Takeaway: What’s worse than
getting hit with a security breach? Getting hit with an easily preventable one.
No matter how much we
try, users — and sometimes even IT departments — overlook some security
mistakes that are relatively easy to correct. In this article, I’ll discuss 10
avoidable security mistakes and describe what you can do to correct the
oversight.
1: Using poorly chosen passwords
There was a day when people thought that using the password “password” would be a surefire way to fool hackers and other miscreants. After all, who would use such an obvious password? Although most people now realize just how poor a password that is, many still use equally obvious choices, particularly now that so much personal detail is posted on social networks. Take this for example: You cleverly use your anniversary year in your password along with the middle name of your oldest child. Both are easily retrieved on Facebook and through other means. Even organizations that have strong password policies can suffer from poorly chosen passwords when users attempt to work around the requirements.
Fix it: Don’t build passwords from things an attacker can look up or guess: names, dates, the company name, the season and the year. Don’t rely on character substitutions either. Swapping “!” for “1” or “@” for “a” is the first thing every password-cracking rule set tries, so “P@ssw0rd!” falls about as fast as “password”. Length beats trickery: a long passphrase of several unrelated words, or a random string kept in a password manager, is far harder to crack than a short password with forced symbols. If you’re creating a password policy for your organization, set a generous minimum length, check new passwords against a list of common and known-breached passwords, and let users paste from a password manager rather than forcing them to type.
2: Never changing passwords
I’ve seen this in action too many times. People who keep the same password forever and reuse it on multiple sites are the easiest targets for credential stuffing: once that password leaks from one site, it is tried against every other account they own. Even in organizations that require password changes, some people try to find ways around having to change passwords on a periodic basis. For example, I once had an employee with domain admin rights who decided to exempt himself from the organization’s password policy. He was reprimanded (although, in hindsight, I should have fired him for abusing his access rights) and made to comply with policy. Of course, these kinds of situations should be the exception, but how many people use the same or very similar passwords across multiple sites and change only one character in their password when it comes to expiration time?
Fix it: Educate your users about the importance of good passwords and, above all, about never reusing a work password anywhere else. Change a password promptly whenever there is any sign it has been exposed, and make a password manager available so users have no excuse for reuse. Be aware that forced expiration on a fixed schedule has fallen out of favor (NIST SP 800-63B now advises against it) precisely because it produces the “Summer2023 becomes Summer2024” behavior described above. If you do require periodic changes, use a tool at reset time that rejects passwords similar to the previous one and screens new ones against breached-password lists.
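The two password points above (predictable substitutions in item 1, one-character changes at reset time in item 2) can be enforced in the same check. The following is an added example, not code from the original article: a small password-policy filter that normalizes leet substitutions and stripped suffixes before comparing against a blocklist, and rejects a new password that is too close to the previous one. The blocklist and the sample passwords are constructed for the example; a real deployment would use a breached-password corpus of millions of entries.

```python
import difflib
import itertools
import re
from typing import Optional

# Constructed blocklist for this example. A real deployment checks against a
# breached-password corpus with many millions of entries, not a dozen words.
COMMON_PASSWORDS = {
    "password", "password1", "letmein", "welcome", "qwerty", "admin",
    "monkey", "dragon", "iloveyou", "sunshine", "football", "summer",
}

# Substitutions that every cracking rule set undoes. A few symbols stand for
# more than one letter, so those expand to several candidates.
LEET = {"@": "a", "4": "a", "8": "b", "3": "e", "0": "o", "$": "s", "5": "s", "7": "t"}
AMBIGUOUS = {"1": "il", "!": "il", "|": "il"}


def candidates(password: str, max_ambiguous: int = 8) -> set:
    """Return the plain words a cracker would derive from this password.

    Lower-cases it, drops the trailing digits and symbols people append to
    satisfy complexity rules ("Summer2024!" -> "summer"), then undoes leet
    substitutions ("P@ssw0rd" -> "password").
    """
    base = re.sub(r"[^a-z]+$", "", password.lower())
    options = [LEET.get(ch) or AMBIGUOUS.get(ch) or ch for ch in base]
    if sum(len(o) > 1 for o in options) > max_ambiguous:
        return {base}  # too many expansions; fall back to the bare form
    return {"".join(combo) for combo in itertools.product(*options)}


def too_similar(new: str, old: str, threshold: float = 0.8) -> bool:
    """Catch 'change one character' resets such as Summer2023! -> Summer2024!."""
    if candidates(new) & candidates(old):
        return True
    return difflib.SequenceMatcher(None, new.lower(), old.lower()).ratio() >= threshold


def check_password(password: str, previous: Optional[str] = None, min_length: int = 12) -> list:
    """Return the policy violations for a proposed password (empty list = accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidates(password) & COMMON_PASSWORDS:
        problems.append("common password (predictable substitutions do not help)")
    if re.search(r"(19|20)\d\d", password):
        problems.append("contains a year")
    if previous is not None and too_similar(password, previous):
        problems.append("too similar to the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: two classic workarounds and one passphrase.
    for pw, prev in [("P@ssw0rd!", None), ("Summer2024!", "Summer2023!"),
                     ("correct horse battery staple", None)]:
        print(f"{pw!r}: {check_password(pw, prev) or 'accepted'}")
```

The normalization step is the important part: a blocklist that only contains “password” is useless if “P@ssw0rd1” sails past it, because that is exactly the transformation a cracker’s rule file applies in the other direction.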
3: Not installing antivirus/anti-malware
This one is a given. If you’re not running anti-malware software of some kind in your environment, you’re wrong. Even with the best firewalls, the concept of layered security still holds true: a firewall decides which traffic may pass, but it does not inspect what a user downloads, opens, or plugs in. Malware that arrives over an allowed channel (an e-mail attachment, a web download, a USB stick) is the endpoint protection’s job to catch, and endpoint protection will not catch everything either, which is exactly why the other nine items on this list matter.
Fix it: Install anti-malware software on every endpoint and server… now. Keep its signatures and engine updating automatically, and make sure its alerts go somewhere a person will actually see them.
4: Not using a firewall or being too lax with a firewall
Whether you’re at home or running IT for a business, a firewall should be considered required equipment. Although Windows and other operating systems include built-in firewalls, I have always preferred a hardware firewall of some kind, especially when used in conjunction with the aforementioned software firewall. Moreover, any firewall that is deployed should be deployed well: a firewall with an “allow any” rule near the top, or one whose rule base has grown for years without review, provides little more than a false sense of security.
Fix it: Wherever possible, deploy a hardware firewall both at home and in the office, and keep the host firewalls on as well. Start from default deny for inbound traffic, open only the ports and sources a service actually needs, and review the rule base periodically to remove rules whose reason nobody can remember. Outbound rules deserve attention too; restricting what internal hosts may reach limits the damage when one of them is compromised.
5: Never patching machines
Operating system and application vendors release software patches for a reason. While many updates add new functionality, many also correct security flaws in products, and once a patch is public, attackers compare the patched and unpatched versions to work out what it fixed. I’ve seen plenty of home machines on which the user has disabled software updates. In the enterprise, patches are sometimes skipped with the reasoning that the firewall at the edge of the network protects the organization. This isn’t a good strategy: the exploit arrives inside traffic the firewall is configured to allow, such as a web page the user visits, an e-mail attachment, or a document, and the firewall sees nothing wrong with it.
Fix it: Patch machines! Turn on automatic updates at home. In your organization, implement patch management policies and procedures that cover third-party applications (browsers, PDF readers, Java, Office) as well as the operating system, track which machines are behind, and give priority to patches for flaws that are being actively exploited.
6: Insecurely storing data
How many of you have stored sensitive data, personal or for work, on a USB thumb drive? Do you ever take that thumb drive with you out in public? I’ve seen a lot of USB storage attached to key rings and carried around, and plenty more simply sitting on people’s desks.
Now, how many of you back up your organization’s data to tape? Do those tapes go offsite and, if so, are they always under your control?
Unprotected data is a big deal. A single lost USB drive, laptop, iPad, or tape with the wrong information can land an organization in a mess financially, legally, and from a public relations perspective. A lost device that was encrypted, with the key held elsewhere, is an inconvenience; a lost device that wasn’t is a breach.
Fix it: Make heavy use of encryption for anything that is portable. Most backup software can be configured to encrypt data on tapes, and you can use tools such as BitLocker and BitLocker To Go to protect laptops and portable storage devices. Keep the encryption and recovery keys somewhere other than the device itself (for BitLocker, escrow recovery keys in Active Directory), and treat an unencrypted USB stick as something policy forbids rather than merely discourages. For other mobile devices, such as iPads, consider deploying mobile device management software that enforces device encryption and separately encrypts and protects particularly sensitive information.
7: Being too generous with permissions
In the enterprise, permissions drive what people can and can’t do. The easiest way to enable employees is to grant them carte blanche admin access to everything, but that would quickly devolve into chaos, and it would mean that a single phished account or infected workstation hands an attacker the whole environment. So most organizations have a policy and structure under which they grant specific permissions based on work-related needs. Over time, unfortunately, privilege creep comes into play. People change positions within the organization and old permissions are never removed, a temporary permissions increase is never revoked, and so forth, until long-tenured staff have accumulated access that no single role would ever justify.
Fix it: Make sure that there are clear permissions policies in your company, built around least privilege: grant what the role needs and nothing more. Your policies and procedures should include a periodic permissions review that matches current needs with existing permissions; permissions that are no longer necessary should be removed. Give every temporary grant an expiry date and an owner, and make administrative groups (Domain Admins and the like) the first thing reviewed, not the last.
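A periodic permissions review is mostly a comparison between what a role is supposed to have and what the directory says the person actually has. As an added example (not code from the original article), here is that comparison in Python over constructed data: a role-to-entitlement matrix, a snapshot of group memberships as a directory export would provide them, and a register of temporary grants with expiry dates. The role names, group names and users are all invented for the example.

```python
from datetime import date

# Constructed sample data: what each role is entitled to, a snapshot of current
# group memberships, and the register of temporary grants. In practice the
# memberships come from a directory export (e.g. an LDAP or AD query).
ROLE_ENTITLEMENTS = {
    "helpdesk": {"HelpdeskOps", "PasswordReset"},
    "finance": {"FinanceShare", "ERP-Users"},
    "sysadmin": {"ServerAdmins", "BackupOperators"},
}

USERS = [
    # asmith moved from helpdesk to finance; the old group was never removed.
    {"user": "asmith", "role": "finance",
     "groups": {"FinanceShare", "ERP-Users", "HelpdeskOps"}},
    # bjones was given Domain Admins "temporarily" for a migration project.
    {"user": "bjones", "role": "sysadmin",
     "groups": {"ServerAdmins", "BackupOperators", "Domain Admins"}},
    {"user": "cdoe", "role": "helpdesk",
     "groups": {"HelpdeskOps", "PasswordReset"}},
]

TEMP_GRANTS = [
    {"user": "bjones", "group": "Domain Admins", "expires": date(2024, 1, 31)},
]

# Groups whose membership is always surfaced for re-confirmation, even when the
# role justifies it, because the blast radius of a compromised member is large.
HIGH_PRIVILEGE = {"Domain Admins", "Enterprise Admins", "ServerAdmins"}


def review_permissions(users, role_entitlements, temp_grants, today):
    """Compare each user's actual memberships with what their role justifies.

    Returns a list of (user, group, reason) findings. Memberships covered by an
    unexpired temporary grant are not reported; expired grants are.
    """
    grants = {(g["user"], g["group"]): g["expires"] for g in temp_grants}
    findings = []
    for u in users:
        allowed = role_entitlements.get(u["role"])
        if allowed is None:
            findings.append((u["user"], "*", f"unknown role {u['role']!r}"))
            allowed = set()
        for group in sorted(u["groups"] - allowed):
            expiry = grants.get((u["user"], group))
            if expiry is None:
                findings.append((u["user"], group, "not justified by current role"))
            elif expiry < today:
                findings.append((u["user"], group, f"temporary grant expired {expiry}"))
            # otherwise: an active, documented temporary grant; nothing to report
        for group in sorted((u["groups"] & allowed) & HIGH_PRIVILEGE):
            findings.append((u["user"], group, "high-privilege membership, confirm still needed"))
    return findings


if __name__ == "__main__":
    for user, group, reason in review_permissions(USERS, ROLE_ENTITLEMENTS, TEMP_GRANTS, date(2024, 6, 1)):
        print(f"{user:8} {group:18} {reason}")
```

Run on a given date, the review flags asmith’s leftover helpdesk group, bjones’s expired Domain Admins grant, and bjones’s standing ServerAdmins membership for re-confirmation; run it before the grant expired and the Domain Admins line disappears, which is the point of recording an expiry with every temporary grant.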
8: Choosing poor (or no) Wi-Fi security
Even with all the known risks regarding open Wi-Fi networks, there are still tons of them out there that are completely open and insecure. Some have taken the step of implementing Wired Equivalent Privacy (WEP) as a protection mechanism since it’s widely supported, but WEP’s design is broken: freely available tools recover a WEP key within minutes of capturing traffic. For practical purposes a WEP network should be treated as an open one; the only thing it keeps out is someone who can’t be bothered to run a tool.
Fix it: Implement WPA at the bare minimum, or better yet, go with WPA2, and use WPA3 where your equipment supports it. WPA2 is supported by every modern operating system, and the original WPA (with TKIP) has known weaknesses of its own and is deprecated. When you implement WPA2, choose a good wireless password, too. It shouldn’t be too easy to guess or your wireless protection will be for naught: in WPA2-Personal the network key is derived from the passphrase and the network name, and anyone who captures a client joining the network can test passphrase guesses offline at their leisure, so a short or dictionary-based passphrase falls quickly while a long random one does not. For an organization, WPA2-Enterprise (802.1X with per-user credentials) avoids the shared passphrase altogether. WPA2 can still be attacked, but WPA2 with a strong passphrase is far more difficult to break than WEP or WPA.
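To make the “choose a good wireless password” point concrete, here is an added example (not from the original article) that derives the WPA2-Personal master key exactly as the standard does, using only Python’s standard library, and then runs a small offline dictionary attack against it. The network name, passphrases and word list are constructed for the example. The attack is simplified in one respect, noted in the code: a real tool checks each guess against the captured handshake’s MIC rather than against the master key itself, but the cost per guess is the same.

```python
import hashlib


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal pairwise master key (PMK).

    IEEE 802.11i defines it as PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds,
    256 bits). The SSID is the only salt, so once an attacker has captured one
    client's four-way handshake, every guess can be checked offline.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def known_answer_check() -> bool:
    """Test vector from IEEE Std 802.11i-2004, Annex H.4 (passphrase 'password', SSID 'IEEE')."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return wpa2_psk("password", "IEEE").hex() == expected


# Constructed mini word list: common base words with the suffixes people add.
# Real attacks use lists with hundreds of millions of entries plus mangling rules.
BASE_WORDS = ["password", "welcome", "sunshine", "letmein", "homewifi", "summer"]
SUFFIXES = ["", "1", "123", "!", "2023", "2024"]
WORDLIST = [w + s for w in BASE_WORDS for s in SUFFIXES]


def guess_passphrase(target_pmk: bytes, ssid: str, wordlist):
    """Offline dictionary attack against a captured network.

    Simplification for the example: a real tool derives the PTK from each
    candidate PMK and verifies the handshake MIC; comparing PMKs directly is
    equivalent in cost (one 4096-round PBKDF2 per guess) and keeps this short.
    Returns (passphrase, guesses_tried) or (None, guesses_tried).
    """
    tried = 0
    for candidate in wordlist:
        tried += 1
        if wpa2_psk(candidate, ssid) == target_pmk:
            return candidate, tried
    return None, tried


if __name__ == "__main__":
    print("known-answer check:", "ok" if known_answer_check() else "FAILED")
    ssid = "HomeNet"  # constructed network name
    for passphrase in ["sunshine2024", "coffee-mirror-43-orbit-lantern"]:
        found, n = guess_passphrase(wpa2_psk(passphrase, ssid), ssid, WORDLIST)
        status = "recovered" if found else "not recovered"
        print(f"{passphrase!r}: {status} after {n} guesses")
```

The 4096 PBKDF2 rounds slow each guess down, but they do not change the arithmetic: a passphrase that appears in a word list is found in seconds, while a long random one is never reached. Changing the SSID from a default like “linksys” to something unique also helps slightly, because it defeats precomputed tables built for common network names, but it is no substitute for a strong passphrase.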
9: Avoiding basic mobile device security
Mobile devices will become a hacker’s paradise in the coming years. Most people walk around with devices that hold personal and company information of some kind, often unencrypted, and these devices are accessible at a moment’s notice. They can also be lost or stolen. I mentioned previously that you should consider what kind of information is on a mobile device and remove anything too sensitive, or you should consider software that can compartmentalize sensitive information. But you should also keep the casual snooper from being able to easily access information.
Fix it: It’s basic, but at the very least, impose some kind of passcode requirement for mobile device users who access company information, and turn on the device’s built-in encryption and remote-wipe features so a lost phone can be rendered useless. A passcode alone will not keep determined adversaries from getting information they want, but it will thwart the casual snooper who might pick up the device.
10: Never testing backups
Let’s suppose that all of your other security mechanisms fail and your environment is so severely compromised that the systems and data are no longer trusted. At that point, it might be time to consider restoring the environment from backup. However, horror stories abound about companies that have attempted to recover from backups only to discover that:
· The backed-up files were corrupted.
· The backup tapes were bad.
· No files were actually being backed up even though the tapes were being swapped each night.
· The backups were intact but reachable from the network, so the attacker encrypted or deleted them along with everything else.
None of these is good, and any of them can leave an organization in a terrible state.
Fix it: Immediately implement policies and procedures that require regular testing of backups: not just confirming that the job reported success, but actually restoring files (and periodically whole systems) to a scratch location and verifying their contents against what was backed up. In addition, consider implementing a tiered backup system that backs up data from disk to another disk-based system and from there to tape or to another offsite, off-network service that can’t be compromised in the event of an attack. At least one copy should be offline or immutable, so that an attacker with admin rights on the network still can’t reach it.
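“Testing the backup” means restoring it somewhere harmless and checking every file, which is what the following added example does (it is not code from the original article). It builds an archive from a few constructed files, records a SHA-256 manifest at backup time, restores into a scratch directory and compares each file against the manifest, then damages the archive to show the same check catching a bad copy. File names and contents are invented; the archive format (tar.gz) and the manifest layout are choices made for the example, not a particular backup product’s.

```python
import hashlib
import json
import pathlib
import shutil
import tarfile
import tempfile


def sha256_file(path: pathlib.Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: pathlib.Path, archive: pathlib.Path) -> dict:
    """Archive every file under source and write a SHA-256 manifest beside the archive.

    The manifest is what later restore tests are checked against, so keep it
    with the job records, not only on the same medium as the backup.
    """
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(str(path), arcname=rel)
    archive.with_name(archive.name + ".manifest.json").write_text(
        json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(archive: pathlib.Path, manifest: dict) -> list:
    """Restore into a scratch directory and compare every file against the manifest.

    Returns a list of problems; an empty list means the backup restored cleanly.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch_dir:
        scratch = pathlib.Path(scratch_dir)
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                for member in tar.getmembers():
                    # Extract one member at a time and refuse anything that could
                    # escape the scratch directory (absolute paths, '..', links).
                    parts = pathlib.PurePosixPath(member.name).parts
                    if not member.isfile() or member.name.startswith("/") or ".." in parts:
                        problems.append(f"refused suspicious member {member.name!r}")
                        continue
                    dest = scratch / member.name
                    dest.parent.mkdir(parents=True, exist_ok=True)
                    with tar.extractfile(member) as src, open(dest, "wb") as dst:
                        shutil.copyfileobj(src, dst)
        except Exception as exc:  # any read failure means the restore failed
            problems.append(f"archive unreadable: {exc!r}")
        for rel, digest in sorted(manifest.items()):
            restored = scratch / rel
            if not restored.exists():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"content mismatch after restore: {rel}")
        for path in scratch.rglob("*"):
            rel = path.relative_to(scratch).as_posix()
            if path.is_file() and rel not in manifest:
                problems.append(f"unexpected file in restore: {rel}")
    return problems


def demo() -> tuple:
    """Back up constructed files, verify the restore, then damage the archive and verify again."""
    with tempfile.TemporaryDirectory() as tmp_dir:
        tmp = pathlib.Path(tmp_dir)
        source = tmp / "data"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100.00\n")
        (source / "notes.txt").write_text("quarterly review notes\n")
        archive = tmp / "backup.tar.gz"
        manifest = make_backup(source, archive)
        healthy = verify_restore(archive, manifest)
        # Simulate a bad tape: overwrite eight bytes inside the compressed stream.
        data = bytearray(archive.read_bytes())
        data[40:48] = b"\x00" * 8
        archive.write_bytes(bytes(data))
        damaged = verify_restore(archive, manifest)
        return healthy, damaged


if __name__ == "__main__":
    healthy, damaged = demo()
    print("healthy archive:", healthy or "restore verified")
    print("damaged archive:", damaged)
```

The manifest is the piece most backup routines skip: a job that “completed successfully” only proves the software ran, whereas a hash recorded at backup time and checked after a test restore proves the data that came back is the data that went in.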
Source: http://www.techrepublic.com/blog/10things/10-security-mistakes-that-are-easy-to-avoid/2968