As a security professional, you know how to keep your environment safe and secure from both internal and external threats. But, there’s a lot to lock down.
It’s easy to overlook seemingly innocuous security items from time to time. How these neglected items affect your company may vary. Sometimes there are serious consequences. Other times, there aren’t any perceivable problems afterward at all — on the surface, at least.
Here’s a look at a few mistakes that even seasoned ITSec pros tend to bungle from time to time — and how you can avoid them.
1. Lapses in User Privileges
It is hard to believe, but there are still organizations that don’t manage user permissions by groups. Without a clear hierarchical structure for your Active Directory, you have to manually create users and assign permissions to file shares and other network resources. This is not only unnecessarily tedious, but it is also a huge security risk.
Think about a user who transfers to a new department but keeps access to the important file shares and other sensitive resources from their old role. If the organization is then hit by a cryptovirus or any other virulent malware, the infection can spread like wildfire through every share that stale access still reaches.
Other common scenarios involve users that are no longer with the company. Again, it’s hard to believe, but sometimes ex-users are not removed from the systems within the business. Dormant accounts are sought out by crafty hackers who can infiltrate your network from a seemingly innocuous account. If such accounts have admin access or other elevated permissions, the potential damage is virtually unlimited.
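The two lapses above (stale access and dormant accounts, especially elevated ones) can be caught with a short Active Directory report. The following is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module on an authorized domain-joined host, and the 90-day threshold and group list are assumptions to replace with your own policy.

```powershell
Import-Module ActiveDirectory

$inactiveDays     = 90   # assumption: dormancy threshold from your own policy
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')   # built-in groups; add your own

# Build the set of every user that holds privileged membership, nested groups included
$privilegedMembers = @{}
foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $privilegedMembers[$_.SamAccountName] = $g }
}

# Enabled user accounts with no logon inside the threshold (never-logged-on included)
$dormant = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($inactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled }

$report = foreach ($acct in $dormant) {
    [PSCustomObject]@{
        SamAccountName = $acct.SamAccountName
        LastLogonDate  = $acct.LastLogonDate
        Elevated       = $privilegedMembers.ContainsKey($acct.SamAccountName)
        ViaGroup       = $privilegedMembers[$acct.SamAccountName]
    }
}

# Dormant *and* elevated accounts are the ones to act on first
$report | Sort-Object Elevated -Descending | Format-Table -AutoSize

# After review: disable rather than delete, so the change is reversible and auditable.
# $report | Where-Object Elevated | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName }
```

Run it on a schedule and diff the output week to week; an account that appears for the first time is usually a leaver nobody offboarded.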
2. Weak Password Policies
Think about default logins for your network appliances such as routers and switches. A curious intruder won’t take very long to cycle through all of the most commonly used passwords in order to gain access to your systems.
One remedy is to ditch the default passwords and bulk up on security by enforcing at least a baseline password standard. Do you have any lockout policies in place? If you don’t, then people that are trying to guess your credentials can try until the cows come home.
Use a low number of login attempts before an account gets locked out. Some IT pros prefer three tries, others a little more. If you don’t have lockout policies in place, then you should think about implementing one as soon as possible. Remember, you can’t always count on your end users.
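For an Active Directory domain, the lockout and complexity settings above live in the default domain password policy, where the out-of-the-box lockout threshold is 0 (no lockout at all). This added example, not from the original article, audits that policy against a minimum bar and remediates any setting that falls short; the values in `$minimum` are assumptions to adjust to your own policy, and it assumes the ActiveDirectory module on an authorized host.

```powershell
Import-Module ActiveDirectory

# Minimum bar this script enforces (assumption: tune to your own policy; the
# article's "three tries" is a tighter choice, but set it too low and an attacker
# can lock legitimate users out simply by guessing wrong on purpose)
$minimum = @{
    LockoutThreshold         = 5                           # failed attempts before lockout (0 = never)
    LockoutDuration          = [TimeSpan]::FromMinutes(30)
    LockoutObservationWindow = [TimeSpan]::FromMinutes(30) # must not exceed LockoutDuration
    MinPasswordLength        = 14
    ComplexityEnabled        = $true
}

$domain = (Get-ADDomain).DNSRoot
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain

# Collect every setting that is weaker than the minimum
$findings = @()
if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $minimum.LockoutThreshold) {
    $findings += "LockoutThreshold is $($policy.LockoutThreshold) (0 means accounts never lock out)"
}
if ($policy.LockoutDuration -lt $minimum.LockoutDuration) {
    $findings += "LockoutDuration is $($policy.LockoutDuration)"
}
if ($policy.LockoutObservationWindow -lt $minimum.LockoutObservationWindow) {
    $findings += "LockoutObservationWindow is $($policy.LockoutObservationWindow)"
}
if ($policy.MinPasswordLength -lt $minimum.MinPasswordLength) {
    $findings += "MinPasswordLength is $($policy.MinPasswordLength)"
}
if (-not $policy.ComplexityEnabled) { $findings += "ComplexityEnabled is off" }

if ($findings.Count -eq 0) {
    "Default domain policy for $domain meets the minimum."
} else {
    "Weak settings on $domain :"
    $findings | ForEach-Object { " - $_" }
    # Remediate in one call; all five parameters are part of the same policy object
    Set-ADDefaultDomainPasswordPolicy -Identity $domain `
        -LockoutThreshold $minimum.LockoutThreshold `
        -LockoutDuration $minimum.LockoutDuration `
        -LockoutObservationWindow $minimum.LockoutObservationWindow `
        -MinPasswordLength $minimum.MinPasswordLength `
        -ComplexityEnabled $minimum.ComplexityEnabled
}
```

Fine-grained password policies (PSOs) can override this for specific groups, so check `Get-ADFineGrainedPasswordPolicy -Filter *` as well if your domain uses them.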
3. UAC, aka User Account Control
As annoying as it is, the User Account Control dialog that pops up in Windows 7, 8, and 10 actually works. It blocks rogue applications from running amok on your computer by prompting you to accept the changes that an application is trying to make to your system.
Sometimes, you are actually trying to make changes to your system and the UAC popup gets a little annoying. But it is a small price to pay for added security.
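UAC only helps if it is still switched on, and a single registry change (by a GPO, a well-meaning admin, or malware) can turn the prompt off silently. This added check, not from the original article, reads the three registry values that govern the prompt and flags any that weaken it; the registry key and value names are the documented Windows ones, and the remediation lines at the end are commented out so nothing changes until you decide it should.

```powershell
# Registry location of the UAC policy settings (documented Windows key)
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key

# A missing value means the Windows default applies, which is the safe setting
# for ConsentPromptBehaviorAdmin (default 5) but not for the other two, so the
# comparisons below treat $null as a failure only where the default is unsafe.
$checks = @(
    @{ Name = 'EnableLUA'
       Ok   = ($uac.EnableLUA -eq 1)
       Why  = '0 disables UAC outright (takes effect after reboot)' }
    @{ Name = 'ConsentPromptBehaviorAdmin'
       Ok   = ($uac.ConsentPromptBehaviorAdmin -ne 0)
       Why  = '0 elevates administrators silently, with no prompt at all' }
    @{ Name = 'PromptOnSecureDesktop'
       Ok   = ($uac.PromptOnSecureDesktop -eq 1)
       Why  = '0 shows the prompt on the normal desktop, where other windows can overlay it' }
)

$weak = $checks | Where-Object { -not $_.Ok }
if (-not $weak) {
    'UAC configuration is intact.'
} else {
    foreach ($c in $weak) {
        "WEAK: $($c.Name) = $($uac.($c.Name)) -> $($c.Why)"
    }
    # Remediation (run elevated; EnableLUA needs a reboot to take effect):
    # Set-ItemProperty -Path $key -Name EnableLUA -Value 1
    # Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 2   # prompt for consent on the secure desktop
    # Set-ItemProperty -Path $key -Name PromptOnSecureDesktop -Value 1
}
```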
4. No Reporting or Monitoring
Just because your systems are up and running doesn’t mean there aren’t problems. You should have an automated reporting routine set up for daily, weekly, and monthly summaries. It’s important to know how appliances, such as firewalls and routers, are working. It’s tempting to dismiss these reports, but they can make your life a lot easier.
These reports give you a heads up if there were any intrusion attempts or if any suspicious activity is occurring on specific interfaces. Suspicious behavior could be malware or viruses. If you don’t check up on these reports then you won’t know what’s going on. If you don’t have any reports set up, then you really don’t know what’s going on.
Critical servers on your network or in the cloud also need to be monitored. As an administrator, you should never be the last to know about a server going offline. This further drives home the need for active monitoring.
Monitoring solutions will send you alerts as soon as anything goes offline. This enables you to start the troubleshooting process from the moment a machine drops off the network. You can use some out of the box solutions, either paid for or free. Or if you are feeling especially creative, you can write your own in PowerShell or Bash.
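If you do go the home-grown route, the detail that matters is alerting on a change of state rather than on every poll, and checking the service port as well as ping, since a server that answers ICMP but not its service is still down for users. This added example, not from the original article, does both; the host names, ports and log path are constructed placeholders, and `Send-Alert` is a stub to replace with your mail or paging tool.

```powershell
# Hosts and the port that proves each one is really serving (constructed sample list)
$targets = @(
    @{ Name = 'dc01.example.local';   Port = 389 }   # assumption: placeholder names and ports
    @{ Name = 'file01.example.local'; Port = 445 }
    @{ Name = 'fw01.example.local';   Port = 443 }
)
$intervalSeconds = 60
$logPath = 'C:\Monitoring\uptime.log'   # assumption: placeholder path
$state   = @{}   # last known status per host, so we alert on transitions, not every poll

function Send-Alert([string]$Message) {
    # Stub: replace with Send-MailMessage, a webhook, or your paging tool of choice
    Write-Warning $Message
}

function Test-Target($t) {
    # Up only if the host answers ping AND accepts a TCP connection on its service port
    $icmp = Test-Connection -ComputerName $t.Name -Count 2 -Quiet
    $tcp  = (Test-NetConnection -ComputerName $t.Name -Port $t.Port `
                -WarningAction SilentlyContinue).TcpTestSucceeded
    return ($icmp -and $tcp)
}

New-Item -ItemType Directory -Path (Split-Path $logPath) -Force | Out-Null
while ($true) {
    foreach ($t in $targets) {
        $up    = Test-Target $t
        $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        $word  = if ($up) { 'UP' } else { 'DOWN' }
        Add-Content -Path $logPath -Value "$stamp $($t.Name):$($t.Port) $word"

        # Unknown previous state counts as UP, so a host that is down on the very
        # first poll still produces an alert
        $prev = if ($state.ContainsKey($t.Name)) { $state[$t.Name] } else { $true }
        if ($prev -ne $up) {
            $event = if ($up) { 'RECOVERED' } else { 'DOWN' }
            Send-Alert "$stamp $($t.Name) is $event (port $($t.Port))"
        }
        $state[$t.Name] = $up
    }
    Start-Sleep -Seconds $intervalSeconds
}
```

Run it as a scheduled task or service from a host that is itself monitored by something else; a monitor nobody watches is the same as no monitor.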
5. Ignoring Best Practices/Compliance Recommendations
If you take the time to perform a security audit, don’t treat it as just another thing to cross off your to-do list. Take the time to review the audit, and whatever you do, don’t ignore recommendations. Put every one of them into action — no matter how small they may seem.
Ignoring recommendations, especially from a security specialist, is not something you want to do, no matter how redundant (or tedious) the action sounds. If you are unclear about something, swallow your pride and ask the auditor. Recommendations and best practices are there for a reason, so follow them. If not, you risk not being in compliance, especially if you work in a heavily regulated sector like finance or healthcare.
Make sure that you have a documented IT security policy for your department, one that spells out the bare minimum requirements for your network setup. Minimum password complexity requirements, password attempt lockouts, and set password expiration timelines are all basic security principles that the policy must cover and that must be followed.
6. No Investment in Training
It’s pretty hard to combat threats if you don’t have the necessary skills. Because hackers are getting more creative and sophisticated, you need to know the latest security trends and best practices. But all too often, it’s easy to put off training. Or worse, not train at all.
If you want to stay ahead of cybercriminals and thwart potential attacks, you need training. While you’re at it, why not get certified? It demonstrates your commitment to ITSec and to keeping your skills up to date. Because IT security is paramount to every org, there’s a heavy demand for certified IT pros.
There are entry-level certs like CompTIA Security+. A step above that could be CCNA Cyber Ops. Yeah, there’s a lot of ITSec training out there, so it’s a mistake not to take advantage of it. Don’t be one of those shops that neglects training. We get it, it’s easy to neglect when you’re running around putting out end-user fires. But it’s a mistake you can’t afford to make.
The Bottom Line
Everyone makes mistakes, so don’t beat yourself up too much if you are guilty of any of the items on the list above. Working with sensitive and valuable information means your systems are bound to attract the wrong kind of attention at some point; it’s just a question of when.
As you hustle to keep your organization’s data safe, don’t forget about the seemingly unimportant small stuff. If you do, you could soon be sweating big time over the small stuff. The good news is a lot of these trip-ups are easy to avoid and don’t take long to address, so be sure to revise your security policies today. You’ll thank yourself later.