With all the worry about budgets and all the marketing hype over some of these fancy vendor security solutions, I still see so many simple/silly/stupid things related to IT that need to be fixed before a penny is ever spent or a single new technology is ever deployed. Things like:
–Network shares sharing out entire drives full of sensitive files – accessible by anyone with just a basic network login and no business need
–Firewalls with default configurations and no passwords
–VoIP phones sitting in unmonitored lobbies that can be unplugged and the Ethernet connection used instead for direct network access by strangers
–Smartphones without a trace of security enabled – not even a power-on password
–Laptops with supposedly “nothing of value” that end up having thousands of credit card, SSN, and related records and don’t have their hard drives encrypted
–Database servers without passwords, or with default passwords that are easily looked up
–Backups stored onsite in fireproof safes that aren’t rated for computer media
–Physical security CCTV and data center control systems without default passwords that anyone on the network can play with
–Operating systems running patch management software that are *still* missing critical patches that can be exploited using free tools and provide full admin access to the system without the attacker ever having to log in
–Web sites with spreadsheets containing Social Security numbers protected by really short and really easy-to-guess passwords
–Web apps with multi-factor authentication controls that are easily overridden, even disabled
Want to be in compliance with all the nasty regulations we’re up against? Want to save some good money by not having to purchase expensive products? If so, start fixing the obvious stuff first. You already have the tools and the means. It’s just a matter of doing it.
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”