Skip to main content

Maintain business domain name intact

There is one thing that organizations must do. They have to register their own domain name, make it final, and afterwards be certain that they are managing it on their own. Digital reputation is increasingly becoming one of, if not there already, the criteria to assess how sound a business fundamental is. Really? Imagine if you caused, or a business keep, changing its own domain name. It is more likely that customers will have a hard time finding what they want to know about how to do business with you. There is much more than just learning the how regardless if a strictly or shabbily regulated business and industry is taken into account. And if the domain name has to be changed, don't totally abandon it. Make a redirect to the new domain name you intend to use and keep it that way for years to come. Until such time that every customer has learned about it already, and that the internet including search engines has been pointing and crawling to the new one directly and automaticall

Super privilege accounts, an IT double bind

IT organization must be able to demonstrate that even Windows administrator and Unix root and related super privilege accounts can be controlled. It must be emphasized very strongly that it is inviolable to business to make mistake induced by IT in a surprising manner.

Inadvertent use and access to these accounts can be devastating to business and its reputation to stakeholders.

Meaning all systems are being used by everyone, authorized, without the IT people having to look, tinker and update configuration from time to time. Everything is final in the production systems except for regular software including firmware updates that must be applied, still they must be approved first. Though there are chokepoints (software are released but will require regular update, and stability, if any, is achieved that way only) where a system malfunctions, they are only temporary and can be fixed easily by focusing on an affected account or process. They don’t impact business system or whole IT operations. With monitoring and regular maintenance work 99.999% uptime in all business systems are achievable.

The use of such super privilege accounts must be managed according to IT necessities. It must be approved by the company management or assigned officer-in-charge before it can be used indicating, say, what specific need i.e. application or access to certain resource and why the use of it; where will it be used: which computer or server? If approved and as soon as it is used, even when system monitoring and alert has been provisioned for such activities, anybody who use it must still take note of their login time; and logout time—and any further proof there is if any. It’s better to be sure in everything especially supporting business operations or production systems.

IT team can also exhibit a strong measure along with approved environmental and logical controls and that employees as well as primary stakeholders’ data and documents, especially containing personal and privilege information therein are assured. That relevant mechanisms are in place to protect organizational and enterprise computing systems and information.

And for the customers service's sake, IT personalities should be able to accommodate promptly any request made by anyone who inquire about their IT resource(s), credentials and data. Where they are stored, when they are processed, and how they are managed and secured. It is a good way to show technical facilities to the the stakeholders or colleagues that their own resource is accessible and can be manipulated only by their respective owner. However, this haven’t been a normal activity within IT and mostly not being done due to limitation of allocated IT resource. Worst without an able technical facilities.

Organization can emphasize that IT is for business purposes as they would state in their business conduct and practices. These texts must be visited by IT practitioners and adjust them if senior management overlook it. And be open to their activities and have them understood by everyone or colleagues. Then apply them technically across the enterprise or business systems. Without these, we have the normal IT that loiter with a trigger happy fingers where business people doesn't understand or have no say at all even when their production is being affected, worst business is performing bad.

Say, senior management cannot be bothered form time to time for the super privilege account. Would they rather give it away and cross-fingers that everything will be okay? This is laxity and accident may just be waiting to be unleased.

Super privilege account usage can be monitored but would not prevent deliberate and harmful execution of commands. It can be, however, secured by another layer, say the account better stays with systems and/or security administrators, but it requires an authentication including the so-called M|2FA, voicecall, SMS, push notification, FIDO, Symantec VIP, RSA security key including maybe digital certificates, to get through. Systems, application and data related commands must be approved before they are executed, too, and if a platform has no capability for it then at least it must be stated in a policy and must be known very clearly by concerned technical staff.


Administer with the super privilege accounts once with finality and after that use them only for system maintenance purposes and probably when there is a need to dig a little bit deeper on suspicious activities.

Comments

Popular posts from this blog

Philippine telcos blocking entire SMS text with internet addresses in it

If you are sending SMS texts to your friends, family or colleagues and they contain internet or web address including IP and email addresses, and even a period or dot separating, regardless of, your words and numbers, they are automatically blocked and not going to be received by your waiting recipient. Cooler heads must prevail here especially if an important message is urgently being expected. IP version 6 address is fine. However, an IPv4 including localhost address (given automatically to every computers and network interfaces as their own alone designed for troubleshooting purposes), and your money in the billion figure using dot as separators would be blocked.  If you send "local.business, naman.naman etcetera" or any words that made you use dot in between them, as part of the text, they will be blocked. There are some, that isn't blocked in this category. Like check.iclassed, some.ent, whatever.local etcetera, that is because they do not form any domain name at all

Philippine cyber campaign

Are Philippine institutions being targeted or simply being probed? We don't know for certain. It could be either or both. Whichever comes first? What we can understand, with the success of such attacks, is that they have found their way. Really.   How hard or easy? The attacker knows, but probably, also, those being attacked. Inclination should be there no matter how sophisticated our security systems are. In cybersecurity, we do a very focused job. Making sure we disappoint whoever is trying to gain access to any resource without permission and authority regardless of the environment we are in. What happened is that every asset deemed to have every variant of resource built-in, operating, that makes up the entire system working whatever it is trying to employ, in that case the primary purpose. Meaning, we have to know if we are running our system in a manner that is really secure, provisioned properly during design stage and managed continuously afterwards, post-implementation. No

iclassed privacy policy, unbelievable at first sight

Those who, before engaging us and was reading our business conduct, alerts and notices , could not restrain themselves asking, "can you really do your job without keeping any data at all? At the end of the day, you should still be looking at those information and make sure you did, and will, do well. I am expecting a lot from you here, you said so yourself!" Now, that last sentence is so loud. We keep them, not in our premises, but yours. If you've been our clients, you'll know how persistent we are when it comes to the reliability and security of your systems, data and credentials. That's our responsibility, as is made popular by cloud computing, and we don't need to be in a cloud.