10 Common Security Mistakes Businesses Make and How to Avoid Them (2003)

Donald E. Hester
CISSP, MCT, MCSE, MCSA, MCDST, Security+, CTT+
[email protected]

Mistake #1

- Assuming nothing will happen, or that employees already know what to do
- Not having a security awareness program

How to avoid:
- Don't ignore security risks and noncompliance
- Security policy
- Security program

Mistake # 2

Not having Anti Virus software Not keeping it up-to-date

How to avoid Install Anti Virus Software on all machines Update Anti Virus signatures daily

Page 4: 10 Common Security Mistakes Businesses Make and How to Avoid Them

Mistake #3

- Not keeping systems up to date (patch management)

How to avoid:
- Vendor websites and notices
- Some vendors have automated tools (e.g. Windows XP and Automatic Updates)

Mistake #4

- Be careful what you and your employees download
- Viruses and spyware
- System crashes, lost data, more spam, zombies, illegal software and music

How to avoid:
- Policies
- Training for employees
- Anti-virus and anti-spyware software
- Technical controls

Mistake #5

- Emailing confidential information unencrypted

How to avoid:
- Policy and training for employees
- Don't forget IM (instant messaging)
- Encrypt confidential information, or don't email it

Mistake #6

- Not ensuring the network is secure

How to avoid:
- Must have a firewall
- Training, or certified installers and administrators
- Security patches (Automatic Updates, patch management)
- Harden your systems (lock down the system)
- Give employees only the access they need to do their jobs

Mistake #7

- Not securing wireless networks (war-walking or war-driving)

How to avoid:
- NSA security guidelines for wireless
- If you use wireless, ensure you have the highest available security
- Get help: certified and trained installers

Mistake #8

- Not having a backup plan (disaster, destruction or hardware failure)

How to avoid:
- Backups and archiving
- Business continuity planning
- Document life cycle and retention policies
- Redundant systems (includes UPS)
- SLAs (Service Level Agreements)
- NIST SP 800-34
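A backup that has never been restored is an assumption, not a plan. The script below is an added example (not from the original slides) that backs a directory up into a timestamped tar.gz, writes a SHA-256 manifest beside it, and verifies the backup by a trial restore compared against the source. It assumes a POSIX shell with GNU tar, sha256sum, diff and dd; the directory names and sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original slides: back up a directory into a
# timestamped tar.gz, write a SHA-256 manifest beside it, and verify the backup
# by a trial restore. Assumes a POSIX shell with GNU tar and sha256sum.
set -eu

make_backup() {
  # $1 = directory to back up, $2 = destination directory
  # Prints the archive path on stdout.
  src=$1; dest=$2
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  name="backup-$stamp.tar.gz"
  tar -C "$src" -czf "$dest/$name" .
  ( cd "$dest" && sha256sum "$name" > "$name.sha256" )
  printf '%s\n' "$dest/$name"
}

verify_backup() {
  # $1 = archive path, $2 = original directory to compare against
  # Returns 0 only if the manifest checks out AND a trial restore matches.
  archive=$1; src=$2
  ( cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256" ) || return 1
  restore=$(mktemp -d)
  if tar -C "$restore" -xzf "$archive" && diff -r "$src" "$restore" >/dev/null; then
    rm -rf "$restore"; return 0
  fi
  rm -rf "$restore"; return 1
}

backup_demo() {
  # Constructed sample data: a good backup verifies, a corrupted one does not.
  work=$(mktemp -d)
  mkdir -p "$work/data/sub" "$work/backups"
  printf 'invoice 1001 (constructed sample)\n' > "$work/data/invoices.txt"
  printf 'client notes (constructed sample)\n' > "$work/data/sub/notes.txt"
  archive=$(make_backup "$work/data" "$work/backups")
  verify_backup "$archive" "$work/data" || { rm -rf "$work"; return 1; }
  # Simulate media damage: overwrite a few bytes of the archive; verification
  # must now fail at the manifest check before any restore is attempted.
  printf 'XXXX' | dd of="$archive" bs=1 seek=10 conv=notrunc 2>/dev/null
  if verify_backup "$archive" "$work/data"; then rm -rf "$work"; return 1; fi
  rm -rf "$work"
  return 0
}
```

Run `make_backup` on a schedule and `verify_backup` on every archive before it is rotated to offsite or redundant storage; the manifest catches silent corruption on the media, and the trial restore catches archives that are intact but incomplete.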

Mistake #9

- Not watching the information when it is out of your hands: due diligence in third-party relationships
- Vendors, clients (HIPAA), employees, systems integrators

How to avoid:
- Disclosures and due diligence
- Nondisclosure agreements
- Check certifications and background checks
- Remove confidential information when sending a computer in for repair, or get a signed NDA

Mistake #10

- Forgetting about physical information
- Keeping confidential information on laptops, PDAs and removable media
- Laptops stolen or destroyed

How to avoid:
- No confidential client data on laptops that leave the building
- Encrypt files
- Keep backups of files while you are traveling
- Don't forget physical security for laptops (the most stolen item in airports)
- Shred documents containing client confidential information
- Consider the location of computers and the environment they are in
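Both Mistake #5 ("encrypt confidential information, or don't email it") and Mistake #10 ("encrypt files" on laptops and removable media) come down to the same control: the file is protected by a passphrase before it leaves your control. The script below is an added example, not from the original slides, that encrypts a file with the openssl command-line tool and confirms that the right passphrase recovers it and the wrong one does not. It assumes openssl 1.1.1 or later is installed; the file names, passphrases and content are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original slides: encrypt a file with a passphrase
# before it is emailed or copied to a laptop, and confirm the recipient can
# recover it. Assumes the openssl command-line tool is installed.
set -eu

encrypt_file() {
  # $1 = plaintext, $2 = ciphertext output, $3 = passphrase file (mode 0600)
  # AES-256-CBC with a random salt and a PBKDF2-derived key; the passphrase is
  # read from a file so it never appears on the command line or in ps output.
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass "file:$3"
}

decrypt_file() {
  # $1 = ciphertext, $2 = plaintext output, $3 = passphrase file
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass "file:$3"
}

encrypt_demo() {
  # Constructed sample data: round trip with the right passphrase succeeds,
  # and the wrong passphrase does not yield the original content.
  umask 077
  work=$(mktemp -d)
  printf 'Client list (constructed sample data)\n' > "$work/clients.txt"
  printf 'correct horse battery staple\n' > "$work/pass.txt"
  printf 'not the passphrase\n' > "$work/wrong.txt"
  encrypt_file "$work/clients.txt" "$work/clients.enc" "$work/pass.txt"
  decrypt_file "$work/clients.enc" "$work/clients.dec" "$work/pass.txt"
  cmp -s "$work/clients.txt" "$work/clients.dec" || { rm -rf "$work"; return 1; }
  # Wrong passphrase: openssl normally reports "bad decrypt"; if the padding
  # happens to validate, the output is garbage, so check content, not status.
  if decrypt_file "$work/clients.enc" "$work/wrong.dec" "$work/wrong.txt" 2>/dev/null \
     && cmp -s "$work/clients.txt" "$work/wrong.dec"; then
    rm -rf "$work"; return 1
  fi
  rm -rf "$work"
  return 0
}
```

Send the `.enc` file as the attachment and pass the passphrase over a different channel (a phone call, not the same email thread). Note that `openssl enc` provides confidentiality only, not tamper detection; where both are needed, a tool that authenticates the ciphertext (GnuPG, for instance) is the better fit, and full-disk encryption remains the right answer for the laptop itself.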

Review

1. Start a security & loss prevention program

2. Keep up-to-date antivirus software

3. Keep systems & applications up-to-date

4. Be careful what you download

5. Be careful what you email and instant message

6. Secure your network with a firewall

7. Secure your wireless network

8. Make backups often & have redundancy

9. Be diligent with third parties

10. Remember physical security


General Guidance

- If you need it, get help
- Find out what information needs to be confidential (information asset inventory)
- Make security a priority (security is part of loss prevention)
- Make security a part of every process
- Train every employee; have a security awareness program
- Keep up with new laws and regulations: vendors, trade publications and insurance carriers
- Due diligence: make sure the people who support your information systems are certified
- Remember the technology industry is a constantly changing environment; security is a process, not a goal

References

- Think Security First: http://www.thinksecurityfirst.net/
- Maze & Associates: http://www.mazeassociates.com
- Donald Hester's site: http://www.learnsecurity.org
- NIST Special Publications 800 series: http://csrc.nist.gov/publications/nistpubs/index.html
- ISO 17799: http://www.iso.org/
- OECD Guidelines for Securing Information Systems
- AICPA / CICA Trust Services Principles and Criteria (SysTrust and WebTrust)
- CNSS, the Committee on National Security Systems: http://www.nstissc.gov/html/library.html
- CobiT Management Guidelines: http://www.isaca.org/ or http://www.itgi.org/
- Information Security Management Handbook on CD-ROM, 2003 edition
- NSA/CSS INFOSEC: http://www.nsa.gov/isso/index.html
- Federal Financial Institutions Examination Council guides and catalogues: http://www.ffiec.gov/guides.htm
- Federal Trade Commission GLBA site: http://www.ftc.gov/privacy/glbact/ and http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm
- CA Civil Code §1798.29, Personal Information Privacy Breach Disclosure Act (SB 1386, signed into law 2-12-02)
- CA Civil Code §1798.85, Personal Information Confidentiality (SB 168, signed into law 10-11-01)
- Sarbanes-Oxley
- RFC 2196, Site Security Handbook
- GASSP, Generally Accepted System Security Principles
- US Army FM 3-19.30, Physical Security: http://www.adtdl.army.mil/cgi-bin/atdl.dll/fm/3-19.30/toc.htm