5 big security mistakes you’re probably making

How vulnerable are most companies to hacking? So vulnerable that hackers claim they can point their systems at pretty much any target and be guaranteed of breaking in fairly quickly. Most run-of-the-mill vulnerability testers I know can break into a company in a few hours or less. It must be child’s play for professional criminals.

It doesn’t have to be this way. The problem is that most IT admins are making the same huge mistakes over and over.

[ InfoWorld’s Malware Deep Dive special report tells you how to identify and stop online attacks. Download it today! | Roger A. Grimes offers a guided tour of the latest threats in InfoWorld’s Shop Talk video, “Fighting today’s malware.” | Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. ]

Security mistake No. 1: Assuming that patching is good enough Every company I’ve ever audited tells me it has patching under control. What the company means is that the operating systems running on most of its computers have been patched. The most popular and most attacked applications? Not so much.

For example, when I find an Apache Web server running, it’s never fully patched. If the computer has Adobe Acrobat Reader, Adobe Flash, or Java, the same is true. They’re almost never patched. It’s not a coincidence that they’re also the most successfully exploited applications. This huge disconnect has been true for years.

IT admins think they have patching under control because they bought a comprehensive patching program, assigned someone to oversee it, got better patching than before, and checked it off their to-do list. Never mind that the patching was never perfect, never patched all computers, and didn’t patch every piece of vulnerable software. Somehow all that was glassed over and quickly forgotten.

On top of that, many departments won’t patch many of the applications they want to patch because of real (or perceived) application compatibility problems. For example, they update Java one day, hear that it caused some random error to appear in one department’s application, and by default are forbidden to update Java — forever. Or they have to keep a bazillion versions of Java around because updating it could possibly cause problems.

Years pass while most computers aren’t fully patched. Management goes along happily thinking that the patching problem is solved, whereas it’s just as bad as ever. Hackers have a field day.

Security mistake No. 2: Failing to understand what apps are running Most IT departments have no clue about the programs running on their computers. New computers come preloaded with dozens of utilities and programs the user doesn’t need, then users routinely add more. It’s not unusual for a normal PC to be running hundreds of programs and utilities at startup.

How can you manage what you don’t even know you have? Lots of these programs have huge, known vulnerabilities or vendor-implemented backdoors that anyone can take advantage of. If you want to secure your environment, you have to inventory what programs are running, get rid of what you don’t need, and secure the rest.

Security mistake No. 3: Overlooking the anomalies Although hackers can break in without being detected, it’s hard for them to hack away without doing something anomalous. Hackers need to explore the network, connecting from one computer to other computers that never talk to each other. Basically, hackers perform tasks that regular end-users would almost never do.

Most IT admins do not have good baselines about what activities and activity levels are expected and normal. If you don’t define what is normal, how can you detect the abnormal and send an alert? The Verizon Data Breach Investigations Report says year after year that almost every data breach would have been detected or prevented if the victims had implemented the controls they should have had in place all along.

Security mistake No. 4: Neglecting to ride herd on password policy We all know that passwords should be strong (long and complex) and changed frequently. Every admin I talk to says their passwords are strong. But whenever I check, they aren’t. Well, they might be strong in some areas, but in the places they really count, like enterprisewide service accounts, domain-wide accounts, and other super-user accounts, they are weak.

I’ve got an axiom: The more powerful the account, the weaker the password will be and the less likely it will ever be to be changed. Wanna find out how strong your password policy really is? Run a query to see how many days it’s been since the last password change. I guarantee you’ll find accounts that have gone without a password change for thousands of days.

Security mistake No. 5: Failing to educate users about the latest threats This one befuddles me the most. We say end-users are our weakest links, but then we don’t educate them about the latest threats. Regarding latest threats, I mean the big majority of attacks for the last five years. Most end-users are incredibly educated about email file attachment attacks — you know, the attacks that used to be popular 10 years ago.

But ask end-users if they realize they are most likely to be infected by a website that they know, trust, and visit every day — and you’ll hear crickets. Most end-users have no idea about malicious ads on their favorite website orr the fact that popular Internet search engines may get them infected. They don’t know that the cute little app being pushed their way by a friend in Facebook is most likely malicious. They don’t know the difference between their antivirus software and the fake one that just popped up a window on the screen. They don’t know because we don’t teach them.

These five weaknesses are far from new. They’ve been around for over two decades. What I’m constantly surprised by is the complacency. They have checked off the item and are moving on to bigger tasks — when in fact, their environment may be very broken. All they would have to do is ask a few questions or run a few queries.

To all those IT admins who realize this stuff is broken, I salute you. At least you know. That’s the first step. You’re ahead of the game.

This story, “5 big security mistakes you’re probably making,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’s Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.