Proper management of a company's IT systems must consider hundreds of variables, and it is important to make the right choices for each of them.

Below is a list of the most common mistakes in IT security.

Security Policies and Regulations:

  • Ignoring regulatory compliance requirements;
  • Assuming employees and managers will read regulations, policies and memos simply because they were asked to;
  • Using protection templates without customizing them;
  • Adopting frameworks such as ISO 27001/27002 without being ready for the required changes;
  • Creating security policies that cannot be enforced;
  • Applying policies that have not yet been approved;
  • Creating security policies only to tick a checkbox among “things to do for the company”;
  • Hiring someone to create security policies without that person knowing the business or processes;
  • In a multilingual environment, security policies may need to be translated into several languages; the mistake here is letting the translations become inconsistent with one another;
  • Considering security policies excellent only because they worked the previous year;
  • Thinking that having established a security policy means being truly secure;
  • Thinking that policies do not apply to executives;
  • Hiding from auditors.

Security Tools:

  • Deploying a security product without first tuning and testing it;
  • Setting the IDS (Intrusion Detection System) to be too selective, or not selective enough;
  • Buying security products without considering maintenance and implementation costs;
  • Buying security products while thinking they have no security issues and introduce none;
  • Relying only on antivirus and firewall, without carrying out further checks;
  • Installing security products without configuring them;
  • Running regular vulnerability scans but not considering the results;
  • Letting security software/hardware work in automatic mode;
  • Using different technologies without understanding their security implications;
  • Buying an expensive product when a cheaper one could have solved the problem, only because it was sold by “IBM”.

Risk Management:

  • Using the same security policy for all IT assets and all company divisions, without considering each one's risk profile;
  • Hiring a security manager without giving them decision-making power;
  • Thinking your company is too small and insignificant to protect;
  • Not worrying because you have not been breached recently;
  • Being paranoid without considering the asset value or its exposure factor;
  • Classifying all data as top secret.

Security Practices:

  • Not performing periodic checks on systems, appliances, network devices, applications and databases;
  • Locking infrastructures down so tightly that getting work done becomes difficult or impossible;
  • Answering “no” whenever a request is made;
  • Imposing security conditions without providing the necessary tools and training;
  • Focusing on prevention mechanisms while ignoring periodic checks;
  • Not having a DMZ (Demilitarized Zone) for Internet-accessible servers;
  • Assuming your patch manager is working, and therefore not checking it;
  • Deleting log files because they are too large to read;
  • Believing SSL solves every web-application security problem;
  • Banning USB drives without limiting Internet access;
  • Overriding network, systems and development team managers with your decisions;
  • Not staying updated on new technologies and attack methods;
  • Adopting new technologies before they mature;
  • Hiring someone only because they have many certifications;
  • Not informing other managers about the security problems your efforts prevented;
  • Not training IT staff, personnel and managers on IT security issues.

Password Management:

  • Requiring users to change passwords too frequently;
  • Expecting users to remember passwords without writing them down;
  • Imposing unrealistic password policies;
  • Using the same password on different systems;
  • Imposing password requirements without considering how easily a password can be reset.

Do You Want to Know Your Risk Exposure?

EasyAudit WEB is the ideal entry-level solution for checking websites, portals, web applications and reserved areas.

EasyAudit NET lets you check the security of your Internet-exposed network.

Want to know how exposed your website is?

EasyAudit WEB checks websites, portals and e-commerce with a professional external audit designed for SMEs.
