Does your information security implementation suffer from mistakes in approach? Everyone is focused on information security, and security is a standard line in every corporate mission statement. And yet nearly every security implementation repeats the same range of mistakes. Here are the five most common:
- Focusing primarily on perimeter security - Put in firewalls, then more firewalls behind those, an IPS in the middle, and point all of it at the corporation's Internet link. Done, nothing else needed. Sound familiar? Defending the perimeter is important, but it is only one layer. A successful attack does not punch a hole through the thickest wall; it finds a way around it, through a user's laptop, a partner connection, or a service that was never meant to face the outside. Security needs to be layered, with the controls focused on the systems that actually store and process the information.
- Relying on hard coded elements - Whether it is a hostname, an IP address or a username/password pair, a hard-coded element in a file opens a gaping hole. Anyone who can read or disassemble the file gets a ready-made set of information for an attack, and the value cannot be changed without shipping a new copy of the file. Obtain such values at run time instead: from user input, from single sign-on, or from a configuration or secret store that the file itself does not contain.
- Trusting people - Any casino owner will tell you the grim truth: 30% of employees are out to steal from you. This is true in any industry, and you can never know who is in that 30%. Implicit trust, "he/she could never do us harm, the loyalty is too great", will only land you in trouble. Always enforce security rules and policies for every process and every employee, and give each role only the access it needs, so that a breach of trust is contained rather than total.
- Relying on an issue being fixed in the "other element" - "This will be fixed in the program", or "This will be fixed in the database". Finding an issue and hoping that someone else will fix it is stupid, to say the least. Address the issue immediately, where you found it, for no one else will. Each layer should enforce its own checks rather than assume the next layer does.
- Improper discarding of documentation - Hundreds of thousands of confidential documents are thrown into the garbage every day, along with whole laptops that for some reason stopped working. This simple neglect of "unnecessary" information is the nicest (and most legal) route to information and identity theft. A laptop that no longer boots usually still has a perfectly readable hard drive. Institute simple procedures for information destruction, from shredding paper up to wiping or physically destroying malfunctioning hard drives. The technical resources needed for this are inexpensive and plentiful!
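To make the hard-coded elements point concrete, here is an added example (not code from the original post): a constructed snippet with a hard-coded host, user, password and API key, a cheap scanner that flags such literals during code review, and the hardened way of obtaining the same values at run time. The file contents, variable names and patterns are all assumptions made for the example.

```python
"""Hard-coded elements: a constructed 'before' snippet, a scanner that
flags them, and the hardened way to get the same values at run time.
Added example; not from the original post."""
import os
import re
from typing import Dict, List, Mapping, Optional, Tuple

# Constructed sample of a file with hard-coded elements. Anyone who can
# read (or disassemble) a file like this gets a host, a user, a password
# and an API key in one go.
VULNERABLE_SOURCE = '''
DB_HOST = "10.20.30.40"
DB_USER = "backup_svc"
DB_PASSWORD = "Summ3r2024!"
API_KEY = "AKIAEXAMPLEKEY000001"
'''

# Deliberately simple patterns for a first-pass check in code review.
# No leading word boundary, so DB_PASSWORD and API_KEY are caught too.
PATTERNS = {
    "credential": re.compile(
        r'(?i)(pass(word|wd)?|secret|token|api[_-]?key)\s*[:=]\s*["\']([^"\']+)["\']'),
    "ipv4": re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b'),
    "username": re.compile(
        r'(?i)(user(name)?|login)\s*[:=]\s*["\']([^"\']+)["\']'),
}


def find_hardcoded(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, matched_text) for every suspicious literal."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((lineno, kind, m.group(0)))
    return hits


def load_db_settings(env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Hardened form: read the values from the environment, which the
    deployment system or a secret store populates at run time, and fail
    closed if any are missing instead of falling back to a built-in default."""
    env = os.environ if env is None else env
    required = ("DB_HOST", "DB_USER", "DB_PASSWORD")
    missing = [name for name in required if not env.get(name)]
    if missing:
        raise RuntimeError("missing required settings: " + ", ".join(missing))
    return {name: env[name] for name in required}


if __name__ == "__main__":
    for lineno, kind, text in find_hardcoded(VULNERABLE_SOURCE):
        print("line %d: %s: %s" % (lineno, kind, text))
```

The scanner is a review aid, not a complete secret scanner: it will miss encoded or concatenated values and will flag version strings that look like IP addresses, so treat its output as a list of places to look. The point of `load_db_settings` is that the file shipped to the host carries no secret at all, and that a missing value stops the program rather than silently using a default.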
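For the information destruction point, here is an added example (not from the original post) of the cheapest technical control: overwriting a file's contents in place before deleting it, and verifying that the original bytes are gone. The marker text and file are constructed for the example. One caveat a practitioner needs: in-place overwriting only works where a write lands on the same physical location as the data it replaces. SSDs, flash media and copy-on-write filesystems relocate writes, so for those the right tools are the device's own secure-erase command or full-disk encryption with destruction of the key; for a drive that is failing, physical destruction.

```python
"""Overwrite a file in place before deleting it, and verify the original
bytes are gone. Added example; not from the original post. Only
meaningful on media where writes land on the same physical location
(see the caveat above for SSDs and copy-on-write filesystems)."""
import os
import tempfile
from typing import Callable, Dict

CHUNK = 64 * 1024


def _overwrite_once(path: str, data_for: Callable[[int], bytes]) -> None:
    """Rewrite every byte of the file, preserving its size, and force it to disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            fh.write(data_for(n))
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())


def overwrite_file(path: str, random_passes: int = 2) -> None:
    """Random passes followed by a final zero pass."""
    for _ in range(random_passes):
        _overwrite_once(path, os.urandom)
    _overwrite_once(path, lambda n: b"\x00" * n)


def wipe_file(path: str) -> None:
    """Overwrite, then unlink."""
    overwrite_file(path)
    os.remove(path)


def contains_marker(path: str, marker: bytes) -> bool:
    with open(path, "rb") as fh:
        return marker in fh.read()


def demo() -> Dict[str, object]:
    """Create a constructed 'confidential' file, overwrite it, and report
    what a check would see before and after."""
    marker = b"CONFIDENTIAL: payroll export"  # constructed sample content
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker * 1000)
    size_before = os.path.getsize(path)
    present_before = contains_marker(path, marker)
    overwrite_file(path)
    result = {
        "present_before": present_before,
        "present_after": contains_marker(path, marker),
        "size_preserved": os.path.getsize(path) == size_before,
    }
    os.remove(path)
    result["exists_after"] = os.path.exists(path)
    return result


if __name__ == "__main__":
    print(demo())
```

The size check matters: truncating a file and rewriting it would leave the original blocks untouched on disk, so the overwrite opens the file for update and rewrites exactly the bytes that were there.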
Do you have an example of mistakes? Add it in the comments!!!
Talkback and comments are most welcome