Sadik Al-Abdulla leads a team that spends its days assessing and cracking into systems to find weaknesses. Al-Abdulla is director of security solutions for CDW, and his team has conducted more than 5,000 network, malware and data loss prevention assessments.
Now, based on assessments done in the past two years, here are what Al-Abdulla calls the five "highest-risk, easiest things to fix":
1. Risk: Gaps in configuration and gaps in patch discipline
The Fix: Document, remediate, automate, review and repeat.
2. Risk: Bad passwords
The Fix: Educate users and test, test, test.
3. Risk: Phishing attacks
The Fix: Teach users what to avoid and to report attacks.
4. Risk: Arbitrary trusts between systems
The Fix: Make sure systems don’t allow unintended access that would let an intruder crack one and then gain unguarded access to more critical systems.
5. Risk: Interconnected end-user systems
The Fix: Ensure that there’s effective internal network segmentation; other than for IP communications and instant messaging protocols, user systems do not need to talk to one another.
In addition, Al-Abdulla noted five complex challenges that organizations must confront. These require IT, security and management teams to work together and focus on the triad of policy, education and technology enforcement:
6. Risk: Exploitable sensitive data
For Starters: Create a distinct infrastructure for mission-critical systems.
7. Risk: Malware egress points
For Starters: Hunt for the malware, remove it, repair the infrastructure — repeat.
8. Risk: Data leakage
For Starters: Identify data traveling where it’s not supposed to, plug the leak — repeat.
9. Risk: Poor data policies
For Starters: Assess the network, fix leaks, rewrite policies and enforce them.
10. Risk: Email gaffes
For Starters: Educate users about data that is sacrosanct and should never be gathered, shared or stored in email systems.