Mistakes People Make that Lead to Security Breaches
by the SANS Institute
Technological holes account for a great number of successful 
break-ins, but people do their share as well. Here are the SANS 
Institute's lists of the silly things people do that enable 
attackers to succeed. 
The Five Worst Security Mistakes End Users Make 
- Opening unsolicited e-mail attachments without verifying 
their source and checking their content first. 
- Failing to install security patches, especially for Microsoft 
Office, Microsoft Internet Explorer, and Netscape. 
- Installing screen savers or games from unknown sources. 
- Not making and testing backups. 
- Using a modem while connected through a local area network, 
which opens a second path into the network that bypasses the 
firewall. 
The Seven Worst Security Mistakes Senior Executives Make
- Assigning untrained people to maintain security and providing 
neither the training nor the time to make it possible to learn and 
do the job. 
- Failing to understand the relationship of information security 
to the business problem: they understand physical security but do 
not see the consequences of poor information security. 
- Failing to deal with the operational aspects of security: 
making a few fixes and then not allowing the follow-through 
necessary to ensure the problems stay fixed. 
- Relying primarily on a firewall. 
- Failing to realize how much money their information and 
organizational reputations are worth. 
- Authorizing reactive, short-term fixes, so problems re-emerge 
rapidly. 
- Pretending the problem will go away if they ignore it. 
The Ten Worst Security Mistakes Information 
Technology People Make
- Connecting systems to the Internet before hardening them. 
- Connecting test systems to the Internet with default 
accounts/passwords. 
- Failing to update systems when security holes are found. 
- Using telnet and other unencrypted protocols for managing 
systems, routers, firewalls, and PKI, so that passwords and 
session contents cross the network in cleartext. 
- Giving users passwords over the phone or changing user 
passwords in response to telephone or personal requests when 
the requester is not authenticated. 
- Failing to maintain and test backups. 
- Running unnecessary services, especially ftpd, telnetd, 
finger, rpc, mail, and the r-services (rsh, rlogin, rexec). 
- Implementing firewalls with rules that don't stop malicious 
or dangerous traffic, incoming or outgoing. 
- Failing to implement or update virus detection software. 
- Failing to educate users on what to look for and what to do 
when they see a potential security problem. 
And a bonus, number 11: 
- Allowing untrained, uncertified people to take responsibility 
for securing important systems. 
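Several of the IT mistakes above (hardening before connecting, default or 
empty accounts, telnet and the other cleartext services, unnecessary 
daemons) can be caught by a pre-connection check. The script below is an 
added example and is not SANS material; it runs entirely on constructed 
sample data embedded in the script. On a real host you would feed it the 
output of `ss -Hltn` and the contents of /etc/shadow (read as root); the 
port table, the sample socket listing and the sample shadow lines are 
assumptions made for the example.

```shell
#!/bin/sh
# Added example (not SANS material): offline pre-connection audit for the
# "IT people" mistakes above: exposed unencrypted/unnecessary services and
# accounts with no password. All input is constructed sample data; on a
# real host feed it `ss -Hltn` output and /etc/shadow (as root).

# Lookup table (constructed): TCP ports of the services the list names.
RISKY_PORTS='21 ftpd
23 telnetd
25 smtpd
79 fingerd
111 rpcbind
512 rexecd
513 rlogind
514 rshd'

# Reads `ss -Hltn`-style lines on stdin (State Recv-Q Send-Q Local Peer).
# Prints "port service" for each risky port bound to a non-loopback address;
# a loopback-only bind is not reachable from the network and is skipped.
audit_listeners() {
    awk -v table="$RISKY_PORTS" '
        BEGIN {
            n = split(table, rows, "\n")
            for (i = 1; i <= n; i++) {
                split(rows[i], kv, " ")
                risky[kv[1]] = kv[2]
            }
        }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)       # 0.0.0.0:23 or [::]:23 -> 23
            addr = $4; sub(/:[0-9]+$/, "", addr)  # 0.0.0.0:23 -> 0.0.0.0
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (port in risky) print port, risky[port]
        }'
}

# Reads /etc/shadow-style lines on stdin; prints accounts whose password
# field is empty, i.e. anyone can log in without a password. Locked
# accounts ("!" or "*") are fine. A vendor default password is NOT
# detectable this way and has to be changed by policy.
audit_empty_passwords() {
    awk -F: '$2 == "" { print $1 }'
}

# Line count of a possibly empty string (plain wc -l would count "" as 1
# once a newline is appended).
count_lines() {
    if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | wc -l | tr -d ' '; fi
}

# Usage: audit_host "<ss -Hltn output>" "<shadow contents>"
# Prints every finding; returns 1 if the host should stay off the Internet.
audit_host() {
    exposed=$(printf '%s\n' "$1" | audit_listeners)
    nopass=$(printf '%s\n' "$2" | audit_empty_passwords)
    printf '%s\n' "$exposed" | while read -r port svc; do
        if [ -n "$port" ]; then
            echo "EXPOSED: $svc on tcp/$port: disable it, or replace it with ssh/TLS and firewall it"
        fi
    done
    printf '%s\n' "$nopass" | while read -r user; do
        if [ -n "$user" ]; then
            echo "NO PASSWORD: account '$user': lock it or set a strong password"
        fi
    done
    total=$(( $(count_lines "$exposed") + $(count_lines "$nopass") ))
    echo "findings: $total"
    [ "$total" -eq 0 ]
}

# Constructed `ss -Hltn` output for a freshly installed test box.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
LISTEN 0 5 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:79 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 128 0.0.0.0:513 0.0.0.0:*'

# Constructed /etc/shadow excerpt (hashes are placeholders, not real).
SAMPLE_SHADOW='root:$6$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
admin:!:19000:0:99999:7:::
test:$6$placeholderhash:19000:0:99999:7:::'

# Run the check on the sample host (5 exposed services, 1 open account).
audit_host "$SAMPLE_LISTENERS" "$SAMPLE_SHADOW" || echo "host is NOT ready to be connected"
```

The mail listener on 127.0.0.1 is deliberately not reported: a daemon 
bound only to loopback is not the Internet-facing exposure the list is 
about, though it still belongs on the "do we need this at all" review. 
The script is a gate, not a hardening tool: a nonzero exit means stop, 
disable or firewall the listed services, lock or re-password the listed 
accounts, and rerun before the cable goes in.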