http://www.zdnetasia.com/news/security/0,39044215,62020417,00.htm
By Lynn Tan
ZDNet Asia
June 11 2007
Organizations should not rely on its staff to ensure its network is
secured as employees are not infallible and one slip is all it takes for
cyber criminals to launch a vicious attack.
"If you are an organization that is relying on your employees to do the
right thing with respect to security, you've already made a number of
mistakes," said Scott Montgomery, global vice president for product
management at Secure Computing, in a phone interview with ZDNet Asia.
Montgomery noted that end users are typically the "least educated" of
proper corporate security practices and are "most prone to doing things"
that do not adhere to the company's security policy.
He highlighted four most damaging security habits that are commonplace
among organizations in this region and around the world, and underscored
the need for IT administrators to closely monitor these areas.
1. Fixed passwords
The Sans Institute, over the last decade, has identified passwords as
one of top 10 most damaging security practices, Montgomery said.
Unlike token-generated or one-time passwords, he noted that fixed
passwords do not change and some users may even write them down to avoid
forgetting the sequence. As such, fixed passwords are "dangerous"
because any person who knows the right password can log into the network
and cannot be identified as an imposter, he said.
"Everybody knows that fixed passwords are weak and a problem. It's been
the same way for 10 to 15 years, but it doesn't change organizations
from investing in it," Montgomery said.
In contrast, the use of one-time passwords has been found to
"dramatically increase the security profile of organizations" because
the perpetrator would not be able to compromise the user's credentials,
he said.
"Even the use of one-time password on an application-by-application
basis dramatically increases your security profile because you can't
do…password guessing," Montgomery said. He added that the use of a
hardware token for one-time password deployment--whether it is
time-based or event-based--is a good way to prevent systems from being
compromised.
2. Neglecting inbound threats from e-mail, the Web and instant messaging
When end-users receive a spam message in their e-mail inbox, their
administrators have already "lost the battle", Montgomery said. "At that
point, you're expecting the users to do the right thing [but] they
won't... They don't have any perception of the greater risk of their
activities." He noted that e-mail, Web mail and IM (instant messaging)
are among the high-risk areas and IT administrators need to ensure data
received via these platforms are safe and protected.
3. Forgetting that data traffic is two-way
When keeping the organization's network secure, IT administrators should
keep in mind that data traffic is bidirectional and consider
possibilities of outbound data leakage.
Montgomery noted that organizations often forget that their traffic is
bidirectional and many spent the last several years protecting only the
data that enters their networks. "Organizations have been very slow to
look at what's leaving their network, in terms of data leakage, due to
malicious and criminal intent or that are simply [the result of
employee] mistakes," he said.
4. Not encrypting data
Without encryption, data sent and received via email is literally "like
putting an ad out in the paper" and for anyone in the public to view,
said Montgomery. He added that some users wrongly assume the data they
send is private and cannot be seen by the public.
"People who want to read your e-mail will have to look for it to find
it, but they can find it if they want to," he said.
"There is a level of protection only if people use encryption in their
e-mail, [but] most people don't," Montgomery said.
Received on Wed Jun 13 01:02:13 2007