Sometimes it’s fun to look at the various ways we’ve seen people think they are helping improve the security of their organization when, in fact, they are making things far worse. Some are funny, some are tragic, and some are just plain dumb. So, just for a little light-hearted laugh on this Friday morning, here’s what I think are the Top 10 Dumbest Ways to Improve Security.
- Don’t do it at all – My son just came in and read what I was writing and laughed. As he walked out of the room, he says to me “#1 way would be to not do it at all”. He’s 13 but, god, he got it spot on because I can’t tell you how many times I’ve seen absolutely no security put into place. From the mouth of babes!
- Patching poorly written code – We all know of projects where custom code has been written. And, at the end, well-meaning PMs will arrange for a Vulnerability Scan on the end result, after it’s been installed. But the code is soooo buggy that so many patches have to be written. Sometimes, it’s just better to start from scratch all over again.
- Using Code off the Internet – Sometimes the code isn’t written by your Programmers. Sometimes they are too lazy to write the code themselves, so they download it from some open source site and NEVER CHECK IT.
- Hacking is Cool! – Everyone wants to be a hacker. Seriously! They think they see an issue in their company’s environment and they are determined to show the hole. So they download some hacking software and attempt to exploit the hole. The end result is that they’ve often actually downloaded a piece of software that has malware built into it or, worse, they manage to bring down the environment they were trying to show was a problem. Well-meaning but dumb!
- Action is better than Inaction – Sometimes, well-meaning security people sooo want to improve their security that they start implementing technologies for the sake of implementing technologies. What ends up happening is that the technology is barely implemented, only 20% of its capabilities are used, and you’ve just spent tens of thousands of dollars on a technology that isn’t going to do anything anyway.
- Security through Obscurity – Really? You thought no one would find out? In this day and age of automated tools, someone out there is just going to run a bot to discover potential targets and then focus on them. So don’t assume that no one will find you.
- Using a Firewall with an Any/Any Rule – Okay, in all seriousness, I had a client once that had put in a front-end firewall. But there was a project team that was having problems putting a solution in place for communication with an external client. So they just put in an Any/Any Rule and the solution worked. But so much for that company’s security.
- Going into Production before Securing – How many times have we seen a project rushed into production? They cut corners and then say they will put in security once the project is working. Then they wonder why there’s an intrusion. Well, duh!!!
- Hard Coded Passwords – *Sigh* Okay, after all these years, Programmers STILL put hard coded passwords into their code or scripts. I mean, really?!?
- Making the Test/Dev Environment Open to the Internet – Okay, the proper way to build a solution is to first have a Test/Dev environment and figure out how the components are going to work. But if the solution is going to be externally facing, it’s kinda important to make sure the environment can’t be used as a launching point into the company. But do you know how many times I’ve seen a Test/Dev environment that hasn’t been secured?
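On the hard-coded passwords item, the cheapest fix is to catch them before they ship. Here is a small checker I’ve added as an example (not from the original post): it scans a script for credential-looking variables assigned a literal string, skips comments and obvious placeholders such as `${VAR}` or `<your-password>`, and reports the rest. The sample script and its values are constructed for this example.

```python
import re

# Variable names that usually carry a credential (matched case-insensitively).
SECRET_NAME = r"(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)"

# A credential-looking name assigned a quoted literal, in shell or Python/YAML style:
#   export DB_PASSWORD='...'   smtp_password = "..."   admin_pwd: "..."
ASSIGN_RE = re.compile(
    rf"(?i)\b(?P<name>\w*{SECRET_NAME}\w*)\s*[:=]\s*(?P<q>['\"])(?P<value>[^'\"]{{4,}})(?P=q)"
)

# Values that are templates or placeholders rather than real secrets:
# ${VAR} / $VAR, %VAR%, <describe-me>, changeme, xxxx, ****
PLACEHOLDER_RE = re.compile(r"(?i)^(?:\$\{?\w+\}?|%\w+%|<[^>]+>|changeme|x{3,}|\*+)$")


def find_hardcoded_secrets(source: str):
    """Return a list of (line_no, name, value) for literal credentials in a script."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith("#"):   # commented-out lines are not live config
            continue
        m = ASSIGN_RE.search(line)
        if m and not PLACEHOLDER_RE.match(m.group("value")):
            findings.append((line_no, m.group("name"), m.group("value")))
    return findings


# Constructed sample script: two real hard-coded secrets, two acceptable references.
SAMPLE_SCRIPT = """\
#!/bin/sh
# backup.sh - nightly database dump (constructed sample for this example)
DB_HOST=db.internal
export DB_PASSWORD='Summ3r2024!'
API_KEY="${VAULT_API_KEY}"
# password = "retired-value"
smtp_password = "hunter2"
admin_pwd: "<your-password>"
mysqldump -u backup -p"$DB_PASSWORD" shop > /tmp/shop.sql
"""

if __name__ == "__main__":
    for line_no, name, value in find_hardcoded_secrets(SAMPLE_SCRIPT):
        print(f"line {line_no}: {name} is assigned a literal ({len(value)} chars)")
```

Run it as a pre-commit hook or in CI and fail the build on any finding; the two hits above are the `DB_PASSWORD` and `smtp_password` lines, while the vault reference and the placeholder pass.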
How about you? What are some of the dumbest things you’ve seen implemented with regards to Cyber Security? Bet there are some really funny, “palm to face” stories out there.
Hope this helps …