Security Starts with The Secretary

24 09 2007

Most IT Guys sit down and think about security in terms of firewalls and service packs and all the geeky stuff that they learned in that neat seminar on ARP cache poisoning. So it’s no surprise that from a purely digital standpoint, most companies are fairly secure.

The little-followed rule in enterprise is that security must scale evenly across all fronts. Think about it in terms of a mansion you just bought with your lottery winnings. You buy the best security system in the world. It features infrared cameras and perimeter sensors capable of detecting a pin drop. Only you know the code to the alarm. But you don’t even bother to lock your front door. The alarm may go off, but it’s probably too late. You may even have video of the thieves, but a lot of times they don’t care. In security, just like in a fight, the most committed wins. There is always somebody more committed to breaking in than you are to keeping them out. The trick is to put enough hurdles in front of these people that they move on to easier prey.

IT Guy’s 4 Step Process to a secure enterprise

Step 1: Create a policy for EVERYTHING. Pretend you are writing policies a fourth grader would understand. That word you learned in your SAT prep class has no place in a security policy. If somebody off the street can’t understand it, then you can bet that Betty in accounts receivable can’t either. (Sorry Betty.) At least have a policy for internet usage, phones, faxes, devices brought in from home, and e-mail. In any given industry you will probably have about 10 more policies to add to that list. It’s also very important that your policies don’t just state what not to do. Make an acceptable usage policy as well. Many times it’s easier for people to understand when you tell them what they are allowed to do rather than what they aren’t. The best place to start is to buy or browse some cookie-cutter policies and then tweak them to your company’s needs.

Step 2: Educate employees on the security policy! This step is the number one problem with most companies’ security. If you think that making your employees sign some sheet when they are hired that says “I read and understand the security policy” is enough, you are NUTS. Don’t think the HR dept will handle this one either. I’ve seen it too many times: HR becomes complacent in educating employees on the issues because many times HR doesn’t even understand the issues. Make sure you include continued education for new employees and be sure you don’t miss anybody. Your CEO and CFO are more likely to make a mistake and divulge sensitive info that could lead to a compromise than Joe in the mail room. Most likely Joe doesn’t even have any sensitive info to give. This leads me to the number one offender, The Administrative Assistant. Administrative Assistants, Personal Assistants, Secretaries, whatever your company may call them. They are usually busy and have too much going on to spend ample time thinking about security. They make tasty targets to bad guys because they handle information of the highest level. Lastly, don’t forget to make some way for employees to note when strange people call them and ask for info. It can be as simple as an Excel spreadsheet that they write it down in. There is no built-in correlation for humans like firewalls and routers use to alert you to a problem. One weird phone call doesn’t seem like much until you realize 15 other people got the same weird phone call.
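The correlation that firewalls do for you and humans don’t can be bolted onto that spreadsheet with a few lines of code. The following is an added example, not from the original post; the call reports and the column names are constructed for illustration, and the four-hour window and three-employee threshold are assumed values you would tune for your own company.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what employees might jot down in the shared
# "weird phone call" spreadsheet: when the call came in, who took it,
# what the caller claimed to be, and what they asked for. Hypothetical data.
CALL_REPORTS = [
    {"when": "2007-09-24 09:12", "employee": "Betty", "claimed": "new client", "asked_for": "boss's schedule"},
    {"when": "2007-09-24 09:40", "employee": "Nicki", "claimed": "new client", "asked_for": "boss's hobbies"},
    {"when": "2007-09-24 10:05", "employee": "Joe", "claimed": "printer vendor", "asked_for": "network printer IP"},
    {"when": "2007-09-24 10:30", "employee": "Dan", "claimed": "new client", "asked_for": "boss's travel"},
    {"when": "2007-09-26 14:00", "employee": "Betty", "claimed": "new client", "asked_for": "boss's schedule"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def correlate_calls(reports, window=timedelta(hours=4), threshold=3):
    """Group reports by the caller's claimed identity (the pretext) and flag
    any pretext that reaches `threshold` distinct employees inside `window`.
    Returns a list of (pretext, sorted employee names, first call, last call)."""
    by_pretext = defaultdict(list)
    for r in reports:
        by_pretext[r["claimed"].strip().lower()].append((_parse(r["when"]), r["employee"]))
    alerts = []
    for pretext, events in by_pretext.items():
        events.sort()  # time order, so a sliding window works
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            employees = {name for _, name in events[start:end + 1]}
            if len(employees) >= threshold:
                alerts.append((pretext, sorted(employees), events[start][0], events[end][0]))
                break  # one alert per pretext is enough to get IT Guy's attention
    return alerts


if __name__ == "__main__":
    for pretext, who, first, last in correlate_calls(CALL_REPORTS):
        print(f"ALERT: '{pretext}' pretext hit {len(who)} people "
              f"({', '.join(who)}) between {first:%H:%M} and {last:%H:%M}")
```

On the constructed data, the three “new client” calls on the morning of the 24th trip the alert, while the lone printer-vendor call and the repeat two days later do not.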

Step 3: Do all the digital security stuff you already know about. Service patches, firewalls, IDS, IPS, syslog everything, set up a warning system that will alert you to an attack when you are out of the office. One thing IT Guys miss is to TEST these things. Just because you have the latest and greatest firewall and Cisco says it rocks, don’t take their word for it! Find out for yourself. Better yet, if you can afford it, have a third party do a penetration test. You are not very good at testing your own security. You are likely to only notice the strong points that you yourself implemented. Banging away at a ten thousand dollar firewall isn’t going to get you too far, but that little port forward to the DNS server running BIND, you know the one you never think about because it hasn’t been updated in ten years, it just became a man-in-the-middle attacker’s dream.

Step 4: Test everything! Test in the order that you secured. First test your employees. Don’t test the employees by giving them a freaking written test. Everybody loves to test people by giving them a written test where it’s usually multiple-guess choice and half the employees break out in hives. When a thief (notice I don’t use the word hacker) tests your employees he won’t use a written test either. He’ll call up Nicki the Administrative Assistant and tell her he’s a new client and he wants to send her boss a gift, but he doesn’t know what to get because he doesn’t know what the boss likes. She’ll start talking about how he loves to play golf and is an avid fly fisher. To the average person that doesn’t look too bad. Except she just gave them a great starting point for guessing the password to his e-mail account. You need to test these things as if you were trying to steal the info yourself. Lastly, test your digital security. Some tips are listed in Step 3. More often than not you are weaker somewhere other than your digital security.

If anybody starts hitting you up about how much this is “costing” in both time and money, just remind them how much it could cost if they ignore it. Better yet, ask TJ Maxx; they are looking to lose around a billion dollars for their unsecured wireless networks that got broken into.


One response to “Security Starts with The Secretary”

25 09 2007
Joe (07:49:09) :

Quit giving Nicki a hard time. She’s not from this country.
