What are the twelve most stupid gaffes a network manager can make? More to the point, have you made one, or suffered from one yourself? See if you recognize any of these clangers.
Data-security breaches are front-page news now, and any company whose name ends up there is going to suffer. CIOs won’t tolerate seeing their name emblazoned across these stories, especially when the accountability lands on the head of the Network Manager. Here are twelve common, totally dumb mistakes that Network Managers should know better than to allow on their systems.
The first ten of these mistakes come from a great article by Carolyn Duffy Marsan on CIO.COM, which draws on research recently completed and published by Verizon, based on 285 million compromised records.
Yes, that’s 285,000,000 compromised records. Wow.
I added another two (11 & 12) which I didn’t see in the original list, but which I have to include because, in my own experience, they are equally disastrous.
- Not changing the default passwords on all network devices – it’s gob-smacking how many devices are installed onto networks without their admin passwords ever being changed. Default credentials are printed in the vendor’s manual, so an unchanged one is effectively no password at all. Maybe vendors should not build in default passwords at all? Rather, setting the password should be a mandatory installation step, and the device should refuse to function until it has been set.
- Sharing a password across multiple network devices – this is just like the above, except that the ‘default’ is one used across and within the organization. It’s done for convenience, but once a technician or hacker gets access to one device, then heck, they’ve got access to them all! Per-device credentials, or a central authentication service (RADIUS or TACACS+) with individual accounts, remove that single point of failure and give you a record of who logged in where.
- Failing to find SQL coding errors – the dreaded ‘SQL injection’ is the most common vulnerability: application code builds a query by pasting user input into the SQL text, so an attacker can supply input that changes the query and runs their own statements against your database. Thing is, this is a long-known issue with well-documented solutions (parameterized queries, input validation, and database accounts with no more rights than the application needs). It’s unthinkable to leave your database open to such attacks, but it is still prevalent. Any network manager who doesn’t close them down should be shot.
- Misconfiguring your access control lists – often the result of lazy or inexperienced engineering. Network devices and segments should only be allowed to talk to each other if there is a business reason to do so; everything else should be denied by default, and a ‘permit any any’ rule added to make something work should be treated as a bug, not a fix.
- Allowing nonsecure remote access and management software – in this age, unencrypted management access (telnet, plain HTTP, SNMP with default community strings) is suicide: anyone on the path can read the admin credentials straight off the wire. Use SSH, HTTPS or a VPN, and restrict management interfaces to a dedicated management network.
- Failing to test noncritical applications for basic vulnerabilities – your security is only as strong as the weakest component on the network. A lot of focus is placed on making the public-facing applications, such as the web site, bullet-proof, but less attention is given to the noncritical applications. In an inter-networked environment, however, any vulnerability will be exploited at some point, and a ‘noncritical’ application on the same network segment as a critical one is a stepping stone to it. Network managers must insist that ALL components are tested for vulnerabilities, not just the critical ones. If the money-men don’t like it, then remind them of the cost of failure!
- Not adequately protecting your servers from malware – intrusion-detection systems should run on all servers, not just those that hold data. Malware is smart and often slips past signature-based anti-virus software, so you need something that watches behaviour as well (unexpected processes, changed system files, new outbound connections), not just file signatures.
- Failing to configure your routers to prohibit unwanted outbound traffic – most of the attention goes to blocking unwanted inbound traffic, but what about filtering outbound traffic? If malware finds its way onto one of your servers, it can begin sending all sorts of traffic (beacons to its controller, scans of your other hosts, stolen data) unless you prevent it. A mail server should send just mail traffic, so allow it only to do that, and log what the deny rule catches: a blocked outbound connection is often the first sign that a server has been compromised.
- Not knowing where credit card or other critical customer data is stored – if your data is scattered across your network and you don’t know exactly where, then you’re in for trouble. If you can’t locate the data, you can’t protect it! Application logs, backups, test databases and support tickets are the usual places it turns up where nobody expected it.
- Not following the Payment Card Industry Data Security Standard (PCI DSS) – if you’re the ‘standards-shmandards’ type, then you’re putting yourself at risk. Nobody has lost their job for following standards (well, the right ones, anyway). These standards exist because they are best practice. Why take an unnecessary risk by ignoring them?
- Not accounting for the human factors – rigorous security measures often mean that your people have to do more to comply with them, often at their inconvenience. Frequent password changes, for example, mean that people must remember what their new password is. So what happens? They write it down, or do something equally dumb. Remember, too much rigor too quickly can mean that people can’t cope with it and totally destroy your efforts by creating different vulnerabilities like this one.
- Assuming the threat is restricted to sources outside of your network boundary – especially when it has long been known that a significant share of attacks come from the inside, whether from your own people or from an outsider who has already got a foothold on an internal machine. Almost all human endeavor is based on trust somewhere along the line, but too much trust in your people means too much risk. Smart network managers apply as much focus to internal security measures (segmentation, least-privilege accounts, logging of administrative actions) as they do to the external perimeter.
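To make the SQL injection item above concrete, here is an added example (my own illustration, not code from Carolyn Duffy Marsan’s article or the Verizon report). It builds a throwaway SQLite table, runs the same user lookup written the dangerous way (string concatenation) and the safe way (a bound parameter), and feeds each one two classic payloads: one that widens the WHERE clause to every row, and one that bolts a UNION onto the query to read the schema out of `sqlite_master`. The table, user names and payloads are all constructed for the demonstration.

```python
import sqlite3


# Constructed sample table (not from the article or the Verizon report).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # BAD: the user-supplied string is spliced into the SQL text, so a quote
    # character ends the literal and whatever follows it is parsed as SQL.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # GOOD: the value is bound as a parameter. The database never parses it
    # as SQL, so a quote in the input is just a quote inside the value.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads: the first turns the WHERE clause into "always true",
# the second appends a UNION that reads table definitions from sqlite_master
# and comments out the closing quote the application adds.
BYPASS_PAYLOAD = "' OR '1'='1"
SCHEMA_PAYLOAD = "' UNION SELECT name, sql FROM sqlite_master --"


def demo():
    """Run both lookups against a normal name and against both payloads."""
    conn = make_db()
    return {
        "safe_normal": lookup_safe(conn, "alice"),
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_bypass": lookup_vulnerable(conn, BYPASS_PAYLOAD),   # every row
        "vulnerable_schema": lookup_vulnerable(conn, SCHEMA_PAYLOAD),   # CREATE TABLE text
        "safe_bypass": lookup_safe(conn, BYPASS_PAYLOAD),               # no such user
        "safe_schema": lookup_safe(conn, SCHEMA_PAYLOAD),               # no such user
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18} -> {rows}")
```

The fix is not clever input filtering; it is never letting the database parser see user data as part of the statement. The parameterized version returns `alice` for a normal lookup and nothing at all for either payload, because it is literally searching for a user called `' OR '1'='1`.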
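The access-control-list and outbound-filtering items above are really the same discipline applied in two directions, so here is one added example (my own, not from the article or the Verizon report) covering both. It models a first-match-wins ACL the way a typical router evaluates one, lints the list for blanket ‘permit any any’ rules, and then runs a handful of sample flows from a mail server through a permissive egress policy and a tightened one. The addresses, rules and flows are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    src: str        # source network in CIDR notation
    dst: str        # destination network in CIDR notation
    proto: str      # "tcp", "udp" or "any"
    dports: tuple   # allowed destination ports; empty tuple means any port


def matches(rule, src, dst, proto, dport):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and (not rule.dports or dport in rule.dports))


def evaluate(rules, src, dst, proto, dport):
    # First matching rule wins, as on a typical router ACL; anything that
    # falls off the end of the list hits the implicit deny.
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"


def overly_broad(rules):
    # Lint for the misconfigured-ACL mistake: a permit rule that lets any
    # protocol reach any destination on any port is a blanket allow.
    return [r for r in rules
            if r.action == "permit"
            and ipaddress.ip_network(r.dst).prefixlen == 0
            and r.proto == "any" and not r.dports]


MAIL_SERVER = "10.0.1.25"    # hypothetical internal mail relay
INTERNAL_DNS = "10.0.0.53"   # hypothetical internal resolver

# Weak policy: everything inside may talk to anything outside, on any port.
PERMISSIVE_EGRESS = [Rule("permit", "10.0.0.0/8", "0.0.0.0/0", "any", ())]

# Tightened policy for the mail server: send mail, resolve names, nothing else.
TIGHT_EGRESS = [
    Rule("permit", "10.0.1.25/32", "0.0.0.0/0", "tcp", (25,)),     # outbound SMTP
    Rule("permit", "10.0.1.25/32", "10.0.0.53/32", "udp", (53,)),  # DNS to our resolver
    Rule("deny",   "10.0.1.25/32", "0.0.0.0/0", "any", ()),        # explicit deny, so it can be logged
]

# Constructed sample flows: (src, dst, proto, dport). The last two are what
# malware on the mail server would try: a beacon out and a hop to a neighbour.
FLOWS = {
    "smtp_to_internet": (MAIL_SERVER, "203.0.113.10", "tcp", 25),
    "dns_lookup":       (MAIL_SERVER, INTERNAL_DNS, "udp", 53),
    "c2_beacon":        (MAIL_SERVER, "198.51.100.7", "tcp", 4444),
    "lateral_rdp":      (MAIL_SERVER, "10.0.2.40", "tcp", 3389),
}


def audit(rules, flows=FLOWS):
    """Return the verdict each sample flow gets under the given rule list."""
    return {name: evaluate(rules, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    print("blanket permits:", overly_broad(PERMISSIVE_EGRESS))
    loose, tight = audit(PERMISSIVE_EGRESS), audit(TIGHT_EGRESS)
    for name in FLOWS:
        print(f"{name:18} permissive={loose[name]:6} tight={tight[name]}")
```

Under the permissive list every flow is permitted, including the beacon to port 4444 and the RDP attempt against another internal host. Under the tightened list only the two flows with a business reason get through, and the explicit final deny is where you hang the logging.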
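For the ‘not knowing where credit card data is stored’ item, the practical first step is to go and look. Here is an added example of the kind of scan I would run over logs, backups and ticket exports (my own code, not from the article or the Verizon report). It picks out 13 to 19 digit runs, discards anything that fails the Luhn checksum every card number must satisfy, and reports only a masked form so the scan output does not become yet another copy of the data. The log excerpt is constructed; the two card numbers in it are the well-known public test numbers, not real accounts.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# and not glued to further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    # Luhn checksum: from the right, double every second digit, subtract 9
    # from any doubled value over 9, and the total must be a multiple of 10.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    # Keep the first six and last four digits (enough to identify the issuer
    # and the account to its owner) and hide the rest.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return (line_number, masked_pan) for every Luhn-valid candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((lineno, mask(digits)))
    return hits


# Constructed sample log excerpt. Line 1 has a 16-digit order number and
# line 4 a 14-digit ticket number; neither passes Luhn, so neither is reported.
SAMPLE_LOG = """\
2009-03-01 10:15:02 order=1234567890123456 customer=bob status=shipped
2009-03-01 10:16:44 card=4111111111111111 amount=49.99
2009-03-01 10:17:09 note: customer read out 5555 5555 5555 4444 over the phone
2009-03-01 10:18:30 phone=555-0100 ticket=20090301101830
"""


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: {masked}")
```

The Luhn check is what keeps this usable: order numbers, timestamps and ticket IDs are long digit strings too, and without it the report would be mostly noise. A hit on line 2 of a log file is exactly the kind of thing that means a card number is sitting outside whatever you thought your cardholder-data environment was.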
Made Any of These Mistakes?
If you have made any of these mistakes, how did you feel about it, and did you learn to put it right? What were the consequences to you? Share YOUR story…