Telecom and Logistics Associates

Security News Service: TLAnews

Publication: Christian ALT, TLAalert Security Service

8.6.2000  Security Mistakes People Make that Lead to Security Breaches
Technological holes account for a great number of the successful break-ins, but people do their share, as well. Here are the SANS Institute's lists of silly things people do that enable attackers to succeed.

The Five Worst Security Mistakes End Users Make

The Seven Worst Security Mistakes Senior Executives Make

The Ten Worst Security Mistakes Information Technology People Make


The Five Worst Security Mistakes End Users Make

1. Opening unsolicited e-mail attachments without verifying their source and checking their content first.
2. Failing to install security patches, especially for Microsoft Office, Microsoft Internet Explorer, and Netscape.
3. Installing screen savers or games from unknown sources.
4. Not making and testing backups.
5. Using a modem while connected through a local area network (the dial-up link bypasses the network's firewall and gives an attacker a route into the LAN).

The Seven Worst Security Mistakes Senior Executives Make

1. Assigning untrained people to maintain security and providing neither the training nor the time to make it possible to learn and do the job.
2. Failing to understand the relationship of information security to the business problem: they understand physical security but do not see the consequences of poor information security.
3. Failing to deal with the operational aspects of security: making a few fixes and then not allowing the follow-through necessary to ensure the problems stay fixed.
4. Relying primarily on a firewall.
5. Failing to realize how much money their information and organizational reputations are worth.
6. Authorizing reactive, short-term fixes so problems re-emerge rapidly.
7. Pretending the problem will go away if they ignore it.

 The Ten Worst Security Mistakes Information Technology People Make

1. Connecting systems to the Internet before hardening them.
2. Connecting test systems to the Internet with default accounts/passwords.
3. Failing to update systems when security holes are found.
4. Using telnet and other unencrypted protocols for managing systems, routers, firewalls, and PKI (credentials and commands cross the network in cleartext; use SSH or another encrypted channel instead).
5. Giving users passwords over the phone or changing user passwords in response to telephone or personal requests when the requester is not authenticated.
6. Failing to maintain and test backups.
7. Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, and the r-services (rsh, rlogin, rexec).
8. Implementing firewalls with rules that don't stop malicious or dangerous traffic, incoming or outgoing.
9. Failing to implement or update virus detection software.
10. Failing to educate users on what to look for and what to do when they see a potential security problem.

And a bonus, number 11: 

Allowing untrained, uncertified people to take responsibility for securing important systems.
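As an added example (not part of the SANS list or of the TLA page), the POSIX shell script below audits a host for three of the mistakes in the IT list above: legacy cleartext services left enabled in inetd (items 4 and 7), those same services actually listening on the network (item 7), and accounts that have no password or that carry a vendor default account name and are not locked (item 2). The inetd.conf, netstat and shadow samples, the service and port lists, and the default-account watchlist are all constructed for illustration; on a real host you would feed in the actual /etc/inetd.conf, the output of `netstat -an`, and /etc/shadow. `audit_host` prints one line per finding and `count_findings` returns the number of findings, which makes it usable as a gate before a system is connected to the Internet.

```shell
#!/bin/sh
# Added example, not from the SANS list or the TLA page: an offline audit for
# three of the "IT people" mistakes above, run against constructed sample data.

# Constructed sample of /etc/inetd.conf: ftp, telnet and rlogin enabled,
# finger and rsh commented out, ssh enabled.
SAMPLE_INETD='# service sock_type proto flags user server_path args
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
ssh     stream  tcp     nowait  root    /usr/sbin/sshd  sshd -i'

# Constructed "netstat -an" style listener table
# (proto, recv-q, send-q, local address, foreign address, state).
SAMPLE_NETSTAT='tcp  0  0  0.0.0.0:21    0.0.0.0:*  LISTEN
tcp  0  0  0.0.0.0:22    0.0.0.0:*  LISTEN
tcp  0  0  0.0.0.0:23    0.0.0.0:*  LISTEN
tcp  0  0  0.0.0.0:111   0.0.0.0:*  LISTEN
tcp  0  0  127.0.0.1:25  0.0.0.0:*  LISTEN
tcp  0  0  0.0.0.0:513   0.0.0.0:*  LISTEN'

# Constructed /etc/shadow: "test" has an empty password field (no password at
# all); "oracle" stands in for a vendor-created account whose placeholder hash
# was never changed; "nobody" is locked with "*".
SAMPLE_SHADOW='root:$1$abc$hashhashhash:11000:0:99999:7:::
test::11000:0:99999:7:::
oracle:$1$def$hashhashhash:11000:0:99999:7:::
nobody:*:11000:0:99999:7:::'

# inetd service names for the cleartext/legacy services named in the list
# (ftp, telnet, finger and the r-services: shell=rsh, login=rlogin, exec=rexec).
RISKY_SERVICES='ftp telnet finger shell login exec'
# The same services as TCP ports, plus the rpc portmapper (111).
RISKY_PORTS='21 23 79 111 512 513 514'
# Hypothetical watchlist of account names that ship with vendor-set passwords.
DEFAULT_ACCOUNT_WATCHLIST='guest test oracle'

# Report enabled (uncommented) inetd entries for risky services.
audit_inetd() {
    printf '%s\n' "$1" | awk -v risky="$RISKY_SERVICES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        $1 ~ /^#/ || NF == 0 { next }
        ($1 in bad) { print "inetd: " $1 " enabled via " $7 }'
}

# Report risky ports in LISTEN state, and smtp when it is not bound to loopback.
audit_listeners() {
    printf '%s\n' "$1" | awk -v risky="$RISKY_PORTS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        $NF == "LISTEN" {
            split($4, a, ":"); addr = a[1]; port = a[2]
            if (port in bad) print "listen: port " port " open on " addr
            else if (port == 25 && addr != "127.0.0.1") print "listen: smtp exposed on " addr
        }'
}

# Report accounts with an empty password field, and watchlisted account names
# whose password field is neither "*" nor "!"-locked.
audit_shadow() {
    printf '%s\n' "$1" | awk -F: -v watch="$DEFAULT_ACCOUNT_WATCHLIST" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) named[w[i]] = 1 }
        $2 == "" { print "account: " $1 " has no password"; next }
        ($1 in named) && $2 != "*" && substr($2, 1, 1) != "!" {
            print "account: " $1 " is a default account and is not locked" }'
}

# Run all three checks; arguments are the inetd.conf, netstat and shadow text.
audit_host() {
    audit_inetd "$1"
    audit_listeners "$2"
    audit_shadow "$3"
}

# Number of findings as a bare integer (zero means the host passes this gate).
count_findings() {
    audit_host "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed samples.
audit_host "$SAMPLE_INETD" "$SAMPLE_NETSTAT" "$SAMPLE_SHADOW"
```

The inetd and listener checks are deliberately separate: a service can be commented out of inetd.conf yet still be listening because it was started another way, and the reverse (enabled in inetd but filtered) is exactly what a firewall rule should, but in item 8 often does not, achieve.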

Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: June 07, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.