socalgal
07-30-2000, 06:24 PM
Thought I'd share some of my email from W2Knews[tm].
THE FIVE WORST SECURITY MISTAKES END USERS MAKE:
1) Opening unsolicited email attachments without verifying their source and checking their content first.
2) Failing to install security patches, especially MS Office, IE and Netscape.
3) Installing Screen Savers or games without safety guarantees.
4) Not making and testing backups.
5) Connecting a modem to a phone line while the same computer is connected to a LAN.
THE SEVEN WORST SECURITY MISTAKES SENIOR EXECUTIVES MAKE:
1) Assigning untrained people to maintain security and providing neither the training nor the time to make it possible to learn and do the job.
2) Failing to understand the relationship of information security to the business problem - they understand physical security but do not see the consequences of poor information security.
3) Failing to deal with the operational aspects of security: making a few fixes and then not allowing the follow through necessary to ensure that problems stay fixed.
4) Relying primarily on a firewall.
5) Failing to realize how much money their information and organizational reputations are worth.
6) Authorizing reactive, short term fixes so problems re-emerge rapidly.
7) Pretending the problem will go away if they ignore it.
THE TEN WORST SECURITY MISTAKES INFORMATION TECHNOLOGY PEOPLE MAKE:
1) Connecting systems to the Internet before hardening them (removing unnecessary devices and patching necessary ones).
2) Connecting test systems to the Internet with default accounts and passwords.
3) Failing to update systems when security vulnerabilities are found and patches or upgrades are available.
4) Using telnet and other unencrypted protocols for managing systems, routers, firewalls and PKI (Public Key Infrastructure).
5) Giving users passwords over the phone, or changing passwords in response to telephone or personal request when the requester is not authenticated.
6) Failing to maintain and test backups.
7) Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, rservices (some of these are Unix specific).
8) Implementing firewalls with rules that allow malicious or dangerous traffic - incoming or outgoing.
9) Failing to implement or update virus detection software.
10) Failing to educate users on what to look for and what to do when they see a potential security problem.
From:
To join this list, send a blank message to the following address:
join-w2knews@lyris.sunbelt-software.com
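Items 4 and 7 of the IT list above (cleartext management protocols and unnecessary daemons such as ftpd, telnetd, finger, rpc and the r-services) are the kind of thing a quick audit can catch before a box goes online. The script below is an added example, not part of the original post or of W2Knews: it parses the text output of `netstat -tln` on a Linux host (a constructed sample is embedded so it runs offline) and reports listeners on the well-known ports of those services, separating loopback-only binds from network-reachable ones. The port-to-service map and the remediation text are my assumptions based on standard IANA port assignments; a daemon bound to a non-standard port would not be caught by this check.

```python
"""Flag legacy cleartext / unnecessary TCP listeners from `netstat -tln` output.

Added example (not from the original post). Assumes Linux netstat column
layout: Proto Recv-Q Send-Q Local-Address Foreign-Address State.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Standard ports of the services the W2Knews list calls out, with the
# replacement a practitioner would normally reach for. Assumption: IANA
# defaults; a service on a non-standard port is not detected by port alone.
RISKY_PORTS = {
    21: ("ftpd", "replace with SFTP/SCP over SSH"),
    23: ("telnetd", "replace with SSH"),
    25: ("smtpd", "disable unless this host must receive mail"),
    79: ("fingerd", "disable; leaks valid account names"),
    111: ("rpcbind/portmap", "disable unless NFS/NIS is required"),
    512: ("rexecd", "disable; use SSH"),
    513: ("rlogind", "disable; use SSH"),
    514: ("rshd", "disable; use SSH"),
}
LOOPBACK = {"127.0.0.1", "::1"}

# Matches only TCP rows in LISTEN state; headers, UDP and established
# connections fall through.
LISTEN_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN"
)

# Constructed sample of `netstat -tln` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp6       0      0 :::513                  :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int


@dataclass(frozen=True)
class Finding:
    port: int
    service: str
    exposure: str  # "loopback only" or "network-reachable"
    advice: str


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Extract (proto, address, port) for every TCP socket in LISTEN state."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue
        # rsplit keeps IPv6 addresses like ":::513" intact ("::" , "513").
        address, port = m.group("local").rsplit(":", 1)
        listeners.append(Listener(m.group("proto"), address, int(port)))
    return listeners


def audit(netstat_output: str) -> list[Finding]:
    """Return one Finding per (port, exposure) that matches RISKY_PORTS."""
    seen: set[Finding] = set()
    for lst in parse_listeners(netstat_output):
        if lst.port not in RISKY_PORTS:
            continue
        service, advice = RISKY_PORTS[lst.port]
        exposure = "loopback only" if lst.address in LOOPBACK else "network-reachable"
        seen.add(Finding(lst.port, service, exposure, advice))
    return sorted(seen, key=lambda f: (f.port, f.exposure))


def flagged_ports(netstat_output: str) -> list[int]:
    """Convenience: just the risky ports found, sorted and de-duplicated."""
    return sorted({f.port for f in audit(netstat_output)})


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        print(f"port {f.port:>5}  {f.service:<16} {f.exposure:<18} -> {f.advice}")
```

Run it against `netstat -tln | python audit_listeners.py`-style piped input by swapping `SAMPLE_NETSTAT` for `sys.stdin.read()`; the loopback distinction matters because a local-only SMTP listener for cron mail is a very different risk from telnetd on 0.0.0.0.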