone company and working on our phones.

  14. WAAAAAAAA THE NETWERK! by lanner · · Score: 1

    "Waaaaaa! The network's down!"

    "Waaaaaa! The network's slow!"

    As a real network admin, I hear this at minimum, once a week, sometimes more often.

    95% of the time, it's not the network. It's almost always the endpoints.

    How is the network to blame here? Someone screw up spanning tree, OSPF not using md5 authentication? DHCP mis-configuration? DNS? Wrong gateway used? What? The article gives nothing, just like most of the sysadmins and managers that come to my desk crying about how slow scp/nfs/smb copies are all because of the network and how they can't understand why they can't just bridge Infiniband over Ethernet.

    Stop crying about the network.

    1. Re:WAAAAAAAA THE NETWERK! by mandelbr0t · · Score: 1

      95% of the time, it's not the network. It's almost always the endpoints.

      I'm guessing a new way of saying PIBCAK?

      Stop crying about the network.

      And start looking at where the real problem might be. The guy with an MBA from an online university and an entry-level Microsoft certification being responsible for the hiring just might have something to do with how IT is a great steaming shithole.

      --
      "Please describe the scientific nature of the 'whammy'" - Agent Scully
    2. Re:WAAAAAAAA THE NETWERK! by Anonymous Coward · · Score: 0

      Here's an example of why you are wrong. Take the case of a DNS server change.

      #1 reason for slow server or host response: next to duplex mis-match or the cable not being plugged in? misconfigured host DNS. DNS Timeouts tend to slow down basically every single network service (on a server) or the client's access to the services, from database to email to apache starting up. I had a development server with old dns info, corrected it, and mail coming out of that server went from taking 30 minutes, to instant.

      No one informed me that the DNS had changed.

      I've seen this repeated many times over the years in 4 different jobs. It's usually due to poor communication coming from the network group about service changes and failure on the server guy's part to update what the DHCP server is handing out. Other times there's a conference call for change control and the manager in charge of DHCP is playing with his blackberry instead of listening.

      This leads to desktop people hard setting DNS as a way around the mis-configured DHCP (since the server guys won't entertain the possibility that they need to inspect, let alone fix, something. After all, their manager didn't tell them about the DNS change). Then dns servers change again, this time the DHCP guy "gets it" and adjusts his server, but all the hosts are now set up with static DNS info, the desktop wienies get berated for not using DHCP to set the dns servers, rinse, wash, repeat. All of that pain caused by a failure to communicate on the network guy's part.

      Communicate better and notify all tech people about big changes, then sniff the DNS requests on the network and make sure people implemented your changes. Sitting on your high horse and proclaiming it's not the network is the wrong attitude. Sniffing the network to look for network service requests going to the wrong places after a change would be a better response. While it's not "the network" it IS "the network people"

      Sure it's the manager in charge of DHCP that caused the mess, but everyone in the network is suffering and you coulda prevented it with about 10 minutes of follow up after the change.

      Communication and followup are omnipotent. In a case with something like DNS, which affects everything in the network, the tech people should all get an email about it, in addition to the change control meetings the managers attend, and followup to ensure that the proper changes were made. After such a change, I'd be on a sniffer checking the destination of dns requests and notifying server administrators they missed something, instead of playing minesweeper and parroting "it's not the network" over and over again. Sure the problem isn't the network. You are absolutely right.

      The problem is you.

      It makes people want to fucking strangle you.

    3. Re:WAAAAAAAA THE NETWERK! by Theoboley · · Score: 1

      I prefer the PICNIC problem. Problem In Chair, not in Computer.

      --
      Stupidity only gets you so far, then you've gotta try
  15. Re:Of those 73 percent of misconfigured networks.. by carp3_noct3m · · Score: 1

    Ahh, good old Dsniff, urlsnarf, etc. Had lots of good times with them.

    --
    "It's ok, I'm completely secure as long as my iron is off"
  16. Clarification of TFA by Anonymous Coward · · Score: 0

    SEVENTY-THREE PERCENT OF SURVEYED ATTENDEES FOUND THAT THE MAIN CAUSE OF BREACHES WAS MISCONFIGURED NETWORKS.

    THOSE 73% FOUND MISCONFIGURED NETWORKS TO BE THE PROBLEM IN MORE THAN THREE-QUARTERS OF BREACHES.

    It's not that hard. Learn to read.

  17. A "network" is not a security device by Anonymous Coward · · Score: 0

    There's this misconception that a network is somehow related to security. This is silly - a network switches packets according to some policy.

    Defining that policy to serve security requirements is an exercise for the user. Blaming "the network" isn't only vague, it's a category mistake. Might as well blame the roads for car crashes and thefts.

  18. statistics overload? by scotty.m · · Score: 1

    73% of people encountered a misconfigured network 75% of the time... (by my calculations thats 54% of networks are misconfigured?)
    76% of people beleive a misconfigured newtwork this is the easiest resource to exploit
    18% of people beleive a misconfigured network is due to insufficient time/money

    --
    Has anyone really been far even as decided to use even go want to do look more like?
    [ST8Z6FR57ABE6A8RE9UF]
  19. How much of that is due to old software / hardware by Joe+The+Dragon · · Score: 1

    How much of that is due to old software / hardware? That needs not so much of a misconfigured setup more like a one with some open areas. That are needed to make the old software / hardware work.

