SMEs often manage without an IT security policy, and larger companies have one in their staff handbooks, but a policy without the controls to enforce it is of little value, and only useful for assigning blame when something inevitably goes awry.
IT departments often bring users’ attention to security policy by running training courses on induction day and at regular intervals throughout the year. And while there’s some value in security training, many professionals acknowledge that it has limited effect. There will always be users who put their own interests before company policy, or who simply fall prey to social engineering. Security training should be placed in the same camp as antivirus: something that is beneficial but ultimately has limited impact in securing endpoints. It may be more productive to place greater emphasis on security training for IT personnel, who frequently fail to understand the basics of the Windows security model, which in turn leads to security failures.
The SANS Institute has recently updated its 20 Critical Controls document, which is a useful starting point for any business that’s looking to reduce risk by deploying controls to enforce policy, and which can also be used to improve or shape an IT policy if you don’t already have one in place. While SANS lists the controls in no particular order of importance, Control 8: Controlled Use of Administrative Privileges stands out as one that can bring many quick wins to an organization. SANS states ‘The misuse of administrator privileges is a primary method for attackers to spread inside a target enterprise’ and continues by highlighting the basic principle of least privilege: administrator accounts should not be used for everyday work activities, such as browsing the web and reading email. Control 8 can be used to limit the damage caused by users who install malware on endpoints and to reduce the risk of compromise from unpatched software vulnerabilities.
SANS also refers to Configuration/Hygiene, where IT staff should use a non-administrative account for support tasks on endpoints and only elevate privileges as required using the Windows Run as command. Importantly, this should also apply to outside service providers that have access to internal endpoints for support purposes. Implementing Control 8 also goes part of the way towards successfully deploying some of the remaining critical controls listed by SANS, including:
Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
Control 7: Application Software Security
Control 12: Malware Defenses
Control 15: Data Loss Prevention
Remember, when looking through the list of 20 Critical Controls, that those addressing the root causes of security problems, such as malware getting installed on endpoints, will bring greater initial benefits than soft controls, such as Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps. Once you’ve identified the risks that are most likely to affect your company and forged suitable policies, don’t rely on user awareness training and antivirus software to ensure that policy is adhered to. Employ suitable technologies, such as Windows 7 AppLocker, or third-party utilities, such as Avecto, to control the use of administrative privileges and for application allow-listing.
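The two technical controls mentioned above, restricting membership of the local Administrators group and enforcing AppLocker rules, are easy to state in policy but only meaningful if something checks them. The following PowerShell script is an added example, not code from the article or from SANS, that audits an endpoint for both: it lists every principal in the local Administrators group and flags any that are not on an approved list, and it reads the effective AppLocker policy to report whether each rule collection is actually enforced, audit-only, or not configured. The approved-list entries, the CONTOSO domain and the group names are placeholders to be replaced with your own; the script itself runs under a standard user account, since reading group membership and policy does not require elevation.

```powershell
# Added example, not from the original article. Audits two Control 8 items on a
# Windows endpoint: (1) who holds local administrator rights, (2) whether AppLocker
# is enforcing. Run as a standard user; nothing here changes the system.
# Requires Windows PowerShell 5.1 or later (Get-LocalGroupMember) and the
# AppLocker module present on client and server editions from Windows 7 onwards.

# Placeholder approved list (assumption): replace with the principals your policy allows.
# Local accounts are reported as COMPUTERNAME\Name, so build that prefix dynamically.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (ideally disabled or LAPS-managed)
    'CONTOSO\Domain Admins',             # placeholder domain group
    'CONTOSO\Workstation-Admins'         # placeholder group for IT support staff
)

function Get-LocalAdminMembers {
    # Returns one object per member of the local Administrators group.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Name            = $_.Name
            ObjectClass     = $_.ObjectClass      # User or Group
            PrincipalSource = $_.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount
        }
    }
}

function Find-UnapprovedAdmins {
    # Compares the actual membership against the approved list (case-insensitive).
    param(
        [Parameter(Mandatory)][object[]]$Members,
        [Parameter(Mandatory)][string[]]$Approved
    )
    $approvedLower = $Approved | ForEach-Object { $_.ToLowerInvariant() }
    $Members | Where-Object { $approvedLower -notcontains $_.Name.ToLowerInvariant() }
}

function Get-AppLockerEnforcement {
    # Reads the effective (local + domain) AppLocker policy as XML and reports the
    # enforcement mode of each rule collection (Exe, Msi, Script, Dll, Appx).
    # An empty result means no AppLocker policy applies to this machine at all.
    $xml = [xml](Get-AppLockerPolicy -Effective -Xml)
    foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
        $mode = if ($rc.EnforcementMode) { $rc.EnforcementMode } else { 'NotConfigured' }
        [pscustomobject]@{
            Collection      = $rc.Type
            EnforcementMode = $mode          # Enabled = enforcing, AuditOnly = logging only
            RuleCount       = @($rc.ChildNodes).Count
        }
    }
}

# --- Report -----------------------------------------------------------------
$members = Get-LocalAdminMembers
Write-Host "Local Administrators on $env:COMPUTERNAME:" -ForegroundColor Cyan
$members | Format-Table Name, ObjectClass, PrincipalSource -AutoSize

$unapproved = Find-UnapprovedAdmins -Members $members -Approved $ApprovedAdmins
if ($unapproved) {
    Write-Warning "Accounts with admin rights that are not on the approved list:"
    $unapproved | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
} else {
    Write-Host 'Local Administrators membership matches the approved list.' -ForegroundColor Green
}

Write-Host 'AppLocker enforcement by rule collection:' -ForegroundColor Cyan
$enforcement = Get-AppLockerEnforcement
if (-not $enforcement) {
    Write-Warning 'No AppLocker policy is in effect on this machine.'
} else {
    $enforcement | Format-Table -AutoSize
    $enforcement | Where-Object { $_.EnforcementMode -ne 'Enabled' } | ForEach-Object {
        Write-Warning "Rule collection '$($_.Collection)' is $($_.EnforcementMode), not enforced."
    }
}

# Reminder for support staff (the Run as pattern the article describes): do routine
# work from a standard account and elevate only the tool you need, for example
#   runas /user:CONTOSO\adm-jsmith "mmc.exe compmgmt.msc"
# where CONTOSO\adm-jsmith is a placeholder for a separate, admin-only account.
```

Scheduling the script to run via a logon script or a management agent and collecting the warnings centrally turns the policy statement into something that can be measured: a user who appears in the unapproved list or an endpoint whose Exe collection is still AuditOnly is a concrete deviation to act on, rather than a line in a handbook.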

Russell Smith, IT Consultant & Security MVP
Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine.
Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.