4. Documented administrative passwords are stored insecurely — and can easily be found
Eighty-three per cent of the time, documented administrative passwords were not stored securely. The KPMG team found passwords written on the whiteboard of the IT area and in the IT manager's drawer. They also found administrative passwords in documents to which everyone had access.
5. Weak physical controls over their premises and IT systems
The testers were able to gain unauthorised physical access at all of the organisations, and 89 per cent of the time they got into sensitive areas "through relatively simple means".
Whitmore said that for doors with punch-code locks, the typical time needed to get through was 60 seconds. "In fact, the average time to get through any locked door is 60 seconds," he said.
The doors of one building were locked by 5.30 pm and could be opened only by a sensor on the inside. At around 6 pm the testers slid a piece of paper between the sliding doors and waved it to trigger the sensor and open them.
6. Insecure Web based applications
Most web-based applications are not as secure as they appear to be, he said. "System developers struggle with security."
The team found that 61 per cent of the web apps did not properly validate user input (checking its type, length and format before using it) and 42 per cent did not properly check a user's authority to undertake an action, so a logged-in user could act on records or functions that were not theirs.
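The two failings just described, shown side by side in an added example that is not part of the original article or of KPMG's testing. A minimal "change e-mail address" endpoint is written as plain Python functions (no web framework, so it runs anywhere); the request is a dict standing in for the parsed HTTP body, the session user id stands in for the authenticated session, and the user table, names and addresses are constructed for illustration. The first handler trusts whatever the client sends; the second validates the input and then checks that the caller is allowed to change the target record.

```python
"""Added example: missing input validation and missing authorization checks
in a web handler, beside the hardened form. Framework-free so it runs offline;
all data below is constructed for illustration."""
import re

# Constructed in-memory user table standing in for the application database.
USERS = {
    1: {"name": "alice", "email": "alice@example.com", "role": "user"},
    2: {"name": "bob",   "email": "bob@example.com",   "role": "user"},
    3: {"name": "carol", "email": "carol@example.com", "role": "admin"},
}

# Bounded shape check for an address: local part, '@', dotted domain, alphabetic TLD.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$")


def change_email_vulnerable(session_user_id, params):
    """Insecure handler (the pattern the survey found).

    The target user id is taken from the request body, which the client
    controls, and is never compared with the session; the new address is
    stored without any validation. Any logged-in user can overwrite any
    other user's address (an insecure direct object reference)."""
    target = int(params["user_id"])           # client-chosen, never authorised
    USERS[target]["email"] = params["email"]  # stored unvalidated
    return 200, {"user_id": target, "email": USERS[target]["email"]}


def change_email_hardened(session_user_id, params):
    """Hardened handler: validate every field, then decide authority server-side.

    Returns an (HTTP status, body) tuple like the vulnerable version."""
    # 1. Input validation: type, presence, size and format before any use.
    try:
        target = int(params.get("user_id", ""))
    except (TypeError, ValueError):
        return 400, {"error": "user_id must be an integer"}
    email = params.get("email")
    if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.match(email):
        return 400, {"error": "invalid e-mail address"}
    if target not in USERS:
        return 404, {"error": "no such user"}

    # 2. Authorization: the server, not the request, decides who may change whose record.
    caller = USERS[session_user_id]
    if target != session_user_id and caller["role"] != "admin":
        return 403, {"error": "not permitted"}

    USERS[target]["email"] = email
    return 200, {"user_id": target, "email": email}


if __name__ == "__main__":
    # Alice (id 1) tries to change Bob's (id 2) address through each handler.
    print(change_email_vulnerable(1, {"user_id": "2", "email": "x"}))
    print(change_email_hardened(1, {"user_id": "2", "email": "x@example.com"}))
```

The ordering matters: validation first, so that malformed input never reaches the authorization logic or the data store, and the authorization decision is made from server-side state (the session and the stored role), never from a field the client supplied.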
7. Caching of passwords
By default, Windows keeps a cached copy of domain logon credentials (a hashed verifier derived from the password, rather than the password itself) on the desktop or laptop so that users can still log on when no domain controller is reachable; anyone who gains access to the machine can extract these cached credentials and attack them offline. Whitmore said all organisations tested still cached their network passwords on these devices.
8. Password reset procedures typically do not confirm who is making the request for a password to be reset
Whitmore said that in 86 per cent of cases, passwords were reset on first request. In 14 per cent of cases the request was challenged, for example by the person on the other end of the line asking the caller to ring back from their work desk. People, he said, want to be helpful, and when you "pressure them a little bit, they will do what you ask them".
9. Insufficient security awareness
One hundred per cent of the organisations struggled to instil sufficient security awareness, he said. Insufficient security awareness among staff will often undermine the security efforts that have been made, he said, noting people putting passwords on Post-it notes. "Strong technology controls are in place, but people undermine it."
10. Patches are not applied on a timely basis
This leaves systems exposed to the vulnerabilities the patches were intended to address, he stated.