Red Hat Enterprise Linux 4 Security Guide: Unpatched Services; Inattentive Administration; Inherently Insecure Services


2.3.2. Unpatched Services
Most server applications that are included in a default installation are solid, thoroughly tested pieces
of software. Having been in use in production environments for many years, their code has been
thoroughly refined and many of the bugs have been found and fixed.
However, there is no such thing as perfect software and there is always room for further refinement.
Moreover, newer software is often not as rigorously tested as one might expect, because of its recent
arrival to production environments or because it may not be as popular as other server software.
Developers and system administrators often find exploitable bugs in server applications and publish
the information on bug tracking and security-related websites such as the Bugtraq mailing list
(http://www.securityfocus.com) or the Computer Emergency Response Team (CERT) website
(http://www.cert.org). Although these mechanisms are an effective way of alerting the community to security
vulnerabilities, it is up to system administrators to patch their systems promptly. This is particularly
true because crackers have access to these same vulnerability tracking services and will use the
information to crack unpatched systems whenever they can. Good system administration requires
vigilance, constant bug tracking, and proper system maintenance to ensure a more secure computing
environment.
Refer to Chapter 3, Security Updates for more information about keeping a system up-to-date.

2.3.3. Inattentive Administration

Administrators who fail to patch their systems are one of the greatest threats to server security.
According to the SANS (SysAdmin, Audit, Network, Security) Institute, the primary cause of
computer security vulnerability is to "assign untrained people to maintain security and provide neither
the training nor the time to make it possible to do the job."[1] This applies as much to inexperienced
administrators as it does to overconfident or unmotivated administrators.
Some administrators fail to patch their servers and workstations, while others fail to watch log
messages from the system kernel or network traffic. Another common error is when default passwords
or keys to services are left unchanged. For example, some databases have default administration
passwords because the database developers assume that the system administrator changes these
passwords immediately after installation. If a database administrator fails to change this password,
even an inexperienced cracker can use a widely-known default password to gain administrative
privileges to the database. These are only a few examples of how inattentive administration can lead
to compromised servers.
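The paragraph above names failure to watch log messages as one mark of inattentive administration. The following script, added here as an illustration and not part of the guide, shows the minimum an administrator should be doing with the sshd entries in /var/log/secure: count failed passwords per source address inside a short window, and raise an alert when a source that was guessing passwords later gets an "Accepted" line. The log lines are constructed for the example (the year 2005 assumed for the year-less syslog timestamps); the message format is sshd's own.

```python
"""Watch sshd entries in /var/log/secure for password guessing.

Added example: the log lines below are constructed to match the sshd
message format; they are not taken from the guide or from a real host.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/secure (traditional syslog format, no year).
SAMPLE_LOG = """\
Mar  3 10:14:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51012 ssh2
Mar  3 10:14:03 host1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.9 port 51020 ssh2
Mar  3 10:14:04 host1 sshd[2205]: Failed password for root from 203.0.113.9 port 51031 ssh2
Mar  3 10:14:06 host1 sshd[2207]: Failed password for root from 203.0.113.9 port 51044 ssh2
Mar  3 10:14:08 host1 sshd[2209]: Failed password for invalid user test from 203.0.113.9 port 51050 ssh2
Mar  3 10:20:11 host1 sshd[2301]: Failed password for alice from 198.51.100.7 port 40112 ssh2
Mar  3 10:20:40 host1 sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 40113 ssh2
Mar  3 10:31:00 host1 sshd[2310]: Accepted password for root from 203.0.113.9 port 51090 ssh2
"""

_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(_PREFIX + r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_syslog_ts(ts, year=2005):
    """Syslog timestamps carry no year; the caller supplies it (2005 assumed here)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: sorted usernames tried} for every source with at least
    `threshold` failed passwords inside some `window_seconds`-long window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((parse_syslog_ts(m["ts"]), m["user"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start:end+1] fits in the window.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({user for _, user in events[start:end + 1]})
                break
    return flagged


def logins_from_flagged_sources(log_text, threshold=5, window_seconds=60):
    """The case that needs immediate attention: a source that was guessing
    passwords later produced an 'Accepted' line. Returns [(ip, user), ...]."""
    flagged = detect_bruteforce(log_text, threshold, window_seconds)
    return [(m["ip"], m["user"])
            for m in map(ACCEPTED_RE.match, log_text.splitlines())
            if m and m["ip"] in flagged]


if __name__ == "__main__":
    for ip, users in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} usernames tried: {', '.join(users)}")
    for ip, user in logins_from_flagged_sources(SAMPLE_LOG):
        print(f"ALERT: successful login for {user} from password-guessing source {ip}")
```

Run against the sample, 203.0.113.9 is flagged (five failures in seven seconds, four usernames) and the later "Accepted password for root" from the same address is reported as an alert, while the single typo by alice from 198.51.100.7 is ignored. The year has to be supplied because traditional syslog omits it, so a log that spans New Year needs the caller to adjust it.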

2.3.4. Inherently Insecure Services

Even the most vigilant organization can fall victim to vulnerabilities if the network services they choose
are inherently insecure. For instance, there are many services developed under the assumption that
they are used over trusted networks; however, this assumption fails as soon as the service becomes
available over the Internet — which is itself inherently untrusted.
One category of insecure network services is those that require unencrypted usernames and
passwords for authentication. Telnet and FTP are two such services. If packet sniffing software is
monitoring traffic between the remote user and such a service, usernames and passwords can be
easily intercepted.
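To make the point concrete, the script below (an added illustration, not code from the guide) recovers the username and password from the client side of a Telnet session and of an FTP session, given nothing more than the TCP payloads a sniffer on the path would reassemble. The payloads are constructed for the example; the Telnet option-negotiation bytes follow the IAC encoding of RFC 854, which has to be stripped before the keystrokes can be read.

```python
"""Recover Telnet and FTP credentials from sniffed client-to-server payloads.

Added example: the byte strings below are constructed to look like the
reassembled TCP payloads of a Telnet and an FTP login; they are not
captures from the guide or from any real host.
"""
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT (each followed by one option byte)


def strip_telnet_iac(data: bytes) -> bytes:
    """Drop Telnet option negotiation so only the user's keystrokes remain."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break                                       # truncated command at end of stream
        elif data[i + 1] == IAC:
            out.append(IAC)                             # IAC IAC is a literal 0xFF data byte
            i += 2
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)    # skip subnegotiation up to IAC SE
            i = len(data) if end < 0 else end + 2
        elif data[i + 1] in NEGOTIATE:
            i += 3
        else:
            i += 2                                      # two-byte commands: NOP, GA, AYT, ...
    return bytes(out)


def telnet_credentials(client_to_server: bytes):
    """Telnet login: the first two complete lines the client sends answer the
    'login:' and 'Password:' prompts. Enter arrives as CR LF or CR NUL."""
    text = strip_telnet_iac(client_to_server).replace(b"\r\x00", b"\r\n")
    parts = text.split(b"\r\n")
    if len(parts) < 3:                                  # need two CRLF-terminated lines
        return None
    return parts[0].decode("latin-1"), parts[1].decode("latin-1")


def ftp_credentials(client_to_server: bytes):
    """FTP sends 'USER name' and 'PASS secret' as plain CRLF-terminated commands."""
    user = password = None
    for line in client_to_server.decode("latin-1").split("\r\n"):
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS":
            password = arg
    return (user, password) if user is not None and password is not None else None


# Constructed client-to-server payloads standing in for a sniffer's reassembled stream.
TELNET_CLIENT = (
    b"\xff\xfd\x03"                     # IAC DO SUPPRESS-GO-AHEAD
    b"\xff\xfb\x18"                     # IAC WILL TERMINAL-TYPE
    b"\xff\xfa\x18\x00XTERM\xff\xf0"    # IAC SB TERMINAL-TYPE IS "XTERM" IAC SE
    b"root\r\x00"                       # username as typed, Enter sent as CR NUL
    b"s3cret!\r\x00"                    # password: not echoed by the server, but sent in clear
)
FTP_CLIENT = b"USER ftpadmin\r\nPASS Summer2005\r\nSYST\r\nPWD\r\n"

if __name__ == "__main__":
    print("telnet:", telnet_credentials(TELNET_CLIENT))
    print("ftp:   ", ftp_credentials(FTP_CLIENT))
```

Nothing here is cryptanalysis: the credentials are simply read off the wire once the protocol framing is removed, which is why the only real fix is to replace these services with encrypted equivalents rather than to harden them. The same parsing applies to any protocol that authenticates with a plaintext exchange, not only to Telnet and FTP.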
[1] Source: https://www.sans.org/reading_room/whitepapers/hsoffice/addressing_and_implementing_computer_security_for_a_small_branch_office_620
