To make matters worse, recreational hacking is being fueled by the efforts of folks who appreciate the inner workings of operating systems and network applications. They prize the holes that they find—broadcasting vulnerabilities over Internet Relay Chat, and packaging techniques into do-it-yourself toolkits for joyriders to share. Sometimes the attack starts with a captured password—pulled from the network by a packet sniffer. Often, it comes through a hole in a service, such as a carelessly coded CGI script, or the deliberate overflow of a stack variable. All that is typically needed is a foot in the door: once a hacker has access to a machine under the guise of a legitimate user, he can work from the inside and begin the cycle anew.
While it is impossible to protect against all threats, there are eight widespread practices on the Internet of today that make host security far worse than it needs to be. These practices are:
Failure to think about security as a fundamental aspect of system setup and design (establishing policy)
Transmission of plaintext, reusable passwords over networks
Failure to use security tools
Failure to obtain and maintain software that’s free of all known bugs and security holes
Failure to track security developments and take preventative action
Lack of adequate logging
Lack of adequate backup procedures
Lack of adequate system and network monitoring
Security is defined by policy. In some environments, every user is ...