An easy fix
- By Thomas R. Temin
- Mar 05, 2003
Sometime around 1992, the term 'low-hanging fruit' came into the federal lexicon. It simply means doing the obvious and relatively easy things first to improve management. Often that's where you will get the largest positive changes the fastest.
The cybersecurity field is rife with low-hanging fruit. Installing patches for operating systems, for example. Enforcing sound password and log-off policies. Barring users from access to Yahoo e-mail and other porous accounts via the agency network.
So it came as a surprise to find how few federal agencies make the effort to mask the server and OS software of their Web sites. As longtime contributing writer John McCormick wrote in a Feb. 24 cover story, using publicly available sites that ping any URL and report back on it, you can find not only software information but also how long it's been since the last reboot. That fact gives a clue to whether the latest security patches have been installed.
The Securities and Exchange Commission and CIA, notably, hide their information. Out of curiosity, I checked the site of the SANS Institute, the Bethesda, Md., security gurus, and got back very little information.
Certain sites always seem to be eagerly sought by crackers with malevolent intent, especially those in the Defense Department. Equally often, though, an attack is nothing personal. It's just that the mischief-makers compile comparison tables of OSes or servers and who's running them, known vulnerabilities and patch dates. That means your next attack may come simply because your site met someone's automated criteria for ripeness.
Preventing the random disclosure of such vital systems data is an example of low-hanging fruit. A savvy systems administrator can change server configuration files so the information isn't communicated to browsers. Plus, many software products can automate the process across server farms.
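As an added illustration that is not from the column, the check below parses a raw HTTP response and flags the headers (Server, X-Powered-By and similar, an assumed list) that disclose a product version, which is exactly what the automated comparison tables described above are built from; the two sample responses are constructed, not captured from any agency site.

```python
import re

# Constructed sample responses (not captured from any real site): one that
# advertises its stack, one from a server configured to withhold versions.
LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g\r\n"
    b"X-Powered-By: PHP/4.2.3\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html></html>"
)
QUIET_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html></html>"
)

# Assumed list of headers that commonly carry software banners.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")
VERSION_RE = re.compile(r"\d+\.\d+")

def parse_headers(raw: bytes) -> dict:
    """Split a raw HTTP response into a lower-cased header dict; body ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def disclosed_banners(raw: bytes) -> dict:
    """Return {header: value} for banner headers that reveal a version number.

    A bare product name ("Apache") is not flagged; a version string is, since
    that is what a script matching sites against patch tables keys on.
    """
    headers = parse_headers(raw)
    return {
        name: headers[name]
        for name in BANNER_HEADERS
        if name in headers and VERSION_RE.search(headers[name])
    }

if __name__ == "__main__":
    # On Apache the fix is the ServerTokens Prod / ServerSignature Off directives.
    for label, resp in (("leaky", LEAKY_RESPONSE), ("quiet", QUIET_RESPONSE)):
        print(label, disclosed_banners(resp) or "no version disclosed")
```

Run against real responses, the same function works on whatever a fetch returns as raw bytes, so it can be scheduled across a server farm as a configuration drift check.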
As SANS' John Green points out, 'Security through obscurity is not good security.' Hackers can find other ways to obtain server information. But at least locking the back door, so to speak, will keep out hackers using scripts to compile lists of sites with particular OSes or servers.
What are you waiting for?