Allowing your users administrative rights under their Windows desktop certainly makes their life easier, but it can cause significant headaches for your sysadmins — and it also opens up a wide variety of vulnerabilities.
A recent study from security vendor Avecto found that 94% of critical vulnerabilities announced by Microsoft could be mitigated by simply removing administrative rights. These vulnerabilities range from phishing attacks that can hijack the system via applications like Microsoft Word to packets that are specially crafted to hit Windows Server. In most cases, they can be leveraged to remotely execute code and take control of the PC, potentially accessing sensitive data and applications deeper within the network.
Many modern workplaces allow users more leeway over the configuration of their workstations, as computer-savvy employees are often more productive when they have applications set up the way they want. But with shutting down admin rights proving to be a relatively easy and strong method of eliminating vulnerabilities, should you risk enabling them?
The answer is probably not…with some caveats.
While debt can be a useful tool for funding your organization (Green House Data is in fact currently leveraging debt as part of our expansion plans), you need to have a payment plan and carefully manage your debt in order to continue solvency. No business owner who wants to succeed would ignore debt and just hope it sorts itself out, or pay only the minimum required to avoid bankruptcy.
Technical debt shouldn’t be ignored, either. The term refers to the practice of putting off critical infrastructure or software upgrades. Out of date systems pile up — whether it’s your overall systems architecture, an aging switch that can’t handle new network speeds, or an application that only runs on 32-bit servers — and become a mess of band-aided solutions that are ready to fall apart at any moment.
Executives should take technical debt seriously. When your CTO or IT Manager tells you they need to focus budget and staff on reducing technical debt, it’s time to listen.
Focusing on cloud initiatives as a technology problem rather than business realignment can be a major mistake. Success in the cloud comes from more than just telling your CTO that you want your systems on a cloud platform. It requires a shift in overall business strategy and clear messaging from leadership on down.
You need to identify your business goals and work backwards from there to figure out how specific cloud technologies can help solve them. This may involve the creation of a cloud team or adjusting your organization to be an agile, “DevOps” style operation.
Ultimately the core technologies your team will use in the cloud aren’t much different than the old model of IT (at least if you were already virtualized), but they do require a shift in your business model to better use the flexible resources available from cloud computing, or the development of a plan that boosts efficiency, reduces costs, and thereby improves your bottom line.
Here are a few tips to keep cloud strategy front of mind.
Another week, another story about a major data center outage. This time it’s British Airways under public scrutiny as the company scrambles to discover the source of data center downtime that grounded hundreds of flights.
While the cause of that outage isn’t yet released, that hasn’t stopped some experts from suggesting human error as the cause. They aren’t likely to be off base, either: human error remains the leading cause of IT infrastructure outages. Therefore minimizing human error should be a primary focus of reliability efforts.
While we all make mistakes, when critical infrastructure is at stake — not to mention thousands of dollars in downtime related costs — it’s worth some investment to try and reduce the potential negative effects of people on IT systems. Here are some tips to help you avoid downtime stemming from human error.
While the goal of most infosec professionals is ostensibly to prevent data breaches and security incidents, the daily headlines about major hacks prove that no one is completely safe. If — or perhaps we should say “when” — you are breached, one of the first steps is to perform digital forensics to help locate the attack vector, identify compromised systems, and tag any stolen data.
Cloud environments further complicate the digital forensics process, especially in an increasingly multi-cloud world, where multi-tenant hosting environments and hybrid IT infrastructure is more and more common.
Preparing a cloud forensics protocol can help your organization reduce the overall cost of a security investigation and disclosure, quickly figure out how the attacker gained access, restore system operations faster, and even garner discounts on any cyberinsurance you may have.
While many organizations combine Security and Compliance under a single banner, and there is nothing inherently wrong with having a Chief Security and Compliance Officer or managing risk mitigation under a single umbrella, the fact is that compliance and security measures are two overlapping but inherently different practices of information security.
Compliance standards often change quickly and require quite a bit of work to ensure enforcement across an entire organization. Audit trails, regulator inspections, minimum mandates…they have to be tracked and adhered to 24/7. But meeting compliance standards often puts blinders on a security administrator.
Simply meeting a compliance measure — or even four or five — does not mean that your infrastructure is up to snuff with security best practices. Nor does following industry standards of security guarantee that you’ll meet your next compliance audit.
Cloud servers are easy to provision and configure. Maybe too easy. That’s why many organizations are finding their cloud spend spiraling out of control. If you have recently experienced shock and awe at your monthly cloud bill, you may need to examine your environment for optimization opportunities.
Here are four of the top areas to reduce your cloud sprawl, and by extension, your cloud spend.
While your admins might have virtualization experience, transitioning to a cloud-first IT strategy involves a real paradigm shift across your entire IT team. You’ve heard some of this before: you’ll be more agile, your team will be focused on service delivery instead of hardware, you’ll work on business issues rather than break/fix.
What you may not have considered are how the roles of your new cloud team may shift from previous responsibilities, or just how far reaching the culture change may be. Here are some tips to build a successful cloud service team within your organization.
If you’re like many modern organizations, you’re looking towards a “cloud-first” IT strategy, where new workloads are architected with cloud deployment in mind, and older infrastructure is redesigned for the cloud as time and requirements allow. But you may also face a common obstacle to these goals: a cloud skills gap among your IT staff.
An ISACA report claims that it takes three months months to fill 55% of information security vacancies, and six months or longer for an additional 32%. Intel security discovered that 36% of organizations lack cloud skills, but are still continuing on their adoption path. Only 15% of the 2,000 surveyed IT professionals claimed they had no cloud skill shortage.
It’s clear that many enterprises and midize businesses may require help managing these new cloud environments — especially when departments are adopting shadow cloud and shadow IT services at an increasing rate, as the Intel report corroborates.
In the past decade, alongside the increased importance of digital tools for business, a new category of insurance has sprung up to cover digital data breaches and liability. With the average total cost of data breaches reaching $4 million dollars and the average cost of each lost or stolen digital record increasing to $158, it is clear that experiencing a data breach is an expensive affair.
While dedicated security response teams and encryption do decrease these costs, and IPS/IDS systems and other security measures can help reduce the risk, many organizations will still experience a data breach at some point.
Cyberinsurance can help mitigate the cost of a data breach by reimbursing your company for legal fees, helping with the cost of crisis management and investigation, notification costs, extortion liability fees, and third party damages relating to network or system outages. But does every organization need cyberinsurance?