<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:series="http://unfoldingneurons.com/"
	>

<channel>
	<title>SimonStapleton.com &#187; information security</title>
	<atom:link href="http://www.simonstapleton.com/wordpress/tag/information-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.simonstapleton.com/wordpress</link>
	<description>I Help You Become a Higher Performer, Get Promoted, and Better Paid</description>
	<lastBuildDate>Sat, 04 Feb 2012 16:29:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>The 12 Dumbest Mistakes Network Managers Make</title>
		<link>http://www.simonstapleton.com/wordpress/2009/07/12/the-12-dumbest-mistakes-network-managers-make/</link>
		<comments>http://www.simonstapleton.com/wordpress/2009/07/12/the-12-dumbest-mistakes-network-managers-make/#comments</comments>
		<pubDate>Sun, 12 Jul 2009 19:18:57 +0000</pubDate>
		<dc:creator>Simon</dc:creator>
				<category><![CDATA[Freelancer]]></category>
		<category><![CDATA[Leader]]></category>
		<category><![CDATA[Professional]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[network manager]]></category>

		<guid isPermaLink="false">http://www.SimonStapleton.com/wordpress/?p=2090</guid>
		<description><![CDATA[What are the 12 stupidest gaffes a network manager can make? More to the point, have you made one, or experienced one yourself? See if you recognize any of these clangers. Data-security breaches are front-page news now, and any company whose name appears in them is going to suffer. CIOs won&#8217;t tolerate [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>What are the 12 stupidest gaffes a network manager can make? More to the point, have you made one, or experienced one yourself? See if you recognize any of these clangers.</strong></p>
<p><span id="more-2090"></span> Data-security breaches are front-page news now, and any company whose name appears in them is going to suffer. CIOs won&#8217;t tolerate seeing their name emblazoned on these stories, especially when accountability lands on the head of the network manager. Here are twelve common, totally dumb mistakes that network managers should know better than to allow on their systems.</p>
<p>The first ten of these I found in a good article by <strong>Carolyn Duffy Marsan</strong> on <a href="http://www.cio.com/article/496577/The_Dumbest_Mistakes_Network_Managers_Make?page=1&amp;taxonomyId=1419"><strong>CIO.COM</strong></a>, which draws on research recently completed and published by <a href="http://newscenter.verizon.com/press-releases/verizon/2009/verizon-business-2009-data.htm"><strong>Verizon</strong></a>, based on 285 million compromised records.</p>
<p><em>Yes, that&#8217;s 285,000,000 compromised records</em>. Wow.</p>
<p>I added two more (11 &amp; 12) that I didn&#8217;t see in the original list but have to include, as in my experience they are equally disastrous.</p>
<p><img style="border: 0pt none; margin: 5px; float: right;" title="The 12 Dumbest Mistakes Network Managers Make" src="http://www.simonstapleton.com/wordpress/wp-content/uploads/2009/07/networkengineerrouter.jpg" alt="The 12 Dumbest Mistakes Network Managers Make" width="250" /></p>
<ol>
<li><strong>Not changing the default passwords on all network devices &#8211; </strong> it&#8217;s gob-smacking how many devices are installed on networks without their admin passwords being changed. Maybe vendors should not build in default passwords at all? Rather, setting a unique one should be a mandatory installation step, and the device should refuse to function until it is done.</li>
<li><strong>Sharing a password across multiple network devices &#8211; </strong> this is just like the above, except that the &#8216;default&#8217; is one used across and within the organization. It&#8217;s done for convenience, but once a technician or hacker gets access to one device, then heck, they&#8217;ve got access to them all!</li>
<li><strong>Failing to find SQL coding errors &#8211; </strong> the dreaded &#8216;<a href="http://en.wikipedia.org/wiki/SQL_injection">SQL injection</a>&#8217; is the most common vulnerability: application code builds a query by splicing in untrusted input, so an attacker can change the query and run statements of their own against your database. Thing is, this is a long-known issue with well-documented solutions, parameterized queries first among them. It&#8217;s unthinkable to leave your database open to such attacks, but it is still prevalent. Any network manager who doesn&#8217;t close them down should be shot.</li>
<li><strong>Misconfiguring your access control lists &#8211; </strong> often the result of lazy or inexperienced engineering. Network equipment should only be allowed to talk to other systems where there is a business reason to do so; everything else should be denied by default.</li>
<li><strong>Allowing nonsecure remote access and management software &#8211; </strong> in this age, unencrypted or poorly authenticated remote access is suicide!</li>
<li><strong>Failing to test noncritical applications for basic vulnerabilities &#8211; </strong> your security is only as strong as the weakest component on the network. A lot of focus goes on making the public-facing applications, such as the web site, bullet-proof, but less attention is given to the noncritical ones. In an inter-networked environment, though, any vulnerability will be exploited at some point, and a foothold on a &#8216;noncritical&#8217; system is a stepping stone to the critical ones. Network managers must insist that ALL components are tested for vulnerabilities, not just the critical ones. If the money-men don&#8217;t like it, then remind them about the cost of failure!</li>
<li><strong>Not adequately protecting your servers from malware &#8211; </strong> intrusion-detection systems should run on all servers, not just those that hold sensitive data. Malware is smart, and often goes undetected by signature-based anti-virus software.</li>
<li><strong>Failing to configure your routers to prohibit unwanted outbound traffic &#8211; </strong> most of the attention goes on preventing unwanted <strong>inbound </strong> traffic, but what about <a href="http://en.wikipedia.org/wiki/Egress_filtering">filtering <strong>outbound </strong> traffic</a>? If malware finds its way onto one of your servers, it will start sending traffic of its own, to call home, to exfiltrate data or to attack other systems, unless you prevent it. A mail server should send just mail traffic (plus the DNS lookups it needs to deliver it). So allow it only to do this, and deny everything else by default.</li>
<li><strong>Not knowing where credit card or other critical customer data is stored &#8211; </strong> if your data is spread across your network and you don&#8217;t know exactly where, then you&#8217;re in for trouble. If you can&#8217;t locate the data, you can&#8217;t protect it! That includes the copies that end up in exports, backups and log files, not just the database it was designed to live in.</li>
<li><strong>Not following the <a href="https://www.pcisecuritystandards.org/">Payment Card Industry Data Security Standard</a> &#8211; </strong> if you&#8217;re the &#8216;standards-shmandards&#8217; type, then you&#8217;re putting yourself at risk. Nobody has lost their job for following standards (well, the right ones, anyway). These standards exist because they codify best practice. Why take an unnecessary risk by ignoring them?</li>
<li><strong>Not accounting for human factors &#8211; </strong> rigorous security measures often mean that your people have to do more to work with them, often at their inconvenience. Frequent password changes, for example, mean that people must remember what their new password is. So what happens? People write them down, or do something equally dumb. Remember, too much rigor too quickly can mean that people don&#8217;t cope with it and totally destroy your efforts by creating different vulnerabilities like this.</li>
<li><strong>Assuming the threat is restricted to sources outside of your network boundary &#8211; </strong> especially when it&#8217;s long been known that a large share of breaches involve insiders or trusted partners who already have access. Almost all human endeavor is based on trust somewhere along the line, but too much trust in your people means too much risk. Smart network managers apply as much focus to internal security measures as they do to the external environment.</li>
</ol>
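<p>Mistake 3 in working code, as an added example that is not from the original post or the CIO.COM article: a Python login check against an in-memory SQLite table of constructed users, with the injectable version beside the parameterised fix. The username payload <code>alice' --</code> closes the string literal and comments out the rest of the WHERE clause, so the vulnerable version never checks the password; the fixed version hands the same bytes to the driver as a value, and no such user exists.</p>

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the demonstration (not data from the post).

    Passwords are kept in clear only to keep the injection example short; a real
    system stores salted password hashes, which does not change the injection point.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The 'before': untrusted input is spliced into the SQL text, so the input can
    change the shape of the query.  Returns (username, role) or None."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchone()


def login_parameterised(conn: sqlite3.Connection, username: str, password: str):
    """The fix: the query text is a constant and the values are bound parameters.
    The database driver never interprets the values as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Classic payload: the quote closes the string literal and '--' comments out the
# rest of the WHERE clause, so the password is never compared.
INJECTION_USERNAME = "alice' --"


def demo() -> dict:
    """Run both versions with the payload and a wrong password, plus a legitimate login."""
    conn = build_db()
    return {
        "vulnerable": login_vulnerable(conn, INJECTION_USERNAME, "wrong"),
        "parameterised": login_parameterised(conn, INJECTION_USERNAME, "wrong"),
        "legitimate": login_parameterised(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:13s} -> {row}")
```

<p>The vulnerable path returns the admin row for a password that is wrong; the fix returns nothing. The placeholder syntax differs by driver (<code>?</code> for sqlite3, <code>%s</code> for psycopg2) but the discipline is the same: never build the SQL text from input. Pair it with a database account that has only the rights the application needs, so that a query an attacker does manage to alter cannot read or drop what it should never touch.</p>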
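<p>Mistakes 4 and 8 as a check you can run, again an added example rather than anything from the post: a hypothetical per-host egress allowlist (host names and addresses are made up), a parser for constructed connection-log lines, an audit that lists the connections the policy would have blocked, and the same policy rendered as iptables OUTPUT rules that end in a default drop. The mail server is allowed SMTP and DNS only; its IRC connection, the web server&#8217;s connection to port 4444, and anything from a host with no policy at all are flagged.</p>

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str     # internal host that opened the connection
    dst: str     # destination address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


# Hypothetical per-host egress allowlist (the host names are made up for this example):
# the (protocol, port) pairs each host is permitted to reach.  A host that is absent
# may send nothing at all; default deny is the whole point of egress filtering.
EGRESS_POLICY: Dict[str, Set[Tuple[str, int]]] = {
    "mail01": {("tcp", 25), ("tcp", 587), ("tcp", 53), ("udp", 53)},  # SMTP plus the DNS it needs
    "web01": {("tcp", 443), ("udp", 53)},                              # outbound API calls plus DNS
}


def is_allowed(flow: Flow, policy: Dict[str, Set[Tuple[str, int]]] = EGRESS_POLICY) -> bool:
    return (flow.proto, flow.dport) in policy.get(flow.src, set())


def parse_log(text: str) -> List[Flow]:
    """Parse 'key=value' connection records of the kind a firewall or NetFlow
    collector emits.  Lines that lack a field or carry a non-numeric port are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        try:
            flows.append(Flow(fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"])))
        except (KeyError, ValueError):
            continue
    return flows


def audit(flows: List[Flow], policy=EGRESS_POLICY) -> List[Flow]:
    """Return the outbound connections that the policy would have blocked."""
    return [f for f in flows if not is_allowed(f, policy)]


def iptables_rules(host: str, policy=EGRESS_POLICY) -> List[str]:
    """Render one host's allowlist as an iptables OUTPUT chain: replies to
    connections that were allowed in, the permitted destinations, then drop."""
    rules = ["iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    rules += [f"iptables -A OUTPUT -p {proto} --dport {port} -j ACCEPT"
              for proto, port in sorted(policy.get(host, set()))]
    rules.append("iptables -P OUTPUT DROP")
    return rules


# Constructed sample log, not from the original post.  The third and fifth lines are
# the kind of thing a compromised server does: an IRC command channel and a reverse
# shell.  The sixth comes from a host nobody wrote a policy for.
SAMPLE_LOG = """\
2009-07-12T19:18:57Z src=mail01 dst=203.0.113.25 proto=tcp dport=25
2009-07-12T19:18:58Z src=mail01 dst=198.51.100.53 proto=udp dport=53
2009-07-12T19:19:02Z src=mail01 dst=198.51.100.7 proto=tcp dport=6667
2009-07-12T19:19:05Z src=web01 dst=203.0.113.9 proto=tcp dport=443
2009-07-12T19:19:09Z src=web01 dst=203.0.113.9 proto=tcp dport=4444
2009-07-12T19:19:11Z src=db01 dst=198.51.100.99 proto=tcp dport=443
this line is malformed and is skipped
"""


if __name__ == "__main__":
    for flow in audit(parse_log(SAMPLE_LOG)):
        print(f"BLOCKED  {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
    print("\n".join(iptables_rules("mail01")))
```

<p>Run against real firewall or NetFlow exports, the audit shows which rules a default-deny egress policy would have fired, before you turn it on; the generated rule set is per host, which is what makes &#8216;a mail server sends only mail&#8217; enforceable rather than aspirational.</p>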
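<p>Mistake 9 calls for a way to find cardholder data wherever it has leaked to, so here is an added example (not from the post) of a scanner over constructed text: a regular expression picks out runs of 13 to 19 digits with optional space or hyphen separators, and the Luhn checksum that every card number satisfies then throws out order numbers, phone numbers and mistyped values. Hits are reported by line with the number masked to the first six and last four digits, which is what PCI DSS permits to be displayed. The card numbers in the sample are the public Visa and Mastercard test numbers, not real accounts.</p>

```python
import re
from typing import List, Tuple

# Runs of 13 to 19 digits, optionally separated by single spaces or hyphens, that are
# not part of a longer digit run.  This deliberately over-matches; the Luhn check
# below removes order numbers, timestamps and mistyped values.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812), which every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, pan) for every Luhn-valid candidate in the text."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((lineno, digits))
    return hits


def mask(pan: str) -> str:
    """First six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def report(text: str) -> List[str]:
    """Human-readable findings that never repeat the full number."""
    return [f"line {lineno}: {mask(pan)}" for lineno, pan in find_pans(text)]


# Constructed sample: a CSV export, an application log line, a mistyped number and
# a phone number.  4111... and 5555... are the public Visa/Mastercard test numbers.
SAMPLE_TEXT = """\
order_id,customer,card,amount
1234567890123456,alice,4111 1111 1111 1111,19.99
2009-07-12 19:18:57 INFO refund to 5555-5555-5555-4444 approved
typo'd number 4111111111111112 should not count
phone 01234 567890
"""


if __name__ == "__main__":
    for finding in report(SAMPLE_TEXT):
        print(finding)
```

<p>Point it at file shares, log directories and database dumps rather than just the payment database, because that is where the unknown copies live. The Luhn check is a filter, not proof: a random 16-digit number passes it one time in ten, so treat hits as leads to confirm, and never write the unmasked number into the scan report.</p>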
<h2>Made Any of These Mistakes?</h2>
<p>If you have made any of these mistakes, how did you feel about it, and did you learn to put it right? What were the consequences to you? Share YOUR story&#8230;</p>
<p>&copy;2012 <a href="http://www.simonstapleton.com/wordpress">SimonStapleton.com</a>. All Rights Reserved.</p>]]></content:encoded>
			<wfw:commentRss>http://www.simonstapleton.com/wordpress/2009/07/12/the-12-dumbest-mistakes-network-managers-make/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Do Your Bosses Think You Web-Two-O Too Much?</title>
		<link>http://www.simonstapleton.com/wordpress/2009/05/07/do-your-bosses-think-you-web-two-o-too-much/</link>
		<comments>http://www.simonstapleton.com/wordpress/2009/05/07/do-your-bosses-think-you-web-two-o-too-much/#comments</comments>
		<pubDate>Thu, 07 May 2009 12:10:26 +0000</pubDate>
		<dc:creator>Simon</dc:creator>
				<category><![CDATA[Leader]]></category>
		<category><![CDATA[Professional]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[social networking]]></category>
		<category><![CDATA[web2.0]]></category>

		<guid isPermaLink="false">http://www.SimonStapleton.com/wordpress/?p=1927</guid>
		<description><![CDATA[Is Web2.0 a drain on your productivity? The explosive use of LinkedIn, Facebook and MySpace has pushed some companies to reevaluate their electronic-use policies. Some organizations have banned social-networking tools completely over concerns about a drop in productivity as well as data security. Has this happened in your workplace? Let&#8217;s be honest, there is something inherently [...]]]></description>
			<content:encoded><![CDATA[
<h2>Is Web2.0 a drain on your productivity?</h2>
<p>The explosive use of LinkedIn, Facebook and MySpace has pushed some companies to reevaluate their electronic-use policies. Some organizations have banned social-networking tools completely over concerns about a drop in productivity as well as data security.</p>
<p>Has this happened in your workplace?</p>
<p><span id="more-1927"></span></p>
<p>Let&#8217;s be honest, there is something inherently addictive about social networking. <a href="http://www.cio.com/article/189300/Banning_Social_Networks_a_Losing_Battle"><strong>CIO.COM</strong> reports</a> (quoting Mark Lappin, IT Director of Lee Michaels Fine Jewelry) that some employees were spending 4-5 hours per day on it &#8211; quite possibly an exaggerated or worst-case claim, but I believe it possible. Even if it&#8217;s a half or a quarter of that, this still creates a massive drag on an organization&#8217;s output.</p>
<p>Even if its use were kept to a minimum, it would still present a data-security risk. Attackers have refocused their energies on spreading malware and scams across these services, resulting in compromised workstations and networks. Also <a href="http://www.cio.com/article/491863/Can_Social_Networking_Be_Secure_at_Work_">reported on CIO.COM</a>, David Lavenda (a vice president at WorkLight) claims that email is in a steady state as far as attacks go, but social-networking tools present real opportunities to the villains out there, presumably because the tools for preventing such attacks are still immature.</p>
<p>This presents a dilemma for CIOs and employees alike. How do organizations let their employees connect and communicate securely for genuine business purposes without opening the floodgates to loafing and abuse?</p>
<p>One answer is a solution that each and every one of us takes responsibility for. That is, we use these tools responsibly: we limit our use to genuine business activities, including building relationships, comply with acceptable-use policies, and follow savvy practices to avoid malware (don&#8217;t follow unexpected links, don&#8217;t install &#8216;apps&#8217; you haven&#8217;t vetted, don&#8217;t reuse your corporate password). Easier said than done. But if we take that responsibility seriously, then we create the best opportunity to avoid a management backlash that shuts these tools down.</p>
<p>I have encouraged the adoption of these tools many times over. They bring genuine business advantage as well as personal benefit (job-hunting, for instance), yet I have to encourage responsible use, as we all do.</p>
<p>If we don&#8217;t, then it will be taken away!</p>
<p>So do you web-two-o too much? And more importantly, would your boss agree?</p>
<p>&copy;2012 <a href="http://www.simonstapleton.com/wordpress">SimonStapleton.com</a>. All Rights Reserved.</p>]]></content:encoded>
			<wfw:commentRss>http://www.simonstapleton.com/wordpress/2009/05/07/do-your-bosses-think-you-web-two-o-too-much/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Can You Afford the Cloud?</title>
		<link>http://www.simonstapleton.com/wordpress/2008/07/15/can-you-afford-the-cloud/</link>
		<comments>http://www.simonstapleton.com/wordpress/2008/07/15/can-you-afford-the-cloud/#comments</comments>
		<pubDate>Tue, 15 Jul 2008 07:16:11 +0000</pubDate>
		<dc:creator>Simon</dc:creator>
				<category><![CDATA[All Featured Articles]]></category>
		<category><![CDATA[Leader]]></category>
		<category><![CDATA[Professional]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[information security]]></category>

		<guid isPermaLink="false">http://www.SimonStapleton.com/wordpress/?p=130</guid>
		<description><![CDATA[Cloud Computing, where the architecture of your technology estate is based upon the integration of third-party technologies and services, is gaining momentum in the industry. It&#8217;s a natural extension of outsourcing, where an organization uses technology within its own physical boundary (i.e. its data-center) but the technology is owned and operated by the vendor. The [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>Cloud Computing, where the architecture of your technology estate is based upon the integration of third-party technologies and services, is gaining momentum in the industry. </strong></p>
<p>It&#8217;s a natural extension of outsourcing, where an organization uses technology within its own physical boundary (i.e. its data-center) but the technology is owned and operated by the vendor. Organizations take this up because they believe it has economic benefits, and the reason is that the technology is &#8216;metered&#8217;, i.e. used on demand. It also means your organization doesn&#8217;t have to hold assets and worry about capital. You just pay for what you use. It&#8217;s also based around the service catalog, so it fits the philosophy of ITIL too. Cool.</p>
<p>Maybe not so cool. One of the big downsides is data protection. With this model it&#8217;s really tough to keep control of your data. Not only is there the risk that third parties can access it and potentially use it for purposes outside your knowledge and control, it also creates a headache with regulation. Currently, protection rests on contractual grounds. But is this enough? Security standards haven&#8217;t kept up with this trend and, in my experience, they are woefully out of date.</p>
<p>So the question is whether you can really afford the cloud if you can&#8217;t prevent unauthorized access to your data, which in the long run will be far more expensive to your business in terms of regulatory breaches or reputational damage. The remedy is to separate the application and technology from the data.</p>
<p>There are vendors who have clocked this and are developing products to capture the market for that conceptual solution. One is <a href="http://www.vormetric.com/" target="_blank">Vormetric</a>, who offer a product suite that secures the data itself, independently of the controls on the application that accesses it. The principle is that your cloud-computing partners can supply and manage the application, yet the data is secured and encrypted so that only your employees can use it. Now this is cool.</p>
<p>But it won&#8217;t just be about encrypting data, thank-you-very-much. I expect IT organizations will have to take a serious look at their software methodologies and development life-cycle to ensure the concept beds in. It needs to be principle-based and considered at the start of a development, not bolted on at the end. The Vormetric product, however, does allow you to build on existing applications and infrastructure.</p>
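<p>The separation the previous two paragraphs describe, as an added example that is not Vormetric&#8217;s product or any code from the original post: the provider operates a store that only ever holds opaque records, while the customer keeps the key and seals every record before it leaves. The construction is encrypt-then-MAC using HMAC-SHA256 both as a counter-mode keystream and as the authentication tag, chosen only so that the example runs on the Python standard library; in production you would use AES-GCM from a vetted library and a proper key-management service. A provider-side administrator who reads the store sees ciphertext, and one who alters a byte is caught at unseal time.</p>

```python
import hashlib
import hmac
import secrets
from typing import Dict

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the customer's master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib-only stand-in for AES-GCM)."""
    blocks = [
        hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def seal(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC.  Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)                      # fresh per record, never reused
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(master: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; any change or wrong key raises."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered record")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def verify(master: bytes, blob: bytes) -> bool:
    """True if the record is intact under this key, without returning the plaintext."""
    try:
        unseal(master, blob)
        return True
    except ValueError:
        return False


class ProviderStore:
    """The part the cloud provider runs.  It stores and returns opaque records and
    never sees the key, so a provider-side administrator can copy or alter the
    records but can neither read them nor alter them undetected."""

    def __init__(self) -> None:
        self._rows: Dict[str, bytes] = {}

    def put(self, record_id: str, blob: bytes) -> None:
        self._rows[record_id] = blob

    def get(self, record_id: str) -> bytes:
        return self._rows[record_id]

    def rogue_admin_flips_a_bit(self, record_id: str) -> None:
        """Simulates tampering on the provider side: one ciphertext bit is changed."""
        blob = bytearray(self._rows[record_id])
        blob[NONCE_LEN] ^= 0x01
        self._rows[record_id] = bytes(blob)


if __name__ == "__main__":
    customer_key = secrets.token_bytes(32)                      # held by the customer only
    store = ProviderStore()
    store.put("cust-42", seal(customer_key, b"Alice, card 4111111111111111"))
    print("customer reads:", unseal(customer_key, store.get("cust-42")))
    print("provider sees :", store.get("cust-42")[:24].hex(), "...")
    store.rogue_admin_flips_a_bit("cust-42")
    print("after tamper  :", verify(customer_key, store.get("cust-42")))  # False
```

<p>The point the author makes about methodology shows up in the code: sealing has to happen in the application before the record is handed to the provider, which means the key boundary is a design decision taken at the start, not a feature the provider can add later. Note also what this does not give you: the provider still learns record sizes, access patterns and identifiers, and an application the provider runs that needs to search or sort the data cannot do so on ciphertext.</p>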
<p>The other issue with cloud computing is version control. Well, version control is implicit in its model, but it is all or nothing. You can&#8217;t easily give some people one version of a service and others a different one, or at least not while meeting cloud computing&#8217;s economic objectives. One benefit, however, is that security patches are deployed to everyone at once in this model. You shouldn&#8217;t find rogue PCs with insecure versions of software lying around undiscovered.</p>
<p><strong>Cloud computing will come of age when the traditional model of information security changes.</strong> As IT professionals and leaders, it makes sense to push for that change both within your organization and beyond its boundaries. Don&#8217;t let the trend take hold before you have the capability to support it! Or else you really can&#8217;t afford it.</p>
<p>&copy;2012 <a href="http://www.simonstapleton.com/wordpress">SimonStapleton.com</a>. All Rights Reserved.</p>]]></content:encoded>
			<wfw:commentRss>http://www.simonstapleton.com/wordpress/2008/07/15/can-you-afford-the-cloud/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
	</channel>
</rss>

