Plus, users must be told never to click on unexpected links or run active content sent by anyone, including people they know. If the email contains a statement, "This email has been inspected and is 100 percent virus free," almost certainly what it contains is malicious. We need to teach our end users better about phishing and social engineering and what steps they can take to verify any suspected email or Web offer.
4. Neglecting to convey the right concerns to management
Often, security professionals fail to tell senior management about the biggest and most likely threats facing the organization. Most CIOs, CISOs, and CEOs can't tell you what the biggest threats to their environments are, even though they are spending millions of dollars a year trying to defend them.
Once again, you can blame security professionals themselves. We don't collect the right metrics. We report on the number of malware programs detected and removed, or on the number of unauthorized packets blocked by the firewall, but not on the number of malware programs that went undetected and for how long. We need to start figuring out what the biggest and most likely threats to our environment are, and how those threats are getting in, and then send that information up the chain.
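The metrics the column asks for (how malware got in, how often the defenses missed it, and how long it sat undetected) can be computed from ordinary incident records. The script below is an added example, not part of the column; it assumes a constructed CSV layout of one incident per line (host, initial access vector, earliest forensic evidence of compromise, time of discovery, and who or what discovered it) and treats a discovery by anything other than an internal control as a miss. The sample records are constructed for the example.

```python
"""Turn raw incident records into the metrics worth sending up the chain:
incidents per initial access vector, how many the defenses missed, and
how long each infection went undetected (dwell time).
Added example; the record layout is an assumption, not any product's format."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Discoveries credited to these are "the defenses caught it"; anything else
# (a user report, an outside notification) means the defenses missed it.
INTERNAL_CONTROLS = {"antivirus", "edr", "proxy", "firewall"}

# Constructed sample records: host,vector,first_seen,discovered,discovered_by
SAMPLE_LOG = """\
ws-017,phishing,2024-03-01T09:12,2024-03-01T09:40,antivirus
ws-022,phishing,2024-03-03T14:05,2024-03-21T08:30,user_report
srv-db2,unpatched_vpn,2024-02-10T02:00,2024-04-02T11:15,external_notice
ws-041,phishing,2024-03-12T10:00,2024-03-12T10:02,edr
ws-058,removable_media,2024-03-20T08:00,2024-03-22T08:00,edr
"""


@dataclass(frozen=True)
class Incident:
    host: str
    vector: str             # how the malware got in, per the investigation
    first_seen: datetime    # earliest evidence of compromise on the forensic timeline
    discovered: datetime    # when anyone (control or person) noticed it
    discovered_by: str      # which control or party found it


def parse_incident(line: str) -> Incident:
    """Parse one constructed CSV record into an Incident."""
    host, vector, first, found, by = (f.strip() for f in line.split(","))
    return Incident(host, vector, datetime.fromisoformat(first),
                    datetime.fromisoformat(found), by)


def load_incidents(text: str) -> list:
    """Parse every non-blank, non-comment line of the record set."""
    return [parse_incident(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def dwell_days(inc: Incident) -> float:
    """Days the malware ran before anyone noticed."""
    return (inc.discovered - inc.first_seen).total_seconds() / 86400


def missed_by_defenses(inc: Incident) -> bool:
    """True when no internal control detected the infection."""
    return inc.discovered_by not in INTERNAL_CONTROLS


def summarize(incidents: list) -> dict:
    """Per-vector counts, misses and dwell-time statistics."""
    by_vector = defaultdict(list)
    for inc in incidents:
        by_vector[inc.vector].append(inc)
    report = {}
    for vector, incs in by_vector.items():
        dwells = [dwell_days(i) for i in incs]
        report[vector] = {
            "incidents": len(incs),
            "missed_by_defenses": sum(missed_by_defenses(i) for i in incs),
            "median_dwell_days": round(median(dwells), 1),
            "max_dwell_days": round(max(dwells), 1),
        }
    return report


def ranked_threats(report: dict) -> list:
    """Vectors ordered by incident count, ties broken by median dwell time."""
    return sorted(report, key=lambda v: (report[v]["incidents"],
                                         report[v]["median_dwell_days"]),
                  reverse=True)


if __name__ == "__main__":
    summary = summarize(load_incidents(SAMPLE_LOG))
    for vector in ranked_threats(summary):
        print(vector, summary[vector])
```

The point of the ranking is that the phishing vector produces the most incidents while the single VPN compromise has by far the longest dwell time; both facts belong in the report to management, and neither appears in a simple "malware detected" count.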
5. Failing to rebuild compromised computers
If a computer system has been compromised, you can no longer trust it. You have no idea what the unauthorized program did (even if it's identified as adware or some other nearly harmless program). If one program got past the computer's defenses, attacks by other programs or hackers may have occurred as well. Frequently, when an anti-malware scanner says you are now clean, some other undetected (false-negative) malware program is still left behind.
The hard truth is that if a computer has been exploited, it needs to be rebuilt. The data should already have been backed up. Format or reset the OS, reinstall programs, reconnect the network drives, and begin again. This assumes, of course, that you've corrected the problem that allowed the malware into the original compromised system in the first place.
6. Accepting conventional wisdom
The world is full of computer security people who repeat the same old tired lines -- such as "security by obscurity is no security at all" -- without really questioning whether they're true. The moral: Test things for yourself.
For example, I once accepted the conventional wisdom that a particular software vendor's programs are insecure. Everyone "knew" that the products were weak and easily hackable. Then I actually tried hacking them, and after days of attempts, I gave up -- and you're talking to a guy who has successfully broken into almost everything. It was a humbling experience.
If you can get past these six common misconceptions, you'll be a far better computer security defender than the person who hasn't. Don't believe me? Test it out.