…And although there are companies that blatantly violate the standards, security is a constantly changing condition, not a static one. Every time a company installs new programs, changes servers or alters its architecture, new vulnerabilities can be introduced. A company that is certified compliant one month can quickly become non-compliant the next month if administrators install and configure a new firewall incorrectly or if systems that were once carefully segregated become connected because an employee didn’t adhere to access restrictions. Companies that conduct audits also have to rely on their clients to be honest about disclosing what they have on their network — such as stored data.
To answer the question posed by the title of the Wired.com post – No. Therein lies the problem. [footnote] The nature of audits, in most professions, is that their usefulness is a function of the competency of those conducting them [/footnote]
Wired link: Will Target’s Lawsuit Finally Expose the Failings of Security Audits?
Moore’s census involved regularly sending simple, automated messages to each one of the 3.7 billion IP addresses assigned to devices connected to the Internet around the world (Google, in contrast, collects information offered publicly by websites). Many of the two terabytes (2,000 gigabytes) worth of replies Moore received from 310 million IPs indicated that they came from devices vulnerable to well-known flaws, or configured in a way that could to let anyone take control of them.
On Tuesday, Moore published results on a particularly troubling segment of those vulnerable devices: ones that appear to be used for business and industrial systems. Over 114,000 of those control connections were logged as being on the Internet with known security flaws. Many could be accessed using default passwords and 13,000 offered direct access through a command prompt without a password at all.
via Pinging the Whole Internet Reveals Unsecured Backdoors That Could Tempt Hackers and Cyber Criminals | MIT Technology Review.
Read the whole thing.