February 21, 2000
Are You Vulnerable?
continued...page 2 of 2
Cold Fusion, a widely deployed Web application server, installs sample pages by default that can reveal critical information about your servers (the same information can also be obtained by sending specially formatted requests to the application). Poorly configured Cold Fusion servers were the fifth most-common reconnaissance vulnerability.
Unauthorized access by Internet clients to Internet-accessible hosts is perhaps the most direct threat to your systems. Successful access attacks let users review, modify, or delete data, and reconfigure your network devices so they no longer function. Despite the seriousness of such attacks, more than one in 10 Internet interfaces has a remote-access vulnerability. Chief among the causes of access vulnerabilities are weak user-authentication schemes. Separately, Cisco's security group has been able to crack more than half the passwords obtained from compromised networks using simple password-cracking tools with very basic password dictionaries available on the Internet.
SMTP E-mail servers present several access vulnerabilities through mail-relay functions and PIPE-FROM commands that let a remote user send the contents of an E-mail message to another program on the mail server--effectively letting the sender E-mail commands to your hosts. Many SNMP devices allow access to the device information stored in them merely by using the default "community" string of "private." Because SNMP is so popular as an administrative interface to network infrastructure, properly securing SNMP interfaces and blocking all Internet-based SNMP requests is critical, but often overlooked.
In addition to Cisco Secure Consulting Services' Internet security assessments, the group has reviewed similar analyses of business and institutional intranets. These nominally private networks showed similarly poor security, though they tended to have more network interfaces and more services running on them. Looking at intranet hosts, Cisco found that more than 28% of their network interfaces show some vulnerability.
While these intranets exposed many of the same vulnerable services found by the Internet-focused study, a few other services appeared among the most-common sources of weakness. Roughly 8% of the vulnerabilities resulted from Finger network services, an outdated tool for discovering user information on the network. There's little reason to run Finger servers, but the sites studied often left them in place. A similar number of intranet interfaces relied on poor authentication in Telnet (a remote terminal service).
Exposure to denial-of-service attacks was even more concentrated in outdated, unnecessary services among intranets studied than among the Internet sites. More than 13% of this type of vulnerability was caused by administrators leaving these services running--many of which are enabled by default when network operating systems are installed. Among denial-of-service vulnerabilities, the remaining problems appeared on less than 1% of the network interfaces and included the availability of Bootstrap Protocol services, the buffer overflow FTP issue noted earlier, and another FTP weakness that occurs when passive transfer commands are allowed.
Not surprisingly, a similar group of weaknesses (RPC, SMTP, and SNMP) could expose these intranets to saboteurs attempting to gather information about network resources. The same group of services was among the most-common vulnerabilities by which intruders actually gained access to network resources. The frequency of weak-authentication vulnerabilities, more than 10%, was twice that found in the Internet assessments.
Cisco Secure Consulting Services' report shows that many companies have a way to go in securing their networks. Though managing a complex network is demanding, adhering to simple guidelines would dramatically reduce the number of vulnerabilities among Internet and intranet sites. The starting point for any security audit is to determine which services you must expose in order to support your clients. Often this is little more than HTTP, DNS, and SMTP traffic. All other traffic should be blocked at the firewall or other network-border filtering devices. Similarly, you should disable extraneous services on each host. For required services, you must pay careful attention to configuring only those functions necessary to run your applications, and you must check frequently for security-related patches to each of these applications. Even a relatively cursory adherence to these three steps (filter at the border, disable unneeded services, configure and patch the rest) would reduce vulnerabilities among the sites surveyed by more than half.
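The three steps above, applied to a single host, as an added example that is not code from the article or from Cisco's report: the socket inventory, the allowlist of required services and the list of risky services are constructed from what the article names, and the generated filter rules use iptables syntax as an assumed border filter.

```python
# Added example (not the article's or Cisco's code): the article's three
# hardening steps applied to a constructed netstat-style socket inventory.
REQUIRED = {("tcp", 80): "http", ("tcp", 53): "dns", ("udp", 53): "dns",
            ("tcp", 25): "smtp"}  # what most Internet-facing sites need
RISKY = {("tcp", 79): "finger", ("tcp", 23): "telnet", ("udp", 161): "snmp",
         ("udp", 67): "bootp", ("tcp", 111): "rpc", ("tcp", 21): "ftp"}

def parse_inventory(lines):
    """Parse 'proto local_address [state]' lines; return sockets that accept traffic."""
    sockets = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[0] == "tcp" and (len(parts) < 3 or parts[2] != "LISTEN"):
            continue  # established connections are not exposed services
        addr, _, port = parts[1].rpartition(":")
        sockets.append((parts[0], int(port), addr))
    return sockets

def audit(sockets, required=REQUIRED, risky=RISKY):
    """Classify each network-reachable socket as 'keep' (required) or 'disable'."""
    findings = []
    for proto, port, addr in sockets:
        if addr in ("127.0.0.1", "::1"):
            continue  # loopback-only: not reachable from the network
        key = (proto, port)
        name = required.get(key) or risky.get(key, "unknown")
        findings.append((proto, port, name, "keep" if key in required else "disable"))
    return findings

def firewall_rules(findings):
    """Default-deny border filter that admits only the kept services (iptables text)."""
    rules = ["iptables -P INPUT DROP",
             "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    rules += [f"iptables -A INPUT -p {p} --dport {port} -j ACCEPT"
              for p, port, _, action in findings if action == "keep"]
    return rules

# Constructed inventory of an "everything enabled by default" host.
SAMPLE_INVENTORY = [
    "tcp 0.0.0.0:80 LISTEN", "tcp 0.0.0.0:25 LISTEN", "udp 0.0.0.0:53",
    "tcp 0.0.0.0:79 LISTEN",      # finger
    "tcp 0.0.0.0:23 LISTEN",      # telnet
    "udp 0.0.0.0:161",            # snmp
    "tcp 127.0.0.1:3306 LISTEN",  # loopback only: not exposed
    "tcp 10.0.0.5:80 ESTABLISHED",
]
```

Running `audit(parse_inventory(SAMPLE_INVENTORY))` keeps HTTP, SMTP and DNS, flags Finger, Telnet and SNMP for disabling, and ignores the loopback-bound and established sockets; `firewall_rules` then emits a drop-by-default policy with one accept rule per kept service.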
This conclusion raises the question of why so many network interfaces are so poorly configured. Certainly, most of these issues are well-known and have been discussed at CERT and other security-related forums for years. Operating-system and server-application vendors, however, have a particularly poor track record in making it easy to configure only the set of services your application requires. While enabling most features by default lets customers take full advantage of these systems' capabilities and minimizes the time spent troubleshooting services that don't respond, it results in needlessly widespread vulnerability.
President Clinton's grand vision of achieving a "critical information systems defense," as outlined in the U.S. Government's National Plan for Information Systems Protection, Version 1.0 (www.ciao.gov), gives a good sense of the magnitude of security issues faced by both public and private businesses. While E-commerce is driving the need to be connected to the Internet, those businesses involved in online transactions over the Net need to be especially careful to watch for the types of vulnerabilities that Cisco Secure Consulting Services discovered in this study. The full report is available from Cisco's website at: http://www.cisco.com/warp/public/778/security/vuln_stats_02-03-00.html.