The 3 biggest mistakes made by security pros

Here's the flip side of last week's post on security missteps made by senior management. The takeaway? Know your priorities and work down the list -- now

Page 2 of 2

To put it bluntly, patching sucks in so many shops. I'm not talking about just being a little tardy with patching; I mean being years out of date. In fact, the majority of exploited, unpatched software has had vendor updates freely available for one or two years.

How to fix it? Start by finding out if your patch management system even checks for all the patches. Most don't. You can prove it by going to any workstation or server and listing every program installed on it, then checking a CVE database to see what versions are vulnerable. You'll need to do this manually, because even my absolute favorite patch-checking program, Secunia CSI, doesn't list everything despite covering more than 10,000 programs.

The first few computers you check will require a few hours of homework. But pretty soon, you'll build a quick cheat sheet of the most common applications and their appropriate versions. Or start easy: make sure every computer in your environment running Java or Adobe Acrobat Reader has the latest version, and enable auto-updates where appropriate. At least get those patched (or removed altogether if not needed). Then you can move on to less popular programs.
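The manual check described above, turned into a script, as an added example (not the article's code and not Secunia CSI). It assumes you have already exported a machine's installed-programs list as name/version pairs (from the Windows Uninstall registry keys, `dpkg -l`, or similar) and that you maintain a cheat sheet of the oldest version you consider patched for each common product. The inventory and cheat-sheet values below are constructed placeholders, not real vendor minimums. Beyond the plain version comparison, it also flags the case the post hints at with Java: an old copy left installed side by side with a current one, which should be removed rather than patched.

```python
"""Installed-software inventory versus a patched-version cheat sheet.

Added example for this post; it is not the article's code and not Secunia CSI.
The cheat sheet and the inventory below are constructed sample data, and the
minimum versions are placeholders rather than real vendor advisories.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed cheat sheet: product prefix -> oldest version you treat as patched.
# In practice this comes from the vendor's release notes and a CVE database.
CHEAT_SHEET: Dict[str, str] = {
    "Java": "8.0.999",                  # placeholder value
    "Adobe Acrobat Reader": "11.0.99",  # placeholder value
    "Mozilla Firefox": "99.0",          # placeholder value
}

# Constructed inventory, (display name, version): the shape of an installed
# programs export (Windows Uninstall registry keys, dpkg -l, etc.).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("Java 8 Update 45", "8.0.450"),
    ("Java 8 Update 999", "8.0.999"),
    ("Adobe Acrobat Reader DC", "11.0.20"),
    ("Mozilla Firefox", "99.0"),
    ("Some Line-of-Business App", "3.1"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.0.450' or '11.0.20 (beta)' into a comparable tuple of ints.

    Non-numeric fragments are dropped and trailing zeros stripped, so '3.1'
    and '3.1.0' compare equal. Never compare version strings lexically:
    '10.0' sorts before '9.0' as text but not as a version.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def match_product(name: str, cheat_sheet: Dict[str, str]) -> Optional[str]:
    """Map an installed display name onto a cheat-sheet entry by prefix."""
    lowered = name.lower()
    for product in cheat_sheet:
        if lowered.startswith(product.lower()):
            return product
    return None


def check_inventory(inventory: List[Tuple[str, str]],
                    cheat_sheet: Dict[str, str]) -> Dict[str, list]:
    """Classify each installed program as ok, outdated, or not on the sheet.

    Also lists stale side-by-side installs (e.g. an old Java left behind next
    to a current one), which should be removed rather than merely patched.
    """
    report: Dict[str, list] = {"ok": [], "outdated": [], "unknown": [], "stale_duplicates": []}
    installs: Dict[str, list] = {}  # product -> [(name, version string, version tuple)]
    for name, version in inventory:
        product = match_product(name, cheat_sheet)
        if product is None:
            report["unknown"].append(name)
            continue
        parsed = parse_version(version)
        installs.setdefault(product, []).append((name, version, parsed))
        if parsed < parse_version(cheat_sheet[product]):
            report["outdated"].append((name, version, cheat_sheet[product]))
        else:
            report["ok"].append((name, version))
    for entries in installs.values():
        if len(entries) > 1:
            newest = max(parsed for _, _, parsed in entries)
            for name, version, parsed in entries:
                if parsed < newest:
                    report["stale_duplicates"].append((name, version))
    return report


if __name__ == "__main__":
    result = check_inventory(SAMPLE_INVENTORY, CHEAT_SHEET)
    for name, version, minimum in result["outdated"]:
        print(f"OUTDATED  {name} {version} (need >= {minimum})")
    for name, version in result["stale_duplicates"]:
        print(f"REMOVE    {name} {version} (older copy alongside a newer one)")
    for name in result["unknown"]:
        print(f"UNKNOWN   {name} (not on the cheat sheet yet; check manually)")
```

The "unknown" bucket is the point of the exercise: every program that lands there is one your cheat sheet (and, by the post's argument, probably your patch tool) does not yet cover, so it is the next one to research and add.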

Proactive monitoring
It's also very rare that any organization has deployed comprehensive event monitoring. Or, if it has, it's enabled only on servers or domain controllers. Now remember, I just said that most attacks happen on the end-user desktop. So, uh, shouldn't those computers be among the most heavily monitored?

Event log management is horrible in most environments. The biggest threat is socially engineered Trojans, but most event log management programs are implemented so generally that there's hardly any value. They focus on dozens, if not hundreds, of other events that don't address the No. 1 problem.

Start by asking what needs to be monitored to detect malicious attacks. In many cases, that would be unexpected program execution, such as a Trojan horse program or a worm. For this sort of monitoring, I prefer to use whitelisting or application control programs. You can run most of them on one or more reference computers, and the software will usually do the software inventory and make the rules. Thereafter, the idea is to block unknown software, although that may be impractical in this day and age. Instead, you can use your whitelisting program to alert users to all the unrecognized executables.
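The reference-computer approach above, as an added example that is not the article's code and not any commercial whitelisting product: build the allowlist by inventorying a clean reference machine, then run process-start events from end-user desktops against it in either alert or block mode. It assumes each event carries the image path and the SHA-256 of the image, which a process-creation record such as Sysmon event ID 1 provides. The reference directory tree, the executable-suffix set, and the hosts, users and paths are constructed for the example.

```python
"""Reference-machine allowlist plus alert-or-block checks on process starts.

Added example for this post; it is not the article's code and not any
commercial whitelisting product. A clean 'reference' directory tree and the
process-start events are constructed inside a temp directory so it runs
offline; the host, user and path values are made up.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Hypothetical: which file types count as executable content for the baseline.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".ps1", ".bat"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(reference_root: Path) -> Dict[str, str]:
    """Inventory a reference machine: map each executable's hash to its path.

    Keying on hash rather than path means a renamed or relocated binary is
    still recognised, while a modified one is not.
    """
    allowlist: Dict[str, str] = {}
    for path in reference_root.rglob("*"):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            allowlist[sha256_file(path)] = path.relative_to(reference_root).as_posix()
    return allowlist


def audit_events(events: List[Dict[str, str]], allowlist: Dict[str, str],
                 mode: str = "alert") -> List[Dict[str, str]]:
    """Decide allow/alert/block for each process-start event.

    Each event carries the image path and the SHA-256 of the image, the two
    fields a process-creation record (e.g. Sysmon event ID 1) gives you.
    'alert' mode lets unknown binaries run but flags them; 'block' mode denies.
    """
    decisions = []
    for event in events:
        if event["sha256"] in allowlist:
            decision = "allow"
        else:
            decision = "block" if mode == "block" else "alert"
        decisions.append({**event, "decision": decision})
    return decisions


def demo(mode: str = "alert") -> List[Dict[str, str]]:
    """Build a constructed reference image and audit three constructed events."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp) / "reference"
        (ref / "Windows/System32").mkdir(parents=True)
        (ref / "Program Files/Vendor").mkdir(parents=True)
        (ref / "Windows/System32/notepad.exe").write_bytes(b"constructed notepad bytes")
        (ref / "Program Files/Vendor/lob.exe").write_bytes(b"constructed lob bytes")
        (ref / "Windows/readme.txt").write_bytes(b"not executable content")  # ignored
        allowlist = build_allowlist(ref)

    def h(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    # Constructed process-start events from two end-user desktops.
    events = [
        {"host": "ws01", "user": "alice", "image": r"C:\Windows\System32\notepad.exe",
         "sha256": h(b"constructed notepad bytes")},
        {"host": "ws01", "user": "alice", "image": r"C:\Users\alice\Downloads\setup.exe",
         "sha256": h(b"constructed unknown bytes")},
        {"host": "ws02", "user": "bob", "image": r"C:\Program Files\Vendor\lob.exe",
         "sha256": h(b"constructed lob bytes")},
    ]
    return audit_events(events, allowlist, mode)


if __name__ == "__main__":
    for d in demo():
        print(f"{d['decision']:5}  {d['host']}  {d['user']}  {d['image']}")
```

Running it in alert mode is the fallback the post recommends when outright blocking is impractical: the unknown binary started from a user's Downloads folder still runs, but it produces exactly the kind of event the rest of your log management is likely missing, and it comes from the desktop rather than a domain controller.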

The biggest problem in IT computer security isn't that the bad guys can attack us a thousand different ways, although that's inarguably true. No, the real problem is that we don't prioritize and focus appropriately. I hope this post and the one I wrote last week will be a wake-up call.

This story, "The 3 biggest mistakes made by security pros," was originally published in Roger Grimes' Security Adviser blog.
