10 most foolish mistakes of IT pros
Published: 31 Aug 2006 16:05 BST
… for too long can cost you even more, especially in terms of security. There are a couple of reasons for that, as follows:
- New software usually has more security mechanisms built in. There is a much greater focus on writing secure code today than in years past.
- Vendors generally retire support for older software after a while. That means they stop releasing security patches for it, so if you're still running the old version, newly discovered vulnerabilities in it will never be fixed and you are exposed to them indefinitely.
If upgrading all the systems in your organisation isn't feasible, do the upgrade in stages, concentrating on the most exposed systems first.
#7: Manage passwords sloppily
Although multifactor authentication (for example, smart cards and biometrics) is becoming more popular, most organisations still depend on user names and passwords to log on to the network. Bad password policies and sloppy password management create a weak link that can allow attackers to invade your systems with little technical skill needed.
Require lengthy, complex passwords (or better, passphrases), require users to change them periodically, and don't allow the same passwords to be reused. (Later guidance such as NIST SP 800-63B advises against forced periodic changes unless compromise is suspected, because they push users toward predictable variations; length, a ban on known-breached passwords and a second factor do more than frequent rotation.) Enforce password policies through Windows Group Policy or third-party products. Ensure that users are educated about the necessity to keep passwords confidential and are forewarned about the techniques social engineers may use to discover their passwords.
If at all possible, implement a second authentication method (something you have or something you are) in addition to the password or PIN (something you know).
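The policy described above (minimum length, character classes, no reuse of recent passwords), expressed as a small enforcement routine. This is an added example, not code from the original article; the thresholds MIN_LENGTH, MIN_CHAR_CLASSES and HISTORY_DEPTH are assumed values, and the history is kept as salted PBKDF2 hashes so that old passwords are never stored in the clear. Windows Group Policy applies the equivalent settings centrally; this shows what those settings actually check.

```python
import hashlib
import hmac
import os
import string

# Policy parameters: assumed values chosen for illustration, not taken from the article.
MIN_LENGTH = 14          # long passphrases beat short "complex" strings
MIN_CHAR_CLASSES = 3     # out of: lowercase, uppercase, digit, other
HISTORY_DEPTH = 24       # how many previous passwords may not be reused
PBKDF2_ITERATIONS = 50_000


def hash_password(password, salt=None):
    """Return (salt, digest) for the history; plaintext is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_stored(password, salt, digest):
    """Constant-time comparison of a candidate against one stored hash."""
    _, candidate_digest = hash_password(password, salt)
    return hmac.compare_digest(candidate_digest, digest)


def char_classes(password):
    """Count the distinct character classes used (lower, upper, digit, other)."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("other")
    return len(classes)


def check_new_password(candidate, username, history):
    """Return a list of policy violations; an empty list means the password is accepted.

    history is a list of (salt, digest) tuples, oldest first.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(candidate) < MIN_CHAR_CLASSES:
        problems.append(f"uses fewer than {MIN_CHAR_CLASSES} character classes")
    if username and username.lower() in candidate.lower():
        problems.append("contains the user name")
    # The reuse check only ever compares hashes, so the old passwords are not recoverable.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if matches_stored(candidate, salt, digest):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def set_password(candidate, username, history):
    """Apply the policy; on success append the new hash and trim the history window."""
    problems = check_new_password(candidate, username, history)
    if problems:
        return problems
    history.append(hash_password(candidate))
    del history[:-HISTORY_DEPTH]
    return []


def demo():
    """Constructed scenario: a user rotates once, then tries to go back to the old passphrase."""
    history = []
    user = "jsmith"                      # constructed user name
    assert set_password("Purple-Kettle-Whistles-7am", user, history) == []
    assert set_password("Cold.Harbour.Lights.2006", user, history) == []
    # Rotating back to the first passphrase is refused by the history check.
    return set_password("Purple-Kettle-Whistles-7am", user, history)
```

A production version would also reject passwords found in breach corpora and rate-limit failed logins, which the hashing here does nothing to prevent; the point of the block is that "no reuse" can be enforced without ever keeping a recoverable copy of the old passwords.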
#8: Try to please all the people all of the time
Network administration isn't the job for someone who needs to be liked by everyone. You'll often be setting down and enforcing rules users don't like. Resist the temptation to make exceptions ("Okay, we'll configure the firewall to allow you to use instant messaging since you asked so nicely").
It's your job to see that users have the access they need to do their jobs — and no more.
#9: Don't try to please any of the people any of the time
Just as it's important to stand your ground when the security or integrity of the network is at stake, it's also important to listen to management and your users, find out what they do need to do their jobs, and make it as easy for them as you can — within the parameters of your mission (a secure and reliable network).
Don't lose sight of the reason the network exists in the first place: so users can share files and devices, send and receive mail, access the Internet, and so on. If you make those tasks unnecessarily difficult for them, they'll just look for ways to circumvent your security measures, possibly introducing even worse threats.
#10: Make yourself indispensable by not training anyone else to do your job
This is a common mistake throughout the business world, not just in IT. You think if you're the only one who knows how the mail server is configured or where all the switches are, your job will be secure. This is another reason some administrators fail to document the network configuration and changes.
The sad fact is: no one is indispensable. If you got hit by a truck tomorrow, the company would go on. Your secrecy might make things a lot more difficult for your successor, but eventually he or she will figure it out.
In the meantime, by failing to train others to do your tasks, you may lock yourself into a position that makes it harder to get a promotion... or even take a vacation.