I’m a security professional, and it pains me to admit that in my line of work, mistakes are made. Multiple times. In almost every organization. With alarming frequency.
Here are the six most persistent screw-ups I’ve seen during my many years of consulting. If none sound familiar, I hate to tell you, but … you may be in denial.
1. Believing you’re fully patched
We all know that just about every organization contains unpatched software. I’m not talking about that. I’m talking about the personal computers that security professionals use themselves.
The majority of security professionals, when asked if they are fully patched, show me the results of their Windows Update scan. Almost all the remaining ones show me the results of their favorite independent patch-checking program.
Apparently they don’t realize how inaccurate even the best of those programs are. They catch the popular, most exploited stuff, but they all miss things. Most don’t check firmware or BIOS versions, for example, even though they easily could — and new versions often plug serious security holes.
When I do a manual survey, I always find software programs the patch-checking program didn’t look for. How? I look for every installed program, not just by checking the OS’s installed applications list, but also by clicking my way through folders and directories. Along the way, I record the software versions. Some are not so obvious, so you have to look at the date of executables and DLLs.
Then I open up my favorite CVE (Common Vulnerabilities and Exposures) database — I like the one hosted on Secunia — and I compare my list with what’s listed in the CVE database. I always find unpatched software.
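The manual survey described above, as an added example rather than the author's own script: it records the firmware version, reads the OS's installed-programs list from the registry, walks program folders for executables and DLLs, and writes out the products the OS list never mentioned, with version and file date, for checking against a CVE database by hand. It assumes an elevated Windows PowerShell 5.1 or later session; the folder list and the CSV path are assumptions to adjust for your own host.

```powershell
# Added example (not from the column): a manual software survey on a Windows host.
# Assumes an elevated PowerShell session; $roots is a starting point, extend it for your host.

# 1. Firmware: most patch checkers never look here.
Get-CimInstance Win32_BIOS | Select-Object Manufacturer, SMBIOSBIOSVersion, ReleaseDate

# 2. The OS's own view of installed software: Uninstall entries (64-bit, 32-bit, per-user).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$listed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object { $_.DisplayName.ToLowerInvariant() }

# 3. The folder walk: every .exe and .dll under the usual install roots, grouped by product.
$roots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:ProgramData,
    "$env:LOCALAPPDATA\Programs",
    $env:LOCALAPPDATA
)
$files = Get-ChildItem -Path $roots -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue

$survey = $files | ForEach-Object {
    $vi = $_.VersionInfo
    # Binaries without a version resource: fall back to the folder name and the file date.
    $product = if ($vi.ProductName) { $vi.ProductName.Trim() } else { $_.Directory.Name }
    [pscustomobject]@{
        Product   = $product
        Version   = if ($vi.ProductVersion) { $vi.ProductVersion.Trim() } else { $vi.FileVersion }
        LastWrite = $_.LastWriteTime.Date
        Path      = $_.FullName
    }
} | Sort-Object Product, Version, LastWrite -Unique

# 4. Products the OS list never mentioned: these are the ones to look up in a CVE database.
$unlisted = $survey | Where-Object {
    $p = $_.Product.ToLowerInvariant()
    -not ($listed | Where-Object { $_ -like "*$p*" -or $p -like "*$_*" })
}
$unlisted | Export-Csv -Path "$env:USERPROFILE\Desktop\software-survey.csv" -NoTypeInformation
$unlisted | Group-Object Product | Sort-Object Count -Descending | Select-Object Count, Name -First 40
```

The name match in step 4 is deliberately loose, so expect some noise from generic product names; the CSV keeps the full path and file date so each entry can be confirmed by hand.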