ELITECISOs - BAD Security Advice
Today the ELITECISOs Delhi/NCR Chapter members had a Fun Friday, and we collected some BAD SECURITY ADVICE; everyone shares best practices, but hardly anyone follows them. So we decided to prepare some BAD ADVICE. It might trigger some thoughts, and readers may correct what they're doing wrong. This is a raw list of BAD ADVICE that members have contributed. Please expand it and add comments with more such bad advice.
1. Keep Default Passwords
2. Anything goes ("sab chalta hai")
3. Keep all ports open, inbound and outbound
4. No patching
5. No MFA
6. Share passwords
7. No security training for employees
8. No separation of duties/roles
9. Keep Simple Passwords
10. Never test a restore
11. Never check security and compliance dashboards
12. Never share risk with management
13. Don't test BCP
14. No need to patch Linux
15. No AV required for Linux
16. Mac is virus proof
17. Never get VAPT done
18. Boss to have admin rights
19. Avoid HA
20. Never update firmware
21. No backups of data
22. Never record audit logs.
24. Default configuration of open source tools
25. Never harden the OS
26. Don't monitor logs.
27. Considering cyber security a ONE TIME PROJECT
28. Avoid communication with management
29. Considering infosec a cost center with no ROI
30. Keep the Wi-Fi SSID open without a password
31. Miss weekly webinar
32. Never get an audit done
33. Don’t use encryption
34. Senior management is exempt from information security
35. Reassignment of laptops without reimaging
38. Take action only after an incident
39. No classification of data
40. No vulnerability management process
41. Avoid a proactive approach
42. Avoid a password change policy
43. Use cracked software
44. Give everyone local admin rights
45. Become a billionaire over email
46. Using expired SSL certificates
47. Don't provide training to the IT team
48. Allow visitors to use the corporate Wi-Fi
49. Never adhere to compliance
50. USB ports are not disabled
51. Avoid latest technology and products
52. Using EOL products
53. Avoid business risks
54. Avoid 24x7 monitoring
55. Avoid maintenance
56. Policies are not meant for senior leaders
57. Storing secret keys/passwords in code
58. Avoid best practices
59. Using official assets like laptops for recreational purposes
60. Avoid asset management
61. Give money to get the decryption key in case of a ransomware attack
62. Information security is NOT the responsibility of all employees
63. Encrypted text and key in the same DB
64. Make private keys available to public
65. Use unencrypted ports on web servers
66. Keep admin passwords in a text file on the desktop
67. We have ISO certification and are super secure
68. Shhh... don't record incidents
69. Don't fix code, mitigate on WAF
70. Input filtering 100% defeats XSS
71. Cyber security is a cost centre; only spend if driven by compliance
72. Shared OTP and passwords on a form since I just became a billionaire
73. Open Internet for all staff
74. No anti-phishing solution
75. Let's focus on detection; prevention is not required
76. Let's focus on prevention; detection is not required
77. Let's just fix Critical/High only
78. Avoid monitoring all controls
79. We are immortal ("hum amar hai"); we can't get hacked
80. Enable PowerShell/PsExec on all domain systems
81. IDS/IPS on cloud not needed
82. Nothing Confidential, All Social
83. Don't use MAC filtering on switches
84. Put everything in the same network
85. Keep all switch ports open
86. Don't use DHCP snooping on switches
87. DLP without data classification
88. Avoid EtherChannels
89. Avoid locking the system when away
90. Disable the firewall on local systems
91. Avoid internet content security policies
92. Use open DNS servers
93. Download free songs from Pakistani sites
94. Don't monitor which applications are installed on systems
95. Avoid use of multiple VLANs
96. Avoid application-based control over which applications use the internet
97. Download torrents without a VPN
98. Don't call me in case you have a role for me
99. Allow all kinds of VPNs
100. Allow open proxies/proxy chains
101. Open any attachment
102. Cybersecurity is a myth
103. Cracked software is the best
104. I trust 3rd party vendors/partners.
105. Keep your spouse's or girlfriend's name as your password
106. You can throw your identity card anywhere
107. Keep passwords which are easy to remember and are dictionary words
108. Avoid zero trust
109. I am an information security professional; no one can fool me in this field
110. Avoid a multi-layer security approach
111. IT professionals don’t fall for cyberattacks
112. Only the infosec group is responsible for security in the organization
113. The office laptop is the safest place to do all personal banking and financial transactions
114. My password is Welcome123
115. Security? What, Group4?
116. Avoid physical and environmental controls in data centres
117. Management will be with you in case any cyber incident happens
118. I do not take backup
119. For the sake of business, install any application used by competitors!
120. I have the CEO's approval ("mere paas CEO ka approval hai")
121. Raise exception for everything
122. Write the password on the whiteboard so that all can see
123. Avoid degaussing data once its life cycle is over
124. Avoid all types of honeypots
125. Compliance = Security
126. Allow internet access to all servers
127. Save IDs/passwords in browsers
128. Use the same local Administrator password on servers and workstations
129. Enable RDP on all servers
130. Don't set notifications on bad password attempts
131. Avoid privileged account activity monitoring
132. Avoid phishing email simulation attacks
133. Avoid SSL VPN
134. Cyber attacks only happen to large businesses
135. Personal devices (laptops, mobiles) are allowed for business agility
136. Vendors are given physical access cards without verification to maintain relationships.
137. FTP, WeTransfer, SendSpace, Dropbox, etc. are the preferred modes of transfer, being free and convenient to set up
138. Silver/Golden ticket attacks are myths
139. SMB inbound/outbound from Internet is okay
140. Open source is a must to run any business
141. Domain admin should be member of Domain Users
142. DNS traffic should not be analyzed; it's just for domain resolution
143. Domain privacy should not be enabled.
144. Local Admin password can be same across all workstations
145. Don’t use Microsoft LAPS
146. Use common/shared accounts to reduce load
147. Use same official passwords as you use for your personal accounts
148. Exception/risk acceptance takes care of the vulnerability
149. I use a lot of good security software/appliances from the best OEMs, so I am safe
150. We should not give any credit to Vikas for this, and no hats off to Vikas
151. CISOs don't understand business
152. Leave NTDS.dit on a public FTP
153. Never keep an inventory of assets (HW and SW)
154. Make the service account part of the Enterprise Admins group
155. Spend crores of rupees implementing various security solutions, and then struggle to get systems patched regularly because the application team won't give downtime. Business is important.
156. Bypass the firewall (just like the IPS) and keep life simple
157. Focus less on preventive controls and let alert fatigue kick in. We need to keep people busy.
VP & CIO
3 months
Security systems are a waste as they are not 100% safe and guaranteed.
I help IT Teams optimize IT Asset Management Costs & Improve Security | Founder at DigitoWork | Ex-GE | Certified MBB | ITAM/ITSM/IT Security | Cost Out
1 year
Security testing is not needed; our developers have taken care of security.
Cyber Security Program | CISSP, CISM, CRISC
1 year
No security incident has happened till now, so there is no need to implement any new solution now.
Chief Technology Officer at Sbicap Securities Limited
3 years
Keep the admin password simple and share it with the user, and the support engineer says "whenever you have a USB requirement, just log in using the admin credentials and stop the AV service as well, and do not call me as I am busy with other calls".
Chief Information Technology Officer at Everon Energy Systems Pvt. Ltd. - Delhi, India
3 years
Haha... us IT people, trying to find utility even in humor...