The number one vulnerability in computer systems, says one of the outfits that’s supposed to know about these things, lies not in faulty firewalls but in . . . default settings.
Here’s why, according to the folks at the SANS Institute (SysAdmin, Audit, Network, Security):
When technicians install new programs or operating systems on a network, they usually run vendor-supplied programs or scripts to do it as efficiently as possible. Typically, they let the default settings run, with the result that every component and feature is installed. It’s entirely predictable; they’ve probably been instructed to install an entire program or system, not just parts of it.
Unfortunately, those superfluous components bring their vulnerabilities with them, and because administrators forget the components are there, they are seldom updated when the vendor issues security bulletins or patches. Without an exhaustive inventory, IT administrators may not even know what executable programs are sitting on their networks. Operating systems are particularly at risk from default installations, because a default install almost invariably starts network services nobody asked for, each listening on an open port that an attacker can probe.
Any organization that has ever used an installation program is potentially at risk. The SANS Institute recommends getting rid of software components that are never used, closing unused ports and providing technicians with installation guidelines that look beyond the default settings and focus on what the organization really needs.
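What “looking beyond the default settings” comes down to in practice is an inventory and an allowlist. The following Python script is an added example, not SANS Institute code: it parses the output of the Linux `ss -ltnp` command (a constructed sample is embedded, not captured from a real host) and reports every listening TCP service that is not on a hypothetical allowlist of what the host is supposed to run, which is the “by default, deny” stance Cooper describes at the end of this piece. The allowlist, the sample output and the process names are all assumptions for illustration.

```python
"""Audit a host's listening TCP sockets against an allowlist of the services it
is actually supposed to expose, and report everything else (deny by default).
Added example, not SANS Institute code. Parses the output of `ss -ltnp`."""
import re
import sys

# Hypothetical baseline for a Web server: (port, process name) pairs the
# organisation has decided it needs. Anything else is reported.
ALLOWED_LISTENERS = {(22, "sshd"), (80, "nginx"), (443, "nginx")}

# Constructed sample of `ss -ltnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:111         0.0.0.0:*          users:(("rpcbind",pid=540,fd=4))
LISTEN  0       80      127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=1201,fd=21))
LISTEN  0       511     *:80                *:*                users:(("nginx",pid=1300,fd=6),("nginx",pid=1301,fd=6))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     0.0.0.0:5900        0.0.0.0:*          users:(("Xvnc",pid=2210,fd=9))
"""

# "Local Address:Port": the address is IPv4, "*" or a bracketed IPv6 address.
LOCAL_RE = re.compile(r"^(?P<addr>\[[^\]]*\]|[^\s:]+):(?P<port>\d+)$")
# First ("name",pid=N ...) entry in the Process column.
PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')
LOOPBACK_ADDRS = {"127.0.0.1", "[::1]"}


def parse_listeners(ss_output):
    """Return (port, process, local address) for each LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        local = LOCAL_RE.match(fields[3])
        if local is None:
            continue
        procs = PROC_RE.findall(line)
        name = procs[0][0] if procs else "?"  # "?" when ss ran without -p or root
        listeners.append((int(local.group("port")), name, local.group("addr")))
    return listeners


def audit_listeners(ss_output, allowed=ALLOWED_LISTENERS):
    """Return the listeners not on the allowlist as sorted (port, process, scope)
    tuples. scope says whether the socket is reachable from the network or only
    from loopback, which tells you how urgently the component should go."""
    unexpected = set()
    for port, name, addr in parse_listeners(ss_output):
        if (port, name) in allowed:
            continue
        scope = "loopback" if addr in LOOPBACK_ADDRS else "network"
        unexpected.add((port, name, scope))
    return sorted(unexpected)


if __name__ == "__main__":
    # Pipe real output in (`ss -ltnp | python audit_listeners.py`); otherwise
    # the constructed sample is audited.
    data = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for port, name, scope in audit_listeners(data):
        print(f"unexpected listener: {name} on port {port} ({scope})")
```

Run against the sample, the script flags rpcbind on 111 and Xvnc on 5900 as reachable from the network and mysqld on 3306 as loopback-only; the first two are the classic leftovers of a “install everything” default, and the point of the allowlist is that a new service has to be justified before it is silently accepted.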
Russ Cooper of the IT security company TruSecure Corp — known as the Surgeon General, because he tells clients what they need to hear, not what they want to hear — is particularly alert to this issue. He’s a long-time beta and alpha tester for Microsoft, whose desktop products have some glaring security defects.
Cooper points to Microsoft Outlook, which defaults to HTML (Hypertext Markup Language) as the format for all e-mail messages.
“HTML e-mail is the most malicious form of message that we have today,” Cooper says. His advice to the security-conscious organization is simple: “Block all HTML email and say, ‘I’m not going to communicate with anybody that is sending me HTML e-mail.’ Or get a gateway product that goes at the border of the network and converts it.”
Cooper responded to the HTML vulnerability by writing a plug-in for Outlook that he made freely available. “It automatically converts any e-mail received in HTML into plain or rich text format depending on which version of Outlook you’re using, so you don’t have to deal with HTML-based e-mail.”
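The gateway conversion Cooper describes is simple to illustrate. The Python below is an added example written for this page, not Cooper’s Outlook plug-in or any product’s code: it takes a raw RFC 822 message, keeps the sender’s own text/plain part when a multipart/alternative message has one, otherwise reduces the HTML body to visible text with nothing active left in it, and rebuilds the message as text/plain. The sample message is constructed, and the example deliberately carries only the text body, not attachments.

```python
"""Gateway-style conversion of HTML e-mail to plain text, the border-of-the-
network approach Cooper describes. Added example, not Cooper's Outlook plug-in.
Standard library only."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Keep visible text only: no tags, attributes, scripts, styles or links."""
    SKIP = {"script", "style", "head", "title"}
    BLOCK = {"p", "div", "br", "li", "tr", "h1", "h2", "h3", "h4", "table", "hr"}

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1
        elif tag in self.BLOCK:
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1
        elif tag in self.BLOCK:
            self.parts.append("\n")

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)

    def text(self):
        lines = (" ".join(line.split()) for line in "".join(self.parts).splitlines())
        return "\n".join(line for line in lines if line)


def html_to_text(html):
    """Reduce an HTML body to plain text; nothing active survives the trip."""
    extractor = _TextExtractor()
    extractor.feed(html)
    extractor.close()
    return extractor.text()


def to_plain_text_message(raw):
    """Rebuild an incoming message as text/plain. A multipart/alternative
    message keeps the sender's own text/plain part; an HTML-only message is
    converted. Only the text body is carried over in this simplified example."""
    msg = email.message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        body = plain.get_content()
    else:
        html = msg.get_body(preferencelist=("html",))
        body = html_to_text(html.get_content()) if html is not None else ""
    out = EmailMessage(policy=policy.default)
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if header in msg:
            out[header] = msg[header]
    out.set_content(body)
    return out


# Constructed sample: an HTML-only message carrying a style sheet and a script.
SAMPLE_HTML_MAIL = """\
From: sender@example.com
To: recipient@example.com
Subject: Quarterly figures
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head><style>body{color:red}</style></head>
<body><p>Please review the <b>attached</b> figures.</p>
<script>document.location="http://tracker.example/?id=42"</script>
<p>Regards,<br>Sender</p></body></html>
"""

if __name__ == "__main__":
    print(to_plain_text_message(SAMPLE_HTML_MAIL).as_string())
```

The recipient gets “Please review the attached figures. / Regards, / Sender” and nothing else: the style sheet, the script and any tracking or linked content are gone before the mail client ever sees the message, which is exactly what makes the gateway approach attractive when you cannot control every desktop.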
Most system administrators are probably aware of Outlook’s security shortcomings by now, but the pressure to pack more features into every program has led to a default setting problem with the program that is probably the second most commonly used after e-mail — Microsoft Word.
The Track Changes feature in Word is much beloved in government circles, allowing multiple authors of a document to follow changes with colorful highlighting of additions and deletions. The catch is that the history is stored in the file itself: unless someone accepts the changes and clears it, the “final” version of a document still carries every deleted passage and comment, a running record of the reasoning behind it.
A 2001 press release from a modem manufacturer about problems with one of its products provided an excellent example of the embarrassment that can result from releasing a Word document complete with successive revisions. Anyone could download the document, open it in Word and, by selecting Track Changes from the Tools menu, see that the company was apparently aware of security problems yet chose to do nothing about them.
“By default, you’re sharing these documents with people who you want to have see these changes,” Cooper said. “Traditionally what has been done by those people who were aware of the feature was that they would just cut and paste the entire document into a new document. It’s an action they had to take. Otherwise the changes would be embedded in the document.”
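Checking an outgoing document for leftover revisions is a mechanical job, and it is worth doing before the cut-and-paste ritual Cooper describes. The Python below is an added example, not the author’s or Microsoft’s code, and it makes one assumption the 2001 press-release case does not: it reads the current .docx container (a ZIP of XML parts), not the binary .doc format of the time, because in .docx the same revision history sits in plain XML in word/document.xml (insertions as w:ins, deletions as w:del with the deleted words kept in w:delText) and word/comments.xml. The sample document is constructed to mirror the press-release case; the author names, dates and wording are invented.

```python
"""Find the tracked changes and comments a Word document still carries.
Added example, not the author's or Microsoft's code. Word's 2001-era binary
.doc format is not parsed here; the example assumes the current .docx
container, in which the revision history lives in word/document.xml and
word/comments.xml."""
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def _w(tag):
    """Clark-notation name for a WordprocessingML element or attribute."""
    return f"{{{W}}}{tag}"


def _text(el, tag):
    """Concatenate the text of every <w:tag> under el, in document order."""
    return "".join(t.text or "" for t in el.iter(_w(tag)))


def find_revisions(docx_bytes):
    """Return (kind, author, text) for each insertion, deletion and comment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
        for el in root.iter():
            if el.tag == _w("ins"):
                findings.append(("insertion", el.get(_w("author"), "?"), _text(el, "t")))
            elif el.tag == _w("del"):
                # Deleted text is kept in <w:delText>: invisible, but still in the file.
                findings.append(("deletion", el.get(_w("author"), "?"), _text(el, "delText")))
        if "word/comments.xml" in z.namelist():
            comments = ET.fromstring(z.read("word/comments.xml"))
            for c in comments.iter(_w("comment")):
                findings.append(("comment", c.get(_w("author"), "?"), _text(c, "t")))
    return findings


def visible_text(docx_bytes):
    """The text a reader sees with markup hidden: every <w:t>, no <w:delText>."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return _text(ET.fromstring(z.read("word/document.xml")), "t")


def build_sample_docx():
    """Constructed minimal .docx (only the parts the scanner reads, so not a
    complete package Word would open), modelled on the press-release case:
    a deleted admission replaced by blander wording, plus a reviewer comment."""
    document = f"""<w:document xmlns:w="{W}"><w:body><w:p>
<w:r><w:t>We are </w:t></w:r>
<w:del w:id="1" w:author="Legal" w:date="2001-06-01T10:00:00Z">
<w:r><w:delText>aware of the flaw and have no fix</w:delText></w:r></w:del>
<w:ins w:id="2" w:author="PR" w:date="2001-06-01T11:00:00Z">
<w:r><w:t>committed to product quality</w:t></w:r></w:ins>
<w:r><w:t>.</w:t></w:r><w:commentRangeStart w:id="0"/><w:commentRangeEnd w:id="0"/>
</w:p></w:body></w:document>"""
    comments = f"""<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="Legal">
<w:p><w:r><w:t>Do not ship until the patch is out.</w:t></w:r></w:p></w:comment></w:comments>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document)
        z.writestr("word/comments.xml", comments)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("visible:", visible_text(sample))
    for kind, author, text in find_revisions(sample):
        print(f"hidden {kind} by {author}: {text!r}")
```

The visible text reads “We are committed to product quality.”, which is all a reader of the final draft sees; the scan turns up the deleted admission, who replaced it and when, and the legal reviewer’s comment. A non-empty result from a check like this on anything leaving the organization is the signal to accept all changes, delete comments and save a clean copy before publishing.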
Still, Cooper sees what might be an encouraging trend from Microsoft in its latest (and still unreleased) server operating system, Windows .NET Server, and in the version of Internet Information Server (IIS), the company’s Web server, that ships with it.
“Microsoft has traditionally enabled all features, so by default when you do an installation you get everything. (But) .Net servers are taking a new approach that says, ‘let’s turn all this stuff off, and make the user turn on things that they want.'”
A basic security principle, says Cooper, is, “by default, deny. People responsible for IT security are learning to just say no.”