1: Using poorly chosen passwords
There was a day when people thought that using the password
“password” was a surefire way to fool hackers and other miscreants.
After all, who would use such an obvious password? Although most people
now realize just how poor a password that is, many still use equally
obvious choices, particularly in this day of high social engagement.
Take this example: you cleverly use your anniversary year in your
password along with the middle name of your oldest child. Both are
easily retrieved from Facebook and through other means. Even
organizations that have strong password policies can suffer from poorly
chosen passwords when users work around the requirements.
Fix it: Don’t build passwords from obvious patterns or from facts
about yourself. Mixing in symbols helps less than it seems: swapping an
exclamation point for the number 1 or an @ for the letter a is a trick
that every password-cracking tool tries automatically through its rule
sets, so “P@ssw0rd!” falls almost as fast as “password”. What makes a
password expensive to crack is length and unpredictability, so prefer a
long passphrase or a randomly generated password kept in a password
manager. If you’re creating a password policy for your organization,
require a sensible minimum length and reject passwords that match
common words or known-breached passwords once such substitutions are
undone, rather than relying on character-set rules alone.
2: Never changing passwords
I’ve seen this in action too many times. People who keep the same
password forever and use the same password on multiple sites are more
likely to suffer a breach. Even in organizations that require password
changes, some people try to find ways around having to change passwords
on a periodic basis. For example, I once had an employee with domain
admin rights who decided to exempt himself from the organization’s
password policy. He was reprimanded (although, in hindsight, I should
have fired him for abusing his access rights) and made to comply with
policy. Of course, these kinds of situations should be the exception,
but how many people use the same or very similar passwords across
multiple sites and change only one character in their password when it
comes to expiration time?
Fix it: Educate your users about the importance of good passwords,
why a password must never be shared between sites (a password leaked in
one site’s breach will be tried against every other account the user
owns), and why it must be changed immediately whenever a compromise is
suspected, not only when an expiration timer says so. As part of your
policy, consider using a tool that rejects a new password that is a
trivial variation of the old one at reset time (the same word with the
trailing digit incremented, for example) and that screens new passwords
against lists of common or previously breached passwords.
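The two checks described in sections 1 and 2, as an added example that is not part of the original article: a small Python policy checker that undoes symbol-for-letter substitutions before comparing a password against a common-password list, and that rejects a new password which is only a trivial edit of the old one at reset time. The common-password list, the substitution table, the length and similarity thresholds and the sample passwords are all constructed for this example; a real deployment would load a large breached-password list and tune the thresholds to its own policy.

```python
# Added example, not from the original article. A password-policy check that
# undoes symbol-for-letter substitutions before looking a password up in a
# common-password list, and rejects trivial variations of the old password at
# reset time. COMMON_PASSWORDS, LEET_MAP and the thresholds are constructed
# for this example; a real deployment would load a large breached-password list.
import re
from typing import Optional

# Constructed sample of a common/breached-password list (illustrative only).
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "football"}

# Symbol-for-letter swaps that cracking tools undo automatically via rules.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "8": "b", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})

MIN_LENGTH = 12          # policy choice for this example
MAX_SIMILAR_EDITS = 2    # old -> new passwords within this edit distance are rejected


def normalize(password: str) -> str:
    """Lower-case, drop trailing digits/symbols, then undo leet substitutions,
    so 'P@ssw0rd!23' compares equal to 'password'."""
    lowered = password.lower()
    core = re.sub(r"[^a-z]+$", "", lowered)
    return core.translate(LEET_MAP)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch 'Summer2023!' -> 'Summer2024!'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_password(new: str, old: Optional[str] = None) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    core = normalize(new)
    if core in COMMON_PASSWORDS:
        problems.append(f"common password once substitutions are undone ({core!r})")
    if old is not None:
        if new.lower() == old.lower():
            problems.append("same as the previous password")
        elif edit_distance(new.lower(), old.lower()) <= MAX_SIMILAR_EDITS:
            problems.append("too similar to the previous password")
        elif normalize(old) == core:
            problems.append("same core word as the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: (new password, previous password or None).
    for new, old in [("P@ssw0rd!23", None),
                     ("Summer2024!!", "Summer2023!!"),
                     ("F00tball!!2024", "Football!!2023"),
                     ("correct-horse-battery-staple", "Summer2023!!")]:
        print(f"{new!r:32} -> {check_password(new, old) or 'OK'}")
```

The normalization strips trailing digits and symbols before undoing substitutions, because the usual workaround for an expiry policy is a word followed by an incremented number; the edit-distance check catches the single-character changes that survive that, and the core-word comparison catches the case where the user re-spells the same word with different symbols.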
3: Not installing antivirus/anti-malware
This one is a given. If you’re not running anti-malware software of
some kind in your environment, you’re wrong. Even with the best
firewalls, the concept of layered security still holds true: anything
that the firewall fails to catch (or that arrives by a path the firewall
never sees, such as a phishing attachment or a USB stick) gets a second
chance of being caught on the endpoint. It is one layer, not the whole
defence; it will miss some threats, which is exactly why the other items
on this list matter.
Fix it: Install anti-malware software… now, and keep its engine and
signatures updating automatically; stale definitions catch little.
4: Not using a firewall or being too lax with a firewall
Whether you’re at home or running IT for a business, a firewall
should be considered required equipment. Although Windows and other
operating systems include built-in firewalls, I have always preferred a
hardware firewall of some kind, especially when used in conjunction with
the aforementioned software firewall. Moreover, any firewall that is
deployed should be deployed well: a firewall with an any/any rule near
the top of its rule set is just an expensive router.
Fix it: Wherever possible, deploy a hardware
firewall both at home and in the office, and leave the host firewalls
on behind it. Start from a default-deny inbound policy, permit only the
services you intend to expose to the internal network, and review the
rule set periodically: “temporary” allow-all rules added to make
something work have a way of becoming permanent.
5: Never patching machines
Operating system and application vendors release software patches for
a reason. While many updates add new functionality, many also correct
security flaws in products. I’ve seen plenty of home machines on which
the user has disabled software updates. In the enterprise, patches are
sometimes skipped with the reasoning that the firewall at the edge of
the network protects the organization. This isn’t a good strategy: the
firewall passes traffic to the services you expose, and an exploit aimed
at an unpatched service looks like any other request to it, while a
malicious attachment or web page reaches the workstation from the
inside, where the edge firewall never saw it.
Fix it: Patch machines! Turn on automatic updates at home, and in the
organization implement robust patch management policies and procedures:
know what is installed, prioritize by severity and exposure, test,
deploy, and verify that the patch actually landed.
6: Insecurely storing data
How many of you have stored sensitive data — personal information or
for work — on a USB thumb drive? Do you ever take that thumb drive with
you out in public? I’ve seen a lot of USB storage attached, for example,
to key rings and carried around. Further, that storage simply sits on
people’s desks and such.
Now, how many of you back up your organization’s data to tape? Do
those tapes go offsite and, if so, are they always under your control?
Unprotected data is a big deal. A single lost USB drive, laptop,
iPad, or tape with the wrong information can land an organization in a
mess financially, legally, and from a public relations perspective.
Fix it: Make heavy use of encryption for anything
that is portable. Most backup software can be configured to encrypt data
on tapes, and you can use tools such as BitLocker and BitLocker To Go to
protect laptops and portable storage devices. Whatever you use, manage
the keys: escrow BitLocker recovery keys in Active Directory or your
management system, and keep backup encryption keys somewhere other than
on the tapes themselves, because an encrypted backup whose key is lost
is just a lost backup. For other mobile devices,
such as iPads, consider deploying mobile management security software
that separately encrypts and protects particularly sensitive
information.
7: Being too generous with permissions
In the enterprise, permissions drive what people can and can’t do.
The easiest way to enable employees is to grant them carte blanche admin
access to everything, but that would quickly devolve into chaos. So
most organizations have a policy and structure under which they grant
specific permissions based on work-related needs. Over time,
unfortunately, privilege creep sets in. People change positions
within the organization and old permissions are never removed, a
temporary permissions increase is never revoked, and so forth, until an
account holds the union of every job its owner has ever had.
Fix it: Make sure that there are clear permissions
policies in your company. Your policies and procedures should include a
periodic permissions review that matches current needs with existing
permissions; permissions that are no longer necessary should be removed,
and every temporary elevation should carry an expiry date that the
review checks.
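The periodic review described above, as an added example that is not part of the original article: a Python script that compares the permissions each account actually holds against what its current role entitles it to, and lists the excess for removal, treating a temporary grant as acceptable only until its approved expiry date. The role matrix, the user records, the permission names and the dates are all constructed for this example; a real review would pull them from the directory (AD group membership, IAM policies, application ACLs).

```python
# Added example, not from the original article. A periodic permissions review
# that compares what each account actually holds against what its current
# role entitles it to, and flags the excess for removal. ROLE_PERMISSIONS,
# USERS and the dates are constructed for this example; a real review would
# pull them from the directory (AD group membership, IAM policies, app ACLs).
from datetime import date

# Constructed role matrix: what each job role legitimately needs.
ROLE_PERMISSIONS = {
    "helpdesk":   {"reset-user-password", "read-tickets"},
    "dba":        {"db-admin", "db-backup", "read-tickets"},
    "accountant": {"ledger-read", "ledger-write"},
}

# Constructed directory snapshot: role today, permissions actually held,
# and temporary grants with the ISO date each was approved to expire.
USERS = [
    {"name": "alice", "role": "accountant",        # moved here from helpdesk
     "held": {"ledger-read", "ledger-write", "reset-user-password"},
     "temporary": {}},
    {"name": "bob", "role": "dba",                 # one-off elevation never revoked
     "held": {"db-admin", "db-backup", "read-tickets", "domain-admin"},
     "temporary": {"domain-admin": "2023-01-31"}},
    {"name": "carol", "role": "helpdesk",          # clean
     "held": {"reset-user-password", "read-tickets"},
     "temporary": {}},
]


def review_user(user: dict, today: str) -> dict:
    """Return {permission: reason} for every permission this account should lose.
    `today` is an ISO date string so the review can be run 'as of' any date."""
    as_of = date.fromisoformat(today)
    allowed = ROLE_PERMISSIONS.get(user["role"], set())  # unknown role -> nothing allowed
    findings = {}
    for perm in sorted(user["held"] - allowed):
        expiry = user["temporary"].get(perm)
        if expiry is None:
            findings[perm] = f"not granted by role {user['role']!r}"
        elif date.fromisoformat(expiry) < as_of:
            findings[perm] = f"temporary grant expired on {expiry}"
        # else: still inside its approved window; it is re-checked next cycle
    return findings


def review_all(users: list, today: str) -> dict:
    """Accounts with something to remove, mapped to their findings."""
    report = {}
    for user in users:
        findings = review_user(user, today)
        if findings:
            report[user["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in review_all(USERS, "2024-06-01").items():
        for perm, reason in findings.items():
            print(f"{name}: remove {perm} ({reason})")
```

Anything outside the role matrix is reported, including permissions for roles the matrix does not know about, which is deliberate: an account whose role is not in the policy should surface in the review rather than be silently accepted.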
8: Choosing poor (or no) Wi-Fi security
Even with all the known risks regarding open Wi-Fi networks, there
are still tons of them out there that are completely open and insecure.
Some have taken the step of implementing Wired Equivalent Privacy (WEP)
as a protection mechanism since it’s widely supported, but WEP’s use of
RC4 is broken: with freely available tools the key can be recovered in
minutes, and under good conditions in well under a minute. That said,
it’s still marginally better than no encryption at all, which carries
its own risks.
Fix it: Implement WPA at the bare minimum, or better yet, go with WPA2
using AES (CCMP) rather than TKIP, which inherits weaknesses from WEP.
WPA2 is a modern wireless security standard that is supported by most
modern operating systems. When you implement WPA2, choose a good
wireless passphrase, too: with WPA2-PSK an attacker only needs to
capture one client’s four-way handshake and can then guess the
passphrase offline at leisure, so a short or dictionary passphrase
makes the protection worthless. WPA2 with a long random passphrase (or
WPA2-Enterprise with per-user credentials) can still be attacked, but
it is far more difficult than cracking WEP or WPA.
9: Avoiding basic mobile device security
Mobile devices will become a hacker’s paradise in the coming years.
Most people walk around with devices that have unencrypted personal
information of some kind and these devices are accessible at a moment’s
notice. They can also be lost or stolen. I mentioned previously that you
should consider what kind of information is on a mobile device and
remove anything too sensitive or you should consider software that can
compartmentalize sensitive information. But you should also keep the
casual snooper from being able to easily access information.
Fix it: It’s basic, but at the very least, impose
some kind of passcode requirement for mobile device users who access
company information, and turn on the device’s storage encryption and
remote wipe alongside it; on current phones the passcode protects the
storage encryption keys, so encryption without a passcode offers little
protection. While this will not keep determined adversaries
from getting information they want, it will thwart the casual snooper
who picks up the device.
10: Never testing backups
Let’s suppose that all of your other security mechanisms fail and
your environment is so severely compromised that the systems and data
are no longer trusted. At that point, it’s time to consider restoring
the environment from backup. However, horror stories abound about
companies that have attempted to recover from backups only to discover
that:
- The backed up files were corrupted.
- The backup tapes were bad.
- No files were actually being backed up even though the tapes were being swapped each night.
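A restore test that catches each of the three failures in the list above, as an added example that is not part of the original article: a SHA-256 manifest is recorded from the source at backup time, a trial restore goes into a scratch directory, and every file is re-hashed and compared against the manifest, so corrupted files, files that never reached the media, and a backup that contains nothing at all are each reported. The sample files, the backup and restore directories, and the simulated media faults are constructed inside a temporary directory so the example runs offline; the manifest format and function names are choices of this example, not any particular backup product.

```python
# Added example, not from the original article. A restore test that proves a
# backup can be read back, catching each of the three failures listed above:
# a SHA-256 manifest is recorded from the source at backup time, a trial
# restore goes into a scratch directory, and every file is re-hashed against
# the manifest. The files and the simulated media faults are constructed
# inside a temporary directory so the example runs offline.
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a trial restore against the manifest taken at backup time."""
    report = {"ok": [], "corrupted": [], "missing": []}
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)          # file never made it to the media
        elif sha256_file(path) != digest:
            report["corrupted"].append(rel)        # bad tape / truncated write
        else:
            report["ok"].append(rel)
    # "tapes swapped every night, nothing on them": the restore holds no files at all
    report["empty_backup"] = not any(files for _, _, files in os.walk(restored_root))
    report["passed"] = bool(manifest) and not report["missing"] and not report["corrupted"]
    return report


def simulate_backup_cycle(corrupt="ledger.csv", lose="notes.txt", nothing_backed_up=False) -> dict:
    """Constructed scenario: back up two files, inject faults into the backup
    media, do a trial restore and verify it. Defaults reproduce a corrupted
    file and a missing file; nothing_backed_up=True reproduces the empty tape."""
    with tempfile.TemporaryDirectory() as work:
        source, backup, restore = (os.path.join(work, d) for d in ("src", "backup", "restore"))
        os.makedirs(source)
        with open(os.path.join(source, "ledger.csv"), "w") as f:
            f.write("2024-01-01,invoice,100.00\n")      # constructed sample data
        with open(os.path.join(source, "notes.txt"), "w") as f:
            f.write("quarterly close checklist\n")      # constructed sample data

        # Backup job: record the manifest from the source, then copy to the media.
        manifest = build_manifest(source)
        with open(os.path.join(work, "manifest.json"), "w") as f:
            json.dump(manifest, f)
        if nothing_backed_up:
            os.makedirs(backup)                         # job "ran", wrote nothing
        else:
            shutil.copytree(source, backup)
            if corrupt:
                with open(os.path.join(backup, corrupt), "ab") as f:
                    f.write(b"\x00\x00 bad block")     # media fault after the write
            if lose:
                os.remove(os.path.join(backup, lose))  # file silently dropped

        # Trial restore into a scratch directory, then verify against the manifest.
        shutil.copytree(backup, restore)
        with open(os.path.join(work, "manifest.json")) as f:
            return verify_restore(json.load(f), restore)


if __name__ == "__main__":
    for label, kwargs in [("faulty media", {}),
                          ("clean", {"corrupt": None, "lose": None}),
                          ("empty tape", {"nothing_backed_up": True})]:
        print(label, simulate_backup_cycle(**kwargs))
```

The manifest is taken from the source, not from the media, so that a job which wrote nothing shows up as every file missing rather than as a backup that trivially "matches" itself; in practice the manifest should be stored somewhere other than on the same tape it describes.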
Raheel Ahmed Khan
System Engineer
My Blog Spot
http://raheel-mydreamz.blogspot.com/
http://raheeldreamz.wordpress.com/