WindowSecurity.com Newsletter of March 2011 Sponsored by: Entrust
Welcome to the WindowSecurity.com newsletter by George Chetcuti, BSc in Computing & IS (Honors), CISA, MCP, HP Certified. Each month we will bring you interesting and helpful information on the world of security. We want to know what *you* are interested in hearing about, so please send your suggestions for future newsletter content to: firstname.lastname@example.org
1. Discovering IT Risks
Welcome to the third edition of the WindowSecurity.com monthly newsletter. This month I will be talking about some of the most common IT risks we may encounter from internal and external entities. The generic risks and suggested resolutions described here were experienced personally, and I am sharing them with you to prompt a discussion of real IT risks within your IT teams.
The failure of an IT resource can damage the organization's reputation, cause loss of revenue and bring stressful times for all employees, especially the IT staff handling the recovery of the failed resources. Worse, a failure incident can wreak havoc in an IT department if the cause is found to be negligence by the IT staff. In this context negligence means not following procedures, not protecting assets, not updating services, and so on. By understanding the risks surrounding your IT infrastructure you can plan accordingly, avoid unexpected surprises, and give senior management the information they need to decide whether to mitigate each risk or simply accept it.
Classifying risks is one of the most important steps when assessing them. Without going into much detail, a good approach is to divide IT risks into two groups: external and internal. External IT risks are broadly common to all organizations operating within the same business sector. These are sometimes called generic risks and include virus and malware attacks, hacking, DDoS, natural disasters, etc. Internal IT risks, conversely, are to a large extent unique to each organization. These are sometimes called specific risks, and the major threat here is considered to be internal staff.
External IT Risks
Discovering external IT risks starts with the simple process of listing every resource that is reachable by external entities, such as web services, including the web servers and the frontend and backend applications behind them. One common mistake is to ignore services that are hosted internally but interface with external entities, such as remote connections through VPNs or remote desktop solutions. These services and assets must be part of your external risk assessment.
Apart from the classification of assets, a risk assessment involves other steps, and I recommend that organizations perform a thorough exercise to quantify the likelihood and impact that each risk may have on the business. Nonetheless, some basic rules help smaller organizations limit their exposure even if they have never performed a risk assessment: regular education and training of IT staff (especially in security governance), investment in good security software, keeping all software updated with the latest security patches, and making sure that any running software is configured correctly. It's better to be safe than sorry, so ask third-party consultants to configure advanced security software and have someone test your environment.
Separate external services from internal ones as much as possible, because overlapping boundaries make risk mitigation more difficult. This is not always possible, but an organization that finds its major threat is, for example, the email server can move to a hosted solution to reduce its internal risk. Remember that email services carry both internal and external risks!
Internal IT Risks
As with external assets, internal assets need to be identified, but pay attention to the risk identification step, because internal risks are quite different from external ones. Nowadays end users may have full physical or logical access to resources. Discovering internal IT risks is not a by-the-book exercise, as they are unique to each business environment. However, I would like to share some common risks that most organizations are likely facing at the moment. Organizations are undoubtedly facing an invasion of smartphones and portable devices such as netbooks, fancy laptops and flash drives. These devices may carry sensitive data outside the organization, and that data may end up in the hands of external entities if the devices are not properly secured. A typical scenario is a laptop that bridges a secure internal network to the Internet through its built-in Wi-Fi or an ad hoc network. The much-needed portability technology has therefore brought a new wave of threats!
As mentioned previously, internal employees are the biggest risk, let alone disgruntled ones! Security awareness and education programs need to be in place, and IT staff should adhere to IT policies and best practices. If an organization manages to put practical policies in place and verifies that they are being followed, then it has reached an adequate maturity level as regards security governance. I recommend that internal employees are tested against these policies from time to time. Just as a white-hat security expert is called in to hack the environment, IT staff should be tested against social engineering and for adherence to IT policies. Speaking of IT policies, some organizations simply adopt generic templates published on the Web.
When IT policies are too strict or not relevant to the environment, they hinder the business. Badly planned procedures can affect business processes and demotivate employees. One of the best practices I have found for mitigating IT risks related to IT staff is segregation of IT duties and, where this is not possible, role switching. Segregation of duties reduces the potential damage from the actions of one person, such as a web developer uploading a fix to a production machine without testing it in a staging environment. In small IT teams where segregation of duties is not completely possible, role switching uncovers weaknesses in the support and maintenance procedures. For instance, a new member of IT staff may find it difficult or impossible to maintain a system because the previous system administrator did not follow the organization's standards or rules.
While to err is human, well-developed software is definitely less prone to error. Therefore, where possible, automate repetitive tasks, as software code never gets bored and never takes shortcuts. I suggest you visit WindowSecurity.com's software section for a comprehensive list of security and monitoring software. Enjoy :)
Should you have any ideas for content in future editions of the WindowSecurity.com newsletter or would like to ask questions, you're more than welcome to e-mail me at email@example.com
See you next month! - George
2. WindowSecurity.com Articles of Interest
3. Tip of the Month
Windows Portqry Version 2
PortQryV2 is a command-line tool that helps you troubleshoot TCP/IP connectivity issues. It is similar to the Telnet client, but it supports UDP ports as well, whereas Telnet supports only TCP ports. This makes PortQry very useful when testing connectivity for DNS and other UDP services. For each port it reports LISTENING, NOT LISTENING or FILTERED; note that for UDP a silent port cannot be told apart from a firewalled one, so PortQry reports it as LISTENING or FILTERED. Another important advantage of PortQry is that you can specify the source port of the test. This is very useful when testing firewall rules that filter traffic based on its source port.
For example, the command syntax for testing a remote host using a specific source port would be:
portqry -n destination -e 25 -sp 25
For more information about PortQry visit Testing Service Connectivity with PortQry
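To show what PortQry is actually doing when it classifies a port, here is an added example that re-implements its TCP and UDP probes in Python, including the source-port pinning of the -sp switch and the DNS query it sends on UDP/53. This is my own illustration, not PortQry's code or a Microsoft tool; the function names, the verdict strings and the loopback_demo() fixture (a throwaway TCP listener and a fake DNS responder on 127.0.0.1, constructed so the example runs offline) are my assumptions. The demo pins a high source port because binding a port below 1024, as in the -sp 25 example above, needs administrator or root rights.

```python
import random
import socket
import struct
import threading

# Verdicts mirror PortQry's report: three states for TCP, and an explicitly
# ambiguous state for UDP when nothing comes back.
LISTENING, NOT_LISTENING, FILTERED = "LISTENING", "NOT LISTENING", "FILTERED"
LISTENING_OR_FILTERED = "LISTENING OR FILTERED"

def build_dns_query(name, qid=None):
    """Minimal DNS A query (RFC 1035 wire format); an empty datagram sent to
    UDP/53 would simply be ignored, so a real query is needed to get an answer."""
    qid = random.randrange(0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _open(kind, source_port, timeout):
    """Create a socket and, like PortQry's -sp, pin the local port (assumed
    helper; ports below 1024 need admin/root rights, so the demo uses a high one)."""
    sock = socket.socket(socket.AF_INET, kind)
    sock.settimeout(timeout)
    if source_port:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(("", source_port))
    return sock

def tcp_probe(host, port, source_port=0, timeout=2.0):
    """SYN/ACK -> LISTENING, RST -> NOT LISTENING, no answer -> FILTERED."""
    sock = _open(socket.SOCK_STREAM, source_port, timeout)
    try:
        sock.connect((host, port))
        return LISTENING
    except ConnectionRefusedError:
        return NOT_LISTENING
    except socket.timeout:
        return FILTERED
    finally:
        sock.close()

def udp_probe(host, port, payload, source_port=0, timeout=2.0):
    """Reply -> LISTENING; ICMP port-unreachable -> NOT LISTENING (a connected UDP
    socket surfaces it as ECONNREFUSED on Linux, WSAECONNRESET on Windows);
    silence cannot tell a quiet service from a firewall, hence the third verdict."""
    sock = _open(socket.SOCK_DGRAM, source_port, timeout)
    try:
        sock.connect((host, port))
        sock.send(payload)
        sock.recv(512)
        return LISTENING
    except (ConnectionRefusedError, ConnectionResetError):
        return NOT_LISTENING
    except socket.timeout:
        return LISTENING_OR_FILTERED
    finally:
        sock.close()

def _free_port():
    # Ask the OS for an unused loopback port and release it again.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def loopback_demo():
    """Probe constructed loopback services so the example runs offline. Returns
    the verdicts plus whether the listener really saw the pinned source port."""
    results, seen = {}, {}
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # open TCP port
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def accept_once():
        conn, addr = srv.accept()
        seen["peer_port"] = addr[1]
        conn.close()
    t = threading.Thread(target=accept_once, daemon=True)
    t.start()
    source_port = _free_port()
    results["tcp_open"] = tcp_probe("127.0.0.1", srv.getsockname()[1], source_port)
    t.join(2)
    srv.close()
    results["source_port_seen"] = seen.get("peer_port") == source_port
    results["tcp_closed"] = tcp_probe("127.0.0.1", _free_port())  # nothing listens there
    dns = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # fake resolver on UDP
    dns.bind(("127.0.0.1", 0))
    def answer_once():
        data, addr = dns.recvfrom(512)
        dns.sendto(data[:2] + b"\x81\x80" + data[4:], addr)  # same ID, QR=1
    u = threading.Thread(target=answer_once, daemon=True)
    u.start()
    results["udp_open"] = udp_probe("127.0.0.1", dns.getsockname()[1], build_dns_query("example.com"))
    u.join(2)
    dns.close()
    return results

if __name__ == "__main__":
    for check, verdict in loopback_demo().items():
        print(f"{check}: {verdict}")
```

Against a real host, tcp_probe("mail.example.com", 25, source_port=25) is the equivalent of the portqry command shown above, and a FILTERED result there while a probe from an ephemeral source port reports LISTENING is exactly the source-port-based firewall rule the tip describes.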
4. Latest Security Exploits and Concerns
5. Ask a Question
I would like to share a forum post for this month's Ask a Question section. Our WindowSecurity.com message boards are a great source of information, where you get free support and an exchange of brilliant ideas. I urge you to participate!
One of my colleagues sent me a link to their website and I know that this site is safe. But Norton came up and said the website was not safe. Any ideas what may cause a website to come up as not safe in Norton Internet Security?
Does a box pop open which reads "Norton Site Safety, Site is Unsafe" and then go away? If so, it is caused by "Norton Safe Web".
Have your colleague read and follow the directions in this link.