As an administrator, we know you’re only human. Like anyone else, you make mistakes. Thing is, if you don’t catch and address those mistakes in time, you could be left with egg on your face…and sensitive data on the web.
Not really a situation you want to find yourself in.
You need to make sure your security is ironclad (or at least as near as you can get to that). That’s why today, we’re going to go over a few rather serious (yet curiously common) server security blunders. If you recognize any of these flubs as something you’ve done yourself, maybe it’s time to start rethinking your approach to security.
Relying on Consumer-Grade Applications
Truth be told, it’s a little troubling that applications like Box and Dropbox have gained such prominence in the enterprise. Even though they offer enterprise tiers, consumer apps aren’t designed for business use. Their culture and security standards simply aren’t up to the level of a purpose-built application.
What that means is that allowing – or worse, encouraging – their widespread use is like playing with fire.
Letting Everyone Access Everything
Repeat after me: not everyone needs to be an administrator. As a matter of fact, admin access should be restricted exclusively to an elite few. If you allow everyone permissions like root access or entry into sensitive data repositories, you end up with situations like the Panama Papers.
Overcomplicating Password Requirements
While it’s important to encourage a certain level of complexity and length in passwords (anyone who uses ‘password’ or ‘123456’ is just asking to be hacked), don’t go overboard. I’ve lost count of the number of organizations with ridiculously strict password requirements (exactly one letter, one number, one punctuation symbol, and the recipe for Borscht) – and admittedly, they kept their users’ accounts secure.
So secure even the users couldn’t remember how to access them.
That said, there’s really no ‘maximum’ mandated password length here. Just keep it reasonable. If it’s something a computer would have trouble remembering, your employees won’t be able to remember it either.
Failing To Shut Down Troubleshooting Tasks
You’re troubleshooting to fix an issue, and you manage to track down an errant app. You fix the problem, and move on to the next one. Then you fix that one, and move on to the next.
Tell me, what’s wrong with this picture?
Troubleshooting tools and processes, by their nature, bypass security controls. For a savvy enough criminal, any you leave in place are an open door to your business’s data. It’s imperative that you keep track of your troubleshooting efforts as you go, so that you can reverse every change that weakens security once you’re done.
Storing ANYTHING In Plaintext
Encryption is your friend. If you’re working with sensitive data, encrypt it. Passwords should be salted and hashed. Storing data in plaintext is like inviting a thief into your home. It’s better to assume that at some point, your network will be hacked. Using strong encryption for data, managing encryption keys properly, and salting and hashing passwords will make it practically impossible for an attacker to extract useful information, even if they obtain the encrypted data and hashes.