A Business Technology Place

The Yin and Yang of Security Patching

My computer is working, don’t change anything.

As an IT manager I observe this behavior regularly with end-users and product managers of eCommerce applications. It’s understandable. When a computer system is working and doing its job, then “updates” are potential sources of failure. Updates change code. Updates rock the boat.

If a computer security update hasn’t bitten you yet, then it’s probably just a matter of time. My experience is that the number of system issues related to operating system updates is growing. It’s hard to test all the dependencies of a code update against every combination of hardware and software that exists on computing equipment. A couple of examples I can point to in 2017 are Microsoft Edge no longer working after the Windows 10 Creators Update was installed, and Microsoft Outlook being unable to open attachments, which was later resolved with another hotfix.

But we all know security updates are necessary. Why would we risk our personal data to thieves? In a business setting, why would we put our customers’ data at risk? Why would we put the reputation of our business at risk?

Therein we find the yin and yang of security updates. We don’t want to upset the balance of a stable system, but we need to update the system so that it can remain stable in the future.

In the name of audit controls and security principles.

In the business environment, audit standards require staying up to date with security patches. ISO 27001/ISO 27002 and SOC 2 have controls specifically addressing vulnerability and patch management policies and procedures. Meeting the requirements of those controls takes discipline in process and procedure. These standards are there to nudge all of us to change, because we all know we resist change.

Plug those security gaps or face the consequences.

The consequences of not installing security patches can be devastating. In the worst case of cyber theft reported thus far, Equifax was robbed of information for 143 million individuals. The attackers found a weakness because Equifax failed to patch a known security vulnerability in website code they use.

Now hundreds of millions of people are exposed to the whims of criminals. The reputation of a large credit bureau is blown. The two highest ranking security officials within Equifax are out of a job. Patching known security vulnerabilities is serious business.

Complementary forces at play.

The next time someone schedules a security update for a system or application, understand the potential consequences fully. Intruders are at the gates. They make a living on our resistance to change.  But if we support the change and work with administrators to report any malfunctions, we can all help to build a safer tomorrow.  That’s how another yin and yang can make a more complete whole.

Onward and upward!

How to use SharePoint to create audit trails

Show me the evidence.

I think auditors chuckle inside when they say “show me the evidence.” It’s part of their craft to seek and inspect. Over the past several years I’ve been giving documentation and evidence to auditors for various IT controls. With regard to policies, procedures, and standard practices, auditors want to see more than a one-time piece of evidence. They want to see proof that the behavior is happening on a regular basis. It’s the classic audit trail.

SharePoint – Love it. Hate it.

I’ve had my moments with SharePoint on a few items related to workflow. But one valuable attribute I’ve found with the tool is the ability to version documents and lists. This capability creates the perfect audit trail and evidence proof.

Example 1 – Annual Policy Updates

I keep version information in two places for policy documents. The first is in the document header. This shows the date of the policy, the last review date, and a version number. You can do this part without SharePoint.

The second place is the version of the SharePoint document itself. First make sure that versioning is turned on for the document repository (a one-time setup). Go to the library settings and select versioning settings. Then fill in the specifics for how you want the versions to be incremented and how many versions to keep.

Each time I edit a document I use the check-out for editing feature. Then I apply my changes, and when I check the document back in, SharePoint prompts for a summary of the updates. Each time this happens a new version of the document is created and logged.

To see the previous versions and comments select the version history from the document selection menu.

Example 2 – Production Change Updates

I use a SharePoint list to track requests and approvals for production change updates. As with documents, make sure the list has version control turned on by going to the list settings and enabling versioning.

The version history for a list shows the dates of the field updates and which specific fields were updated. It also keeps the name of the person who updated the fields (redacted in my example).

This is a simple way to keep history of policies, procedures, and updates. Having this available and ready to show an auditor makes the audit process a little easier.
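Both examples above can also be scripted, which keeps the versioning settings consistent across sites and lets you export the version history as a CSV to hand to an auditor. The following is an added example and not code from the original post; it uses the PnP.PowerShell module, and the site URL, library and list names, document path, item ID, and the shape of the objects returned by Get-PnPListItemVersion (one object per version carrying a VersionLabel and a FieldValues dictionary) are assumptions.

```powershell
# Added example, not code from the original post. Requires the PnP.PowerShell
# module (Install-Module PnP.PowerShell). The site URL, library/list names,
# document path and item ID are placeholders; replace them with your own.

Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/IT" -Interactive

# --- Example 1: policy document library -------------------------------------
# One-time versioning setup: major and minor versions, keep 50 majors with up
# to 10 minor drafts each, and force check-out so every edit ends with a
# check-in comment that becomes part of the audit trail.
Set-PnPList -Identity "Policies" `
    -EnableVersioning $true `
    -EnableMinorVersions $true `
    -MajorVersions 50 `
    -MinorVersions 10 `
    -ForceCheckout $true

# Evidence: one row per version with label, date, editor and check-in comment.
$docUrl = "/sites/IT/Policies/Information Security Policy.docx"   # placeholder path
Get-PnPFileVersion -Url $docUrl |
    ForEach-Object {
        # CreatedBy is a lazily loaded user object; load it explicitly.
        $author = Get-PnPProperty -ClientObject $_ -Property CreatedBy
        [pscustomobject]@{
            Version = $_.VersionLabel
            Date    = $_.Created
            Editor  = $author.LoginName
            Comment = $_.CheckInComment
        }
    } |
    Sort-Object { [version]$_.Version } |
    Export-Csv -Path ".\policy-version-history.csv" -NoTypeInformation

# --- Example 2: production change request list ------------------------------
# Lists only keep major versions; retain the last 100 changes per item.
Set-PnPList -Identity "Change Requests" -EnableVersioning $true -MajorVersions 100

# Turn a SharePoint field value into a plain string so two versions can be
# compared field by field.
function ConvertTo-Comparable($value) {
    if ($null -eq $value) { return '' }
    if ($value -is [System.Array]) {
        return ($value | ForEach-Object { ConvertTo-Comparable $_ }) -join ';'
    }
    # User and lookup fields arrive as objects; their display text is LookupValue.
    if ($value.PSObject.Properties['LookupValue']) { return "$($value.LookupValue)" }
    return "$value"
}

# Fields SharePoint rewrites on every save; they are noise in a "what changed" report.
$systemFields = 'Modified', 'Editor', '_UIVersionString', '_UIVersion',
                'owshiddenversion', 'Last_x0020_Modified'

# Evidence: who changed which fields, and when, on one change request.
# (Assumed output shape: one object per version with VersionLabel, Created
# and a FieldValues dictionary holding that version's field values.)
$itemId = 42   # placeholder list item ID
$versions = Get-PnPListItemVersion -List "Change Requests" -Identity $itemId |
    Sort-Object { [version]$_.VersionLabel }

$previous = $null
$report = foreach ($v in $versions) {
    if ($null -eq $previous) {
        $changed = @('(item created)')
    } else {
        $changed = foreach ($field in $v.FieldValues.Keys) {
            if ($systemFields -contains $field) { continue }
            $new = ConvertTo-Comparable $v.FieldValues[$field]
            $old = ConvertTo-Comparable $previous.FieldValues[$field]
            if ($new -ne $old) { $field }
        }
    }
    [pscustomobject]@{
        Version = $v.VersionLabel
        Date    = $v.Created
        Editor  = ConvertTo-Comparable $v.FieldValues['Editor']
        Changed = ($changed -join ', ')
    }
    $previous = $v
}
$report | Export-Csv -Path ".\change-request-$itemId-history.csv" -NoTypeInformation
$report | Format-Table -AutoSize

Disconnect-PnPOnline
```

Run it from a PowerShell session with PnP.PowerShell installed; -Interactive opens a browser sign-in. The field diff deliberately skips the fields SharePoint rewrites on every save (Modified, Editor and the hidden version counters) so the Changed column lists only the business fields that were actually edited, which is the same information the version history page shows, but in a file you can attach to an audit request.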

Onward and upward!

Becoming desensitized to security breaches

Are you there yet?

Does news of the latest corporate data breach resulting in thousands of stolen identity records no longer shock or distress you? Today when I looked at my news feed I found not one, not two, but three reports of hackers breaking through corporate firewalls to steal data. No offense to Scottrade, Patreon, and Experian, but when I glanced through the list of breaches my first thought was that this was just a normal week. It wasn’t too long ago that I felt both outrage and worry after personal information was stolen from Target, Home Depot, and Anthem. But now it feels like this is the new norm. I don’t like the new normal. Why can’t all these thieves channel their energy and intelligence to do good for the world?

Invisible theft.

Stealing data is not your father’s crime drama. It’s invisible theft. Maybe that’s the paradox of cyber-theft: data that is stolen still resides where it was stolen from. The game is played by looking for evidence that someone was in the data store room. Combine this with the fact that most high-tech theft takes place through methods and procedures that the vast majority of people don’t understand (and don’t care to understand). In a word, it’s highly sophisticated and complicated. Breaches often involve complex mathematical calculations used in cryptography and coding algorithms. Intelligent criminals, but not smart criminals.

The data breach economy.

Look around. An entire economy exists to establish, audit, monitor, and teach security standards and best practices. In 2013 Forbes reported that the IT security industry traded around $60 billion in products and services. It was expected to grow tenfold in ten years. I see the effect of this industry every day in my seat managing an IT group. We are expected to comply with a dizzying array of security controls. We buy software and hardware appliances that will protect us from theft or at least make it more difficult. Salesmen cold call me each week selling security products. “The cloud” is touted by marketers as the safest place to put data (really??). People are employed full time to audit security controls and force compliance. It’s a lucrative business riding the coattails of criminals! For the rest of us there is no choice. Non-compliance with security controls means you lose a seat at the table to compete for customer contracts and business.

Yet here we are.

Despite all the people and investment thrown at making us more secure, it feels like our data and personal information have never been more insecure. The bad guys have access to see all the controls and best practices too. Some of them prey on that list by taking advantage of those of us who fail to do the basics. Other, more sophisticated criminals invent new ways to go around our defenses. We know the merchants where we shop, the financial institutions that hold our money, and the medical providers that keep us healthy are not 100% secure. But we shop, bank, and receive medical services anyway.

Like I said, I’ve noticed that I’ve become desensitized to all this theft. But I don’t like it. Discipline and vigilance are necessary. Keep your guard up.