Hello, fellow IT admin.
I get it. I too have been the human crawling around on the floor, weaving my way through dust bunnies and coaxial cable, knees poked by zip tie ends, cursing my way to a power strip and knocking RJ45 plugs with snapped-off tabs out of ports while trying to find the one black cable out of 70 that leads to the dead monitor I’m replacing.
I know what it’s like to be the IT administrator for large and small organizations, and how much lies on the shoulders of those of us who provision and maintain devices and services for teams of people who often seem like they exist to be the subject of Reddit posts that start with “You’ll never believe my latest PEBKAC.”
When it comes to our executives' priorities, security often takes a backseat to uptime and functioning devices. If your users have phones that work and a way to get into their databases, it's very tempting to rely on device manufacturers and package maintainers to build in security features. Crossing your fingers and hoping that your device ecosystem is making good choices and your web services aren't leaking PII isn't a complete solution.
So, in the same vein as my last post on what we should expect out of our users, here’s what our users should expect of us.
If you provision devices for your users:
• You should have an answer and a clear policy for updating devices. If your users block updates and you can tell (via device management tools or otherwise), it’s time to discuss with your users why updates should be pushed out immediately.
• Make your users aware that phishing is reported to be up to three times more effective on mobile than on desktops. Small screens truncate sender addresses and URLs, there is no hover-to-preview on a link, and the warnings a laptop's antivirus or browser pops for a problematic download or attachment often never appear on a phone. Run your users through basic phishing and malware training such as that provided for free by public institutions.
• Force mobile passcode adoption and whole device encryption. Period.
• App ecosystems often provide cloud storage outside your organization’s file system. On iOS, it’s iCloud, and many Android devices provide Google Drive by default. You should have a simple policy letting your users know whether they are allowed to use cloud storage for sensitive internal documents.
• Choose and pre-provision a password manager for your users that syncs through a web service, so that it automatically stays in sync between their mobile device and the browser profile on their desktop. Pick one that encrypts the vault on the device with a key derived from the user's master password, so the sync service never sees plaintext credentials, and require multi-factor authentication on it.
If you provision services for users:
• Check every server to make sure a host firewall is enabled with a default-deny inbound policy, so that only the ports you explicitly allow (plus established connections) get through. This is the simplest possible way to keep most hostile traffic off your servers. Write down the listening ports you allow in, and once you know what a box legitimately talks to, consider restricting its outbound traffic as well.
• Every website you serve should be HTTPS by default, with plain HTTP redirecting to it. Get and install TLS certificates from a publicly trusted, WebTrust-audited CA and make sure no warnings appear in any of the major browsers when your users reach your sites. No excuses and no expired or obsolete certificates on this one: the first practical SHA-1 collision was announced on Feb. 23, 2017, and the major browsers already reject SHA-1-signed certificates. Get certificates signed with SHA-256 or stronger, and either keep a renewal calendar or automate issuance and renewal with an ACME client.
• The most reliable protection for your services and data against SQL injection is parameterized queries (prepared statements), so that user input is never spliced into SQL text; validating every form field is a worthwhile second layer, not a substitute. Find out whether the code behind any field that touches your data or services builds its queries by string concatenation. If it does, learn how your developers like their coffee and ask very nicely that they get this fixed ASAP.
• It's Wednesday night. Do you know where your update scripts are? Maintain update scripts that run automatically (cron, a systemd timer, or your distribution's unattended-upgrades mechanism) and log what they did, so that you never have to touch a box to know that package updates and cleanup are happening on a schedule that's convenient for your organization, and so that you notice when a run fails or a host is waiting on a reboot.
• It’s less scientific, but sit down with three of your users and watch them use your services. If you see them stumbling over or avoiding security measures, find out why and mitigate.
• If you're the one implementing a password policy, make it a not-stupid password policy: favor length over arbitrary complexity rules, check new passwords against lists of known-breached ones, and drop forced periodic rotation. Here's a good example. Use it.
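The certificate check the HTTPS bullet asks for, as an added example rather than anything from the original column: it reads a PEM certificate and reports the signature algorithm and the days left until expiry, failing if the signature is weaker than SHA-256 or the certificate expires within a warning window. It assumes OpenSSL is installed; the 30-day threshold and the file paths are illustrative choices.

```shell
#!/bin/sh
# Added example, not from the original column. Checks a PEM certificate for
# a SHA-256-or-stronger signature and for time left before expiry. Assumes
# the openssl CLI; the 30-day default warning window is an arbitrary choice.

# cert_sig_alg FILE -> prints e.g. sha256WithRSAEncryption
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# cert_days_left FILE -> prints whole days until notAfter (negative if expired)
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    # GNU date first; fall back to the BSD/macOS date syntax.
    end_s=$(date -u -d "$end" +%s 2>/dev/null \
        || date -u -j -f '%b %e %H:%M:%S %Y %Z' "$end" +%s)
    now_s=$(date -u +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# check_cert FILE [WARN_DAYS] -> 0 if the signature is SHA-256 or better and
# the certificate does not expire within WARN_DAYS (default 30).
check_cert() {
    file=$1
    warn=${2:-30}
    alg=$(cert_sig_alg "$file")
    case "$alg" in
        sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512|ED25519) ;;
        *) echo "weak or unknown signature algorithm: $alg" >&2; return 1 ;;
    esac
    left=$(cert_days_left "$file")
    if [ "$left" -le "$warn" ]; then
        echo "certificate expires in $left days" >&2
        return 1
    fi
    return 0
}

# Usage against a live site (fetches the leaf certificate the browser sees):
#   openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
#       | openssl x509 > /tmp/live.pem && check_cert /tmp/live.pem 30
```

Run it from cron against every name you serve and have a non-zero exit page someone; an expired certificate is the one outage users will notice before you do.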
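One shape for the update script the "Wednesday night" bullet asks about, as an added example that is not from the original column: a patch run meant for cron or a systemd timer on a Debian or Ubuntu host, with a lock so two runs never overlap, non-interactive package handling, and a distinct exit status when the host is waiting on a reboot. It assumes apt and util-linux `flock`; the lock path, log path and the DRY_RUN switch (which prints the package commands instead of running them) are illustrative choices.

```shell
#!/bin/sh
# Added example, not from the original column. Unattended patch run for a
# Debian/Ubuntu host. Assumes apt-get and flock; LOCK/LOG paths and the
# DRY_RUN switch are illustrative. DRY_RUN=1 prints commands instead of
# running them so the script can be exercised on a workstation.

LOCK=${LOCK:-/var/lock/patch-run.lock}
LOG=${LOG:-/var/log/patch-run.log}

# run CMD... -> runs the command, or prints it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# patch_run -> 0 on success, 2 if another run holds the lock,
# 3 if packages updated but the host now needs a reboot.
patch_run() {
    exec 9>"$LOCK"
    if ! flock -n 9; then
        echo "another patch run holds $LOCK" >&2
        return 2
    fi
    # Never block on a debconf prompt in an unattended run.
    export DEBIAN_FRONTEND=noninteractive
    run apt-get -q update
    # Keep locally edited config files instead of stalling on a question.
    run apt-get -q -y -o Dpkg::Options::=--force-confold dist-upgrade
    run apt-get -q -y autoremove
    run apt-get -q clean
    if [ "${DRY_RUN:-0}" != 1 ] && [ -f /var/run/reboot-required ]; then
        echo "reboot required; schedule it in the maintenance window" >&2
        return 3
    fi
    return 0
}

# Cron entry (as root) for Wednesday night at 02:30, appending to the log:
#   30 2 * * 3 /usr/local/sbin/patch-run.sh >>/var/log/patch-run.log 2>&1
```

The distinct exit codes are the point: a monitoring check can page on 2 (a previous run is stuck) and open a ticket on 3 (kernel updated, reboot pending) instead of every host quietly skipping its patches.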
Additionally, physical security should always be in the back of your mind. If you spend days on creating safe devices and smoothly running services behind sufficient protections, but your server cage is behind a $5 lock from Home Depot, I don’t need to be a 1337 haX0r to own your system. Discuss physical security with your facilities people and consider having your facility penetration-tested by an outfit that specializes in information security.
These are some basic security provisions that your users should expect you to understand and implement to the best of your ability. Each of them is easily implemented by an information technology generalist, not a security specialist. All you need is an open mind…and a bit of search-fu.
Tarah Wheeler is Principal Security Advocate for Symantec Corp. and contributor to CyberScoop.