One particular group has hacked many of the world's biggest and best companies using the same attack. (I won't mention the group's name because I don't want to give it additional exposure.) The hacker group has access to reams of confidential information and has purposely embarrassed the compromised companies by taking over their websites and social media accounts to make humiliating posts.
I know of several companies that proactively examine publicly accessible hacked password databases for usernames or email addresses that match their employees'. (Some readers may be surprised to learn that hackers often place breached password databases in public places, then invite others to access them.) In every instance, the companies have been able to find at least a few shared passwords (or password hashes) and trace them back to their now-compromised employees. In some cases the employees were given additional education about password use. In others, where a "don't share your password" policy already existed, the employees were reprimanded or let go.
Lesson learned: Make sure all employees understand the risk of sharing passwords between nonwork websites and security domains.
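The check described above, written out as an added example (this is not code from the article or from any of the companies mentioned): a constructed breach dump of email/password pairs is compared against a constructed corporate directory that stores salted password hashes, so a match means the employee is using the same password at work as on the breached site. The username mapping, the domain `example.com`, the salted SHA-256 scheme and all sample values are assumptions for illustration; a real directory would use bcrypt, scrypt or Argon2.

```python
import hashlib
import hmac

# Constructed sample of entries as they might appear in a public breach dump:
# (email, plaintext password). Every value here is made up for this example.
BREACH_DUMP = [
    ("alice@example.com", "Summer2023!"),
    ("bob@personal-mail.example", "hunter2"),
    ("carol@example.com", "correct horse battery staple"),
]

CORP_DOMAIN = "example.com"  # assumed corporate mail domain


def _corp_hash(salt: bytes, password: str) -> bytes:
    """Salted SHA-256, standing in for the directory's real password hash."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


# Constructed corporate directory: username -> (salt, hash of current password).
CORP_DIRECTORY = {
    "alice": (b"salt-alice", _corp_hash(b"salt-alice", "Summer2023!")),      # reused
    "bob":   (b"salt-bob",   _corp_hash(b"salt-bob",   "S3cure#Corp!")),     # different
    "carol": (b"salt-carol", _corp_hash(b"salt-carol", "correct horse battery staple")),
}


def candidate_usernames(email: str) -> list[str]:
    """Map a breached email to possible corporate usernames (hypothetical rule):
    the local part of a corporate address, or, for a personal address, the
    local part both as-is and with digits stripped, since people often reuse
    a handle across sites."""
    local, _, domain = email.lower().partition("@")
    if domain == CORP_DOMAIN:
        return [local]
    stripped = "".join(ch for ch in local if ch.isalpha())
    return [local, stripped] if stripped and stripped != local else [local]


def find_reused_passwords(dump, directory) -> list[tuple[str, str]]:
    """Return (corporate_username, breached_email) pairs where the leaked
    password, hashed with the employee's salt, equals the stored hash."""
    hits = []
    for email, leaked in dump:
        for user in candidate_usernames(email):
            if user not in directory:
                continue
            salt, stored = directory[user]
            # Constant-time comparison so timing does not leak partial matches.
            if hmac.compare_digest(_corp_hash(salt, leaked), stored):
                hits.append((user, email))
    return hits


if __name__ == "__main__":
    for user, email in find_reused_passwords(BREACH_DUMP, CORP_DIRECTORY):
        print(f"password reuse: corporate account {user} <- breach entry {email}")
```

Because only the leaked plaintext is hashed under the corporate salt, the check never needs to reverse the directory's own hashes, and it works just as well when the dump contains hashes in the corporate format instead of plaintext.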
Colossal security mistake No. 8: Opening big "ANY ANY" holes
You'd be surprised at how many firewalls are configured to allow all traffic indiscriminately into the network and out.
This is even more interesting because almost all firewalls begin with the least permissive, deny-by-default permissions, then somewhere along the way an application doesn't work. After much troubleshooting, someone suspects the firewall is causing the problem, so they create an "allow ANY ANY" rule. This rule essentially tells the firewall to allow all traffic and to block nothing. Whoever requests or creates this rule usually wants it only for a short while to figure out what role the firewall might play in the problem. At least, that's the initial thinking.
Somehow these rules get left in place for a long time. Most environments I audit have at least one major router with "ANY ANY" enabled. Usually the firewall administrators and IT security people are shocked to learn that the "temporary" rule is still in effect. These accidentally permanent "ANY ANY" holes are usually discovered by auditors (like me) or by hackers. Unfortunately, discovery by the latter can lead to the unemployment line.
Lesson learned: Don't ever allow "ANY ANY" rules to be deployed.
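One way to catch the forgotten rule before an auditor does, as an added example that is not part of the article: a small audit script that reads a ruleset in iptables-save syntax and flags every ACCEPT rule that matches any source, any destination, any protocol and any port, plus any chain whose default policy is ACCEPT. The ruleset below is constructed for the example, not taken from a real firewall; the field parsing covers only the common iptables options and is an assumption about the input format.

```python
import shlex

# Constructed ruleset in iptables-save syntax. The FORWARD "0.0.0.0/0 -> 0.0.0.0/0"
# rule and the bare "-A INPUT -j ACCEPT" are the kind of leftover "ANY ANY" holes
# the article describes; the conntrack rule is a legitimate stateful allow.
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -p tcp -d 192.168.10.5/32 --dport 443 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
"""

# An absent address, the IPv4/IPv6 zero network, or "anywhere" all mean "any".
ANY_ADDRESSES = {None, "0.0.0.0/0", "::/0", "anywhere"}


def parse_rule(line: str) -> dict:
    """Parse one '-A' line into the fields that decide how broad it is."""
    tokens = shlex.split(line)
    rule = {"chain": None, "src": None, "dst": None, "proto": None,
            "dport": None, "target": None, "matches": []}
    i = 0
    while i < len(tokens):
        t = tokens[i]
        if t == "-A":
            rule["chain"] = tokens[i + 1]; i += 2
        elif t in ("-s", "--source"):
            rule["src"] = tokens[i + 1]; i += 2
        elif t in ("-d", "--destination"):
            rule["dst"] = tokens[i + 1]; i += 2
        elif t in ("-p", "--protocol"):
            rule["proto"] = tokens[i + 1]; i += 2
        elif t == "--dport":
            rule["dport"] = tokens[i + 1]; i += 2
        elif t == "-m":
            rule["matches"].append(tokens[i + 1]); i += 2
        elif t == "-j":
            rule["target"] = tokens[i + 1]; i += 2
        else:
            i += 1  # option we do not model (e.g. --ctstate values)
    return rule


def is_any_any_allow(rule: dict) -> bool:
    """True when the rule accepts everything: no address, protocol, port or
    match-extension narrows it. A '-m conntrack' state rule is not flagged."""
    return (rule["target"] == "ACCEPT"
            and rule["src"] in ANY_ADDRESSES
            and rule["dst"] in ANY_ADDRESSES
            and rule["proto"] in (None, "all")
            and rule["dport"] is None
            and not rule["matches"])


def find_any_any_rules(ruleset_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, chain, rule_text) for every ANY ANY accept rule."""
    hits = []
    for n, line in enumerate(ruleset_text.splitlines(), 1):
        if line.startswith("-A") and is_any_any_allow(parse_rule(line)):
            hits.append((n, parse_rule(line)["chain"], line))
    return hits


def find_accept_policies(ruleset_text: str) -> list[str]:
    """Chains whose default policy (':CHAIN POLICY [...]') is ACCEPT."""
    chains = []
    for line in ruleset_text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            if policy == "ACCEPT":
                chains.append(name)
    return chains


if __name__ == "__main__":
    for n, chain, text in find_any_any_rules(RULESET):
        print(f"line {n}: ANY ANY accept in chain {chain}: {text}")
    for chain in find_accept_policies(RULESET):
        print(f"chain {chain} has a default ACCEPT policy")
```

Running this against a periodic `iptables-save` export (or the equivalent from any vendor once translated into the same fields) turns the "temporary" rule into a finding that shows up in the next scheduled review rather than in an incident report.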
Colossal security mistake No. 9: Not changing passwords
One of the most common mistakes that can put your job on the line is not changing your admin passwords for a very long time. My auditing experience has made this very clear. Almost all companies have multiple unexpired, years-old admin passwords. In fact, it's the norm.
Every computer security configuration guide recommends changing all passwords on a reasonable, periodic basis, which translates to every 45 to 90 days in practice. Admin and elevated passwords should be stronger and changed more frequently than user passwords. At most companies, admin passwords are long and complex, but almost never changed.
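As an added example (not from the article), the audit the author describes can be automated against an account export: each account carries its last password-change date, admin accounts are held to the stricter end of the 45-to-90-day range and ordinary users to the looser end, and anything older is reported with its age. The account list, the reference date and the exact thresholds (45 days for admins, 90 for users) are constructed assumptions for the example.

```python
from datetime import date

# Hypothetical policy: admin passwords rotate at least every 45 days, user
# passwords at least every 90 days (the article's 45-to-90-day range).
MAX_AGE_ADMIN_DAYS = 45
MAX_AGE_USER_DAYS = 90

# Constructed account export: (username, is_admin, last_password_change as ISO date).
ACCOUNTS = [
    ("svc-backup", True, "2019-03-12"),   # years-old service/admin password
    ("jdoe-admin", True, "2024-05-01"),
    ("jdoe", False, "2024-01-15"),
    ("mlee", False, "2024-05-20"),
]


def password_age_days(last_change: str, today: date) -> int:
    """Days since the password was last changed."""
    return (today - date.fromisoformat(last_change)).days


def stale_passwords(accounts, today: date,
                    max_admin=MAX_AGE_ADMIN_DAYS,
                    max_user=MAX_AGE_USER_DAYS) -> list[tuple[str, int, int]]:
    """Return (username, age_in_days, policy_limit) for every account whose
    password is older than its policy allows, oldest first."""
    findings = []
    for user, is_admin, changed in accounts:
        age = password_age_days(changed, today)
        limit = max_admin if is_admin else max_user
        if age > limit:
            findings.append((user, age, limit))
    return sorted(findings, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    for user, age, limit in stale_passwords(ACCOUNTS, date.today()):
        print(f"{user}: password is {age} days old (policy limit {limit})")
```

Sorting oldest-first puts the years-old admin credentials the author keeps finding at the top of the report, which is where the remediation effort should start.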