Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter, delivered each Tuesday!

An individual using a single workstation, a small business
with two or three PCs connected to the Net through a high-speed cable modem,
the team responsible for the security of an enterprise network: Regardless of
an organization’s size, they all face the same security challenges—keeping
intruders away from their private information.

Unfortunately, people tasked with security keep making the
same basic mistakes. Since it’s once again been a relatively quiet week in the
security world, I’m taking this opportunity to list the five worst security
practices found in businesses both large and small.

1. Failing to enforce policies

Number one with a bullet is failing to properly set security
policies, neglecting to train anyone with access to computers, and especially declining
to enforce an established policy.

It’s a truism that you get what you reward for and don’t see
as much of what you forbid. So if your organization wants good security
practices, it must establish a clearly enunciated set of policies. Among other
things, these policies must define basic usage rules, such as never opening
strange e-mails, surfing random sites on personal business, or downloading
files from the Web.

But security experts have been saying this for years, so why
isn’t it working? That’s simple: Even when there are policies in place, there are
seldom any real consequences for breaking the rules—or any reward for those who
don’t.

There are a few organizations, including
Harvard Medical School and Beth Israel Deaconess Medical Center, where
being responsible for a single security breach is grounds for termination for anyone
at any level. However, this practice is extremely rare, and few organizations,
if any, have established a point system tied to rewards for following good
practices.

Consider the impact that a significant prize for the
employee with the best security record could have on security. For example, everyone
could start with 100 points, losing one point for every out-of-policy security
mistake, even if it doesn’t result in actual damage or loss.

Establishing security policies that are more than a stack of
paper and providing employee incentives for such policies could go a long way
to helping organizations improve security.

2. Ignoring new vulnerabilities

Second on my list of the worst security mistakes is failing
to take appropriate action when new vulnerabilities surface.

Most security managers receive automatic notification of new
patches and/or monitor at least one security Web site. A significant number
even subscribe to security-related newsletters, such as IT Locksmith, which attempt
to filter out the noise and focus on serious problems.

But there is simply so much information available that many
people don’t even bother to read the alerts they subscribe to. A far smaller
number actually adjust policy or perform updates to fix the problems they do
learn about.

3. Relying too much on technology

Another big mistake is relying excessively on technological
fixes and paying too little attention to actually using them.

For example, if you tell upper management that you’ve
installed the top antivirus software or the latest star in the firewall world,
they’ll think you’ve done your job. But unless you’ve carefully configured that
firewall and maintained the antivirus software, you really haven’t done much of
anything.

Setting up a firewall properly in some environments can be
as much art as science. It isn’t a set-it-and-forget-it task any more than
installing antivirus software ends all your malware worries. Instead, you have
to keep tweaking the firewall to meet new needs, sometimes even blocking some
ports for a few weeks after a new port scanning epidemic surfaces.

And that goes back to the second biggest mistake—you have to
pay attention to new security updates and vulnerabilities as they emerge. For
example, to keep track of the top 10 ports that would-be attackers are
targeting, bookmark this SANS Web page.
For antivirus programs, you not only need to update signature files; you must also
monitor the need for patches to fix newly disclosed vulnerabilities in the
antivirus software itself.

Anti-spyware software is much less complex than antivirus
programs, so patches are seldom necessary. However, they require as much
attention to downloading the latest database information as do antivirus
programs.

Finally, don’t forget that all these security utilities
become worthless if you ignore the reports they generate.

4. Failing to thoroughly investigate job candidates

The fourth biggest mistake is failing to properly screen job
candidates for criminal records or even poor financial decisions, particularly
for candidates outside of the IT department.

Americans in particular feel that personal privacy is one of
the most important basic human rights, and they tend to respect others’ desires
for privacy, which often results in a reluctance to investigate the background
of job candidates. In fact, a
recent IT Locksmith discussion questioned whether it’s reasonable to use a
person’s financial history as a tool in deciding if he or she would make a
dependable employee.

Many readers questioned this practice despite the fact that companies
have widely employed it for two simple reasons. First of all, if people are
careless with their own finances, how well will they protect yours? Second, if
someone’s under financial pressure, he or she is more subject to outside
pressures to indulge in activities that compromise security.

Whether it’s due to poor planning, poor impulse control, or
simple carelessness, a recent bankruptcy in someone’s financial history is
always a big red flag unless there’s a very good explanation. It may be sad, it
may be unfortunate, but it’s a common practice because it works.5. Expecting too much from technical skills

The fifth biggest mistake—and this is one I see all the time—is
an unhealthy reliance on the IT staff’s technical skills for security planning.

When choosing someone to head up security, most managers see
nothing but the incredible complexity of networks and software, and they then
assume the best person for the job is the one with the most technical skills.
However, while technical knowledge is necessary, a gut feeling for security
along with a healthy dose of paranoia is far more important for the head of
security, provided someone on the IT team has the knowledge and skills related
to the technical side of software and hardware security.

Having a strong security background from a stint with a
university police department and more time with a detective agency, I can often
walk through a company and spot a dozen critical security errors, which render all
the best software security practices completely useless. If I wanted to
compromise some company’s IT security, I would either get a job with the
cleaning company or fake a UPS or FedEx uniform. I could walk in carrying a big
package and simply walk out with what I wanted in the previously empty box. Think
about it: Would that work at your business?

Final word

Last week, I listed some recent security breaches in
California. Since then, details of yet another information theft have come to
light, and this incident points out just how much security depends on an old-fashioned
cop mentality.

On March 11, someone walked into a University of California
Berkley office and walked
out with a laptop containing personal data about more than 98,000 people,
including Social Security numbers. This theft not only highlights the need for
simple and basic physical security, but it also emphasizes a misplaced reliance
on technology. Apparently, the university had instituted encryption technology.
However, while they had scheduled the laptop for encryption, no one had yet
encrypted the notebook’s hard drive at the time of the theft.

This theft, as well as the
data theft incidents at other California universities I described last time,
are even more striking when you consider that California State University is
presenting the third annual Information
Technology Security Conference in San Diego this month.

The irony abounds, especially in this quote: “Major
sponsorship from The California State University highlights the commitment of
the higher education community to understanding and addressing the issues
surrounding information security…” I was thinking of attending, but I balked
at the idea of providing registry information online!

Also watch for …

  • Although
    they’re years behind the curve on this, the U.S. Secret Service is now
    taking advantage of technology long popular in the scientific community
    for networking PCs to deal with massive computing problems. Dubbed the
    Distributed Networking Attack (DNA) program    , it links 4,000 PCs to
    decrypt files captured from bad guys, using the same approach the SETI@home
    project has used for years. The DNA project recently decrypted a WinZip-encrypted
    file in less than three hours.
  • Mozilla
    has released a second update to patch another vulnerability in Firefox. Released
    March 23, version
    1.0.2     fixes a buffer overflow threat that came from legacy Netscape
    Navigator code. Hmm, this sounds like the same sort of thing that’s always
    hitting Internet Explorer—too much reliance on legacy code.
  • Apple
    has patched nearly a dozen flaws in Mac OS X. For more details, check out
    this recent
    news article    .

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.