If the passwords must be saved in plain text in a file -- such as database credentials for an application -- set up file permissions to restrict who can view the contents of the file. Also, make sure the database account is a service account stripped to the bare privileges.
Blunder 9: Leaving unused accounts lying around
Old, unused accounts are liabilities. Perhaps software was installed for evaluation, then removed -- and the accounts that were added as part of the installation are still on the system. Don’t leave them there. Attackers can exploit forgotten accounts like these, especially if they retain their default passwords.
For accounts that need to remain on the system but will not being used going forward, disable the account by editing the password file and replacing the account password with a string of characters. Obviously, when employees leave your organization, a process should be in place to deprovision their accounts immediately.
Blunder 10: Being lax about patches
The golden rule: Install security updates as soon as they are available (backing up the affected systems first, of course). Too many servers are compromised not because of a zero-day exploit, but because a year-old patch was never installed.
Even if it's a critical server, a little downtime as part of a scheduled maintenance window is far better than losing hours and days because attackers successfully compromised the box. Promptly test patches as they are released and create a schedule for rolling out updates.
Unfortunately, you may be thwarted in your efforts to patch right away -- usually because the patch will break a legacy app. In that case, don’t simply shrug and say “too bad.” Highlight the problem to the appropriate stakeholders. Escalate the issue. Maybe there are ways to quarantine the servers to minimize risk or to adopt new technologies and reduce dependencies on legacy products.
In real life, patching can be a political quagmire. If a manager who outranks you prevents a system from being patched, make sure everyone understands the risks of failing to do so.
Don’t skimp on security tech
As a general rule, security technology helps keep known bad actors out and can help surface problems when things go wonky. There may be good reasons for not running antivirus or firewall on a particular workstation or server, for example, but those situations are rare.
Consider that several types of DDoS malware are currently making the rounds, infecting Linux Web servers because they don’t have tools to keep the badness out. Security tech should be deployed on every endpoint to keep all users -- senior management, workers in the trenches, sys admins, and other individuals with special privileges -- safe from attack.