IT Security Focusing On What’s Important

If you are like most in the information technology (IT) security field, you are inundated with alerts, systems that need patching, and bogus emails to investigate. To be successful, you need to keep a hyper focus on what's important.

Patching

When you perform vulnerability scans and manage a large number of systems, you are not going to be able to patch every vulnerability that is discovered. You need to review the list, focus, and patch the most important vulnerabilities first, because not every vulnerability needs to be addressed right away. The most important vulnerabilities are the ones being actively exploited in the wild; those certainly need to be patched as soon as possible. A vulnerability with a lower chance of being exploited should still be addressed, but take care of the most critical vulnerabilities first.

I have seen too many people attempting to fix every vulnerability on the list, which can take time and resources away from more important tasks. I have also seen some that look at the vulnerability list, deem it daunting and do not make progress on it.

Logging and Alerting

Logs and alerts need to be tuned. If you have set up alerting and it just goes to a folder in Outlook for you to review later, you have already lost. Alerts need to be tuned so that you can take action on the important alerts and are not inundated with false positives. Purchasing a SIEM or a managed SIEM can help tame the alerts and make them somewhat useful to you.

When setting up logging you need to define what is important to log and send those logs to a central location. Those logs should at some point be put into a SIEM, or some sort of syslog combined with a monitoring and alerting system, so you can take action on them if you need to. This also saves you from having to look in numerous locations for logs, saving valuable time.

Finally, appoint someone to be in charge of alerts as alerts by committee will not work.
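The tuning described above, as an added example that is not part of the original post: a small Python filter that takes a raw alert stream, drops informational rules and a documented benign source, merges repeats of the same alert within a window into one record with a count, and puts high-severity items at the top. The alert records, the suppression list and the severity table are constructed sample data, not real SIEM output.

```python
"""Alert tuning: collapse a noisy alert stream into a short list an
analyst can act on. Added example, not from the original post; the
alert records and tuning rules below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw alerts as a SIEM might emit them: (timestamp, rule, host, detail)
RAW_ALERTS = [
    ("2024-05-01T09:00:01", "failed-login", "web-01", "user=svc-backup"),
    ("2024-05-01T09:00:02", "failed-login", "web-01", "user=svc-backup"),
    ("2024-05-01T09:00:03", "failed-login", "web-01", "user=svc-backup"),
    ("2024-05-01T09:05:00", "av-signature-update", "ws-17", "ok"),
    ("2024-05-01T09:10:00", "new-admin-account", "dc-01", "user=tmpadmin"),
    ("2024-05-01T09:10:30", "failed-login", "vpn-01", "user=vuln-scanner"),
    ("2024-05-01T10:30:00", "failed-login", "web-01", "user=svc-backup"),
]

# Tuning decisions written down explicitly so they can be reviewed later.
SUPPRESS_RULES = {"av-signature-update"}                        # informational, never actionable
KNOWN_BENIGN = {("failed-login", "vpn-01", "user=vuln-scanner")}  # documented internal scanner
WINDOW = timedelta(minutes=15)                                   # merge repeats inside this window
SEVERITY = {"new-admin-account": "high", "failed-login": "low"}


def _record(rule, host, detail, first_seen, count):
    return {
        "rule": rule,
        "host": host,
        "detail": detail,
        "first_seen": first_seen,
        "count": count,
        "severity": SEVERITY.get(rule, "medium"),
    }


def tune(alerts):
    """Return actionable alerts: suppressed and known-benign entries removed,
    repeats of the same (rule, host, detail) within WINDOW merged with a count,
    high severity first, then oldest first."""
    buckets = defaultdict(list)
    for ts, rule, host, detail in alerts:
        if rule in SUPPRESS_RULES or (rule, host, detail) in KNOWN_BENIGN:
            continue
        buckets[(rule, host, detail)].append(datetime.fromisoformat(ts))

    out = []
    for (rule, host, detail), times in buckets.items():
        times.sort()
        start, count = times[0], 1
        for t in times[1:]:
            if t - start <= WINDOW:
                count += 1            # same burst, just bump the counter
            else:
                out.append(_record(rule, host, detail, start, count))
                start, count = t, 1   # new burst outside the window
        out.append(_record(rule, host, detail, start, count))

    out.sort(key=lambda a: (a["severity"] != "high", a["first_seen"]))
    return out


if __name__ == "__main__":
    for a in tune(RAW_ALERTS):
        print(f'{a["severity"]:<6} {a["first_seen"]} {a["rule"]:<18} '
              f'{a["host"]:<7} {a["detail"]} x{a["count"]}')
```

Seven raw alerts come out as three actionable records; the point of keeping SUPPRESS_RULES and KNOWN_BENIGN as plain data is that every tuning decision stays visible and can be revisited when the environment changes.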

Define what is important to protect

Any IT security professional will tell you that you are not going to be able to protect everything, but the security controls you put in place are critical to your success.

The first step in this process is to define which data and systems are critical or have a high value to protect. This then allows you to build the controls you need to protect the data and systems as needed.

For example, a file server that contains critical customer data is much more important than a file server that just contains IT software install files. You would design controls around the critical data, such as ACLs, encrypting the data, and software that records who accessed the data and what they did with it. You would not put the same controls on the server with the software installs.

You cannot provide the same level of protection to all systems, so you need to divide and conquer.
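The Patching section and the section above both come down to the same ranking: actively exploited first, then the value of the system the finding sits on, then raw severity. As an added example that is not from the original post, the Python below ranks constructed scanner findings against a constructed "known exploited" list and a constructed asset criticality table; the host names, vulnerability identifiers and scores are made up for illustration, not real CVEs or systems.

```python
"""Vulnerability triage: rank scan findings by exploitation status,
asset criticality and severity, and assign a patch tier.

Added example, not from the original post. The scan records, the
known-exploited list and the asset table are constructed sample data."""
from dataclasses import dataclass

# Constructed asset inventory: 3 = critical customer data, 1 = low value
# (for example a share holding nothing but installer files).
ASSET_CRITICALITY = {
    "fs-customer-01": 3,
    "fs-installers-01": 1,
    "dns-01": 2,
}

# Constructed list of vulnerability IDs reported as actively exploited.
KNOWN_EXPLOITED = {"VULN-0003", "VULN-0007"}

# Constructed scanner output: (host, vulnerability id, CVSS base score).
SCAN_FINDINGS = [
    ("fs-installers-01", "VULN-0001", 9.8),
    ("fs-customer-01", "VULN-0002", 8.1),
    ("fs-customer-01", "VULN-0003", 7.5),
    ("dns-01", "VULN-0004", 4.0),
    ("fs-installers-01", "VULN-0007", 6.1),
]

EXPLOITED_BONUS = 100.0  # anything exploited in the wild outranks everything else


@dataclass
class Finding:
    host: str
    vuln_id: str
    cvss: float
    exploited: bool
    criticality: int

    def risk_score(self) -> float:
        # Severity weighted by how much the affected asset matters,
        # with active exploitation dominating the ordering.
        return self.cvss * self.criticality + (EXPLOITED_BONUS if self.exploited else 0.0)

    def tier(self) -> str:
        if self.exploited:
            return "P1-patch-now"
        if self.criticality >= 3 and self.cvss >= 7.0:
            return "P2-this-cycle"
        return "P3-scheduled"


def triage(findings, known_exploited, asset_criticality):
    """Return findings ordered from most to least urgent."""
    ranked = [
        Finding(host, vid, cvss, vid in known_exploited, asset_criticality.get(host, 1))
        for host, vid, cvss in findings
    ]
    ranked.sort(key=Finding.risk_score, reverse=True)
    return ranked


if __name__ == "__main__":
    for f in triage(SCAN_FINDINGS, KNOWN_EXPLOITED, ASSET_CRITICALITY):
        print(f"{f.tier():<15} {f.host:<17} {f.vuln_id} cvss={f.cvss} score={f.risk_score():.1f}")
```

Note that with this weighting the 9.8 on the low-value installer share lands in P3 behind an 8.1 on the customer data server: the point is that severity alone does not decide the order, the asset it lives on does too.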

Set up the proper firewall controls and rules

I have been working on firewalls for over 20 years and what always amazes me is how poorly firewalls are set up.

The first item that always sticks out is how many old and unused rules and objects are still configured on the firewall. Leaving old rules enabled on a firewall can allow access to a system you did not intend to expose, or open up a vulnerability you did not consider.

The second item I have seen is allowing any service and any network to go outbound. Typically, most servers do not need internet access; if they do, it should only be for the services and functions that are necessary (for example, a DNS server allowed out to resolve names, or an SMTP server allowed outbound to send email).
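A rule-base review that checks for the two problems just described, as an added example that is not from the original post or any vendor's tooling: it walks a constructed toy rule table, flags allow rules with no hits inside a stale window, flags outbound rules that permit any service, flags any/any/any rules, and lists address objects no rule references any more. The object names, rules and hit counts are constructed sample data, and the stale threshold is an assumption chosen for illustration.

```python
"""Firewall rule-base review: flag stale rules, over-permissive outbound
rules and unreferenced objects. Added example, not from the original post;
the rule base below is a constructed toy, not any vendor's format."""
from datetime import date

# Constructed address objects (name -> CIDR).
ADDRESS_OBJECTS = {
    "dns-servers": "10.0.1.0/28",
    "mail-relay": "10.0.2.5/32",
    "app-tier": "10.0.3.0/24",
    "old-proxy": "10.0.9.9/32",   # nothing references this any more
}

# Constructed rules: (name, src, dst, service, action, hit_count, last_hit)
RULES = [
    ("dns-out", "dns-servers", "any", "dns", "allow", 48213, date(2024, 5, 1)),
    ("smtp-out", "mail-relay", "any", "smtp", "allow", 1902, date(2024, 4, 30)),
    ("app-internet", "app-tier", "any", "any", "allow", 77, date(2024, 5, 1)),
    ("legacy-ftp", "app-tier", "any", "ftp", "allow", 0, None),
    ("vendor-temp", "any", "any", "any", "allow", 12, date(2022, 11, 3)),
]

STALE_AFTER_DAYS = 90  # assumed review threshold, tune to your change cadence


def audit(rules, address_objects, today):
    """Return (name, finding) pairs for rules and objects worth a second look."""
    findings = []
    referenced = set()
    for name, src, dst, svc, action, hits, last_hit in rules:
        referenced.update({src, dst})
        if action != "allow":
            continue
        if hits == 0 or last_hit is None or (today - last_hit).days > STALE_AFTER_DAYS:
            findings.append((name, f"stale: no hits in the last {STALE_AFTER_DAYS} days"))
        if src == "any" and dst == "any" and svc == "any":
            findings.append((name, "any/any/any: overly permissive"))
        elif dst == "any" and svc == "any":
            findings.append((name, "outbound any-service: restrict to required services"))
    for obj in address_objects:
        if obj not in referenced:
            findings.append((obj, "unreferenced object: candidate for removal"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(RULES, ADDRESS_OBJECTS, date.today()):
        print(f"{name:<14} {finding}")
```

The two rules that match the post's good cases, DNS out from the resolvers and SMTP out from the relay, produce no findings; the rest is exactly the clutter a review should surface before it is removed or tightened.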

You should also enable the threat capabilities on firewalls. If your firewall has the ability to set up Anti-Virus and IPS functions, do it. If it also has the ability to send files up to the Internet to be analyzed by a sandbox, do that as well. About fifty percent or more of Internet traffic is sent encrypted, so you might want to decrypt the SSL traffic so you can better detect incoming threats.

Geo-blocking is another feature that is very important to enable on the firewall. Blocking access to countries that host known threat actors can better protect your network and is relatively easy to enable.

Final Thoughts

The list I have provided above is really just a start. A well-defined IT security program is developed over time, with the business buying into the culture of security. If you do not have business buy-in, and your users are bypassing your controls without consequences, you will be helpless in defending your network.

It is also important to be a bit flexible with your security approach; sometimes it makes sense to make exceptions to your IT security policies to fit a business need. A good way to fail and lose credibility is to say no just because you can or because you have a Napoleon power trip. You need to be part of the solution, not part of the problem. What I mean by that is that I have seen many IT professionals in general enforce policies just because they think they are right, but they are ultimately wrong, and it costs the business and the users of IT systems valuable time and money.