INSIGHT: 23 network security mistakes that could get you fired
- 08 February, 2015 22:51
People are people, and we all make mistakes.
In most cases, it’s how we own up to these mistakes, learn from them and avoid repeating them that counts. Life is full of such learning opportunities.
However, depending on your boss, the impact to your organisation or its customers and the seriousness of the mistake, some can be career-limiting or, even worse, send you back to the job market before you even know it.
David Kelleher, Director of Communications, GFI Software, takes a look at those network security mistakes that could get you fired.
1. IP Any
Setting up a firewall rule that includes IP ANY is basically the same as removing the firewall. Yes, there will be times when this is actually required, but doing it by default is a really bad way to find out how secure your systems are.
It could lead to some interesting opportunities to evaluate your Internet bandwidth, disk storage, backups, and server (re)install capabilities.
2. Anonymous FTP write
Never allow anonymous FTP write. And yet, some of you reading this, someday, probably will. It will be a mistake. You might not even realise that server is Internet accessible.
But someone else will, probably within a couple of minutes of you clicking OK, and the next thing you know you’re hosting current release movies in interesting languages, cracked software and worse.
The only question is which comes first – does your FTP server run out of disk space or does someone send you a cease and desist notice for serving up copyrighted material?
3. Everyone – Full Control
Windows no longer makes this the default permissions applied when sharing data, but far too many admins still grant that permission because they think it reduces support issues or makes it easier for others, or maybe just because they don’t know any better.
Whether it’s inappropriate access or data is deleted, giving everyone full control is being generous to a fault.
4. Unpatched systems
The really scary thing is that most systems are compromised because they are misconfigured or unpatched. Unless it’s a zero-day issue, if one of your systems is compromised due to a missing patch, you’d better have your resume up to date.
If a business lead or your boss tells you that you cannot apply a patch, do two things. Get it in writing and get a date when you can patch, because without the former, you’re going to be the scapegoat should the worst occur.
Without the latter, that system may never get patched and then it’s just a ticking time bomb waiting to go off. And do automate the process with a patch management solution.
5. No antivirus
All systems should have up-to-date antivirus – 100% compliance, 100% of the time. Any admin who shuts off their antivirus and lets malware spread throughout the network should be taught a lesson and serve as a warning to the rest.
6. Expiring certificates
Nothing can wreck your day quite like a certificate expiring on a secure system, and it happens far too often. The average time between a certificate expiring and a critical customer noticing it is 234 milliseconds, and the average time it takes the CIO to hear about this is under five minutes.
Most certificate authorities can renew current certificates in under an hour, but for some reason once the certificate expires it takes them a day and a half. You should regularly check every cert on every system, set calendar reminders for at least two weeks out for any expiring certificate, and renew them before they expire.
Almost all CAs will let you renew early and extend the new cert’s date out to give you more than the block of time. If yours does not, you need to get a new CA.
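A small expiry sweep of the kind recommended here, added as an illustration and not code from the article or from GFI; it assumes the standard-library ssl module for live fetches, a 14-day warning window, and a constructed certificate dict (in the shape getpeercert() returns) for the offline check:

```python
"""Flag certificates that are expired or inside the two-week warning window."""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 14  # two weeks out, as the reminder advice above suggests


def days_until_expiry(cert, now=None):
    """Whole days until the cert's notAfter; cert is a dict in the shape
    ssl.SSLSocket.getpeercert() returns (e.g. 'Mar 10 12:00:00 2015 GMT')."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def classify(cert, now=None, warn_days=WARN_DAYS):
    """Return 'expired', 'expiring' (within warn_days) or 'ok'."""
    left = days_until_expiry(cert, now)
    if left < 0:
        return "expired"
    if left <= warn_days:
        return "expiring"
    return "ok"


def fetch_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate a TLS endpoint presents. Verification is
    left on, so an untrusted chain surfaces as an error, not a silent pass."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_hosts(hosts, now=None):
    """Map each 'host' or 'host:port' string to its status. A host that
    cannot be reached is reported as 'error: ...' so one failure does not
    abort the sweep of every other system."""
    report = {}
    for target in hosts:
        host, _, port = target.partition(":")
        try:
            report[target] = classify(fetch_cert(host, int(port or 443)), now)
        except (OSError, ssl.SSLError) as exc:
            report[target] = f"error: {exc}"
    return report
```

Run check_hosts over the full inventory of TLS endpoints from a scheduled job and page on anything that is not "ok".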
7. Open relay
You don’t have to turn off your email server to stop outbound mail flow. Just configure an open relay and watch as the entire Internet moves to ban you.
Once shunned like a diseased water buffalo, it can take days or even weeks to return things to normal and remove the stain on your company’s reputation. If your organisation cannot send out email they probably cannot conduct business, and someone will be held responsible for that. Don’t be that person.
8. Using default passwords
Search for the phrase “default password list” and see why leaving any system with a default password is asking for trouble – big trouble. You’re not tempting fate, you’re daring fate. Change all default passwords immediately.
9. Using weak passwords
Right behind using default passwords comes using weak ones that can be easily guessed or cracked using dictionary lists. And here’s some food for thought.
If you are using the same password on more than one system or for more than one account, it should be considered weak. Oh, and create different passwords for different systems and accounts.
10. Allowing stale accounts to remain active
Former employees, unneeded service accounts, temp accounts for consultants, contractors or auditors… all of those accounts sitting on your network with privileges to data and systems make tempting targets for attackers.
Inside jobs in particular can take advantage of these because they may already know the account names, perhaps even the passwords and what privileges they have.
Make it policy to review service accounts at least annually, to set expirations on all temporary users and to disable all accounts for every user the moment their employment ends, whether voluntary or involuntary. Leaving accounts live is similar to leaving the door open and waiting for very bad things to happen.
11. Letting servers run out of disk space
What happens when a server runs out of disk space? Nothing. As in, the server no longer does anything. It shuts down. Operating systems log events when they start to run low on space, so even if you aren’t checking your servers, you should be monitoring for events.
Let a server die because there is no more storage space and someone is going to ask what you had been doing, since you obviously weren’t paying attention. That’s not entirely fair, since there are a number of bad things that can cause a server to run out of space very quickly.
12. Losing drives
Drives store data. Drives sometimes need to be shipped from one data centre to another, or portable drives are used to transport large amounts of data from point to point, or sometimes you just want to take a little bit of data with you to work on at home on a thumb drive.
Whatever the reason, should that drive go missing, you could be exposing critically sensitive corporate data, or worse, customer data. Mistakes like that can end careers.
13. Losing tapes
Like drives, losing tapes can spell disaster for an organisation. The scary thing is that tapes go missing all the time. But it’s not data leakage that is so worrying, it’s the fact that missing tapes are often not detected until someone needs to restore something from the backup. Then, you’re left without both the backup tape and the data that it was protecting.
14. No encryption
Whether we’re talking drives or tapes, one of the best things you can do to protect from data leakage is to encrypt everything.
Drive encryption is straightforward, but many don’t want to encrypt tapes because it then takes longer to back up and to restore. Don’t make that mistake. The one thing that could save your job should a device go missing is that it’s encrypted, so whoever finds it won’t be able to get the goods.
15. Not having working backups
Even with encrypted backups and flawless tracking of tapes, backups that cannot be restored are worse than no backups at all, since you’re counting on them, rather than running with the knowledge that you have no backups.
Make sure you test your backups by doing restores on a regular basis to confirm that your backup solution actually works.
16. Losing customer NPI
Drives, tapes, compromised systems or insider jobs – when customer NPI (non-public personal information) is exposed, someone is going to be blamed. If your systems stored that data, and you missed any opportunity to protect that data, the finger will be pointed straight at you.
17. Using unlicensed software
Licensing is no joke and the fines for using unlicensed software can be astronomical. If you are supporting the use of unlicensed software, or are aware of it happening in your organisation without doing anything about it, odds are very good that you’ll be the one fired as part of a settlement with the Business Software Alliance.
Unlicensed software can often carry bonuses too, like malware and Remote Access Trojans (RATs).
18. Email outages
Whether it’s a corrupt database or a failed server, when there’s an email outage, you’re in for a very bad day. Accidents happen and hardware fails, but if you left an open relay and wound up getting your entire company banned by a DNSBL, your days in your current role may well be numbered.
19. No redundancy
The security triad includes confidentiality, integrity and availability. If you have a critical system without redundancy and that system goes down, the service is unavailable and you could well be without job security.
Make sure redundancy is built into everything you deploy, from dual NICs to separate switches, to redundant power supplies, RAID arrays, clustered servers and active/active routers to dual Internet circuits plus myriad other things that help you to dodge the bullets from any single point of failure.
Sure, the boss won’t want to pay for any of that, but if paying for it is cheaper than the costs of downtime it’s a bargain.
20. No disaster recovery plan
Failure to plan is planning for failure. At some point every company is going to experience a disaster. It could be a flood or a cyclone or a fire or a zombie outbreak.
Whatever the disaster, if you don’t have a tested and proven recovery plan, the biggest disaster may hit you even harder.
21. Undetected hacks
Recent studies indicate that the average network penetration occurred eight months before detection. Imagine that: an attacker sitting on your network for months before detection.
What could they find? What could they steal if they are on the network for all that time? With the prevalence of attacks it’s not that they went undetected that you should be concerned with, but what you may have missed.
Those log anomalies that you never followed up or knew about (because you failed to check the logs in the first place). The strange processes that you figured were probably just fine. If you had the opportunity and missed it, your time may be up.
22. Violating the AUP
The Acceptable Use Policy defines what is, and what is not considered appropriate behaviour on the network. As an IT professional you are responsible for knowing this policy and enforcing it.
There is no excuse for violating this policy, and when violators are subject to termination, there are no mitigating factors that will save your job if you cross the line.
23. Violating trust
As an IT professional, regardless of your role, your employer has placed their trust in you. You have access to data that includes customer information, intellectual property, trade secrets, NPI and more.
You also have custodial responsibilities for thousands or even millions of dollars’ worth of systems. Anything you do, whether intentional or just stupid, that violates that trust is a sure way to end an otherwise promising career.
There is no technical solution or best practice here other than to not do anything stupid.
Think twice before you act and avoid any of these face-palm mistakes that could push your career off the rails. There are some great products out there that you can depend on to save your skin when things go wrong.
By David Kelleher, Director of Communications, GFI Software