Two or three years ago, the latest vulnerability was what got you into a network or a box on the Internet. Whether it was IIS 4 or an old Red Hat 6.x box, you could be sure it was missing a patch or two that would let you sploit it.
Today, Microsoft’s latest revision of its web server, IIS 6.0, has not had one security bulletin issued for it. Enough organizations have gotten slammed by worms that patches are kept mostly up-to-date. What remains the weakest link? The human element, and I’m not even referring to social engineering. I’m simply referring to people and their passwords.
The most common means of compromising a network lately, at least for me, has been a poor choice of passwords: service accounts that were set up years ago with a simple password that hasn’t been changed since, or passwords stored in spreadsheets and technical documents.
Then, once you have that initial access, it’s usually a matter of patience and persistence until you find avenues into all kinds of other systems… all because of one weak password.
This leads me to my current obsession with identity management, which is a rising trend in Information Security. The IT industry is beginning to realize what the banking industry has long known (think ATMs and your card/PIN combination): a simple username and password is not enough to protect critical assets. Some other form of authentication should be put in place; a physical token of some sort, so that authenticity is maintained. Verisign has even launched a lofty initiative called Open Authentication, or OATH, that aims to provide “strong, universal authentication” for “all users, all devices, all networks” everywhere. The concept is quite enticing.
Now if only companies could get on the ball and either lock down old, stale accounts or implement some multi-factor authentication, I would feel a lot better about…having something else to worry about! ;)
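The stale service accounts and weak passwords described above are exactly what an audit should surface before an attacker does. The script below is an added example, not code from the original post: it reads a constructed account export, flags accounts whose password has not changed in too long or that have not logged on in months, and checks each stored hash against a small wordlist plus guesses derived from the account name itself. The export format, its field names, the `svc_`-style prefixes and the use of SHA-256 as the stored hash are all assumptions made for the demo; a real Active Directory dump would carry NT hashes and `pwdLastSet`/`lastLogon` timestamps, so the parser and `password_hash` would need swapping.

```python
import csv
import hashlib
import io
from datetime import date

# Assumption: a tiny stand-in for a real cracking wordlist.
WEAK_WORDS = ["password", "Password1", "welcome", "summer2004", "admin"]

# Assumption: naming prefixes this shop uses for service accounts.
SERVICE_PREFIXES = ("svc_", "svc-", "sa_")


def password_hash(plaintext: str) -> str:
    """Hash used by the constructed export (assumption: SHA-256).

    Real directories differ: Active Directory stores NT hashes
    (MD4 over UTF-16LE), so replace this when auditing a genuine dump.
    """
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


# Constructed sample export. Plaintexts appear here only so the demo can
# build its own hashes; a real audit starts from a hash dump, never plaintext.
SAMPLE_EXPORT = "\n".join([
    "username,is_service,password_last_set,last_logon,password_hash",
    "svc_backup,1,2001-03-15,2004-09-01," + password_hash("backup"),
    "svc_sql,1,2000-11-02,2004-09-02," + password_hash("Password1"),
    "jsmith,0,2004-08-20,2004-09-02," + password_hash("Xq7!mR2#pL9v"),
    "oldvendor,0,2002-01-10,2002-02-01," + password_hash("welcome"),
    "admin,0,2004-07-01,2004-09-02," + password_hash("G0rp-Tr41n-H1ll"),
])


def parse_export(text: str) -> list[dict]:
    """Parse the assumed CSV export into typed records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"],
            "is_service": row["is_service"] == "1",
            "password_last_set": date.fromisoformat(row["password_last_set"]),
            "last_logon": date.fromisoformat(row["last_logon"]),
            "password_hash": row["password_hash"],
        })
    return rows


def candidate_passwords(username: str, wordlist) -> set[str]:
    """Wordlist plus guesses derived from the account name ("svc_backup" -> "backup")."""
    cands = set(wordlist)
    cands.add(username)
    cands.add(username.lower())
    for prefix in SERVICE_PREFIXES:
        if username.lower().startswith(prefix):
            cands.add(username[len(prefix):])
    return cands


def audit(records, today: date, max_password_age=90, stale_after=180,
          wordlist=WEAK_WORDS) -> dict:
    """Return {username: [finding, ...]} for every account with a problem."""
    findings = {}
    for rec in records:
        notes = []
        pw_age = (today - rec["password_last_set"]).days
        if pw_age > max_password_age:
            kind = "service" if rec["is_service"] else "user"
            notes.append(f"password_age:{pw_age}d:{kind}")
        idle = (today - rec["last_logon"]).days
        if idle > stale_after:
            notes.append(f"stale_account:{idle}d")
        # Offline dictionary check: hash each candidate and compare.
        for cand in candidate_passwords(rec["username"], wordlist):
            if password_hash(cand) == rec["password_hash"]:
                notes.append("weak_password")
                break
        if notes:
            findings[rec["username"]] = notes
    return findings


def run_sample(today_iso: str = "2004-09-03") -> dict:
    """Audit the constructed export as of the given (assumed) date."""
    return audit(parse_export(SAMPLE_EXPORT), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for user, notes in sorted(run_sample().items()):
        print(f"{user}: {', '.join(notes)}")
```

Run as-is it reports `svc_backup` (ancient password equal to its own name), `svc_sql` (password unchanged for years and on the wordlist) and `oldvendor` (stale, old password, weak), while `jsmith` and `admin` pass. The username-derived candidates are the part worth keeping: service accounts named after what they do very often have a password to match.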