Mistakes made by common/end users
* Opening or downloading e-mail attachments without verifying their source and checking their content first.
* Not installing anti-virus software, or not updating it regularly.
* Not applying current security patches to the operating system or to any other application installed on the computer.
* Installing programs or games from unknown sources.
* Not keeping proper backups.
* Using an unsecured modem while also connected to a local area network.
* Using USB or other removable devices without proper virus scanning.
* Accessing the intranet or visiting important or secured websites from an unsecured computer at a remote location, e.g. a cyber café.
* Sharing passwords or important network information with friends or strangers on a very informal platform.
Mistakes made by business owners / senior executives
* Hiring people without a proper background check on them.
* Assigning people with limited knowledge to maintain information assets.
* Providing neither the training nor the time needed to learn and do the job.
* Lack of IT domain understanding among top executives, resulting in a very casual approach towards IT security.
* Failing to realize the impact of a security breach in terms of money, time and, moreover, the reputation at risk.
Mistakes made by the information security department/team
* Underestimating the capability of others, namely hackers.
* Implementing solutions without investigating their known security threats or bugs.
* Limited or no security audits.
* Allowing easy physical access to information assets for end users or strangers.
* Improper logging or backup of data, leaving no footprint record in case of a security breach.
* Failing to update systems against newly found bugs/viruses.
* Concentrating on very few selected issues, rather than taking all of them seriously.
* Having a reactive rather than a proactive approach.
* Making a few fixes and then not performing the necessary action to ensure the problems stay fixed.
* Putting servers into live/production use before securing them.
* Connecting servers to the Internet with default accounts/passwords, or with the passwords provided by vendors during installation/implementation.
* Failing to update systems when security holes are found.
* Using telnet and other unencrypted protocols for managing systems, routers, firewalls, and PKI.
* Giving users passwords or configuration information over the phone.
* Failing to maintain and test backups.
* Running unnecessary services on the live server and keeping unnecessary ports open to users.
* Implementing firewalls with faulty rules.
* Failing to educate users on what to look for and what to do when they see a potential security problem.
* Giving users too much information or an overly complex access system: providing users with too many usernames and passwords makes them difficult to manage.
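Several of the team-level mistakes above (cleartext management protocols such as telnet, vendor default accounts on Internet-connected servers, unnecessary services and ports, and going live before hardening) can be caught by a routine review of the server inventory before a box is put into production. The following script is an added example, not code from the original post; the inventory, the per-role allowlist and the table of "vendor default" credentials are all constructed for illustration and are not real product data.

```python
"""Pre-production inventory audit (added example, not from the original post).

Flags, per host: cleartext management protocols, constructed vendor-default
credentials, and services that are not on the approved list for the host's role.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Protocols that carry credentials or commands in the clear; managing
# systems over these is the "telnet and other unencrypted protocols" mistake.
CLEARTEXT_MGMT = {"telnet", "ftp", "http", "rsh", "snmpv1", "snmpv2c"}

# Constructed, illustrative "vendor default" account/password pairs.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}

# Constructed per-role allowlist: any other listening service is "unnecessary".
ROLE_ALLOWLIST = {
    "web": {"https", "ssh"},
    "db": {"postgres", "ssh"},
}


@dataclass
class Service:
    name: str
    port: int
    account: str = ""   # configured management account, if any
    password: str = ""  # configured password, if any


@dataclass
class Host:
    hostname: str
    role: str
    internet_facing: bool
    services: list[Service] = field(default_factory=list)


def audit_host(host: Host) -> list[str]:
    """Return one finding string per problem found on the host."""
    findings: list[str] = []
    allowed = ROLE_ALLOWLIST.get(host.role, set())
    exposure = "Internet-facing" if host.internet_facing else "internal"
    for svc in host.services:
        if svc.name in CLEARTEXT_MGMT:
            findings.append(f"{host.hostname}: {svc.name}/{svc.port} is a cleartext protocol")
        if (svc.account, svc.password) in DEFAULT_CREDENTIALS:
            findings.append(
                f"{host.hostname}: {svc.name}/{svc.port} uses a vendor default account ({exposure})"
            )
        if svc.name not in allowed:
            findings.append(
                f"{host.hostname}: {svc.name}/{svc.port} is not allowed for role '{host.role}'"
            )
    return findings


def audit_inventory(hosts: list[Host]) -> dict[str, list[str]]:
    """Audit every host and key the findings by hostname."""
    return {h.hostname: audit_host(h) for h in hosts}


def ready_for_production(host: Host) -> bool:
    """A host may go live only when the audit returns no findings."""
    return not audit_host(host)


# Constructed sample inventory (hostnames and services are made up).
SAMPLE_INVENTORY = [
    Host("web01", "web", internet_facing=True, services=[
        Service("https", 443),
        Service("ssh", 22),
        Service("telnet", 23, account="admin", password="admin"),
    ]),
    Host("db01", "db", internet_facing=False, services=[
        Service("postgres", 5432),
        Service("ssh", 22),
        Service("ftp", 21),
    ]),
]

if __name__ == "__main__":
    for hostname, findings in audit_inventory(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else "NOT READY"
        print(f"{hostname}: {status}")
        for f in findings:
            print("  -", f)
```

Run as a script it prints each host's readiness and the reasons it fails; the point is that the checks are mechanical enough to run on every change, so the "make a fix and then forget it" failure mode is caught the next time the audit runs rather than at the next breach.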
Mistakes made by law enforcement / regulatory authorities
* A reactive approach rather than a proactive approach.
* Lack of knowledge / information about cyber crime and its effects.
* Judicial system: little or no domain knowledge of information security.
* Lack of infrastructure support and training to handle cyber crime.
* Lack of co-ordination between Internet service providers and law enforcement agencies.
* Little control over internet usage and the internet community at large.