Topic: The Top Internet Security Screw Ups

[Samker]

Security is fast becoming growing concerns in both the private and public sectors. We need to martial all our personal and corporate resources in an effort and bring it's importance to the fore-front of corporate and individual awareness.

With over 22 years experience of defending against Internet Security threats, Brent MacLean, Managing Director of http://www.jbm.net J.B. MacLean Consulting Inc., has seen it all. The top ten Internet security screw ups. So here they are, in reverse order (saving the best to last):

10) Failing to archive firewall log files. Firewalls are often correctly configured with full logging enabled. This tends to generate massive amounts of data, but often they are referred to only when there is a problem. However, left unattended, they can become a problem by their own permissions. Before you know it, you have 10GB of data and a terrible shortage of disk space. Complete system failure soon follows and often the system has to be rebuilt from scratch; not a good thing.

9) Not knowing where your sensitive passwords are documented. Nothing makes supporting customers more of a challenge than if they cannot remember where their passwords are documented and/or stored. That is, of course, if they had correctly and securely documented them at all. Often, passwords remain in the heads of administrators, and are simply shared by word of mouth or by voice mail or email. You might as well write them on a poster and display them on an office wall. Let's get security protocols in place people.

Not systematically scanning all incoming emails for potentially harmful viruses. Without question, email borne viruses are today the biggest internet security threat. Fortunately, most corporations and large networks have aggressive email virus scanning techniques and methodologies--either deployed in-house or using one of the growing numbers of managed services. Unfortunately, some businesses still don't see the need, thinking that it is sufficient to deploy workstation virus products. Why let the viruses through the front door in the first place?

7) Not blocking Instant Messaging on your firewall. With Microsoft now in a big push to get people using their IM technology, we are beginning to see IM clients freely deployed in businesses, mainly by users. Without proper auditing and control procedures, IM simply opens up a porthole that can be used by the unscrupulous to disseminate viruses and worms. If you haven't thought through the challenges of allowing IM onto your network, the simplest thing to do is to block it at the firewall.

6) Depending too much on users to patch their own workstations. Let's face it people; users are terrible at following even the simplest of technical instructions. We all know how difficult Microsoft makes it for administrators to keep their products properly patched. There are tools to make life easier, although it has to be said that some seem to make the task of patching more difficult. Hopefully, one day MS will crack the problem, but until then, depending on users to patch reliably and regularly is a strategy targeted for disaster.

5) Not having an incident response plan (IRP). All networking and security professionals know that even with the best planning in the world, something will always go wrong with technology growing by leaps and bounds. It simply isn't possible, with today's complex environments, to be 100% secure. As luck would have it, the first major problem will come while you are on a glorious vacation up some remote hillside in Tuscany. Have an incident response plan, even a very simple one; at least it is a start. What are you going to do when a problem arises, who are you going to call for help and why didn't you print if off rather than leave it stored on a file server which no-one can now log into? Let's get some emergency policies in place, everyone. It is simply good protocol.

4) Failing to disable accounts for departed employees. You would not believe how frequently HR fails to tell IT managers that an employee has left the business. They might, if you are lucky, remember to ask them for their mobile phone, but hey, why not let's leave all their remote access privileges in place! Can we say a disaster waiting to happen?

3) Failing to configure any security on a wireless access point. We all know wireless is here to stay. But, if you are going to broadcast all your company's data to the world and potential hackers, perhaps it would a good idea to enable the basic security features that comes standard with the product. It may not be the greatest, and it may be inconvenient, but it sure beats having to explain to the boss why he was able to connect to the network from the car park on his new wireless PDA, just purchased at the nearest Best Buy.

2) Not keeping your firewall patched. This is pretty much tantamount to paying for an expensive lock on your front door at home and then leaving the keys in the lock--on the outside! And of course if you are going to patch the firewall software, don't forget to patch the underlying operating system, if there is one. Let's keep those software updates and hardware (firmware) current.

And the Oscar goes to...not securing home PCs with their own firewall, VPN and virus detection. It was difficult to decide what should be top of the list, but this won out. With broad band and laptops becoming widely deployed, users are accessing corporate resources from outside your logical boundary. If these machines are not properly secured, then neither is your network!

http://www.jbm.net Security is here to stay and is a growing field in all aspects. So let's get it right the first time. Here are just a few friendly tips...more to come so stay tuned.

