06/04/2017 872 views
Hi All

I have recently moved to a new company with 100 staff. I only have 3 years of IT experience, and am kind of shocked by what I have discovered in this new IT environment that I will be working in. Can any of you give me some recommendations on how I could go about auditing it? So currently:

- All users have admin rights to their machines
- No internet firewall policy; everyone can search anything and everything
- Download and install as they please
- All machines are imaged individually
and much much more...

So I am not sure in what order I should go about investigating the environment to find more issues that can be looked at (so an order like group policy first, then Active Directory, then the machine itself, then antivirus, etc.).

Then when it comes to resolving, what is most critical to lowest priority, as I am sure money will need to be spent on getting things in place. I have IT support experience but not system admin experience. That is what the other guy I'm working with is meant to be...but...yea.....

Any help would be greatly appreciated.


Comments

  • First of all what is:
    - your duty in the company
    - your responsibility
    - your execution power
  • It is a culture issue. You need to start the discussion with your boss about what you see and what worries you about the state of IT in the company. Some companies do not care until after something happens. You may have to decide if you accept working in that type of environment.
    To help with your discussion with your boss, here are a couple of YouTube videos that show how easy it is to compromise a business.

    Watch this hacker break into a company (2 Minutes 55 Seconds)
    https://youtu.be/PWVN3Rq4gzw

    Spear Phishing - One Click
    https://www.youtube.com/watch?v=dy5i_Y4FV8M


Community Chosen Answer

4
>No internet firewall policy 
This seems a blindingly obvious place to start.

>auditing
Do you have SCCM or similar? Unlikely, I guess, for such a small business. Try Spiceworks. I've used that before and, the best bit, it's free!
Answered 06/06/2017 by: VBScab
Red Belt

All Answers

2

My first comment is "tread carefully". In my experience, if you are working in an environment where everyone has access to everything you can run into a lot of resistance if you start removing access.

I have come into similar environments and my biggest takeaway is that getting upper level buy-in is critical. What you absolutely don't want is to remove something and then get immediately overruled from on high. That will set the tone that if you get the attention of the right person, the change can be undone. It sets up a situation where every change you make is fought tooth and nail.

Honestly, I would say it doesn't really even matter what change you start with. Doesn't matter if you pick a "most critical security issue" or "tiny trivial security issue, but easy to remediate"... at the end of the day what you have is a culture issue not a technical one. You are working at a business where security principles are not "part of what we do". That is a war you win one battle at a time; more importantly, it is a war you CANNOT win by yourself.

Get buy-in from the highest levels on something specific that they believe "this is absolutely something we need to change". Research and plan it carefully so that you make SURE no one can kick back with "I can't do my job because...". At the end of the day, you need the people who are resistant to change to break their teeth on upper management and get "no this needs to happen"...

If you do that repeatedly at the start, the complainers will use up all of their credit after the first 2-3 changes... then you can establish a culture of security and sound practices. 


As for specifics... it sounds to me as if you are walking into the wild west. I wouldn't worry about identifying every possible issue that needs correcting. You already have a list long enough to last you a long time with cultural resistance. I would start on getting a feel for what sort of changes you can make that give you "bang for your buck". Either things that help "you" do your job easier (like standardized imaging or implementing management tools, centralized AV console) or changes where a single small change affects the security of your whole business (like a change to internet access or firewall for the business). Don't get caught up in the minutiae up front, with system by system changes...

Answered 09/06/2017 by: Thorvin
Senior White Belt

  • "you have is a culture issue not a technical one". So true!!
1
Firstly I will apologize for giving such a generalized reply.

This question could be as little or as big of an issue depending on what assumptions we make on your/your business's behalf.

My question would be, have you had enough time to understand the business and environment?
- Admin rights on machines - might be the best way to go in your business. Does the business have existing methods of limiting risk to only the local machine whilst protecting servers and network, and is that the acceptable level for them?
- A SOP and standard image might not be the answer. I know many places where very few machines/roles are actually alike, and it's necessary to basically manage a large number individually, or not even bother with images.
- How IT literate are your staff? Do they rely more on policy and training rather than software or physical restrictions on their PC?
- What about your ISP, perhaps firewalling and some sort of security happens externally? Perhaps trial a web content gateway or UTM firewall, and online threats are a big issue?

You're on ITNinja, so I suppose you have at least some management and reporting capability; there must be some other tools/WSUS/AV consoles etc. that can tell you more?
If you have an idea of what tools are at your disposal and understand the business and its users, then surely the priority of issues to address will become a lot clearer to you.


Answered 08/30/2017 by: jandsdk
White Belt

1
Agree with VBScab on the firewall but make sure you get management buy-in vs making changes without input as it would definitely upset users. If they have given you the green light already then yes, start narrowing their access by first documenting what people are accessing, if you have that ability. Then take it to management so you have proof and are looking to narrow user access. Then ask department heads if access to Facebook is required, needed, Pandora...etc. Pointing out security issues with certain sites would aid in your justification.

Laptops with admin rights: that may not be a fight you can win if they need it to access software on their machines or use. If not, then yes, as that would greatly reduce the footprint of getting compromised and infecting other systems.

I would focus on the security side of things first to get that under control. If you can do that, that gives you leverage to get other tools you might need for imaging, system management...etc

It also depends on the company and their willingness to "risk" security for the mighty $$$. 
Answered 06/08/2017 by: nshah
Red Belt