Maksim Kabakou - Fotolia
This month, I open my closet door and pick out three of my favorite soap boxes: patching, backup and access control. These three areas of IT, if implemented with a thought through and sensible set of configurations and associated operational policies and procedures, will go a long way in ensuring IT operations are robust and resilient.
These three areas are key cyber defenses, but are often overlooked in favour of whizzy software or appliances. I have nothing against whizzy software or appliances as some are quite necessary, such as a firewall or email scanning appliances, but given the range of threats against an organisation’s IT, defence in depth should be the mantra.
Modern IT systems have a lot of in-built functionality that is often not exploited to its full potential, or only exploited minimally due to a lack of knowledge.
Maintaining a good security patching regime will help in reducing the vulnerability footprint of an IT system. Exploiting the in-built access and authentication features of Active Directory through the sensible use of roles and permissions will limit the spread of malware or limit the impact of a successful ransomware attack, and will also be a key element in achieving General Data Protection Regulation (GDPR) compliance. Equally, a well-tested set of backups will save the day should a malware or ransomware attack be successful.
Good regular backups, besides being a “get out of jail card” should something go wrong, can also assist with patching in that you can employ a “patch and be dammed” approach to patching and use backups to recover should a patch upset a legacy or in-house developed application. But should that happen, you will need to apply pressure on your application supplier to fix their product, because, in combination with an unpatched OS, it leaves the IT system with an unnecessary vulnerability.
Active Directory roles and permissions can be used to limit what a user can access on the network and limit their actions. For example, only HR people need to see HR files, and in HR highly sensitive information might need to be restricted to manager-level access.
Create and write access might also be restricted to a limited group of people. For this example, you might have roles defined as HR-Read, HR-Create, HR-Sensitive and HR-Manager.
It goes without saying that absolutely no-one should have read/write access to a company’s whole file system – not even the managing director. File access and file permissions should be based on job function and not a person’s seniority. If a group of files (in a specific folder, for example) only need to be read by a specific group, assign that group a role that allows only read access to that group of files or folder.
There are many other things a company can do to improve IT resilience, such as ensuring key or critical data is held in resilient memory (e.g. RAID’ed arrays of disk drives) so that servers have sufficient resources to perform their function (memory, CPU) and have their in-built firewalls turned on (and correctly configured). Furthermore, ensure infrastructure devices, such as Wi-Fi units, printers and Ethernet switches, all have the latest firmware.
All of this is basic good practice, but often not practiced well enough.