Technology‎ > ‎Best Practices‎ > ‎

Rebels and Vulnerabilities

posted Dec 19, 2015, 9:02 PM by GamerDadster Video Gaming   [ updated Dec 23, 2015, 9:35 PM ]
Star Wars and IT Security - The Force Awakens
I had the distinct pleasure of seeing #StarWars Thursday night at an advanced screening presented by several IT companies including #OPTIV [f1] and #Checkpoint [f2]. I came away with a smile knowing that I am part of the Rebel Alliance that is in a never ending fight against the Galactic Empire and the Dark Internet fighting their scourge, the likes of Darth Vader [f3], Dark Avenger [f4] and so many other forms of vulnerabilities and viruses.
Helping the Alliance...
In all my years of IT and IT Security there has always been many weak links just like the infamous thermal exhaust port [f5] that can bring down any system. I have long concluded that our largest weakness has always been not properly training our front-line people on the war, our users. Further to that, we are always trying to combine too many systems, or not using system zoning or proper 
placement in order to save a few bucks. In many cases this leads to short term gains which is intended to make someone look good, or to get that needed check box on their list.  Inevitably this results in problems, and everything eventually comes crashing down.

Creating a new weapon in the war!
When a home is an easy mark it will be taken advantage of, made more difficult, a criminal will move on to an easier target. Same applies to IT, there will always be a better mousetrap, a smarter virus, and better hacker, but there are so many ways to mitigate many of the problems. The first place to start is with user education, followed by updating poorly written software with top notch Open-source software [f6] or commercial applications. Below are my top ten wishes that I'd like to implement in an ideal work environment that had tons-o-funding available.

There always has to be a starting point, so why not today? Plan on getting it done, and if you are so close to completing your goal, sometimes all it takes is that extra 10% to arrive at that milestone. Remember that what you achieve today can make tomorrow all that better, easier, and more productive.

Take that first step. Let me know how it goes.

Top ten IT wish list
Most organizations when engaging new IT hires places those new resources to work as immediately as possible. In many circumstances that may be fine, however, when those new hires have access to systems that are mission critical, or systems that have access to those same systems, it should give rise to pause.

A new hire always introduces additional security risks, and despite what is on the hire's resume, you really have no idea of their true IT abilities or intentions. Ideally these new hires need to be properly supervised until they fully understand their role in the new organization. What might have been deemed an acceptable or learned IT process at some organizations, might be a risk in other organisations and would need mitigation. Give your rebels the proper tools to help the fight.

It never seems to amaze me the number of IT experts there are out there among our families, friends, and colleagues. More interestingly, most of these people have never studied, trained, or practiced IT as a profession. Pay close attention to those new hires, they can be even more dangerous...a little knowledge is a dangerous thing. Then there is the other side, people who have no IT experience, that will unknowingly open an infected email and create a problem. IT admins will then have to clean it up, only to have that same person open a similar infected message the next day. Is it not easier to teach what is best done and not done before it is needed?

3) Properly allocated budgets to keep the alliance running!
It is rare that you can do more with less, automation in many cases can help with this, but rarely can there be an additional gains on systems that have already been automated. Replacing old systems with new ones can be perceived as a savings, but there are always additional costs that are almost always never factored into the equation. Additional training for users, administrators, and customers in some cases will result in those undocumented costs. In some cases there are no options but to upgrade systems for many reasons including obsolescence, and this might be the time to look at alternatives such as FOSS (Free Open Source Software [f7]), but again, remember that even though it is free to get, that does not mean it is free to operate properly.

4) Appropriate levels of staff to research, maintain, monitor, and action alerts
In all my years of IT in both the private and public sector I have never heard any organization asking IT managers to hire more staff to make sure that all systems are properly monitored and maintained, and while that process is underway, hire a few extra just to make sure that all alerts are read, and actioned. IT staffing has always been problematic in my mind, savings at one end is always offset at the other end.

5) Properly Zoned and Classified Systems
There is so much that can be said and done in this area, but in a nut shell it is important that data you are attempting to protect is properly classified. This applies to both the Private and Public sector. Once you have an idea of what is of value, and what needs to be protected, then the appropriate safeguards can be put in place. If the data is of such important value, does it need encryption? Is that information connected to the Internet? Do the servers in your organization have access to the Internet? Why? Do they really need access? Do you use a proxy and URL system to limit user and systems access to the Internet? White listing, black listing? UTM? IDS/IPS? There are so many options and permutations that can help you reach your goals if you clearly understand what it is you are trying achieve and the value of the respective data.

6) Best in class
There are times that you can save, and there are times that the need is for best in class. Yes, you can save money by using an alternative in some cases instead of first class products from the likes of #Checkpoint [f2], #Cisco [f8], #Fortigate [f9]#Sophos [f10]and a few others, but it is up to you to determine the risk, comfort level, and availability of the system. Cost of the system is not always key, if it is a mission critical system, availability of support might be key, and that normally does not come for free. Support on a 24/7 basis for all suppliers costs money, and is therefore reflected in the cost of the systems. The Open Source movement does create best in class products too, but just remember that support is usually a trade off at 1:30AM during a system crisis.

7) Software updates
I don't think I need to go into many details here. Patching is a top priority, and upgrading to the latest versions of operating code when possible while ensuring that the systems are still meeting the needs of the organization is key. I will take a moment here to make reference to item #4 on this list, patching of systems usually is the first thing to go when staffing levels are low, and although the systems might be stable, and patched as much as possible, they might still be vulnerable.

8) Sandboxed users
Do your users really need Internet access from the corporate network? No, then restrict Internet access, or use whitelists and blacklists. Perhaps instituting a browsing system that can allow your user community to access the Internet, but be far more secure by using technologies such as a terminal server, a browser appliance [f13], Citrix [f14], or proxy server in a restricted zone. Just remember that at one time it was necessary to allow personal calls on the corporate phone system so that families can communicate and have peace of mind, at this time it happens over the Internet through instant messaging, VOIP, and video calls. BYOD might be part of that solution.

9) BYOD [f11], [f12]
Bring your own device is a growing trend. In my opinion if your organization's policy is against this benefit, they are wrong. Lets face it, these days you can isolate BYOD traffic to a segregated network and still allow the user community to receive family updates. DIY types will not need to think twice before trying to plug in a wireless access point. Will they still need to use their desktops to connect to external email systems and other types of services with this benefit? In my opinion this must be clearly communicated as a benefit, and have similar safeguards, responsibilities, and limitations similar to the corporate network.

10) CANI - Constant and Never-ending Improvement [f15], [f16]
When we learn something as an organization, we need to document it, and make it part of the organization's culture and processes. Make sure that that same information is communicated to new hires. Apply the same philosophy to those in the know, and to the systems that support the organization.

  1. Linkedin alternative: Optiv
  2. Linkedin alternative: Checkpoint
  3. (Darth Vader)
  4. (Dark Avenger)