Psst, hackers. Just go for the known vulnerabilities

Despite all the publicity about zero-day exploits, a large share of breaches (44 per cent) come from vulnerabilities that are two to four years old. Server misconfigurations were the number one vulnerability, according to the latest edition of HP's annual Cyber Risk Report, which concludes that well-known issues posed the …


The biggest vulnerability

It is called PEBKAC

6
0

Re: The biggest vulnerability

Add to the list, the Jr admin who discovered dcpromo... I would hope PEBKAC refers to the (l)users. But on second thought....

0
1
Anonymous Coward

Re: The biggest vulnerability

Not just Jr Admins. There are Sr Admins and even System Architects out there who know better but cut corners. Sometimes the decisions are mostly out of their hands (CxOs who won't cough up the bucks or demand that vendors fix known problems in must-use software); other times they're not (default root passwords left unchanged for 5+ years, too-simple passwords on administrative-level accounts so everyone can remember and use them).

0
0

Reactive only management

> organisations must employ fundamental security tactics to address known vulnerabilities

I.e., spend money and hire competent people, which is why they can just store this report, change the date and release it next year with very little changed.

7
0

Re: Reactive only management

What I'm coming to realize over a lifetime is that there aren't that many competent people on the planet. A lot of the population who think they're intelligent, are merely clever. Competence and management are two words that often don't ever match.

5
0
Anonymous Coward

Re: Reactive only management

It's the Dunning-Kruger effect.

2
0
Anonymous Coward

Re: Reactive only management

Nah, they would rather hire a bunch of H-1Bs with no true skills because they cost less. Until they get smashed, all red-faced, when the one competent person they have left discovers these people left some huge holes letting the whole world in. But hey, they were cheap, am I right?

2
0

Re: Reactive only management

You are correct.

0
0

The Flip side of the COIN coin

Discover a new and virtually unknown vulnerability or exercise a more sophisticated and quite exclusive capability, and one can earn billions rather than settling for peanuts ... http://flashcritic.com/great-cyber-bank-heist-1-billion-theft-highlights-danger-posed-financial-cyber-threats/

1
1
Anonymous Coward

You mean like the HP iLO vulnerability

IPMI cipher 0. Nuff said.

0
1
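The "cipher 0" the commenter refers to is IPMI 2.0 cipher suite 0, which negotiates no authentication, integrity or confidentiality for an RMCP+ session, so leaving it enabled on a BMC lets anyone who can reach the management port bypass the password entirely. The check below is an added example, not code from the commenter, HP or the report: it parses the "Cipher Suite Priv Max" line that `ipmitool lan print <channel>` prints (one privilege letter per cipher suite 0..14, with "X" meaning the suite is disabled), flags suite 0 if it is enabled, notes suites 1 and 2 as unencrypted, and builds the `ipmitool lan set ... cipher_privs` command that disables suite 0. The sample output is constructed for the example, not captured from a real BMC, and the channel number is an assumption.

```python
import re

# Constructed sample of `ipmitool lan print 1` output (not from a real BMC).
# Suite 0 is still enabled for ADMIN ("a" in position 0), which is the problem.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaaX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

# Cipher suites that negotiate no confidentiality: 0 is also unauthenticated.
UNAUTHENTICATED_SUITES = {0}
UNENCRYPTED_SUITES = {1, 2}

PRIV_LINE = re.compile(r"Cipher Suite Priv Max\s*:\s*([XcuoaO]{15})")


def parse_cipher_privs(lan_print_output):
    """Map cipher suite id (0..14) -> privilege letter from `ipmitool lan print`."""
    match = PRIV_LINE.search(lan_print_output)
    if not match:
        raise ValueError("no 'Cipher Suite Priv Max' line in ipmitool output")
    return dict(enumerate(match.group(1)))


def audit_cipher_suites(lan_print_output):
    """Return (cipher0_enabled, sorted list of enabled unencrypted suites)."""
    privs = parse_cipher_privs(lan_print_output)
    enabled = {suite for suite, priv in privs.items() if priv != "X"}
    cipher0_enabled = bool(enabled & UNAUTHENTICATED_SUITES)
    weak = sorted(enabled & UNENCRYPTED_SUITES)
    return cipher0_enabled, weak


def hardened_priv_string(lan_print_output, disable=UNAUTHENTICATED_SUITES):
    """Copy the current privilege string with the given suites marked unused."""
    privs = parse_cipher_privs(lan_print_output)
    for suite in disable:
        privs[suite] = "X"
    return "".join(privs[i] for i in range(15))


def remediation_command(lan_print_output, channel=1):
    """ipmitool invocation that applies the hardened privilege string.

    The channel number is an assumption; LAN channel 1 is common but not universal.
    """
    return "ipmitool lan set %d cipher_privs %s" % (
        channel, hardened_priv_string(lan_print_output))


if __name__ == "__main__":
    cipher0, weak = audit_cipher_suites(SAMPLE_LAN_PRINT)
    if cipher0:
        print("CRITICAL: cipher suite 0 (no authentication) is enabled")
        print("fix:", remediation_command(SAMPLE_LAN_PRINT))
    if weak:
        print("WARNING: unencrypted cipher suites enabled:", weak)
```

Run it against real output by piping `ipmitool -I lanplus -H <bmc> -U <user> -P <pass> lan print 1` into `parse_cipher_privs`; the same parser also works on the output of a local `ipmitool lan print 1` over the host's KCS interface. The remediation only rewrites the privilege string, so it leaves every other suite exactly as the BMC had it.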

I must be a magnitude 10 heretic

HP says,

"Threats can be minimised with a well-thought-out patching strategy, regular penetration testing, layered security defences, threat intelligence sharing and a strategy for introducing new technologies."

That all sounds like locking the stables after the proverbial horse has already bolted.

As necessary as the items in the above list from HP are, they seem to be rather studiously ignoring the real first line of threat minimization.

How about suggesting that people run good code. Isn't it far better to write good code rather than install and patch?

It is easier to build the system secure (or correct) than to try to retrofit security onto a deployed system.

0
0

We're all doomed

So . . . despite endless discussions about what to do about security, no one can do it well, no one is smart enough to do it well, no one's operating system is any good, no one gets paid enough to do it well, and the dumbest person behind the keyboard can mess it up anyway in the blink of an eye.

0
0


Biting the hand that feeds IT © 1998–2017