ELITECISOs - BAD Security Advice

Today ELITECISOs - Delhi/NCR Chapter member had Fun Friday, and we collected some BAD SECURITY ADVICE; everyone shares best practices - but hardly anyone follows. So we decided to prepare some BAD ADVICE. It might trigger some thoughts and readers may correct what they're doing wrong. This is raw list of BAD ADVICE that members have contributed. Pls expand and add comments of more such bad advices..

1. Keep Default Passwords

2. Sab Chalta Hai

3. Keep all ports opened, inbound/outbound

4. No patching

5. No MFA

6. Share passwords

7. No Security training to employees

8. No separation of duties/roles

9. Keep Simple Passwords

10. Never try restore

11. Never check security and compliance desh boards

12. Never share risk to management

13. Don't test BCP

14. No need to patch Linux

15. No AV required for Linux

16. Mac is virus proof

17. Never get VAPT done

18. Boss to have admin rights

19. Avoid HA

20. Never update firmware

21. No backups of data

22. Never record audit logs.

24. Default configuration of open source tools

25. Never harden OS

26. Don't monitor logs.

27. Considering Cyber Security as ONE TIME PROJECT

28. Avoid communication with management

29. Considering infosec as cost center with no ROI

30. Keep wifi ssid open without password

31. Miss weekly webinar

32. Never get audit done

33. Don’t use encryption

34. Information security is exempted to Senior management

35. Reassignment of laptops without reimagining

38. Take action after incident only.

39. No classification of data

40. No vulnerability management process

41. Avoid pro active approach

42. Avoid password change policy

43. Use cracked softwares

44 give everyone local Admin rights

45. Become billionaire over email.

46. Using expired SSL

47. Don't provide trainings to IT team

48. Allow visitors to use corporate wifi

49. Never adhere to compliance

50. USB ports are not disabled

51. Avoid latest technology and products

52. Using EOL products

53.Aoid business risks

54.Avoid 24x7 monitoring

55. Avoid maintenance

56. Policies are not meant for seniors leaders

57. Storing secret keys/Password in code

58. Avoid best practices

59. Using Official assets like laptops for recreational purpose

60 avoid asseets management

61. Give money to get decryption key in case if ransomware attack

62. Information Security is NOT responsibility for all employees

63. Encrypted text and Key in same DB

64. Make private keys available to public

65. Use unencrypted ports on web servers

66. Keep admin passwords in text file on desktop

67. We have ISO and are super secure

68. Shhh...don’t record incidents

69. Don't fix code, mitigate on WAF

70. input filtering 100% defeats XSS

71. Cyber security is cost centre only spend if driven through compliance’s

72. Shared OTP and passwords on a form since I just got billionaire

73. Open Internet for all staff

74. No Anti Phishing Solution

75. Lets focus on Detection - Prevention is not required.

76. Let's focus on Prevention - Detection is not required

77. Lets just fix Critical/High only

78.avoid monitoring all controls

79.Hum Amar hai. Can't get hacked

80. Enable powershell/psexec in all domain systems.

81.IDS/IPs on cloud not needed

82. Nothing Confidential, All Social

83. Don't use mac filtering on switces

84. Put everything in same network

85.keep all switch ports opened

86.dont use DHCP snooping on switches

87. DLP without data classification

88. Avoid ether channels

89. Avoid locking system when away

90.disable firewall in local systems

91.Avoid internet content security policies

92. Use open DNS servers

93. Download free songs from pakistani sites

94. Don't monitor which applications are installed on systems

95. Avoid use of multiple vlans

96. Avoid application based control over which use internet.

97. Download torrents without vpn

98.dont call me in case you have role for me ??

99. Allow all kind of vpns

100. Allow open proxies/proxy chains

101. Open any attachment

102. Cybersecurity is myth

103. Cracked softwares are the best.

104. I trust 3rd party vendors/partners.

105. Keep password as Spouse or GF name

106. You can throw your identity card anywhere

107. Keep passwords which are easy to remember and are dictionary words

108. Avoid Zero trust

109. I am Information Security professional , no one can fool me in this field

110. Avoid multi layer security approach

111. IT professionals don’t fall for cyberattacks

112. Only infosec group is responsible for security in organization

113. Office laptop is safest to do All banking and financial transactions for personal use

114. My password is Welcome123

115. Security what , Group4??

116. Avoid physical and environmental control in data centres

117. Management will be with you in case of any Cyber Incident happens

118. I do not take backup

119. Owing to business, install any application used by competitors!

120. Mere paas CEO ka approval hai

121. Raise exception for everything

122. Write the password on whiteboard so that all can see

123 . Avoid data degaussing post life cycle is over

124 . Avoid all type of honeypots

125 . Compliance = Security

126. Allow internet access to all servers

127. Save ID/ passwords in browsers

128. Use same local Administrator password of servers and workstations

129. Enable RDP on all servers

130. Don't set notifications on bad password attempts

131. Avoid privileged account activity monitoring

132. Avoid phishing email simulation attack

133. Avoid SSL VPN

134. Cyber attacks only happens to large businesses

135. Personal devices -laptops, mobiles are allowed for business agility

136. Vendors are given physical access cards without verification to maintain relationships.

137. FTP, wetransfer, sendspace, Dropbox etc are preferred modes of transfer being free and convenient to setup

138. Silver/Golden tickets attacks are myths

139. SMB inbound/outbound from Internet is okay

140. Open Source is must to run any business

141. Domain admin should be member of Domain Users

142. DNS traffic should not be analyzed, it's for domain resolution.

143. Domain privacy should not be enabled.

144. Local Admin password can be same across all workstations

145. Don’t use Microsoft LAPS

146. User Common / shared accounts to reduce load

147. Use same official passwords as you use for your personal accounts

148. Exception/ Risk acceptance takes care of vulnerability

149. I use many good security software/appliances from best OEMs , so I am safe

150 We should not give any credit to Vikas for this and no hats off to Vikas ??

151. CISO ‘s don’t understand business

152. NTDS.dit leave it on public FTP

153. Never keep inventory of Asset(HW and SW)

154. Make service account, part of enterprise admin group

155. Spend crores of rupees on implementing various security solutions and you struggle to get system for patch regularly, because application team is not giving downtime. Business is important.

156.. Bypass Firewall(just like the IPS) and keep life simple

157. Focus less on preventive controls and let Alert fatigue kick in. We need to keep people busy