Four deadly security sins

Four deadly security sins
Four deadly security sins

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

Content-Transfer-Encoding: QUOTED-PRINTABLE

By Lynn Tan
ZDNet Asia
June 11 2007

Organizations should not rely on its staff to ensure its network is 
secured as employees are not infallible and one slip is all it takes for 
cyber criminals to launch a vicious attack.

"If you are an organization that is relying on your employees to do the 
right thing with respect to security, you've already made a number of 
mistakes," said Scott Montgomery, global vice president for product 
management at Secure Computing, in a phone interview with ZDNet Asia.

Montgomery noted that end users are typically the "least educated" of 
proper corporate security practices and are "most prone to doing things" 
that do not adhere to the company's security policy.

He highlighted four most damaging security habits that are commonplace 
among organizations in this region and around the world, and underscored 
the need for IT administrators to closely monitor these areas.

1. Fixed passwords

The Sans Institute, over the last decade, has identified passwords as 
one of top 10 most damaging security practices, Montgomery said.

Unlike token-generated or one-time passwords, he noted that fixed 
passwords do not change and some users may even write them down to avoid 
forgetting the sequence. As such, fixed passwords are "dangerous" 
because any person who knows the right password can log into the network 
and cannot be identified as an imposter, he said.

"Everybody knows that fixed passwords are weak and a problem. It's been 
the same way for 10 to 15 years, but it doesn't change organizations 
from investing in it," Montgomery said.

In contrast, the use of one-time passwords has been found to 
"dramatically increase the security profile of organizations" because 
the perpetrator would not be able to compromise the user's credentials, 
he said.

"Even the use of one-time password on an application-by-application 
basis dramatically increases your security profile because you can't 
do=E2=80=A6password guessing," Montgomery said. He added that the use of a 
hardware token for one-time password deployment--whether it is 
time-based or event-based--is a good way to prevent systems from being 

2. Neglecting inbound threats from e-mail, the Web and instant messaging

When end-users receive a spam message in their e-mail inbox, their 
administrators have already "lost the battle", Montgomery said. "At that 
point, you're expecting the users to do the right thing [but] they 
won't... They don't have any perception of the greater risk of their 
activities." He noted that e-mail, Web mail and IM (instant messaging) 
are among the high-risk areas and IT administrators need to ensure data 
received via these platforms are safe and protected.

3. Forgetting that data traffic is two-way

When keeping the organization's network secure, IT administrators should 
keep in mind that data traffic is bidirectional and consider 
possibilities of outbound data leakage.

Montgomery noted that organizations often forget that their traffic is 
bidirectional and many spent the last several years protecting only the 
data that enters their networks. "Organizations have been very slow to 
look at what's leaving their network, in terms of data leakage, due to 
malicious and criminal intent or that are simply [the result of 
employee] mistakes," he said.

4. Not encrypting data

Without encryption, data sent and received via email is literally "like 
putting an ad out in the paper" and for anyone in the public to view, 
said Montgomery. He added that some users wrongly assume the data they 
send is private and cannot be seen by the public.

"People who want to read your e-mail will have to look for it to find 
it, but they can find it if they want to," he said.

"There is a level of protection only if people use encryption in their 
e-mail, [but] most people don't," Montgomery said.

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. 

Site design & layout copyright © 1986-2014 CodeGods