Kelly Sharadin says
What unique challenges does a “bring your own device” policy introduce to a corporate network? What steps can security professionals take to enhance host security on personal computers used for business?
Madalyn Stiverson says
Data theft and malware are key concerns. If it’s a personal device, they’re potentially checking personal emails and clicking potentially unsafe links. Stolen or lost devices could be a larger issue. You’re leaving it up to the employee to follow corporate policy, such as using their fingerprint to unlock. If the employee doesn’t implement proper password protection on their personal device and it gets stolen, it’s reasonable to assume that data has been harvested.
Kyuande Johnson says
When companies implement bring your own device (BYOD), it's important to remember that the employee owns the hardware and the company owns the corporate data on the device. Additional security mechanisms are required to be in place when company data is on a BYOD device. Many BYOD security mechanisms involve password policies, in an effort to protect the data stored on the device. Employees are required to change the easy-to-remember 4-6 digit PIN on their phone to a password with strict requirements. The standard password policy requires 8-14 characters, with a combination of special characters, numbers and capital letters. Employees may have to implement dual-factor authentication on certain applications. Most companies utilize MS Outlook for email. There may be a requirement to set up dual-factor authentication on the BYOD device to gain access to email.
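As an added example (not part of the original thread), the following Python encodes the password policy as the post states it: 8-14 characters, with a special character, a number and a capital letter, and it flags a secret that still looks like the 4-6 digit PIN the post says employees must move away from. The `PasswordPolicy` field names and the `check_password` helper are assumptions made for this example, not any vendor's MDM API.

```python
import re
from dataclasses import dataclass


# Policy as stated in the post above. Field names and defaults are assumptions
# chosen for this example to encode that stated policy.
@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 14
    require_upper: bool = True
    require_digit: bool = True
    require_special: bool = True


BYOD_POLICY = PasswordPolicy()


def looks_like_pin(secret: str) -> bool:
    """True for the 4-6 digit device PIN the post says must be replaced."""
    return secret.isdigit() and 4 <= len(secret) <= 6


def check_password(secret: str, policy: PasswordPolicy = BYOD_POLICY) -> list:
    """Return the list of policy violations; an empty list means the secret complies."""
    problems = []
    if looks_like_pin(secret):
        problems.append("looks like a 4-6 digit PIN, not a password")
    if len(secret) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(secret) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.require_upper and not re.search(r"[A-Z]", secret):
        problems.append("no capital letter")
    if policy.require_digit and not re.search(r"[0-9]", secret):
        problems.append("no number")
    # Anything that is not a letter or digit counts as a special character here.
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", secret):
        problems.append("no special character")
    return problems


def is_compliant(secret: str, policy: PasswordPolicy = BYOD_POLICY) -> bool:
    return not check_password(secret, policy)


if __name__ == "__main__":
    # Constructed sample secrets, not real credentials.
    for candidate in ["123456", "Passw0rd", "Tr0ub4dor&3", "A1!aaaaaaaaaaaaaaaa"]:
        print(repr(candidate), check_password(candidate) or "compliant")
```

Running the block reports each constructed sample against the policy; the checker returns every violation at once rather than stopping at the first, which is what an enrolment screen or a compliance report needs.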
Patrick Jurgelewicz says
What are some common steps to secure operating systems and server applications?
Victoria Zak says
Hi Patrick,
In order to secure operating systems and server applications, the NIST 800-123 article suggests securing, installing, and configuring the underlying operating system and server software. Additionally, it suggests maintaining the secure configuration through the application of appropriate patches and upgrades, security testing, monitoring of logs, and backups of data and operating system files.
Other steps to secure an operating system would be to utilize a VPN, password-protect the software and lock the device, and enable a firewall.
Removing unnecessary services, setting permissions and privileges, monitoring server logs, and automating backups are other steps to secure server applications.
zijian ou says
In general, what should an effective system security plan include?
Victoria Zak says
Hi Zijian,
A system security plan is to provide an overview of the security requirements of the system and describe the controls in place, or planned, for meeting those requirements. However, the plan should include the descriptions of managerial policies, operational procedures, and technical components that the company plans to implement to meet the requirements of each control.
Kyuande Johnson says
Things that should be included in the SSP:
– The SSP should sum up the security posture of a system.
– It should include the boundaries of the system
– The characteristics of the system
– The security controls on the system and how they are implemented
Victoria Zak says
What is the point of managing groups and users? Why is it important?
Patrick Jurgelewicz says
Hey Victoria, with every user having an account, adding security measures to these accounts is crucial to host hardening. Often it is easier to assign users to groups, then assign measures to those groups. This requires less labor and reduces errors.
kofi bonsu says
Hi Victoria,
Security is essential in any digital environment, so to make it easier for users to manage permissions and other user accounts, Windows and Linux offer a useful feature called user groups that enables them to be managed properly.
Kyuande Johnson says
Great question Victoria. The purpose of managing groups and users is to apply access controls and implement separation of duties. Access control is the process of granting or denying specific requests to obtain and use information. Separation of duties is the concept of having more than one person required to complete a task. Everyone in the organization should have limited access. This limited access is the bare minimum access needed to complete their job tasking. Access and permissions should be reviewed periodically because many changes can occur. For example, an employee may need access to the developers group to complete a specific project. When that project is complete, that user should no longer have access to that group.
Madalyn Stiverson says
What considerations should be made when setting up an organizations logging policy?
Vraj Patel says
Hello Madalyn,
The things that should be considered while setting up the organization's logging policy are whether the servers or applications that need to be logged are being monitored properly or not, and whether they are logging the sufficient detail required or not.
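To make the two checks in the reply above concrete, here is an added Python example (not from the original thread) that audits a batch of log lines for both points: whether each event carries the detail the policy requires, and whether every host the policy says must be monitored has actually reported within a silence window. The key=value log format, the sample lines, the `REQUIRED_FIELDS` and `MONITORED_HOSTS` lists and the window size are all constructed assumptions for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a key=value format; not from any real system.
SAMPLE_LOGS = """\
ts=2024-05-01T10:00:00Z host=web01 user=alice action=login result=success src=10.0.0.5
ts=2024-05-01T10:00:07Z host=web01 user=bob action=login result=failure src=10.0.0.9
ts=2024-05-01T10:01:30Z host=db01 action=query result=success
ts=2024-05-01T10:02:00Z host=web01 user=alice action=download result=success src=10.0.0.5
host=web01 user=carol action=logout result=success
"""

# Hypothetical logging policy (assumptions for this example): the fields every
# event must carry, and the hosts that must be seen reporting.
REQUIRED_FIELDS = ("ts", "host", "user", "action", "result")
MONITORED_HOSTS = ("web01", "db01", "mail01")

# End of the review window for the constructed sample above.
WINDOW_END = datetime(2024, 5, 1, 10, 5, tzinfo=timezone.utc)

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; unknown tokens are simply ignored."""
    return dict(KV_RE.findall(line))


def missing_fields(event):
    return [f for f in REQUIRED_FIELDS if f not in event]


def audit_logs(text, window_end, max_silence=timedelta(minutes=5)):
    """Return lines lacking required detail and monitored hosts that have gone quiet."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    detail_gaps = {}  # 1-based line number -> list of missing fields
    last_seen = {}    # host -> most recent timestamp observed
    for n, ev in enumerate(events, 1):
        gaps = missing_fields(ev)
        if gaps:
            detail_gaps[n] = gaps
        if "ts" in ev and "host" in ev:
            t = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            last_seen[ev["host"]] = max(t, last_seen.get(ev["host"], t))
    silent = [
        h for h in MONITORED_HOSTS
        if h not in last_seen or window_end - last_seen[h] > max_silence
    ]
    return {"detail_gaps": detail_gaps, "silent_hosts": silent}


def run_example():
    return audit_logs(SAMPLE_LOGS, WINDOW_END)


if __name__ == "__main__":
    report = run_example()
    for line_no, gaps in report["detail_gaps"].items():
        print(f"line {line_no}: missing {', '.join(gaps)}")
    for host in report["silent_hosts"]:
        print(f"host {host}: no events in the monitoring window")
```

On the constructed sample, line 3 lacks a user and line 5 lacks a timestamp, and mail01 never reports at all; a silent host is often the more serious finding, because missing logs are invisible unless something explicitly checks for their absence.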
Dhaval Patel says
Are VMs considered any more or less safe than local systems?
Kelly Sharadin says
Hi Dhaval,
Great question. If the VMs are deployed by the organization, then a greater granularity of control is afforded in terms of software installed, patching (if they regularly patch) and general visibility by enrolling the VM into a monitoring solution. If a VM becomes corrupted, it can easily be blown away and a new golden image or non-corrupted backup can be restored with little downtime. VMs can also be easily segmented within the network.
Kelly
kofi bonsu says
The question I would discuss with my classmates is how do you ensure your systems are hardened properly?
Vraj Patel says
Hello kofi,
One of the ways to ensure the systems are properly hardened is by having an effective policy in place, which would include details such as that default credentials should be changed and other related information. Also, auditing the system would ensure that the appropriate controls are in place and working effectively.
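The following is an added Python example (not part of the original thread) that ties the reply above to Victoria's earlier list of server hardening steps: it audits a constructed host inventory against a hardening baseline, reporting unnecessary running services, required services that are missing, enabled accounts whose default credential was never changed, and world-writable files. The `Host` inventory shape, the `BASELINE` contents and the sample host `WEB01` are assumptions made for this example; a real audit would feed it data collected from the system.

```python
from dataclasses import dataclass


@dataclass
class Host:
    """Inventory as a scanner might collect it (shape is an assumption for this example)."""
    name: str
    services: list   # names of running services
    accounts: dict   # username -> {"default_password": bool, "enabled": bool}
    files: dict      # path -> mode bits as an int


# Hypothetical hardening baseline; the sets below are assumptions for this example.
BASELINE = {
    "allowed_services": {"sshd", "nginx", "rsyslog", "auditd", "cron"},
    "required_services": {"rsyslog", "auditd"},
}

# Constructed sample host, not real host data.
WEB01 = Host(
    name="web01",
    services=["sshd", "nginx", "telnetd", "rsyslog"],
    accounts={
        "admin": {"default_password": True, "enabled": True},
        "deploy": {"default_password": False, "enabled": True},
        "guest": {"default_password": True, "enabled": False},
    },
    files={
        "/etc/shadow": 0o640,
        "/var/www/upload.sh": 0o777,
        "/etc/ssh/sshd_config": 0o600,
    },
)


def audit_host(host, baseline=BASELINE):
    """Return a list of human-readable findings; an empty list means the host passes."""
    findings = []
    running = set(host.services)
    # Services outside the allow-list should be removed or disabled.
    for svc in sorted(running - baseline["allowed_services"]):
        findings.append(f"unnecessary service running: {svc}")
    # Logging and audit daemons must be present for monitoring to work.
    for svc in sorted(baseline["required_services"] - running):
        findings.append(f"required service missing: {svc}")
    # A disabled account with a default credential is a lower risk than an enabled one.
    for user, attrs in host.accounts.items():
        if attrs["default_password"] and attrs["enabled"]:
            findings.append(f"enabled account still has default credential: {user}")
    # The 'other write' bit (0o002) means anyone on the host can modify the file.
    for path, mode in host.files.items():
        if mode & 0o002:
            findings.append(f"world-writable file: {path} ({oct(mode)})")
    return findings


if __name__ == "__main__":
    for finding in audit_host(WEB01) or ["no findings"]:
        print(f"{WEB01.name}: {finding}")
```

The point of separating the baseline from the audit logic is the policy-first approach the reply describes: the baseline is the written policy, and the audit is the check that the policy actually holds on each host.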
Madalyn Stiverson says
Hi Kofi,
A good place to start is by addressing the defense in depth strategy. This means setting up controls at all layers – perimeter security, network security, data security, application security, endpoint security, and monitoring. This should all be supported by your policy.
Andrew Nguyen says
One question that I would like to ask my classmates this week is:
Why should organizations carefully plan and address the security aspects of the deployment of the server, and what would happen if they failed to do so (i.e. pushing the deployment of a server "just to get it out there" and adding security aspects later)?
Antonio Cozza says
How does the concept of a “Least Common Mechanism” work?
Patrick Jurgelewicz says
Hey Antonio, NIST SP 800-123 defines Least Common Mechanism as when providing a feature for the system, it is best to have a single process or service gain some function without granting that same function to other parts of the system.
Dan Xu says
How can businesses prevent users or those with access to their accounts from navigating to sensitive information by controlling access and permissions?
Madalyn Stiverson says
Through an identity access management tool like AD, you can set up groups such as “accounting,” and then allow that group access to accounting information and systems required to do their jobs. If it’s a large company, you can further segment this by geography. You can have a Boston Accounting team and a New York Accounting team, each of which only have access to their respective region’s data and resources.
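As an added example that is not part of the original thread, the Python below models the group-based approach in this reply and in Kyuande's earlier answer on managing groups and users: regional accounting groups that only reach their own region's ledger, a project group membership that expires, a separation-of-duties rule, and a periodic access review that reports expired memberships and conflicting group pairs. The group names, resources, users and dates are constructed assumptions for this example and do not represent any directory service's real API.

```python
from datetime import date

# Hypothetical groups and the permissions they grant on resources (assumptions).
GROUP_PERMISSIONS = {
    "accounting-boston": {"ledger-boston": {"read", "write"}},
    "accounting-nyc": {"ledger-nyc": {"read", "write"}},
    "developers": {"source-repo": {"read", "write"}},
    "approvers": {"ledger-boston": {"approve"}, "ledger-nyc": {"approve"}},
}

# Separation of duties: one person should not both record and approve entries.
SOD_CONFLICTS = [("accounting-boston", "approvers"), ("accounting-nyc", "approvers")]

# Constructed memberships: username -> {group: expiry date or None for permanent}.
MEMBERSHIPS = {
    "alice": {"accounting-boston": None, "developers": date(2024, 3, 31)},
    "bob": {"accounting-nyc": None, "approvers": None},
    "carol": {"approvers": None},
}

TODAY = date(2024, 5, 1)          # review date used by the sample run
DURING_PROJECT = date(2024, 3, 1)  # a date while alice's project access was valid


def permissions_for(user, today):
    """Union of permissions from every non-expired group the user belongs to."""
    perms = {}
    for group, expiry in MEMBERSHIPS.get(user, {}).items():
        if expiry is not None and expiry < today:
            continue  # expired project access grants nothing
        for resource, actions in GROUP_PERMISSIONS.get(group, {}).items():
            perms.setdefault(resource, set()).update(actions)
    return perms


def is_allowed(user, action, resource, today):
    return action in permissions_for(user, today).get(resource, set())


def access_review(today):
    """Periodic review: memberships that should be removed and SoD violations."""
    expired, conflicts = [], []
    for user, groups in MEMBERSHIPS.items():
        for group, expiry in groups.items():
            if expiry is not None and expiry < today:
                expired.append((user, group))
        for a, b in SOD_CONFLICTS:
            if a in groups and b in groups:
                conflicts.append((user, a, b))
    return {"expired": expired, "sod_conflicts": conflicts}


if __name__ == "__main__":
    print("alice reads Boston ledger:", is_allowed("alice", "read", "ledger-boston", TODAY))
    print("alice reads NYC ledger:", is_allowed("alice", "read", "ledger-nyc", TODAY))
    print("alice writes repo today:", is_allowed("alice", "write", "source-repo", TODAY))
    print("review:", access_review(TODAY))
```

The review function is the piece most often missing in practice: granting access through groups is easy, but without a scheduled check that removes expired project memberships and catches conflicting group pairs, access only ever accumulates.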
Michael Jordan says
What is the most effective way to view and manage all the operating systems used within an entire network? What about services? (For example, if client hosts use Windows operating systems but some servers use Linux.)
Vraj Patel says
How often should Group Policy Objects (GPOs) be reviewed for the accuracy of their included policies?
Lauren Deinhardt says
Password creation guidelines are constantly changing; what do you think is the strongest possible password credential requirements? (within reason, of course)
Kyuande Johnson says
What are three types of patch management?
Olayinka Lucas says
As an IT Security Analyst, in the interest of Incident Response, would you instead recommend system hardening or reconfiguration/development of the system from scratch?