IT security pros spend oodles of time trying to hammer best practices into the heads of fellow employees. But in an informal poll conducted by CSOonline, many admitted they don't always follow their own advice.

IT security pros are often driven to drink — literally — over the daily battles of their job: bosses unwilling to accept the rationale for some new security investment, employees who regularly infect their computers by doing things that have nothing to do with their jobs, and vendors who don't understand the company's needs. [The latter example is examined in 8 Dirty Secrets of the IT Security industry.]

But in a recent, unscientific and informal poll CSOonline conducted over such social networks as Twitter and LinkedIn, many IT security pros admitted they've often looked the enemy in the eye only to find themselves staring back in the mirror. Or they've seen carelessness in well-meaning professionals who should know better.

Paul V de Souza, a former chief security engineer at AT&T and owner of the CYBER WARFARE Forum Initiative (CWFI), has seen many an example where IT security pros fail to practice what they preach. "I have noticed that many security professionals do not encrypt their hard drive," he said. "I also see a lack of two-factor authentication deployment. Many of us security professionals rely only on passwords."

Based on the poll and a list provided by Andy Willingham, former network security engineer at EBFC, information security engineer at MARTA and founder/owner of AndyITGuy Consulting, here are seven examples of how security pros cut corners:

1. Using URL shortening services

URL shortening services have become immensely popular in recent years, especially among security pros who use such forums as Twitter to share content. The problem is that URL-shortening services are sometimes insecure and unstable. For examples, see New Spam Trick: Shortened URLs and 5 More Facebook, Twitter Scams to Avoid. In the latter example, Graham Cluley, senior technology consultant with U.K.-based security firm Sophos, noted in a recent interview that some URL-shortening services have begun trying to filter out bad sites by checking URLs against known blacklists, but that the issue is far from resolved, particularly because, despite increased efforts to block malicious links, Twitter and Facebook have no filtering mechanism for bad shortened URLs.

2. Granting themselves exemptions in the firewall/Web proxy/content filter

Willingham noted that it's not uncommon for security pros to bypass the very security mechanisms they enforce on other employees, often because those mechanisms get in the way or because they are in a hurry to get a particular task done.

One senior system engineer, who isn't named due to the sensitive nature of the topic, admitted he has run several development and test systems without an active firewall or antivirus out of necessity.

"I preach security every day, and I know I'm guilty of many of the worst offenses I warn people to avoid," he said. "As a field employee, I am very much my own system administrator. I know in an office environment I could, and probably would, have many more restrictions in place, but working from home and customer locations, as well as the occasional coffee shop, I just can't take the time to follow all the rules I tell others to follow."

3. Snooping into files/folders that they don't own

Nobody admitted outright that they have done this themselves, but Willingham and others polled said they know of cases where fellow security practitioners have gone into someone else's files. Sometimes it was because of an investigation into a security incident. Other times, it was simply a matter of having the access and being nosy.

4. Using default or easy passwords

Willingham noted that IT security practitioners are often guilty of giving themselves easy-to-remember passwords such as the name of their city or town, a pet's name or a favorite beverage. This, of course, flies in the face of everything we've heard about using complex passwords or nixing passwords altogether in favor of a more secure method of authentication.

5. Failure to patch

The second Tuesday of each month, e-mail inboxes are crushed beneath the weight of advisories from vendors, analysts and others regarding the security patches Microsoft almost always releases on that day. But security practitioners say they don't always keep their systems fully patched, or that they have seen others make do without some critical fixes. [See Example 5 in 7 Deadly Sins of Networking Security] The reasons range from underdeveloped patch management systems to the simple belief that fast patching isn't the imperative some make it out to be.

"I don't always keep my own systems patched/updated," said the anonymous security practitioner first mentioned in Example 2.

"While professing a defense-in-depth strategy, many security pros leave their own systems unpatched and with the default settings untouched because 'I know what I am doing,'" said Tomas Palmer, a partner at SkyCipher, former senior security program manager at Microsoft and former director at Spacelabs Healthcare.

6. Using open wireless access points

IT security practitioners know it's not always safe to latch onto the wireless network at an airport, coffee shop or conference (including Black Hat and Defcon, where wi-fi hacks have become legendary), but when one needs to get online to get some crucial e-mail, check on problems with a Web page or simply stave off boredom, the nearest wi-fi is often good enough.

7. Misuse of USB sticks and other removable storage devices

Security practitioners often complain that employees lose removable storage devices containing sensitive data on airplanes, buses and curbsides. But Willingham said security pros are often just as guilty.

Admitted the anonymous security practitioner first mentioned in Example 2: "I use USB sticks often, frequently not cleaned of other customer data, or confidential proprietary data."