We don’t mean to be insecure

Don’t want to sound preachy, but system administrators and network administrators are not always to blame for insecure systems. Sometimes (often) the blame falls on the heads of management.

Keeping a system up to date, fully patched and properly configured afterwards will usually keep any system relatively secure… until the next exploit comes out and is made public.

Doing this takes time. One needs to make sure applied patches won’t affect running services (e.g. Framework 3.5 SP1 on Citrix Presentation Server; this one seems solved now). Lots of reading and testing should be done before deploying major changes. For us, the tech guys, this is normal and the sensible thing to do. It’s our job to keep things running smoothly… For management, time equals money… and they always seem to have the mentality “…if it ain’t broke, don’t fix it…” Of course, when a system gets compromised or crashes, it’s our fault for not applying the proper updates and patches.

Recently I had the pleasure of showing my current employer how easy it would be to compromise a customer’s system. Without raising any alarms or triggering a malware/anti-virus application, I got a reverse shell on my home computer. Must admit, he was surprised how easy it was. Unfortunately, nothing came out of that demonstration. I even spoke about a customer’s FTP server, and how we should update it, seeing the amount of DoS exploits and local privilege escalation exploits currently in the wild… Again, nothing.

So, from where I’m sitting we are not at fault. Pretty sure it’s the same for others…
</rant>