Cybercrime ~ Threats Due to Lack of Security

written by: Clara Mikeri; article published: year 2006, month 10;



Cybercrime is not the only reason for malicious attacks. Could it be that companies themselves are not taking the necessary preventive measures?

Lists of Mistakes

According to the SANS Institute, the answer to the preceding question is “Yes!” SANS has developed the following three lists of mistakes people make that enable attackers.

End Users: The Five Worst Security Mistakes

  1. Opening unsolicited e-mail attachments from unreliable sources

  2. Forgetting to install security patches, including ones for Microsoft Office, Microsoft Internet Explorer, and Netscape

  3. Downloading screen savers or games from unreliable sources

  4. Not creating or testing backups

  5. Using a modem while connected through a local area network

Corporate Management: The Seven Top Errors That Lead to Computer Security Vulnerabilities

  1. Not providing training to the assigned people who maintain security within the company

  2. Only acknowledging physical security issues while neglecting the need to secure information

  3. Making a few fixes to security problems and not taking the necessary measures to ensure the problems are fixed

  4. Relying mainly on a firewall

  5. Failing to realize how much money intellectual property and business reputations are worth

  6. Authorizing only short-term fixes so problems reemerge rapidly

  7. Pretending the problem will go away if ignored

IT Professionals: The Ten Worst Security Mistakes

  1. Connecting systems to the Internet before hardening them

  2. Connecting test systems to the Internet with default accounts/passwords

  3. Failing to update systems when security holes are found

  4. Using unencrypted protocols for managing systems, routers, firewalls, and PKI

  5. Giving users passwords over the phone or changing them when the requester is not authenticated

  6. Failing to maintain and test backups

  7. Running unnecessary services

  8. Implementing firewalls with rules that do not prevent dangerous incoming or outgoing traffic

  9. Failing to implement or update virus detection software

  10. Failing to educate users on what to do when they see a potential security problem
