Smokey Bear (Premium, joined 2008-03-15, Annie's Pub)
The 10 dumbest mistakes network managers make
Excerpt from a Network World article, 07/05/2009
When you look at the worst corporate security breaches, it's clear that network managers keep making the same mistakes over and over again, and that many of these mistakes are easy to avoid.
In 2008, Verizon Business analyzed 90 security breaches that represented 285 million compromised records. Most of these headline-grabbing incidents involved organized crime finding an unprotected opening into a network and using it to steal credit card data, Social Security numbers or other personally identifiable information.
What's astonishing is how often these security breaches were the result of network managers forgetting to take obvious steps to secure their systems, particularly non-critical servers.
"We're just not doing the basics," says Peter Tippett, vice president of innovation and technology at Verizon Business, who has been auditing security breaches for 18 years.
Tippett helped us put together a list of the simplest steps that a network manager can take to eliminate the majority of security breaches. Not to follow the items on this list would be, quite simply, stupid.
1. Not changing the default passwords on all network devices.
2. Sharing a password across multiple network devices.
3. Failing to find SQL coding errors.
4. Misconfiguring your access control lists.
5. Allowing nonsecure remote access and management software.
6. Failing to test noncritical applications for basic vulnerabilities.
7. Not adequately protecting your servers from malware.
8. Failing to configure your routers to prohibit unwanted outbound traffic.
9. Not knowing where credit card or other critical customer data is stored.
10. Not following the Payment Card Industry Data Security Standards.
Source: www.networkworld.com/news/2009/0···l?page=1
-- Smokey's Security Forums: www.smokey-services.eu/forums/ | Smokey's Security Weblog: smokeys.wordpress.com/ | Site Member ASAP - Alliance of Security Analysis Professionals
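Item 3 on the list ("failing to find SQL coding errors") is the one that is easiest to show in code. The following is an added example, not code from the Network World article or from Verizon Business: it builds a small in-memory SQLite table with constructed customer rows, then puts a lookup that splices user input into the SQL text beside the parameterized form that a code review should insist on. The table name, column names and sample rows are all invented for the demonstration.

```python
"""Vulnerable string-built SQL beside the parameterized equivalent.

Added example for item 3 above. The customers table and its rows are
constructed sample data, not anything from the article.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with three constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, card_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],  # constructed
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The coding error: the caller's string becomes part of the SQL text.

    A quote character in `name` ends the literal early, so the input can
    change the structure of the query instead of just its value.
    """
    sql = "SELECT name FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT name FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> dict:
    """Run both lookups on the same input so the difference is visible."""
    conn = build_db()
    return {
        "unsafe": sorted(lookup_unsafe(conn, name)),
        "safe": sorted(lookup_safe(conn, name)),
    }


if __name__ == "__main__":
    # An ordinary name behaves the same either way; a name containing a
    # quote shows the unsafe query returning every row.
    for probe in ("alice", "x' OR '1'='1"):
        print(repr(probe), compare(probe))
```

The check worth adding to a code review or a static-analysis rule is mechanical: any SQL string assembled with `+`, `%` or an f-string from data that did not originate in the program is the pattern in `lookup_unsafe`, and the remediation is always the bound-parameter form in `lookup_safe`, regardless of how the input is "validated" beforehand.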
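Items 1 and 2 (default passwords, and one password reused across devices) are both things an inventory audit can flag before an auditor does. The following is an added example, not part of the article: it assumes the audit is handed a list of device names with a SHA-256 of each device's management credential (so the plaintexts never sit in the audit output) and a small, constructed list of well-known default strings. The device names, the default list and the hashes are all invented for the demonstration; a real run would take its inputs from the credential store and a vendor-specific default list.

```python
"""Audit a device credential inventory for default and shared passwords.

Added example for items 1 and 2 above. Inventory entries, device names and
the default-password list are constructed for the demonstration.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for a vendor default list; a real audit would load
# the defaults for each platform actually deployed.
DEFAULT_PASSWORDS = {"admin", "password", "cisco", "public"}


def credential_hash(secret: str) -> str:
    """SHA-256 of the credential; the audit only ever compares these."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def audit_credentials(inventory: list) -> dict:
    """Return devices on a known default and groups that share one credential.

    inventory: list of (device_name, credential_hash) tuples.
    Result: {"default": [device, ...], "shared": [[device, ...], ...]}
    """
    default_hashes = {credential_hash(p) for p in DEFAULT_PASSWORDS}
    devices_by_hash = defaultdict(list)
    findings = {"default": [], "shared": []}

    for device, digest in inventory:
        devices_by_hash[digest].append(device)
        if digest in default_hashes:
            findings["default"].append(device)

    # Any hash seen on more than one device is item 2: a shared password.
    for digest, devices in devices_by_hash.items():
        if len(devices) > 1:
            findings["shared"].append(sorted(devices))

    findings["default"].sort()
    findings["shared"].sort()
    return findings


def sample_inventory() -> list:
    """Constructed inventory: one device on a default, two sharing a secret."""
    return [
        ("core-rtr-1", credential_hash("cisco")),
        ("edge-sw-1", credential_hash("Qx9!vb-demo")),
        ("edge-sw-2", credential_hash("Qx9!vb-demo")),
        ("dmz-fw-1", credential_hash("Fz7#kk-demo")),
    ]


if __name__ == "__main__":
    result = audit_credentials(sample_inventory())
    print("default passwords in use on:", result["default"])
    print("credential shared by:", result["shared"])
```

Hashing before comparison is what makes this safe to run from a ticketing or reporting job: the check can run on every device export without the plaintext leaving the credential store, and a hit on either list is a concrete finding to hand to whoever owns that device.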
nwrickert (Premium, MVM, joined 2004-09-04, Geneva, IL)
The really dumb mistake is "A break-in is not likely to happen here, so we can save a lot of money by not having a professional security team."
-- AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11
Steve (Consultant, joined 2001-03-10, Yorba Linda, CA), reply to Smokey Bear
> 3. Failing to find SQL coding errors.
> 6. Failing to test noncritical applications for basic vulnerabilities.
I'm not sure that application issues are really in the network manager's bailiwick.
> 9. Not knowing where credit card or other critical customer data is stored.
That's not a network issue either.
> 10. Not following the Payment Card Industry Data Security Standards.
Following PCI is the bare minimum - one should aim for actual security, not compliance with a standard (and they are often at odds).
Steve
-- Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Orange County, California USA
DownTheShore (Premium, joined 2003-12-02, Beautiful NJ), reply to Smokey Bear
I would add, letting idiots take laptops off-premise. How much data has already been compromised just because people who don't have the security sense of a gnat have had their laptops lost, misplaced, or stolen?
VikingBob (joined 2004-06-05, Ste Anne, MB)
On that laptop note... ENCRYPT IT! A laptop is portable - some idiot will take it out the door...
caffeinator (Premium, joined 2005-01-16, Spokane, WA), reply to Smokey Bear
Also, not having a good and ENFORCED policy for all removable devices, esp. USB sticks. Nowadays, an entire customer DB fits on a flash drive, a disaster in the making.
Neyland (joined 2003-02-04, USA), reply to Smokey Bear
Many have great logical controls but leave physical security high and dry.