10) Failing to archive firewall log files. Firewalls are often correctly configured with full logging enabled. This tends to generate massive amounts of data, but often they are referred to only when there is a problem. However, left unattended, they can become a problem by their own permissions. Before you know it, you have 10GB of data and a terrible shortage of disk space. Complete system failure soon follows and often the system has to be rebuilt from scratch; not a good thing.

9) Not knowing where your sensitive passwords are documented. Nothing makes supporting customers more of a challenge than if they cannot remember where their passwords are documented and/or stored. That is, of course, if they had correctly and securely documented them at all. Often, passwords remain in the heads of administrators, and are simply shared by word of mouth or by voice mail or email. You might as well write them on a poster and display them on an office wall. Let's get security protocols in place people.

Not systematically scanning all incoming emails for potentially harmful viruses. Without question, email borne viruses are today the biggest internet security threat. Fortunately, most corporations and large networks have aggressive email virus scanning techniques and methodologies--either deployed in-house or using one of the growing numbers of managed services. Unfortunately, some businesses still don't see the need, thinking that it is sufficient to deploy workstation virus products. Why let the viruses through the front door in the first place?

7) Not blocking Instant Messaging on your firewall. With Microsoft now in a big push to get people using their IM technology, we are beginning to see IM clients freely deployed in businesses, mainly by users. Without proper auditing and control procedures, IM simply opens up a porthole that can be used by the unscrupulous to disseminate viruses and worms. If you haven't thought through the challenges of allowing IM onto your network, the simplest thing to do is to block it at the firewall.

6) Depending too much on users to patch their own workstations. Let's face it people; users are terrible at following even the simplest of technical instructions. We all know how difficult Microsoft makes it for administrators to keep their products properly patched. There are tools to make life easier, although it has to be said that some seem to make the task of patching more difficult. Hopefully, one day MS will crack the problem, but until then, depending on users to patch reliably and regularly is a strategy targeted for disaster.

5) Not having an incident response plan (IRP). All networking and security professionals know that even with the best planning in the world, something will always go wrong with technology growing by leaps and bounds. It simply isn't possible, with today's complex environments, to be 100% secure. As luck would have it, the first major problem will come while you are on a glorious vacation up some remote hillside in Tuscany. Have an incident response plan, even a very simple one; at least it is a start. What are you going to do when a problem arises, who are you going to call for help and why didn't you print if off rather than leave it stored on a file server which no-one can now log into? Let's get some emergency policies in place, everyone. It is simply good protocol.

4) Failing to disable accounts for departed employees. You would not believe how frequently HR fails to tell IT managers that an employee has left the business. They might, if you are lucky, remember to ask them for their mobile phone, but hey, why not let's leave all their remote access privileges in place! Can we say a disaster waiting to happen?

3) Failing to configure any security on a wireless access point. We all know wireless is here to stay. But, if you are going to broadcast all your company's data to the world and potential hackers, perhaps it would a good idea to enable the basic security features that comes standard with the product. It may not be the greatest, and it may be inconvenient, but it sure beats having to explain to the boss why he was able to connect to the network from the car park on his new wireless PDA, just purchased at the nearest Best Buy.

2) Not keeping your firewall patched. This is pretty much tantamount to paying for an expensive lock on your front door at home and then leaving the keys in the lock--on the outside! And of course if you are going to patch the firewall software, don't forget to patch the underlying operating system, if there is one. Let's keep those software updates and hardware (firmware) current.

And the Oscar goes to...not securing home PCs with their own firewall, VPN and virus detection. It was difficult to decide what should be top of the list, but this won out. With broad band and laptops becoming widely deployed, users are accessing corporate resources from outside your logical boundary. If these machines are not properly secured, then neither is your network!

http://www.jbm.net Security is here to stay and is a growing field in all aspects. So let's get it right the first time. Here are just a few friendly tips...more to come so stay tuned.

(Brent MacLean - CEO of J.B. MacLean - Toronto)