Kevin Beaver's Security Blog

The 21 Best Ways to Lose Your Information, revisited

With all the crazy incidents and breaches brought about by so many unfortunate “glitches” combined with how I continually harp on the importance of mastering the information security basics, I thought it’d be appropriate to re-post the content of an article I wrote for Computerworld back in 2002…

This piece was the second article I ever wrote. Little did I know that, nearly two decades later, every single one of these 21 items would still apply this very day! In fact, it’s usually one or more of these very weaknesses that lead to virtually all security incidents and breaches happening right now. Still, people choose to chase down the latest and greatest security technologies, get distracted by “hunting” threats, and waste time on fine-tuning their security documentation. What will it take to see meaningful improvements!?

Information security is never as difficult as many make it out to be (often in the process of selling more stuff or looking busy to justify a job function). Let this serve as a set of best practices of what not to do in IT. Focus on and master these areas alone and you’ll be waaaaaay ahead of the pack and not nearly as big – or as easy – a target as everyone else.

Have you ever wondered what the best ways are to get hacked, be adversely affected by disasters, or otherwise lose information stored on your computer systems? Here, in no particular order, are the 21 best ways to not secure your systems:

1. Don’t pay attention to or even bother to understand what you’re trying to protect.
2. Leave your databases, especially those containing credit card or other confidential information, unencrypted. And be sure to store them on publicly accessible servers.
3. Don’t patch your software or update your virus signatures, and never, ever run vulnerability assessments to detect newly discovered software flaws and system misconfigurations. It’s just too time-consuming.
4. When an employee quits or is let go, leave his network ID and e-mail account enabled. You never know when he might want to check back in on things.
5. Don’t create any security policies and procedures that document what and how you’re safeguarding your information to protect your organization and clients from information disasters and legal liabilities.
6. If you do happen to have security policies, never refer to them, enforce them, update them, or do what they say.
7. Completely outsource your information security initiatives. There’s no need for anyone inside your organization to worry about such matters.
8. By all means, don’t take an inventory of your information systems or document your network.
9. Apply the principle of greatest privilege. Give all users the greatest amount of access to your information systems. Everyone should have access to everything — it’s only fair, right?
10. Rely solely on technology. Firewalls, encryption, and antivirus software are all you need to protect your information.
11. Run your business without business continuity and security incident response plans. After all, you can think clearly and make critical decisions under pressure, right?
12. Don’t monitor your systems. They’ll be fine running by themselves, and if anything major happens with the integrity or availability of your information, you’ll be notified automatically, won’t you?
13. Don’t back up your data, but if you must, don’t test your backups. Also, leave your backup media on-site – preferably sitting on top of an uninterruptible power supply or computer monitor so their electromagnetic emissions can “massage” the data to keep it fresh and secure.
14. Leave your operating systems and software applications with the default settings. System hardening is for the birds.
15. Respond to hacker attacks, viruses, and other intrusions as they happen – don’t be proactive in dealing with them.
16. Use passwords that consist of your pet’s name, your name, your mom’s maiden name, or your birthday. That way, you won’t forget them. Better yet, just use “password” for your passwords. Also, don’t forget to write them down and post them on your monitor or keyboard.
17. Don’t subscribe to security bulletins and mailing lists, and never ever read information security trade magazines.
18. Leave your servers and network equipment in a room to which everyone, including outsiders off the street, has access.
19. Don’t train your users on your security policies and what to look out for, such as unsolicited email attachments and common hacker activities. Your users can’t be burdened with more training.
20. Ignore all known best practices and international information security standards from the International Standards Organization, Internet Engineering Task Force, SANS Institute and your local information security consultant, to name a few.

And finally…

21. Don’t, under any circumstances, get upper management involved in information security initiatives. They’re business-focused and shouldn’t be bothered or even care about technology or the liabilities associated with their information, right?

If you follow these practices, you’ll ensure that your computer systems will be a safe haven for hackers, viruses, disgruntled employees and the like. You’ll be able to go to work every day with a feeling of excitement knowing that there’s a good chance your company’s data will be gone when you get there. It’s only a matter of time – and yes, it’s really this easy.

The 21 Best Ways to Lose Your Information – originally published at https://www.computerworld.com/article/2587274/the-21-best-ways-to-lose-your-information.html – Copyright © 2002 IDG Communications, Inc.