ISC Diary
How to Suck at Information Security

Published: 2009-01-09,
Last Updated: 2009-01-19 14:49:25 UTC
by Lenny Zeltser (Version: 3)


The following list presents common information security mistakes and misconceptions, so you can avoid making them.

Security Policy and Compliance

  • Ignore regulatory compliance requirements.
  • Assume the users will read the security policy because you've asked them to.
  • Use security templates without customizing them.
  • Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you're ready.
  • Create security policies you cannot enforce.
  • Enforce policies that are not properly approved.
  • Blindly follow compliance requirements without creating overall security architecture.
  • Create a security policy just to mark a checkbox.
  • Pay someone to write your security policy without any knowledge of your business or processes.
  • Translate policies in a multi-language environment without consistent meaning across the languages.
  • Make sure none of the employees finds the policies.
  • Assume that if the policies worked for you last year, they'll be valid for the next year.
  • Assume that being compliant means you're secure.
  • Assume that policies don't apply to executives.
  • Hide from the auditors.

Security Tools

  • Deploy a security product out of the box without tuning it.
  • Tune the IDS to be too noisy, or too quiet.
  • Buy security products without considering the maintenance and implementation costs.
  • Rely on anti-virus and firewall products without having additional controls.
  • Run regular vulnerability scans, but don’t follow through on the results.
  • Let your anti-virus, IDS, and other security tools run on "auto-pilot."
  • Employ multiple security technologies without understanding how each of them contributes.
  • Focus on widgets while neglecting the importance of maintaining accountability.
  • Buy an expensive product when a simple and cheap fix may address 80% of the problem.

Risk Management

  • Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles.
  • Make someone responsible for managing risk, but don't give the person any power to make decisions.
  • Ignore the big picture while focusing on quantitative risk analysis.
  • Assume you don't have to worry about security, because your company is too small or insignificant.
  • Assume you're secure because you haven’t been compromised recently.
  • Be paranoid without considering the value of the asset or its exposure factor.
  • Classify all data assets as "top secret."

Security Practices

  • Don't review system, application, and security logs.
  • Expect end-users to forgo convenience in favor of security.
  • Lock down the infrastructure so tightly that getting work done becomes very difficult.
  • Say "no" whenever asked to approve a request.
  • Impose security requirements without providing the necessary tools and training.
  • Focus on preventative mechanisms while ignoring detective controls.
  • Have no DMZ for Internet-accessible servers.
  • Assume your patch management process is working, without checking on it.
  • Delete logs because they get too big to read.
  • Expect SSL to address all security problems with your web application.
  • Ban the use of external USB drives while not restricting outbound access to the Internet.
  • Act superior to your counterparts on the network, system admin, and development teams.
  • Stop learning about technologies and attacks.
  • Adopt hot new IT or security technologies before they have had a chance to mature.
  • Hire somebody just because he or she has a lot of certifications.
  • Don't apprise your manager of the security problems your efforts have avoided.
  • Don't cross-train the IT and security staff.

Password Management

  • Require your users to change passwords too frequently.
  • Expect your users to remember passwords without writing them down.
  • Impose overly onerous password selection requirements.
  • Use the same password on systems that differ in risk exposure or data criticality.
  • Impose password requirements without considering the ease with which a password could be reset.

The above list of common security mistakes and misconceptions incorporates contributions from fellow ISC handlers. (Thanks!) If you'd like to print this list on a single page, you're welcome to use the PDF version from my site.

Update: In addition to the comments below, see the Devil's Advocate Security blog for additional notes regarding this list. Also, there are some excellent comments on the Slashdot thread that discusses this write-up.

-- Lenny

Lenny Zeltser
Security Consulting - Savvis, Inc.

Lenny teaches a SANS course on analyzing malware.

Comments

Great list, though I have a few modifications and some additions.

Risk Management
Classify all data assets as <anything>.

Security Practices
Use only public IPs in the DMZ.

Saying "We're just a <blank> company, why would anyone want our data".

Assume that the deployment of an IPS/SIEM/<blank> is all that security needs to do versus actually using and managing the devices.

Assume that IT Security and Information Security are the same thing.

Security Policy and Compliance
Refuse to change or create new policies in lieu of an outdated master policy.

Use variances as a catch-all. Misusing variances results in everything being a variance, but at least it's documented.

posted by Rick, Fri Jan 09 2009, 02:32
...and one more thing... Assuming or believing that 'Risk Analysis' and 'Risk Management' are the same thing.
posted by Lee, Fri Jan 09 2009, 15:46