The Ten Worst Security Mistakes Information
Technology People Make...
1. Connecting systems to the Internet before hardening
them(removing unnecessary services and patching necessary ones).
2. Connecting test systems to the Internet with default
3. Failing to update systems when security vulnerabilities are
found and patches or upgrades are available.
4. Using telnet and other unencrypted protocols for managing
systems, routers, firewalls, and PKI.
5. Giving users passwords over the phone or changing user passwords
in response to telephone or personal requests when the requester is
6. Failing to maintain and test backups.
7. Running unnecessary services, especially ftpd, telnetd, finger,
rpc, mail, rservices.
8. Implementing firewalls with rules that allow malicious or
dangerous traffic - incoming or outgoing.
9. Failing to implement or update virus detection software.
10. Failing to educate users on what to look for and what to do
when they see a potential security problem.
--according to the SANS Institute