10 security mistakes that will get you fired

From killing critical business systems to ignoring a critical security event, these colossal slip-ups will get your career in deep water quick

Page 2 of 2

This is even more interesting because almost all firewalls begin with the least permissive, deny-by-default permissions, then somewhere along the way an application doesn’t work. After much troubleshooting, someone suspects the firewall is causing the problem, so they create an “allow ANY ANY” rule. This rule essentially tells the firewall to allow all traffic and to block nothing. Whoever requests or creates this rule usually wants it only for a short while to figure out what role the firewall might play in the problem. At least, that's the initial thinking.

Somehow these rules get left in place for a long time. Most environments I audit have at least one major router with an "ANY ANY" rule enabled. Usually the firewall administrators and IT security people are shocked to learn that the “temporary” rule is still in effect. These accidentally permanent "ANY ANY" holes are usually discovered by auditors (like me) or by hackers. Unfortunately, discovery by the latter can lead to the unemployment line.

Lesson learned: Don’t ever allow "ANY ANY" rules to be deployed.
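The audit check described above can be automated. The following script is an added example, not code from the article or from any firewall vendor; it assumes a simplified rule model (a list of dicts with action, source, destination, protocol, port, comment and the date the rule was added, all constructed here) and flags two things: any "allow ANY ANY" rule, and any rule whose comment marks it as temporary but that has outlived a short grace period.

```python
"""Audit a firewall rule list for 'allow ANY ANY' rules and stale temporary rules.

Rule model (assumed for this example, not a vendor format): each rule is a dict
with id, action, src, dst, proto, dport, comment and an ISO date 'added'.
"""
from datetime import date

# Values a rule field can hold that mean "match everything".
ANY_VALUES = {"any", "*", "0.0.0.0/0", "::/0"}


def is_any(value):
    """True when a source/destination/service field matches everything."""
    return str(value).strip().lower() in ANY_VALUES


def rule_is_any_any(rule):
    """True when the rule allows any source to any destination on any service,
    i.e. it tells the firewall to permit all traffic and block nothing."""
    return (
        rule["action"].lower() == "allow"
        and is_any(rule["src"])
        and is_any(rule["dst"])
        and is_any(rule.get("proto", "any"))
        and is_any(rule.get("dport", "any"))
    )


def rule_age_days(rule, today):
    """Days since the rule was added."""
    return (today - date.fromisoformat(rule["added"])).days


def audit_rules(rules, today, temp_max_days=7):
    """Return (rule id, finding) pairs for rules that need attention.

    temp_max_days is an assumed grace period for troubleshooting rules.
    """
    findings = []
    for rule in rules:
        if rule_is_any_any(rule):
            findings.append((rule["id"], "allow ANY ANY: permits all traffic, blocks nothing"))
        elif "temp" in rule.get("comment", "").lower():
            age = rule_age_days(rule, today)
            if age > temp_max_days:
                findings.append((rule["id"], f"temporary rule still in place after {age} days"))
    return findings


# Constructed sample ruleset: a deny-by-default base, one scoped allow, the
# classic forgotten "ANY ANY" troubleshooting rule, and a stale temporary rule.
SAMPLE_RULES = [
    {"id": "R1", "action": "deny", "src": "any", "dst": "any", "proto": "any",
     "dport": "any", "comment": "default deny", "added": "2010-01-10"},
    {"id": "R2", "action": "allow", "src": "10.0.0.0/8", "dst": "10.1.2.3", "proto": "tcp",
     "dport": 443, "comment": "intranet portal", "added": "2012-05-20"},
    {"id": "R3", "action": "allow", "src": "any", "dst": "any", "proto": "any",
     "dport": "any", "comment": "TEMP: troubleshooting app outage", "added": "2013-02-01"},
    {"id": "R4", "action": "allow", "src": "any", "dst": "10.1.2.5", "proto": "tcp",
     "dport": 22, "comment": "temp vendor access", "added": "2014-10-01"},
]
TODAY = date(2014, 10, 15)  # constructed audit date

if __name__ == "__main__":
    for rule_id, finding in audit_rules(SAMPLE_RULES, TODAY):
        print(f"{rule_id}: {finding}")
```

Running the script against the sample set reports R3 as an "allow ANY ANY" hole and R4 as a temporary rule that outlived its grace period; the deny rule R1 matches "any any" too but is not an allow, which is why the check looks at the action first.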

Colossal security mistake No. 9: Not changing passwords

One of the most common mistakes that can put your job on the line is not changing your admin passwords for a very long time. My auditing experience has made this very clear. Almost all companies have multiple unexpired, years-old admin passwords. In fact, it’s the norm.

Every computer security configuration guide recommends changing all passwords on a reasonable, periodic basis, which translates to every 45 to 90 days in practice. Admin and elevated passwords should be stronger and changed more frequently than user passwords. At most companies, admin passwords are long and complex, but almost never changed.

The work of changing these passwords doesn’t have to be onerous. Lots of corporate software is available for automating the process of changing admin passwords, even creating temporary one-time passwords. Still, even in companies using this software, I find a ton of unchanged passwords.

What’s the rationale behind this lackadaisical password practice? Consider the first mistake mentioned at the beginning of this article: interrupting critical business functionality. A software system can easily change passwords for admin accounts, but what happens when those same accounts and passwords are used within other applications and systems across the corporate network? If you change one, but not the other, you will often get a service disruption for as long as the two stay out of sync. Even if you change the password in both the account and the application, it may take a restart or reboot for the change to take place.

This operational complexity ends up pressuring admins and application owners to exempt their accounts from forced password changes. Fear of interrupting critical business systems begets foolhardy password practice.

Worse, admin passwords are often shared around the network, known by many people. These passwords should not be shared in the first place, but if they are, they need to be changed immediately anytime someone who knows the password leaves the company. Failure to follow this policy is the first step in enabling a fired, disgruntled employee to get back into the network to cause great harm.

Lessons learned: Periodically change all passwords, especially admin and service accounts. And always change passwords immediately upon separation of employment. Plus, don’t use admin accounts and passwords to power your applications.
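The three lessons above translate directly into an account audit. The script below is an added example, not the article's code or any directory product's tooling; it assumes a constructed account list with the date of the last password change, the people known to share the password, and the applications that embed the credential, plus a set of departed employees. The age thresholds (45 days for admin accounts, 90 for users) are assumed values within the range the article cites.

```python
"""Flag stale, shared and application-embedded admin passwords.

Account model (assumed for this example): name, admin flag, ISO date of the
last password change, list of people who know the password, and the
applications that have the credential configured in them.
"""
from datetime import date

# Assumed maximum password age per account class; the article cites 45 to 90
# days as typical practice, with admin passwords rotated more often.
MAX_AGE_DAYS = {"admin": 45, "user": 90}


def password_age_days(account, today):
    """Days since the account's password was last changed."""
    return (today - date.fromisoformat(account["last_changed"])).days


def audit_accounts(accounts, departed, today):
    """Return (account name, finding) pairs.

    Findings cover the three lessons: passwords past their rotation limit,
    shared passwords known by someone who has left, and admin credentials
    embedded in applications (which is what makes rotation painful).
    """
    findings = []
    for acct in accounts:
        kind = "admin" if acct["admin"] else "user"
        age = password_age_days(acct, today)
        if age > MAX_AGE_DAYS[kind]:
            findings.append((acct["name"],
                             f"{kind} password unchanged for {age} days (limit {MAX_AGE_DAYS[kind]})"))
        leavers = sorted(set(acct.get("known_by", [])) & set(departed))
        if leavers:
            findings.append((acct["name"],
                             "shared password known by departed staff, change immediately: "
                             + ", ".join(leavers)))
        if acct["admin"] and acct.get("used_by_apps"):
            findings.append((acct["name"],
                             "admin credential embedded in applications, use a dedicated service account: "
                             + ", ".join(acct["used_by_apps"])))
    return findings


# Constructed sample data: a years-old shared domain admin password, a service
# account whose admin credential is wired into applications, and a normal user.
SAMPLE_ACCOUNTS = [
    {"name": "domain-admin", "admin": True, "last_changed": "2011-03-02",
     "known_by": ["alice", "bob", "carol"], "used_by_apps": []},
    {"name": "svc-backup", "admin": True, "last_changed": "2014-09-20",
     "known_by": [], "used_by_apps": ["BackupServer", "ReportingJob"]},
    {"name": "jdoe", "admin": False, "last_changed": "2014-08-01",
     "known_by": [], "used_by_apps": []},
]
DEPARTED = {"bob"}          # constructed: left the company, still knows domain-admin
TODAY = date(2014, 10, 15)  # constructed audit date

if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_ACCOUNTS, DEPARTED, TODAY):
        print(f"{name}: {finding}")
```

On the sample data the domain admin account is reported twice (a password unchanged for over three years, and one that a departed employee still knows), the backup service account is reported for having its admin credential baked into two applications, and the ordinary user account passes.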

Colossal security mistake No. 10: Treating every vulnerability like “the big one”

One of the worst things you can do for your career is to cry wolf too often. Every year, a few of the thousands of newly discovered vulnerabilities become “the big one.” This year, Heartbleed and Shellshock fit the bill, rightly deserving your attention and remediation.

But there will always be a significant number of vulnerabilities that colleagues and the media tout as the critical hole that will cripple your network and systems. It takes experience and skill to recognize what you really need to be worried about. If you run around panicking at every last “big” vulnerability, you risk being seen as someone who doesn’t know their job, can’t discern the real threats to your business, and shouldn’t be taken seriously, even when your alarm coincides with a vulnerability your company should definitely pay attention to. Granted, crying wolf likely won’t get you fired, but it can certainly cause roadblocks to your long-term upward mobility.

Lesson learned: Correctly prioritize vulnerabilities, and be careful not to undermine your credibility with colleagues by wasting their time with false alarms.
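One way to keep from crying wolf is to rank each new vulnerability against what is actually deployed before raising an alarm. The script below is an added example, not the article's method or any scanner's scoring; its weights for known exploitation, internet exposure and asset criticality are assumed, and the vulnerability and asset records are constructed. A vulnerability in software the organization does not run scores zero, which is the "no alarm" case the article is warning about.

```python
"""Rank vulnerabilities by business risk rather than by headline volume.

The scoring weights and tiers are assumed for this example; adapt them to the
organization's own risk appetite.
"""

# Assumed triage weights added on top of the vulnerability's base severity score.
EXPLOITED_WEIGHT = 3.0        # working exploit observed in the wild
INTERNET_FACING_WEIGHT = 2.0  # an affected asset is reachable from the internet
CRITICAL_ASSET_WEIGHT = 2.0   # an affected asset is business critical


def applicable_assets(vuln, assets):
    """Assets that actually run the affected software."""
    return [asset for asset in assets if vuln["software"] in asset["software"]]


def priority_score(vuln, assets):
    """Severity adjusted for exploitation and for where the software is deployed.
    Returns 0.0 when nothing in the inventory is affected."""
    targets = applicable_assets(vuln, assets)
    if not targets:
        return 0.0
    score = float(vuln["cvss"])
    if vuln["exploited_in_wild"]:
        score += EXPLOITED_WEIGHT
    if any(asset["internet_facing"] for asset in targets):
        score += INTERNET_FACING_WEIGHT
    if any(asset["critical"] for asset in targets):
        score += CRITICAL_ASSET_WEIGHT
    return score


def triage(vulns, assets):
    """Return (id, score, action) triples, highest priority first."""
    ranked = []
    for vuln in vulns:
        score = priority_score(vuln, assets)
        if score == 0.0:
            action = "not applicable: no affected systems, no alarm"
        elif score >= 12.0:
            action = "remediate now"
        elif score >= 8.0:
            action = "schedule in next patch cycle"
        else:
            action = "track"
        ranked.append((vuln["id"], score, action))
    ranked.sort(key=lambda row: -row[1])
    return ranked


# Constructed inventory and vulnerability feed (ids and scores are made up).
ASSETS = [
    {"name": "web-01", "software": {"openssl", "nginx"}, "internet_facing": True, "critical": True},
    {"name": "db-01", "software": {"postgres", "bash"}, "internet_facing": False, "critical": True},
    {"name": "dev-box", "software": {"bash", "python"}, "internet_facing": False, "critical": False},
]
VULNS = [
    {"id": "V-1", "software": "openssl", "cvss": 5.0, "exploited_in_wild": True},
    {"id": "V-2", "software": "bash", "cvss": 10.0, "exploited_in_wild": True},
    {"id": "V-3", "software": "mediaplayer", "cvss": 9.8, "exploited_in_wild": False},  # hyped, not deployed
    {"id": "V-4", "software": "python", "cvss": 4.3, "exploited_in_wild": False},
]

if __name__ == "__main__":
    for vuln_id, score, action in triage(VULNS, ASSETS):
        print(f"{vuln_id}: {score:5.1f}  {action}")
```

Note that V-3 carries the highest base severity in the feed but ranks last, because nothing in the inventory runs the affected software; V-1 has a modest base score yet lands in "remediate now" because it is exploited, internet-facing and on a critical host. That is the distinction between a headline and a real threat to the business.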
