The top five Windows security threats - A hacker's valentine

Hackers often utilize holidays to gain an advantage, so what more fitting way to ring in a Happy Valentine's day than to uncover a few nasty hacks involving your Windows systems? Here are five Windows security threats that you should have your heart set on -- today and always.

1. Too Cool for security standards?
   The practice of not having a set of security configuration standards is all too common. With all the different "best practices", hardening recommendations, and ways of configuring Windows security settings, it does require time, effort, and discipline to ensure all your systems are consistently locked down from the elements. I guarantee you, though, if you become complacent in this area and don't harden Windows the way it needs to be, the bad guys will jump all over it eventually. Two good places to start are Configure Group Policy to prevent attacks and Five steps to lock down peer-to-peer networks.

2. Got Love Bug weaknesses or no malware protection at all?
   Still to this day I see Windows systems all around that are not properly protected from all types of malware. I'm not just talking about virus protection -- most people have that (why 100% don't have it always blows my mind). I'm talking about safeguards against spyware, Trojans, and rootkits; and the only surefire means for (mostly) protecting Windows is to install antivirus and antispyware along with personal firewall software on all Windows systems. The "But it's just a server and no one logs on locally and uses it for anything" excuse is shortsighted. The same goes for those seemingly harmless workstations in the reception area and training room. If they're on the network, they need to have all of these layers of protection -- period.

3. U-R My Soul Mate and that's why I can't get rid of you
   Running old versions of Windows (NT, 9x, ME) that have plenty of known security holes is certainly not good for your network's health. I know it's tough to find the money and time that goes with upgrades, and I never advocate spending money on something like Windows upgrades if you don't need it (yes, even if everyone else is doing it). Having said that, when it comes time to budget for cool new VoIP phones, gigabit Ethernet switches, etc. that you may not really need --think twice. Ask yourself if the business wouldn't be better off long term with more secure operating systems such as Windows Server 2003, XP, or the forthcoming Vista. If you can't justify upgrades, at least lock down your older systems and stay on top of the latest hacks.

4. U-R Mine (and I've got the tools to prove it)
   The usage of security testing tools such as Metasploit and RainbowCrack (in the freeware world) and QualysGuard and WebInspect (in the commercial realm) is introducing an entirely new level of unintended side-effects and threats. Practically anyone can (and certainly will given the time) use these tools for malicious purposes and wreak havoc on your Windows network. That means you've got to use them too. Not just one time or every now and then. Security testing needs to be an ongoing part your Windows administrative duties. It's clearly a business function and there's clearly a business need.

   Editors note: See Kevin's upcoming webcast "Windows network vulnerability assessment: From A to Z" for more information on implementing a security testing program.

5. Goodbye to privacy and sensitive information when using wireless haphazardly
   A very serious yet often overlooked threat to the well-being of your Windows systems are when wireless hotspots are used in a careless way and communications are not secured the way they should be. There's a fallacy where people have the mindset of "I'm just going to hop online for a minute" or "it's just e-mail" or "no one's listening in". Unfortunately that's all it takes for users to digitally expose themselves and critical business assets. The business policy should be secure wireless or no wireless at all -- there's just too much too lose.

Be proactive, fight these threats, and get started today. That way you can go out enjoy a bite for Valentine's without having to worry about those bytes back at the office.

About the author: Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Kevin has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver @ principlelogic.com.