The biggest vulnerability
Despite all the publicity about zero-day exploits, a large share of breaches (44 per cent) come from vulnerabilities that are two to four years old. Server misconfigurations were the number one vulnerability, according to the latest edition of HP's annual Cyber Risk Report, which concludes that well-known issues posed the …
It is called PEBKAC
Add to the list the Jr admin who discovered dcpromo... I would hope PEBKAC refers to the (l)users. But on second thought...
Not just Jr Admins. There are Sr Admins and even System Architects out there who know better but cut corners. Sometimes the decisions are mostly out of their hands (CxOs who won't cough up the bucks or demand that vendors fix known problems in must-use software); other times they're not (default root passwords left unchanged for 5+ years, too-simple passwords on administrative-level accounts so everyone can remember and use them).
> organisations must employ fundamental security tactics to address known vulnerabilities
I.e. spend money and hire competent people, which is why they can just store this report, change the date and release it next year with very little changed.
What I'm coming to realize over a lifetime is that there aren't that many competent people on the planet. A lot of the population who think they're intelligent are merely clever. Competence and management are two words that often don't ever match.
Nah, they would rather hire a bunch of H-1Bs with no true skills because they cost less. Until they get smashed, all red-faced, when that one competent person they have left discovers these people left some huge holes letting the whole world in. But hey, they were cheap, am I right?
You are correct.
Discover a new and virtually unknown vulnerability or exercise a more sophisticated and quite exclusive capability, and one can earn billions rather than settling for peanuts ...... http://flashcritic.com/great-cyber-bank-heist-1-billion-theft-highlights-danger-posed-financial-cyber-threats/
IPMI cipher 0. Nuff said.
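The comment above refers to IPMI 2.0 cipher suite 0, which negotiates "RAKP-none" authentication together with no integrity and no confidentiality algorithm, so a BMC that accepts it will open a session without checking a password. The script below is an added example, not code from the thread or from HP's report: it builds an RMCP+ Open Session Request asking for exactly that suite and decides from the Open Session Response whether the BMC agreed. The packet layout follows the IPMI 2.0 specification; the two sample responses are constructed by hand so the parser can be exercised offline, and the status code used for the rejecting sample (0x06, "no matching authentication payload") is one of several a vendor might return, so any non-zero status is treated as a rejection.

```python
"""Check whether a BMC accepts IPMI 2.0 cipher suite 0 (auth none, integrity none,
confidentiality none) by sending an RMCP+ Open Session Request for it.

Added example for the thread above; not from the original page or any vendor.
Sample responses below are constructed, not captured from a real device.
"""
import socket
import struct

RMCP_HEADER = b"\x06\x00\xff\x07"   # RMCP v1.0, reserved, seq 0xff (no ack wanted), class IPMI
AUTH_TYPE_RMCPPLUS = 0x06
PAYLOAD_OPEN_SESSION_REQ = 0x10
PAYLOAD_OPEN_SESSION_RSP = 0x11
IPMI_PORT = 623


def _algorithm_payload(payload_type: int, algorithm: int) -> bytes:
    # Auth (0x00), integrity (0x01) and confidentiality (0x02) payloads share one layout:
    # type, 2 reserved, length (always 8), algorithm number, 3 reserved.
    return bytes([payload_type, 0, 0, 8, algorithm, 0, 0, 0])


def build_open_session_request(tag: int = 1, console_session_id: int = 0xA0A2A3A4,
                               max_priv: int = 0x04, auth: int = 0,
                               integrity: int = 0, confidentiality: int = 0) -> bytes:
    """Cipher suite 0 is auth=0 (RAKP-none), integrity=0 (none), confidentiality=0 (none).
    max_priv 0x04 asks for ADMINISTRATOR; the console session id is an arbitrary value."""
    body = (bytes([tag, max_priv, 0, 0])
            + struct.pack("<I", console_session_id)
            + _algorithm_payload(0x00, auth)
            + _algorithm_payload(0x01, integrity)
            + _algorithm_payload(0x02, confidentiality))
    # IPMI 2.0 session header: auth type, payload type, session id 0, seq 0, payload length.
    session_hdr = struct.pack("<BBIIH", AUTH_TYPE_RMCPPLUS, PAYLOAD_OPEN_SESSION_REQ,
                              0, 0, len(body))
    return RMCP_HEADER + session_hdr + body


def parse_open_session_response(data: bytes) -> dict:
    """Extract tag, status and (when present) the negotiated algorithms; ValueError otherwise."""
    if len(data) < 16 or data[0] != 0x06 or data[3] != 0x07 or data[4] != AUTH_TYPE_RMCPPLUS:
        raise ValueError("not an RMCP+ IPMI packet")
    if data[5] & 0x3F != PAYLOAD_OPEN_SESSION_RSP:   # high bits flag encryption/authentication
        raise ValueError("not an Open Session Response")
    (length,) = struct.unpack_from("<H", data, 14)
    payload = data[16:16 + length]
    if len(payload) < 2:
        raise ValueError("truncated payload")
    info = {"tag": payload[0], "status": payload[1]}
    if len(payload) >= 36:   # full response: priv, console sid, BMC sid, three algorithm payloads
        info["max_priv"] = payload[2] & 0x0F
        info["console_session_id"], info["bmc_session_id"] = struct.unpack_from("<II", payload, 4)
        info["auth"], info["integrity"], info["confidentiality"] = payload[16], payload[24], payload[32]
    return info


def accepts_cipher_zero(response: bytes) -> bool:
    """True only if the BMC reports success AND echoes all three 'none' algorithms back."""
    try:
        info = parse_open_session_response(response)
    except ValueError:
        return False
    return (info["status"] == 0 and info.get("auth") == 0
            and info.get("integrity") == 0 and info.get("confidentiality") == 0)


def probe(host: str, port: int = IPMI_PORT, timeout: float = 3.0) -> bool:
    """Send one request over UDP/623; silence or a malformed reply counts as 'not accepted'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_open_session_request(), (host, port))
        try:
            data, _ = s.recvfrom(1024)
        except socket.timeout:
            return False
    return accepts_cipher_zero(data)


def _sample_response(status: int) -> bytes:
    # Constructed Open Session Response (not a capture): tag 1, given status, admin priv,
    # echoed console session id, BMC session id 2, all three algorithms 'none'.
    body = (bytes([1, status, 0x04, 0]) + struct.pack("<II", 0xA0A2A3A4, 2)
            + _algorithm_payload(0x00, 0) + _algorithm_payload(0x01, 0) + _algorithm_payload(0x02, 0))
    hdr = struct.pack("<BBIIH", AUTH_TYPE_RMCPPLUS, PAYLOAD_OPEN_SESSION_RSP, 0, 0, len(body))
    return RMCP_HEADER + hdr + body


SAMPLE_ACCEPTED = _sample_response(0x00)   # status 0: session opened with no authentication
SAMPLE_REJECTED = _sample_response(0x06)   # 0x06 "no matching authentication payload"; vendors vary


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, "VULNERABLE: cipher 0 accepted" if probe(target) else "cipher 0 not accepted")
```

The same check can be made with ipmitool, which lets you pin the cipher suite with `-C 0` on a `-I lanplus` session; a BMC that answers `chassis status` under that setting is exposed regardless of what password you typed. The fix is on the BMC side (disable cipher suite 0 in its LAN configuration, or upgrade firmware that no longer offers it) and in the network design: UDP/623 should never be reachable from anything but a management segment.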
"Threats can be minimised with a well-thought-out patching strategy, regular penetration testing, layered security defences, threat intelligence sharing and a strategy for introducing new technologies."
That all sounds like locking the stables after the proverbial horse has already bolted.
As necessary as the items in the above list from HP are, they seem to be rather studiously ignoring the real first line of threat minimization.
How about suggesting that people run good code. Isn't it far better to write good code rather than install and patch?
It is easier to build the system secure (or correct) than to try to retrofit security onto a deployed system.
So . . . despite endless discussions about what to do about security, no one can do it well, no one is smart enough to do it well, no one's operating system is any good, no one gets paid enough to do it well, and the dumbest person behind the keyboard can mess it up anyway in the blink of an eye.
Biting the hand that feeds IT © 1998–2017