An easy fix

Thomas R. Temin

Sometime around 1992, the term 'low-hanging fruit' came into the federal lexicon. It simply means doing the obvious and relatively easy things first to improve management. Often that's where you will get the largest positive changes the fastest.

The cybersecurity field is rife with low-hanging fruit. Installing patches for operating systems, for example. Enforcing sound password and log-off policies. Barring users from access to Yahoo e-mail and other porous accounts via the agency network.

So it came as a surprise to find how few federal agencies make the effort to mask the server and OS software of their Web sites. As longtime contributing writer John McCormick wrote in a Feb. 24 cover story, using publicly available sites that ping any URL and report back on it, you can find not only software information but also how long it's been since the last reboot. That fact gives a clue to whether the latest security patches have been installed.

The Securities and Exchange Commission and CIA, notably, hide their information. Out of curiosity, I checked the site of the SANS Institute, the Bethesda, Md., security gurus, and got back very little information.

Certain sites always seem to be eagerly sought by crackers with malevolent intent, especially those in the Defense Department. Equally often, though, an attack is nothing personal. It's just that the mischief-makers compile comparison tables of OSes or servers and who's running them, known vulnerabilities and patch dates. That means your next attack may come simply because your site met someone's automated criteria for ripeness.

Preventing the random disclosure of such vital systems data is an example of low-hanging fruit. A savvy systems administrator can change server configuration files so the information isn't communicated to browsers. Plus, many software products can automate the process across server farms.
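As an added illustration of the configuration change described above (example settings, not from the column or from any agency cited in it), the following Apache httpd directives show the default, talkative setting beside the quiet one; the example assumes Apache httpd 2.x and a typical `httpd.conf`:

```apache
# Added example: trimming what an Apache httpd server reveals about itself.
# The "Server" response header and the footer on generated error pages are
# controlled by two directives.

# Weak (the default): the header names product, version, OS and loaded modules,
# e.g. "Server: Apache/2.4.x (Unix) OpenSSL/1.1.x PHP/7.x", and every error
# page ends with a signature line repeating it. Shown commented out here.
#ServerTokens Full
#ServerSignature On

# Hardened: send only the product name ("Server: Apache") and no error-page
# footer. "Prod" is the most restrictive ServerTokens level; Apache itself
# does not offer a setting that drops the header entirely.
ServerTokens Prod
ServerSignature Off
```

The equivalent on nginx is `server_tokens off;` in the `http` block, which reduces the header to `nginx` without a version. A quick way to confirm the change took effect after a reload is `curl -sI https://your-site/ | grep -i '^Server:'`, which prints only the header line the server now sends.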

As SANS' John Green points out, 'Security through obscurity is not good security.' Hackers can find other ways to obtain server information. But at least locking the back door, so to speak, will keep out hackers using scripts to compile lists of sites with particular OSes or servers.

What are you waiting for?
