How to Suck at Information Security

This cheat sheet presents common information security mistakes, so you can avoid making them.

Security Policy and Compliance

Ignore regulatory compliance requirements.
Assume the users will read the security policy because you've asked them to.
Use security templates without customizing them.
Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you're ready.
Create security policies you cannot enforce.
Enforce policies that are not properly approved.
Blindly follow compliance requirements without creating an overall security architecture.
Create a security policy just to mark a checkbox.
Pay someone to write your security policy without any knowledge of your business or processes.
Translate policies in a multi-language environment without consistent meaning across the languages.
Make sure none of the employees finds the policies.
Assume that if the policies worked for you last year, they'll be valid for the next year.
Assume that being compliant means you're secure.
Assume that policies don't apply to executives.
Hide from the auditors.

Security Tools

Deploy a security product out of the box without tuning it.
Tune the IDS to be too noisy, or too quiet.
Buy security products without considering the maintenance and implementation costs.
Rely on anti-virus and firewall products without having additional controls.
Run regular vulnerability scans, but don't follow through on the results.
Let your anti-virus, IDS, and other security tools run on "auto-pilot."
Employ multiple security technologies without understanding how each of them contributes.
Focus on widgets, while omitting to consider the importance of maintaining accountability.
Buy an expensive product when a simple and cheap fix may address 80% of the problem.

Risk Management

Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles.
Make someone responsible for managing risk, but don't give the person any power to make decisions.
Ignore the big picture while focusing on quantitative risk analysis.
Assume you don't have to worry about security, because your company is too small or insignificant.
Assume you're secure because you haven't been compromised recently.
Be paranoid without considering the value of the asset or its exposure factor.
Classify all data assets as "top secret."

Security Practices

Don't review system, application, and security logs.
Expect users to forgo convenience in place of security.
Lock down the infrastructure so tightly that getting work done becomes very difficult.
Say "no" whenever asked to approve a request.
Impose security requirements without providing the necessary tools and training.
Focus on preventative mechanisms while ignoring detective controls.
Have no DMZ for Internet-accessible servers.
Assume your patch management process is working, without checking on it.
Delete logs because they get too big to read.
Expect SSL to address all security problems with your web application.
Ban the use of external USB drives while not restricting outbound access to the Internet.
Act superior to your counterparts on the network, system admin, and development teams.
Stop learning about technologies and attacks.
Adopt hot new IT or security technologies before they have had a chance to mature.
Hire somebody just because he or she has a lot of certifications.
Don't apprise your manager of the security problems your efforts have avoided.
Don't cross-train the IT and security staff.

Password Management

Require your users to change passwords too frequently.
Expect your users to remember passwords without writing them down.
Impose overly onerous password selection requirements.
Use the same password on systems that differ in risk exposure or data criticality.
Impose password requirements without considering the ease with which a password could be reset.

More Security Mistakes

The 10 Dumbest Things People Do... http://www.sans.org/newsletters/ouch...
10 common security mistakes... http://blogs.techrepublic.com.com/security/?p=542
Mistakes ... that Lead to Security Breaches http://sans.org/resources/mistakes.php?ref=3816
Authored by Lenny Zeltser, with contributions from SANS Internet Storm Center handlers. Lenny leads a security consulting team at Savvis, helping customers avoid making information security mistakes. He also teaches a malware analysis course at SANS Institute. Creative Commons v3 "Attribution" License for this cheat sheet version 1.2. More cheat sheets?