With all the worry about budgets and all the marketing hype over some of these fancy vendor security solutions, I still see so many simple/silly/stupid things related to IT that need to be fixed before a penny is ever spent or a single new technology is ever deployed. Things like:
–Network shares sharing out entire drives full of sensitive files – accessible by anyone with just a basic network login and no business need
–Firewalls with default configurations and no passwords
–VoIP phones sitting in unmonitored lobbies that can be unplugged and the Ethernet connection used instead for direct network access by strangers
–Smartphones without a trace of security enabled – not even a power-on password
–Laptops with supposedly “nothing of value” that end up having thousands of credit card, SSN, and related records and don’t have their hard drives encrypted
–Database servers without passwords, or with default passwords that are easily looked up
–Backups stored onsite in fireproof safes that aren’t rated for computer media
–Physical security CCTV and data center control systems without default passwords that anyone on the network can play with
–Operating systems running patch management software that are *still* missing critical patches that can be exploited using free tools and provide full admin access to the system without the attacker ever having to log in
–Web sites with spreadsheets containing Social Security numbers protected by really short and really easy-to-guess passwords
–Web apps with multi-factor authentication controls that are easily overridden, even disabled
Want to be in compliance with all the nasty regulations we’re up against? Want to save some good money by not having to purchase expensive products? If so, start fixing the obvious stuff first. You already have the tools and the means. It’s just a matter of doing it.