8. Using default passwords
Search for the phrase “default password list” and see why leaving any system with a default password is asking for trouble – big trouble. You’re not tempting fate, you’re daring fate. Change all default passwords immediately.
9. Using weak passwords
Right behind using default passwords comes using weak ones that can be easily guessed or cracked using dictionary lists. And here’s some food for thought.
If you are using the same password on more than one system or for more than one account, it should be considered weak. Oh, and create different passwords for different systems and accounts.
10. Allowing stale accounts to remain active
Former employees, unneeded service accounts, temp accounts for consultants, contractors or auditors… all of those accounts sitting on your network with privileges to data and systems make tempting targets for attackers.
Inside jobs in particular can take advantage of these because they may already know the account names, perhaps even the passwords and what privileges they have.
Make it policy to review service accounts at least annually, to set expirations on all temporary users and to disable all accounts for every user the moment their employment ends, whether voluntary or involuntary. Leaving accounts live is similar to leaving the door open and waiting for very bad things to happen.
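A small account-hygiene check implementing the three policy points above, added here as an example rather than the article's own code; the account records, field names and 365-day review window are assumptions, and a real audit would read the records from the directory instead of an inline list.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Hypothetical account records, constructed for this example (not real data).
@dataclass
class Account:
    name: str
    kind: str                              # "user", "service" or "temp"
    enabled: bool
    last_review: Optional[date] = None     # service accounts: last ownership review
    expires: Optional[date] = None         # temp accounts: mandatory expiry date
    employment_end: Optional[date] = None  # users: separation date from HR, if any

def audit_accounts(accounts: List[Account], today: date,
                   review_days: int = 365) -> List[Tuple[str, str]]:
    """Return (account name, finding) pairs for enabled accounts that break
    the policy: separated users still active, service accounts not reviewed
    within review_days, temp accounts with no expiry or past their expiry."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account is not a live exposure
        if a.kind == "user" and a.employment_end and a.employment_end <= today:
            findings.append((a.name, "active after employment ended"))
        elif a.kind == "service":
            if a.last_review is None or (today - a.last_review).days > review_days:
                findings.append((a.name, "service account not reviewed within policy window"))
        elif a.kind == "temp":
            if a.expires is None:
                findings.append((a.name, "temporary account has no expiry"))
            elif a.expires <= today:
                findings.append((a.name, "temporary account expired but still enabled"))
    return findings

# Constructed sample directory: one clean and one violating account per category.
SAMPLE = [
    Account("jdoe", "user", True, employment_end=date(2024, 5, 15)),
    Account("asmith", "user", True),
    Account("svc_backup", "service", True, last_review=date(2023, 1, 10)),
    Account("svc_web", "service", True, last_review=date(2024, 2, 1)),
    Account("auditor_tmp", "temp", True),
    Account("consult_tmp", "temp", True, expires=date(2024, 3, 31)),
    Account("old_admin", "user", False, employment_end=date(2023, 1, 1)),
]

if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE, date(2024, 6, 1)):
        print(f"{name}: {finding}")
```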
11. Letting servers run out of disk space
What happens when a server runs out of disk space? Nothing. As in, the server no longer does anything. It shuts down. Operating systems log events when they start to run low on space, so even if you aren’t checking your servers, you should be monitoring for events.
Let a server die because there is no more storage space and someone is going to ask what you had been doing, since you obviously weren’t paying attention. That’s not entirely fair, since there are a number of bad things that can cause a server to run out of space very quickly.
12. Losing drives
Drives store data. Drives sometimes need to be shipped from one data centre to another, or portable drives are used to transport large amounts of data from point to point, or sometimes you just want to take a little bit of data with you to work on at home on a thumb drive.
Whatever the reason, should that drive go missing, you could be exposing critically sensitive corporate data, or worse, customer data. Mistakes like that can end careers.
13. Losing tapes
Like drives, losing tapes can spell disaster for an organisation. The scary thing is that tapes go missing all the time. But it’s not data leakage that is so worrying, it’s the fact that missing tapes are often not detected until someone needs to restore something from the backup. Then, you’re left without both the backup tape and the data that it was protecting.
14. No encryption
Whether we’re talking drives or tapes, one of the best things you can do to protect from data leakage is to encrypt everything.
Drive encryption is straightforward, but many don’t want to encrypt tapes because it then takes longer to back up and to restore. Don’t make that mistake. The one thing that could save your job should a device go missing is that it’s encrypted, so whoever finds it won’t be able to get the goods.
15. Not having working backups
Even with encrypted backups and flawless tracking of tapes, backups that cannot be restored are worse than no backups at all, since you’re counting on them, rather than running with the knowledge that you have no backups.
Make sure you test your backups by doing restores on a regular basis to confirm that your backup solution actually works.
16. Losing customer NPI
Drives, tapes, compromised systems or insider jobs – when customer NPI (non-public personal information) is exposed, someone is going to be blamed. If your systems stored that data, and you missed any opportunity to protect that data, the finger will be pointed straight at you.