Friday, April 7, 2017

Don Rickles (and my childhood)

I am saddened to hear of the passing of Don Rickles.  Don was a frequent comedian in my younger years, appearing many times on the Johnny Carson show as well as roasts of others.  I used to cry if my parents wouldn't allow me to stay up to watch Johnny Carson.

Anyways....  Don Rickles was a dominant force in those years.  He was ruthless in his honest comedy.  I particularly enjoyed his portrayal of deference (comedic but also truthful) to Frank Sinatra.  I'd attended a local concert where Mr. Sinatra sang.  He actually seemed so intrigued by this young boy so entranced by his songs that he gave me a little cheek squeeze.

Mr. Rickles used truth to skewer his targets - but he was successful because his targets knew he loved them.  It was the truth surrounded by love and admiration of his targets that made Don Rickles so funny and successful.  He made us all understand that even the most successful, rich, and powerful had their faults.  

I laugh every time I recall one of his real (but actually planned) skits.  He taught us all a valuable lesson - don't take yourself so seriously.  Someone as brilliant as Mr. Rickles can come along and skewer you.  We all have our faults - focus on your strengths but learn from your faults.  There will always be someone close to you that sees through your facade and can point out your deficiencies.  

Just remember that this is always done with love - Mr. Rickles proved that.

Rest in peace Don.

Saturday, December 12, 2015

What is Phishing?

We have probably heard of Phishing.  Phishing is a very big risk in today's world.  It is imperative that we understand what it is, and how to NOT fall for it.  

Phishing is basically when someone tries to get you to think that they are legitimate, and then tries to get you to do something detrimental to your own or your company's security.  An example of phishing is when you get an email that says it's from FedEx - it says there is a problem with your account and you must log in immediately to fix it.  There is a link in the email - when you click that link it may look like you're going to the FedEx site, but you're not.  You're going to a fake site, and then you put in your username and password.  You're giving your username and password to the hacker.

Another example is when you get a phone call - they say they are from technical support and are calling to help you fix your computer problem.  We've all had computer problems, so this call might be welcome.  The caller often has an Indian accent.  They want you to perform some actions.  When you connect to their website, you are compromised.  Or they convince you to type in your username and password, and then they have your login information.  

I recently connected a landline through my cable provider.  Within 2 days, I received a phishing phone call.  The caller was a female Indian (think Chennai, not teepees...).  She advised that I was having computer issues and said she was calling to help.  Of course I told her I appreciated the call and would cooperate.  She wanted me to open the Run line - she told me to type in iexplore followed by a website address (the address was 121usahelp - dot - com) - IF I had done so, the instant my browser hit their web server I would have been compromised by some sort of malware or rootkit.  OR, once I connected, I would have had to approve their remote access into my computer, and then I would have been compromised.

So instead of actually typing this in, I started asking about the company - WHO was I allowing to connect by typing this in.  She immediately suspected that I was on to her, and she began cussing me!  She called me a "bloody F#$KER" and told me to "F$@K OFF" and then hung up.  Once I stopped laughing, I told my wife that the call was a fake tech support scam, and my wife, the wife of a computer security guy, said "how did you know?"  So I knew right then that I had to publish something to raise the level of awareness.

These people are looking for non-savvy people - people who may really need the help, people who may in fact be having a lot of computer problems.  The first thing to do is:

1. Think - did I request assistance?  
2. Can I verify that this caller is in fact from a company I trust?
3. Will my company ever call me and ask for my password?

When in doubt, don't give them any information, and DON'T connect to them with your computer.  There are several ways they can get you to connect:

1. Browser - if they ask you to open your browser and connect to a website - DON'T!  The instant you hit enter, you may be compromised.
2. Open/Run - if they ask you to go to the Windows button and then type in iexplore followed by a website, DON'T do it.  This is the same thing as opening up your browser and typing in a URL.  It calls the Internet Explorer program with their website address.
3. Giving them your username and password - this is the most obvious phishing attack.  Your employer, Microsoft or any other vendor will NOT ask you to divulge your username and password.  Anyone who does is likely trying to steal your credentials.  No legitimate technical support or service provider needs this.  

Remember, you are likely using the same username and password for multiple accounts, including your bank, credit cards, etc.  Although this is a bad habit, if you at least don't divulge your username and password in these scenarios, you're ok.  If you DO divulge it, you are divulging the login to multiple accounts.

The only reason Phishing is such a lucrative criminal business is that the victims do not suspect that they are being phished.  If everyone would ask the 3 questions above and be very suspicious of any caller or email asking for information, Phishing would be almost impossible to do.  

For those companies wondering how to address the risk of Phishing, there are a few things you can do:

1. Ensure your security awareness program covers the risks of phishing, how to spot it and how to prevent it.
2. Use a tool which checks any links in email and quarantines potential phishing attempts.
3. Use a phishing program - there are vendors out there who can perform phishing attempts on your users.  If users actually click the links in an email they are redirected to a security awareness training link, and you can gather metrics on what percentage of users actually fell for the phishing.
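As an added example (not code from the original post), here is a minimal version of the link check recommended in item 2: it parses the HTML of an email and flags any link whose visible text names one site while the href points to another (the FedEx pattern described earlier), or whose destination is a bare IP address. The brand-to-domain mapping and the sample message are constructed for this example, and the domain comparison is deliberately crude (no public-suffix list).

```python
"""Flag e-mail links whose visible text disagrees with where they really point.

Added example, not code from the original post.  Sample data is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Something that looks like a hostname or URL inside the visible link text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

# Brand word that may appear in link text -> the domain that brand really uses.
# Constructed for this example; a real deployment would carry a fuller list.
TRUSTED_BRANDS = {"fedex": "fedex.com"}


def registrable(host: str) -> str:
    """Crude 'example.com' from 'www.login.example.com'.  Simplification: no
    public-suffix list, so 'example.co.uk' would reduce to 'co.uk'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    """True when the link host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def check_links(html: str, trusted_brands=TRUSTED_BRANDS) -> list:
    """Return (href, visible_text, reason) for each suspicious anchor."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        host = (urlparse(href).hostname or "").lower()
        if not host:                       # mailto:, relative links, etc.
            continue
        if is_ip_literal(host):
            findings.append((href, text, "destination is a bare IP address"))
            continue
        shown = HOST_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append((href, text, "visible URL differs from real destination"))
            continue
        for brand, real_domain in trusted_brands.items():
            if brand in text.lower() and registrable(host) != real_domain:
                findings.append((href, text, f"mentions {brand} but goes to {host}"))
                break
    return findings


# Constructed sample message modelled on the FedEx example in the post.
SAMPLE_EMAIL = """<html><body>
<p>There is a problem with your FedEx account. Please
<a href="http://fedex.com.account-verify.example.net/login">log in at www.fedex.com</a>
immediately. Your shipment: <a href="https://www.fedex.com/tracking">www.fedex.com/tracking</a>.
<a href="http://203.0.113.7/update">Update payment details</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, text, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href} ({reason})")
```

Run against the constructed message it flags the spoofed "www.fedex.com" login link and the bare-IP link, and leaves the genuine tracking link alone.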

Technical controls combined with user security awareness training can greatly limit the effectiveness of phishing.  There will always be ways to compromise our computer systems, but phishing can be prevented through awareness.  If you realize there are people out there looking to take advantage of your lack of awareness, and are always suspicious of any caller or email asking you to do something like divulge your username and password, we can put the Phishers out of business.

Sunday, September 13, 2015

Personal Threat Preparedness

If you're reading this blog, it's likely that you're involved or interested in security.  Security comes in many forms - Information Security, physical security, personal protection, etc.  This article will deal with what we need to do to be safe as we move through our daily lives.  With all the recent violence, it is important that we both understand the risks and have a threat preparedness mindset.

I know our special agents and law enforcement personnel are given some training on assessing threats, but where does that leave the average citizen?  I've searched "the Google" extensively but guidance for the private citizen on assessing and dealing with threats is very limited.  As a former law enforcement officer, hopefully I can share some important tips as we go through our daily lives.

If I go to the grocery store, I expect to go through each aisle, finding the items I need to complete my grocery list.  But how many of us keep an eye out for potential threats?  Do you really believe no active shooters, homicides or assaults happen at the grocery store, mall, theater or other public gathering?

If you are a law enforcement officer, a federal agent or a military operator, you're trained in threat assessment.  But what does that mean?  This article will deal with assessing and dealing with threats for the average citizen.

We are most likely not deployed to a foreign country - kicking down doors and looking for terrorists.  However, we do frequently enter rooms, situations where the unknown and surprise situation may happen.  If we are walking through life unaware of possible dangers, we will certainly miss the advance clues and most probably will be just another statistic.  If we are aware of both the possibilities of danger and the best ways to prepare, we may be able to spot things out of place.  We can develop a habit of identifying possible escape routes, improvised weapons, as well as spotting potential dangers.

So let's say I'm at the grocery store or gas station at 10 PM.  I can, 99.999999% of the time, just get my groceries or gas, oblivious to danger.  But that .00000001% of the time, danger will strike.  That danger will manifest in a robbery in progress, a deranged, suicidal maniac, even a drive-by shooting.  What habits should I develop to ensure that I am as prepared as I can be, without being paranoid?

The best plan is to avoid danger altogether.  The first thing I do is to look through the windows.  Is anything out of place?  Are people acting normally, or are they afraid, stressed, focused on one area?  Think about a scenario with a robbery in progress.  Everyone inside would be afraid and focused on one point - the robber.  Make sure you look first before entering, and if you spot the likelihood of a robbery in progress, don't go in.  DON'T be a hero... call 911.  Give a description, location and direction of travel.  Those are the most critical things law enforcement needs.  Move away from the danger and ensure law enforcement has the most correct and up-to-date information.

Assuming no obvious threat exists, you enter the establishment.  Just because no obvious clue of threat was present doesn't mean a threat isn't there.  As you enter the establishment, do three things:

1. Identify the location and description of all persons
2. Identify all escape routes
3. Identify all potential improvised weapons

When you enter the location, look around.  Note any persons present - note their demeanor.  Are they behaving normally or do they appear to be stressed?  Note the person's gender, approximate age, race, height, weight, hair color...  These things are difficult or impossible to change.  Additional factors to notice will be the clothes they are wearing - the color - any distinguishing marks like hairstyle, tattoos, scars...  Also if they leave the scene in a car, note the car's color, approximate age, make, model and license plate number and State, if you can.

If you walk in a room, take note of any persons present.  Certainly a person with a gun would stand out, but someone overly stressed should catch your attention.  Is the person wearing a heavy coat in the summer?  Do they appear to be under the influence of some substance?  Do they seem to be acting weird?  Mentally gauge each person's state - mental/physical.  Most times, you will assess the threat of each individual and determine that they are not a threat.  It's a quick mental exercise but worth the effort.

Occasionally you will encounter someone who appears out of place - who seems suspicious to you.  Note that person and if there are no further threats, proceed with your business while keeping an eye on that person, as well as #2 and #3 above.  Listen to your instinct - if you have a bad feeling, don't ignore it.  Head for the door and get the bread, milk and eggs tomorrow.  Get to a safe place and call the Police if needed.  Better to be safe and mistake the situation, than to be a victim.

As you enter any room, make sure you are aware of all possible escape routes.  Do they have fire escapes?  Are there exit signs posted?  If danger in any form manifests, can you get yourself and others out?  Or will you simply panic and freeze?

If that suspicious person pulls a gun or starts causing an issue, what will you do?  The purpose of the exercise is to think through all likely scenarios.  The truth is that, in a crisis, you will do whatever you've trained to do - even if that's just thinking through possibilities and at least having a game plan (however unlikely it is that you'll use it.)  If you haven't trained yourself in this way, you will again do exactly what you've trained to do - nothing.  You will panic and freeze.

If a danger arises, you will have already identified escape routes and improvised weapons - move to exit the scene and call 911 with description and direction of travel, identifying marks, etc.  If you find yourself unable to leave or are directly engaged with the danger, you must act quickly and with certainty.

We have heard of several active shooter incidents over the last few years.  The police have targeted training for civilians, especially teachers - the core of this training is "run, hide, fight."  If you realize you're in such a situation, the best thing to do is run.  If you're responsible for your family or students, gather them together and run.  If you find that you cannot run without increasing the danger, or find yourself in a locked room or otherwise unable to get away from the danger, hide.  Hide everyone behind a locked door.  Get on the phone with 911 immediately.  And if the danger comes to you and you are unable to escape, you must fight.

If you cannot run and must hide, you must be prepared to fight should the shooter find you.  If that active shooter comes in the room, obviously intent on mowing down everyone, you have little choice.  Get in a position where you can surprise the shooter - when he comes through the door, ambush him.  If you don't act, you're likely going to be shot anyway.  Grab the gun and point it away from everyone, then shove your fingers in the attacker's eye sockets as hard as you can.  Have a letter opener or scissors - shove that into the attacker with every ounce of strength and bravery you have.  You must mentally prepare yourself and decide that you'd be willing to do this, faced with such a situation.  It isn't a nice thing to think about but if you don't mentally prepare yourself, you will just be a victim.

If we have this mindset and diligence, we will be prepared should an attack occur.  Unless we're deployed to a wartime situation, the likelihood of occurrence is low.  However, the impact of this occurrence is so high that we must prepare ourselves both mentally and physically.

Be safe out there - keep your eyes open.  The most important thing we can do is to always be situationally-aware - be aware of our surroundings and don't walk into a dangerous situation.  Quickly identify and assess each person - note all possible escape routes.  If you find yourself in the midst of danger, run.  If you cannot run, hide.  And if you cannot run or hide, be prepared to identify anything that can help you fight and win.

Our agents of national security are trained to assess and deal with potential threats.  We can utilize this basic set of principles to ensure that we are prepared to spot a threat and, if needed, to properly deal with the threat.  A proper mindset and preparedness may avoid our being just another statistic.  If you have questions or comments, please let me know.

Friday, March 27, 2015

The Umbrella of IT Risk Management

We are getting ready to go out.  We've showered, dressed, and are getting ready to leave.  The forecast indicated a chance of rain.  Should we take that umbrella or not?  What is the likelihood it will rain, and what would the impact be if we get caught without an umbrella in a downpour?  This eventuality may dampen our evening.  This decision is not unlike the decisions we make in Information Technology.

If we work in Information Technology, our job is to design, implement, test, support, upgrade or replace technology in some way.  This technology exists to support the business mission.  But we can get so involved with the execution of our job that we forget a critical fact - the infrastructure we work with is part of the foundation of our business.  Without that foundation, our business could not continue to operate as efficiently - it would not operate as profitably - it would not operate as securely.  Technology brings business some amazing capabilities, but if that foundation is not stable and secure, our business cannot continue to grow and strive toward its mission.  The business must have confidence in its technology foundation.  It does not want to get caught out in the rain.  We are confident in going out, knowing that umbrella is with us in the car.  Businesses must have that same confidence in the IT infrastructure.

IT Risk Management helps to provide the business with that confidence so critical for organizations today.  They must know that the money, time and resources they are investing are being properly managed.  A big part of that management is the management of IT risk.  IT risk management is all about ensuring that we have properly identified all the assets and data within our IT infrastructure.  Once identified, we classify that data in terms of sensitivity and importance to the business - how critical is that asset or data to keep the business going.  Then we assess those assets in order of criticality, against potential threats to the confidentiality, integrity and availability of the assets.

Once we have identified the risks and the severity of those risks, we can document those risks in terms of the likelihood the risks will become a reality, and the impact to the business should those risks be manifested.  This methodology is detailed in NIST Special Publication 800-30 on risk management.  Those two measurements allow the organization to rate the risk in terms of severity - from that rating the organization can derive a cost-benefit from efforts to remediate risks, as well as prioritize risk remediation efforts.  We can get as deep as needed into this process of defining risks - but we don't need to calculate the Annual Loss Expectancy of everything.  We start simply by seeing that many IT processes or functions fall under the umbrella of IT Risk Management.
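As an added example (not from the original post), here is the likelihood-and-impact rating described above carried into a small risk register in Python: each entry gets a qualitative rating, an Annual Loss Expectancy, and a net cost-benefit for its proposed control, and the register is sorted into a remediation order. The scoring rule, the asset names and all figures are constructed assumptions for this example, not values taken from NIST SP 800-30.

```python
"""Rate risks by likelihood and impact, then rank remediations by cost-benefit.

Added example, not from the original post.  The five-level scale follows the
qualitative approach the post attributes to NIST SP 800-30, but the scoring
rule and the sample register below are this example's own assumptions.
"""
from dataclasses import dataclass

LEVELS = ["very low", "low", "moderate", "high", "very high"]


def rate_risk(likelihood: str, impact: str) -> str:
    """Combine two qualitative levels into one overall risk level.

    Assumed rule: add the two level indexes (0..8) and bucket the sum at
    1/3/5/7.  A catastrophic impact therefore never rates below 'moderate'
    however unlikely it is, which is why the tornado entry stays 'moderate'."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)
    return LEVELS[sum(score > threshold for threshold in (1, 3, 5, 7))]


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str       # one of LEVELS
    impact: str           # one of LEVELS
    sle: float            # single loss expectancy: cost of one occurrence
    aro: float            # annualized rate of occurrence before remediation
    aro_after: float      # expected rate once the proposed control is in place
    control_cost: float   # annual cost of that control

    @property
    def rating(self) -> str:
        return rate_risk(self.likelihood, self.impact)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: what this threat is expected to cost per year."""
    return sle * aro


def control_benefit(risk: Risk) -> float:
    """Net annual benefit of remediating: loss avoided minus the control's cost.
    Negative means the control costs more per year than the loss it prevents."""
    avoided = (annual_loss_expectancy(risk.sle, risk.aro)
               - annual_loss_expectancy(risk.sle, risk.aro_after))
    return round(avoided - risk.control_cost, 2)


def prioritize(register):
    """Remediation order: highest qualitative rating first, then best net benefit."""
    return sorted(register,
                  key=lambda r: (-LEVELS.index(r.rating), -control_benefit(r)))


# Constructed sample register; every figure is illustrative, not real data.
REGISTER = [
    Risk("customer database", "unpatched server exploited", "high", "very high",
         sle=500_000, aro=0.5, aro_after=0.05, control_cost=20_000),
    Risk("public web site", "defacement via weak admin password", "very high", "low",
         sle=10_000, aro=2.0, aro_after=0.5, control_cost=5_000),
    Risk("datacenter", "tornado", "very low", "very high",
         sle=2_000_000, aro=0.01, aro_after=0.002, control_cost=100_000),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.rating:9} ALE {annual_loss_expectancy(r.sle, r.aro):>10,.0f} "
              f"net benefit {control_benefit(r):>10,.0f}  {r.asset}: {r.threat}")
```

Note that the tornado entry shows a negative net benefit in pure ALE terms yet still rates 'moderate'; that is the point the post makes about very-low-likelihood, very-high-impact events being judged on impact rather than expected loss alone.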
IT Risk Management is like an umbrella for other IT security activities.  Vulnerability management is under this umbrella.  Vulnerability management allows the organization to identify and manage vulnerabilities - vulnerabilities are weaknesses or potential openings in the defenses protecting the infrastructure.  Those vulnerabilities are risks - the remediation of those vulnerabilities is a risk management activity.  And often the remediation of a vulnerability involves applying an operating system patch to a system.  Therefore patch management is a subset of vulnerability management.

This hierarchical relationship extends into other IT areas.  Configuration management is an important component of risk management.  In configuration management, we are identifying the configurations as they currently are on our devices, then having a process in place to review, approve and monitor those configurations going forward.  If a configuration changes and we aren't aware of that change, this issue directly impacts the integrity of our infrastructure - the configuration is different than it was before.  The business must know what the configurations are, and must be able to trust that this state won't change unless the change is approved.  That change could potentially open up a weakness on that device.  Configuration management allows us to control and monitor those changes, thereby limiting the additional risk due to unapproved changes.

Since the changes to configurations can add risk, we can derive that any IT change can add additional risk to our enterprise.  A modified switch or router configuration can be a security issue.  A website change can bring in vulnerabilities.  The installation of an application on the network can open us up for malware.  If you've been working in IT for any length of time, it is likely you know of situations where a change caused an outage or another security issue.  Change Management is the process of documenting, reviewing and approving all changes to the infrastructure.  Proper change management allows us to vet the requested change to determine if it will add additional risk.  It allows us to make sure the change doesn't increase the possibility that the confidentiality of data can be violated.  It allows us to ensure that the change is documented, so that we maintain the integrity of the network.  And it also allows us to ensure that the change won't cause an unintended downtime (lack of availability) or outage in our infrastructure.

As we can see, configuration management, change management, patch management, and vulnerability management are all under the umbrella of IT risk management.  Other areas under this umbrella are account management, vendor management, incident management, and many other IT general and IT security processes.  When desktop support installs antivirus on a PC, that's managing the risk of malware.  When helpdesk requires user validation for a password reset, that is a risk management activity.  When a developer tests code, he's not only validating functionality and error-free operation, he's also managing risk due to bugs or vulnerabilities.

From this insight, we can start to see that just about everything we do is either a direct risk management activity, or could affect the IT risk within the organization.  As stewards of our business technical infrastructure, we must be able to see this hierarchical relationship and our part in contributing to the overall risk posture of the organization.  We are entrusted with a particular responsibility within the IT function - we must be sure we always keep the effort to minimize risks as a core part of our job, no matter what IT function we do.  This effort, if taken to heart as a critical component of our activity, allows the business to have confidence in the technology platform upon which they can grow the business and continue to strive toward fulfilling the mission of the organization.

Whether you know it or not, you help to hold up that IT risk management umbrella.  Make sure you always have a good grip in understanding your part - your business counts on it to protect itself against the rain.

Wednesday, January 14, 2015

What Condition Are You In?

The military and police are trained to be ready - their jobs inherently put them in circumstances which are dangerous.  But as we constantly see in the news, just going to the gas station can be dangerous today.  I see people all the time with their head in the clouds, their eyes on their smartphone - oblivious to their surroundings.  

A few years back, I knew someone who lived in a very upscale area of town.  His wife went to the gas station to fill up.  She was just filling up her tank - some guy in the next row of pumps came up behind her and shot her in the head.  He then went back in his car and shot himself.  She didn't do anything to him - he was just crazy and woke up that morning determined to die and take someone with him.  

We never know what the dangers are - all we can do is be prepared.  Preparedness isn't paranoia - it is just common sense.  We must know what is going on around us.  If we are at the gas station, we look around and see what everyone else is doing - do they have anything in their hands - are they getting something out of the trunk?  When we go inside the station to buy a soda, before we walk in we look through the windows.  Are the people inside acting normally?  Are the clerks acting normally?  Do they have their hands in the air?  Are people running?  Shouldn't you look before you go walking in, just in case?  Has there ever been a hold-up before?  How do you know there isn't one happening now?

As you're driving down the street, are you aware of the other vehicles around you?  Are the occupants of the vehicles acting normally?  Is there anything up ahead or coming up quickly behind of concern?  At the workplace, are you keeping an ear open for anything out of place?  Would you spot someone acting strange?  Workplace shootings are happening more frequently - have you thought about what you would do if that scenario manifested in your place of work?

As you can see, it is very important to be in a condition of relaxed preparedness and alertness, even as we're going about our mundane activities.  Depending on what neighborhood you're in or what line of work you're in, the risk of an attack or other danger is relatively low - however the impact is very high.  In risk management, we quantify risk in terms of likelihood and impact.  A tornado hitting your datacenter is a very low likelihood, however the impact of that event would be catastrophic.  Therefore companies plan for that contingency by building alternate sites, standing up standby servers and syncing their data to that disaster recovery facility.  The business understands that, even though it is highly unlikely that the event will occur, the impact to the business would be so disastrous that they had better spend the money just in case.

We must think of ours and our family's safety in the same way.  The likelihood that you will walk into a hold-up in progress is very low.  The possibility that someone will invade your home is also pretty unlikely.  However if that should occur and you are not prepared, the risk to you and your family is dire.  It is vital that we understand the risk, and understand what we can do to be better prepared.

The military and police have a set of codes or conditions based on the mindset and level of preparedness.  They are color codes - Condition White is basically when your head is in the clouds - you are oblivious to your surroundings.  This is the condition most people are in all the time - if someone had a gun and began walking in your direction, you would never see them coming.  This is a very dangerous state to be in, however it's the most common mental condition.

Condition Yellow is a state of relaxed preparedness.  In Condition Yellow you are aware of your surroundings - you recognize that danger can arise at any time in any place - although it is highly unlikely, you understand the impact such an event would have.  You watch everyone around you - you know what they are doing, you know what they have in their hands.  You are, almost subconsciously, looking for anything out of place or any activity that is abnormal for the place and time.  If you spot something that looks out of the ordinary, you are already one step ahead.  If that situation appears to be dangerous, you go into Condition Red.

Condition Red is a high suspicion of danger.  You see people in the gas station running - you spot someone pulling what looks like a rifle out of their trunk - you hear what sounded like a gunshot in your workplace or hear people screaming.  You go into a state of high alert - the hair on the back of your neck probably stands up - adrenaline begins pumping.  If unprepared, you will likely freeze and panic.  If prepared, you will do what you've trained yourself to do - picking up the phone to call 911, moving quickly to a safe location, exiting the building, stopping from going into the gas station, etc.  

Condition Black is confirmation of a threat - you see the active shooter in your workplace - you see the driver next to you pointing a gun.  All your training kicks in, or you are left unprepared and act from instinct and fear.  You will either die or you won't.  That depends both on luck and your state of alertness, preparedness and training.  The soldier and the police officer understand this - they have prepared for the worst and have a better chance of surviving.  There are many things we can do as well to be better prepared.

Think about the potential for danger as you go about your day - think about these mental states and conditions.  In future posts, I will go deeper into the things we can do to prepare - things we can do to train for possible threats in terms of your physical security and safety.  We don't have to walk around in a state of paranoia - we can operate in a way that allows us to be aware of our surroundings and potential dangers, and understand the things we can do if we find ourselves in Condition Red or Black.  Stay tuned!

Tuesday, October 21, 2014

Masters Progress

As I (may have) stated, I finished my BSIT at WGU last year.  The program was really awesome - at WGU you are able to "accelerate" - this basically means you don't have to sit through an entire semester and wait to take a final exam.  At WGU your entire course of study is available - you have the syllabus and read at your own pace.  You can take the assessments as soon as you feel you're able.  If you've developed the competence required by the course, you pass the assessments and once complete, the course is done.  If that takes you 6 months, fine.  If it takes you 6 days that's also fine.  With this program I was able to complete 83 credit units in three 6-month terms.  I was also selected to speak at the commencement ceremony.
Yeah that's me...

Don't get me wrong - the courses were tough.  I was just very motivated and pushed most things aside to dedicate at least 25 hours a week to school work.  

So either I'm a glutton for punishment or just an overachiever - I recently enrolled in the WGU Masters of Science in Information Security and Assurance (MSISA).  This is a 2-year program with the option to "accelerate" if you're able.  Since I had flown through the BSIT program, I figured this would be a cake-walk - it's in my area of expertise and I'm highly motivated.

Unfortunately I have come to the realization that the Masters program is MUCH more difficult than the BSIT.  There are 11 courses to complete - each class has at least 3 papers to write.  I'm presently enrolled in 3 courses - Emerging Technology, Cyberlaw and Hacking-something-or-other.  The first course on Emerging Technology required me to write an RFP to a company to develop an information sharing portal across regional offices, do an evaluation of rural Internet connectivity methods, and write up a proposal on virtualizing a small city's IT infrastructure.  Each paper has been 10-15 pages and each submitted paper has been returned for re-writing due to something missing or not fully covering the topic.

"UMM is not an answer!"
My second course is on Cyberlaw - I just finished two papers - one was on developing policy statements for a healthcare organization - one on new users and one on passwords.  The other paper was an analysis of a healthcare breach - determining what policy statements could have prevented the breach.  The final two papers are rewriting an SLA to protect the organization and doing an analysis of fraud at a fake bank.   Writing the papers is not too bad - reading all the legal stuff - court opinions - case studies - this is really dry stuff!  Glad I'm not studying to be a lawyer (I love you Judge Judy!)

I will attempt to write more as I progress through the program, for those who just don't have anything better to do, or for those who are considering attending WGU.  I think WGU is revolutionary in higher education - they offer a challenging program - they are an accredited school - all online - with the ability to accelerate through the program, which saves the student time and tuition costs.  I am so thankful for WGU - if you're as old as I am, you may have dreamed of such a school at some point.  Well I can tell you from experience that WGU is that school.  The student and course mentors are all great - the admissions process is not too bad.  They will turn you away if you don't match the criteria for the program.  If you want more information don't hesitate to reach out to me via the blog or LinkedIn.

As I said in my commencement speech, at WGU not only are you learning the subject matter, you are demonstrating and developing your skills in setting goals, getting things done, multitasking, critical thinking, and self-motivation.  These are all crucial to success at WGU but even more so in the business world.  Any employer wants someone who can demonstrate that, without guidance, you can pick up a large task, organize it and work through to completion.  These are the characteristics of the leaders and executive managers, the positions we are all shooting for as we pursue a Master's Degree.  Of course having a Master's level foundation in all the subjects is also very helpful.

Along the way, I may try to relate my studies to some real world topics, just for entertainment or educational purposes.  It is a good way to take a break from all the reading and writing - or I could just play Angry Birds.... 

Wednesday, September 3, 2014

Guarding the Castle

Our network is our castle - we can never become complacent when trusted to protect our corporate assets, customer data or sensitive information.  All too often, we find ourselves asleep at the wheel, relying on all the security controls and processes we have implemented.  We must have a strong monitoring and auditing function built into our Information Security program.  Heathens are in the woods, watching our every move, waiting for the chance to storm the castle, slipping through a crack or blowing down the main gate, to invade, loot and pillage.

You have passed out administrative credentials to many employees.  How do you know those employees are not deviating from the expected and approved tasks?  This deviation could be malicious, or it could simply be a mistake.  Either way we face many risks when we allow employees to operate as an administrator on any system - we must have some oversight in place to detect and report on anomalous activity.  At a minimum that means every privileged command is logged (sudo logging on Linux, for example), the logs leave the box so the administrator cannot quietly edit them, and someone compares what was actually run against the tasks that were approved.

How do you know your webserver is not under attack, right this very instant?  Webservers are notorious for being a primary target of attack while also being one area where we find the weakest security controls.  What if someone dropped some malicious code on your Linux webserver - a new file in the document root, or a few lines added to an existing one?  How would you know?

I suggest that, along with requirements definition around that latest firewall or antivirus platform, the coolest new email security product or the best-rated web filter, we include security monitoring, some form of configuration change detection, and the ability to capture, consolidate and filter logs from all our devices.  Many ways exist to do this properly.  Instead of just plugging in that shiny new firewall and then going back to sleep, we must remain diligent and on-guard - part of that is proper monitoring, with mechanisms in place to quickly detect potential attacks.

If we utilize a Security Information and Event Management (SIEM) solution, we can employ resources to review these logs, respond to alerts, and have some chance of catching an attack in progress, before it becomes a major emergency.  Those teams should be trained to know exactly what is suspicious and what is just noise.  "Knowing what is suspicious" is not intuition alone - the secops team needs a written baseline of what is normal (which admins run which commands, on which hosts, during which hours) and rules that fire when activity falls outside it, so that anything out of place is raised by the tooling rather than hoping it catches someone's eye while scanning.  
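The "approved tasks versus what the admin actually ran" review described above, as an added example that is not code from the original post: it parses sudo records in the format Linux writes to /var/log/auth.log, checks each root command against a per-admin list of approved task patterns, flags a few commands that are suspicious regardless of approval (root shells, uid 0 accounts, sudoers edits), and notes commands outside a change window.  The log lines, the admin names, the approved patterns and the 07:00-19:00 window are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample records in the sudo format written to /var/log/auth.log.
# These are illustrative, not logs from the post's author or any real host.
SAMPLE_AUTH_LOG = """\
Sep  3 09:14:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Sep  3 09:20:45 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail -n 200 /var/log/nginx/error.log
Sep  3 11:02:13 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get install -y nmap
Sep  3 11:03:40 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Sep  3 11:05:09 web01 sudo:      bob : TTY=pts/1 ; PWD=/var/www ; USER=root ; COMMAND=/usr/bin/useradd -o -u 0 support
Sep  3 23:41:00 web01 sudo:    carol : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

# Fields of one sudo command record: timestamp, host, invoking user, tty, cwd, target user, command.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Hypothetical approved-task list: what each admin is expected to run as root.
# In practice this comes from the role definition or the open change tickets.
APPROVED_TASKS = {
    "alice": [r"^/usr/bin/systemctl (restart|reload|status) nginx$",
              r"^/usr/bin/tail( -n \d+)? /var/log/nginx/\S+$"],
    "bob":   [r"^/usr/bin/apt-get (update|upgrade)( -y)?$"],
    "carol": [r"^/usr/bin/systemctl (restart|reload|status) nginx$"],
}

# Commands worth an alert even if someone has them on an approved list.
ALWAYS_SUSPICIOUS = [
    (r"^(/usr)?/bin/(ba)?sh\b|^(/usr)?/bin/su\b", "interactive root shell"),
    (r"\b(useradd|usermod)\b.*\s-u 0\b", "uid 0 account created or modified"),
    (r"/etc/sudoers", "sudoers modified"),
]


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    cmd: str
    reasons: list


def review_sudo_log(text: str, approved=APPROVED_TASKS,
                    window=(7, 19)) -> list:
    """Return one Finding per root command that deviates from expectations.

    window is the (start_hour, end_hour) range in which approved changes are
    normally performed; commands outside it are reported for a second look.
    """
    findings = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue  # not a sudo command record (auth failures, session open/close, ...)
        user, cmd, ts = m["user"], m["cmd"], m["ts"]
        reasons = []
        if not any(re.search(p, cmd) for p in approved.get(user, [])):
            reasons.append("not an approved task for this admin")
        for pattern, why in ALWAYS_SUSPICIOUS:
            if re.search(pattern, cmd):
                reasons.append(why)
        hour = int(ts[-8:-6])  # HH from the trailing HH:MM:SS
        if not (window[0] <= hour < window[1]):
            reasons.append("outside the change window")
        if reasons:
            findings.append(Finding(ts, m["host"], user, cmd, reasons))
    return findings


if __name__ == "__main__":
    for f in review_sudo_log(SAMPLE_AUTH_LOG):
        print(f"{f.ts} {f.host} {f.user}: {f.cmd}  <- {'; '.join(f.reasons)}")
```

On the sample input alice's two commands are clean, bob's three are reported (an unapproved package install, a root shell, and a uid 0 account), and carol's restart is approved but flagged for running at 23:41.  The same shape of check applies to any privileged-command source, but it only works if the records reach the reviewer from a log host the administrators cannot write to.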

In addition to active monitoring and review of logs, we must capture our configurations, whether that's a web server or a router, and then detect when that configuration has changed.  I've been in companies where they haven't made any updates or checked the configuration for years.  There are mechanisms or scripts you can write that will take a hash of the router configuration or of every file under the web server's /var/www once a day.  The script compares the hashes from one day to the next.  If a hash value changes, something has changed in your config, or something has been modified in your web server.  Two details matter in practice: hash each file rather than the whole directory, so the alert tells you what changed and not merely that something did; and keep the baseline hashes somewhere other than the monitored host, because an attacker who has root on the server can otherwise rewrite the baseline along with the files.  File integrity tools such as AIDE and Tripwire implement this for you, but a short script is enough to start.  

Once we've detected a change, we can inquire as to whether there was an approved change within the last 24 hours.  If there was, and the files that changed are the files the change ticket named, then the alert is simply a confirmation.  If there was no approved change, we must find out if an unapproved change was made, or if we've been compromised.  If the admin just forgot to send in a change control and added a line to the .conf file, then we just remind them of the policy and move on.  If no one knows of any internal change, we must suspect that we've been compromised in some way.  We must now go into Incident Response mode and try to find out what was changed and what that means - preserving a copy of the modified files before anything is cleaned up.  From there, if we were compromised, we can quickly find it, restore the known-good configuration and kick them out of our server or our router.
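The daily hash-and-compare with the 24-hour triage step, as an added example that is not code from the original post: it builds a per-file SHA-256 manifest of a document root, diffs two manifests into added, removed and modified paths, and then decides whether every touched path is covered by an approved change ticket.  The document root, its files and the ticket contents are all constructed in a temporary directory; in real use the baseline manifest and the comparison would live on a separate host.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map every regular file under root (as a POSIX relative path) to its hash.

    Symlinks are skipped so a link pointing outside the web root is not hashed
    as if it were content; a new symlink still shows up as a changed directory
    listing if you also record directory entries, which this example does not.
    """
    root_path = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            manifest[p.relative_to(root_path).as_posix()] = hash_file(p)
    return manifest


@dataclass
class Changes:
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    modified: list = field(default_factory=list)

    def touched(self) -> list:
        return self.added + self.removed + self.modified


def diff_snapshots(baseline: dict, current: dict) -> Changes:
    """Classify every path present in either manifest."""
    c = Changes()
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            c.added.append(path)
        elif path not in current:
            c.removed.append(path)
        elif baseline[path] != current[path]:
            c.modified.append(path)
    return c


def triage(changes: Changes, approved_paths) -> tuple:
    """Apply the 24-hour rule: every changed path must be named by an approved ticket.

    Returns (verdict, unexplained_paths).  approved_paths is the set of paths
    listed in change tickets approved since the last snapshot.
    """
    touched = changes.touched()
    if not touched:
        return ("no change", [])
    unexplained = [p for p in touched if p not in approved_paths]
    if not unexplained:
        return ("confirmed approved change", [])
    return ("unexplained change: start incident response", unexplained)


def run_demo() -> tuple:
    """Constructed scenario: one approved template edit, one file nobody asked for."""
    with tempfile.TemporaryDirectory() as tmp:
        www = Path(tmp)
        (www / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (www / "inc").mkdir()
        (www / "inc" / "header.php").write_text("<?php // header ?>\n")
        baseline = snapshot(tmp)          # yesterday's manifest
        # Approved under a hypothetical ticket that names inc/header.php.
        (www / "inc" / "header.php").write_text("<?php // header v2 ?>\n")
        # Not in any ticket: a file appeared in the document root overnight.
        (www / "uploads.php").write_text("<?php /* not in any change ticket */ ?>\n")
        current = snapshot(tmp)           # today's manifest
    changes = diff_snapshots(baseline, current)
    verdict, unexplained = triage(changes, approved_paths={"inc/header.php"})
    return changes, verdict, unexplained


if __name__ == "__main__":
    changes, verdict, unexplained = run_demo()
    print("added:", changes.added, "modified:", changes.modified, "removed:", changes.removed)
    print(verdict, unexplained)
```

The demo reports inc/header.php as modified and uploads.php as added; the header edit is explained by the ticket, the new file is not, so the verdict is to open an incident rather than close the alert.  Run daily from cron on a host that only has read access to the web root, with the manifests written to that host, and the check survives a compromise of the web server itself.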

Maintaining a secure network isn't rocket science but it does require expertise and diligence.  We must ensure we have the right tools, the right processes, and the right expertise to utilize those tools to the greatest effect.  The Information Security professional needs to understand how a router works, what a config looks like, what goes in the /var/www folder, how a Perl script works.  We must be able to quickly review logs and know what is normal and what is not.  It takes a while to get up to speed on all this; however, your employer trusts that, in giving you the keys to the kingdom, you have all the ports and moats covered properly.