Holes in the Wall
The following security problems often plague sites connected to the
Internet. They are listed from most frequent to least frequent.
Sites do not dedicate enough resources to improve and maintain security.
Network and system support personnel do not have the management support
or the authority to deploy appropriate security measures.
Vendors still ship systems with poor default security configurations,
and customers still buy these systems even though they know they
have security problems.
Vendors do not disseminate information regarding patches to their customer
sites and sites do not install vendor patches for security problems they
do know about.
Sites still use a login authentication system which uses reusable passwords
or passwords which are transmitted over the net in clear text.
Sites have strong Internet security but poor dial-up security.
Sites do not monitor or restrict network access to their internal hosts.
Sites do not install user accounts in a consistent manner.
Sites do not monitor account activity and do not always remove accounts
for terminated users.
Sites do not place good controls on root and other special system accounts.
Sites do not implement/enforce procedures and standards for installing
new hosts on their network.
Source: Network Security Institute