Over the years I've published a lot on security best practices. In fact, our SkyView Risk Assessor product is based on all of those recommendations. But today I feel a bit contrarian, so I've decided to post a few "worst practices." And like my "best practices," these are based on my years of experience in the security world.

Worst practice #1 - when asked how all users ended up with *ALLOBJ special authority, the answer was, "I didn't want to take calls in the middle of the night - so I just gave everyone *ALLOBJ."

Worst practice #2 - No auditing. No joblogs. History log cleared. The reason - lack of storage. It also meant that there was a significant lack of evidence when we were called in to investigate a breach that had occurred on their network!

These are just two of the many "worst practices" I've experienced. What are some of your "worst practices?"