An interesting conversation with our interim campus president at the college today brought back to mind a post from more than five years ago. A server crash this morning made her wonder if a former network administrator, who did not leave on good terms, still somehow had a hand in the incident. Apparently, this fellow had succeeded in planting a logic bomb in the network timed to go off on the date of each new term start. Today was a new term start; today the server crashed. Our president’s logic said that “[name withheld] was up to his old tricks.” It wasn’t that, fortunately. The power supply died.
What was revealing about that conversation is that management at the time failed to consider an internal threat. No doubt the other faux pas were also committed. I saw evidence of them when I first took on the role of network administrator and have since corrected things. So, here’s a reminder of how NOT to do things.
Here are my Top Five Security Faux Pas beginning with number five:
- 5. Relying Solely on Software Security Updates–What, you’ve never heard of a zero-day exploit? C’mon, we professionals know that the bad guys are usually first to discover the security flaws and they’re the first to exploit them.
- 4. Altering the Firewall–Oh! There’s a threat? Let’s add a rule to the firewall. You have a Cisco Certified CCIE-Security on staff? Good for you! If not, this isn’t a good option.
- 3. Failure to Monitor the Network–If you don’t analyze the firewall, IDS and server logs, you’re likely missing things that shouldn’t be there. Buried among those thousands of failed attempts at finding an open port are those few that manage to attempt a connection and fail. Do you see them?
- 2. Failure to Consider Internal Threats–Your employees are all angels, right? They always follow the security guidelines, policies and procedures you set for them. Outright malice aside, what if that thumb drive they plugged in this morning picked up a trojan from their home computer last night? Oh, oh! You’re pwned.
- 1. Mistaking Technical Expertise for Security Savvy–So, the new “Sec Admin” can configure any router or firewall and knows all the commands to “protect” your network. So, what? Can he teach the receptionist how to detect and thwart a telephone phishing attempt? Does he even know how someone would go about that? If not, you’re doomed…
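Item 3 is the one on this list that can be turned into working code. The following is an added example, not something from the original post or from the author's own network: it triages a handful of constructed firewall/IDS-style log lines (the line format, addresses and actions are all made up for the demonstration) and separates the port-scan noise from the few sources that deserve a human look, namely a source that probed closed ports and was then accepted somewhere, or one that racked up repeated authentication failures on a service that is open.

```python
"""Log triage: separate port-scan noise from sources that got further.

Added example (not from the original post). The log format below is a
constructed one: "<time> <ACTION> <src> -> <dst>:<port>", where ACTION is
DENY (blocked at the firewall), ACCEPT (connection allowed) or AUTHFAIL
(connection allowed but the login failed, as a server log would record).
"""
import re
from collections import defaultdict

# Constructed sample lines: one noisy scanner, one source that probed and
# then connected and failed to log in three times, and one normal client.
SAMPLE_LOG = """\
08:00:01 DENY 203.0.113.7 -> 192.0.2.10:21
08:00:01 DENY 203.0.113.7 -> 192.0.2.10:23
08:00:02 DENY 203.0.113.7 -> 192.0.2.10:25
08:00:02 DENY 203.0.113.7 -> 192.0.2.10:80
08:00:03 DENY 203.0.113.7 -> 192.0.2.10:443
08:00:04 DENY 203.0.113.7 -> 192.0.2.10:3389
08:01:10 DENY 198.51.100.4 -> 192.0.2.10:8080
08:01:11 ACCEPT 198.51.100.4 -> 192.0.2.10:22
08:01:12 AUTHFAIL 198.51.100.4 -> 192.0.2.10:22 user=admin
08:01:13 AUTHFAIL 198.51.100.4 -> 192.0.2.10:22 user=root
08:01:14 AUTHFAIL 198.51.100.4 -> 192.0.2.10:22 user=backup
08:05:00 ACCEPT 192.0.2.50 -> 192.0.2.10:443
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>DENY|ACCEPT|AUTHFAIL) "
    r"(?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+)"
)


def parse(log_text):
    """Yield (action, src, dst, port) for every line in the constructed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["action"], m["src"], m["dst"], int(m["port"])


def triage(log_text, scan_ports=5, authfail_limit=3):
    """Return {'scanners': {src: n_ports}, 'review': {src: [reasons]}}.

    A source that only hit closed ports (at least scan_ports distinct ones)
    is classified as scanner noise. A source that probed closed ports and
    then had a connection ACCEPTed, or that reached authfail_limit failed
    logins, goes to the review list with the reasons spelled out.
    """
    denied = defaultdict(set)     # src -> {(dst, port), ...} that were blocked
    accepted = defaultdict(int)   # src -> number of accepted connections
    authfail = defaultdict(int)   # src -> number of failed logins
    for action, src, dst, port in parse(log_text):
        if action == "DENY":
            denied[src].add((dst, port))
        elif action == "ACCEPT":
            accepted[src] += 1
        else:
            authfail[src] += 1

    sources = set(denied) | set(accepted) | set(authfail)
    scanners, review = {}, {}
    for src in sorted(sources):
        reasons = []
        if denied[src] and accepted[src]:
            reasons.append(
                f"probed {len(denied[src])} closed port(s), then was ACCEPTed")
        if authfail[src] >= authfail_limit:
            reasons.append(f"{authfail[src]} authentication failures")
        if reasons:
            review[src] = reasons
        elif len(denied[src]) >= scan_ports:
            scanners[src] = len(denied[src])
    return {"scanners": scanners, "review": review}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for src, n in result["scanners"].items():
        print(f"scanner noise: {src} hit {n} closed ports")
    for src, reasons in result["review"].items():
        print(f"REVIEW {src}: " + "; ".join(reasons))
```

Run against the sample, the scanner that hammered six closed ports is filed as noise, the normal client on 443 is not mentioned at all, and the one source that probed a closed port, got an accepted connection on 22 and then failed three logins is the line that lands on the review list. The thresholds are deliberately parameters: on a real network the scan-port count and the login-failure limit are tuned per site, and the same shape of logic applies to whatever log format your firewall and servers actually emit once the regular expression is adjusted.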
Not to sing my own praises, but to sing my own praises, they picked the right guy when they picked me; there have been no major security incidents since I took over.