N+I: The ten most common IT security mistakes

By Byron Kaye, ZDNet Australia
09 March 2001 10:14 AM
Tags: hackers, security, staff, assume, say, mistake
A wise man once said: "Never assume. It makes an ass out of u and me." And assumption was the brunt of IT security consultant Keith Glennan's list of mistakes most commonly made by Web-connected companies.

Speaking at NetWorld+Interop 2001, he sought to shatter assumptions e-businesses too often made about the nature of their own security measures, the people who made them, and the people who break them.

Any of these blunders ring a bell?

  1. Assume you're not a target. What are you, special? Invisible? Your site is no less appealing to hackers than anyone else's, says Glennan.

  2. Assume your firewall will keep the bad guys out. Bad guys love firewalls. They're a challenge and challenges are what make hackers tick.

  3. Assume your IT staff can handle security. Sure, you have skilled, dedicated staff, but "the hacker community is probably more organised than your IT staff," says Glennan.
    "If we had staff with the intensity (hackers) have, the economy would be booming."

    However, Glennan was quick to dispel the supposition that hackers are generally "intelligent but misguided". Most hackers were unintelligent, unemployed, and simply followed "recipes" found in a "cookbook", he said.

  4. Assume your network won't be broken into.
    "People spend money on their 'front door' and completely forget about everything else," says Glennan. If you're realistic, he says, you'll assume you will be broken into.

  5. Assume you don't have the budget.
    Companies that install simplistic, cheap or minimal security solutions are living with a "false sense of security", says Glennan.

    Plus, what CIOs and CEOs don't realise is that they are now liable to be sued for failing to adequately protect company assets.

    Of course, intellectual property is counted as an asset. If you have the budget for a burglar alarm, you have the budget for a regularly audited, thorough IT security system.

  6. Assume no one else is reading your email.
    Glennan says reading other people's email is so easy it's trivial. Remember, email is "just data travelling through public networks". He cited an example of some Australian employees sent to a regional office who decided to read every single email their manager received, simply because they felt they were not being briefed as regularly as they would have liked. Which brings us to mistake number seven...

  7. Assume you can trust your employees.
    The above example in mind, Glennan warns that "disgruntled employees" constitute one of the largest categories of malicious attack on company systems.

  8. Assume that security products are secure.
    Market demands on software vendors outweigh their integrity, Glennan says. In many cases, if these vendors don't get their latest gizmo out the door five seconds ago, their competitor will. At least, that's the perception. And the priority.

    Besides, no matter how much integrity, security software vendors are "just as capable of stupid mistakes as anyone else", he says. And "they don't think outside the box like hackers."

  9. Assume that you would know if an incident occurred.
    This may seem ludicrous, but Glennan admits it can often be hard to tell when someone's stolen something that isn't material.

    "Sometimes it's just a matter of duplicating a set of electrons. Often you can't tell," he says.

    In the infamous Microsoft attack of late 2000, the software giant admitted that the culprit - who was eventually caught - had been entering their systems for three months prior to detection. Of course, it's Microsoft which makes it funny, but you get the picture.

  10. Assume the problem can be "fixed".
    One isolated security problem might be fixed today, but another one will appear tomorrow, says Glennan. "Every time we do something, they do something."

    He advises companies to employ objective outside parties to regularly "test the gates" on their IT systems.

    Keith Glennan is the general manager for consulting services at e-Sec.

Advertisement

Talkback 0 comments

Latest Videos

Sponsored content

Power Centre - Content from our premier sponsors

Blogs

  • Suzanne Tindal Sick of broken tender sites
    Some of the state governments desperately need to invest in more user-friendly tender sites so that looking for information on government tenders doesn't have to be a game of blind man's bluff.
  • Array Cyberwar: What is it good for?
    In this week's episode, Cyberwar. What is Australia's place in the world of digital warfare? What are the implications for the NBN?
  • Array Is wholesale-only backhaul just a pipedream?
    The potential acquisition of Pipe Networks by SP Telemedia has raised the question about whether vertically integrated backhaul providers will mean higher wholesale prices for ISP customers.
  • More blogs »

Tags

Back to top

Featured