
7 Deadly Sins of Network Security

By: Absolute Team | 2/5/2009

Bill Brenner of CSO Online shares "The Seven Deadly Sins of Network Security", sins that he links to nearly all serious data breaches. As he puts it: "Companies that suffer serious security breaches have almost always committed one (or all) of 7 deadly security sins. Is your company guilty?"

Just as Absolute Software recommends a multi-layered security solution, Bill Brenner notes that any solid security defense plan is built on a multi-layered approach involving technology, policy and practice. Technology is only one of those layers, and it accounts for only some of the network security sins listed here:

  1. Not measuring risk - failing to identify and protect important information assets, and to do so within the parameters of business needs and requirements
  2. Thinking compliance equals security - regulations like HIPAA and PCI DSS are only a starting point for strong (and evolving) data security practices
  3. Overlooking the people - the 'people problem' is a common thread on this blog. People who access data and technology pose a large risk to it: losing laptops, falling for phishing attacks, downloading rogue software, etc.
  4. Too much access for too many - access should be limited to what each person actually needs, with the controls set both in policy and in the management technology that enforces it
  5. Lax patching procedures - the latest Verizon report shows that 90% of the known vulnerabilities exploited in hack attempts had patches available for at least six months before the breach
  6. Lax logging, monitoring - as with the first item, one must know what is going on in the network before one can secure it
  7. Spurning the K.I.S.S. - 'keep it simple, stupid' (or 'keep it simple for security') is often overlooked when security is approached without planning and 'solutions' are tacked on one after another.
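As an added illustration of the logging and monitoring point (this is not code from the CSO Online article or from Absolute Software), the following Python script runs two simple detection rules over a constructed sample of sshd-style authentication log lines: a burst of failed logins from one source address within a short window, and a successful login from an address that has already produced such a burst. The log lines, host name, addresses, thresholds and the assumed year (2009, since traditional syslog timestamps carry no year) are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd-style auth log lines (not real data).
# The addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Feb  5 10:01:12 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Feb  5 10:01:14 gw sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Feb  5 10:01:15 gw sshd[2205]: Failed password for root from 203.0.113.7 port 51131 ssh2
Feb  5 10:01:17 gw sshd[2207]: Failed password for root from 203.0.113.7 port 51140 ssh2
Feb  5 10:01:19 gw sshd[2209]: Failed password for root from 203.0.113.7 port 51142 ssh2
Feb  5 10:01:40 gw sshd[2211]: Accepted password for root from 203.0.113.7 port 51150 ssh2
Feb  5 10:05:02 gw sshd[2300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Feb  5 10:05:30 gw sshd[2302]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
Feb  5 11:30:00 gw sshd[2400]: Failed password for bob from 192.0.2.44 port 33001 ssh2
Feb  5 11:45:00 gw sshd[2401]: Failed password for bob from 192.0.2.44 port 33002 ssh2
Feb  5 11:46:00 gw cron[2500]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Matches the "Failed"/"Accepted" lines sshd writes; other syslog lines are skipped.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2009):
    """Parse one auth log line into a dict, or return None for lines we do not track.

    Traditional syslog timestamps carry no year, so the caller supplies one
    (2009, the year of this post, is the assumed default).
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
    return {
        "ts": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
        "result": m["result"],
        "method": m["method"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(lines, threshold=5, window_seconds=60):
    """Run two rules over the lines in order and return the alerts raised.

    brute_force:         at least `threshold` failed logins from one source
                         address within `window_seconds`.
    success_after_burst: an accepted login from a source that has already
                         triggered brute_force; this is the case that needs a
                         human to look at it, not just a ban.
    The thresholds are placeholders to be tuned to the environment.
    """
    recent_failures = defaultdict(deque)  # ip -> failure timestamps inside the window
    flagged = set()                        # ips that already raised brute_force
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent_failures[ip]
            q.append(ts)
            # Slide the window: drop failures older than window_seconds.
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "brute_force", "ip": ip,
                               "user": ev["user"], "ts": ts})
        elif ip in flagged:
            alerts.append({"rule": "success_after_burst", "ip": ip,
                           "user": ev["user"], "ts": ts})
    return alerts


def run_sample():
    """Run the rules over the constructed sample above."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts']:%Y-%m-%d %H:%M:%S} {a['rule']:20} ip={a['ip']} user={a['user']}")
```

On the sample, the rules raise two alerts, both for 203.0.113.7: a brute_force alert on the fifth failure and a success_after_burst alert when root then logs in from the same address. The single failure from 198.51.100.9 and the two failures fifteen minutes apart from 192.0.2.44 stay below the threshold, and the cron line is ignored because it does not match the pattern. The point of the second rule is the one the list item makes: without logs and a rule that reads them, the successful login after the burst looks like any other login.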

The article looks at the common issues that have turned these seven items into "sins" in network security terms. In the case of the first sin, for example, that includes a lack of understanding of business needs and requirements, which results in end users circumventing security controls and putting data at even greater risk. Continue reading it here.