The other day I was thinking about how I miss David Letterman’s “Stupid Human” and “Stupid Pet Tricks” segments.
Then I got to thinking about some of the bad security habits I continue to run into at IT shops. It occurred to me that humans don’t restrict their stupid tricks to entertaining each other. We employ them in nearly every aspect of our lives.
So – you guessed it – I started my own list of “Stupid IT Security Tricks.”
Why stupid? Well… some of these little tricks set you up to never know that data confidentiality or integrity has been breached… until it has caused serious damage to your organization.
Some mean that you won’t know if an advanced persistent threat existed on your system – unless, of course, it eventually was used to steal the business blind, or bring the electric grid down, or prevent a water treatment system from actually treating the water. Think: the rash of persistent hacking successes by the Chinese lately.
Others set you up to be totally unaware if someone is using your system to attack other systems internally or on the internet. And still others prevent you from determining who did what on your system.
Now for the list. Drum roll please……
- Not forcing password changes.
- PUBLIC authority *USE, *CHANGE or *ALL for all data.
- PUBLIC authority *USE, *CHANGE or *ALL for all programs.
- Fixing authority failures by granting *ALLOBJ to the user profile encountering the error.
- Fixing authority failures by granting PUBLIC *ALL to objects which have authority failures.
- FTP not limited to specific libraries/directories.
- Guest user allowed for NetServer.
- NetServer root “/” share instead of sharing specific subdirectories.
- REXEC server started by default.
- Sharing QSECOFR user profile among multiple people.
- Using SSO but not setting user profiles to password *NONE wherever possible.
- Programmer access to production system 24X7X12 instead of only when needed.
- No auditing turned on.
- Audit journal not used for debugging authority failures.
- No documentation for security configuration.
- Not checking if the system is configured as documented.
- “/” directory authorities set to “rwx” (i.e. *ALL).
- “/www” and subdirectories set to “rwx” on a system running Apache Web Server.
- “/www” and subdirectories set to “rwx” on a system running PHP.
- Running all (or any for that matter) web applications under QTMHHTTP.
Of course, my favorite Stupid IT Security Trick is this:
- No explicit, written, and communicated security policies.
This Stupid IT Security Trick is the granddaddy of them all because it allows ALL of the other Stupid IT Security Tricks to exist.
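Several of the tricks above can be caught by comparing the system against a documented baseline. The following is an added example, not code from the original post: a small drift checker run over a constructed snapshot of IBM i settings. The snapshot layout, the object and profile names, and the use of the QAUDCTL and QPWDEXPITV system values are my assumptions for this example, not output from any IBM i command.

```python
# Added example, not code from the original post: a drift checker over a
# constructed snapshot of IBM i settings. The dict layout is an assumption.
AUTH_RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}  # *ALL > *CHANGE > *USE

def public_too_broad(public_auth):
    """*PUBLIC with *USE or more on data or programs is one of the listed tricks."""
    return AUTH_RANK.get(public_auth.upper(), 3) >= AUTH_RANK["*USE"]

def ifs_world_writable(mode):
    """The post equates rwx for 'other' (last three chars of the mode) with *ALL."""
    return len(mode) == 9 and mode[6:] == "rwx"

def audit(snapshot):
    """Return one finding per trick detected in the constructed snapshot."""
    f = []
    sv = snapshot.get("sysvals", {})
    if sv.get("QAUDCTL") == "*NONE":
        f.append("auditing is off (QAUDCTL=*NONE)")
    if sv.get("QPWDEXPITV") == "*NOMAX":
        f.append("passwords never expire (QPWDEXPITV=*NOMAX)")
    for o in snapshot.get("objects", []):
        if public_too_broad(o["public"]):
            f.append(f"PUBLIC {o['public']} on {o['lib']}/{o['name']} ({o['type']})")
    for p in snapshot.get("profiles", []):
        if "*ALLOBJ" in p.get("special", []):
            f.append(f"*ALLOBJ granted to profile {p['name']}")
    for d in snapshot.get("ifs", []):
        if ifs_world_writable(d["mode"]):
            f.append(f"{d['path']} is rwx for everyone")
    ns = snapshot.get("netserver", {})
    if "/" in ns.get("shares", []):
        f.append("NetServer shares the root directory /")
    if ns.get("guest"):
        f.append("NetServer guest profile enabled")
    for w in snapshot.get("web_apps", []):
        if w["runs_as"] == "QTMHHTTP":
            f.append(f"web app {w['name']} runs under QTMHHTTP")
    return f

# Constructed sample snapshot; every value here is made up for illustration.
SAMPLE = {
    "sysvals": {"QAUDCTL": "*NONE", "QPWDEXPITV": "*NOMAX"},
    "objects": [
        {"lib": "PRODLIB", "name": "CUSTMAST", "type": "*FILE", "public": "*CHANGE"},
        {"lib": "PRODLIB", "name": "PAYROLL", "type": "*PGM", "public": "*EXCLUDE"}],
    "profiles": [{"name": "JDOE", "special": ["*ALLOBJ"]}],
    "ifs": [{"path": "/", "mode": "rwxrwxrwx"}, {"path": "/www", "mode": "rwxr-xr-x"}],
    "netserver": {"guest": True, "shares": ["/"]},
    "web_apps": [{"name": "orders", "runs_as": "QTMHHTTP"}],
}
```

Running `audit(SAMPLE)` lists eight findings for the sample; a clean snapshot returns an empty list, which is the state to compare against the written configuration.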
If any of these tricks are in use at your shop, it’s time to attack the root cause. If you are uncertain how to go about developing security policies, contact me.
But DON’T just bury your head in the sand. Do something about it… before it’s too late.