IT Security: Do As IT Say, Not as IT Do

No matter how sophisticated the technology, the proverbial “man in the middle” is still often the weakest link when it comes to security.
Below are sobering points about the importance of remembering the fundamentals: wash your hands, say you’re sorry, and change your password.
By Caron Carlson in FierceCIO and original article by Nathan Eddy in eWeek.
Emphasis in red added by me.
Brian Wood, VP Marketing
———

IT security pros: Odds of secure network are slim to none

More than 70 percent of IT security pros wouldn’t bet $100 that their companies will elude a data breach over the next six months, according to a new survey. (And that illustrates why this pack likes to gather in Las Vegas.) They understand the odds, and to them, there’s no escaping the reality that end users make their organizations vulnerable by ignoring security rules, reports Nathan Eddy at eWeek.
IT isn’t let off the hook in this survey, however. Many IT groups don’t change default passwords when implementing a new system, and nearly a third of the respondents said their organizations have no policy for changing them, the study found.
Most default passwords are publicly known and easily found online, meaning anyone with malicious intent can use these default credentials to gain anonymous access to systems and applications throughout the enterprise,” said Philip Lieberman, president and CEO of Lieberman Software.
Sounds to me like a case of the preachers not practicing what they preach. If we could understand why IT security pros don’t follow a simple best practice like changing default passwords on new systems, we could probably understand why end users ignore security rules too. Hmmm. I confess that I don’t always change passwords as recommended because it always seems like I have something more pressing to do. And here I don’t even work in IT.
http://www.fiercecio.com/story/it-security-pros-odds-secure-network-are-slim-none/2013-04-24
————

IT Professionals Say Employees Ignore Security Rules

There are best practices for securing access to critical systems and data that many organizations tend to ignore, the survey found.
The vast majority (81.4 percent) of IT security staff think that employees tend to ignore the rules that IT departments put in place, and more than half (52.2 percent) of the same respondents said they believe that employees would not listen more even if IT directives came from executive management, rather than IT, according to a survey by identity management and security management specialist Lieberman Software.
The survey, which was carried out in February at RSA Conference 2013, measured the attitudes of nearly 250 IT security professionals and the way their organizations manage cyber-security. Nearly 50 percent of the respondents work in organizations with more than 1,000 people.
More than 70 percent of IT security professionals would not be willing to bet $100 of their own money that their companies will not suffer a data breach in the next six months.
“These figures highlight the fact that IT security professionals realize that most organizations are woefully unprotected against cyber-attacks. While vendors of conventional security products—like firewalls and antivirus—are constantly updating their tools to reactively protect against the latest threats, hackers are looking for flaws and engineering new attacks to exploit them,” Philip Lieberman, president and CEO of Lieberman Software, said in a statement.
The reality is that 100 percent protection is nearly impossible to achieve, but there are still best practices for securing access to critical systems and data that many organizations tend to ignore.”
Just over three-quarters (75.8 percent) of IT personnel said they think that employees in their organization have access to information that they don’t necessarily need to perform their jobs, and while 38.3 percent of IT security personnel have witnessed a colleague access company information that he or she should not have access to, more than half (54.7 percent) of those respondents did not report their colleagues who accessed that information.
“This survey revealed the unfortunate fact that so many IT groups are still not changing default passwords when deploying new systems. This should be a standard practice. Default privileged passwords are, in a sense, hidden backdoors onto systems that are deployed on a network,” Lieberman said. “Most default passwords are publicly known and easily found online, meaning anyone with malicious intent can use these default credentials to gain anonymous access to systems and applications throughout the enterprise.”
The survey also found 32.3 percent of IT security professionals work in organizations that do not have a policy to change default passwords when deploying new hardware, applications and network appliances to the network. Overall, 64.7 percent of respondents said they think that they have more access to sensitive information than colleagues in other departments. “IT departments that do not have a solution in place to automatically detect, flag and change default privileged passwords on newly deployed systems are neglecting a very common security hole,” Lieberman concluded.
http://www.eweek.com/small-business/it-professionals-say-employees-ignore-security-rules/