So, there is a tendency in our industry to focus on the new, interesting and ultimately irrelevant - the boring-but-important tasks too often get neglected. Consider the following example. Lots of organisations focus on the potential risk of bringing new technologies, applications and infrastructure into the enterprise, overlooking the security of systems already in production - systems that represent the majority of real risk to the organisation.
This tendency can be seen in the infosec industry too. There are literally thousands of books on breaking security - spawned by the classic Hacking Exposed series. But, if you look for a book on boring-but-important security operations practices, there are just a handful!
To spur you into action, consider the following boring-but-important tasks that you may have been overlooking:
• Obtain an up-to-date network diagram of systems you are tasked to protect
• Create a "worry list" containing all of the applications your organisation operates along with the criticality, business owners and supporting infrastructure for each. This sounds a lot easier than it is in practice! A tip - start with the critical processes of your organisation, they will help you identify the most critical applications.
A Business Impact Assessment completed by your Business Continuity Management program may be a useful resource, if you have one. If not, you may have bigger problems than information security!
• Check your security equipment is within comfortable maintenance agreements, not nearing end-of-life. Don’t forget to apply all applicable updates. These can take the form of engine updates, signature updates, operating system updates and so on.
• Check the logs on your security equipment to verify it's operating correctly. The EICAR test virus file can be your friend, helping you determine if your anti-malware and content management systems are operating correctly.
• Identify the internet footprint of your organisation, ensuring that relevant security patches and configuration changes are deployed to internet-facing network services.
• Review privileged accounts for validity in critical applications and infrastructure. If you find unapproved administrative accounts, you may have a potential incident on your hands.
• Check logs to see if privileged administrative accounts are being shared. Dedicated administrative accounts for administrators should be in use, separated from their normal user accounts. Built-in default administrative accounts such as Local Administrator or Domain Administrator on the Windows platform or root on the UNIX platform should only be used for emergency purposes.
• Check that passwords assigned to service accounts, default Local Administrator accounts, and the Domain Administrator account are unique and strong. This helps to compartmentalise a security intrusion.
• Work with the business to inventory and control third-party applications on the desktop fleet. Note that DSD's number one mitigation strategy is to patch third-party applications like Adobe Flash.
• Work with business application owners to apply security patches. This sounds easy, but in practice, obtaining maintenance windows is actually very difficult. Internet-facing applications require 24/7/365 operation, so this can be a genuine challenge.
• Check employees have completed security induction training and have had any appropriate police records checks.
• Check that a robust process is in place for removal of access to systems for soon-to-be ex-employees prior to dismissal.
I hope this little list has inspired you to stop reading about esoteric attacks that will be mitigated by vendor security updates in the near future and take some pragmatic action on those boring-but-important tasks that can actually improve your organisation's security.
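As an added illustration of the "are privileged accounts being shared?" and "are built-in admin accounts in day-to-day use?" checks in the list above (example code written for this post, not taken from it), the snippet below runs both checks over a few constructed logon records. The log format (timestamp, account, source host) and the account and host names are assumptions; adapt the parser to whatever your SIEM or event forwarder actually emits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records, not real data: timestamp, account, source host.
SAMPLE_LOGONS = """\
2024-03-04T08:02:11 adm-jsmith ws-104
2024-03-04T08:05:40 Administrator ws-104
2024-03-04T08:06:02 Administrator ws-221
2024-03-04T08:30:15 adm-jsmith ws-104
2024-03-04T09:10:00 svc-backup srv-bk01
2024-03-04T09:12:30 svc-backup ws-221
2024-03-04T14:00:00 svc-backup srv-bk01
"""

# Built-in accounts that should only appear in the logs during an emergency.
BUILT_IN = {"administrator", "root"}

def parse_logons(text):
    """Turn the assumed 'timestamp account host' lines into tuples."""
    records = []
    for line in text.splitlines():
        ts, account, host = line.split()
        records.append((datetime.fromisoformat(ts), account, host))
    return records

def find_shared_accounts(records, window=timedelta(minutes=30)):
    """Return {account: sorted hosts} for every account that logged on from
    more than one source host within `window`; that pattern is the usual
    sign that one privileged credential is being passed around."""
    by_account = defaultdict(list)
    for ts, account, host in records:
        by_account[account].append((ts, host))
    shared = {}
    for account, uses in by_account.items():
        uses.sort()
        hosts = set()
        for i, (ts, host) in enumerate(uses):
            for ts2, host2 in uses[i + 1:]:
                if ts2 - ts > window:      # uses are sorted, so stop early
                    break
                if host2 != host:
                    hosts.update({host, host2})
        if hosts:
            shared[account] = sorted(hosts)
    return shared

def find_builtin_use(records):
    """Return sorted (account, host) pairs where a built-in admin account was used."""
    return sorted({(a, h) for _, a, h in records if a.lower() in BUILT_IN})
```

Every hit from either function is a question for the account's owner, not proof of compromise; the dedicated admin account used twice from one workstation is correctly left alone.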