Security – Top 10 Mistakes
Security management has a lot to do with details — staying on top of the latest threats and patching flaws. But sometimes, it has more to do with the big picture and how you approach security management. Here are the top 10 security mistakes I've seen people make:
1. Trusting people: The biggest threat to your IT security is ALWAYS the trusted employee. This is especially true of executives because poor personal security practices are just as dangerous (or more dangerous) as having a dishonest employee. If you ever need to cite an example, remember that one former CIA director actually accessed "company" files from his unsecured home PC. President Bill Clinton had to give Director John Deutch a Presidential Pardon to prevent prosecution.
2. Thinking your OS/server/Web app/wireless network/whatever is already secure: Having confidence is a wonderful thing in business and life in general, but paranoia is KING in security.
3. Failure to confirm that your disaster recovery plan actually works: Is that backup comprehensive? Is it scheduled (and actually done!) frequently enough? Can you restore your business from those backup tapes? And, most critical of all, is the backup kept physically secure and physically separate from your servers?
4. Incorrectly prioritizing the protection of specific assets: Few of us have the resources to protect everything completely. In the real world, you need to know what the most important things are to your company so you can protect those assets the most. One size does NOT fit all.
5. Failing to convince upper management of the need for security -– especially integrated security: If management doesn't support your measures, you might as well just take your paycheck and ignore real security. You can't have real security if you just add it AFTER designing and developing your network and applications.
6. Forgetting that road warriors WILL use unsecured wireless access points: It doesn't matter what rules you make or how draconian the punishment, road warriors WILL ignore security rules when they feel it hurts their bottom line.
7. Not properly managing passwords: Make them long and easy to remember -– initial letters of words in a favorite quotation are often a good choice; final letters of those words are even better.
While we are on the subject of passwords, you need to balance the need to re-enter passwords against the fact that the more often users have to key them in, the simpler the passwords they will pick. Once a day is the minimum, but how about after lunch? Or each time a critical application or database is accessed? The answer is that it depends, and it is up to YOU to decide what it depends on.
Keeping passwords, even strong ones, for too long a time is a major mistake. Not only does this give attackers a lot of time to test your system, but once you're hacked, you'll remain vulnerable for a long time.
8. Supplying help desk support without thoroughly authenticating callers: Social engineering is still a serious threat.
9. Mistaking obscurity for security: People WILL find that Web page you think is hidden -– even if you don't have a search function. Many search engines let people search just a specific URL.
10. Writing down ALL your security measures and failing to properly secure that document: There's nothing like finding a guide to hacking a particular network. While you should write everything down, you have to protect that document better than anything else in your company.
Updated Web Browsers: Which One Works Best?
Back when the earliest programs for viewing Web content simply browsed flat pages of images and text, the name browser truly fit the software.
But yesterday's amateur pages have evolved into dynamic, content-rich portals and powerful online programs. For many online habitués, the do-it-all browser has become a PC's single most important program.
Recognizing that fact, Apple's Safari, Microsoft's Internet Explorer, and Mozilla's Firefox are battling to win the nod as your browser of choice. So which one should you use--Safari 3.1, Firefox 3, or Internet Explorer 8?
Apple's latest offering, Safari 3.1, preserves the company's signature focus on clean design and smooth usability, but it lacks any phishing or malware filters.
For its part, Mozilla should have applied the finishing touches to Firefox 3 by the time you read this. From under-the-hood memory improvements to a major reworking for bookmarks, version 3 represents a big step forward.
Whereas the new Firefox and Safari browsers are ready to roll, Microsoft's early beta of Internet Explorer 8 remains a work in progress. Bugs and rough edges are to be expected in a first beta intended for developers and testers. But IE 8 beta 1 provides a glimpse of new features such as WebSlices (which let sites create widgety snippets of information that you can view by clicking a bookmark button) and Activities (which add right-click menu options for looking up selected text and pages on map, translation and other sites) that will distinguish the browser Microsoft eventually releases.
Firefox, IE, and Safari are the three most popular browsers, according to Internet usage statistics, but they aren't the only ones available. So I also took a separate look at two worthwhile, free programs--Flock and Opera.
Windows XP vs Vista: What you need to know
Will Windows XP still be properly supported by Microsoft and, as a primary development target, by third parties? Is there something XP die-hards have missed, some hidden gotcha that's going to trip them up 12, 18, or 24 months from now?
Of course, there's no universal answer to the Vista upgrade question. Yes, in all likelihood you'll be just fine sticking with Windows XP – at least until Windows 7 ships in 2009 or 2010. But let's not rush to universal judgement. Let's take a close, measured look at the key considerations, and compare Vista's merits against the state of XP on the essential points that IT organisations and end-users care about. And if we can't solve this calmly and objectively, like fair-minded professionals, then let's at least have a good fight.
Are you ready to rumble? Okay, then. Operating systems, return to your corners, and come out swinging.
Round 1: Security
Security is one of the first areas to come to mind when considering a Vista migration. Features such as UAC (User Account Control) and Internet Explorer Protected Mode have been making headlines for more than a year – but not always in the context Microsoft would have wanted. UAC, in particular, has been savaged by critics who balk at its many annoying confirmation dialogs. Just try enabling or disabling multiple network connections quickly or moving a file into a protected folder.
However, even with UAC – which is really just a more visible, 'in your face' implementation of the user account controls that have been built into Windows NT since day one – Vista still isn't fully secure. There are documented ways around UAC involving Internet Explorer, security token privilege escalation, and the exploitation of the 'deprecated administrator' status of the default Vista account model.
More importantly, however, is the fact that most IT shops have already implemented a form of UAC under Windows XP by not allowing domain users to run as local administrators and, in some cases, writing their own 'elevation' utilities to make it all work seamlessly. In practice, these 'locked down' XP systems are in some ways more secure than a UAC-protected Vista system, because they're immune to the aforementioned privilege elevation exploit. To bring Vista systems on par with XP, you need to force users to work with a true non-admin account, as opposed to Vista's 'deprecated admin' account, which puts you right back at square one (that is, where XP is today).
Other security features, such as the updated firewall and more esoteric, internal fixes such as Address Space Layout Randomisation, are interesting but by no means compelling. Most IT shops have implemented a proper hardware firewall solution or third-party software for mobile/remote users, and address-based code exploits usually require some degree of social engineering to get them to work – a phenomenon even Vista can't thwart.
Decision: From a security standpoint, there's just not a lot to compel XP shops to upgrade. Many of the issues addressed by Vista have already been resolved under Windows XP using in-house applications or third-party tools.
