7 Ways Security Pros DON'T Practice What They Preach

7 Ways Security Pros DON'T Practice What They Preach
7 Ways Security Pros DON'T Practice What They Preach 

By Bill Brenner
Senior Editor
September 22, 2009 

IT security pros are often driven to drink -- literally -- over the 
daily battles of their job: bosses unwilling to accept the rationale for 
some new security investment, employees who regularly infect their 
computers by doing things that have nothing to do with their jobs, and 
vendors who don't understand the company's needs. [The latter example is 
examined in 8 Dirty Secrets of the IT Security industry.]

But in a recent, unscientific and informal poll CSOonline conducted over 
such social networks as Twitter and LinkedIn, many IT security pros 
admitted they've often looked the enemy in the eye only to find 
themselves staring back in the mirror. Or, they've seen carelessness in 
well-meaning professionals who should know better.

Paul V de Souza, a former chief security engineer at AT&T and owner of 
the CYBER WARFARE Forum Initiative (CWFI), has seen many an example 
where IT security pros fail to practice what they preach. "I have 
noticed that many security professionals do not encrypt their hard 
drive," he said. "I also see a lack of two-factor authentication 
deployment. Many of us security professionals rely only on passwords."

Based on the poll and a list provided by Andy Willingham, former network 
security engineer at EBFC, information security engineer at MARTA and 
founder/owner of AndyITGuy Consulting, here are seven examples of how 
security pros cut corners:

1.) Using URL shortening services

URL shortening services have become immensely popular in recent years, 
especially among security pros who use such forums as Twitter to share 
content. The problem is that URL-shortening services are sometimes 
insecure and unstable. For examples, see New Spam Trick: Shortened URLs 
and 5 More Facebook, Twitter Scams to Avoid.

In the latter example, Graham Cluley, senior technology consultant with 
U.K.-based security firm Sophos, noted in a recent interview that some 
URL-shortening services have begun to try filtering out bad sites by 
checking URLs against known black lists, but that the issue is far from 
resolved, particularly because despite increased efforts to block 
malicious links, Twitter and Facebook do not have a filtering mechanism 
for bad shortened URLs.


Did a friend send you this? From now on, be the 
first to find out! Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods