No matter how much effort we put in, end users, and even the enterprise IT department, still ignore security lapses that could easily be corrected. This article discusses 10 avoidable security lapses and explains how to correct each one.
1: Using a weak password
There was a time when some people thought it clever to use "password" as their password, reasoning that hackers and other malicious parties trying to guess it would never expect something so obvious. Today most people realize how fragile that is, but plenty still choose simple, easy-to-guess passwords, especially in today's highly social, networked world. For example, someone will use their initials and birthday as a password; that information is easily obtained from Facebook or other channels, and a determined attacker needs to combine only a small amount of it to break the password. And even in companies with strong password policies, wherever there are people there will be weak passwords.
Solution: Do not build passwords from obvious patterns. Mix in various elements, for example an exclamation mark in place of the digit 1, or & in place of the digit 8. The more complex the password, the less likely it is to be cracked. If you are setting a password policy for an enterprise, require multiple character sets in every password.
2: Never changing the password
I've seen this far too often. Many people have not changed their passwords in years, and they use the same password on multiple sites. This is a very large security vulnerability. In the enterprise, even where a password-change policy exists, many employees still find ways to circumvent the mandatory policy. For example, my company once had an employee with domain administrator privileges who excluded his own account from the password policy. I criticized him harshly and made him put his account back under the policy (and afterwards I felt I really should have fired him, because he had abused his rights). Granted, that case may be unusual, but think about how many people use the same or nearly the same password to visit different sites. And when the time comes to change a password, how many people simply swap one character to satisfy the mandatory requirements of the password policy?
Solution: Train employees and users to understand how important a strong password is and why passwords must be changed regularly. As part of the password policy, you may also consider using third-party software that stops users from choosing a near-duplicate of their old password to satisfy the policy's mandatory requirements.
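The checks described in sections 1 and 2 can be automated. The script below is an added example, not code from the original article or from any particular password-policy product: it rejects passwords that lack enough character classes, that contain a common word even after letter-for-symbol swaps, that contain personal details an attacker could look up (initials, birthday), and that differ from the previous password by only a character or two. The function names, thresholds and sample values are assumptions made for the example.

```python
"""Password-policy check (added example; not code from the original article).

It enforces the article's two points: a password must mix several character
sets (section 1) and a "changed" password must not be a one-character edit of
the old one or be built from details an attacker can look up (section 2).
Function names, thresholds and the sample values are assumptions.
"""
import re
from typing import List, Optional, Sequence

# Character classes the policy expects to see mixed together.
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Common letter-for-symbol swaps, reversed so "P@ssw0rd" still reads as "password".
UNLEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "!": "i",
                        "3": "e", "4": "a", "5": "s", "7": "t"})

COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "admin"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a tiny distance means the user only tweaked a character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def evaluate_password(new: str, old: Optional[str] = None,
                      personal: Sequence[str] = (), min_length: int = 12,
                      min_classes: int = 3, min_distance: int = 4) -> List[str]:
    """Return the policy violations for `new`; an empty list means it passes."""
    problems: List[str] = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    present = sum(1 for rx in CLASSES.values() if rx.search(new))
    if present < min_classes:
        problems.append(f"uses {present} character classes, policy requires {min_classes}")
    lowered = new.lower()
    unleeted = lowered.translate(UNLEET)
    for word in sorted(COMMON_WORDS):
        if word in lowered or word in unleeted:
            problems.append(f"contains common word '{word}'")
    # Personal tokens (constructed by the caller): initials, birthday, pet name...
    for token in personal:
        t = token.lower()
        if len(t) >= 3 and (t in lowered or t in unleeted):
            problems.append(f"contains personal detail '{token}'")
    if old is not None:
        distance = levenshtein(lowered, old.lower())
        if distance < min_distance:
            problems.append(f"too similar to the previous password (edit distance {distance})")
    return problems


if __name__ == "__main__":
    # Constructed examples: initials "jds" plus a birthday, then a one-character rotation.
    print(evaluate_password("Jds19850412!!", personal=("jds", "19850412")))
    print(evaluate_password("Winter2024!x", old="Winter2024!y"))
    print(evaluate_password("Tr0ub4dor&3-Orbit!"))
```

The personal-detail list would come from the HR record or directory entry of the user changing the password; the edit-distance check only works if the previous password is available in plaintext at change time, which is why such checks are normally run inside the password-change hook rather than against stored hashes.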
3: Not installing antivirus software
This omission is entirely avoidable. If antivirus software is not installed in your working environment, you are simply wrong. Even with the best firewalls, keep the layered model of security barriers in mind: once the firewall fails to intercept malicious code, antivirus software becomes the last barrier on the endpoint.
Solution: Install antivirus software immediately.
4: Not using a firewall, or configuring it loosely
Firewall devices should be used both at home and in the enterprise IT environment. Although Windows and other operating systems now come with a built-in firewall, I still recommend buying a hardware firewall device or a similar appliance; a hardware firewall paired with the software firewall is the best security solution. In addition, if you are using a firewall, you need to configure it rigorously.
Solution: Deploy a hardware firewall device at home or in the enterprise environment. Ensure that the firewall does not allow unnecessary traffic to flow from the outside into the internal network.
5: Never patching the system
There are reasons why operating system and application developers regularly release patches. Although many upgrades or updates add new functionality, a great many updates exist purely to close security vulnerabilities in the system and its software. I've seen a lot of home computers where users turn off the system's Automatic Updates option. And in the enterprise environment, people often feel that because the network edge has a firewall, there is no need to install system patches. This is not correct, because a great deal of attack code passes through the firewall's protection into the enterprise intranet.
Solution: Patch the system! Turn on automatic updating of the system and its software, and immediately establish and implement a patch management strategy for the enterprise.
6: Unsafe data storage
How much sensitive data (personal information, company business data, and so on) is stored on your USB drive? Have you ever gone out carrying a USB stick holding sensitive information? I've seen a lot of people use a USB stick as a key chain and walk around with it. Sometimes the USB stick and the keys get left behind on a restaurant table.
And how many people still back up enterprise data to tape? Are those tapes taken away from the backup site, and is that process under your control?
Unprotected data is a major security issue. Something as simple as losing a USB stick, laptop, iPad, or backup tape can expose the business to huge financial, legal, and public-relations consequences.
Solution: Encrypt any data kept on removable storage. Most backup software supports encryption of backup data, and tools such as BitLocker and BitLocker To Go can be used to protect notebook devices and USB drives. For other devices, such as the iPad, consider using mobile security management software to encrypt the data stored on them.
7: Overly generous privileges
In an enterprise environment, permissions determine what a user can and cannot do. The easiest way to get employees working smoothly is to give them administrator privileges so they can access everything on the corporate network. But this approach soon leads to chaos. As a result, most companies grant permissions based on each employee's job role. Unfortunately, even with this strategy, privilege creep can occur: for example, an employee is transferred from one position to another and the permissions from the previous position are never removed.
Solution: Ensure that the enterprise applies an explicit rights management policy. The enterprise's rights management strategy and its implementation should be reviewed and adjusted periodically to match the enterprise's current needs. Permissions that are no longer needed should be removed promptly.
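The periodic review the solution calls for can be scripted. The following is an added example, not the article's or any product's own code: it compares the permissions each account actually holds with the permissions its current job role is entitled to, and reports the leftovers from a previous position, grants on accounts whose role is not defined in the role model, and grants on dormant accounts. The role model, the account records and the dormancy threshold are constructed sample data.

```python
"""Access review for privilege creep (added example, not the article's own code).

The article's fix is to grant permissions by job role and to remove, promptly,
whatever the current role does not justify. This script compares what each
account actually holds with what its role is supposed to hold. The role model,
account records and thresholds are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed role model: the permissions each position is entitled to.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "helpdesk": {"read_tickets", "reset_user_password"},
    "finance": {"read_ledger", "post_journal"},
    "domain_admin": {"read_tickets", "reset_user_password", "read_ledger",
                     "post_journal", "manage_domain"},
}

DORMANT_AFTER_DAYS = 90  # assumed threshold for "nobody has used this account"


@dataclass
class Account:
    user: str
    role: str
    granted: Set[str]
    last_login_days: int


def review_accounts(accounts: List[Account],
                    roles: Dict[str, Set[str]] = ROLE_PERMISSIONS,
                    dormant_after: int = DORMANT_AFTER_DAYS) -> Dict[str, List[Tuple[str, str]]]:
    """Return, per user, (permission, reason) pairs to revoke or re-approve."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for acct in accounts:
        items: List[Tuple[str, str]] = []
        entitled = roles.get(acct.role)
        if entitled is None:
            # A role nobody defined cannot justify anything: review every grant.
            items += [(p, f"role '{acct.role}' is not defined in the role model")
                      for p in sorted(acct.granted)]
        else:
            # Permissions left over from a previous position: the classic creep case.
            items += [(p, f"not granted by role '{acct.role}'")
                      for p in sorted(acct.granted - entitled)]
            # Even legitimate grants deserve a second look on an unused account.
            if acct.last_login_days > dormant_after:
                items += [(p, f"dormant account, {acct.last_login_days} days since last login")
                          for p in sorted(acct.granted & entitled)]
        if items:
            findings[acct.user] = items
    return findings


# Constructed sample: alice moved from helpdesk to finance and kept her old rights.
SAMPLE_ACCOUNTS = [
    Account("alice", "finance",
            {"read_ledger", "post_journal", "read_tickets", "reset_user_password"}, 3),
    Account("bob", "helpdesk", {"read_tickets", "reset_user_password"}, 1),
    Account("carol", "contractor", {"read_ledger"}, 12),
    Account("dave", "domain_admin", {"manage_domain", "read_ledger"}, 200),
]

if __name__ == "__main__":
    for user, items in review_accounts(SAMPLE_ACCOUNTS).items():
        for perm, reason in items:
            print(f"{user}: revoke or re-approve '{perm}' ({reason})")
```

In practice the account list would be exported from the directory (group membership, last-logon timestamp) and the role model maintained by HR together with IT; the point of the script is that the review compares against the current role, not against whatever was approved at some earlier date.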
8: Weak or no Wi-Fi security settings
Even though many people now know that open Wi-Fi networks are a big security risk, many homes and businesses still leave their wireless networks open and insecure. In addition, because WEP encryption was once so popular, many networks still use this encryption and authentication method, but it is very insecure; a WEP password can be cracked in as little as four seconds. Even so, it is safer than a fully open wireless network.
Solution: Use WPA or, better, WPA2 encryption and authentication. WPA2 is the current mainstream wireless security standard, and most operating systems support it. In addition, when adopting WPA2, set a strong enough password: it should not be easy to guess or easy to brute-force, otherwise even a good encryption standard is a sham. WPA2 encryption can also be cracked, but cracking WPA2 is far more difficult than cracking WEP or WPA.
9: Ignoring simple mobile device security measures
In the next few years, mobile devices will be a paradise for hackers. Many people carry mobile devices that store unencrypted personal information which a hacker can capture in a short time, and the devices themselves are easily stolen or lost. As I mentioned earlier, you should know what information is stored on your mobile device and remove or encrypt anything sensitive. But access to corporate networks and theft of information from mobile devices can still occur.
Solution: Simple as it is, it is essential to require a password to log on whenever a mobile device attempts to access the corporate network. While this measure cannot stop a mobile device from being used to steal corporate network data, it will deter those who merely happen upon a lost device.
10: Never checking backups
Let's assume a scenario in which all of the enterprise's security mechanisms fail: enterprise data and networks have been severely compromised and damaged, and the systems and data are no longer trustworthy. At this point, perhaps the only thing you can do is restore your entire environment from your backup data. However, if you run into any of the following situations, the damage to the enterprise is truly irreparable:
The backup data is corrupted.
The backup tapes are damaged.
Although the backup system writes to tape every night, no data is actually being backed up.
Any one of these situations is a fatal blow to the business.
Solution: Immediately develop and implement appropriate policies and procedures to check backup data regularly. In addition, consider adding a secondary backup system that backs up the backup data itself and stores it in a network-isolated environment, so that the backups are not destroyed when the corporate network suffers a hacker attack.
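A regular backup check means reading the backup copy back and comparing it with what the job claims to have written, rather than trusting the job's exit status. The script below is an added example, not code from the original article or from any backup product: it records a SHA-256 manifest at backup time, then verifies the backup by reading the copies (not the source) and reports each of the three failure modes listed above. The directory layout, manifest name and sample files are constructed for the example.

```python
"""Backup verification (added example; not from the original article).

A backup that is never tested can fail in the three ways the article lists:
corrupted data, damaged media (files missing) and a job that runs nightly
but writes nothing. This script takes a backup with a SHA-256 manifest and
verifies it by reading the backup copy back, not the source. The directory
layout, manifest name and sample files are constructed for the example.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST = "manifest.json"  # assumed name; real products keep their own catalogue


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_backup(source: Path, dest: Path) -> Dict[str, str]:
    """Copy every file under `source` into `dest` and record each file's hash."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest: Dict[str, str] = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(path, target)
        manifest[rel] = sha256_of(path)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dest: Path) -> List[str]:
    """Read the backup back and report anything that would make a restore fail."""
    findings: List[str] = []
    manifest_path = dest / MANIFEST
    if not manifest_path.exists():
        return ["manifest missing: backup job never wrote its catalogue"]
    manifest = json.loads(manifest_path.read_text())
    if not manifest:
        # The job "ran" but catalogued nothing: the article's third failure mode.
        findings.append("backup contains no files although the job completed")
    for rel, expected in manifest.items():
        copy = dest / rel
        if not copy.exists():
            findings.append(f"missing: {rel}")        # damaged / unreadable media
        elif sha256_of(copy) != expected:
            findings.append(f"corrupted: {rel}")      # silent data corruption
    return findings


def demo_scenarios() -> Dict[str, List[str]]:
    """Run the healthy case and the three failure modes in a scratch directory."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        (source / "db").mkdir(parents=True)
        (source / "db" / "ledger.dat").write_bytes(b"constructed ledger contents\n" * 100)
        (source / "notes.txt").write_text("constructed sample note\n")

        good = root / "backup_good"
        run_backup(source, good)
        results["healthy"] = verify_backup(good)

        corrupt = root / "backup_corrupt"
        run_backup(source, corrupt)
        with (corrupt / "db" / "ledger.dat").open("r+b") as f:
            f.seek(10)
            f.write(b"\x00\x00\x00")  # same size, different bytes: a bad block
        results["corrupted"] = verify_backup(corrupt)

        damaged = root / "backup_damaged"
        run_backup(source, damaged)
        (damaged / "notes.txt").unlink()  # an unreadable region of the media
        results["damaged_media"] = verify_backup(damaged)

        empty_source = root / "empty_source"
        empty_source.mkdir()
        empty = root / "backup_empty"
        run_backup(empty_source, empty)  # the job "succeeds" with nothing to copy
        results["no_data"] = verify_backup(empty)
    return results


if __name__ == "__main__":
    for name, findings in demo_scenarios().items():
        print(f"{name}: {findings or 'OK'}")
```

Note that the corruption scenario keeps the file size unchanged, so a check that only compares sizes or file counts would report success; comparing content hashes is what catches it. A full restore drill into a separate environment remains the only complete test, but a hash verification like this one can run unattended after every job.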