First Things First - Content Filtering
Firewall configuration should have been a single post, but I realized that I do quite a lot of configuration without even thinking about it. With that said, I decided to break this up into small but progressively more complicated tasks.
One of the things I see disabled almost immediately by most firewall admins is content filtering. Yes, it is overbearing and annoying, and it raises concerns over censorship. What it can do is protect your workstations from the malicious junk floating around the internet, embedded in sites users really had no reason to be on in the first place. Here are some tips for keeping your job and keeping people on your side:
1. Go slowly: If you don't have content filtering turned on, configure the policy to block only sites in high-risk categories such as freeware or malware. Then enable content filtering and see if anything breaks. If your platform has a log-only or monitor mode, use it first: a week of logs showing what would have been blocked tells you what will break before anyone's phone rings.
Next, print off the list of categories available in your platform and take it to the leadership of your organization to get approval on which categories you can block and which are off limits. Establish a process for whitelisting sites that are miscategorized or are necessary for business. I like to set up a system where I can email the decision maker and only whitelist a site with their approval in an email, so every exception has a written owner and a reason.
Once you have your marching orders, enable one category per day and wait for the calls to come in. One at a time means that when something breaks, you know exactly which category caused it.
2. Explain the change in advance, and let leadership take the heat for the decision.
3. Work with users, don't make them feel like you're working against them.
Advanced Categories and Custom Configs:
I will shout it out on top of a mountain: "I HATE ADS"
I also have found that it's very easy to block them by loading the ad frame in a separate window and grabbing the URL. I then add the serving domain to my blacklist (the domain, not the full URL, since the paths change constantly) and say goodbye to the Russian Brides and the free games. If the Zedo issue from earlier this week taught us anything, it's that no good comes from ads.
The other category that I really like, but that breaks a lot of sites, is "Uncategorized". Freshly registered domains used for malware delivery and command-and-control are almost never categorized yet, so blocking Uncategorized is effectively blocking the unknown. Be advised, your life will be hell for a while. But after some tweaking and some grumbling, malware infections at the customer sites that have allowed me to implement this have plummeted. One customer had 5 infections in a week, and since we put the work into this category it's dropped to one in 9 months.
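The staged rollout, the approval-based whitelist and the ad/Uncategorized blocking described above, as an added example that is not code from the original post: a small Python policy engine with a log-only mode. It assumes a constructed hostname-to-category table standing in for the vendor's category database; the hostnames, category names and sample URLs are made up for the example. The decision order is allowlist, then explicit blacklist, then blocked categories, then the Uncategorized default, and staged_rollout() enables one category at a time and reports what each stage would newly block.

```python
"""Added example for this page, not any firewall vendor's configuration.

CATEGORY_DB and SAMPLE_URLS are constructed; a real deployment would ask the
filtering platform for the category instead of consulting a dict.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed lookup table: domain -> vendor-style category.
# Any host not matched here is treated as "Uncategorized".
CATEGORY_DB = {
    "updates.example-vendor.com": "Software Downloads",
    "crackz.example.net": "Freeware",
    "malware-c2.example.org": "Malware",
    "ads.example-network.com": "Advertising",
    "news.example.com": "News",
}

# Constructed traffic sample, standing in for a day of proxy/firewall logs.
SAMPLE_URLS = [
    "https://news.example.com/story/1",
    "http://www.ads.example-network.com/frame?id=7",     # ad frame grabbed from a page
    "http://crackz.example.net/free-games.exe",
    "http://malware-c2.example.org/gate.php",
    "https://updates.example-vendor.com/patch.msi",
    "https://newvendorportal.example.biz/login",         # not in DB -> Uncategorized
    "https://partner.example.biz/api",                   # not in DB, but approved by email
]


def host_of(url):
    """Lower-case hostname without port, or '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def matches(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def lookup_category(host, db=CATEGORY_DB):
    """Longest-suffix match against the category table; default Uncategorized."""
    best = None
    for domain, category in db.items():
        if host == domain or host.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, category)
    return best[1] if best else "Uncategorized"


class ContentPolicy:
    """One firewall content policy. enforce=False is the log-only mode:
    anything that would be denied is recorded as 'would_block' but allowed."""

    def __init__(self, blocked_categories, blacklist=(), allowlist=(),
                 block_uncategorized=False, enforce=False):
        self.blocked_categories = set(blocked_categories)
        self.blacklist = set(blacklist)      # hand-added ad/junk domains
        self.allowlist = set(allowlist)      # exceptions approved by the decision maker
        self.block_uncategorized = block_uncategorized
        self.enforce = enforce
        self.hits = Counter()                # (verdict, reason) -> count

    def _deny(self, reason):
        verdict = "block" if self.enforce else "would_block"
        self.hits[(verdict, reason)] += 1
        return verdict, reason

    def _allow(self, reason):
        self.hits[("allow", reason)] += 1
        return "allow", reason

    def evaluate(self, url):
        """Return (verdict, reason). Allowlist wins over everything else so an
        approved exception survives a miscategorization or a blacklist entry."""
        host = host_of(url)
        if matches(host, self.allowlist):
            return self._allow("allowlist")
        if matches(host, self.blacklist):
            return self._deny("blacklist")
        category = lookup_category(host)
        if category in self.blocked_categories:
            return self._deny("category:" + category)
        if category == "Uncategorized" and self.block_uncategorized:
            return self._deny("uncategorized")
        return self._allow("category:" + category)

    def report(self):
        """Denied (or would-be-denied) reasons with counts: what broke, or would."""
        return {reason: n for (verdict, reason), n in self.hits.items()
                if verdict != "allow"}


def staged_rollout(urls, schedule, **policy_kwargs):
    """Simulate the 'one category per day' rollout in log-only mode.
    Returns [(category, urls newly denied by that category), ...] per stage."""
    stages, enabled = [], []
    for category in schedule:
        enabled.append(category)
        policy = ContentPolicy(enabled, enforce=False, **policy_kwargs)
        newly = [u for u in urls
                 if policy.evaluate(u) == ("would_block", "category:" + category)]
        stages.append((category, newly))
    return stages


if __name__ == "__main__":
    policy = ContentPolicy(["Freeware", "Malware"],
                           blacklist=["ads.example-network.com"],
                           allowlist=["partner.example.biz"],
                           block_uncategorized=True, enforce=False)
    for url in SAMPLE_URLS:
        print(policy.evaluate(url), url)
    print("would block:", policy.report())
    for category, urls in staged_rollout(SAMPLE_URLS, ["Freeware", "Malware", "Advertising"]):
        print(f"day: enable {category} -> newly denied {urls}")
```

Run it with enforce=False against a day of real log URLs before flipping enforce=True; the report() output is the list you take to the people who will get the calls.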
Finally, stick to your guns. This will likely be a painful change for a lot of users but it will be worth it in the long run.
Friday, October 3, 2014
Thursday, October 2, 2014
SMB Infosec - Diamonds from Dust Part 1
This is the first post in what I expect will become a series on methods I have come up with for securing the SMB company with limited resources.
Diamonds from Dust will be written primarily from an MSP's point of view. I firmly believe that every small business needs a partner with some technical resources in order to remain secure. This isn't about an onsite person's technical abilities at all, it's about economies of scale.
This post is about selecting a vendor. This will be the only post written from a customer's perspective.
Here we go!
The 5 things your MSP must have:
1. Technical Certification: Any MSP that has been around a while will have certified engineers on hand. This is to meet requirements for vendor recognition programs. Vendor recognition drives prices down and service up. You want that ability in your MSP.
2. A Monitoring Solution (with custom rules): Monitoring is critical, and custom rules tuned to your environment are what turn raw alerts into insight. A well-tuned monitoring solution is key to your success and security.
3. A Security Focus: Your MSP must be interested and immersed in security. It must care, and it must respond to threats.
4. A Customer Notification System: You need to be kept in the loop when things go bad, so the MSP needs a way to notify customers rapidly.
5. A Solid BCDR Solution: This will be the subject of at least 2 more posts in the coming weeks and months.
Next Post: Minimum Firewall Settings
Other Topics Coming:
BCDR
Monitoring Rules
Managing AV
Incident Response
Planning
Tuesday, September 30, 2014
InfoSec Leadership - Creating a culture and avoiding gimmicks
Intro:
An organization's identity and culture is a source of pride for many, and a source of many problems for others. I have been studying Organizational Leadership for quite a while now, and have come to realize that IT in general, and Infosec in particular, is mostly getting it wrong.
Why?
In general, IT has been promoting the best technical people into roles of leadership. Apart from the C-level positions, your average IT organization ignores leadership skills and rewards those who perform technically well. This generates a great deal of referent power, but ignores the personality characteristics that must come with a position of leadership.
With a higher position comes reward power, coercive power, and several other sources of power that a leader has at their disposal. Gaining these tools in leadership can be an issue for those not prepared to lead.
In working with many IT people over many years, I see a lot of "power drunk" senior staff wielding coercive power and mentally beating down junior staff for simple and honest mistakes.
This is not how we lead.
This is how to alienate people.
This breeds more destructive behavior.
On the other end, when dealing with users, many companies implement reward programs, which reinforce good behavior. Unfortunately, they only work on people who want the rewards, and only until they have gained them. Reward, or bounty, systems have a severely limited shelf life and limited effectiveness.
How does this apply outside of IT?
Infosec is typically the most important IT policy a company has to enforce. As we saw above, we have oversimplified leadership into two types of programs:
Coercive - Don't screw up or you're fired. Even two-strike policies don't work.
Reward - The gamification of Infosec suffers the problems I outlined above.
Infosec lacks true leadership:
As tech people we should know that there's no simple way to solve a complex problem. So why do we oversimplify leadership across internal organizations? It's simple: they don't like us. We lack personal power, which would serve as a counterbalance in our leadership practices.
Avoiding Leadership Gaps:
1. Hire personable people within your Infosec group - Also, make sure they are visible within the organization and are likable when dealing with users. People are more likely to listen to people they like.
2. Be transparent - Give the organization a sense of what you're doing to help protect them and to make their jobs easier. Make sure that you reinforce that it is an organizational effort, and get users to buy in through a sense of working together.
3. Build a comprehensive game plan - If you want to be a true leader in your organization, go to leadership with a way to build rapport. You do not need to spend money, you just need to show you can blend sources of power into a change in culture, not just a policy.
Finally:
Work with what you have at your disposal. Some people will be above policy, but no one is above culture. Some people will get away with things they shouldn't, and there is nothing you can do to change that. If all you have is policy, you have a finite tool that will never be applied evenly. Culture has a strange way of weeding out those who don't fit in. They lose support from those who see them as an outlier, and eventually fall out of favor with leadership.
More to come about leading an Infosec team next time.