
Top 10 security mistakes to avoid


Security management has a lot to do with details -- staying on top of the latest threats and patching flaws. But sometimes, it has more to do with the big picture and how you approach security management. Here are the top 10 security mistakes I've seen people make:

  1. Trusting people: The biggest threat to your IT security is ALWAYS the trusted employee. This is especially true of executives, because poor personal security practices are just as dangerous as (or more dangerous than) having a dishonest employee. If you ever need to cite an example, remember that one former CIA director actually accessed "company" files from his unsecured home PC. President Bill Clinton had to give Director John Deutch a Presidential Pardon to prevent prosecution.
  2. Thinking your OS/server/Web app/wireless network/whatever is already secure: Having confidence is a wonderful thing in business and life in general, but paranoia is KING in security.
  3. Failure to confirm that your disaster recovery plan actually works: Is that backup comprehensive? Is it scheduled (and actually done!) frequently enough? Can you restore your business from those backup tapes? And, most critical of all, is the backup kept physically secure and physically separate from your servers?
  4. Incorrectly prioritizing the protection of specific assets: Few of us have the resources to protect everything completely. In the real world, you need to know what the most important things are to your company so you can protect those assets the most. One size does NOT fit all.
  5. Failing to convince upper management of the need for security, especially integrated security: If management doesn't support your measures, you might as well just take your paycheck and ignore real security. You can't have real security if you just add it AFTER designing and developing your network and applications.
  6. Forgetting that road warriors WILL use unsecured wireless access points: It doesn't matter what rules you make or how draconian the punishment, road warriors WILL ignore security rules when they feel it hurts their bottom line.
  7. Not properly managing passwords: Make them long and easy to remember. Initial letters of words in a favorite quotation are often a good choice; final letters of those words are even better.
     While we are on the subject of passwords, you need to balance the need to re-enter passwords against the fact that the more often users have to key them in, the simpler the passwords they will pick. Once a day is the minimum, but how about after lunch? Or each time a critical application or database is accessed? The answer is that it depends, and it is up to YOU to decide what it depends on.
     Keeping passwords, even strong ones, for too long a time is a major mistake. Not only does this give attackers a lot of time to test your system, but once you're hacked, you'll remain vulnerable for a long time.
  8. Supplying help desk support without thoroughly authenticating callers: Social engineering is still a serious threat.
  9. Mistaking obscurity for security: People WILL find that Web page you think is hidden, even if you don't have a search function. Many search engines let people search just a specific URL.
  10. Writing down ALL your security measures and failing to properly secure that document: There's nothing like finding a guide to hacking a particular network. While you should write everything down, you have to protect that document better than anything else in your company.
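As an added illustration of the mnemonic method in item 7 (this code is not from the article), the snippet below derives the initial-letter and final-letter variants from a quotation, rejects results that are too short, and applies the maximum-age check that item 7 warns about. The quotation and the 90-day limit are constructed values for the example, not figures from the article.

```python
import string
from datetime import date

# Constructed sample quotation for the example; a user would pick their own.
QUOTATION = "Four score and seven years ago, our fathers brought forth"


def mnemonic_password(quotation: str, position: str = "initial",
                      min_length: int = 8) -> str:
    """Derive a password from the first or last letter of each word.

    Each word contributes one letter. Punctuation trailing a word (",", "!")
    is kept, which adds non-alphabetic characters the user does not have to
    memorise separately. Raises ValueError if the result is shorter than
    min_length, i.e. the quotation needs to be longer.
    """
    if position not in ("initial", "final"):
        raise ValueError("position must be 'initial' or 'final'")
    pieces = []
    for word in quotation.split():
        core = word.strip(string.punctuation)  # letters/digits only
        if not core:
            continue  # a lone dash or ellipsis contributes nothing
        pieces.append(core[0] if position == "initial" else core[-1])
        # Keep whatever punctuation trailed the word, e.g. "ago," -> ","
        pieces.append(word[len(word.rstrip(string.punctuation)):])
    password = "".join(pieces)
    if len(password) < min_length:
        raise ValueError("quotation too short; choose a longer one")
    return password


def password_expired(last_changed: date, today: date,
                     max_age_days: int = 90) -> bool:
    """True once a password has been in use for max_age_days or longer.

    90 days is an assumed policy value for the example; the article gives none.
    """
    return (today - last_changed).days >= max_age_days


if __name__ == "__main__":
    print(mnemonic_password(QUOTATION, "initial"))
    print(mnemonic_password(QUOTATION, "final"))
    print(password_expired(date(2024, 1, 1), date(2024, 4, 1)))
```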

Mistakes 11 through 99 are all the same: "Not being paranoid ENOUGH!"

Perhaps the most important security mistake is the one not on this list -- thinking the list doesn't apply to YOU. 

I've left out a few obvious items, such as failure to update security software and not monitoring the need for updates, especially security updates -- I presume we are all professionals here. Obviously, this list will need to be adjusted to fit your specific needs, but if you feel I've missed something completely, please add your suggestions in the comments.

ami_261

Hello, it's really a good article. It helped me a lot. Thank you.

nayeem.kn

Very true and professional points. All are valid. For me the following four are obvious, as I have direct experience with these.
1. Trusting people: The biggest threat to your IT security is ALWAYS the trusted employee. (If the trusted person has done something wrong, he will try to mend it without your knowledge, and that may sometimes lead to a bigger disaster.)
4. Incorrectly prioritizing the protection of specific assets: Few of us have the resources to protect everything completely. In the real world, you need to know what the most important things are to your company so you can protect those assets the most. One size does NOT fit all. (Prioritization is very important where deadlines and the stipulated timeframe are key to a project.)
7. Not properly managing passwords: Make them long and easy to remember. Initial letters of words in a favorite quotation are often a good choice; final letters of those words are even better. (Passwords can be hacked easily if they are very short and guessable.)
8. Supplying help desk support without thoroughly authenticating callers: Social engineering is still a serious threat. (Some helpdesk personnel do take advantage of the situation.)

d.pladgeman

So you lock down all access points to your network, and then what do you do? You produce backup tapes with all the important data on them, data that is important to you. So you send these off to an outside facility; the truck driver doesn't care about your data, it's just a parcel to him. What do you do if the tape is lost, or borrowed (to extract your valuable data)? Where is your data now? Time to look at data security in a holistic way. How many of you encrypt your backups? There are some white papers on this issue at http://www.theq3.com

Locrian_Lyric

- Failure to make security a 'habbit'. Our company doesn't go in for punishments or threats; it will just inconvenience you if you violate security policy. Leave confidential documents out, and they get confiscated and a note is left to pick them up at security. Ditto for unsecured laptops. Pretty soon people get into the habit as they learn that the inconvenience of following the policies isn't nearly as bad as not following the policies. You could also add "failing to stress the importance of security." If you get the "Yeah, yeah" response, they're not taking it seriously. Another place I worked would periodically try to hack your passwords. If they succeeded, you would get an email detailing how long it took, and that your password had been reset. You would then have to go through a somewhat painful process to reset it again.

tundraroamer

You briefly touched on management. One of my biggest threats has been failure by management to keep up with, or even close to, newer software versions. While I understand that our current NT version and related software work just fine, I can't fully patch them. Management complains when I start necking down what users can do to lessen the threat that I can't fully defend against. When bad things happen, I can only say "I told you so" so many times. So, management can hack your system by hamstringing it.

david.shane

The biggest mistake security people make is strapping systems down so that enterprise production is damaged. The enterprise does not exist to let you practice security. Security exists to serve the enterprise.

Neon Samurai

I thought I may have something to add; these two did jump out at me, though. 5. The only place I've seen a network admin actually granted the authority to apply real security outside of influence from job titles was on a military base. Civilian business still doesn't "get it" when talking about security. Worse still, try and convince managers already uncomfortable with their workstations that working in a secure manner does not have to be at the expense of getting work done. 10. I liked this one too. Here are all our admin passwords and security-related information, hidden away on this publicly accessible website subfolder. In the case of the university I attended, if you need to access the campus Wi-Fi, simply walk past the computer labs and read the super-secure network name and router password off the banner posted beside each lab door. There's a MAC filter on the router, so it should take anyone motivated about two minutes longer since they'll have to spoof.

levi.rogers

I was recently at a security seminar where the speaker focused on this issue for quite a while. If you think about it, all the network security in the world isn't going to help you if your information assets are walking out the door.

dmaster

Might want to also check with Merriam-Webster (or a spell checker). That could be a good habit (not habbit). You might also have a defective keyboard, so you might want to test the repeat values? Let's all be proactive and look at biometric security. Passwords are only as good as those that use them. Security is extremely important and should be emphasized to every person on a corporate network. Administrators should monitor server and network activity for violations and/or threats. However, we don't quite live in a perfect world. Therefore other "business needs" often take priority over the business model.

tundraroamer

One way I train users that "forget" to log off at night is to do it for them. In the morning they find their desktop a horrible color and all the icons in either a smiley face or a frowny face, depending on whether they have done it before. Then they get to reset their password. Again and again and again, until they learn to log off correctly. I have had some people take a week to 10 days to figure it out. The worst offenders are then locked out and an e-mail is sent to the supervisor reporting why. Let them deal with the issue. Even now, I occasionally see one of the bad desktops still in use years later. Maybe they liked it after all. Maybe the user policy actually applied, preventing desktop changes... :)

dlittle

I believe that one of the items that was missed on the list, and should really be at the top, is end user training. Failing to train the users on security measures, such as "Why you shouldn't open email from unknown senders" or simply "What is a virus and how to prevent them?" Through education you can gain support from your user community for your security measures.

blackburne99

Of course, security is important, but it isn't an end in itself. We have a pocket Hitler as our security manager, and productivity suffers hugely. Not just because of what you can't do, but also because of the impact on execution time of having AV software running almost permanently on every PC. The PCs are mostly old, and performance suffers, but it doesn't matter because everything is 'secure'.

Clint Hartner

The same principle applies to anyone who walks away from their machine without locking it up. It's way too easy for someone to walk up and have instant access, and in some cases the ability to grant themselves elevated access (and audit logs aren't any help to track this one down). I have found that showing users that they can quickly lock the machine using the Windows key + 'L' shortcut.

boxfiddler

Experience on my campus is that inevitably a percentage of those 'educated' ignore the lesson and open those emails and attachments, as well as continue to run Limewire and the like. Furthermore, in at least one of the student computer labs, the head of that department refuses to maintain data on a network drive, doesn't enforce any backup policies, allows the use of Limewire and the like by the students, etc... Why she still has her job, and why our network is still highly functional, I often wonder.

arran.price

See, to me the issue appears to be: "The PCs are mostly old." If performance is suffering because you cannot otherwise protect your machines, perhaps there is a need to upgrade/replace those PCs.

zyphlar

Who's the first person you'll blame when you catch a worm and lose weeks of productivity, all because the virus scanner was disabled? You frequently can't have the best of both worlds, and I ran into this same problem at my job: everyone complained of slow computing when we installed AV software, so I was forced to disable on-access scanning. In addition, some people insist on using software that requires local admin privileges. Now there's a worm loose and guess who gets the blame and wasted man-hours? It certainly isn't mister road warrior who downloaded Naked Dancing Pig screensavers. You might be saying I need perimeter AV scanning and IDS AV scanning, but I either already have it or it's too costly for my manager's tastes. My point is, in an organization that wants to have the best of all worlds, security frequently gets the squeeze and the eventual result isn't good for anyone.

vbnomad

This is a matter of looking out for yourself as much as your company. Leave a machine open, and someone walks up and sends an email - from your account - telling off management or carrying a really bad attachment. Will you avoid being fired long enough to prove it wasn't you? The potential cost of leaving your system open and unattended is just too great.

andrew

Experience isn't everything, but you have a situation where security is minimal and yet the lab/system continues to work. The lesson you are not learning here is that the security risk is far less real than the 'security people' make out. That said, I agree, better to be safe than sorry, so close the lab till the professor toes the line.

zyphlar

All the talk about best practices and security measures gets watered down when "we're doing just fine without them." Of course when it stops being just fine it's IT's fault, and instead of implementing system-level security we should have wasted man-hours on something like walking to each computer, manually testing every file in a backup, etc.

RknRlKid

...perhaps there is a need to replace the operating system! :D (With kudos to the Linus aficionados here)
