
IT Security from Down Under


No account should have both administrative access and access to networks outside of the organization, including the Internet and email.

This is because the principle on which our security offerings are built is Windows privilege management — namely, the control over who has access to specific applications running on the corporate IT platform as well as the underlying data. This means, for example, that if the admin team only runs its control and security software from within the network perimeter on known PCs, then access to those applications can be locked down to specific on-network computers.

Then, even if a set of admin account credentials is compromised by hackers, they can’t use those credentials from the Internet — they would still have to gain physical access to the terminals used by the admin staff. There is a similar belt-and-braces approach being adopted by a growing number of banks for online account access: not only must users present the right credentials, they must also authenticate themselves using the appropriate hardware token.

Meanwhile, back in the land of securing Windows-based computers, it’s interesting to note that in a second report from Australia, “Implementing the DSD’s Top Four for Windows Environments,” the conclusion is quite unequivocal:

“Minimizing administrative privileges is an exercise in the principle of least privilege. In a properly designed, administered and maintained environment there is no requirement for any user to have administrative privileges on their day-to-day account. In addition there should be no account which has both administrative privileges and access to networks outside of the organization, such as Internet or email services.”

The report adds, “When properly planned and executed, minimizing administrative privileges can have significant flow on benefits to the stability and consistency of the computing environment, simplifying administration and support of that environment.”

Does this sound vaguely familiar? It should — it’s effectively a summary of the reasoning and principles surrounding the use of SCADA-based computer systems that run our critical infrastructures.

And while I’m clearly not advocating the use of the inflexible embedded-operating-system approach seen on SCADA-based platforms, I think there is considerable scope for the Australian DSD’s report recommendations to be deployed in corporate IT departments in the U.S. and Europe. As well as reducing the risk profile of company IT systems, they would also greatly assist in reducing the number of support calls needed in a typical major corporation, which is something that will make the bean counters happy.

And that’s not a bad thing when you think about it.
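The two controls discussed above (no account with both administrative privileges and Internet or email access, and admin logons locked to known on-network PCs) can be checked against an account inventory. The following is an added example, not code from the article or the DSD report; the CSV column names, the list of privileged groups and the sample rows are all constructed assumptions.

```python
import csv
import io

# Constructed sample export (not real data), one row per account.
# Assumed columns: groups and logon_workstations are ';'-separated,
# mail is empty when the account has no mailbox, internet is 'yes'
# when the web proxy lets the account reach outside networks.
SAMPLE_EXPORT = """\
account,groups,mail,internet,logon_workstations
jsmith,Staff,jsmith@example.com,yes,
jsmith-adm,Domain Admins,,no,ADMIN-PC01;ADMIN-PC02
bwong,Staff;Server Operators,bwong@example.com,yes,
svc-backup,Backup Operators,,no,
klee-adm,Domain Admins,,yes,ADMIN-PC03
"""

# Assumption: groups treated as administrative; adjust to the environment.
ADMIN_GROUPS = {"domain admins", "enterprise admins", "administrators",
                "server operators", "backup operators"}


def split_field(value):
    """Split a ';'-separated cell, tolerating empty or missing values."""
    return [v.strip() for v in (value or "").split(";") if v.strip()]


def audit(export_text, admin_groups=ADMIN_GROUPS):
    """Return {account: [issues]} for privileged accounts breaking either rule."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        groups = {g.lower() for g in split_field(row["groups"])}
        if not groups & admin_groups:
            continue  # day-to-day account: mail and Internet are expected
        issues = []
        if (row["mail"] or "").strip():
            issues.append("admin-with-mailbox")
        if (row["internet"] or "").strip().lower() == "yes":
            issues.append("admin-with-internet")
        if not split_field(row["logon_workstations"]):
            issues.append("no-workstation-restriction")
        if issues:
            findings[row["account"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit(SAMPLE_EXPORT).items():
        print(f"{account}: {', '.join(issues)}")
```

In the sample, `jsmith-adm` passes because it is a separate admin account with no mailbox, no Internet access and a fixed set of logon workstations, while `bwong` fails all three checks because a day-to-day account was given a privileged group.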


