Common mistakes done in safeguarding the IT structure in an organisation

By: Rafe Zetasci

Most IT experts and security professionals try to safeguard their organisational framework as securely as possible. Sometimes, no matter how secure the IT structure is in an organisation, more often than not there is some kind of a loophole wherein data theft can occur. Here are some of the common mistakes that most security professionals keep getting wrong. Look out for these four persistent faults and take immediate action against them.

1. Assuming that all software is updated and patched
Almost every organisation has some form of un-patched software or the other. Although, this is an area of concern, what is deeply unnerving is that the personal computers used by most IT professionals and security experts themselves are at risk. When enquired whether the software in the entire organisation is patched, most security professionals point out to the results of the recent scan in their Windows Update program. Some others point out to their preferred autonomous patch-analysing program. Unfortunately, security professionals are not aware how faulty and dangerous some of these programs might be. Most independent patch-analysing programs look out for popular and widely available updates but tend to miss customised or tailored security software. Some others do not look into the BIOS versions or firmware, as updated versions can help in plugging serious security traps. It is important to conduct a manual survey and search for software programs that the patch-analysing program might have missed. All installed software must be scanned; glancing at the Operating System's installed applications list is not helpful, rather all the folders and directories must be checked, the date of executables and DLLs must be looked into, as well a record of all the software versions must be maintained. Once the check has been done, the CVE database should be opened and the list should be compared with what is listed in the CVE database. In almost every case, unpatched software is usually discovered in this manner.

2. Spending sleepless nights over unnecessary threats
Most IT experts tend to worry about vague threats that might be far lower in risk than the really big dangers that they are facing head-on. On a theoretical note, it is important to address the most likely threats and prepare a robust security defence plan. But sometimes, basic things such as patching the software and updating critical programs can be a huge boon, rather than planning an expensive and elaborate defence strategy. For example, IT professionals in an organisation may debate with the management on the advantages of biometric identities vis-à-vis smartcards, but in reality cutting down the total number of full-time administrator accounts within the IT environment can sometimes be a better security strategy than going in for expensive installs.

3. Archaic education to users
The run-of-the-mill advice that is imparted in every organisation is thus: employees should not visit untrusted websites while e-mail attachments from unknown people should not be opened.
Advice 2.0 states thus: Do not install software from the web unless there is a guarantee that it is coming from a legitimate vendor as websites visited each day are likely to be compromised. In addition, users must be advised never to click on any unknown link or install/run active content and by strangers, even by people known to them. For example, if an e-mail contains a line, "this e-mail has been analysed and is 100% virus free," is a sure-shot sign that the attachment is malicious. End-users need to be taught the next round of safeguarding their own terminals; they must be imparted guidelines on social engineering and phishing and the steps that they can undertake to confirm any dubious e-mail or web offer.

4. Failing to inform the management about the right concerns.
It has been seen that senior management are usually not aware nor told about the biggest and most impactful threats facing the organisation. In spite of spending thousands of dollars every year to defend an organisation's environment, most CIOs and CTOs are unable to spell out exactly what are the biggest threats to their organisation. If security professionals themselves do not collect the right metrics, it is not possible to gauge the danger facing the organisation. Almost every IT security professional reports on the number of malicious programs exposed and eliminated or the number of un-authorised messages barricaded by the firewall, but do not report on the number of malware programs that go undiscovered and for how long. It is important to start assessing the largest and most likely threats to every organisation; how such threats are entering the environment, and transmit this crucial data up the management line. Simple yet highly effective and powerful software can save millions of dollars while at the same time ensure complete peace of mind from hackers and data thieves.

###
Rafe Zetasci is a web analyst and avid blogger.