7 Ways Security Pros DON'T Practice What They Preach

IT security pros spend oodles of time trying to hammer best practices into the heads of fellow employees. But in an informal poll conducted by CSOonline, many admitted they don't always follow their own advice.

By , Senior Editor

September 22, 2009CSO

IT security pros are often driven to drink -- literally -- over the daily battles of their job: bosses unwilling to accept the rationale for some new security investment, employees who regularly infect their computers by doing things that have nothing to do with their jobs, and vendors who don't understand the company's needs. [The latter example is examined in 8 Dirty Secrets of the IT Security industry.]

But in a recent, unscientific and informal poll CSOonline conducted over such social networks as Twitter and LinkedIn, many IT security pros admitted they've often looked the enemy in the eye only to find themselves staring back in the mirror. Or, they've seen carelessness in well-meaning professionals who should know better.

SEE ALSO: Ouch! Security Pros' Worst Mistakes

Paul V de Souza, a former chief security engineer at AT&T and owner of the CYBER WARFARE Forum Initiative (CWFI), has seen many an example where IT security pros fail to practice what they preach. "I have noticed that many security professionals do not encrypt their hard drive," he said. "I also see a lack of two-factor authentication deployment. Many of us security professionals rely only on passwords."

Based on the poll and a list provided by Andy Willingham, former network security engineer at EBFC, information security engineer at MARTA and founder/owner of AndyITGuy Consulting, here are seven examples of how security pros cut corners:

not practicing what they preach: first reason

Using URL shortening services
URL shortening services have become immensely popular in recent years, especially among security pros who use such forums as Twitter to share content. The problem is that URL-shortening services are sometimes insecure and unstable. For examples, see New Spam Trick: Shortened URLs and 5 More Facebook, Twitter Scams to Avoid.

In the latter example, Graham Cluley, senior technology consultant with U.K.-based security firm Sophos, noted in a recent interview that some URL-shortening services have begun to try filtering out bad sites by checking URLs against known black lists, but that the issue is far from resolved, particularly because despite increased efforts to block malicious links, Twitter and Facebook do not have a filtering mechanism for bad shortened URLs.

not practicing what they preach: second reason

Granting themselves exemptions in the firewall/Web proxy/content filter
Willingham noted that it's not uncommon for security pros to bypass the very security mechanisms they enforce on other employees, often because those mechanisms get in the way or because they are in a hurry to get a particular task done.

One, senior system engineer, who isn't named due to the sensitive nature of the topic, admitted he has run several development and test systems without an active firewall or antivirus out of necessity.

RESOURCE CENTER