Security mistake No. 3: Overlooking the anomalies
Although hackers can break in without being detected, it's hard for them to hack away without doing something anomalous. Hackers need to explore the network, connecting from one computer to other computers that never talk to each other. Basically, hackers perform tasks that regular end-users would almost never do.
Most IT admins do not have good baselines about what activities and activity levels are expected and normal. If you don't define what is normal, how can you detect the abnormal and send an alert? The Verizon Data Breach Investigations Report says year after year that almost every data breach would have been detected or prevented if the victims had implemented the controls they should have had in place all along.
Security mistake No. 4: Neglecting to ride herd on password policy
We all know that passwords should be strong (long and complex) and changed frequently. Every admin I talk to says their passwords are strong. But whenever I check, they aren't. Well, they might be strong in some areas, but in the places they really count, like enterprisewide service accounts, domain-wide accounts, and other super-user accounts, they are weak.
I've got an axiom: The more powerful the account, the weaker the password will be and the less likely it is ever to be changed. Wanna find out how strong your password policy really is? Run a query to see how many days it's been since the last password change. I guarantee you'll find accounts that have gone without a password change for thousands of days.
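One way to run that query against Active Directory, as an added example that is not from the original article: it lists enabled accounts whose password is older than a threshold and surfaces the privileged and service accounts first. It assumes the RSAT ActiveDirectory module is installed and uses a one-year threshold as a placeholder for your own policy.

```powershell
# Added example (not from the original article): enabled AD accounts whose
# password has not changed in more than $MaxAgeDays days, with privileged
# and service accounts sorted to the top. Requires the ActiveDirectory module.
param(
    [int]$MaxAgeDays = 365   # assumption: substitute your own policy maximum
)
Import-Module ActiveDirectory

$now    = Get-Date
$cutoff = $now.AddDays(-$MaxAgeDays)

# PasswordLastSet is the friendly form of pwdLastSet (null = never set or
# "must change at next logon"); AdminCount is 1 on accounts protected by
# AdminSDHolder, i.e. members of privileged groups; a populated
# ServicePrincipalName marks an account that runs a service.
$props = 'PasswordLastSet', 'PasswordNeverExpires', 'AdminCount',
         'ServicePrincipalName', 'LastLogonDate'

Get-ADUser -Filter 'Enabled -eq $true' -Properties $props |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
    ForEach-Object {
        $days = if ($_.PasswordLastSet) {
            [int](($now - $_.PasswordLastSet).TotalDays)
        } else {
            $null   # never set: still worth reviewing
        }
        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            DaysSincePwdChange   = $days
            PasswordNeverExpires = $_.PasswordNeverExpires
            Privileged           = ($_.AdminCount -eq 1)
            ServiceAccount       = ($_.ServicePrincipalName.Count -gt 0)
            LastLogonDate        = $_.LastLogonDate
        }
    } |
    Sort-Object Privileged, ServiceAccount, DaysSincePwdChange -Descending |
    Format-Table -AutoSize
```

Pipe the output to Export-Csv instead of Format-Table to keep a dated record, so the next run can show whether the stale accounts actually got rotated.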
Security mistake No. 5: Failing to educate users about the latest threats
This one befuddles me the most. We say end-users are our weakest links, but then we don't educate them about the latest threats. By "latest threats" I mean the attacks that have made up the big majority of attacks for the last five years. Most end-users are incredibly educated about email file attachment attacks -- you know, the attacks that used to be popular 10 years ago.
But ask end-users if they realize they are most likely to be infected by a website that they know, trust, and visit every day -- and you'll hear crickets. Most end-users have no idea about malicious ads on their favorite website or the fact that popular Internet search engines may get them infected. They don't know that the cute little app being pushed their way by a friend in Facebook is most likely malicious. They don't know the difference between their antivirus software and the fake one that just popped up a window on the screen. They don't know because we don't teach them.
These five weaknesses are far from new. They've been around for over two decades. What I'm constantly surprised by is the complacency. Admins have checked off the item and are moving on to bigger tasks -- when in fact, their environment may be very broken. All they would have to do is ask a few questions or run a few queries.
To all those IT admins who realize this stuff is broken, I salute you. At least you know. That's the first step. You're ahead of the game.
This story, "5 big security mistakes you're probably making," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.