CASUAL conversation with a fellow information security professional over early breakfast:
InfosecGuy101: If the government opens a Chief Information Security Officer (CISO) position and the President nominates you, what will be your priority action items?
Me: Uh, Um, Ah… Decline? I’d rather be a consultant! (Hysterical laughter.)
InfosecGuy101: Now that you have gotten that out of your system, seriously?
Me: (10-second silence, then I gulped a large amount of lukewarm, paper-tasting coffee, hoping to find immediate stimulation for my 8:30 a.m. brain.) Ah, got it! Fire every government employee who still uses Yahoo! To all of you out there: Yahoo has been severely compromised, to the point that there are no more takers who would buy them. Be a self-respecting computer user and delete your Yahoo account now! For pity's sake!
InfosecGuy101: Okaaay! Fine, then what? Wait, let's do it this way: how about the top 5 immediate security tasks that the government should do?
Me: (Finally, some caffeine kicking in.) One – conduct a hardware and software inventory (read: IT Asset Management). There's no way of knowing what's broken if you don't know what you have. Seriously, with all the mobile phones and pocket Wi-Fis out there, do you even know who's connecting to your network and leeching off the Internet that the taxpayers paid for? We have a term for this and it's called "Rogue IT" – that parallel universe inside the organization's network that no one knows exists. Let's face it, with the way networks and computers grow organically, I will bet my leather bags that your spreadsheet is anything but complete (or accurate, for that matter), so yeah, inventory time!
InfosecGuy101: Are you kidding me? That’s a lot of IT assets!
Me: Sorry, but you've got to start somewhere, and besides, along with your (dated) list you can use automated inventory software like Belarc, Kaseya, SolarWinds, etc., or if you're on a budget, get Spiceworks and other open source options. Not enough manpower? Outsource! There are companies that would happily do that for you!
InfosecGuy101: Ok, next?
Me: Create a collection of known good configurations for: first – critical IT assets like routers, switches, servers, and the like; and second – PCs or workstations, based on who uses them and what tasks they are doing (read: Configuration Management). This way, if anything breaks down or gets compromised, you have a clean backup to resort to.
InfosecGuy101: And number three?
Me: Deep dive on the possible security holes. Conduct a vulnerability assessment (VA) and, if permissible and practical, a penetration test (PT) on critical IT assets, then move on to the workstations. Please have professionals do this, and not just run a tool and read the reports. The recommendations/results will be your guide in crafting your remediation strategy because they should give you the critical vulnerabilities. As a matter of fact, you should do a VA/PT at regular intervals and whenever a new system is installed (read: Continuous Vulnerability Assessment and Remediation).
Me: Establish control of all administrative/root privileges in IT systems (read: Privileged Access Management), most especially on servers, network and security devices, as well as applications. Yes, there will be people in power who will exert influence on you so that you will allow them (and their next of kin) to install any software (and malware) they want – this is in government anyway, right? Well, put your foot down! If they use force and coercion, refer them to the nearest Sandiganbayan, or if you are not the suing kind, ask for their immediate superior's (indisputable) consent. (That way, if there is a computer virus or ransomware outbreak, you can pin the blame on him afterwards. Save your Bitcoins for future use. By the way, we call this "risk transference" in audit lingo.) Just like automated inventory, there are excellent software applications to help you do this – they will even report compliance!
InfosecGuy101: Okay, last (for now). Five!
Me: If the crap hits the fan, check the logs! But if you didn't have a properly configured log server, or didn't turn on audit logging on your critical IT assets, then you are on your own. You will have absolutely no clue as to what happened and who did what. Oh yeah, take time to learn how to read them, all right? Else you are just wasting hard disk space. Try to have one centralized log server (with backup) and apply ample protection so no one can get to it and alter it.
Me: I know you only asked for five, but now that the caffeine has fully kicked in and that waffle and bacon combo was outstanding, I'm going to give you two more.
InfosecGuy101: Awesome. You’re hired!
Me: Uh. No thanks, just pro bono – my contribution to society, a free consult.
Me: Six – Patch, patch, and patch. Old software is the root of all (malware) evil. Remember, if there are no vulnerabilities, even if there are numerous threats, the risk will always be zero (read: Patch Management). Bonus: Microsoft WSUS (Windows Server Update Services) is free for Microsoft workstations.
Me: Parting tip. Awareness. It costs nothing to make end users aware of the dangers and of the things they can do to protect themselves and the organization's IT assets. An educated user is worth more than a million pesos of anti-virus software. Ok, I take that back – there is a cost. Snacks. Siopao and 3-in-1 coffee will do. Solved.
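The "Rogue IT" point in item one is the easiest of the seven to turn into a repeatable check: take the (dated) spreadsheet, take what the network actually shows you, and diff the two. The script below is an added example written for this post, not code from the conversation or from any of the inventory products it names. It assumes the inventory is exported as CSV with a `mac` column and that the discovered hosts come from `arp -a` output (Linux and macOS print the same `? (ip) at mac` shape, but macOS leaves MAC octets unpadded, hence the normalization). Both the inventory and the ARP lines below are constructed samples. Anything the spreadsheet does not know about is a candidate for the parallel universe; anything the spreadsheet lists but the network never shows is a stale record that needs cleaning up too.

```python
"""Reconcile a declared IT asset inventory against hosts actually seen on the network.

Added example (not from the original post). Assumptions:
  - the inventory spreadsheet is exported as CSV with a 'mac' column;
  - discovered hosts come from `arp -a` style lines. A MAC is a weak
    identifier (easily changed), so this finds the obviously unknown
    devices, not a determined impostor; it is a starting point, as the
    post says, not the finished inventory.
"""
import csv
import io
import re

# Constructed sample: the "dated" spreadsheet, exported as CSV.
INVENTORY_CSV = """hostname,mac,owner,asset_type
fin-ws-01,00:11:22:33:44:01,Finance,workstation
fin-ws-02,00:11:22:33:44:02,Finance,workstation
core-sw-01,00:11:22:33:44:10,ICT,switch
old-printer,00:11:22:33:44:20,Admin,printer
"""

# Constructed sample: `arp -a` output. Line 2 is macOS-style (unpadded octets);
# the last line is an unresolved entry and carries no MAC at all.
ARP_SAMPLE = """? (10.0.1.5) at 00:11:22:33:44:01 [ether] on eth0
? (10.0.1.6) at 0:11:22:33:44:2 [ether] on eth0
? (10.0.1.1) at 00:11:22:33:44:10 [ether] on eth0
? (10.0.1.77) at de:ad:be:ef:00:01 [ether] on eth0
? (10.0.1.9) at <incomplete> on eth0
"""

# Matches "? (10.0.1.5) at 00:11:22:33:44:01 ..."; '<incomplete>' never matches.
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>[0-9a-fA-F:]{11,17}) "
)


def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase, six zero-padded octets, colon separated."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or not all(p and len(p) <= 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(p.zfill(2) for p in parts)


def load_inventory(csv_text: str) -> dict:
    """Map normalized MAC -> inventory row from the CSV export."""
    return {
        normalize_mac(row["mac"]): row
        for row in csv.DictReader(io.StringIO(csv_text))
    }


def parse_arp(arp_text: str) -> dict:
    """Map normalized MAC -> IP for every resolved entry in `arp -a` output."""
    seen = {}
    for line in arp_text.splitlines():
        m = ARP_LINE.match(line)
        if m:  # unresolved / malformed lines are skipped on purpose
            seen[normalize_mac(m.group("mac"))] = m.group("ip")
    return seen


def reconcile(inventory: dict, seen: dict) -> dict:
    """Split discovered hosts into known, unknown (rogue candidates) and stale."""
    unknown = {mac: ip for mac, ip in seen.items() if mac not in inventory}
    missing = {mac: row["hostname"] for mac, row in inventory.items() if mac not in seen}
    matched = {mac: inventory[mac]["hostname"] for mac in seen if mac in inventory}
    return {"unknown": unknown, "missing": missing, "matched": matched}


if __name__ == "__main__":
    report = reconcile(load_inventory(INVENTORY_CSV), parse_arp(ARP_SAMPLE))
    for mac, ip in report["unknown"].items():
        print(f"UNKNOWN  {ip:<15} {mac}  (not in inventory: investigate)")
    for mac, host in report["missing"].items():
        print(f"STALE    {host:<15} {mac}  (in inventory, not seen on network)")
    print(f"matched {len(report['matched'])} asset(s)")
```

In practice you would feed `parse_arp` the real `arp -a` output (or a DHCP lease file, with a different regex) from each segment, run it on a schedule, and treat every UNKNOWN line as a ticket rather than a curiosity.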