Network Security Tips
Technological holes account for a great number of the successful
break-ins, but people do their share, as well.
The Five Worst Security Mistakes End Users Make
- Failing to install anti-virus, keep its signatures up to date,
and apply it to all files.
- Opening unsolicited e-mail attachments without verifying their
source and checking their content first, or executing games or
screen savers or other programs from untrusted sources.
- Failing to install security patches, especially for Microsoft
Office, Microsoft Internet Explorer, and Netscape.
- Not making and testing backups.
- Using a modem while connected through a local area network.
The Seven Worst Security Mistakes Senior Executives Make
- Assigning untrained people to maintain security and providing
neither the training nor the time to make it possible to learn
and do the job.
- Failing to understand the relationship of information security
to the business problem: they understand physical security but
do not see the consequences of poor information security.
- Failing to deal with the operational aspects of security: making
a few fixes and then not allowing the follow-through necessary
to ensure the problems stay fixed.
- Relying primarily on a firewall.
- Failing to realize how much money their information and organizational
reputations are worth.
- Authorizing reactive, short-term fixes so problems re-emerge
rapidly.
- Pretending the problem will go away if they ignore it.
The Ten Worst Security Mistakes Information Technology People Make
- Connecting systems to the Internet before hardening them.
- Connecting test systems to the Internet with default accounts/passwords.
- Failing to update systems when security holes are found.
- Using telnet and other unencrypted protocols for managing systems,
routers, firewalls, and PKI.
- Giving users passwords over the phone or changing user passwords
in response to telephone or personal requests when the requester
is not authenticated.
- Failing to maintain and test backups.
- Running unnecessary services, especially ftpd, telnetd, finger,
rpc, mail, rservices.
- Implementing firewalls with rules that don't stop malicious
or dangerous traffic, incoming or outgoing.
- Failing to implement or update virus detection software.
- Failing to educate users on what to look for and what to do
when they see a potential security problem.
- BONUS: Allowing untrained, uncertified people to take responsibility
for securing important systems.
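Two of the mistakes above (managing systems over unencrypted protocols, and running unnecessary services such as ftpd, telnetd, finger, rpc, mail and the rservices) can be checked for on a host with a few lines of code. The following is an added example, not part of the SANS list or of this page: a small Python audit that parses `ss -tlnp`-style output, flags listeners on the legacy or cleartext ports named in the list, and notes whether each one is bound beyond loopback. The sample socket listing, the port-to-service table and the remediation text are constructed for the example; on a real host the output of `ss -tlnp` would be fed in instead.

```python
"""Audit listening sockets for legacy cleartext or unnecessary services.

Added example: parses constructed `ss -tlnp`-style output and reports
listeners on ports the SANS list singles out (telnet, ftp, finger, rpc,
mail, rservices) with a suggested remediation.
"""
import re

# Ports of the services named in the list. The service names and the
# advice strings are this example's own, not text from the page.
RISKY_PORTS = {
    21: ("ftpd", "cleartext credentials; use SFTP/FTPS or disable"),
    23: ("telnetd", "cleartext management session; use SSH"),
    25: ("mail (smtpd)", "disable unless this host must relay mail"),
    79: ("finger", "leaks account information; disable"),
    111: ("rpc (rpcbind/portmapper)", "disable unless NFS/NIS is required"),
    512: ("rexec (rservices)", "cleartext, host-trust auth; disable"),
    513: ("rlogin (rservices)", "cleartext, host-trust auth; disable"),
    514: ("rsh (rservices)", "cleartext, host-trust auth; disable"),
}

# Addresses that mean "reachable only from this host".
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# Constructed sample in the shape of `ss -tlnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*          users:(("in.telnetd",pid=901,fd=4))
LISTEN  0       5       0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=905,fd=3))
LISTEN  0       128     127.0.0.1:25         0.0.0.0:*          users:(("master",pid=950,fd=13))
LISTEN  0       128     0.0.0.0:111          0.0.0.0:*          users:(("rpcbind",pid=700,fd=4))
LISTEN  0       128     [::]:443             [::]:*             users:(("nginx",pid=1200,fd=6))
"""

# Local Address:Port is the fourth whitespace-separated column of a LISTEN line.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+")
# The owning process name appears as users:(("name",pid=...,fd=...)).
PROC_RE = re.compile(r'users:\(\("(?P<proc>[^"]+)"')


def parse_listeners(ss_output):
    """Return (address, port, process) for every LISTEN line; header lines are skipped."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        p = PROC_RE.search(line)
        proc = p.group("proc") if p else "?"
        listeners.append((m.group("addr"), int(m.group("port")), proc))
    return listeners


def audit(ss_output, risky=RISKY_PORTS):
    """Return one finding per listener on a risky port, ordered by port number."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        if port not in risky:
            continue
        service, advice = risky[port]
        findings.append({
            "port": port,
            "address": addr,
            "process": proc,
            "service": service,
            "advice": advice,
            # Bound to anything other than loopback means reachable from the network.
            "exposed": addr not in LOOPBACK,
        })
    return sorted(findings, key=lambda f: f["port"])


def report(findings):
    """Render findings as one line each, exposure first so it stands out."""
    lines = []
    for f in findings:
        scope = "NETWORK-EXPOSED" if f["exposed"] else "loopback only"
        lines.append(f"port {f['port']:>5}  {f['service']:<26} {f['process']:<12} "
                     f"{scope}: {f['advice']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(SAMPLE_SS_OUTPUT)))
```

On the constructed sample the audit flags ports 21, 23 and 111 as network-exposed and port 25 as loopback-only, while sshd on 22 and nginx on 443 pass. Flagging by port alone is a first pass: a service bound to a non-standard port is missed, so the process names in the report are there to be read, not just the port numbers.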
Information from The SANS Institute: http://www.sans.org.