Here's a list of five worst practices that I'd like to share with you:
1. Using Wired Equivalent Privacy (WEP) encryption
If you're still running WEP encryption in your organization, it's time to face the facts: WEP's design is broken beyond repair. It encrypts every frame with RC4 under a static shared key prefixed by a 24-bit initialization vector that is sent in the clear, so keystreams repeat and the key itself leaks through weak IVs. Freely available tools recover the key from captured traffic in minutes, often less, and no passphrase length or "hidden SSID" changes that. Move to WPA2 or WPA3.
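To make the weakness concrete, here is an added Python model of WEP's per-frame encryption. It is not code from the original post and does not reproduce the real key-recovery attacks (FMS, KoreK, PTW); it shows the simpler consequence of the 24-bit IV: IVs repeat after a few thousand frames, and once two frames share an IV, known plaintext in one (a predictable LLC/SNAP or ARP header) decrypts the other without the attacker ever learning the key. The shared key, IV, and frame contents are constructed for the demo, and the WEP integrity check value is omitted.

```python
# Added illustration of why WEP is weak; not code from the original post.
# Model: each frame is RC4-encrypted under (24-bit IV || shared key), with the IV
# transmitted in the clear. The IV space is tiny, so keystreams repeat, and two
# frames under one IV leak the XOR of their plaintexts. The ICV is omitted and
# the real key-recovery attacks (FMS/KoreK/PTW) are not reproduced here.
import random
from itertools import count

IV_BITS = 24
IV_SPACE = 1 << IV_BITS


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP is built on."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Per-frame WEP encryption: payload XOR RC4(IV || key). The IV goes out unencrypted."""
    assert len(iv) == IV_BITS // 8
    return xor(payload, rc4_keystream(iv + shared_key, len(payload)))


def frames_until_iv_repeat(seed: int) -> int:
    """Draw random IVs until one repeats. Birthday bound for 2^24 values is about
    5,000 frames, i.e. seconds of traffic on a busy network."""
    rng = random.Random(seed)
    seen = set()
    for n in count(1):
        iv = rng.randrange(IV_SPACE)
        if iv in seen:
            return n
        seen.add(iv)


def decrypt_with_reused_keystream(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Attacker step: keystream = c_known XOR p_known, then strip it from another frame
    sent under the same IV. Recovers as many bytes as the known plaintext covers."""
    keystream = xor(c_known, p_known)
    return xor(c_target, keystream)


def demo() -> bytes:
    """Two constructed frames under one reused IV. The attacker knows frame 1's content
    (a predictable header plus filler) and recovers frame 2 without the shared key."""
    shared_key = b"s3cr3t-wep-13"                    # constructed 104-bit key, never seen by attacker
    iv = bytes.fromhex("a1b2c3")                     # reused IV, visible on the air
    header = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"     # LLC/SNAP header announcing ARP
    p_known = header + b"\x00" * 28                  # constructed known frame, 36 bytes
    p_target = b"GET /admin?token=hunter2 HTTP/1.1"  # constructed secret frame, 33 bytes
    c_known = wep_encrypt(shared_key, iv, p_known)
    c_target = wep_encrypt(shared_key, iv, p_target)
    return decrypt_with_reused_keystream(c_known, p_known, c_target)


if __name__ == "__main__":
    print("frames until an IV repeats (seed 7):", frames_until_iv_repeat(7))
    print("recovered without the key:", demo())
```

Real WEP cards often counted the IV up from zero rather than choosing it at random, which is worse: the counter wraps after 2^24 frames and restarts from zero on every reboot, so the collisions the birthday estimate predicts are a lower bound on what an attacker sees.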
2. Practicing "security theatre"
"Security theatre" is the practice of implementing complex, expensive security measures solely for the sake of making people notice that you're spending a lot of time and energy on security, despite the fact that your controls are easily defeated and largely ineffective.
3. Encrypting email attachments only to include the encryption key in the message
Someone sends a sensitive document by email and, meaning well, uses the encryption feature of Microsoft Office to preserve the confidentiality of the document while in transit. The person then congratulates himself in the body of the same message: "Mike, I know you're always telling me about the security problems with email, so I encrypted this confidential file. The password is football." The cipher Office wraps the file in is not the weak link; the password is, and it is travelling in the same message as the file it protects, so anyone who can read one can read both. The simple solution is to use an out-of-band channel for the password. For example, send the email and then pick up the phone and call the recipient to provide the password. The likelihood of the same individual intercepting both your email and your telephone call is remote.
4. Failing to patch
Vendor patch announcements sometimes warn of such dire consequences as "a severe flaw…[that] could lead to system crashes, remote execution of code and privilege escalation". Remember, hackers read the same security patch announcements that we do, and a published fix is a roadmap to the bug. Leaving network devices, databases and third-party applications unpatched is asking for trouble.
5. Failing to encrypt laptops
Fortunately, there's an easy way to avoid this altogether: use full-disk encryption to render mobile data unusable if a device is stolen. One caveat: disk encryption protects data at rest, so it only helps if the laptop is powered off or locked with a strong passphrase when it goes missing. A machine that is merely asleep still holds the key in memory, and a weak login password is the weak link regardless of the cipher.