Come the turn of the year, many people draw up a list of predictions for the next. This list is slightly different: instead of focusing on what new threats, vulnerabilities or attacks we'll see, this is a list of some things that, if not already handled, should be in your security strategy for this year. Some organisations are further along than others, and this list is targeted at the average ZA organisation based on my observations. (Full disclosure: some of the items relate to services my employer offers, but that's only because I believe in them.)
- Get a handle on what you have online. Many orgs have a much larger Internet presence than what's sitting in their hosting centre. Cheap hosting, elastic hosting, service providers with their own infrastructure (particularly those catering directly to business units), and half-forgotten subsidiaries & business partners all put services online that tend to get overlooked, yet expose your company to brand damage or give an attacker a way into your network. Best of all, finding them is cheap & quick to do. Consolidating the results into controlled hosting areas and applying consistent security standards unfortunately isn't.
- Check up on exceptions to the basics. By now most have at least a basic patch, virus, change & configuration management process for servers. If you don't, start. If you do, start checking on exceptions such as:
  - How many servers don't we know about & why?
  - How many servers don't have AV & patches up to date?
  - How many changes that didn't go through change control were made?
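The two items above (knowing what you have online, and reporting on exceptions to patch, AV and change control) both come down to reconciling what you think you have against what is actually observed. As an added example that is not part of the original post, the script below does that reconciliation over constructed data: a hypothetical asset register (`KNOWN`), a scan or cloud export of what is actually online (`DISCOVERED`), and a change log (`CHANGES`). All hostnames, dates, ticket numbers and policy thresholds are made up for the example; plug in your own CMDB and scanner output.

```python
"""Exception report over server inventory data.

Added example, not from the original post. All data below is constructed:
KNOWN is the asset register (what we think we have), DISCOVERED is what a
network scan / DNS / cloud export actually found, CHANGES is the change log.
"""
from datetime import date

TODAY = date(2011, 1, 10)  # fixed reference date so the report is reproducible

KNOWN = {  # constructed asset register
    "web01": {"owner": "infra", "location": "hosting-centre"},
    "web02": {"owner": "infra", "location": "hosting-centre"},
    "crm01": {"owner": "sales", "location": "cloud-provider"},
    "db01": {"owner": "infra", "location": "hosting-centre"},
}

DISCOVERED = {  # constructed scan results; None means the host reported nothing
    "web01": {"av_sig_date": "2011-01-09", "last_patch": "2011-01-05", "pending_patches": 0},
    "web02": {"av_sig_date": "2010-11-20", "last_patch": "2010-10-12", "pending_patches": 7},
    "crm01": {"av_sig_date": "2011-01-08", "last_patch": "2011-01-03", "pending_patches": 0},
    "promo-site": {"av_sig_date": None, "last_patch": None, "pending_patches": None},
}

CHANGES = [  # constructed change log; ticket is None when nobody raised a change
    {"host": "web01", "when": "2011-01-04", "what": "apply January MS patches", "ticket": "CHG-1001"},
    {"host": "web02", "when": "2011-01-06", "what": "edited httpd.conf", "ticket": None},
    {"host": "crm01", "when": "2011-01-07", "what": "added firewall rule", "ticket": "CHG-1004"},
]

AV_MAX_AGE_DAYS = 7      # hypothetical policy: AV signatures must be under a week old
PATCH_MAX_AGE_DAYS = 30  # hypothetical policy: patched within the last month, nothing pending


def _age(iso_date):
    """Days between an ISO date string and the reference date."""
    return (TODAY - date.fromisoformat(iso_date)).days


def unknown_servers(known, discovered):
    """Hosts seen online with no asset-register entry, i.e. nobody owns them."""
    return sorted(set(discovered) - set(known))


def missing_from_scan(known, discovered):
    """Registered hosts the scan never saw: decommissioned, renamed, or a scanning blind spot."""
    return sorted(set(known) - set(discovered))


def stale_protection(discovered, av_max=AV_MAX_AGE_DAYS, patch_max=PATCH_MAX_AGE_DAYS):
    """Hosts whose AV signatures or patch level breach policy, with the reason for each."""
    findings = {}
    for host, status in sorted(discovered.items()):
        reasons = []
        if status["av_sig_date"] is None:
            reasons.append("no AV agent reporting")
        elif _age(status["av_sig_date"]) > av_max:
            reasons.append(f"AV signatures {_age(status['av_sig_date'])} days old")
        if status["last_patch"] is None:
            reasons.append("no patch status")
        elif _age(status["last_patch"]) > patch_max or (status["pending_patches"] or 0) > 0:
            reasons.append(f"{status['pending_patches']} patches pending, "
                           f"last patched {_age(status['last_patch'])} days ago")
        if reasons:
            findings[host] = reasons
    return findings


def uncontrolled_changes(changes):
    """Changes that were made without a change-control ticket."""
    return [c for c in changes if not c.get("ticket")]


def exception_report(known=KNOWN, discovered=DISCOVERED, changes=CHANGES):
    """The four exception questions from the post, answered as one dict."""
    return {
        "unknown_servers": unknown_servers(known, discovered),
        "missing_from_scan": missing_from_scan(known, discovered),
        "stale_protection": stale_protection(discovered),
        "uncontrolled_changes": [f"{c['host']}: {c['what']}" for c in uncontrolled_changes(changes)],
    }


if __name__ == "__main__":
    for section, items in exception_report().items():
        print(f"== {section} ({len(items)}) ==")
        if isinstance(items, dict):
            for host, reasons in items.items():
                print(f"  {host}: {'; '.join(reasons)}")
        else:
            for item in items:
                print(f"  {item}")
```

The point of the `missing_from_scan` bucket is that it answers the "why" half of "how many servers don't we know about & why": a host in the register but absent from the scan is either gone (clean up the register) or sitting somewhere your scanner can't reach (fix the coverage). Run this on a schedule and trend the counts; the numbers going up is the signal that the basic processes are leaking.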
- Third party patches. Microsoft did some good work in sorting out their patch release cycles and it's fairly easy to get those patches applied regularly. Unfortunately the attacks have moved to the harder-to-patch, less secure software on machines operated by less savvy users. This means you need to start managing non-MS patches, and you need to do it on more than just servers. Worse still, each third party software provider has their own update mechanism, which is hard to centrally manage (in a Windows environment at least). Big ticket patch management tools have long had this capability, but they also come with the price tag. Cheaper tools such as Secunia CSI, or even the right vulnerability scanner, can at least alert on what needs doing.
- Mobile security *processes* - People have hyped mobile security for years, and we're at a point where there's a reasonable expectation that a majority of information workers have at least company email & calendar data on their phones. The most likely threat is the device being lost or trivially accessed. Figure out what controls you can push to the largest number of devices (e.g. MS ActiveSync allows passwords and lock times to be enforced, & iDevices or RIM devices have an extended set of controls). More important, however, is implementing processes for using these. They don't need to be perfect, but at a minimum employees should be able to report lost or stolen phones and have a remote wipe command sent & passwords reset.
- Physical Access Management - It's 2011 and there are still wildly inconsistent ways in which this is managed. Make sure there is proper equipment sign in/out, that guards actually check bags & that legitimate data is entered (or go for the Ricardo Semler approach, but don't pay for an awkward middle ground). I still regularly sign in as Osama Bin Laden and walk in/out with laptops hidden in my bag. There are some nice advances in tech in ZA too; electronic sign in devices that look up ID numbers OTA and take copies of fingerprints. Next up, make sure there's adequate camera coverage of your offices & that suspicious behaviour is actually queried. A guy in a suit should not be an untested edge case.