No matter how much we try, users — and sometimes even IT departments — overlook some security mistakes that are relatively easy to correct. In this article, I'll discuss 10 avoidable security mistakes and describe what you can do to correct the oversight.
1: Using poorly chosen passwords
There was a day when people thought that using the password "password" would be a surefire way to fool hackers and other miscreants. After all, who would use such an obvious password? Although most people now realize just how poor a password that is, so many still use equally obvious choices for passwords, particularly in this day of high social engagement. Take this for example: You cleverly use your anniversary year in your password along with the middle name of your oldest child. Both are easily retrieved on Facebook and through other means. Even organizations that have strong password policies can suffer from poorly chosen passwords when users attempt to work around the requirements.Fix it: Don't use obvious patterns in your password. Mix things up. Substitute exclamation points for the number 1, ampersand signs for the number eight, and the like. The more variety you place in a password, the more difficult it is to crack. If you're creating a password policy for your organization, require the use of characters from multiple character sets.
2: Never changing passwords
I've seen this in action too many times. People who keep the same password forever and use the same password on multiple sites are more likely to suffer a breach. Even in organizations that require password changes, some people try to find ways around having to change passwords on a periodic basis. For example, I once had an employee with domain admin rights who decided to exempt himself from the organization's password policy. He was reprimanded (although, in hindsight, I should have fired him for abusing his access rights) and made to comply with policy. Of course, these kinds of situations should be the exception, but how many people use the same or very similar passwords across multiple sites and change only one character in their password when it comes to expiration time?Fix it: Educate your users about the importance of good passwords and why changing them every so often is critical. As a part of your policy, consider using a third-party tool to disallow similar passwords at reset time and to create stronger passwords.
3: Not installing antivirus/anti-malware
This one is a given. If you're not running antivirus software of some kind in your environment, you're wrong. Even with the best firewalls, the concept of layered security still holds true. Anything that the firewall fails to catch can be handled by your antivirus software.Fix it: Install anti-malware software... now.
4: Not using a firewall or being too lax with a firewall
Whether you're at home or running IT for a business, a firewall should be considered required equipment. Although Windows and other operating systems include built-in firewalls, I have always preferred a hardware firewall of some kind, especially when used in conjunction with the aforementioned software firewall. Moreover, any firewall that is deployed should be deployed well.Fix it: Wherever possible, deploy a hardware firewall both at home and in the office. Make sure that firewall rules aren't allowing unnecessary traffic to make its way to the internal network.
5: Never patching machines
Operating system and application vendors release software patches for a reason. While many updates add new functionality, many also correct security flaws in products. I've seen plenty of home machines on which the user has disabled software updates. In the enterprise, patches can sometimes be avoided with the reasoning that the firewall at the edge of the network protects the organization. This isn't a good strategy, as valid traffic can still exploit vulnerabilities.
6: Insecurely storing data
How many of you have stored sensitive data — personal information or for work — on a USB thumb drive? Do you ever take that thumb drive with you out in public? I've seen a lot of USB storage attached, for example, to key rings and carried around. Further, that storage simply sits on people's desks and such.
Now, how many of you back up your organization's data to tape? Do those tapes go offsite and, if so, are they always under your control?
Unprotected data is a big deal. A single lost USB drive, laptop, iPad, or tape with the wrong information can land an organization in a mess financially, legally, and from a public relations perspective.Fix it: Make heavy use of encryption for anything that is portable. Most backup software can be configured to encrypt data on tapes and you can use tools such as BitLocker and BitLocker To Go to protect laptops and portable storage devices. For other mobile devices, such as iPads, consider deploying mobile management security software that separately encrypts and protects particularly sensitive information.
7: Being too generous with permissions
In the enterprise, permissions drive what people can and can't do. The easiest way to enable employees is to grant them carte blanche admin access to everything, but that would quickly devolve into chaos. So most organizations have a policy and structure under which they grant specific permissions based on work-related needs. Over time, unfortunately, "scope creep" comes into play. People change positions within the organization and old permissions are never removed or a temporary permissions increase is never removed, and so forth.Fix it: Make sure that there are clear permissions policies in your company. Your policies and procedures should include a periodic permissions review that matches current needs with existing permissions; permissions that are no longer necessary should be removed.
8: Choosing poor (or no) Wi-Fi security
Even with all the known risks regarding open Wi-Fi networks, there are still tons of them out there that are completely open and insecure. Some have taken the step of implementing Wired Equivalent Privacy (WEP) as a protection mechanism since it's widely supported, but WEP encryption can be cracked in as little as four seconds. That said, it's still better than no encryption at all, which carries its own risks.Fix it: Implement WPA at the bare minimum, or better yet, go with WPA2. WPA2 is a modern wireless security standard that is supported by most modern operating systems. When you implement WPA2, choose a good wireless password, too. It shouldn't be too easy to guess or your wireless protection will be for naught. WPA2 can still be cracked, but cracking WPA2 is far more difficult than cracking WEP or WPA.
9: Avoiding basic mobile device security
Mobile devices will become a hacker's paradise in the coming years. Most people walk around with devices that have unencrypted personal information of some kind and these devices are accessible at a moment's notice. They can also be lost or stolen. I mentioned previously that you should consider what kind of information is on a mobile device and remove anything too sensitive or you should consider software that can compartmentalize sensitive information. But you should also keep the casual snooper from being able to easily access information.Fix it: It's basic, but at the very least, impose some kind of passcode requirement for mobile device users who access company information. While this will not keep determined adversaries from getting information they want, it will thwart the causal snooper who might pick up the device.
10: Never testing backups
Let's suppose that all of your other security mechanisms fail and your environment is so severely compromised, the systems and data are no longer trusted. At that point, it might be time to consider restoring the environment from backup. However, horror stores abound about companies that have attempted to recover from backups only to discover that:
- The backed up files were corrupted.
- The backup tapes were bad.
- No files were actually being backed up even though the tapes were being swapped each night.
None of the above is good and can place an organization in a terrible state.Fix it: Immediately implement policies and procedures that require regular testing of backups. In addition, consider implementing a tiered backup system that backs up data from disk to another disk-based system and from there, to tape or to another offsite, off-network service that can't be compromised in the event of an attack.
Additional security topics
- 10 security problems you might not realize you have
- Five security risks introduced with smartphones in the enterprise
- 10 things you should do to securely dispose of computers
- Five tips for securely destroying data
- Top 10 security mistakes to avoid
- 10 best practices for Windows security
- Five desktop security tips that are easily overlooked
- Top 10 IT Security posts of 2011
- 10 ways to safeguard your college-bound student's computer
Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive with CampusWorks, Inc. Scott is available for consulting, writing, and speaking engagements and can be reached at firstname.lastname@example.org.