While some might argue that ignorance is bliss, when an organisation's security hangs in the balance remaining clueless isn't a viable option. In this article, Jane Grafton of Lieberman Software dispels five common security myths.
All too often people hide behind what they 'want' to believe is true. Unfortunately, your personal beliefs and opinions will not prevent a ruthless individual from ransacking your network's filing cabinets. The easy road is not necessarily the secure one, so rather than wait for a hacker or malicious insider to burst your bubble, here's what misguided individuals tell me far too frequently.
Myth One: We passed our regulatory compliance audit--so our network is safe
If I had a brick for every time I heard this one I could build a wall around the equator a mile thick and two miles high. Just because you passed an audit does not mean you are hack proof. Far too many large organisations on both sides of the Atlantic are testament to this fact.
There are a number of reasons for this. The most common is that IT departments will pull out all the stops to hit a certain number of audits per year, and forget about compliance on all the days in between. Another big concern is that auditors may not always know where to look for the holes, so they can be steered in another direction.
I give you fair warning--hackers won't make an appointment to come 'check' your systems! Neither will they stumble accidentally across vulnerabilities in your enterprise. They know what they're looking for and will strike on their terms.
Myth Two: Our passwords change regularly in line with regulatory mandates--so our network is safe
I'm sorry to be the bearer of bad news but, in my experience, this is unlikely to be accurate.
While user login credentials might be automatically prompted for change, it is the highly privileged administrator accounts that fall outside most automated solutions and are therefore rarely altered. Of course, some of you may be thinking that you've got that one covered because your IT staff secures these privileged identities manually. All too often that simply isn't possible. While not rocket science, the sheer magnitude of the task is to blame.
Someone physically connecting to machines, or even using scripts, to change passwords to comply with regulatory mandates is fraught with complications. Think of all the services running on machines with privileged credentials, including any interdependent services, which have to be...