I had the pleasure of being in a meeting room a few weeks ago in a large, respected company with some of their technical experts discussing the security considerations for a project I am consulting on.
Since I am paranoid about security, I obviously tried to push that they upped the security on the system dramatically (they are hosting it and will eventually take over the responsibility for securing it). It was just so startling to witness their responses to many of my recommendations, that I started to realise exactly how ignorant many people are towards IT security.
Specifically, two statements freaked me out completely. One of their technical experts told me that I am being overly paranoid for wanting to install a firewall on the server, since the server is not exposed to the Internet but part of the Retail Network.
My response to this was that most attacks usually come from inside the network - not from the outside, and secondly that exposing services such as NFS and RPC to the outside is like having an open invite to all script kiddies and crackers alike.
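To make the "firewall on an internal server" argument concrete, here is an added example (not code from the original post or from the company in question): it builds a default-deny host firewall ruleset in iptables-restore format and then audits that ruleset to confirm RPC portmapper and NFS are not reachable from the rest of the network. The port numbers, the admin subnet and the list of allowed services are assumed values.

```python
"""Added example, not from the original post: generate a default-deny host
firewall ruleset (iptables-restore format) for an internal server and check
that the RPC portmapper and NFS ports are not opened to remote hosts.
Ports, admin subnet and allowed services are assumptions for illustration."""

PORTMAPPER, NFS = 111, 2049  # the services the post names as an open invite


def build_ruleset(allowed_tcp_ports, admin_cidr):
    """Return iptables-restore text with INPUT policy DROP.

    Loopback and already-established traffic are accepted, SSH is accepted
    only from admin_cidr, and only the listed TCP ports are accepted from
    anywhere else. Everything remaining is logged (rate limited) and then
    discarded by the chain policy, so a service such as NFS that is listening
    but not on the list is simply unreachable.
    """
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m state --state INVALID -j DROP",
        f"-A INPUT -p tcp --dport 22 -s {admin_cidr} -m state --state NEW -j ACCEPT",
    ]
    for port in sorted(set(allowed_tcp_ports)):
        lines.append(f"-A INPUT -p tcp --dport {port} -m state --state NEW -j ACCEPT")
    lines.append('-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "')
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def accepted_ports(ruleset):
    """Set of TCP destination ports that some ACCEPT rule in the ruleset opens."""
    ports = set()
    for line in ruleset.splitlines():
        parts = line.split()
        if "--dport" in parts and "ACCEPT" in parts:
            ports.add(int(parts[parts.index("--dport") + 1]))
    return ports


def exposes_rpc_or_nfs(ruleset):
    """True if the ruleset lets remote hosts reach portmapper (111) or NFS (2049)."""
    return bool({PORTMAPPER, NFS} & accepted_ports(ruleset))


if __name__ == "__main__":
    # Constructed scenario: a web server that should only serve HTTP/HTTPS,
    # with administration from the 10.0.5.0/24 network.
    rules = build_ruleset([80, 443], "10.0.5.0/24")
    print(rules)
    print("RPC/NFS reachable from the network:", exposes_rpc_or_nfs(rules))
```

The generated text is loaded with `iptables-restore < rules.txt` as root; review the SSH line against the subnet you actually administer from before applying it, since a wrong `admin_cidr` on a DROP-policy chain locks you out of the box.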
The second statement that shocked me was actually a response to me asking them about their policies regarding the patching of system services, such as Apache (they run Red Hat Enterprise Linux). The other guy (their Linux expert) in the meeting room asked me why I would want to patch a system service if it passed QA at go-live and it is working.
Needless to say, there is something called security patches fixing fundamental flaws being discovered daily in applications - and once publicly disclosed every script kiddie out there has access to that exploit information. It is only a matter of time before they deface the system.
And I have proof - security vulnerabilities in PHP discovered in October (see CAN-2004-1019 and CAN-2004-1065) were exploited by a cracker on the 10th of December 2004 on our company web server running phpBB 2.0.8, and they uploaded DDoS scripts flooding the network with ICMP pings. UUNET shut down our network access because of this, causing a DoS on our web server. Apart from the embarrassment and denial of service, they could have done much worse things. Fortunately we stopped them quickly and patched our system. Would this have occurred if we had applied the security patches in time? Definitely not using this vulnerability.
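The "it passed QA, why patch it" position falls down as soon as you compare what is installed against what the advisories say is fixed. Here is an added example (not the post's own code, and the package inventory and advisory identifiers in it are constructed, not real advisories) that does exactly that comparison: it orders versions with a simplified form of RPM's segment-by-segment rule (numeric segments as integers, alphabetic ones lexically, numeric beats alphabetic, the version with segments left over is newer; epoch and tilde handling are left out) and reports every package still below its fixed version.

```python
"""Added example, not part of the original post: flag installed packages that
are older than the version an advisory names as the fix.

The version comparison is a simplified rpmvercmp: split into numeric and
alphabetic segments, compare numeric segments as integers and alphabetic ones
lexically, a numeric segment outranks an alphabetic one, and whichever version
still has segments left over is newer. Epoch and tilde handling are omitted.
The inventory and advisory data below are constructed for illustration."""
import re

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x_num != y_num:
            # a numeric segment counts as newer than an alphabetic one
            return 1 if x_num else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def outdated_packages(installed, advisories):
    """Return (package, installed_version, fixed_version, advisory_id) for
    every installed package whose version is below the advisory's fix."""
    findings = []
    for adv in advisories:
        have = installed.get(adv["package"])
        if have is not None and rpmvercmp(have, adv["fixed"]) < 0:
            findings.append((adv["package"], have, adv["fixed"], adv["id"]))
    return findings


# Constructed sample inventory (what a box reports) and a constructed
# advisory feed; the ADV-EXAMPLE identifiers and fixed versions are made up.
INSTALLED = {"php": "4.3.2", "httpd": "2.0.46", "phpBB": "2.0.8"}
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "php", "fixed": "4.3.10"},
    {"id": "ADV-EXAMPLE-2", "package": "httpd", "fixed": "2.0.46"},
    {"id": "ADV-EXAMPLE-3", "package": "phpBB", "fixed": "2.0.11"},
]

if __name__ == "__main__":
    for pkg, have, fixed, adv in outdated_packages(INSTALLED, ADVISORIES):
        print(f"{pkg}: installed {have} is below fixed {fixed} ({adv})")
```

On a real Red Hat host the installed dictionary would come from `rpm -qa --queryformat '%{NAME} %{VERSION}\n'` and the advisory list from the vendor's errata feed; the point of the script is that "it works" and "it is below the fixed version" are independent facts, and only the second one tells you whether the box is exploitable.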
I just so wish I could find a way of educating IT managers and directors on the importance of especially system and application level security.