10 Information Security Mistakes: A False Sense of Security

Ten practices that create false security: capturing logs without sufficient detail, policies no one follows, vulnerability scans without remediation processes, pen tests excluding workstations, controlling inbound only, relying solely on antivirus, weak encryption, untuned tools, powerless security officers, and assuming compliance equals security.

Technologies and processes often provide organizations with a false sense of security. The company goes through the motions of deploying a security tool or following an oversight procedure, but the benefit to the security posture might be negligible. Here’s my list of 10 information security mistakes that lead to this situation:

The organization captures event logs, but the auditing level lacks the details needed to identify security incidents or investigate intrusions.
The organization has an information security policy that no one actually follows.
The organization performs vulnerability scans, but does not have a consistent process for addressing the discovered security issues.
The organization conducts a penetration test without including employees’ workstations in the project’s scope.
The organization tightly controls traffic from the Internet without restricting and monitoring outbound network activities.
The organization relies solely on anti-virus software to address malware threats.
The organization encrypts password stored in the database, but uses a weak encryption algorithm.
The organization deploys a data security tool without customizing and tuning its configuration.
The organization hires an information security officer without empowering the person to critique IT decisions or to affect change.
The organization assumes its data is secure because it recently passed a compliance audit.

It’s unfortunate when organizations implement controls that provide a false sense of security. Sometimes they do this because they don’t know better. Sometimes they do this and try to pretend that they don’t know better.

For more thoughts on where an infosec program can go wrong, see my cheat sheet How to Suck at Information Security.

About the Author

Lenny Zeltser is a cybersecurity leader with deep technical roots and product management experience. He created REMnux, an open-source malware analysis toolkit, and the reverse-engineering course at SANS Institute. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He writes this blog to think out loud and share resources with the community.

Learn more →