I just came across an article that I wanted to discuss. The article is titled “10 security mistakes that will get you fired”, written by Roger A. Grimes. I have known too many sysadmins and IT security specialists who have committed at least one of these huge mistakes. I’ll cover the highlights here, with a link below as well.
Mistake #1 Killing Business Functionality
Although network security is job one to an IT professional, it is not to the company you are working for. Closing down critical business information systems while trying to remediate an intrusion can land you in hot water with management. Just assume management will believe the loss of business systems outweighs the cost of ridding the system of the bad guys.
Mistake #2 Don’t Mess with the CEO
This happened to me personally in my career: I was a GoldMine Software partner working at a software company, and I installed an upgrade on the CEO’s PC. The mere act of me being in her office after hours almost lost us the contract. I have seen sysadmins crank down internet access to the point the CEO couldn’t access certain sites. They lost their jobs over it.
Mistake #3 Ignoring Critical Events
Target’s security software detected the trojan on its systems. The IT department deemed the event log message a false positive. Event logs are huge, and I am sure most if not all of us have looked at those logs and thought, OMG, this will take forever. Make sure to define the critical events that are most likely attributable to malicious software.
Mistake #4 Reading Confidential Data
I know sysadmins who have admitted to reading emails from the owner or CEO of their companies. They are actually proud of the snooping they are doing. All I have to say is it’s both morally and legally wrong, and you deserve to have your ass fired for it.
Mistake #5 Invading Privacy
The author gives the story of how a sysadmin at a hospital learned a celebrity was staying there. He ran a SQL query and let others view the celeb’s records. He deserved to be canned for that.
Mistake #6 Using Real Data in Test Systems
Most of us have done this and probably still do. For example, when rolling out a new CRM system I would grab data from the old system for testing. I never once thought about privacy or about accessing information that I shouldn’t have. To be safe, use bogus data.
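One practical way to follow the “use bogus data” advice without losing the shape of the data is to pseudonymise the export before it ever reaches the test system. The script below is an added example written for this post, not code from the article or from any CRM product; the sample rows, the field names and the `PSEUDONYM_KEY` placeholder are all constructed assumptions. Duplicate customers and foreign keys still line up in test because the same real value always maps to the same fake one, but the real names, emails and phone numbers never leave production.

```python
"""Pseudonymise a CRM export before loading it into a test system.

Added example (not from the article): real customer rows are replaced
by consistent but fake values so joins and duplicate detection still
work in test, while the production values themselves are not copied.
"""
import hashlib
import hmac
import re

# Constructed sample rows, shaped like a small CRM export (assumption).
PROD_ROWS = [
    {"id": 101, "name": "Alice Example", "email": "alice@example.com",
     "phone": "555-0101", "notes": "Prefers email"},
    {"id": 102, "name": "Bob Example", "email": "bob@example.com",
     "phone": "555-0102", "notes": "Call after 5pm"},
    {"id": 103, "name": "Alice Example", "email": "alice@example.com",
     "phone": "555-0101", "notes": "Duplicate record, merge with 101"},
]

# Placeholder secret. In practice it lives with the production side only,
# so nobody with access to the test system can rebuild the mapping.
PSEUDONYM_KEY = b"replace-with-key-from-vault"


def pseudonym(value: str, field: str, length: int = 10) -> str:
    """Deterministic token: the same input always yields the same token,
    so duplicates and references survive, but the input cannot be
    recovered from the token without the key."""
    msg = f"{field}:{value}".encode()
    digest = hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()
    return digest[:length]


def scrub_row(row: dict) -> dict:
    """Return a copy of one record with every personal field replaced."""
    out = dict(row)
    out["name"] = "Customer " + pseudonym(row["name"], "name", 6)
    # .invalid is reserved, so test mail can never reach a real mailbox.
    out["email"] = f"user-{pseudonym(row['email'], 'email')}@test.invalid"
    # Keep the format (so validation and UI code is exercised), drop the digits.
    out["phone"] = re.sub(r"\d", "0", row["phone"])
    # Free-text fields are where personal data hides; replace, don't clean.
    out["notes"] = "[redacted]"
    return out


def scrub(rows: list[dict]) -> list[dict]:
    return [scrub_row(r) for r in rows]


def leaks_production_values(scrubbed: list[dict], prod: list[dict],
                            fields=("name", "email", "phone")) -> bool:
    """Sanity check before shipping the test copy: no value from the
    production export may appear in any of the personal fields."""
    real = {r[f] for r in prod for f in fields}
    return any(r[f] in real for r in scrubbed for f in fields)


if __name__ == "__main__":
    test_rows = scrub(PROD_ROWS)
    for r in test_rows:
        print(r)
    print("leaks production values:", leaks_production_values(test_rows, PROD_ROWS))
```

The `leaks_production_values` check is the part worth keeping in a real pipeline: run it over the output every time, so a new column added to the export cannot quietly reintroduce live customer data into test.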
Mistake #7 Using Corporate Passwords on the Web at Large
It’s amazing the number of people who use the same credentials at work as they do on Facebook or their personal Gmail. The same people fall prey to phishing scams as well. Make sure employees understand the risk of sharing passwords.
Mistake #8 Opening Big Any Any Holes
How many times have you set a firewall to allow all traffic and block none while troubleshooting an application that’s not working properly? Now, after you got things working, did you set it back? Most people don’t. You could get fired for this someday.
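The “did you set it back?” question is one a script can ask for you. Below is an added example, written for this post and not taken from the article, that reads a ruleset in the text format `iptables-save` produces and flags any ACCEPT rule with no meaningful restriction, which is exactly what a troubleshooting rule looks like once it has been forgotten. The ruleset itself is constructed; the rule format is the real `iptables-save` syntax, but the heuristic for what counts as a narrowing match is an assumption of this example.

```python
"""Flag firewall rules that accept traffic from anywhere to anywhere.

Added example (not from the article): parses iptables-save style lines
and reports ACCEPT rules that carry no useful restriction, i.e. the
"any any" holes left behind after troubleshooting.
"""
import shlex

# Constructed ruleset in iptables-save format. The last two rules are the
# kind of thing that gets added while debugging an application and then
# never removed.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
-A INPUT -m comment --comment "temp while debugging app" -j ACCEPT
COMMIT
"""

# Addresses that match everything; an absent -s/-d means the same thing.
UNRESTRICTED = {"0.0.0.0/0", "::/0", "0.0.0.0", "::"}

# Options that narrow a rule enough that it is not an any/any hole
# (assumption of this example; extend for your own matches).
NARROWING = {"-p", "--dport", "--sport", "--ctstate"}


def parse_rule(line: str) -> dict:
    """Turn one '-A CHAIN ...' line into {option: [values]}.
    Flags without an argument get an empty string as their value."""
    tokens = shlex.split(line)  # keeps quoted --comment text as one token
    opts: dict = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        has_arg = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        if tok.startswith("-") and has_arg:
            opts.setdefault(tok, []).append(tokens[i + 1])
            i += 2
        else:
            opts.setdefault(tok, []).append("")
            i += 1
    return opts


def is_any_any(opts: dict) -> bool:
    """True for an ACCEPT rule whose source and destination are unrestricted
    and which carries no protocol, port or connection-state match."""
    if opts.get("-j") != ["ACCEPT"]:
        return False
    if opts.get("-i") == ["lo"]:  # loopback accept is the normal case
        return False
    src = opts.get("-s", ["0.0.0.0/0"])[0]
    dst = opts.get("-d", ["0.0.0.0/0"])[0]
    if src not in UNRESTRICTED or dst not in UNRESTRICTED:
        return False
    return not any(opt in opts for opt in NARROWING)


def audit(ruleset: str) -> list[tuple[int, str, str]]:
    """Return (line number, chain, rule text) for every any/any accept."""
    findings = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        if not line.startswith("-A "):
            continue  # table headers, chain policies, COMMIT
        opts = parse_rule(line)
        if is_any_any(opts):
            findings.append((n, opts["-A"][0], line))
    return findings


if __name__ == "__main__":
    for n, chain, rule in audit(SAMPLE_RULES):
        print(f"line {n} ({chain}): {rule}")
```

Run it against `iptables-save` output on a schedule and treat any finding as a ticket; the rule with the "temp while debugging" comment is the one people intend to remove, and the bare FORWARD rule is the one nobody remembers adding.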
Mistake #9 Not Changing Passwords
I know users are loath to change their passwords, and sysadmins are pretty much the same, although their case is more complicated. I know that in my experience admin passwords get shared around to the point they are useless. Change admin and service account passwords regularly and frequently.
Mistake #10 Crying Wolf!
One of my most popular products is GFI LanGuard. Upon an initial scan, sysadmins will generally see many vulnerabilities show up on the report. To the untrained it might look like the sky is falling, because many of these vulnerabilities look pretty scary. The reality is most of them are pretty benign. But if you’re a sysadmin who sees every new threat as a huge problem for your company, sooner or later you won’t be taken seriously even when you’re right.
Bonus:
Mistake #11 The God Complex
Repeat after me: the network is not your personal playground or kingdom. It is there to provide services to the company and its customers. Do not abuse your position to make life more difficult for others, snoop on others, or collect data on others. Treat users with respect, not as the problem. After all, you wouldn’t have a job without them!
#5 isn't just bad ethics, it's a HIPAA violation - which could result in *big* fines.
Yes of course.