1. User Access Control
Findings: The presence of inactive accounts that should have been closed is a major risk because if such accounts are compromised, no one will notice the abnormality. This often results from a lack of synchronization between HR and IT processes, or forgetting to delete accounts in subsystems.
Risks: Data theft by internal personnel or malicious former employees.
Solutions:
1) Conduct user access reviews every 3 months, 6 months, or 1 year, with supervisors confirming that employees still need to use the system.
2) Integrate HR and IT systems to automatically revoke access when employees leave.
3) Implement the Least Privilege principle (granting only necessary access for work).
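As an added illustration of the access review in solution 1) (this script is not part of the article), the check below reconciles a constructed HR roster against a constructed directory export and flags the enabled accounts an auditor would question: accounts of resigned staff, accounts with no HR record, and accounts idle for longer than the review window. Field names, the 90-day threshold and the sample records are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article). Field names are assumptions.
HR_ROSTER = [
    {"emp_id": "E001", "name": "A. Somchai", "status": "active"},
    {"emp_id": "E002", "name": "B. Nok", "status": "resigned"},
    {"emp_id": "E003", "name": "C. Ploy", "status": "active"},
]
DIRECTORY_ACCOUNTS = [
    {"user": "somchai", "emp_id": "E001", "enabled": True, "last_logon": "2024-05-20"},
    {"user": "nok", "emp_id": "E002", "enabled": True, "last_logon": "2024-01-03"},
    {"user": "ploy", "emp_id": "E003", "enabled": True, "last_logon": "2024-02-01"},
    {"user": "svc_old", "emp_id": None, "enabled": True, "last_logon": "2023-11-15"},
]
SAMPLE_REVIEW_DATE = date(2024, 6, 1)  # constructed "today" for the review


def review_accounts(hr_roster, accounts, today, inactive_days=90):
    """Return findings for a periodic user access review.

    orphaned : enabled accounts whose HR record says the employee resigned
               (the HR/IT synchronization gap described in the finding)
    unmapped : enabled accounts with no HR record at all, e.g. a forgotten
               subsystem or service account
    inactive : enabled accounts with no logon for more than inactive_days
    """
    active_ids = {r["emp_id"] for r in hr_roster if r["status"] == "active"}
    known_ids = {r["emp_id"] for r in hr_roster}
    cutoff = today - timedelta(days=inactive_days)
    findings = {"orphaned": [], "unmapped": [], "inactive": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already closed; nothing to review
        emp = acct["emp_id"]
        if emp is None or emp not in known_ids:
            findings["unmapped"].append(acct["user"])
        elif emp not in active_ids:
            findings["orphaned"].append(acct["user"])
        # An account can be both orphaned/unmapped and inactive.
        if date.fromisoformat(acct["last_logon"]) < cutoff:
            findings["inactive"].append(acct["user"])
    return findings


if __name__ == "__main__":
    result = review_accounts(HR_ROSTER, DIRECTORY_ACCOUNTS, SAMPLE_REVIEW_DATE)
    for category, users in result.items():
        print(f"{category}: {users}")
```

Each flagged account should go to the employee's supervisor for confirmation before it is disabled, which is the quarterly or yearly sign-off the article recommends.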
2. Password Policy
Findings: Using easily guessable passwords or relying solely on single-factor authentication is extremely dangerous today. Employees often use simple passwords like 1234 or the same password as their user ID.
Risks: If a password is short and does not contain special characters, modern computers can crack it within seconds.
Solutions:
1) Enforce Multi-Factor Authentication (e.g., an authenticator app or a hardware token) for external access (VPN) and critical systems.
2) Focus on password length and complexity rather than frequent password changes (following the current NIST password guidelines).
3) Configure the system to lock the account automatically once the number of incorrect password attempts exceeds a set limit (e.g., 3-5 attempts), to stop continuous brute-force password guessing.
3. Backup & Recovery
Findings: Daily backups are performed with auto-backup enabled, but the backup logs are never checked and data restoration is never tested. When a ransomware attack occurs, data recovery turns out to be impossible or the recovered data is too outdated, requiring lengthy re-entry of data the business already had.
Risks: Excessive business downtime in the event of a ransomware attack or system failure.
Solutions:
1) Implement the 3-2-1 Rule: keep three copies of the data, store them on two different media, and keep one copy off-site or in the Cloud.
2) Perform restore tests at least 1-2 times per year and maintain verifiable records.
4. Patch Management
Findings: Windows Server has not been updated for a long time. There’s a fear that an update will cause the system to freeze or old programs to become unusable, so the user has opted not to update for years.
Risks: Hackers can exploit vulnerabilities that have been publicly announced by software manufacturers for a long time (known vulnerabilities).
Solutions:
1) Create an inventory list of all software and hardware.
2) Schedule monthly patch updates, updating patches on test machines 7-14 days before deploying them to production to reduce the risk of system failure.
3) Regularly use vulnerability scanning tools to identify weaknesses.
5. Physical Security
Findings: Even with the most expensive security system, if anyone can access and remove hard drives from the server room due to an unlocked door, left keys, or lack of access logs, everything is compromised.
Risks: Theft and business disruption, whether from intentional acts or from negligence such as tripping over power cords, accidentally pressing the shutdown button, or spilling water on the racks, leading to system downtime that impacts revenue and organizational credibility.
Solutions:
1) Implement a locked server room with authentication systems, such as employee ID cards, fingerprint scanning, or facial recognition, restricting access to only those with essential needs.
2) Install CCTV cameras capable of clearly recording access and maintain access logs to identify who entered and at what time for at least 90 days for retrospective review.
In short: Good IT Security is about “Closed-Protect-Repair-Practice.”
- Closed: Close the accounts of employees who have resigned, immediately.
- Protect: Use MFA and securely lock the server room.
- Repair: Update patches regularly; don’t leave systems unpatched for years.
- Practice: Try restoring the backups to ensure they work.
Ultimately, investing in expensive security systems is meaningless if we neglect these five fundamental security steps. IT audits aren’t about catching mistakes, but about discovering vulnerabilities before malicious actors find them. In the cyber world, a single mistake can lead to massive damage. Regularly checking access rights, updating systems, and practicing emergency response will help businesses move forward securely and stably.
Author: Chadapa Suksamai,
IT Audit – Dharmniti Auditing Co., Ltd.
