Posts Tagged ‘Security’

SSL Security Check

Wednesday, May 9th, 2012

Nice little wizard at https://www.ssllabs.com/ssltest/index.html if you want to check how secure your SSL-protected web site is. Bear in mind the scan runs from the SSL Labs servers, so the site has to be reachable from the internet.

Are you a Control Freak or a Freedom Fighter?

Wednesday, November 3rd, 2010

I speak with a lot of people who work in IT departments. Some of them even run the department. What I’ve noticed is that people involved in IT tend to fall into two distinct groups, which I’ll label “Control Freaks” and “Freedom Fighters”. The two are easy to tell apart.

A typical conversation with a Control Freak will go something like this:

Me: Tell me, what are you hoping to get from this solution?

Client: We need to stop our users from doing this, we have to prevent them from accessing that data and stop them from sending it out. They shouldn’t get to this site and we don’t want them able to do this.

By contrast, a conversation with a Freedom Fighter will sound more like the following.

Me: Tell me, what are you hoping to get from this solution?

Client: We need our users to be able to do what they have to do, we need to allow them to access data and let them send it out. They should be able to get to web sites when they need to and we want them to be able to do whatever it takes to succeed.

As you can see, the first example is the legacy view of IT: prevention and locking down of systems. The second has IT as an enabler to the business, allowing people to work whilst keeping the business secure. In truth, achieving the correct result is a fine balancing act between the two. If you lock down systems too much then users will either try to work around your security (not good), or the best of the bunch will refuse to work under such restrictions and leave for somewhere that suits them better. Again, not good if the best of the talent leaves the business.

By contrast, if you ease up security too much in the hope that users will be productive, then you face the risk of more downtime and of being the target of malicious attacks, which will also bring systems down, possibly damage the brand, lead to loss of sales and, at the extreme end and depending on the attack, could mean the failure of the organisation.

So, which is the right answer: Control Freak or Freedom Fighter? Perhaps the answer is more Business Enabler.

Me: Tell me, what are you hoping to get from this solution?

Client: We want to help our users to do what they have to do, we need to allow them to transparently access the data they should have access to and no more, and let them send it out in an appropriate manner to the correct recipients for the right uses. They should be able to get to the web sites they need to and we want them to be successful.

If you get the balance right then the organisation can work at speed, in a connected fashion, with appropriate security controls. Staff will be happy with their systems, and happiness leads to better motivation and increased success. It also leads to fewer support calls, an easier life for the helpdesk and more time to do better IT, leading to even more improvements.

Redstone have a very good white paper that you can download if you would like a more in depth explanation of this philosophy and how the security decisions you take can help make or break your organisation. Download it here.

Configuring an internal Certificate Authority for lab environments

Wednesday, September 1st, 2010

Sometimes people write really excellent articles on the web, and this is one of those occasions where the article needs nothing adding to it. If you set up labs to learn new technologies, study for exams or just pre-flight technologies before you put them live, and you struggle to get certificates working both “inside” and “outside” your lab environment (typically because clients cannot reach the CRL distribution point and so fail revocation checking), the article at http://www.windowsnetworking.com/articles_tutorials/Certificate-Revocation-Checking-Test-Labs.html walks you through publishing CRLs (to an “external” server, for example) or even turning off revocation checking so that it’s no longer an issue (only advisable in lab environments).
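For reference, here is the shape the procedure takes on a Windows enterprise CA. This is an added example, not code from the linked article: the HTTP host pki.lab.example, the file share \\extweb\CertEnroll and the certificate path C:\lab\webserver.cer are placeholders you would replace with your own lab names. Run it on the CA as an administrator.

```powershell
# Added example (not from the linked article). Assumes a lab enterprise CA whose CRL
# should also be reachable from outside the lab at http://pki.lab.example/CertEnroll/
# (placeholder hostname). Run on the CA as an administrator.

# Publish the CRL to the local CertEnroll folder (flag 1) and advertise an HTTP
# distribution point in newly issued certificates (flag 2). The \n separates the
# two entries of the multi-string registry value; certutil expands the tokens
# %3 = CA name, %8 = CRL name suffix, %9 = delta-CRL suffix.
certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.lab.example/CertEnroll/%3%8%9.crl"
Restart-Service CertSvc

# Issue a fresh CRL so the new configuration is exercised, then copy it to the
# web server that the "outside" clients can reach (placeholder share).
certutil -CRL
Copy-Item 'C:\Windows\System32\CertSrv\CertEnroll\*.crl' '\\extweb\CertEnroll\'

# From a client, fetch every CDP/AIA URL in the chain and report which ones fail.
# This is the quickest way to see whether revocation checking is the problem.
certutil -verify -urlfetch C:\lab\webserver.cer

# Lab-only shortcut: allow the CA service to start even when it cannot retrieve
# the CRL for its own certificate. Do not do this on a production CA.
certutil -setreg CA\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
Restart-Service CertSvc
```

Two caveats: the new distribution point only appears in certificates issued after the registry change, so re-issue any lab certificates you already have; and the CRLF_REVCHECK_IGNORE_OFFLINE flag only relaxes the CA’s check of its own certificate, so clients still need a reachable CDP (or their own revocation-checking exemption) to trust certificates the CA issues.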

Audit Active Directory

Wednesday, November 18th, 2009

Want some free advice on what to audit in Active Directory ?

You could do worse than go to http://www.activedirsec.com/index.html – try out their free Gold Finger tool too.
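As a starting point before you reach for a third-party tool, the checks below cover the items that turn up in nearly every Active Directory audit: who holds domain-wide privilege, and which accounts are configured in ways that weaken the domain. This is an added example, not code from the linked site; it assumes the ActiveDirectory PowerShell module (part of RSAT) and a domain account with ordinary read access, and the 90-day inactivity threshold is an assumption you can tune.

```powershell
# Added example, not from the linked site. Requires the ActiveDirectory module
# (RSAT) and only read access to the directory.
Import-Module ActiveDirectory

# 1. Who holds domain-wide privilege? -Recursive expands nested groups, which is
#    where unexpected members usually hide.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}

# 2. Enabled accounts whose password never expires (old passwords that are never
#    rotated are the ones that end up in credential dumps).
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

# 3. Enabled accounts that have not logged on for 90 days (assumed threshold):
#    leavers and forgotten service accounts that should be disabled.
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object Enabled |
    Select-Object SamAccountName, LastLogonDate

# 4. Accounts with Kerberos pre-authentication disabled: anyone on the network
#    can request a ticket for them and crack the password offline.
Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' |
    Select-Object SamAccountName
```

Pipe each query to Export-Csv and keep the output with a date in the filename; the value of an audit is mostly in the diff between this month’s membership lists and last month’s.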