At the beginning of this month, the twitterverse was atwitter about a published paper in which researchers used stickers to make a self-driving auto’s vision system believe a stop sign was a 45 MPH sign. All the researchers did was strategically place some short sticky strips on a stop sign. A duct tape hack! Sometimes it is hard to get clarity on what is really important, what is a true IT security risk, and what an IT professional’s role is in protecting their customers. How can we protect our world when someone can take something as simple as duct tape and crash it?
That is when we go back to IT fundamentals: provision, protection, proactivity.
Provision: knowing what you have, where it is, and who has access to it. Portable devices are only a problem if you do not have automation to support them when they, at long last, show up on your subnet again. If you have to manually patch a laptop that has been in the field for three months before letting it on the network, we have a problem (and you do too).
But what about user provision? It’s also important that you always have the business owner authorize any access to anything, via eform, email, signature … always. IT provides the access to a service; IT does not authorize it.
Protection: this week 185 software patches were released by Adobe, Microsoft, Mozilla for Firefox, Ubuntu, and VMware NSX. Security patching is the basic protection, but so is measurement of the protections. Once more, this is why automation of the tools is so important. Let automation identify the exceptions: the devices that, for any of numerous reasons, did not accept a security patch. IT Security not only recommends you apply all Critical, High, Urgent, and Important patches (some vendors are not following the agreed-upon vulnerability model), but in this day and age you must use an automated process. The patch links are below.
But what about user protection? An applied computer policy/profile is key to ensuring the most basic protection of all to a user: the password. If you find a device on the wired network that is not using central authentication and does not have a password meeting the Password Authentication SAP, then – unless an approved written exception exists for that device – Security would recommend that you have the user immediately change the password to meet the SAP or take the device off the network.
Proactivity: the key to being proactive is knowing both our risks and our threats. When the gas/charge on our automobile hovers near “E” we know what to do – pull into/plug into a service station. The same is true of IT resources. Raise the flag within your department if you do not have the time to meet the most basic functions of the job – one of those is security. One of the greatest risks to a well-run and protected IT operation is an IT professional staying silent when they know there are not enough hours in the day to do all the work. Silence is a large risk to IT all over the world today. Many XP devices were not deprecated from NotPetya sites because the sites did not have the IT human resource to upgrade. Not having automation to ensure there is time to work on a wide variety of duties is not an excuse to forego performing those duties. Doing nothing about a losing proposition is not a strategy; it is a failure.
But what about user proactivity? To be proactive with customers is simple … communicate with your customers. Book an appointment on your calendar for one hour a week to do nothing more than communicate with your customers: email them hot IT topics, tell them your expectations, or use part of that weekly hour appointment to visit the most demanding customers by phone or in person.
Provide, protect, and be proactive. Stick with the fundamentals and don’t let anyone duct tape your daily hard-won efforts! The Security Team sincerely appreciates it.