Friday, 10 September 2010

Consumerisation of IT

There’s been a lot in the press during the last week about IT consumerisation, and how IT departments might become extinct if they continue a line of ‘command and control’.

In an ideal world, we’d let users buy whatever hardware and software they see fit to do their jobs. In certain environments this may actually work, but I imagine that for the most part, this would be a costly nightmare for the average IT department.

Is there a compromise? I think for the time being, allowing users to choose which software to use to process company data is something only the big players are likely to be able to achieve. If users are allowed to buy their own hardware, consider providing a list of authorized devices.

If you don’t want to remove admin rights from a user’s PC, consider deploying a virtual desktop where you can comply with regulations and business needs for securing data. This way, you get the best of both worlds. It doesn’t have to be all or nothing.

Monday, 6 September 2010

A Strong Password Isn’t the Strongest Security

Great article over at the New York Times on password security.

“Keeping a keylogger off your machine is about a trillion times more important than the strength of any one of your passwords,” says Cormac Herley, a principal researcher at Microsoft Research who specializes in security-related topics.

Least Privilege Security, as part of a defence-in-depth security strategy, can help to keep keyloggers and other malware off users’ systems.

Herley continues by adding:

Security advice simply offers a bad cost-benefit tradeoff to users.

And according to the research:

“If an account is locked for 24 hours after three unsuccessful attempts,” they write, “a six-digit PIN can withstand 100 years of sustained attack.”
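As an added illustration (not part of the original post or of the research it quotes), this Python model shows why the lockout policy, rather than the PIN length, is what makes the quoted six-digit PIN survive; the policy parameters mirror the quote, and the no-lockout guess rate is an assumed figure.

```python
# Added example: model how an account-lockout policy caps online guessing.
# Assumed parameters mirror the quoted policy: lock for 24 hours after
# 3 failed attempts, six-digit numeric PIN.
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365


@dataclass(frozen=True)
class LockoutPolicy:
    attempts_before_lock: int   # failed guesses allowed before the lock engages
    lockout_hours: float        # how long the account then stays locked


def attempts_per_year(policy: LockoutPolicy) -> float:
    """Upper bound on online guesses per year against one account."""
    # Each lockout window yields at most `attempts_before_lock` guesses and the
    # window repeats every `lockout_hours` (the guesses themselves take ~0 time).
    return policy.attempts_before_lock * (HOURS_PER_YEAR / policy.lockout_hours)


def years_to_exhaust(pin_digits: int, policy: LockoutPolicy) -> float:
    """Years needed to try every numeric PIN of the given length."""
    keyspace = 10 ** pin_digits
    return keyspace / attempts_per_year(policy)


def expected_years_to_guess(pin_digits: int, policy: LockoutPolicy) -> float:
    """On average the correct PIN turns up halfway through the keyspace."""
    return years_to_exhaust(pin_digits, policy) / 2


def years_without_lockout(pin_digits: int, guesses_per_second: float) -> float:
    """Same keyspace, limited only by how fast guesses can be submitted (assumed rate)."""
    return 10 ** pin_digits / (guesses_per_second * 3600 * HOURS_PER_YEAR)


if __name__ == "__main__":
    quoted = LockoutPolicy(attempts_before_lock=3, lockout_hours=24)
    for digits in (4, 6, 8):
        print(f"{digits}-digit PIN, 3 tries / 24 h lockout: "
              f"exhaust in {years_to_exhaust(digits, quoted):,.0f} years, "
              f"expected {expected_years_to_guess(digits, quoted):,.0f} years")
    # Contrast: an assumed 10 guesses/s with no lockout at all.
    hours = years_without_lockout(6, 10) * HOURS_PER_YEAR
    print(f"6-digit PIN, no lockout at 10 guesses/s: exhaust in {hours:.1f} hours")
```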

Tuesday, 31 August 2010

3 IT mistakes that helped bring down Russian spy ring

An interesting article over at IT Manager Daily that describes some of the basic security mistakes made by the Russian spy ring. One thing’s for sure, they weren’t using least privilege security…

In addition to clear and enforced security policies, the spy ring could have used some better help desk support. Some laptops took months to troubleshoot, and one spy was so frustrated with her computer that she turned it over to an undercover U.S. agent who promised he could repair it.

All these mistakes go to show that the spies’ targets may not have much to worry about — and that, once again, everybody needs IT.

Wednesday, 25 August 2010

Book review at TaoSecurity

Another review for Least Privilege Security for Windows 7, Vista and XP has just been published over at TaoSecurity by Richard Bejtlich, Director of Incident Response at General Electric.

Very focused and timely book on an important security topic.

Monday, 23 August 2010

Least Privilege Security book at Avecto

Least Privilege Security for Windows 7, Vista and XP now has its own page over at Avecto’s website: http://www.avecto.com/ebook/index.html

Friday, 20 August 2010

Antivirus is not enough

Psst: Can You Keep A Secret? over at Biztech Magazine tells the story of an SME that seemed to be relying solely on its antivirus software for protection and, as a result, suffered a devastating virus outbreak.

“Small businesses are definitely more at risk than large businesses with respect to security because if they are attacked and their information is compromised, they can go out of business quickly,” observes Dr. Sushil Jajodia, director of the Center for Secure Information Systems at George Mason University. “As such, there is very little margin for error.”

While there’s no mention of Least Privilege Security, there are some encouraging signs:

MobiTV also customizes domain policies to enforce and lock down different aspects of its Windows and Linux machines and uses monitoring agents that not only report back performance and health statistics but also monitor for security events and patch management gaps.

Monday, 16 August 2010

Two more book reviews

Another short review of Least Privilege Security for Windows 7, Vista and XP at Ward Vissers:

I have already read some chapters. I think it is a great book to have in your collection.
You never have enough time to think about security. This book does it for you.

And here at Anything about IT:

I haven’t read the entire book yet, but from what I have seen thus far, it’s definitely a must-have for any IT Pro who is working within the Client Desktop management space. I’ll submit further feedback when I have completed the review.