Pantek Library

Re: Ten least secure programs

From: Roger A. Grimes <rogerg(at)cox.net>
Date: Mon Jun 30 2003 - 18:27:18 EDT

Chris, most rational network administrators (or whatever you are) cannot generally dictate by themselves what is and isn't allowed on "your network". It's a business decision made by management after you've told them of the risks of using such-and-such a program. Nearly any program can be hacked, and nearly any program can be made secure. The key is what is dictated by your business environment that must be used, and has to be secured regardless of its inherent vulnerabilities. You may hate MS-Outlook and MS-Internet Explorer, but if your CEO tells you that you have to support it, then it's best to learn how to secure it vs. just saying someone can't have it.

All the programs you mention below can easily be made relatively secure by following the vendor's recommended configuration settings and patches. The key is keeping up with vendor patches and deploying each of these programs in a reasonably prudent way. So, I wouldn't recommend telling any end-user they can't use such and such...it's better to tell them (or mgmt), "you should have it configured this way and use this patch mgmt tool" if you are going to use that software package.

If you're not into my business advice and philosophy and you want your hard and fast list, consider looking at SANS (www.sans.org) top 10 list (or is it top 20 now?). The list mentions some commonly vulnerable systems that are frequently left unpatched and misconfigured.

Also, I consider any P2P program to be high on my list as increased risk, simply because the security configuration and patching mechanisms aren't there.

Good luck,

Roger



*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogerg@cox.net
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*
http://www.oreilly.com/catalog/malmobcode
****************************************************************************
*************
----- Original Message -----
From: "Chris Berry" <compjma@hotmail.com>
To: <oclug@oclug.org>; <windows2000@freelists.org>; <security-basics@securityfocus.com>
Sent: Saturday, June 28, 2003 6:08 PM
Subject: Ten least secure programs

> I'm putting together a list of what seem to be the ten least secure computer
> items in use today with the idea of having a set of things to recommend note
> like "NO, you cannot use the following!!". Here is what I have so far, I'm
> looking for additions and comments. The list is in order from with the vigorous
> discussion. *putting on flame retardant garments* Oh, and leave Operating
Received on Wed Jul 2 11:52:24 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:05:20 EDT

