Commonly overlooked security hazards |
 |
| 18 May 2005 | by Dave Piscitello |
|
|
Security expert Dave Piscitello offers tried-and-true practices for identifying and alleviating security risks, and implementing guidelines that will protect your company from the next nasty threat. Here, Dave covers the ten most commonly overlooked security hazards and easy ways to prevent them from placing your network at risk.
- Lax policy definition and enforcement – You cannot determine
compliance to, enforce, or demand accountability to a policy if you
don't have and maintain one.
- Overly permissive access policies – Access is one example where
more is not better.
- Single line of defense - Does your security resemble a soft-boiled egg?
- Default installations of software - These are among the most common
flaws, and often lead to escalated privilege attacks.
- Default and vulnerable configurations - Under most default
conditions, devices join networks, even when this is not good for
security.
- Weak authentication methods - You must apply two or more credentialing
criteria.
- Inadequate auditing, logging, analysis - Auditing is not an in-
depth activity in most organizations, but it should be.
- Flawed security processes, unsecured workflows - Mis-configurations commonly expose assets to attack.
- Weak security testing and auditing methodologies - Testing and policy changes are related events.
- Weak incident response and business continuity plans - Chicken Little is not a role model for a CSO.
Check out Dave's full-length presentation here.
Dave Piscitello is an authority on network security with more than 30 years experience in data networking and telecommunications. Dave is President of Core Competence Inc., founder and program manager of The Internet Security Conference, and chairman of Networld+Interop's Security Conference. Dave has authored books on internetworking and remote access, and regularly publishes articles on a variety of subjects including switched internetworking, ATM and Gigabit Ethernet, Internet security, and virtual private networking.
|
|
|
|
