Risk Management: Inventory of Assets

Newcomers to the field of IT get so enthralled with having fun implementing new technologies that they neglect some of the most important details to keep from getting fired.  IT is a fun career but most IT employees should remember they theoretically hold the keys to the kingdom.  This kind of knowledge requires planning for unexpected situations.

For instance, let’s assume you are in an office of 15 to 30 people and only have a few servers.  You should try playing the ‘what if’ game.  What if someone stole servers after-hours?  Would you know the details of those servers, the amount of RAM, the number of cores, the applications installed?  If you were gone on vacation when the servers were stolen, how would your co-workers carry on?  Would they have enough details documented to order new servers without having to bother you?  This is just one scenario with a very limited risk factor, but it shows the possibilities involved and how the IT department of one or two would need backup.  Factor in worst case scenarios too.  Imagine what you would do if the building burned down and you had no knowledge of your servers.  You would literally be starting from scratch.

portsec_assetsampleThe first and most important step to detailing a backup plan is identifying your equipment (aka: assets in the accounting world).  There is no need to waste time starting from scratch.  Choose a template like the “Minimum Information Inventory Template” found at the following link:

http://www.colorado.edu/oit/node/1988

Detail your servers and other pertinent information which is requested in this spreadsheet template.  But remember, that is only the first step.  Step two:  store the spreadsheet on a secured file share that is backed up to the cloud or some form of remote storage.  These are important details and should only be shared amongst you and your backup employee.  Step three: cross-train with your co-worker.  In the case you are an IT department of one person, this is the time where you either delegate backup duties to a non-IT person or have an outside contractor on standby.  Someone else needs to be available so you are not bombarded with requests.  Communication between staff will make your job a lot easier.

 

*Originally posted through the PortSec blogger.

Set One and Done

Windows based systems use a security measure known as Discretionary Access Control or DAC for short.  By default, the DAC method puts the user 100% in control of the system making him or her able to set security controls on folder and file permissions.  Windows 7 is an example of a DAC system that makes the first user who boots the PC an administrative user out of the box.  It is very common for the network administrator of many small offices to give the data owner, PC user in many cases, full access to the computer by making him a computer administrator through the Manage Computer snap-in.  The problem with this change comes when a user accidentally or intentionally deletes or changes computer files without the knowledge of the true network administrator.  Even more problematic is when the local drive is shared to other computers leaving the network users to delete or change data on a network drive without knowledge of other computer users or PC administrator.

portsec_gpThe answer to these problems requires research and planning of ways to lock down computers, but the effort can save the network administrator of a small office a lot of time on the backend.  For one, it is safer to control the DAC permissions at a parent level through use of group policies which affect the organization at a global level.  The overview of policies involves setting restrictions for one PC in one place then copying those same restrictions to all computers that log on the domain.  This requires a Windows Server serving as a domain controller and a few internet searches related to group policies.  The domain controller administrator will need to ensure that all network computers are logging on to the domain controller where restrictions are added.  He’ll also need to ensure the restrictions are passed on to, or applied, to the PC through group policy changes.

DAC permissions can be enforced by group policy, but users will still need access to the internet.  A secured PC with full internet access is a contradiction since most viruses and malware are spread using the internet.  This can be fixed through group policy tightening of internet access restrictions in addition to other safety tools like antivirus and real-time access scanning of internet traffic.  If internet security is extremely important, use a proxy server to allow only certain website access.

*pic reference: http://obieosobalu.files.wordpress.com/2011/04/grouppolicy.jpg

 

*Originally posted through the PortSec blogger.

Do as I say, Not as I do

Imagine that your boss tells you to secure your work network and make sure nobody uses the internet unless the boss knows exactly what website was viewed and when.  Before the conversation ends, the boss says “…but make sure I’m excluded from the policy”.  That is comparable to what the NSA is being accused of in relation to the Heartbleed bug exposed last week.  Details are still sketchy based on denial by the NSA and secrecy behind who knew what, but documents released by former NSA contractor Edward Snowden show what may have happened.  Even more confusing is a loophole approved by President Obama which gives authority of hiding the flaws “for national security” according to senior administration officials.

portsec_scanThis CNet article exposes where the NSA supposedly spent millions of dollars acquiring and abusing the nature of flaws like the OpenSSL flaw reported last week.  NSA also was documented as spending ten million dollars paying the encryption company known as RSA to implement flaws in its security technologies.  RSA denied a back door was given while NSA declined to comment.  The question should be raised: If you can’t trust your government, who can you trust?  And what should be your approach to training IT and non-IT staff when it comes to trusting websites.

Trust No One.  First, ensure all work computers are locked down through group policy and limited user restrictions.  The days of allowing users to install anything they want are gone.  Smartphones allow the employee to do anything they want for entertainment such as streaming music, sending emails or playing games during their breaks.  This new freedom via phone means the work computer is strictly for work.  For this reason, internet traffic should be completely locked to work purposes only ensuring no random internet traffic initiated by an employee exposes the entire workforce to a software bug.  Moreover, all internal network traffic should be even more secured by blocking any external sources from entering your network across all ports with exception of those required to do business.  Remember, you cannot trust NSA to stay off your network which means you should trust no one.

*picture credit:

http://artinfo.com

 

*Originally posted through the PortSec blogger.

You look tired. Can I get you something? A data breach maybe?

We spend so much time learning how software can attack a network, but there is a completely different element to hacking that many times goes ignored – humans.  The common criminal will never ask if he can hack, but you can bet he is looking for the best way to get in your network without be noticed.  The most obvious expectation of social engineering is to take advantage of untrained employees.  As an example, a new employee could be tricked into giving unauthorized information or non-observant over the phone or employees could be tricked into escalating security access.  But information technology employees are trained to avoid these types of trickery.  They have years of experience and real-life on-the-job scenarios that help them avoid these problems, right?  Think again.

portsec_aThere are different levels of training for IT staff to avoid security pitfalls, but what happens when well trained employees are manipulated?  The smartest technology in the world can still be dependent on a person acting under every day human nature.  The 2013 Neiman Marcus data breach exposed what almost every network security office in America deals with on a daily basis.  Security events were triggered to give security analysts a chance to catch the would-be criminals, but those events were overlooked by Neiman Marcus employees.  The security system logged over 60,000 ignored alerts.

Possibilities include these alerts being ignored because they came through the same channel as maintenance alerts.  The maintenance alerts, which normally create a large volume of false alarms, could have become white noise to many security employees.  Standards and policies should be constructed to direct staff through proper channels when securing data.  Guidelines should be very specifically defined so no questions arise during implementation.  Hackers with enough patience can trigger alerts on a regular basis to the point these types of alerts begin looking normal to security staff, in essence, become ignored to the human eye.  Careless implementation of security mitigation techniques can be as bad as having no protection at all.

Picture Credit:

http://www.euronews.com/2014/04/07/opisrael-strikes-again-anonymous-hacks-israeli-websites/

 

*Originally posted through the PortSec blogger.