
Security: Stop ignoring the obvious mistakes

The FBI considers weak passwords and open ports to be among the five most common mistakes that leave business data vulnerable. Would you believe 40 percent of us still use "password" as a password? I have a few more obvious action items that every securit
Written by David Berlind
The FBI is taking one of the key goals of the just released draft of the National Strategy to Secure Cyberspace to heart.

The law enforcement agency, best known for its Most Wanted list and inept use of information technology, is hoping to build awareness about cybersecurity and promote good security hygiene.

In his recent ZDNet News commentary on keeping hackers at bay, Arvind Krishna, vice president of security products for Tivoli Software at IBM, quoted from the FBI's list of five common mistakes that leave company and employee data vulnerable:

  • Default installation of operating systems and applications;
  • Weak passwords - some 40 percent of us use "password";
  • Incomplete back-up of data;
  • Unneeded ports left open;
  • Data packets not filtered for correct incoming and outgoing addresses.
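The last item on the FBI list is address sanity checking at the network edge: an inbound packet that claims an inside (or reserved) source address is spoofed, and an outbound packet sourced from an address you do not own should never leave. The following is an added example, not code from the column or from the FBI; the internal prefixes, the reserved-range list and the sample packets are constructed for illustration.

```python
"""Direction-aware address filter for the fifth FBI item (added example).

Constructed: the internal address space, the list of never-valid source
ranges, and the sample packets. The policy mirrors standard ingress/egress
filtering: drop what cannot legitimately have the source it claims.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: address space that belongs to the (hypothetical) internal network.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Ranges that should never be the source of a packet arriving from the Internet:
# RFC 1918 private space, loopback, link-local, unspecified, multicast/reserved.
BOGON_NETS = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("224.0.0.0/3"),
]


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from outside, "out" = leaving the site
    src: str
    dst: str


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def filter_verdict(pkt: Packet) -> tuple:
    """Return ("allow" | "drop", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.direction == "in":
        # Ingress: an outside packet claiming an inside or reserved source is spoofed.
        if _in_any(src, INTERNAL_NETS):
            return "drop", "ingress: source claims an internal address"
        if _in_any(src, BOGON_NETS):
            return "drop", "ingress: reserved/bogon source"
        if not _in_any(dst, INTERNAL_NETS):
            return "drop", "ingress: destination is not ours"
        return "allow", "ingress ok"
    if pkt.direction == "out":
        # Egress: only packets sourced from our own space may leave, so a
        # compromised inside host cannot send traffic under someone else's address.
        if not _in_any(src, INTERNAL_NETS):
            return "drop", "egress: source is not an internal address"
        if _in_any(dst, INTERNAL_NETS):
            return "drop", "egress: internal destination should not leave"
        return "allow", "egress ok"
    return "drop", "unknown direction"


def apply_policy(packets):
    """Evaluate a batch and return (packet, verdict, reason) triples."""
    return [(p, *filter_verdict(p)) for p in packets]


# Constructed sample traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE = [
    Packet("in", "203.0.113.7", "10.1.2.3"),      # ordinary inbound request
    Packet("in", "10.9.9.9", "10.1.2.3"),         # outside packet forging an inside source
    Packet("in", "127.0.0.1", "10.1.2.3"),        # loopback source from the wire
    Packet("out", "10.1.2.3", "203.0.113.7"),     # ordinary outbound reply
    Packet("out", "198.51.100.4", "203.0.113.7"), # inside host using an address we don't own
]

if __name__ == "__main__":
    for pkt, verdict, reason in apply_policy(SAMPLE):
        print(f"{pkt.direction:3} {pkt.src:>15} -> {pkt.dst:<15} {verdict:5} {reason}")
```

Running the block prints one verdict per sample packet; in practice the same two rules are expressed as access lists on the border router or as a firewall ruleset, and the value of the script is in showing which packets each rule is meant to catch.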

While the FBI list seems to state the obvious, it's scary to read that these mistakes are still being made. When are companies and people going to learn?

If you haven't already addressed these problems, what are you waiting for?

If you have these on your to-do list, I've got a few more action items that should be top priorities and that are relatively simple to address.

First: start thinking about encryption--now. It may not be an issue for you today, but it will be later. Draw up a timeline that targets a date when anyone who surreptitiously accesses your bits and bytes will end up getting only garbage. This project starts with identifying all the potential vulnerability gaps. List all the data that deserves encryption, figure out where it resides and how it moves, and then design your encryption umbrella. The obvious places to look are your networks, databases, central and remote e-mail stores, desktops, handhelds, and servers.

Once you've discovered the areas of weakness, decide how you're going to solve the problem. Consider the directions that infrastructure standards are taking, such as IPv6 and its mandatory support for security. Determine how far they go in addressing your needs, and what you need to do to go the extra mile.

Second: Don't fool yourself about the single-factor security that most companies have in place. It's not enough. Whether or not some large number of your users' passwords are the word "password," employing a form of security based on what people know and nothing more is like sticking your head in the sand.

My poster child for this issue is online banking. If I did my banking at Netherlands-based ABN Amro, I'd need a credit card-sized device that issues me a new key for every new banking session. In addition to what I know, ABN is double-checking a second factor: what I have. No device, no entry. But my bank in the U.S. doesn't have that level of security. Why not?
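What the bank's device does, mechanically, is produce a fresh one-time code that the server can verify against a shared secret while still demanding the password. The column names no algorithm, so the following is an added example (not the bank's or the column's code) that assumes the HMAC-based one-time password scheme of RFC 4226 (HOTP); the shared secret, the user record, the password and the `Token` and `Server` classes are constructed for illustration.

```python
"""Two-factor login: password (what you know) plus a device code (what you have).

Added example; HOTP (RFC 4226) is assumed as the device's algorithm. The
secret, salt, user and password below are constructed.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """Simulates the card-sized device: every press yields the next code."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Server:
    LOOK_AHEAD = 5  # tolerate a few codes the user generated but never submitted

    def __init__(self, users: dict):
        self.users = users  # name -> {pw_hash, salt, secret, counter}

    @staticmethod
    def pw_hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, name: str, password: str, code: str) -> bool:
        u = self.users.get(name)
        if u is None:
            return False
        # Factor 1: what you know. Constant-time compare of the password hash.
        if not hmac.compare_digest(self.pw_hash(password, u["salt"]), u["pw_hash"]):
            return False
        # Factor 2: what you have. Accept the next unused counter within the window,
        # then move the counter past it so the same code can never be replayed.
        for i in range(u["counter"], u["counter"] + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(u["secret"], i), code):
                u["counter"] = i + 1
                return True
        return False


# Constructed enrollment data shared between the token and the server.
SECRET = b"constructed-shared-secret-for-demo"
SALT = b"constructed-salt"
PASSWORD = "correct horse"


def new_server() -> Server:
    """Fresh server state so each run starts from counter 0."""
    return Server({"alice": {"pw_hash": Server.pw_hash(PASSWORD, SALT), "salt": SALT,
                             "secret": SECRET, "counter": 0}})


def demo() -> dict:
    """Walk through the cases the column cares about; returns name -> login result."""
    server = new_server()
    token = Token(SECRET)
    first = token.next_code()
    results = {}
    results["password only, no device"] = server.login("alice", PASSWORD, "")
    results["password + device code"] = server.login("alice", PASSWORD, first)
    results["same code replayed"] = server.login("alice", PASSWORD, first)
    results["wrong password + fresh code"] = server.login("alice", "wrong", token.next_code())
    # The previous code was never consumed; the look-ahead window still accepts the next one.
    results["fresh code after a skipped press"] = server.login("alice", PASSWORD, token.next_code())
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:36} -> {'granted' if ok else 'denied'}")
```

The look-ahead window is the one design choice worth noting: too small and a user who presses the button twice is locked out, too large and an attacker who captures one code gets a wider replay target, which is why the counter is advanced past every accepted code.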

This isn't just about protecting a company's assets or the money I have in the bank. Increasing the required number of factors for authentication is also about minimizing identity theft, which the FBI and other agencies have identified as a critical issue in the war on terrorism.

Consider what FBI Terrorist Financial Review Group chief Dennis M. Lormel has to say about identity theft. "These violations include bank fraud, credit card fraud, wire fraud, mail fraud, money laundering, bankruptcy fraud, computer crimes, and fugitive cases. These crimes carried out using a stolen identity make the investigation of the offenses much more complicated. The use of a stolen identity enhances the chances of success in the commission of almost all financial crimes. The stolen identity provides a cloak of anonymity for the subject while the groundwork is laid to carry out the crime. This includes the rental of mail drops, post office boxes, apartments, office space, vehicles, and storage lockers as well as the activation of pagers, cellular telephones, and various utility services."

This identity theft thing is a nasty business. Increasing the required factors of security from one (what you know) to two (what you have) or even three (who you are, aka biometrics) can help close the identity gaps.

The action items are the same. Where are the gaps? What are the solutions? Set up a timeline and get it done.

While you're at it, figure out how you're going to centralize identity management within your systems. As long as there are multiple identity and access control systems such as Liberty and Passport for the foreseeable future, you need some way to make sure that identities and access control across your entire infrastructure can be managed virtually. Otherwise, you risk leaving openings when managing your constituents' access. One company that pops to mind is Netegrity (stay tuned for an interview with Netegrity CEO Barry Bycoff).

The final item on my short list is the most troubling and tiresome. Vendor X issues a warning about a vulnerability in product Y and issues a patch. Three months later, a hacker whips up worm Z that targets the vulnerability in product Y, wipes out a few thousand systems and costs some companies a few more millions of dollars. C'mon! How many times does this cycle have to repeat itself before we wake up and smell the coffee? One of your top priorities is to identify all the software that gets targeted for these kinds of intrusions and assign a warm body to the task of making sure it's patched within hours of the vulnerability alert. If that body falls asleep on the job (which must be the case), contact human resources.

We've been overlooking these common vulnerabilities for too long. It's time to take action. Oh, and if your CFO resists, go back to him or her with a printed stack of congressional Homeland Security testimony and his or her instant messenger password (which is a piece of cake to get) handwritten on a piece of paper. That might get some attention (or you fired).

What did I miss? Has 20/20 hindsight pushed you into action? Share your horror stories with your fellow readers. Talkback to me below and chime in with your list and do your part to make the world a more secure place. Or write to me at david.berlind@cnet.com.
