Vulnerability in network security is not just a matter of poor system design or configuration. Nor is a successful attack solely the work of an enterprising hacker or a lucky cast by a phisher. Often weaknesses in IT security are the result of simple mistakes.
Some of the mistakes electronic security installers and integrators sometimes make that compromise customer security networks include:
1: Connecting systems to the Internet before they’ve been adequately hardened
2: Connecting test systems, subnets and devices to the Internet with default accounts and/or passwords
3: Failing to update systems after security holes are discovered
4: Employing weak protocols with no encryption to manage structural fundamentals like routers, firewalls and authentication applications
5: Giving passwords over the phone, via email, or changing user passwords in response to telephone or personal requests when the caller is not authenticated
6: Failure to maintain and test backups
7: Running unnecessary (usually default) services on networks that don’t need them
8: Implementing firewalls with rules that don’t stop malicious or dangerous traffic passing inward or outward, or that don’t notify admin of events
9: Failure to implement/update virus scanning software everywhere it might be required
10: Failure to educate end users on what to look for and what action to take when confronted by a possible network security weakness.
The top mistakes committed by management in relation to networks supporting security solutions include:
1: Assigning untrained people to implement and maintain network security, and/or failing to provide training and time to learn the role
2: Failing to understand the relationship of information/network security and the business problem – or understanding the business problem but not seeing the consequences of poor IT security
3: Failing to deal with the operational aspects of security – making a few fixes and then not allowing the follow-through necessary to ensure the problems stay fixed
4: Relying primarily on a firewall – or an air gap – not on proactive procedures and solutions
5: Failing to realise how much money data security and organisational reputation is worth
6: Authorising reactive, short-term fixes so problems re-emerge rapidly
7: Pretending/hoping the problem will go away if it’s ignored.