

10 Common Security Holes

Common security mistakes by IT and business professionals, not just an attacker's expertise, contribute to the success of computer break-ins, the SANS Institute said on 1 June 2000.

The security group released its Top 10 lists of Internet threats and mistakes made by information technology professionals and company executives.

SANS is a think tank that works with system and network administrators and security professionals in government, business and academia to share security information and solutions.

SANS found the 10 worst security mistakes IT people make are:

1. Connecting systems to the Internet before hardening them

2. Connecting test systems to the Internet with default accounts/passwords

3. Failing to update systems when security holes are found

4. Using telnet and other unencrypted protocols for managing systems, routers, firewalls, and PKI

5. Giving passwords over the phone or changing user passwords in response to telephone or personal requests when the requester is not authenticated

6. Failing to maintain and test backups

7. Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, rservices

8. Implementing firewalls with rules that don't stop malicious or dangerous traffic -- incoming or outgoing

9. Failing to implement or update virus-detection software

10. Failing to educate users on what to look for and what to do when they see a potential security problem
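Several of the mistakes above (items 2, 4 and 7 in particular) can be caught by a routine host self-audit. The script below is an added example and is not code from Cipher-IT or from SANS: it takes a netstat-style listing of listening sockets and flags any listener on the well-known ports of the legacy services named in item 7 (ftpd on 21, telnetd on 23, finger on 79, the rpc portmapper on 111, and the rservices rexec/rlogin/rsh on 512-514). The listing embedded in the script is constructed for the example; on a real host you would feed it the output of `netstat -tlnp` or an equivalent tool whose columns match the assumed layout (protocol, recv-q, send-q, local address, foreign address, state, pid/program).

```shell
#!/bin/sh
# Added example: audit a netstat-style listing for the legacy, unencrypted
# or unnecessary services named in the SANS list. Not part of the original
# page; the listing below is constructed, not captured from a real system.

SAMPLE_LISTING='tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 812/ftpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 640/sshd
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 815/telnetd
tcp 0 0 0.0.0.0:79 0.0.0.0:* LISTEN 820/fingerd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 530/rpcbind
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 900/httpd
tcp 0 0 0.0.0.0:513 0.0.0.0:* LISTEN 830/rlogind'

# Well-known ports of the services the list calls out: ftp, telnet, finger,
# rpc portmapper, and the r-services (rexec, rlogin, rsh).
RISKY_PORTS="21 23 79 111 512 513 514"

# risky_listeners LISTING
#   Prints "port pid/program" for every LISTEN line whose local port is in
#   RISKY_PORTS. Assumed column layout: proto recvq sendq local foreign state prog.
risky_listeners() {
    printf '%s\n' "$1" | awk -v risky="$RISKY_PORTS" '
        BEGIN { n = split(risky, p, " "); for (i = 1; i <= n; i++) bad[p[i]] = 1 }
        $6 == "LISTEN" {
            # Local address is host:port; take the last colon-separated field
            # so IPv6 addresses such as :::23 are handled too.
            m = split($4, a, ":"); port = a[m]
            if (port in bad) print port, $7
        }'
}

# count_risky LISTING
#   Number of risky listeners; non-zero means the host fails this check.
count_risky() {
    risky_listeners "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed listing.
risky_listeners "$SAMPLE_LISTING"
echo "risky listeners: $(count_risky "$SAMPLE_LISTING")"
```

Against the constructed listing the audit reports ftpd, telnetd, fingerd, rpcbind and rlogind and leaves sshd and httpd alone, which is the expected split: the encrypted replacements (ssh for telnet and the rservices, sftp or https for ftp) stay, the cleartext services are candidates for removal. Running `count_risky "$(netstat -tlnp)"` from a scheduled job and alerting when the result is non-zero turns item 7 into a recurring check rather than a one-off fix, which is the operational follow-through the executive list below asks for.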

Mistakes by senior executives also add to security vulnerabilities, SANS said, including:

1. Assigning untrained people to maintain security and providing neither the training nor the time to learn and do the job

2. Failing to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security

3. Failing to deal with the operational aspects of security -- making a few fixes and then not allowing the follow-through necessary to ensure the problems stay fixed

4. Relying primarily on a firewall

5. Failing to realize how much money their information and organizational reputations are worth

6. Authorizing reactive, short-term fixes so problems re-emerge rapidly

7. Pretending the problem will go away if ignored

IT security is not just a technological issue; it should be a key business objective. With the growth in e-commerce, security may provide a real competitive advantage.


Please feel free to email us - support@cipher-it.co.uk

Images and content are copyright to Cipher-IT Ltd

Site designed by Cipher-IT Ltd