Lenny Zeltser, noted security researcher and reverse engineering specialist, shared his thoughts on how to suck at security. Lenny put together his cheat sheet of common information security mistakes or practices that he regularly sees by "security experts", so you can avoid making them.
[The idea is that you should do the opposite of what it says below.]
What do you think of this revised list as a starting point for the SMB IT professional?
The List: You might suck at Internet security if you......
- Assume you don't have to worry about security, because your company or client is too small or insignificant.
- Assume you're secure because you haven’t been compromised recently.
- Expect end-users to forgo convenience in place of security.
- Have no DMZ for Internet-accessible servers.
- Assume your patch management process is working, without checking on it.
- Delete logs because they get too big to read.
- Hire somebody just because he or she has a lot of certifications.
- Expect users to remember passwords without writing them down.
- Assume users will read security policy.
- Create security policies you cannot enforce.
- Assume that being compliant means you're secure.
- Assume that policies don't apply to owners or executives.
- Deploy a security product out of the box without tuning it.
- Buy security products without considering maintenance and implementation costs.
- Rely on anti-virus & firewall products without additional user controls.
P.S. Lenny's list is MUCH longer!
0 comments:
Post a Comment