[ISN] 7 Ways Security Pros DON'T Practice What They Preach

From: InfoSec News <alerts_at_private>
Date: Wed, 23 Sep 2009 00:52:53 -0500 (CDT)
http://www.csoonline.com/article/502914/7_Ways_Security_Pros_DON_T_Practice_What_They_Preach

By Bill Brenner
Senior Editor
CSO 
September 22, 2009 

IT security pros are often driven to drink -- literally -- over the 
daily battles of their job: bosses unwilling to accept the rationale for 
some new security investment, employees who regularly infect their 
computers by doing things that have nothing to do with their jobs, and 
vendors who don't understand the company's needs. [The latter example is 
examined in 8 Dirty Secrets of the IT Security industry.]

But in a recent, unscientific and informal poll CSOonline conducted over 
such social networks as Twitter and LinkedIn, many IT security pros 
admitted they've often looked the enemy in the eye only to find 
themselves staring back in the mirror. Or, they've seen carelessness in 
well-meaning professionals who should know better.

Paul V de Souza, a former chief security engineer at AT&T and owner of 
the CYBER WARFARE Forum Initiative (CWFI), has seen many an example 
where IT security pros fail to practice what they preach. "I have 
noticed that many security professionals do not encrypt their hard 
drive," he said. "I also see a lack of two-factor authentication 
deployment. Many of us security professionals rely only on passwords."

Based on the poll and a list provided by Andy Willingham, former network 
security engineer at EBFC, information security engineer at MARTA and 
founder/owner of AndyITGuy Consulting, here are seven examples of how 
security pros cut corners:


1.) Using URL shortening services

URL shortening services have become immensely popular in recent years, 
especially among security pros who use such forums as Twitter to share 
content. The problem is that URL-shortening services are sometimes 
insecure and unstable. For examples, see New Spam Trick: Shortened URLs 
and 5 More Facebook, Twitter Scams to Avoid.

In the latter example, Graham Cluley, senior technology consultant with 
U.K.-based security firm Sophos, noted in a recent interview that some 
URL-shortening services have begun trying to filter out bad sites by 
checking URLs against known blacklists, but that the issue is far from 
resolved: despite increased efforts to block malicious links, Twitter 
and Facebook themselves have no filtering mechanism for bad shortened 
URLs.
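The practical defence behind the point above is to expand a shortened link and check where it actually lands before anyone clicks it. The following is an added example, not code from the article or from any shortening service: it resolves a short link one hop at a time with HEAD requests (never auto-following) and checks every hop against a denylist. The domains in DENYLIST and the sample chain are constructed for illustration.

```python
import urllib.error
from urllib.parse import urlsplit, urljoin
from urllib.request import Request, build_opener, HTTPRedirectHandler

# Constructed sample denylist; a real deployment would load a maintained feed.
DENYLIST = {"evil.example", "bad.test"}

class NoRedirect(HTTPRedirectHandler):
    """Make urllib stop at every 3xx so each hop can be inspected first."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def host_is_listed(url, denylist):
    """True if the URL's host, or any parent domain of it, is on the denylist."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return any(".".join(labels[i:]) in denylist for i in range(len(labels)))

def classify_chain(chain, denylist):
    """'blocked' if any hop in a redirect chain is denylisted, otherwise 'ok'."""
    return "blocked" if any(host_is_listed(u, denylist) for u in chain) else "ok"

def expand(short_url, max_hops=5):
    """Resolve a short link hop by hop with HEAD requests, never auto-following.
    Returns the list of URLs seen, starting with short_url."""
    opener = build_opener(NoRedirect)
    chain = [short_url]
    for _ in range(max_hops):
        try:
            opener.open(Request(chain[-1], method="HEAD"), timeout=5)
            break                      # non-3xx: final destination reached
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location") if 300 <= err.code < 400 else None
            if not location:
                break                  # 4xx/5xx, or a redirect without Location
            chain.append(urljoin(chain[-1], location))
    return chain

if __name__ == "__main__":
    # Offline demonstration on a constructed chain (no network needed):
    sample_chain = ["http://short.example/abc", "http://www.evil.example/login"]
    print(classify_chain(sample_chain, DENYLIST))   # blocked
    # With network access: classify_chain(expand("http://short.example/abc"), DENYLIST)
```

Because expansion stops at each 3xx, a link that bounces through several shorteners is inspected at every hop rather than only at its final landing page.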

[...]


Received on Tue Sep 22 2009 - 22:52:53 PDT