List: isn
Subject: [ISN] 7 Ways Security Pros DON'T Practice What They Preach
From: InfoSec News <alerts () infosecnews ! org>
Date: 2009-09-23 5:52:53
Message-ID: Pine.LNX.4.61.0909230052440.25211 () conundrum ! infosecnews ! org
http://www.csoonline.com/article/502914/7_Ways_Security_Pros_DON_T_Practice_What_They_Preach
By Bill Brenner
Senior Editor
CSO
September 22, 2009
IT security pros are often driven to drink -- literally -- over the
daily battles of their job: bosses unwilling to accept the rationale for
some new security investment, employees who regularly infect their
computers by doing things that have nothing to do with their jobs, and
vendors who don't understand the company's needs. [The latter example is
examined in 8 Dirty Secrets of the IT Security industry.]
But in a recent, unscientific and informal poll CSOonline conducted over
such social networks as Twitter and LinkedIn, many IT security pros
admitted they've often looked the enemy in the eye only to find
themselves staring back in the mirror. Or, they've seen carelessness in
well-meaning professionals who should know better.
Paul V de Souza, a former chief security engineer at AT&T and owner of
the CYBER WARFARE Forum Initiative (CWFI), has seen many an example
where IT security pros fail to practice what they preach. "I have
noticed that many security professionals do not encrypt their hard
drive," he said. "I also see a lack of two-factor authentication
deployment. Many of us security professionals rely only on passwords."
Based on the poll and a list provided by Andy Willingham, former network
security engineer at EBFC, information security engineer at MARTA and
founder/owner of AndyITGuy Consulting, here are seven examples of how
security pros cut corners:
1.) Using URL shortening services
URL shortening services have become immensely popular in recent years,
especially among security pros who use such forums as Twitter to share
content. The problem is that URL-shortening services are sometimes
insecure and unstable. For examples, see New Spam Trick: Shortened URLs
and 5 More Facebook, Twitter Scams to Avoid.
In the latter example, Graham Cluley, senior technology consultant with
U.K.-based security firm Sophos, noted in a recent interview that some
URL-shortening services have begun to try filtering out bad sites by
checking URLs against known blacklists, but that the issue is far from
resolved, particularly because Twitter and Facebook, despite increased
efforts to block malicious links, have no filtering mechanism of their
own for bad shortened URLs.
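A defender-side check in the spirit of this item, added here as an example and not code from the article, from Sophos or from any shortening service: it expands a shortened URL one redirect hop at a time (HEAD requests, redirects never followed automatically) and flags any hop whose host appears in a local blocklist, so the destination is known before anyone clicks. The `hop` callback, the hostnames and the sample redirect map are constructed for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Decline every redirect so the 3xx reply surfaces as an HTTPError."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_hop(url, timeout=5):
    """Issue one HEAD request; return the Location of a 3xx reply, else None."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None  # 2xx: this hop is the final destination
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise

def expand(url, hop=http_hop, max_hops=5):
    """Return the full redirect chain starting at url, refusing to go past max_hops."""
    chain = [url]
    for _ in range(max_hops):
        location = hop(chain[-1])
        if location is None:
            return chain
        chain.append(urljoin(chain[-1], location))  # resolve relative Location headers
    raise ValueError("redirect chain longer than %d hops: %s" % (max_hops, chain))

def check_short_url(url, blocklist, hop=http_hop):
    """Expand url and return (chain, hops whose hostname is on the blocklist)."""
    chain = expand(url, hop)
    hits = [u for u in chain if (urlsplit(u).hostname or "").lower() in blocklist]
    return chain, hits

# Constructed redirect map standing in for live shorteners (hostnames are made up).
SAMPLE_HOPS = {
    "http://sho.rt/abc": "http://other.sho.rt/xyz",
    "http://other.sho.rt/xyz": "/landing",
    "http://other.sho.rt/landing": "http://bad.example/payload",
}

def fake_hop(url):
    """Offline stand-in for http_hop, driven by SAMPLE_HOPS."""
    return SAMPLE_HOPS.get(url)
```

Swap `fake_hop` for the default `http_hop` to resolve a real short link; the hop limit keeps a looping or deliberately long chain from tying the checker up.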
[...]