Large enterprises and small companies have one thing in common when it comes to IT – vulnerable computer networks. Tests were applied to both small and large corporate networks using criteria based on industry best practices from CISCO Networks, the US National Security Agency and Payment Card Industry Data Security Standard (PCI DSS). They all failed with most of them failing a majority of the tests. As a result of not following basic configuration steps and best practices these networks were vulnerable and open to intrusion. Following is a short list made up of the most common errors.
If you are a small business owner and whether you have in-house IT staff or outsource, ask them about these five common mistakes. What’s really critical is that you ask them for proof that best practices are being followed. A penetration test and survey from a third party IT firm is not a bad idea either. Since they don’t know what they are looking at, they’re more likely to find vulnerabilities in systems that your own staff have overlooked.
1. Not changing the default passwords on all network devices.
It’s hard to believe that this happens but it does. A server, switch, router or network appliance with the default password – usually “password” or “admin” – still enabled usually happens when installation is performed by DIY users or unskilled IT techs but it also happens to pros. Why? Lack of familiarity with the equipment or lack of an installation checklist being in place or being followed. Things like, “I don’t have time to set it right now, so I’ll do it later”, but it never gets done since a lot of networks are a ‘set and forget’ project. More than half of all the records that were compromised last year were the result of using a default password on a network device, according to a Verizon Business study.
2. Sharing a password across multiple network devices.
For convenience sake, people often use the same password across multiple servers, and several people know the password. It might be a good password but once it’s shared among several systems, these systems are all at risk. You need a process to make sure that server passwords are not shared among multiple systems, are changed regularly, not shared beyond those people who require direct access and are kept secure. If the password is discovered by a hacker, the hacker can get into many servers and cause more damage.
3. Misconfiguration of your access control lists.
Segmenting your network using access control lists is the simplest way to make sure that systems communicate only with the systems that they should. Having properly configured access control lists would have protected 66 per cent of the records that were compromised last year, according to the Verizon report.
4. Allowing non-secure remote access and management software.
One of the most popular ways for hackers to get into your network is to use a remote access and management software package, such as PCAnywhere, Virtual Network Computing (VNC) or Secure Shell (SSH). Often, these software applications are lacking the most basic security measures, such as good passwords. This problem accounted for 27 per cent of the compromised records in the Verizon Business report
5. Not adequately protecting your servers from malware.
Most malware is installed by a remote attacker and is used to capture data. Typically, malware is customized, so it can’t be discovered by antivirus software. Lock down servers so that no new applications can run on them. Malware on servers accounts for 38 per cent of all security breaches, Verizon Business says.
If you accept credit cards as payment for products or services, here is a bonus mistake.
6. Not following the Payment Card Industry Data Security Standards.
Dubbed PCI DSS, this set of 12 controls for protecting cardholder information work but most companies don’t even try to meet the strict but basic PCI standards. Even though 98 per cent of all compromised records involve payment card data, only 19 per cent of organizations with security breaches followed the PCI standards, according to the Verizon Business report.
Strategic Online Marketing
Corporate Computer and Network Specialists