Reading this article about the insecurities found by various scans in 2012 is a little scary. I wonder how many of my former employers have videoconferencing systems, remote control/access systems, or some commercial software with a default password connected to the Internet and unsecured? Reading the article, I’d bet at least one of them does.
I also wonder how many of them have old versions of software with known vulnerabilities that can be exploited, not just by dedicated hackers, but by script kiddies. Lots of people have excess time available, powerful computing resources, and mischief in their hearts.
This is slightly maddening to those concerned about the security of computer systems. How hard is it to change the default passwords on the installation of an application? How much more time does it take to configure a system properly? It doesn’t take much at the moment, but it does take time in advance. Proper security requires knowledge, which means that an administrator must have spent time learning how to properly configure a system, or getting a comprehensive list of vulnerabilities and their patches.
I’d love to see vendors publish a best practices document, or a couple of them, for each version of software they release. Give people specific steps to follow on the installation of the software to ensure it is securely configured, as well as the known vulnerabilities and the patches available. I can publish information, and there are likely any number of blogs out there that may give some best practices, but for new users, the vendor’s site is the only resource that many people will follow.
I know I’d be willing to allow vendors to link to any best practices I published, or republish the information on their own site if they wanted to. I’m sure others would feel the same way. Now if only the vendors would agree to use the information.