It’s Never Too Late to Improve Your Personal Security Posture

Security is everyone’s responsibility.

That’s it. That’s the whole point.

(I may be spending too much time with Leon, but it had to be said.)

If you have a security team, or even just one person who is tasked with security, it’s easy for the rest of the team or department to fall into a trap and think there’s nothing more you need to do. You’re wrong. Every individual can do something to improve their own security posture, which will, in turn, improve the company’s security posture. People are one of the greatest risks for any company because of negligence, human error, inefficiencies, and so on.

That’s not me saying, “It’s the user’s fault.” Quite the opposite. That’s me saying, as IT practitioners within the organization, you—individually and collectively—have unprecedented levels of access and privilege. So, you’re a prime target. In fact, you live in the most fragile of glass houses when it comes to discussing responsibility for people-based security breaches. So, make sure that glass house is in order.

All personnel should be regularly trained, and many companies require recurring security training. As an individual, though, make sure you are actually practicing those techniques. Every person at a company presents some amount of security risk, from the custodial staff to the CEO. I can feel some people scoffing, but when you think about what people have access to—maybe even without them knowing it—you start to get an idea of the risks involved. Which brings us to…

Step 1—Personal Risk Assessment

Since we’re talking about you as an individual, this would be an assessment of risk based on the permissions you hold, the devices you can access, the buildings you can enter, etc. Some of those things you won’t alter because you need them to perform your job, but you should be aware of the potential risk, so you can consciously take steps to reduce it in those areas.

Step 2—Least Privileged Access

Work with your coworkers to ensure you have the least amount of privileges you need to get your work done. Need more permissions for a specific one-off task? Request a temporary elevation of permissions and notify them when the task is complete, so the permissions can be reverted to the least required. I can see some friends of mine shaking their heads, cursing security, and saying they don’t have time for that and it’s a painful undertaking. To them, I say, “So, what?” Budget the time for the required permission changes into your tasks.

Step 3—Don’t Take It Home

I realize this is unreasonable in the reality of working from home. What I mean, though, is don’t transfer work to your personal devices. Don’t take screenshots on your phone, don’t take a flash drive with sensitive documents home if you can help it, don’t click links in emails unless you’re positive they’re safe, don’t…don’t…don’t… I could go on. DO pay attention to those briefings on security and do your part. As I mentioned, this isn’t always something you can avoid. So, when you can’t avoid it, DO treat your home as a remote site. Look at the entirety of the security posture—internet router, firewall, etc.—through the same lens you’d use to evaluate a newly acquired site. Would YOU trust corporate data in your house? If not, start looking for ways to fill those gaps. I’m not saying buy a $300,000 rack of security gear. But there’s a lot that can be done for not a lot of money, especially in a home environment.

This is by no means a comprehensive list, but keep looking for ways to improve your own security posture. Raise awareness in others where you can.

I hinted at this earlier, but I want to be clear and direct because that’s what good security advice looks like. You may have sensed—or even heard about—the heightened emphasis on security at SolarWinds. The catchphrase we’re using around the office is “Secure by Design,” and what I’m writing about here is as much a part of that as any new patching cycle, certificate refresh, or code change we may do.

Secure by Design is something at SolarWinds which is both inward and outward facing. Outward, we’re more explicitly connecting our patches to CVEs and other risk assessments, so our customers understand the importance of a hotfix or upgrade beyond “addresses outstanding bugfixes, implements performance improvements, and new features.” You can continue to expect updates from us on further improvements to our security stance as we are able to share them.

Meanwhile, inward facing actions include changes to both individual and group processes, so we can leverage everything we’ve learned since December 12.

But you, the individual, are critical to the success of this plan. You need to take security as seriously as we are, or none of our efforts are going to matter much.

Just like this pandemic, it’s important to do your part.

Anonymous
  • Thanks! I think it's important to constantly keep the conversation going so we can continue to learn and improve. I look forward to meeting you in person when we are allowed again!

  • And ... I said that we were friends!!! I do hope to meet you in person some day! I am a true fan!

  • Hope you don't mind, I shared your article with the staff of El Paso County 911 District, giving full credit to Chrystal Taylor, Head Geek @ Solarwinds! A good read for all!

  • Great solid advice! It took a dedicated effort and cooperation by all, but through training and sometimes coercion, I am pleased with our posture. Understand, my organization is very small, so my mission was highly achievable. I serve up an application to over 600 users daily, but we don't allow Internet or e-mail on the device running the application! There are only 15 users that can take us down on the Network, and about 400 physical threats or employees in the facility each day. We all have admin and user accounts, and I finally got a couple of knuckleheads to stop storing passwords in their browsers; I basically shamed 2 users in front of everyone so that the point got driven home. KnowBe4 has some great tools; I ran the Browser Password Inspector against our users and was very impressed with the results! I also run "targeted" phishing campaigns perpetually to keep my users on their toes; we laugh about some of the e-mails, which keeps the dialogue flowing about protecting our organization from ourselves. I have had great success just by listening to the advice of my peers inside this community and outside of my business operations. Security is a relentless job, and a pretty fun puzzle at times! It is about layers of tools and educating the users. Thanks for sharing; I like the secure by design concept. Solarwinds ROCKS!