This is not a rant or a complaint. Just some observations based on several frustrating weeks recently.
A few weeks ago the staff member who maintained the sysadmin functions around the church house alongside his primary duties left for a new ministry position elsewhere.
Things like that do occur and best wishes were shared all around.
The week after the staff member left, through a cascading coincidence of events, the church network lost all network connectivity, the church website domain was taken offline, and the in-house Exchange mail service/server appears to have gone belly up.
We actually do (it appears) have a computer and network services committee. Who knew?! And I’ve been working with the staff and committee leadership to try to make some recommendations and help get a handle on things. It seems that’s what I do.
So in the space of a few minutes…I shot off what can best be described as a stream-of-consciousness email with IT/sysadmin recommendations to that leadership last week as they were preparing to meet with a potential IT consultant to help get a handle on things.
Note that the order is just how things came out as I composed it, and it is based on site-specific issues and the (non-technical) audience. This same wall of recommendations definitely wouldn’t apply to all organizations. Likewise, you will need to prioritize the items based on your particular situation.
Here is the main body of that email.
If nothing else, it might help with putting together a technology "roadmap" for the church operations to prioritize and plan out how to cover these items at some point.
In my line of work...if it isn't documented...then it doesn't exist...and cannot be effectively, efficiently, and securely supported. And in IT operations...unknowns are terrifying because the potential impact of an event cannot be measured or mitigated.
- Start with a network mapping survey.
  - come up with a mapping of all your physical connectivity runs and points:
    - start with the incoming cable and what it connects to,
    - the switches and what they connect to and split off, and
    - where each of the switch ports is connected (physical room jacks/etc.).
- Continue with a connected device survey. Move on to document all the:
  - network printers,
  - PCs, laptops, smart devices,
  - WiFi access points,
  - the server(s),
  - physical backup storage units,
  - any network appliances (perimeter firewalls, etc.),
  - routers,
  - switches, etc.
  - Note: the documentation for all items would include:
    - their make/model/serial # information,
    - warranty information,
    - OS versions running, etc.
- Move on to audit/document the account/user levels.
  - what accounts are active on the domain and which ones are not?
  - which accounts have what permissions? Who are administrators and who are standard users?
  - do any accounts need to be disabled?
  - are all accounts appropriate? (do the security/access levels fit the job descriptions/functions?)
- Get a handle on the domain environment.
  - what is the domain structure?
  - does the domain organization/structure make sense?
  - what group policy rules are in effect? Do they make sense?
  - is file/folder access appropriate for the users/guests?
  - how is the domain environment actually administered?
- Audit and understand access and administration of the switches and other network appliances.
  - are the switches "managed" or not? If so, who does it and how? If not, why not?
  - are unused network connections/ports disabled when not in use?
  - what account(s) exist for the switches/router/network perimeter appliances?
  - VPN access and accounts?
  - Wi-Fi accounts?
    - for staff only?
    - member guest accounts?
    - password rotation/aging?
  - what parts of the network could be accessed or seen by a guest on the WiFi network (devices/storage/etc.)?
- Backups and storage; what is being backed up, and at what frequency?
  - are backups being done automatically? To where? Taken/kept off site? Validation that you actually got a good backup!
  - does the backup storage remain attached to the network at all times? If so, what is the risk if a virus or CryptoLocker-style malware strikes? Could it attack and lock up the backup files as well?
  - are the backup routines and recovery methods documented so anyone can perform a safe and controlled restoration in a disaster recovery?
- Applications
  - are all software applications maintained in a "library" setting?
    - copies of media kept centralized and logged for who has what installed, and when?
    - license/registration keys physically printed and stored digitally in a central place?
  - are operating systems kept patched/updated? How?
  - are critical applications kept patched frequently?
  - does the current critical application licensing model fit the needs and operational requirements of the church staff and workers?
- Security
  - what physical controls are in place to restrict access to critical infrastructure? Locks on doors? Access logs to rooms? etc.
  - are all systems running current anti-virus/anti-malware protection software and signature/data files?
  - are server/system log files periodically reviewed?
  - are periodic scans done of the entire network to look for unauthorized/rogue devices? (IP scans/port scans/NMAP/random traffic capture and analysis/etc.)
  - how is PII/HIPAA/financial/etc. information kept restricted and secured from hackers or unauthorized users?
  - is file/whole-disk encryption (BitLocker) used on the server, laptops, desktops? If not, what would be the loss/risk if a staff member's laptop was lost or stolen, or if the church office was broken into and desktop(s) stolen? What information would the thief potentially have access to?
  - are all Windows desktop/laptop systems inoculated against CryptoLocker-type threats? If not, why not?
  - an assessment must be performed to balance the risk of threats against the consequences of damage if security is compromised....not just about inconvenience, but the impact of loss of financial or personal data of members, staff, etc. It would look really bad to have a data leak (hack/breach) of member information out in public.
- Remote access into the network?
  - can staff remotely log into the network? Workstations? Server?
  - how is that remote access managed/audited?
  - risk vs. convenience evaluation?
- Auditing
  - who is responsible for auditing laptops/desktops to ensure compliance standards are met?
  - how are the audits done? What specific checkpoints must be reviewed?
  - are the server(s) audited to ensure group policy or folder access rights have not been changed or compromised, and that they meet security expectations?
  - software license audits? Is software installed and licensed appropriately?
- Church website; aside from the site itself being kept up to date and accessible...
  - is it secure?
  - is it audited to make sure it isn't hosting malware or off-site links to compromised sites?
  - is it accessible and viewable on mobile devices?
  - does it contain items (schedules/forms/downloadable materials) that some members of the church might consider private or personal information?
  - does "meta-data" exist in downloadable files/forms/photos/etc. that could present security or privacy issues? Are all such items reviewed and "scrubbed" before being posted/uploaded?
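For the account/user audit items in the list above, here is an added PowerShell example (not part of the original email) that pulls the active/inactive, stale, and administrator account inventory straight from Active Directory and saves a dated snapshot for the documentation set. It assumes the RSAT ActiveDirectory module, an account with read access to the domain, a 90-day staleness threshold, and an existing C:\ITDocs folder; the privileged-group list is a constructed starting point to adjust for the actual domain.

```powershell
# Added example, not the original post's code: AD account audit for the "account/user levels" step.
# Assumes: RSAT ActiveDirectory module, read access to the domain, C:\ITDocs exists.
Import-Module ActiveDirectory

$staleDays = 90                               # assumption: no logon in 90+ days = candidate to disable
$cutoff    = (Get-Date).AddDays(-$staleDays)

# Constructed list of privileged groups; add any site-specific admin groups here
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Who are the administrators? (-Recursive expands nested group membership)
$admins = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $g; Account = $_.SamAccountName } }
}

# Every account on the domain: enabled or not, last logon, password aging, admin flag, staleness
$users = Get-ADUser -Filter * -Properties Enabled, LastLogonDate, PasswordLastSet,
                                          PasswordNeverExpires, Description |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet,
                  PasswordNeverExpires, Description,
        @{ n = 'IsAdmin'; e = { $admins.Account -contains $_.SamAccountName } },
        @{ n = 'Stale';   e = { $_.Enabled -and
                                ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) } }

# Findings the committee can act on
Write-Host "Enabled accounts with no logon in $staleDays days (review/disable):"
$users | Where-Object Stale | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize

Write-Host "Accounts whose password never expires (check against the aging policy):"
$users | Where-Object PasswordNeverExpires | Select-Object SamAccountName, IsAdmin | Format-Table -AutoSize

Write-Host "Privileged group membership (do these fit the job functions?):"
$admins | Sort-Object Group, Account | Format-Table -AutoSize

# Keep the dated snapshot with the rest of the network documentation
$stamp = Get-Date -Format 'yyyy-MM-dd'
$users  | Export-Csv -NoTypeInformation -Path "C:\ITDocs\AccountAudit-$stamp.csv"
$admins | Export-Csv -NoTypeInformation -Path "C:\ITDocs\AdminGroups-$stamp.csv"
```

Re-run it on a schedule and diff the CSVs against the previous snapshot; that is the cheapest way to catch an account or admin-group change nobody documented.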
Thoughts? Additional recommendations?
Please remember that while this isn’t exactly an “enterprise” operation, if it is large enough to have multiple switches, some servers, WiFi access points, etc., then there should be some sysadmin organization to the operation. And I am well aware that church networks offer no safe haven or sanctuary from all the threats in the “secular” IT space.
Cheers!
--Claus Valca
PS: While I still love Windows Live Writer for a blogging platform, the way it handles only the most basic “outlining” formatting leaves me super-frustrated.
What I did to generate this particular outlined list is to reformat it first in KompoZer Portable then copy and paste the source-code for the content back into WLW.
For the website: I would recommend registering it with Google Webmaster Tools / Bing Webmaster Tools. The nice thing is that they alert you if they find malware on the site.