The Three Most Common Mistakes in IT Security
The most common security mistake organizations make is failing to institutionalize awareness of computer security and to train employees on why it matters. A password does more than record when a user logged on to a machine, and a hardware inventory does more than record who has which laptop and when. Both matter for the security of the entire organization and for regulatory compliance.
For this reason, it is important to foster a proper understanding of the purpose behind computer security; employees frequently see security measures as restrictions rather than as protections. The underlying mistake is valuing hardware over people and failing to recognize the significance of the human factor in securing computers and data. Beyond that, the most common mistakes IT departments themselves make are more specific.
What follows are the three most common mistakes in IT security:
1. Using Default Configurations for Hardware and Software. Installing software or hardware appliances with their default passwords or out-of-the-box settings opens an organization’s IT infrastructure to trivial attack: the defaults are documented by the vendor and therefore known to anyone who cares to look them up.
“If you install a piece of software that has administrative passwords on it, for example, and you don’t change the default passwords and configurations, then anyone who knows what the default configurations or passwords are can access that software or hardware,” said Allen Clarkson, Western Governors University interim program manager and faculty mentor for the IT Program.
Clarkson administers WGU’s security degree, has taught classes on security and has published articles about security.
2. Having a Poorly Implemented or Incoherent Password Policy. Passwords are still the linchpins of user authentication and user-level access control.
“We have other technologies — biometrics, smart cards and whatever else that are becoming more realistic solutions for small and medium-sized organizations — but passwords are still the first step in securing systems,” Clarkson said. “It’s how we know who users are, when they log on and that they have the access they’re supposed to have.”
Poorly designed or poorly enforced password policies, however, can end up exposing networks to easy attacks. Common missteps include failing to articulate a policy for password expiration and failing to enforce best practices for password creation in the systems themselves rather than merely recommending them.
“For example, a password policy may require that you have a combination of lowercase and capital letters, symbols, numerals, that you don’t use words — that sort of thing,” Clarkson said. “If you don’t enforce that policy systematically, if you just sort of suggest it to people, most non-IT people will stick with ‘password’ or ‘letmein’ or their dog’s name or their birth date or whatever.”
But if an IT department enforces a complex password policy without anything in the way of user training, it can lead to an even more profound vulnerability.
“A strong password policy where users have to have very complex passwords may end up creating an even more dangerous situation or defeating the whole purpose because users write down their passwords on a sticky note and stick them right on their screen,” Clarkson said. “The reason that people do that is not because they don’t care what their password is or don’t care about people being able to access the network but simply because the passwords are too complex for them to memorize.”
The key is to enforce a strong password policy through the systems that accept passwords, while training users on how to build one they can memorize, such as spelling a word they will remember with numerals intermingled rather than falling back on a pet’s name or a birth date.
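The following is an added example, not code from the article or from WGU, showing what it means to enforce the policy Clarkson describes systematically rather than suggest it: a password-set hook that checks composition rules (mixed case, digits, symbols), refuses plain dictionary words and the usual fallbacks (‘password’, ‘letmein’), and refuses passwords built from the user’s own pet name or birth date. The blocklist, word list and user profile are constructed for illustration; a real deployment would load a full word list and read profile attributes from the directory.

```python
"""Password-policy enforcer (added example, not the article's or WGU's code).

Implements the rules quoted above and the enforcement step: the check runs in
code at password-set time instead of being left to the user's goodwill.
COMMON_PASSWORDS, DICTIONARY_WORDS and UserProfile data are constructed.
"""
import string
from dataclasses import dataclass, field

# Constructed blocklist: what non-IT users reach for when nothing stops them.
COMMON_PASSWORDS = {"password", "letmein", "123456", "qwerty", "welcome", "admin"}

# Constructed stand-in for a real word list.
DICTIONARY_WORDS = {"password", "summer", "winter", "dragon", "monkey", "football"}


@dataclass
class UserProfile:
    """Attributes the policy must refuse to find inside a password (constructed)."""
    username: str
    pet_names: list = field(default_factory=list)
    birth_date: str = ""  # ISO format YYYY-MM-DD, or empty if unknown


@dataclass
class PasswordPolicy:
    min_length: int = 12
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True


def birth_date_fragments(iso_date):
    """Digit strings a user is likely to embed, e.g. 19850412, 12041985, 120485, 1985."""
    year, month, day = iso_date.split("-")
    return {year + month + day, day + month + year, month + day + year,
            day + month + year[2:], month + day + year[2:], year}


def check_password(password, profile, policy=PasswordPolicy()):
    """Return the list of violated rules; an empty list means the password is accepted."""
    failures = []
    if len(password) < policy.min_length:
        failures.append("too short")
    if policy.require_lower and not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if policy.require_upper and not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        failures.append("no digit")
    if policy.require_symbol and not any(c in string.punctuation for c in password):
        failures.append("no symbol")

    lowered = password.lower()
    letters_only = "".join(c for c in lowered if c.isalpha())
    # 'Password1!' is still 'password' once the decoration is stripped.
    if lowered in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        failures.append("on common-password blocklist")
    if letters_only in DICTIONARY_WORDS:
        failures.append("single dictionary word")

    # Personal attributes: the dog's name and the birth date from the quote above.
    if profile.username and profile.username.lower() in lowered:
        failures.append("contains username")
    if any(pet.lower() in lowered for pet in profile.pet_names):
        failures.append("contains pet name")
    if profile.birth_date and any(
        frag in password for frag in birth_date_fragments(profile.birth_date)
    ):
        failures.append("contains birth date")
    return failures


if __name__ == "__main__":
    user = UserProfile(username="jdoe", pet_names=["Rex"], birth_date="1985-04-12")
    for candidate in ("letmein", "Rex19850412!", "Summer2024!!", "Sunf1ow3r-Tr@in"):
        verdict = check_password(candidate, user) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The last candidate follows the memorability advice above (a remembered word with numerals intermingled) and passes every rule, while the pet-name and birth-date candidates are rejected even though they satisfy the raw complexity requirements, which is the distinction a policy that is merely suggested cannot draw.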