Top 10 security mistakes to avoid

Security management has a lot to do with details -- staying on top of the latest threats and patching flaws. But sometimes, it has more to do with the big picture and how you approach security management. Here are the top 10 security mistakes I've seen people make:

  1. Trusting people: The biggest threat to your IT security is ALWAYS the trusted employee. This is especially true of executives because poor personal security practices are just as dangerous (or more dangerous) as having a dishonest employee. If you ever need to cite an example, remember that one former CIA director actually accessed "company" files from his unsecured home PC. President Bill Clinton had to give Director John Deutch a Presidential Pardon to prevent prosecution.
  2. Thinking your OS/server/Web app/wireless network/whatever is already secure: Having confidence is a wonderful thing in business and life in general, but paranoia is KING in security.
  3. Failure to confirm that your disaster recovery plan actually works: Is that backup comprehensive? Is it scheduled (and actually done!) frequently enough? Can you restore your business from those backup tapes? And, most critical of all, is the backup kept physically secure and physically separate from your servers?
  4. Incorrectly prioritizing the protection of specific assets: Few of us have the resources to protect everything completely. In the real world, you need to know what the most important things are to your company so you can protect those assets the most. One size does NOT fit all.
  5. Failing to convince upper management of the need for security -- especially integrated security: If management doesn't support your measures, you might as well just take your paycheck and ignore real security. You can't have real security if you just add it AFTER designing and developing your network and applications.
  6. Forgetting that road warriors WILL use unsecured wireless access points: It doesn't matter what rules you make or how draconian the punishment, road warriors WILL ignore security rules when they feel it hurts their bottom line.
  7. Not properly managing passwords: Make them long and easy to remember -- initial letters of words in a favorite quotation are often a good choice; final letters of those words are even better.
     While we are on the subject of passwords, you need to balance the need to re-enter passwords against the fact that the more often users have to key them in, the simpler the passwords they will pick. Once a day is the minimum, but how about after lunch? Or each time a critical application or database is accessed? The answer is that it depends, and it is up to YOU to decide what it depends on.
     Keeping passwords, even strong ones, for too long a time is a major mistake. Not only does this give attackers a lot of time to test your system, but once you're hacked, you'll remain vulnerable for a long time.
  8. Supplying help desk support without thoroughly authenticating callers: Social engineering is still a serious threat.
  9. Mistaking obscurity for security: People WILL find that Web page you think is hidden -- even if you don't have a search function. Many search engines let people search just a specific URL.
  10. Writing down ALL your security measures and failing to properly secure that document: There's nothing like finding a guide to hacking a particular network. While you should write everything down, you have to protect that document better than anything else in your company.

Mistakes 11 through 99 are all the same: "Not being paranoid ENOUGH!"

Perhaps the most important security mistake is the one not on this list -- thinking the list doesn't apply to YOU.

I've left out a few obvious items, such as failure to update security software and not monitoring the need for updates, especially security updates -- I presume we are all professionals here. Obviously, this list will need to be adjusted to fit your specific needs, but if you feel I've missed something completely, please add your suggestions in the comments.

22 comments
ami_261

Hello, it's really a good article. It helped me a lot. Thank you.

nayeem.kn

Very true and professional points. All are valid. For me the following four are obvious, as I have direct experience with these.

1. Trusting people: The biggest threat to your IT security is ALWAYS the trusted employee. (If the trusted person has done something wrong, he will try to mend it without your knowledge, and that may sometimes lead to a bigger disaster.)

4. Incorrectly prioritizing the protection of specific assets: Few of us have the resources to protect everything completely. In the real world, you need to know what the most important things are to your company so you can protect those assets the most. One size does NOT fit all. (Prioritization is very important where deadlines and the stipulated timeframe are key to a project.)

7. Not properly managing passwords: Make them long and easy to remember -- initial letters of words in a favorite quotation are often a good choice; final letters of those words are even better. (Passwords can be hacked easily if they are very short and guessable.)

8. Supplying help desk support without thoroughly authenticating callers: Social engineering is still a serious threat. (Some helpdesk personnel do take advantage of the situation.)

d.pladgeman

So you lock down all access points to your network, and then what do you do? You produce backup tapes with all the important data on them, data that is important to you. So you send these off to an outside facility; the truck driver doesn't care about your data, it's just a parcel to him. What do you do if the tape is lost, or borrowed (to extract your valuable data)? Where is your data now? Time to look at data security in a holistic way. How many of you encrypt your backups? There are some white papers on this issue at http://www.theq3.com

Locrian_Lyric

-Failure to make security a 'habit'. Our company doesn't go in for punishments or threats; it will just inconvenience you if you violate security policy. Leave confidential documents out, and they get confiscated and a note is left to pick them up at security. Ditto for unsecured laptops. Pretty soon people get into the habit as they learn that the inconvenience of following the policies isn't nearly as bad as not following the policies. You could also add "failing to stress the importance of security." If you get the "Yeah, yeah" response, they're not taking it seriously. Another place I worked would periodically try to hack your passwords. If they succeeded, you would get an email detailing how long it took, and that your password had been reset. You would then have to go through a somewhat painful process to reset it again.

tundraroamer

You briefly touched on management. One of my biggest threats has been failure by management to keep up with, or even close to, newer software versions. While I understand that our current version of NT and related software works just fine, I can't fully patch it. Management complains when I start necking down what users can do to lessen the threat that I can't fully defend against. When bad things happen, I can only say "I told you so" so many times. So, management can hack your system by hamstringing it.

david.shane

The biggest mistake security people make is strapping systems down so that enterprise production is damaged. The enterprise does not exist to let you practice security. Security exists to serve the enterprise.

Neon Samurai

I thought I might have something to add; these two did jump out at me, though. 5. The only place I've seen a network admin actually granted the authority to apply real security outside of influence from job titles was on a military base. Civilian business still doesn't "get it" when talking about security. Worse still, try and convince managers already uncomfortable with their workstations that working in a secure manner does not have to be at the expense of getting work done. 10. I liked this one too. Here are all our admin passwords and security-related information hidden away on this publicly accessible website subfolder. In the case of the university I attended, if you needed to access the campus Wifi, you simply walked past the computer labs and read the super-secure network name and router password off the banner posted beside each lab door. There's a MAC filter on the router, so it should take anyone motivated about two minutes longer since they'll have to spoof.