By: Rafe Zetasci
Most IT and security professionals work hard to lock down their organisation's environment. Yet however well defended the infrastructure looks on paper, there is usually a gap somewhere through which data theft can occur. Here are four persistent mistakes that security professionals keep making; look out for them and act on them promptly.
1. Assuming that all software is updated and patched
Almost every organisation has some unpatched software. That is worrying in itself, but what is deeply unnerving is that the workstations of the IT and security staff themselves are frequently among the machines at risk. Asked whether everything in the organisation is patched, most security professionals point to the result of the last Windows Update scan, or to the report of their preferred third-party patch scanner. Unfortunately, few appreciate how incomplete and therefore dangerous these tools can be. Windows Update covers Microsoft products and little else, and most independent patch scanners only recognise popular, widely deployed software, so custom-built and niche applications are simply not checked. Many also ignore BIOS and firmware versions, even though firmware updates close serious holes. A manual survey is needed to find what the scanner missed. Glancing at the operating system's list of installed applications is not enough: walk the folders and directories, record the version information and build dates of the executables and DLLs found there, and keep an inventory of every product and version in use. Then compare that inventory against the CVE database. In almost every case, this is how unpatched software is actually discovered.
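The inventory-and-compare step described above, as an added example that is not part of the original article. It walks a directory tree for executables and DLLs with their modification dates, then matches a version inventory against advisory-style "introduced / fixed" version ranges. The product names, advisory identifiers and paths are constructed placeholders, not real software or CVEs, and the dictionary field names are this example's own assumption.

```python
import os
import re
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Installed:
    """One entry from the manually maintained software inventory."""
    product: str
    version: str
    path: str


# Constructed sample advisories (placeholder identifiers, not real CVEs), loosely
# modelled on the "affected versions" shape of a CVE record: everything from
# `introduced` up to but not including `fixed` is vulnerable.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "product": "ExampleViewer", "introduced": "0", "fixed": "4.1.7"},
    {"id": "EXAMPLE-ADV-2", "product": "ExampleAgent", "introduced": "2.0", "fixed": "2.3.11"},
    {"id": "EXAMPLE-ADV-3", "product": "ExampleAgent", "introduced": "3.0", "fixed": "3.0.2"},
]

# Constructed sample inventory: the record the text says should be kept for every
# binary found on disk, not only what the OS's "installed programs" list shows.
SAMPLE_INVENTORY = [
    Installed("ExampleViewer", "4.1.6", r"C:\Program Files\ExampleViewer\viewer.exe"),
    Installed("ExampleViewer", "4.2.0", r"C:\Tools\viewer-portable\viewer.exe"),
    Installed("ExampleAgent", "2.3.10", r"C:\Program Files\ExampleAgent\agent.dll"),
    Installed("ExampleAgent", "3.0.2", r"C:\Program Files\ExampleAgent\v3\agent.dll"),
    Installed("InHouseTool", "1.0", r"C:\Scripts\inhouse.exe"),
]


def parse_version(text: str) -> tuple:
    """Turn '4.1.7-beta' into (4, 1, 7): only the leading dotted numeric part counts,
    which is what advisory ranges are written against. Trailing zeros are dropped so
    that '2.3' and '2.3.0' compare equal."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"no numeric version in {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str, advisory: dict) -> bool:
    """True when `version` lies in [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_unpatched(inventory, advisories):
    """Return (entry, advisory) pairs for every inventory item inside a vulnerable range."""
    return [
        (item, adv)
        for item in inventory
        for adv in advisories
        if adv["product"] == item.product and is_affected(item.version, adv)
    ]


def unmatched_products(inventory, advisories):
    """Products no advisory mentions. These are not 'clean': they are exactly the
    custom or niche software that automated scanners skip too, and need a manual
    check against the vendor's own release notes."""
    known = {a["product"] for a in advisories}
    return sorted({i.product for i in inventory} - known)


def walk_binaries(root, extensions=(".exe", ".dll", ".sys")):
    """List binaries under `root` with their modification date, so stale files
    living outside the OS's program list are not overlooked."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                try:
                    mtime = os.path.getmtime(full)
                except OSError:
                    continue  # unreadable or vanished file; skip, do not abort the survey
                found.append((full, time.strftime("%Y-%m-%d", time.gmtime(mtime))))
    return found


if __name__ == "__main__":
    for item, adv in find_unpatched(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"{adv['id']}: {item.product} {item.version} at {item.path} (fixed in {adv['fixed']})")
    print("no advisory data, check manually:", unmatched_products(SAMPLE_INVENTORY, SAMPLE_ADVISORIES))
    for path, date in walk_binaries(".")[:10]:
        print(date, path)
```

The walker alone does not tell you the product version; on Windows that comes from the file's version resource, which is why the inventory is kept as a separate record. The point of `unmatched_products` is the caveat the article makes: a product absent from advisory data is not confirmed safe, it is simply unchecked.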
2. Spending sleepless nights over unnecessary threats
Most IT experts worry about vague, exotic threats that carry far less risk than the big, obvious dangers they face every day. In theory everyone agrees that the most likely threats should be addressed first and a robust defence plan built around them. In practice, basics such as patching software and keeping critical programs current often deliver more protection than an expensive, elaborate defence strategy. For example, IT staff may spend months debating with management the merits of biometric authentication versus smartcards, when simply cutting the number of full-time administrator accounts in the environment would be a better security investment than either costly rollout.
3. Archaic education of users
The run-of-the-mill advice imparted in every organisation runs thus: employees should not visit untrusted websites and should not open e-mail attachments from unknown people.
Advice 2.0 states: do not install software from the web unless there is a guarantee that it comes from the legitimate vendor, because even the websites people visit every day are liable to be compromised. Users must further be told never to click an unexpected link, and never to install or run active content sent by strangers, or even by people they know, since a familiar sender's account may itself have been compromised or spoofed. A line such as "this e-mail has been analysed and is 100% virus free" is a warning sign in itself: legitimate mail gateways do not certify attachments that way, and the reassurance is there to get the attachment opened. End-users need the next round of training in protecting their own machines: guidelines on social engineering and phishing, and the concrete steps they can take to verify any dubious e-mail or web offer, such as contacting the supposed sender through a channel they already trust.
4. Failing to inform management about the right concerns
Senior management are usually neither aware of nor told about the biggest and most impactful threats facing the organisation. Despite spending large sums every year to defend the environment, most CIOs and CTOs cannot say exactly what their organisation's biggest threats are. If security professionals do not collect the right metrics, nobody can gauge the danger the organisation is in. Almost every IT security professional reports the number of malicious programs detected and removed, or the number of unauthorised connections blocked by the firewall, but not the number of malware infections that went undiscovered, or for how long. Start measuring the largest and most likely threats to the organisation and how they are getting into the environment, and send that data up the management line. Simple, well-chosen measures can save millions of dollars while materially reducing the organisation's exposure to hackers and data thieves.
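The metrics this section argues for, as an added example that is not part of the original article: instead of reporting only what the perimeter blocked, it computes how many infections got through, by which entry route, and how long each sat undetected (dwell time, measured from the earliest forensic evidence of activity to the time of detection). The incident records, field names and blocked-connection count are constructed sample data, not figures from any real environment.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample incidents. `first_activity` is the earliest forensic evidence
# that the malware ran (file creation, first outbound beacon); `detected` is when
# the security team actually found it. Field names are this example's assumption.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "vector": "phishing attachment", "first_activity": "2024-03-01T09:12:00", "detected": "2024-03-01T10:42:00"},
    {"id": "INC-2", "vector": "phishing attachment", "first_activity": "2024-03-04T14:00:00", "detected": "2024-03-19T14:00:00"},
    {"id": "INC-3", "vector": "drive-by download", "first_activity": "2024-03-10T08:00:00", "detected": "2024-03-10T20:00:00"},
    {"id": "INC-4", "vector": "unpatched edge appliance", "first_activity": "2024-02-20T02:00:00", "detected": "2024-03-25T02:00:00"},
    {"id": "INC-5", "vector": "removable media", "first_activity": "2024-03-12T11:00:00", "detected": "2024-03-14T11:00:00"},
]

# Constructed count of the metric that is usually reported on its own.
SAMPLE_BLOCKED_AT_PERIMETER = 12840


def dwell_hours(incident: dict) -> float:
    """Hours between first malicious activity and detection."""
    start = datetime.fromisoformat(incident["first_activity"])
    end = datetime.fromisoformat(incident["detected"])
    if end < start:
        raise ValueError(f"{incident.get('id')}: detected before first activity")
    return (end - start).total_seconds() / 3600


def management_report(incidents, blocked_at_perimeter: int) -> dict:
    """The numbers the text says management never sees, beside the one they do."""
    if not incidents:
        return {
            "blocked_at_perimeter": blocked_at_perimeter,
            "got_through": 0,
            "median_dwell_hours": None,
            "max_dwell_hours": None,
            "over_24h": 0,
            "top_entry_vector": None,
            "by_vector": {},
        }
    hours = [dwell_hours(i) for i in incidents]
    by_vector = Counter(i["vector"] for i in incidents)
    return {
        "blocked_at_perimeter": blocked_at_perimeter,
        "got_through": len(incidents),
        "median_dwell_hours": median(hours),
        "max_dwell_hours": max(hours),
        # Infections that survived a full day are the ones worth explaining upward.
        "over_24h": sum(1 for h in hours if h > 24),
        "top_entry_vector": by_vector.most_common(1)[0][0],
        "by_vector": dict(by_vector),
    }


def format_report(report: dict) -> str:
    """Plain-language summary suitable for a management update."""
    lines = [
        f"Blocked at the perimeter: {report['blocked_at_perimeter']}",
        f"Got through and ran: {report['got_through']}",
    ]
    if report["got_through"]:
        lines += [
            f"Median time undetected: {report['median_dwell_hours']:.1f} h",
            f"Longest time undetected: {report['max_dwell_hours'] / 24:.1f} days",
            f"Undetected for more than a day: {report['over_24h']}",
            f"Most common entry route: {report['top_entry_vector']}",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(management_report(SAMPLE_INCIDENTS, SAMPLE_BLOCKED_AT_PERIMETER)))
```

On the constructed data the perimeter count looks impressive on its own, while the dwell-time figures show one infection sat undetected for over a month and phishing attachments were the leading entry route; that second set of numbers is what tells management where the next dollar should go.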
###
Rafe Zetasci is a web analyst and avid blogger.