
Worst Security Mistakes Information Technology People Make

Security Mistakes IT People Make and How to Fix Them

By Ryan Groom, About.com

The SANS Institute lists the most common mistakes made by Information Technology People that lead to security breaches.

In an effort to help with addressing these mistakes, I’m going to take you through each one and offer some perspectives that may help you reduce your exposure.

The Ten Worst Security Mistakes Information Technology People Make from SANS

Information technology people are not always information technology security people. I think that today’s threat landscape has led to greater security awareness across the information technology field, but here are 11 steps to take to make sure you don’t make the top mistakes IT people make that lead to security breaches.

1. Connecting Systems to the Internet Before Hardening Them

Unhardened and unpatched both belong under this mistake. Any system that will be attached to the Internet should be hardened to industry best practices before it is connected.

In a world of fast Internet connections it can be very tempting to attach a newly installed system to the Internet to download updates and patches, but it can also be very dangerous. A large portion of those updates exist to address security flaws in the software, so while the system sits on the Internet downloading them it is exposed to exploits that use the very holes the patches fix.

This can be avoided with offline methods, such as burning the updates to CD or patching in a staging environment that is not connected to the Internet.

2. Connecting Test Systems to the Internet With Default Accounts/Passwords

If you know the default username and password for a given piece of software, how many others (including hackers) know it as well? Rename accounts and change default passwords. This will at least make it much more difficult for hackers to compromise your system.

3. Failing to Update Systems When Security Holes are Found

This is where a sound vulnerability management strategy will keep your systems safe. The strategy can be very complex and use specialized tools, or it can be very simple, as long as it meets your organizational needs. The core parts of any vulnerability strategy are to detect vulnerabilities and then mitigate the risk they pose; that mitigation includes applying system updates when vulnerabilities are found.

4. Using Telnet and Other Unencrypted Protocols for Managing Systems, Routers, Firewalls, and PKI

This mistake reminds me of an old Unisys advertisement that stated “While you slept the world changed”. That statement is certainly truer now than it has ever been. The protocols originally developed for managing these systems did not include encryption, for a number of reasons, but suffice it to say that in today’s world unencrypted management traffic will eventually lead to a security breach. Use encrypted protocols to manage these valuable corporate assets.

5. Giving Users Passwords Over the Phone or Changing User Passwords in Response to Telephone or Personal Requests When the Requester is not Authenticated

Helpdesks and support staff are still big targets for hackers because people have a natural tendency to want to be helpful, and the hacker’s job gets much easier once they have an account and password for a system. Institute an authentication policy for helpdesk password resets. This policy could be as simple as a list of user-chosen ‘keywords’, known only to the helpdesk and the user, that allow the helpdesk to authenticate that individual.

6. Failing to Maintain and Test Backups

While time consuming and most often successful, routine testing of backups will save a lot of time, money, sleep, and maybe your job. Schedule regular intervals to test your backups by restoring them to a test system, so that if your production system ever needs to be rebuilt you are not left with an unusable system and no valid backups to rebuild it from. Backup policies are very important.
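As an added example (not from the article), here is a restore test of the kind described above: a hypothetical shell helper, written for this page, that unpacks a tar backup into scratch space and compares every restored file’s checksum with the live tree; it assumes tar, cksum, cmp and mktemp are available.

```shell
#!/bin/sh
# Restore-test a tar backup into a scratch directory and compare every
# restored file's checksum with the live source tree. Hypothetical helper
# written for this article, not the author's; assumes tar, cksum, cmp.
set -eu

# checksum_tree DIR  -> one "crc size ./path" line per file, sorted by path
checksum_tree() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        cksum "$f"
    done )
}

# verify_backup ARCHIVE SOURCE_DIR
# 0 if every file in SOURCE_DIR restores from ARCHIVE with the same checksum,
# 1 if the archive is unreadable or any file is missing, extra or altered.
verify_backup() {
    archive=$1; src=$2
    [ -d "$src" ] || return 1
    scratch=$(mktemp -d)
    # Always restore into scratch space, never over the live system.
    if ! tar -xf "$archive" -C "$scratch" 2>/dev/null; then
        rm -rf "$scratch"; return 1
    fi
    checksum_tree "$src" >"$scratch.src.sum"
    checksum_tree "$scratch" >"$scratch.rst.sum"
    if cmp -s "$scratch.src.sum" "$scratch.rst.sum"; then rc=0; else rc=1; fi
    rm -rf "$scratch" "$scratch.src.sum" "$scratch.rst.sum"
    return $rc
}

# Demo on a constructed sample tree: a good archive and a truncated one.
demo_backup_check() {
    work=$(mktemp -d)
    mkdir -p "$work/data/etc"
    printf 'PermitRootLogin no\n' >"$work/data/etc/sshd_config"
    printf 'quarterly figures\n' >"$work/data/notes.txt"
    tar -cf "$work/good.tar" -C "$work/data" .
    head -c 600 "$work/good.tar" >"$work/bad.tar"   # stands in for a backup that went bad
    verify_backup "$work/good.tar" "$work/data" && echo "good.tar: restore verified"
    verify_backup "$work/bad.tar" "$work/data" || echo "bad.tar: restore FAILED"
    rm -rf "$work"
}
demo_backup_check
```

On a real host, point verify_backup at last night’s archive and the directory it was taken from, and run it from cron so a silently broken backup is noticed before it is needed.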

7. Running Unnecessary Services, Especially ftpd, telnetd, finger, rpc, mail, rservices

Every unnecessary service running on your systems is another avenue for attackers to compromise them. Disable any unnecessary services and reduce your risk of compromise.
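An added example, not from the article: a hypothetical shell helper, written for this page, that checks a host’s listening-socket listing for the services named in this heading; the input here is a constructed sample in the layout of `ss -ltn`, and the port-to-service list is an assumption to be adjusted per environment.

```shell
#!/bin/sh
# Flag listening TCP ports that belong to the services the article names as
# usually unnecessary. Hypothetical helper, not the author's; on a real host
# feed it "ss -ltn" or "netstat -ltn" output (both put the local address in
# column 4 and the socket state in column 1 or 6).
set -eu

# port:name pairs to look for; extend to suit your environment
RISKY_PORTS='21:ftpd 23:telnetd 25:mail 79:finger 111:rpc 512:rexec 513:rlogin 514:rsh'

# audit_listeners < listing  -> prints "PORT SERVICE" per hit; exit 1 if any hit
audit_listeners() {
    hits=$(awk -v risky="$RISKY_PORTS" '
        BEGIN {
            n = split(risky, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, ":"); name[kv[1]] = kv[2] }
        }
        $1 == "LISTEN" || $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # "0.0.0.0:23" or "[::]:79" -> port
            if ((port in name) && !(port in seen)) { seen[port] = 1; print port, name[port] }
        }')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample in "ss -ltn" layout: sshd and https are expected, the
# rest are exactly the kind of leftovers the article warns about.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:23         0.0.0.0:*
LISTEN 0      5      [::]:79            [::]:*
LISTEN 0      128    127.0.0.1:111      0.0.0.0:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*'

printf '%s\n' "$SAMPLE" | audit_listeners || echo "disable the services listed above"
```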

8. Implementing Firewalls With Rules That Don't Stop Malicious or Dangerous Traffic, Incoming or Outgoing

Firewalls should always be configured to allow the minimum amount of traffic into and out of an organization that still lets the organization function. Since a large number of viruses, worms, and other malicious traffic have easily identifiable traffic patterns, also configure your firewall to block that traffic before it ever reaches your network.
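An added example, not from the article: a default-deny iptables rule set in the spirit of this item, written for this page rather than taken from it; the admin network, the allowed ports, and the presence of iptables with its conntrack, limit and LOG modules on a Linux host are all assumptions.

```shell
#!/bin/sh
# Default-deny host firewall in iptables terms: inbound AND outbound drop
# everything not listed, and drops are logged so they can be reviewed.
# Added illustration, not from the article. Dry-run by default (prints the
# commands); run with IPT=iptables as root to apply for real.
set -eu
IPT=${IPT:-echo iptables}

MGMT_NET=192.0.2.0/24       # admin network allowed to SSH in (RFC 5737 example range)
OUTBOUND_TCP="80 443"       # patch and update downloads
OUTBOUND_UDP="53 123"       # DNS and NTP

apply_rules() {
    # The weak setting this replaces is "-P INPUT ACCEPT" / "-P OUTPUT ACCEPT"
    # with a few blocks bolted on. Here the chain policies fail closed instead.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # Loopback, and replies to connections this host already accepted or opened.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Inbound: SSH from the admin network only; nothing else is offered.
    $IPT -A INPUT -p tcp -s "$MGMT_NET" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Outbound: only what the host needs to stay patched and keep time.
    for p in $OUTBOUND_TCP; do
        $IPT -A OUTPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $OUTBOUND_UDP; do
        $IPT -A OUTPUT -p udp --dport "$p" -j ACCEPT
    done
    # Log (rate limited) whatever falls through, so blocked traffic is visible.
    $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
}

apply_rules
```

The outbound rules matter as much as the inbound ones: a compromised host that cannot reach anything but DNS, NTP and the update servers has far less room to phone home or spread.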

9. Failing to Implement or Update Virus Detection Software

McAfee recently released its 2,000,000th virus definition. That is how many potential problems you face if you don’t implement your virus detection systems, or don’t keep them up to date. Include anti-virus as part of your vulnerability management strategy.

10. Failing to Educate Users on What to Look for and What to do When They see a Potential Security Problem

Users do not typically want to work against IT in their day-to-day job. Much as the corporate financial controller tells IT that they can’t expense a new car, IT needs to educate staff on how to recognize a potential security problem and what to do when they see one. This is easily accomplished with a user awareness program.

BONUS, Number 11: Allowing Untrained, Uncertified People to Take Responsibility for Securing Important Systems

While everyone always has something to learn, don’t let the most junior IT staff member secure the most important system in your organization.


©2008 About.com, a part of The New York Times Company.

All rights reserved.