BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Don’t say “Lockdown”!

Posted October 15, 2012    Peter McCalister

Here at BeyondTrust, we have been fortunate to be able to speak with thousands of security professionals in dozens of industries, and it is astonishing how differently organizations assess risk and approach computer security. Some organizations are very strict about security and are able to completely lock down desktops. Others are significantly more lax about the security of their desktop computers, and place a bigger emphasis on servers and backend infrastructure. What is interesting about these two ends of the spectrum is how the organization ends up where they are. When we speak to IT professionals who have loosely managed desktops, they universally cite the fact that it is difficult to change the culture of the organization to implement the controls to better manage those desktops and improve security. For folks who have very locked down environments, we find that they did, in fact, have to change the culture in order to improve security. Here are a few things that you can do to help smooth the transition to a new and improved security position.

  • Don’t use words like “Locked Down Desktop.”  The end users will freak out if you say this.  Even though the end user doesn’t own the desktop, they still think it is theirs.  It’s better to brand any project to improve desktop security as “Trusted Desktop Initiative” or “Secure Desktop” instead of using the words “lock down.”
  • Do explain to the end users why improving security is good for them.  More security means fewer viruses and malware.  A well-managed desktop means fewer application conflicts.  Following security best practices like removing admin rights from users, means less configuration drift and more stability, reliability and speed in the long run.
  • Don’t try to do too much.  Many organization want to roll out too much security, all at the same time.  Some organizations want to deploy more control at the same time they roll out a new operating system.  The most successful organizations that we have worked with set the foundation first.  By implementing security best practice (Anti-virus, Least Privilege, Vulnerability Scanning, etc.) and then layering on additional tools (Application Whitelisting, Device Control, etc.), you will end up with a more robust implementation in the long run.
  • Do get executive buy-in.  Everything goes much more smoothly when the boss sponsors what you are trying to do.
  • Don’t go it alone.  As we learn more about our industry and what is available, we realize just how much we don’t know.  Technology is constantly changing, and no one person can keep up with all of the knowledge, so seek out advice from others.  Talk with your vendors, peers at other organizations and your colleagues.  They can be a huge asset when undertaking a project to improve security.
  • Don’t forget to communicate.  End users hate surprises.  All they want to do is get their job done.  That’s how their performance is measured.  If they are surprised by some new security restriction that slows them down, they are going to kick and scream, but if you’ve communicated appropriately, your chances of headaches are lessened.
Tags:
, ,

Leave a Reply

Additional articles

How To Implement The Australian Signals Directorate’s Top 4 Strategies

Posted October 20, 2014    Morey Haber

The Australian Signals Directorate (ASD), also known as the Defence Signals Directorate, has developed a list of strategies to mitigate targeted cyber intrusions. The recommended strategies were developed through ASD’s extensive experience in operational cyber security, including responding to serious security intrusions and performing vulnerability assessments and penetration testing for Australian government agencies. These recommendations…

Tags:
, , , ,
asp-mvc

Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…

Tags:
4bestpracticesaudits-blog

Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…

Tags:
, , , ,