The Register reports on the 'new' marching orders from the WH to gov't IT.
"In response to this week's data breach at the US Office of Personnel Management, the White House has ordered federal agencies to immediately deploy state-of-the-art anti-hacker defenses - things like installing security patches, and not giving everyone the admin password."
I shake my head.
1. Install software patches for critical vulnerabilities "without delay."
2. Use antivirus and check log files for "indicators" of malware infection or intrusion.
3. Start using two-factor authentication.
4. Slash the number of people with administrator-level access and limit what they can do and for how long per-login-session, and "ensure that privileged user activities are logged and that such logs are reviewed regularly."
Can anyone in IT tell me why 1, 2 and 4 are not standard operating procedure?
I'll give them a break on 3, because two-factor ID is a tough nut. User + machine, user + user, user + IP, user + BYOD, etc. can be difficult to integrate into a system.
I have some sympathy, though. You know how this happens? Every title needs a local wireless printer, 'cause, status. Then the users complain 'cause they can't send email from their iPhone. And, "why can't I use my Samsung tablet instead of that dirty old desktop?" "What do you mean the systems are going down for a restart? We can't do that!" And pretty soon IT is just saying, "Screw it, I'm not going to bother fighting with senior management over what they see as nothing." And you have a zillion holes in your perimeter.
How's your network's perimeter? Have you chosen convenience over security?