  20. Sadly by Anonymous Coward · · Score: 0

    "Detection and mitigation of penetration is equally as important as trying to prevent the intrusion in the first place."
    That's what she said....

  21. Pffffft! by Anonymous Coward · · Score: 0

    We're not stupid. Our receptionists are our network security cheifs. Not only do they use Unix, they are Eunuchs. Flattery will get you no where.

    1. Re:Pffffft! by Anonymous Coward · · Score: 0

      Even Eunuchs are susceptible to bribery.

  22. What Causes What? by Anonymous Coward · · Score: 0

    Misconfigured networks cause breaches.
    Cars cause drunk driving accidents.
    Banks cause embezzlement.
    Liquor stores cause robberies.
    What moron can't figure out that some unethical bastard causes network breaches and needs gelded for his trouble? IT courses need at least a semester of good old fashioned gumshoe detecting and a semester of offensive combat with a chapter in castration.
    In this day and age not only can the average person not take responsibility for themselves, but have a hard time placing responsibility in a functional if not correct way.
    The article goes on to drivel about what beliefs and feelings were on what could have been ponderous subjects. Who can take anyone seriously who can't differentiate between what they feel, believe or think. Thinking, yes, that golden effort that pays the bills when your belief system and tender girly feelings can't.
    The man wants to know what you think will keep Mitnik on the other side of the firewall and couldnt give a damn what you believe Jesus, Allah or Obama can do to help. Damned sure doesn't care how you feel one way or the other.
    Could fuzzy thinking approaches to the problem as represented in the presentation of this article be part of the reason so many jobs are headed to less reputable parts of Asia?
                Think about it Girls

    1. Re:What causes what? by Anonymous Coward · · Score: 0

      Thats NOT the story headline.

  23. What causes what? by Anonymous Coward · · Score: 0

    misconfigured networks ALLOW breaches.

  24. Check your reading comprehension by blueg3 · · Score: 3, Informative

    Imagine everyone was asked how often they came across a misconfigured network. One guy answered "about 80% of the time". Another guy answered "20% of the time." 73% of the respondents, when asked, gave an answer that was higher than "75% of the time".

    Separately, respondents were asked what IT resource was easiest to exploit, and 76% of them said "network".

    1. Re:Check your reading comprehension by DontBlameCanada · · Score: 1

      A recent study found that 74.23% of all statistics quoted in /. articles were invented on the spot in an effort to trick folks who only read the article summary into modding them up.

  25. heh by DFurno2003 · · Score: 0

    50% of the time, it works every time.

  26. Firewall the boundary - all that's needed by pacman+on+prozac · · Score: 1

    There's a lot of comments saying "use a decent firewall and you're sorted".

    On any non-trivial network, if the only security in place is a firewall on the boundary then you're probably one of the 3/4 of easily exploitable networks mentioned in the article.

    Viruses, social engineering, playing with applications that are allowed through (e.g. HTTPS web apps), dial-ins, wireless, abusive staff, there is a never ending list of attack vectors if you only pay attention to the perimeter. Like the article says: 43% of respondents view planting a rogue member of staff inside a company as one of the most successful hacking methodologies..

  27. Shitty study by evel+aka+matt · · Score: 4, Informative

    I was at Defcon this year (like always), and the people conducting this study were essentially paid per response, which I'm sure is quite common. We were standing on the Riv steps, during one of our many cigarette breaks, and some girl came up and asked us to do her survey.

    Us: "This question doesn't really make sense."
    Her: "Just check any box, I need to get them all filled."

    And that's basically how it went. The question/answers seemed a little silly, and there were a lot of excluded middles. The surveyors knew nothing of the questions, and were just trying to get out there of (can't blame 'em). The answer space was a checkbox, and if you saw it, you'd see how easy it'd be to just fill out the rest of the boxes with similar answers if you wanted to go home.

  28. Duh, We already knew that. by Anonymous Coward · · Score: 0

    Duh, We already knew that. That's what McKinnon showed us. The DoD have misconfigured servers and get pwned easy.

    'course rather than admit mistake, they want to arrest and kill him.

  29. Indeed by Anonymous Coward · · Score: 0

    Four places I've worked:

    1. A university. Server rooms locked with an off-series key (so the series masters issued to security and cleaners won't open it). Special key issued on "need to" basis, with most having only 3-4 holders.

    2. Military HQ. Server rooms in concrete bunker with armed guards and doors (actually entry was by turnstile only, to prevent "rushing") opened from inside only.

    3. Now defunct computer company. Server room in separate wing of building, never got to even see, but people entering that wing seemed to use two factor (swipe card, enter PIN)

    4. Small private IT company. Server room off-site, servers in locked rack in locked cage in building with 24 hour CCTV online.

    In none of these organisations was it possible for a friendly but not very bright person on the front desk to let you into the server rooms. In at least two cases the apparently friendly non-technical woman on the front desk had training in "social engineering" and would probably call the cops. In one case there is no front desk, the people you need to get past have rifles and know that straying from procedure will go very badly, once they figure out you don't have authorisation they're going to arrest you for trespass. That leaves the small IT company. You can sweet talk our girl, but trouble is the offices are just a front, a place to hold meetings - you've got nowhere.