Top 5 Worst Security Practices
1. Antivirus scanners will not uncover actual attackers
Hackers put out millions of new malware programs each month, far too many for any single antivirus program to reliably detect. This persists despite claims from nearly every antivirus vendor that they reliably detect 100 percent of the common malware submitted to them. They can show you their multiple awards attesting to their incredible accuracy, but those claims simply do not hold up in practice.
2. Firewalls are not effective
Businesses often put an unrealistic sense of criticality on firewalls, but they are actually becoming less relevant than antivirus software. The vast majority of compromises and breaches don’t start at the firewall; they originate from deceiving end-users into running a forbidden program or circumventing a security practice on their own systems, which bypasses the firewall entirely. Moreover, most malware reaches back to its command and control servers using port 80 or 443, which are almost always open outbound on the firewall.
3. Patch management isn’t happening
Today the top security advice you could give anyone is to patch their systems and applications. All software has multiple vulnerabilities and must be patched. Despite the existence of more than a dozen patch management systems that promise perfect updates, for whatever reason, it appears it can’t be done. Don’t get me wrong: patch management isn’t easy, and it is especially hard for large enterprises, but that doesn’t diminish its importance. The time and money invested in developing a robust patch management solution and process is an order of magnitude cheaper than a breach.
4. The bulk of end-user security awareness sucks
If security awareness training were working, the growing demand for security professionals wouldn’t be nearly as high. Social engineering, which tricks end-users into running malicious programs, is the biggest threat by far. Most end-users readily give up all privacy to any application or social media portal, and they do it without any thought of the fallout, which includes greatly increasing their likelihood of becoming a target and succumbing to social engineering. We have a lot of room for improvement in the area of security awareness.
5. Password strength isn’t enough
“Create a strong password: one that is long, complex, and frequently changed.” Wrong, and taxing on users. Users should instead be educated to create a passphrase, as passphrases are much stronger and proven to be far easier to remember (e.g. the password “Youstilloweme$15forthatDolphin” is just the phrase “You still owe me $15 for that Dolphin”). The traditional motto for strong passwords is often ignored by users, and the bigger problem now is that most hackers don’t care either. They trick an end-user into running a malicious program, get admin access, harvest the password hashes, then reuse those hashes directly. A password hash is a password hash, and one from a strong password looks and behaves no differently than one from a weak password.
The basics work. Good security doesn’t stop with just an anti-virus client and a perimeter firewall. It must encompass a solid knowledge of your environment, your users and the threats arrayed against them. By using a layered approach, organizations are able to better manage security threats.