3. Miseducating end users
In most workplaces, users get the same stale advice: Avoid visiting untrusted websites, and don't open email attachments from people you don't know.
Here's what you should be telling them: The websites you visit every day are likely to be compromised, so never install software offered to you over the Web unless you're 100 percent sure that it comes from a legitimate vendor.
Plus, users must be told never to click on unexpected links or run active content sent by anyone, including people they know. If an email carries a statement such as "This email has been inspected and is 100 percent virus free," what it contains is almost certainly malicious. We need to do a better job of teaching end users about phishing and social engineering, and about the steps they can take to verify any suspicious email or Web offer.
4. Neglecting to convey the right concerns to management
Often, security professionals fail to tell senior management about the biggest and most likely threats facing the organization. Most CIOs, CISOs, and CEOs can't tell you what the biggest threats to their environments are, even though they are spending millions of dollars a year trying to defend them.
Once again, you can blame security professionals themselves. We don't collect the right metrics. We report on the number of malware programs detected and removed, or on the number of unauthorized packets blocked by the firewall, but not on the number of malware programs that went undetected or for how long. We need to start figuring out which threats to our environment are the biggest and most likely, and how those threats are getting in, and then send that information up the chain.
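The metrics the column asks for are easy to compute once incident records carry a first-seen time and a detection time. The following added example (not code from the original column or from InfoWorld) takes a handful of constructed incident records and reports what went past the entry-point defenses, how long each of those infections sat undetected, and which entry vector was used. The record fields, host names and timestamps are all assumptions made up for the illustration.

```python
"""
Added example: turning incident records into the metrics the column argues for.
Instead of "N malware samples blocked", it reports how many infections got past the
first line of defense, how long each one sat undetected (dwell time), and which entry
vector they used, so that is what goes up the chain to management.
All records below are constructed sample data, not real incidents.
"""
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed incident records (hypothetical hosts and dates): when the malware first
# landed on the host, when it was finally detected, and whether a control caught it
# at the moment of entry (caught_at_entry=True) or only later.
INCIDENTS = [
    {"host": "ws-101", "first_seen": "2023-03-01T09:00", "detected": "2023-03-01T09:05",
     "caught_at_entry": True,  "vector": "email attachment"},
    {"host": "ws-117", "first_seen": "2023-03-02T14:30", "detected": "2023-03-14T08:10",
     "caught_at_entry": False, "vector": "drive-by web download"},
    {"host": "srv-07", "first_seen": "2023-03-03T22:15", "detected": "2023-04-02T11:00",
     "caught_at_entry": False, "vector": "drive-by web download"},
    {"host": "ws-204", "first_seen": "2023-03-05T10:00", "detected": "2023-03-05T10:00",
     "caught_at_entry": True,  "vector": "usb media"},
    {"host": "ws-150", "first_seen": "2023-03-08T16:45", "detected": "2023-03-11T09:30",
     "caught_at_entry": False, "vector": "email attachment"},
]


def _parse(ts):
    """Parse the constructed ISO-like timestamp format used in the records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def dwell_hours(incident):
    """Hours between the malware arriving on the host and anyone noticing it."""
    delta = _parse(incident["detected"]) - _parse(incident["first_seen"])
    return delta.total_seconds() / 3600


def management_metrics(incidents):
    """
    Summarize what senior management actually needs: how often the perimeter was
    bypassed, how long the misses stayed resident, and which vectors they came in on.
    Returns a dict so the caller can format it for a report or a dashboard.
    """
    missed = [i for i in incidents if not i["caught_at_entry"]]
    dwell = [dwell_hours(i) for i in missed]
    return {
        "total_infections": len(incidents),
        "missed_at_entry": len(missed),
        "miss_rate": len(missed) / len(incidents) if incidents else 0.0,
        "median_dwell_hours": median(dwell) if dwell else 0.0,
        "max_dwell_hours": max(dwell) if dwell else 0.0,
        # Vectors ranked by how many undetected infections used them.
        "top_vectors_for_missed": Counter(i["vector"] for i in missed).most_common(),
    }


if __name__ == "__main__":
    for key, value in management_metrics(INCIDENTS).items():
        print(f"{key}: {value}")
```

On the sample data, three of five infections got past the entry-point controls, the longest one sat for roughly a month, and drive-by web downloads account for most of the misses. That is a report a CIO can act on; a count of blocked packets is not.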
5. Failing to rebuild compromised computers
If a computer system has been compromised, you can no longer trust it. You have no idea what the unauthorized program did (even if it's identified as adware or some other nearly harmless program). If one program got past the computer's defenses, attacks by other programs or by hackers may have occurred as well. Frequently, when an anti-malware scanner says you are now clean, some other undetected (false-negative) malware program is still left behind.
The hard truth is that if a computer has been exploited, it needs to be rebuilt. The data should already have been backed up. Format or reset the OS, reinstall programs, reconnect the network drives, and begin again. This assumes, of course, that you've corrected the problem that let the malware into the compromised system in the first place.
6. Accepting conventional wisdom
The world is full of computer security people who repeat the same old tired lines -- such as "security by obscurity is no security at all" -- without really questioning whether they're true. The moral: Test things for yourself.
For example, I once accepted the conventional wisdom that a particular software vendor's programs are insecure. Everyone "knew" that the products were weak and easily hackable. Then I actually tried hacking them, and after days of attempts, I gave up -- and you're talking to a guy who has successfully broken into almost everything. It was a humbling experience.
If you can get past these six common misconceptions, you'll be a far better computer security defender than someone who hasn't. Don't believe me? Test it out.
This story, "6 things security pros keep getting wrong," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.