I'm a security professional, and it pains me to admit that in my line of work, mistakes are made. Multiple times. In almost every organization. With alarming frequency.
Here are the six most persistent screw-ups I've seen during my many years of consulting. If none sound familiar, I hate to tell you, but ... you may be in denial.
[ InfoWorld's expert guide: How to rethink security for the new world of IT. | Get smarter about security with InfoWorld's Deep Dive series of special reports. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
1. Believing you're fully patched
We all know that just about every organization contains unpatched software. I'm not talking about that. I'm talking about the personal computers that security professionals use themselves.
The majority of security professionals, when asked if they are fully patched, show me the results of their Windows Update scan. Almost all the remaining ones show me the results of their favorite independent patch-checking program.
Apparently they don't realize how inaccurate even the best of those programs are. They catch the popular, most exploited stuff, but they all miss things. Most don't check firmware or BIOS versions, for example, even though they easily could -- and new versions often plug serious security holes.
When I do a manual survey, I always find software programs the patch-checking program didn't look for. How? I look for every installed program, not just by checking the OS's installed applications list, but also by clicking my way through folders and directories. Along the way, I record the software versions. Some are not so obvious, so you have to look at the date of executables and DLLs.
Then I open up my favorite CVE (Common Vulnerabilities and Exposures) database -- I like the one hosted on Secunia -- and I compare my list with what's listed in the CVE database. I always find unpatched software.
2. Worrying about the wrong threats
Many of my fellow computer security professionals seem overly worried about obscure threats that are far lower risk in their environments than the really big threats they are facing. I love talking about theoretical exploits as much as the next guy, but when planning a security defense, you need to address the most likely threats.
We can talk about the threat that cryptographic hash function SHA-1 may be susceptible to versus SHA-2, but your defense would be better if we talked about how to improve your patching. We can discuss the benefits of biometric identities over smartcards if you want, but decreasing the number of full-time administrator accounts in your environment would do wonders. And so on.