7 Deadly Sins of Network Security

Companies that suffer serious security breaches have almost always committed one (or all) of 7 deadly security sins. Is your company guilty?

"For the overwhelming majority of attacks exploiting known vulnerabilities, the patch had been available for months prior to the breach," Verizon says on page 15 of its 2008 Data Breach Investigations Report. "Also worthy of mention is that no breaches were caused by exploits of vulnerabilities patched within a month or less of the attack."

The bad guys know a lot of companies are slow to patch, and so they continue to cook up exploits for the older vulnerabilities, experts say. In fact, security experts say, worms like Blaster and Sasser -- launched four to five years ago against vulnerabilities for which patches were made available around the same period -- are still in wide circulation today.

Dan Ward, an IT security analyst at Acxiom, cites this as one of the major sins on his personal list. The problem, he says, extends beyond poor operating system patching to middleware, application and even device driver security updates.

6. Lax logging, monitoring

The final item on the list involves the failure of many organizations to keep an eye on all the activity logs coming out of the various devices on the network. As McGann points out, a company must know what's going on in the network in order to secure it.

Ward agrees. "Log management is one of those issues that no one really likes to deal with," he says. "But since we're security professionals, we really need to dig into our log data and understand what's happening at all levels of the end-user chain."

7. Spurning the K.I.S.S.

It has been said that in the art of network security one must observe the K.I.S.S. principle -- "keep it simple, stupid," or "keep it simple for security." Unfortunately, networks are getting increasingly complex as companies bolt one device onto the next, often configuring things badly along the way.

Add the failure to segment certain parts of the network from other parts and you have a recipe for disaster.

"What can I say? Complexity is bad, very bad," Brush says.

Nick Puetz, director of data security at FishNet Security, says trusted networking is one of the founding concepts of IT security. However, while most companies will spend millions of dollars to secure their perimeter, "they don't take any time to segment their internal network."

As a result, it becomes impossible to get a grip on where sensitive data is flowing from one part of the network to the next. If you can't be certain where all the data is on the network, protecting it is exceedingly difficult. It's also the type of thing compliance auditors frown upon.
