Common Security Mistakes – By End Users, Executives and IT Departments

First off, apologies to the original author of this content… I had tucked this away in an Outlook note probably 8 years ago (I’ve updated it a little, as it referenced modems, which thankfully I haven’t touched in nearly that long). I didn’t note the author at the time, and if they want to contact me, I’d be happy to reference their work. It is still applicable today.


THE FIVE WORST SECURITY MISTAKES END USERS MAKE

  1. Opening unsolicited email attachments without verifying their source and checking their content first.
  2. Failing to install security patches, especially Windows, MS Office, IE (and other web browsers).
  3. Installing Screen Savers or games without safety guarantees.
  4. Not making and testing backups.
  5. Connecting a wireless router/access point to the local network without securing it (or seeking permission).


THE SEVEN WORST SECURITY MISTAKES SENIOR EXECUTIVES MAKE

  1. Assigning untrained people to maintain security and providing neither the training nor the time to make it possible to learn and do the job.
  2. Failing to understand the relationship of information security to the business problem – they understand physical security but do not see the consequences of poor information security.
  3. Failing to deal with the operational aspects of security: making a few fixes and then not allowing the follow through necessary to ensure that problems stay fixed.
  4. Relying primarily on a firewall.
  5. Failing to realize how much money their information and organizational reputations are worth.
  6. Authorizing reactive, short-term fixes so problems re-emerge rapidly.
  7. Pretending the problem will go away if they ignore it.


THE TEN WORST SECURITY MISTAKES INFORMATION TECHNOLOGY PEOPLE MAKE

  1. Connecting systems to the Internet before hardening them (removing unnecessary devices and patching necessary ones).
  2. Connecting test systems to the Internet with default accounts and passwords.
  3. Failing to update systems when security vulnerabilities are found and patches or upgrades are available.
  4. Using telnet and other unencrypted protocols for managing systems, routers, firewalls and PKI (Public Key Infrastructure).
  5. Giving users passwords over the phone, or changing passwords in response to telephone or personal request when the requester is not authenticated.
  6. Failing to maintain and test backups.
  7. Running unnecessary services, especially FTP, TELNET, SMTP and RPC.
  8. Implementing firewalls with rules that allow malicious or dangerous traffic – incoming or outgoing.
  9. Failing to implement or update virus detection software.
  10. Failing to educate users on what to look for and what to do when they see a potential security problem.
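Items 4 and 7 of the IT list are easy to check for on a host: a listing of listening sockets shows whether telnet, FTP, SMTP or the RPC portmapper are still running, and whether they are bound to all interfaces or only to loopback (a distinction the list does not draw, but one that decides how exposed the service is). The script below is an added example, not part of the original note; it parses constructed lines in the layout of `ss -tln` output, and the port-to-service table and the sample socket lines are assumptions made for the example.

```python
# Added example (not from the original post): audit a snapshot of listening TCP
# sockets for the legacy/unnecessary services named in the list above (FTP,
# TELNET, SMTP, RPC). The input mimics `ss -tln` output; the sample lines are
# constructed for this example, not captured from a real host.
from dataclasses import dataclass

# Ports the list calls out as unnecessary or cleartext management protocols.
RISKY_PORTS = {
    21: "ftp (cleartext credentials)",
    23: "telnet (cleartext management)",
    25: "smtp (open relay risk if unneeded)",
    111: "rpcbind/sunrpc (RPC portmapper)",
}


@dataclass(frozen=True)
class Finding:
    port: int
    local_addr: str
    service: str
    exposed: bool  # True when bound to something other than loopback


def _split_addr_port(local: str):
    """Split 'addr:port' as printed by ss; handles 0.0.0.0, [::] and * forms."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def _is_loopback(addr: str) -> bool:
    return addr in ("127.0.0.1", "[::1]", "::1")


def audit_listeners(ss_lines):
    """Return a Finding for every LISTEN socket on a risky port.

    Lines that are not LISTEN entries (for example the header) are ignored.
    """
    findings = []
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = _split_addr_port(fields[3])
        if port in RISKY_PORTS:
            findings.append(Finding(port, addr, RISKY_PORTS[port],
                                    exposed=not _is_loopback(addr)))
    return findings


# Constructed sample in `ss -tln` layout (State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*
LISTEN  0       100     127.0.0.1:25        0.0.0.0:*
LISTEN  0       4096    [::]:111            [::]:*
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*
""".splitlines()


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        tag = "EXPOSED" if f.exposed else "local-only"
        print(f"port {f.port:<4} on {f.local_addr:<10} {tag:<10} {f.service}")
```

On a real host, feed the output of `ss -tln` into `audit_listeners` line by line; anything reported as EXPOSED is a service reachable from the network that should either be removed (item 7), replaced with an encrypted equivalent such as SSH (item 4), or restricted by the firewall rules item 8 refers to.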