In today’s Internet, there is never a break from the constantly evolving threats of phishing, malware, ransomware, and hackers. It is critical that as these new I.T. security threats evolve, IT and information security also evolves with them.
In many organizations, I.T. (or the Information Technology) engineers manage the systems, getting them set up and functioning, in addition to supporting end users. In these organizations, it comes down to a separate group of people ‒ the network and information security engineers ‒ to secure the network against attackers, and threats. I.T. does servers; Information security does the firewall. Unfortunately, this separation of security and systems management can cause systems to remain insecure, and make security harder overall.
The mindset, therefore, must change from systems and security, to a single-baked idea of systems with security. I.T. engineers must now work to secure these systems as they are set up. Information security, or InfoSec, must now be a part of the daily I.T. process. How does this change how I.T. managers and engineers work? Well, instead of just the set-up and general maintenance of these systems, I.T. engineers must look beyond that, looking to build the best secured systems, both on a singular workstation/server level, but also on a grand network scale.
Through this mixed-lens approach, new best practices can be established. With the wide spreading of ransomware, it has become imperative to think in terms of “least needed privileges.” Let me give you a real-life scenario from two companies we’ve worked with.
Two companies each have their own file server. This server allows employees to access data across the network, share files, and store data.
Company One, citing that they trust their employees and their honesty, sets up broad security rules across all file shares. Rules such as, everyone can access everything, other than Human Resources (HR), which can be only accessed by management and HR. This shouldn’t be an issue, as they work to hire trustworthy people, and therefore, the engineers should stick to working with their files, and sales should stick to working with theirs. This sounds fair enough.
Unfortunately, someone in sales receives a lead, which turns out to be a Word document that contains a ransomware payload. What happens? The ransomware encrypts everything on that user’s computer, as well as everything that user has access to on the network which, in this case, is most everything short of HR documents. The real-world conclusion to this was a full file restore for that file server, which took hours to complete (this is also an important reminder to have good back-ups).
But let’s take a step back, and take a look at Company Two. Company Two also has trustworthy employees, and they trust their employee’s honesty and morality. But Company Two, with the help of their I.T. partner, also understands the perils of network security. Company Two, therefore, has in place strict security groups and policies that allow employees access only to the files and resources they need to do their job. Engineers who work in production have access to production files, and the production printer. Engineers who work in support have access to the documents and resources related to providing customer-facing support. Sales has access to price lists and a printer, but their needs for network access are fairly low. So what happens when someone in sales at Company Two accidentally opens a piece of ransomware? Well, their workstation is affected. And those couple of price lists are affected. The end result is a file restore of those price lists that take seconds to minutes, instead of hours. Other employees in engineering, customer service, HR, and the like, are not even affected by this ransomware outbreak.
This example perfectly illustrates how I.T. can no longer just build the systems. Security groups such as the ones at Company Two are something that I.T. engineers and architects must be thinking about when architecting new servers, networks, and domains. These implementations and best practices must be something that becomes part of the I.T. and company flow, instead of an afterthought.
Check out our recorded webinar on ransomware, and call us if you have any questions.