10 Stupid Moves That Threaten Your Company's Security - InformationWeek

SunitaT0, User Rank: Ninja, 1/26/2016 | 2:10:04 PM
Re: Backup
@Joe: Encryption systems can be bought. Technologies that use multiple and multilevel security keys are more sought after but are costly. Moreover, these encryption systems can only work on some domains and not all, so if some readily bought system currently hasn't been applied thoroughly on a backup system, it probably cannot be.
SunitaT0, User Rank: Ninja, 1/26/2016 | 2:06:49 PM
Re: Even Password Management tools can cause problems.
@Joe: Most companies now have various degrees of security. Not just employee verification through biometrics, but also tracking how and when they use a particular company resource, which is in the form of information.
SunitaT0, User Rank: Ninja, 1/26/2016 | 1:58:19 PM
Re: Even Password Management tools can cause problems.
@TerryB: But what if it indeed is someone from your help desk? My manager had a "code" that would be propagated and changed every week that could be said over the phone to identify who is who. Too bad that didn't work out.
TerryB, User Rank: Ninja, 1/26/2016 | 1:39:12 PM
Re: Even Password Management tools can cause problems.
@Joe, don't be giving away my system! :-)  Seriously, that is the only thing that works and is manageable. Our email/Active Directory remembers the last 32 password changes, requires a number and either a capital or special char, and must be 8 chars long. So I cycle a base password from 1 to 32 and then reuse again. What else are you going to do?

Now, even using a system of appending a number to a base word, it is still somewhat secure when combined with disabling the AD account after 5 or 6 guesses. It is a pain in the rear managing that for all users, but I get it; it renders brute force impossible.

Spear phishing renders password complexity a moot point. It doesn't matter how complex it is if you willingly give it up to someone you think is from your "help desk". That's where training comes in and can work.

Then you're only stuck with "you can't fix stupid", people who are so clueless they can't be taught.

I am also a believer in two-factor as the ultimate solution. What you know and what you have, however you want to implement that. Only pure stupidity defeats that.
Joe Stanganelli, User Rank: Author, 1/26/2016 | 11:26:29 AM
Re: Even Password Management tools can cause problems.
It is axiomatic that if your security interferes too much with your accessibility (i.e., your ability to "just make it work"), then your users/employees will resent your security measures and try to undermine it and find ways around it.

Good security isn't just having a big lock.  It's also having a lock that people WANT to use and WILL use.  The lock does no good if it's so burdensome to use that people would rather just leave it unused and collecting dust.

Case in point: Policies that make you change your password every three months (if not more frequently).  This is how you get passwords like "mypassword1" "mypassword2" "mypassword3" and so on.
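TerryB's post above (32-entry history, number plus capital or special character, 8-character minimum, "base password from 1 to 32") and Joe's "mypassword1", "mypassword2" observation describe the same gap: a history check that compares only stored hashes cannot see that the new password is the old one plus one. The following is an added example, not code from this thread or from InformationWeek: it models that policy, shows the counter-rotation passing it, and adds a similarity check against the old password (available in plaintext only at change time, which is the idea behind pam_pwquality's difok). The edit-distance threshold, the PBKDF2 iteration count and the sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import re
import secrets

# Added example, not code from the thread. Models the policy TerryB describes
# (8+ chars, a digit, an uppercase or special character, 32-entry history),
# shows why "base word + counter" rotation sails through it, and adds a
# similarity check against the old password. MIN_EDIT_DISTANCE, the KDF
# iteration count and the sample passwords are constructed assumptions.

MIN_LEN = 8
HISTORY_DEPTH = 32
MIN_EDIT_DISTANCE = 4      # assumption: tune for your environment
KDF_ITERATIONS = 10_000    # kept low for the demo; use your KDF's real setting


def meets_complexity(pw):
    """Length >= 8, at least one digit, and an uppercase or a special char."""
    has_digit = re.search(r"\d", pw) is not None
    has_upper_or_special = re.search(r"[A-Z]|[^A-Za-z0-9]", pw) is not None
    return len(pw) >= MIN_LEN and has_digit and has_upper_or_special


def levenshtein(a, b):
    """Edit distance between two strings ("Mypassword1" vs "Mypassword2" is 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class PasswordPolicy:
    """Stores only salted hashes of past passwords. The old plaintext is known
    only at change time, which is the only moment similarity can be checked."""

    def __init__(self, similarity_check):
        self.similarity_check = similarity_check
        self.salt = secrets.token_bytes(16)   # one per-user salt, for brevity
        self.history = []                     # hashes, oldest first

    def _hash(self, pw):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, KDF_ITERATIONS)

    def set_initial(self, pw):
        self.history = [self._hash(pw)]

    def change(self, old, new):
        """Return 'ok', or the reason the change was refused."""
        if not hmac.compare_digest(self._hash(old), self.history[-1]):
            return "old password wrong"
        if not meets_complexity(new):
            return "complexity"
        new_hash = self._hash(new)
        if any(hmac.compare_digest(new_hash, h) for h in self.history):
            return "reused"
        if self.similarity_check and levenshtein(old, new) < MIN_EDIT_DISTANCE:
            return "too similar to old"
        self.history.append(new_hash)
        del self.history[:-HISTORY_DEPTH]    # forget everything older than 32
        return "ok"


def rotate(similarity_check, rounds=3):
    """Attempt the 'Mypassword2', 'Mypassword3', ... cycle from the posts
    (constructed sample) and return each attempt's verdict."""
    policy = PasswordPolicy(similarity_check)
    policy.set_initial("Mypassword1")
    current, verdicts = "Mypassword1", []
    for n in range(2, 2 + rounds):
        candidate = f"Mypassword{n}"
        verdict = policy.change(current, candidate)
        verdicts.append(verdict)
        if verdict == "ok":
            current = candidate
    return verdicts


def reuse_after_cycle(cycle_len):
    """Cycle through Mypassword1..Mypassword<cycle_len> under the hash-only
    policy, then try to return to Mypassword1."""
    policy = PasswordPolicy(similarity_check=False)
    policy.set_initial("Mypassword1")
    current = "Mypassword1"
    for n in range(2, cycle_len + 1):
        candidate = f"Mypassword{n}"
        if policy.change(current, candidate) != "ok":
            raise RuntimeError("unexpected refusal during cycle")
        current = candidate
    return policy.change(current, "Mypassword1")


if __name__ == "__main__":
    print("hash-only history:", rotate(False))
    print("with similarity check:", rotate(True))
    print("back to #1 after 32:", reuse_after_cycle(32))
    print("back to #1 after 33:", reuse_after_cycle(33))
```

With the hash-only history every counter increment is accepted, and the first password becomes reusable as soon as 32 newer entries have pushed it out; with the similarity check the very first "Mypassword2" is refused. The similarity check can only compare against the password the user just typed, since older entries exist only as hashes, so it complements rather than replaces the history.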
Joe Stanganelli, User Rank: Author, 1/26/2016 | 11:23:38 AM
Backup
Another issue with lazy encryption is failing to encrypt backup systems.  This was one of the big facepalms from the Adobe hack of a couple of years ago, when the operational systems were properly encrypted but the backup systems were not.
MarkA187, User Rank: Apprentice, 1/26/2016 | 10:22:55 AM
I'd love to share this with the organization but it's too snarky
Calling employees clueless boneheads doesn't help get the message out to the organization. I'd love to share this information, but it's an immediate turn-off to employees and has the exact opposite effect.
Ashu001, User Rank: Ninja, 1/26/2016 | 9:26:19 AM
Re: Even Password Management tools can cause problems.
Broadway,

Frankly speaking, there is a limit to how much you can train employees today (yes, it's true).

I would rather provide them with better and easier-to-use tools which achieve the job, which is providing users with better security protections.

They are all like, "Show me something simple and easy and I will do it."

"I don't want to think about how it works. Just make it work and work securely for me!"

In such a scenario, multi-factor authentication tools work better than simple tools to meet the genuine authentication needs of enterprise users today.
Broadway0474, User Rank: Ninja, 1/26/2016 | 8:43:59 AM
Re: Even Password Management tools can cause problems.
Right, Ashu. I think it's time we stop blaming the employees and focus on better tech and better training. If so many companies are training employees about cyber risk, and if it worked, you would be seeing the results. In other words, the training is not working.
Ashu001, User Rank: Ninja, 1/26/2016 | 5:38:47 AM
How do government agency diktats play out in the whole debate over encryption?
I was recently reading/reviewing more details on the debate currently on between the FBI (which is batting for encryption with government-approved backdoors) and, ironically, the NSA, which is currently batting for strong encryption: theintercept.com/2016/01/21/nsa-chief-stakes-out-pro-encryption-position-in-contrast-to-fbi

Given the well-known past history of the NSA and especially their track record:

theintercept.com/2016/01/04/a-redaction-re-visited-nsa-targeted-the-two-leading-encryption-chips &
theintercept.com/2015/12/23/juniper-firewalls-successfully-targeted-by-nsa-and-gchq &
theintercept.com/2015/11/28/snowden-effect-in-action-nsa-authority-to-collect-bulk-phone-metadata-expires &
theintercept.com/2015/12/30/spying-on-congress-and-israel-nsa-cheerleaders-discover-value-of-privacy-only-when-their-own-is-violated

I found it hard to take anything the NSA says at face value. Still, it was interesting to note that various government agencies are not always on the same page here.

I for one won't trust anything any of these government goons tell us at face value!