Show me the baby!
Lightening the lockdown, Mark Norris, IT Security Manager at Focus Group, details the importance of having monitoring and alerting systems in place to make sure everyone adheres to a firm’s security policies and guidelines…
By Sonia Older
16 April 2020, UK
If you have read my previous blogs, you will have realised that I am old. Some may say experienced or seasoned, but I know the truth. I can remember when our first PC arrived at work, an IBM model 5150 (look it up if you have no idea what it looked like). A few years later, still playing with DOS, I had to learn how to edit the config.sys or autoexec.bat to make use of the full 1MB of memory that became available. I loved the config.sys used by OS/2 – if the order was not perfect then your computer would not start.
I recently found in the cupboard in my man cave/office a set of MS DOS 6.3 3.5-inch diskettes. They were at the bottom of the box of cables I have been keeping. Why have I still got a 9-pin to 25-pin connector cable? Or 25-pin switch boxes? In my many roles at IBM, I worked with an auditor whose common phrase was “Show me the baby”. He didn’t care if people said they were doing X or the system was up to date or “Yes, the firewall rules were examined last March”. All he was interested in was the physical evidence, and during an audit I would hear his Irish tones doling out the phrase “Show me the baby”.
As I get more seasoned, my list of things that annoy me seems to increase exponentially. But switching hats (I have lots of hats as I tend to sunburn my head due to a lack of hair) back to my IT security hat, companies quite often impose policies that they have no means of policing or monitoring. Companies create these great IT Security policies that state “Thou shalt not access social media sites from a company computer” or “Thou shalt not plug in a USB storage device into your work computer”. The times I have seen or heard of these great policies and then you ask the questions “How are they enforced?” or “How are they monitored?”.
For example, James in Accounts keeps bringing in his USB pen device to copy an Excel file onto. He plugs it into his computer, and it does not work. He tries Emma’s next to him and it does not work. All in all, he tries all six PCs from Accounts and two from other departments with no success. It is great that the company have a policy that blocks access, but who is looking at the logs to check whether someone is trying to breach the policy? Or, where are the alerts sent that would warn of such behaviour? Where are the alerts if people try to connect to Facebook for example? (If your policy dictates that this access is prohibited).
Maintaining policies and guidelines
There is, of course, a level of trust given to employees. And I will add that most employees, if told that they cannot do something, will follow those policies or guidelines. Though looking at the pictures from this weekend of people gathering at national parks or beaches, I do question whether we have common sense at times. But reverting to the phrase “Show me the baby”, how does a company demonstrate that trust from employees without any evidence? Then what about data loss protection? How do you stop a disgruntled employee taking your customer database details away with them when they leave?
Companies need in place some sort of monitoring and alerting system that supports their policies. If the policy states no Facebook access, then some sort of monitoring software or system is needed to provide the evidence that no one is accessing Facebook. If USB ports are blocked, it reports and alerts when an attempt is made. There needs to be some physical evidence provided that demonstrates compliance. With the increase in phishing and malicious emails, alerting and monitoring is a key requirement. It demonstrates controls are in place for the policies that have been defined. It also shows that staff are abiding by the rules, either put in place by the company or imposed via legislation.
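The James scenario above, as an added example that is not part of the original article: a small check over device-control logs that alerts when one USB device is blocked on several PCs within a short period. The log format, field names, host names, serial numbers and thresholds are all assumptions constructed for illustration, not any product's real output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical device-control log format.
# Note the logged-in user differs per PC, so the device serial is the stable key.
SAMPLE_LOG = """\
2020-04-14T09:02:11 host=ACC-PC01 user=james event=USB_STORAGE_BLOCKED serial=SN-EXAMPLE-1
2020-04-14T09:03:40 host=ACC-PC02 user=emma event=USB_STORAGE_BLOCKED serial=SN-EXAMPLE-1
2020-04-14T09:05:02 host=ACC-PC03 user=james event=USB_STORAGE_BLOCKED serial=SN-EXAMPLE-1
2020-04-14T09:07:19 host=HR-PC07 user=james event=USB_STORAGE_BLOCKED serial=SN-EXAMPLE-1
2020-04-14T11:30:00 host=SALES-PC02 user=steve event=USB_STORAGE_BLOCKED serial=SN-EXAMPLE-2
2020-04-14T11:31:00 host=SALES-PC02 user=steve event=LOGON serial=-
"""

LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) serial=(?P<serial>\S+)$"
)

def blocked_usb_alerts(log_text, min_hosts=3, window=timedelta(hours=1)):
    """Alert on any device blocked on >= min_hosts distinct hosts within window."""
    by_serial = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["event"] != "USB_STORAGE_BLOCKED":
            continue  # ignore malformed lines and unrelated events
        ts = datetime.fromisoformat(m["ts"])
        by_serial[m["serial"]].append((ts, m["host"], m["user"]))

    alerts = []
    for serial, hits in by_serial.items():
        hits.sort()
        # Slide a window forward from each blocked attempt in turn.
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            hosts = sorted({h[1] for h in in_window})
            if len(hosts) >= min_hosts:
                alerts.append({
                    "serial": serial,
                    "hosts": hosts,
                    "users": sorted({h[2] for h in in_window}),
                    "first_seen": start.isoformat(),
                })
                break  # one alert per device is enough
    return alerts

if __name__ == "__main__":
    for alert in blocked_usb_alerts(SAMPLE_LOG):
        print(alert)
```

A single blocked attempt on one PC stays quiet; the same device turning up on PC after PC is what produces the evidence an auditor would ask to see.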
A handle on homeworkers
And then suddenly we are all at home working away, and though the same policies apply to workers, how does a company know? What happens when Steve in Accounts now gets a problem with his Excel file and needs help with that pivot table? The answer is a software solution that would allow Steve’s manager to connect to his laptop and see what the problem is. But equally something that lets you monitor your staff as they work from home. Are they really working or watching YouTube videos against your policy? Not that staff cannot be trusted but “Show me the baby”. There will be times when you need that evidence that staff are logged in, how long they were working on a system, how long they were browsing the web, when did they log off, was any DLP data downloaded against policy. The list can be as generic or relaxed as necessary, but it should match your IT security policy.
I appreciate I am not a salesperson, only a humble IT Security Manager, but something like Teramind would be a good place to start if you are looking for a monitoring solution.