When considering IT security, organizations should take a look at the websites of the National Institute of Standards and Technology (NIST), the Defense Information Systems Agency's Security Technical Implementation Guides (STIGs) or the Center for Internet Security (CIS). There, they may find that understanding these recommendations and translating them into implementable practices can be overwhelming. While that is a worthwhile and important task, there are also more practical ways to make sure you are following IT security best practices in your business. Three control points are described below.

Separation of Duties

Make sure to separate duties within your IT organization. While this is routine practice in finance, it is often overlooked in IT security. For example, designate a person or team to verify security settings on operating system resources, such as file ownership, file permissions and registry keys. This team should be able to obtain ad hoc reports of the settings that need to be checked, but it should not have access to the servers on which the verification is being performed: it verifies an exported report, while the server support team is the one with a login.

This provides a higher measure of IT security than simply trusting the server support teams to configure and enforce the appropriate settings correctly, because the people who could make a mistake and the people who check for it are no longer the same. All deviations found by the security verification team should be documented and corrected immediately. Better still, have a separate team configure an endpoint management tool to detect out-of-compliance conditions as they occur and remediate them automatically.
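The verification step described above, as an added example that is not the post's own tooling: the server team exports a report of ownership, group and octal mode for the files in scope (on Linux, `stat -c '%n %U %G %a'` on the listed paths produces exactly this shape), and the verification team runs the check against that text export without ever logging in to the server. The paths, owners and modes in BASELINE and the report contents are assumed values for illustration.

```python
"""Baseline check of file ownership and permissions from an exported report.

Added example for the separation-of-duties step; not the post's own tooling.
The verification team runs this against a text export and never needs a login
on the server.  BASELINE entries and SAMPLE_REPORT are assumed values.
"""
import re
from dataclasses import dataclass

# Baseline: path -> (required owner, required group, maximum permitted mode).
BASELINE = {
    "/etc/shadow": ("root", "root", 0o640),
    "/etc/passwd": ("root", "root", 0o644),
    "/etc/ssh/sshd_config": ("root", "root", 0o600),
    "/var/www/html": ("www-data", "www-data", 0o755),
    "/opt/app/config.yml": ("app", "app", 0o640),
}

# Constructed sample export in `path owner group octal-mode` form.
SAMPLE_REPORT = """\
/etc/shadow root root 640
/etc/passwd root root 644
/etc/ssh/sshd_config root root 644
/var/www/html www-data www-data 777
/opt/app/config.yml deploy app 640
"""

REPORT_LINE = re.compile(r"^(\S+) (\S+) (\S+) ([0-7]{3,4})$")


@dataclass(frozen=True)
class Deviation:
    path: str
    field: str      # "presence", "owner", "group" or "mode"
    expected: str
    observed: str


def parse_report(text):
    """Parse the export into {path: (owner, group, mode_int)}; reject malformed lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = REPORT_LINE.match(line)
        if not m:
            raise ValueError(f"malformed report line: {line!r}")
        path, owner, group, mode = m.groups()
        entries[path] = (owner, group, int(mode, 8))
    return entries


def find_deviations(observed, baseline=BASELINE):
    """Return every baseline item whose owner, group or mode bits are off.

    Mode is checked as a ceiling: any permission bit set beyond the baseline
    (e.g. world-write in 0o777 against a 0o755 ceiling) is a deviation, while
    a mode tighter than the baseline is accepted.
    """
    deviations = []
    for path, (owner, group, max_mode) in baseline.items():
        if path not in observed:
            deviations.append(Deviation(path, "presence", "in report", "missing"))
            continue
        o_owner, o_group, o_mode = observed[path]
        if o_owner != owner:
            deviations.append(Deviation(path, "owner", owner, o_owner))
        if o_group != group:
            deviations.append(Deviation(path, "group", group, o_group))
        extra_bits = o_mode & ~max_mode
        if extra_bits:
            deviations.append(Deviation(
                path, "mode", f"at most {max_mode:04o}",
                f"{o_mode:04o} (extra bits {extra_bits:04o})"))
    return deviations


def format_findings(deviations):
    """One line per deviation, ready for the ticket that documents the correction."""
    return [f"{d.path}: {d.field} expected {d.expected}, observed {d.observed}"
            for d in deviations]


if __name__ == "__main__":
    for line in format_findings(find_deviations(parse_report(SAMPLE_REPORT))):
        print(line)
```

On the constructed report this flags three deviations: `sshd_config` readable by group and world, the web root world-writable, and the application config owned by `deploy` instead of `app`. A malformed line (for instance a path containing spaces) makes the parser raise rather than silently skip, so a truncated or hand-edited export is itself treated as a finding rather than as a clean result.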

Least Privilege for Primary Controls

Apply the concept of least privilege to your primary controls. This means making sure the level of access to systems, tools and data in your IT environment is sufficient for every employee to perform their work, and no more than that. List the job categories in your organization and create a profile for each, specifying in detail the access needed to perform that job. Then write procedures stating exactly which access is to be granted to an employee in each profile. Be especially careful about which profiles receive write access as opposed to read access.

For example, if you have a team that develops marketing materials, ensure it only has access to the systems, applications and content needed for that purpose. If some members of that team are responsible for publishing the materials, they may be given access to different systems and separate file and directory structures, or they may receive write access where the rest of the team has read access only. That way, only the publishing team is accountable for changes made to the published systems. This seems like an obvious practice, but many companies fail to document the profiles and the associated work instructions thoroughly. The next step is to automate ID creation from these profiles, which further ensures that the access granted is exactly what the profile specifies.

Secondary Controls for IT Security

Implement a secondary controls solution to supplement the primary controls. When primary controls fail, and they will, secondary controls are essential. They are often neglected because of cost and staffing pressures, since they are almost always treated as overhead. Secondary control activities should be executed on a regular schedule by employees who do not perform the primary controls, so that no single person can bypass both. Examples of secondary controls include verifying that every user ID is owned by an active employee, verifying that each ID has the level of system access its profile allows, and checking system and application logs for suspicious or unauthorized activity.
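The profile-driven ID creation described under least privilege and the three secondary-control checks just listed, as one added example that is not the post's own tooling. The job categories, resource names, HR feed, account directory and log lines are all constructed for illustration; in practice the same checks would be fed from the identity directory, the HR system and the real access logs. The primary control builds an account from its profile; the secondary checks are run by a different team and reconcile the account directory against HR, against the profiles, and against the access log.

```python
"""Profile-based provisioning and the secondary-control checks around it.

Added example for the least-privilege profiles and secondary controls in the
post; not the post's own tooling.  PROFILES, ACTIVE_EMPLOYEES, ACCOUNTS and
SAMPLE_LOG are constructed for illustration.
"""
import re

LEVEL = {"none": 0, "read": 1, "write": 2}   # write implies read

# Job category -> resource -> highest access the profile allows.
PROFILES = {
    "marketing-author":    {"cms-drafts": "write", "cms-publish": "read"},
    "marketing-publisher": {"cms-drafts": "read",  "cms-publish": "write"},
    "it-sysadmin":         {"server-console": "write"},
}

# HR feed, active employees only: employee id -> job category.
ACTIVE_EMPLOYEES = {"E100": "marketing-author",
                    "E101": "marketing-publisher",
                    "E102": "it-sysadmin"}

# Account directory: user id -> owning employee and the access actually granted.
ACCOUNTS = {
    "alice": {"owner": "E100", "access": {"cms-drafts": "write", "cms-publish": "write"}},
    "bob":   {"owner": "E101", "access": {"cms-drafts": "read",  "cms-publish": "write"}},
    "carol": {"owner": "E103", "access": {"cms-drafts": "write"}},  # E103 has left
    "dave":  {"owner": "E102", "access": {"server-console": "write"}},
}

# Constructed access log, one event per line.
SAMPLE_LOG = """\
2024-03-02T10:15:01Z user=alice action=write resource=cms-drafts
2024-03-02T10:16:44Z user=alice action=write resource=cms-publish
2024-03-02T10:20:09Z user=carol action=read resource=cms-drafts
2024-03-02T10:21:30Z user=mallory action=read resource=cms-publish
2024-03-02T10:25:00Z user=bob action=write resource=cms-publish
"""
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) "
                      r"action=(?P<action>read|write) resource=(?P<resource>\S+)$")


def provision_account(owner, job, profiles=PROFILES):
    """Primary control: a new ID receives exactly its profile's grants, nothing more."""
    return {"owner": owner, "access": dict(profiles[job])}


def permitted(job, resource, action, profiles=PROFILES):
    """True if the profile for `job` allows `action` on `resource`."""
    return LEVEL[action] <= LEVEL[profiles.get(job, {}).get(resource, "none")]


def orphaned_accounts(accounts, active):
    """Secondary control 1: IDs whose owner is no longer an active employee."""
    return sorted(user for user, acct in accounts.items() if acct["owner"] not in active)


def excess_access(accounts, active, profiles=PROFILES):
    """Secondary control 2: grants beyond the owner's profile, as
    (user, resource, granted, allowed) tuples."""
    findings = []
    for user, acct in sorted(accounts.items()):
        job = active.get(acct["owner"])
        if job is None:
            continue  # no profile to compare against; reported by orphaned_accounts
        for resource, granted in acct["access"].items():
            if not permitted(job, resource, granted, profiles):
                allowed = profiles[job].get(resource, "none")
                findings.append((user, resource, granted, allowed))
    return findings


def suspicious_log_events(log_text, accounts, active, profiles=PROFILES):
    """Secondary control 3: events by unknown or orphaned IDs, or actions the
    user's profile does not permit, as (timestamp, user, reason) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ts, user, action, resource = m.group("ts", "user", "action", "resource")
        acct = accounts.get(user)
        if acct is None:
            events.append((ts, user, f"unknown account accessed {resource}"))
        elif acct["owner"] not in active:
            events.append((ts, user, "orphaned account still in use"))
        elif not permitted(active[acct["owner"]], resource, action, profiles):
            events.append((ts, user, f"{action} on {resource} exceeds profile"))
    return events


if __name__ == "__main__":
    print("orphaned:", orphaned_accounts(ACCOUNTS, ACTIVE_EMPLOYEES))
    print("excess:", excess_access(ACCOUNTS, ACTIVE_EMPLOYEES))
    for event in suspicious_log_events(SAMPLE_LOG, ACCOUNTS, ACTIVE_EMPLOYEES):
        print("suspicious:", *event)
```

On the constructed data the reconciliation finds `carol` as an orphaned ID, `alice` holding write access to the publishing system her author profile limits to read, and three log events worth a look: alice's publish write, carol's continued use of an orphaned ID, and an ID (`mallory`) that exists in no directory at all. The grant check treats `write` as including `read`, so a publisher reading drafts is not flagged while an author writing to the publishing system is, which is exactly the accountability split the post describes.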

I hope this post has been helpful in providing some basic control points to focus on when securing your IT environment. Please tweet at me at @LisaChavez111 if you have comments or suggestions.
