Minor vulnerabilities, poor user behavior, and outdated security software—they all add up to a big headache for IT and security professionals. Small errors on the part of computer users or their IT departments may not wreak havoc on their own, but in combination, they dramatically increase security challenges. Here’s a recipe for the “nightmare formula” that organizations need to avoid or mitigate.
- Easy-to-guess passwords and password reuse: Obvious strings of numbers (like “123456”), mothers’ maiden names, or simply using the word “password” as a password make it easier for criminals to break into accounts and to reset passwords. Even more problematic is the reuse of the same or similar pass-words, or the same answers to password recovery questions, from site to site.
- Inconsistent patching: Conficker, the big botnet of 2009, gained traction because computer users failed to download a patch that was readily available from Microsoft. Although most of today’s attacks are launched via social media networks, criminals still look for ways to exploit these old-style vulnerabilities.
- Getting too personal: By disclosing information, such as birth dates and hometowns, social media users make it far too easy for criminals to break into private accounts and gain control by resetting passwords. Corporate users are not immune to this trend, frequently using Twitter to discuss business projects.
- Overdose of trust: Social media users are placing too much trust in the safety and privacy of their networks, responding to messages, supposedly from their connections, with malware-laden links.
- Outdated virus protection: Computer users fail to update their anti-virus software or let subscriptions lapse, leaving their systems more vulnerable to attacks that might normally be easy to block. Worse, they may be running fake anti-virus software. In addition, individual users may fail to enable easily available security features built into their operating systems or web browsers, such as firewalls. Ensuring virus software is updated provides some protection, but criminals are now hiring services to test their malware and ensure that it is not flagged by anti-virus programs.
- Not using available security products: Users often assume anti-virus is all they need to be “safe.” Thus, they don’t take advantage of simple, tried-and-true security measures, such as personal firewalls and browser security features, which can provide an extra layer of protection.
- “It won’t happen to me” syndrome: This is perhaps the most potent ingredient in the Nightmare Formula. Users intentionally violate policies and knowingly engage in risky behavior online because they believe they won’t be the victim of a cyber attack or compromise their employer’s cybersecurity.
Excerpt from Cisco 2009 Annual Security Report: Highlighting global security threats and trends. Copyright © 2009 Cisco Systems, Inc. Download the complete report online.