Enterprise IT Watch Blog

Jun 30 2011   8:24AM GMT

Don’t pass the buck: Security policies straight from the community

Melanie Yarbrough Profile: MelanieYarbrough

It’s a rocky landscape lately, what with Sony taking over headlines and Lockheed Martin’s recent breach. We wanted to know how our members were setting up a strong offense against hacks and breaches at their own companies, as well as tips on setting up a sufficient defense in the case of a successful breach. We threw out the line, and the IT Knowledge Exchange community responded with some priceless opinions and advice. Does your company have a vague security policy or some recent red flags in your security log? Don’t waste any more time…

Batye suggests a more “proactive approach” to security, such as internal and external testing for security holes; a system for downloading, installing, and configuring updates and patches; and regular security hardware upgrades. Does your budget value security? It will show in your vulnerabilities…

Chippy088 makes a familiar point, which ErroneousGiant seconds: The weakest link is the user.

Because they think you have the system well protected, they don’t care where they browse, or what they download. They are, in the main, non-technical, and think it’s covered, or have not been made aware of the dangers. The attitude being, “I haven’t had a problem at home, so what harm can it do?” I have seen many small companies who regard the user as a minor consideration when making security decisions.

He also warns against social networks, which often create a back door entry point into companies. His suggestion? “Aggressive methods.” Company policy should reflect possible vulnerabilities, and internal methods such as penetration testing could be done without too high a cost.

While ErroneousGiant agreed with Chippy on some things, he was willing to take responsibility, as an administrator, for either “preventing users from putting the company at more than accepted risks or to educate the users about the risk. The IT team are just as responsible for any breach by either not verify[ing] security properly, not having the correct security in place, or not shouting loudly enough if it’s not in place.”

Newer member Ekardris presents an interesting argument and plan of action:

We all know that users inside and outside the organization are going to attempt to breach security (whether they meant to or not). Therefore we have to plan that it will happen, and not be surprised afterwards that it did happen. Our job is to devise systems that will keep 98% of attempts made by amateurs and the ignorant from being effective.

Then plan contingencies for the 2% who we can’t stop from breaking through our security.

He says that most users assume they’ll be kept out of places they shouldn’t be, and so when they discover access to off-limits places, the blame for what happens next falls on IT. It doesn’t take a sophisticated hacker for the most part; there are gaping holes in enterprise security in most places. Some of the most obvious mistakes Ekardris finds:

  • Administrative accounts being used by multiple people
  • Common knowledge within the organization or IT department of the Admin password
  • Tracking turned off on corporate data files
  • Service accounts that are compromised or are the Administrator
  • No Security Policy documented
  • No documentation on security groups, policies and/or explicit rights
  • Inconsistent backups
  • Poor understanding of router and firewall ports
  • Only one security wall between the corporate data and the internet
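Several of the findings above can be checked from the machine itself rather than taken on trust. The following read-only audit script is an added example, not code from the post or from Ekardris; it assumes a Windows host, an elevated session (reading a folder’s audit rules requires SeSecurityPrivilege), and a placeholder data path `D:\CorporateData`. It covers three of the findings: service accounts that run as the Administrator account, data folders with no audit (SACL) entries, and a bloated local Administrators group as the closest observable proxy for a shared or widely known admin password.

```powershell
# Added audit snippet (not from the post). Read-only checks for three of the
# findings in the list above. Assumes a Windows host and an elevated session.
# 'D:\CorporateData' below is a placeholder path, not one from the page.

# Finding: service accounts that are the Administrator account.
function Get-ServicesRunningAsAdministrator {
    # StartName is the logon account, e.g. 'LocalSystem',
    # 'NT AUTHORITY\LocalService', '.\Administrator' or 'CORP\Administrator'.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -match '\\Administrator$' } |
        Select-Object Name, DisplayName, StartName, State, StartMode
}

# Finding: tracking (object-access auditing) turned off on corporate data files.
# Reports every top-level folder under $DataRoot together with the number of
# audit (SACL) entries it carries; zero entries means nothing is tracked there.
function Get-FolderAuditStatus {
    param([Parameter(Mandatory)][string]$DataRoot)

    Get-ChildItem -Path $DataRoot -Directory | ForEach-Object {
        $dir = $_    # capture now: inside 'catch', $_ is the error record
        try {
            $acl = Get-Acl -Path $dir.FullName -Audit
            [pscustomobject]@{
                Folder     = $dir.FullName
                AuditRules = $acl.Audit.Count
                TrackingOn = ($acl.Audit.Count -gt 0)
            }
        } catch {
            # Access denied or missing privilege: report it instead of
            # silently skipping the folder, so the gap shows up in the audit.
            [pscustomobject]@{
                Folder     = $dir.FullName
                AuditRules = $null
                TrackingOn = $null
            }
        }
    }
}

# Finding: admin password as common knowledge / shared admin accounts. This
# cannot be read from configuration, but listing who holds local admin rights
# is the related check that belongs in the same audit.
function Get-LocalAdministrators {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Usage (placeholder data root):
Get-ServicesRunningAsAdministrator | Format-Table -AutoSize

# Folders with no tracking, plus folders whose SACL could not be read.
Get-FolderAuditStatus -DataRoot 'D:\CorporateData' |
    Where-Object { $_.TrackingOn -ne $true } |
    Format-Table -AutoSize

Get-LocalAdministrators | Format-Table -AutoSize
```

A folder SACL only produces events when the matching audit policy is enabled, so pair the second check with `auditpol /get /subcategory:"File System"` and confirm that subcategory reports success and/or failure auditing; otherwise the SACL exists but nothing is ever written to the Security log.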

In answer to these d’oh! moments, he included some tips for companies avoiding Sitting Duck syndrome:

  • Continuous auditing with the IT groups, focusing specifically on corporate requirements, industry best practices, and corporate policies and procedures.
  • Reviewing contingency plans in case of failure and security breaches.
  • Assigning a “security” role that focuses specifically on the organization’s security. This role would be responsible for reviewing corporate security policy, continually gathering security requirements from departmental stakeholders, managing security audits within the organization, and maintaining a discussion around these issues within the entire business organization.

For more from Ekardris and some of the red flags he’s come across during audits, check out his full response here.

How is your company handling the heightened awareness of security these days? Have you seen some of these vulnerabilities or implementations in your own industry? Let us know in the comments section or email me at Melanie@ITKnowledgeExchange.com.

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.

1  Comment on this Post

  • Featured Member: Ekardris - ITKE Community Blog
    [...] out James’s helpful insight into our recent Open IT Forum: Are you on hacking offense or defense? If he’s provided you with a solution in the community, be sure to approve his answer and pay [...]
