Failing to recognize that computing as we know it is changing is the basis for many security problems. Information system complexity is growing by the minute, and there’s more information in more places than ever. Still, many desktop administrators are proclaiming that their current state of information security is “good enough” and ignoring very real security threats. If only it were that simple. Here are 10 of the most common information security mistakes that admins are still making:
1. Tolerating weak passwords
From operating system logins and file encryption to Web accounts and beyond, weak passwords are arguably the most nonsensical, yet simplest security flaws to fix. Come up with a password policy, apply it across the board, periodically check for weaknesses, and be done with this issue once and for all.
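One way to put the "apply it across the board, periodically check" advice into practice is a small policy check that can run at password-change time and over an account list. The following is an added example, not code from the article or its author; the policy thresholds, the deny list and the sample accounts are constructed for illustration.

```python
"""Password policy audit: check (username, password) pairs against a policy
and report the ones that fail.

Added example, not from the original article. The thresholds, deny list and
sample accounts below are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed deny list of well-known weak passwords; a real deployment
# would load a far larger list (and check it case-insensitively, as here).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3        # out of: lower, upper, digit, symbol
    forbid_common: bool = True  # reject anything on the deny list
    forbid_username: bool = True  # reject passwords containing the username


# One regex per character class; a class "counts" if it matches anywhere.
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(username: str, password: str,
                   policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    classes = sum(1 for rx in CLASSES.values() if rx.search(password))
    if classes < policy.min_classes:
        violations.append(f"uses {classes} character classes, needs {policy.min_classes}")
    if policy.forbid_common and password.lower() in COMMON_PASSWORDS:
        violations.append("appears in the common-password deny list")
    if policy.forbid_username and username.lower() in password.lower():
        violations.append("contains the username")
    return violations


def audit_accounts(accounts, policy: PasswordPolicy = PasswordPolicy()) -> dict[str, list[str]]:
    """Apply one policy to a whole account list; returns only the failing accounts."""
    return {u: v for u, p in accounts if (v := check_password(u, p, policy))}


# Constructed sample accounts (plaintext only so the example is self-contained).
SAMPLE_ACCOUNTS = [
    ("alice", "Correct-Horse-Battery-9"),  # compliant
    ("bob", "password1"),                  # short, two classes, on deny list
    ("carol", "Carol2024!!!"),             # long enough, but contains the username
    ("dave", "Tr0ub4dor&3"),               # four classes, but only 11 characters
]

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(problems)}")
```

The same `PasswordPolicy` object serves both uses the article calls for: enforce it when a password is set, and run `audit_accounts` periodically over whatever account data the environment can expose to catch accounts that predate the policy.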
2. Giving security policies too much credit
Security policies are great. They set everyone’s expectations, please the auditors and regulators and serve as a fallback when something goes awry and ends up in court. Sadly, many managers assume that just because the rules have been documented that everyone suddenly knows about them. Make sure that all employees are on board with these rules, and they’ll enforce themselves.
3. Relying too heavily on technology
As with policies, security technologies are not a silver bullet, either. Sure, firewalls, antivirus and encryption sound cool and can serve the business well, but they’re only the beginning of an information security architecture. People and processes are also factors in this equation. Leave one out and most technology benefits won’t be fully realized, if not negated altogether.
4. Connecting to random WiFi hotspots
We’ve come to expect a wireless signal wherever we are. Many people don’t think twice about hopping onto a random (and unprotected) wireless network just to get some work done. But a quick email is no excuse. That’s all it takes for someone with ill intent to capture a user’s login credentials and work his way onto your wireless network.
5. Ignoring the need to encrypt hard drives and mobile storage
Simply encrypting workstation hard drives can eliminate a huge portion of a company’s information risks today. Despite the huge bang for the buck of whole-disk encryption, many admins -- especially in small and medium-sized businesses -- have looked the other way.
6. Trusting users to keep endpoints in check
More and more environments are making users responsible for patching, data backups and even ensuring their antivirus protection is current -- talk about a great way to set everyone up for failure. Employees and other network users should never be held responsible for security. Sure, employees can be a good line of defense, but do whatever you can to put the proper controls and processes in place so that they’re not held responsible for IT's daily tasks.
7. Assuming that patches are under control
As far as we’ve come with patching, there are typically hundreds of missing patches on both workstations and servers in any given environment. In many situations, admins are unaware of specific hosts on their network or whether their patch management system is reporting the current status properly. Missing OS and third-party application patches can lead to breaches you might not ever know about.
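The two blind spots named above (hosts the admins don't know about, and a patch management system that isn't reporting properly) can both be surfaced by reconciling an independent asset inventory against the patch console's own export. The following is an added example, not code from the article or its author; the CSV export format, the inventory source and the thresholds are assumptions, and the host records are constructed.

```python
"""Reconcile an asset inventory against the patch management report to find
hosts that patching does not actually cover.

Added example, not from the original article. The report format, thresholds
and sample records are constructed for illustration."""
from __future__ import annotations

import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed: hosts seen on the network from a source independent of the
# patch system (DHCP leases, directory membership, a network sweep).
INVENTORY = ["ws-001", "ws-002", "ws-003", "srv-db01", "srv-web01", "printer-3"]

# Constructed: export from the patch management console, one row per host:
# hostname, last check-in (UTC, ISO-8601), count of missing patches.
PATCH_REPORT_CSV = """\
hostname,last_checkin,missing
ws-001,2011-06-01T08:15:00Z,0
ws-002,2011-04-02T11:40:00Z,7
srv-db01,2011-06-01T02:00:00Z,2
srv-web01,2011-05-30T23:10:00Z,31
lab-vm7,2011-06-01T09:00:00Z,0
"""


def parse_report(text: str) -> dict[str, dict]:
    """Parse the console export into {hostname: {"last_checkin": datetime, "missing": int}}."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        checkin = datetime.strptime(row["last_checkin"], "%Y-%m-%dT%H:%M:%SZ")
        report[row["hostname"]] = {
            "last_checkin": checkin.replace(tzinfo=timezone.utc),
            "missing": int(row["missing"]),
        }
    return report


def reconcile(inventory, report, now: datetime,
              stale_days: int = 14, max_missing: int = 10) -> dict[str, list[str]]:
    """Classify hosts into the ways patch coverage can silently fail.

    unmanaged:            in inventory, never reported by the patch system
    unknown_to_inventory: reported by the patch system, absent from inventory
    stale:                managed, but has not checked in for stale_days
    behind:               managed and checking in, but far behind on patches
    """
    inv = set(inventory)
    cutoff = now - timedelta(days=stale_days)
    return {
        "unmanaged": sorted(inv - report.keys()),
        "unknown_to_inventory": sorted(report.keys() - inv),
        "stale": sorted(h for h, r in report.items() if h in inv and r["last_checkin"] < cutoff),
        "behind": sorted(h for h, r in report.items() if h in inv and r["missing"] > max_missing),
    }


def run_example() -> dict[str, list[str]]:
    """Run the reconciliation over the constructed data at a fixed point in time."""
    now = datetime(2011, 6, 2, tzinfo=timezone.utc)  # constructed "current" time
    return reconcile(INVENTORY, parse_report(PATCH_REPORT_CSV), now)


if __name__ == "__main__":
    for category, hosts in run_example().items():
        print(f"{category}: {', '.join(hosts) or '-'}")
```

A host in the "stale" bucket is the case the article warns about: the console still lists it, so the dashboard looks green, but nothing has been applied there in weeks. The "unknown_to_inventory" bucket is the mirror image and usually points at an inventory source that is itself incomplete.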
8. Performing simple vulnerability scans and checklist audits
Many admins simply don’t acknowledge what’s really at risk with their systems. Therefore, when performing security assessments, they tend not to dig deep enough, often enough. Exacerbating this problem is the underlying assumption that compliant equals secure. But it never has, and it never will.
9. Assuming that security incidents will be highly visible
Thanks in part to the media and Hollywood glamourizing hack attacks and data breaches, management often expects that these incidents are going to be glaringly obvious. However, it’s almost always the opposite. The lack of perceived risk doesn’t mean there is no risk. We have to be careful not to fool ourselves into thinking that all’s well because there’s no bleeding.
10. Not balancing security with convenience
One of the cornerstone principles of good information security is balancing security with usability so that it doesn’t get in the way of day-to-day business. Yet, either by design or the law of unintended consequences, security controls often get in the way of users, who then find ways around them. Writing passwords on sticky notes is just the beginning.
Long after these security weaknesses become well-known, they often continue to be ignored, so it’s important to address them before you have to. As Ayn Rand once said, “We can evade reality, but we cannot evade the consequences of evading reality.” The power of choice is a wonderful gift we’ve all been given -- use it wisely, and you’ll do just fine.
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. With over 22 years of experience in the industry, he specializes in performing independent security assessments revolving around information risk management. Beaver has authored/co-authored eight books on information security including The Practical Guide to HIPAA Privacy and Security Compliance and the newly-updated Hacking For Dummies, 3rd edition. In addition, he’s the creator of the "Security On Wheels" information security audio books and blog providing security learning for IT professionals on the go. Beaver can be reached at www.principlelogic.com, and you can follow him on Twitter at @kevinbeaver.
This was first published in June 2011