Naturally Secure Windows Machine

How to utilize native Windows security features to get beyond all the tools in the market?!

Most of the time, ‘extra tools’ just do things in a different way, perhaps a more convenient one, but not necessarily a better, more effective, cheaper or faster one, and Windows is no exception. Speaking of Windows security features, all the features we need are already part of the operating system, either included from the start or provided later by Microsoft. There are exceptions, but only when we are looking for a totally different structure, a very unique and extraordinary situation where what we want lies beyond the native Windows features and capabilities, so we have to add something to the kernel or extend the API.

Windows Firewall and the power of micro-segmentation, EFS and the power of Windows native file-level encryption, basic access supervision through powerful kernel-native controls, Windows event monitoring and Sysmon, Group Policy and its world of unlimited capabilities, PowerShell and its unexpected security administration possibilities… these and many more underused Windows features are already there; you just need to utilize them before thinking of buying a new tool!

In the following articles I will explain how to unleash Windows native security features before shopping for a tool. Even though tools might be free, why add anything to Windows when it already comes packed with most of the necessities? Let’s go through the basics briefly:

Windows Firewall provides all you need as the cheapest and fastest host-based firewall for Windows. It does not matter whether the target machine is part of a corporate network, a small office or a home computer. Most importantly, it is very easy to use it as part of your micro-segmentation, reach effective filtering and totally eliminate lateral propagation of malware in a large-scale network. But if you ask me why administrators ignore Windows Firewall, I have no explanation other than admitting that the beauty of third-party firewalls totally blinds them!

Encrypting File System (EFS) is a powerful file encryption feature which, surprisingly, has been ignored by the new generation of IT administrators. Perhaps ‘encryption’ is scary enough for most IT staff that they decide to rely on colorful third-party tools instead, but I will show you later how to use EFS as an integral part of your ACLs and take your access supervision to the next level!

We will deep dive into one of the most effective monitoring extensions of Windows, Sysmon, and see how a couple of extra megabytes can change the scope of the Windows event audit trail. Needless to say, the Windows event log is a quiet source of intelligence that all those shiny system and network monitoring tools rely on, and if we add a little bit of AI to it, a free SIEM could evolve from it!

The point is, Windows has enough native tools to touch almost anything you want in terms of security, and for some hidden tiny tweaks we can always go into the Registry. At the very least we won’t have to worry about the extra security vulnerabilities that come with introducing new tools to the environment, so why not get more familiar with the operating system and get maximum benefit from its native security features and capabilities? Then, if some day you have a very specific requirement which Windows cannot fulfil, you could consider third-party tools or even switching to a whole new operating system!

Security Program: How To Thrive?

From struggling or hardly surviving, to a fully supervised and manageable security program…

Most companies struggle with running a smooth security program. No matter how much they spend on it, the difference is really not that big. From zero budget to million-dollar security budgets, they still do not have enough trust in their security program. Regardless of how much they spend on security initiatives, they never really have confidence and do not expect to see a positive and reliable result from their investment.

Adversaries find new ways to hurt online businesses every single minute, while tech gurus create “solutions” to address today’s challenges months, years and sometimes decades after the fact!

We are simply trying to survive in cyberspace, but what could we do better to thrive, to be in a stronger position where security is not a hassle anymore, and where it need not be the heart of the matter either? Let’s look at some practical countermeasures:

* stick to a management system

For a moment forget about technology and tools and get back to basics. A management system can fully cover whatever you need in terms of handling processes, so you need not worry about the base of your operation. You can reinvent the wheel, or you can choose from thousands of management systems, but first ask experts which system fits your needs, or bring a professional on board to implement a system fully customized to your workflow from scratch. Believe me, without a management system of any kind or approach, you will still be at the first step after years of spending your precious time, and that is the “surviving” approach.

* set objectives

Any project has a set of goals which are measurable and achievable. Objectives are not things like “having a more secure network” or “setting up RDP filtering on firewalls”; they are more like “reducing the current number of entry points to the network” or “assessing current remote protocol insecurities”.

Objectives help you better understand what you are trying to get from your management system, and where resources have to be focused. This topic is also related to the risk approach, which I think is the fundamental background of the management system.

* constantly measure

These are checkpoints where you can tell precisely, and with evidence, whether you are on track. The more you measure and automate the process, the closer you get to a proactive system and the faster you accomplish each of the objectives. Through measurement you can tell whether the direction is right or wrong, and what is right or wrong.

* plan for corrective and preventive actions

With each measurement you need to define corrective actions if the result is not as expected or the pace is slow, and the plan to enforce these corrective actions is the key to a smooth security program; otherwise you will be struggling with past actions while new ones arrive.

* be responsive to facts not fictions

The computer security industry is full of fictions, and we mostly spend time and money on things which are either not important or can be tackled at the root, so let me give you an example:

Taking Advil when you catch the flu is just a painkiller, only for passing the time without suffering from flu symptoms, just to survive, because we do not know how to handle the flu virus in the 21st century (or maybe we know but we don’t want to disclose it?!), and that is similar to running a virus scan on your network when you get a virus infection!

Cyber security facts have not changed since the beginning of this subject in human history, so once you know the facts you see how easy it is to address them without Advil!

Complexity: The Hidden Monster behind Insecurity

No doubt companies struggle with information security these days. Today they spend hundreds of thousands of dollars, some millions; tomorrow they realize they have done nothing! Security folks do not get a peaceful night’s sleep, because they know what they have done during the day could easily be compromised!

Regardless of why we spend money while we are not certain or confident of the expected outcome, why are solutions getting more and more useless and ineffective? The answer is the hidden monster behind all insecurities within information technology: the complexity beast!

Complex systems introduce complex workflows which are prone to serious security flaws!

Complicated systems (which are also prone to insufficiency) introduce complex workflows and a model which is naturally prone to more flaws, the result of a larger attack surface and more attack vectors with combined magnitude, and even unexpected, newly evolved ways of attack. This is not fiction, this is the dynamic of today’s cyber security trend. You hire, you purchase, you train, you consult… you do your best and still you are not confident, because your neighbor company just had a breach, and you will be even more scared if you have proper visibility and see how malicious actors are already in-house!

Tradition has already delivered its message with a proven outcome, although the market hesitates to listen, let alone to follow!

Fancy systems are more attractive to adversaries as well, and there is a reason behind it: they know the chance of finding a flaw is exponentially higher in a fancy, colorful IT infrastructure than in a clunky system. The worst part is that customers of that fancy information system do not necessarily get better services or goods (products), even though they pay more for it; they are also likely to lose more due to a complex system at the back-end, but that is another story with its own sad ending.

Complex software and hardware build complex systems

Complex systems are built around complex software, hardware and, literally, a complex IT setup where a given goal is accomplished through a complicated workflow, and this is either the result of poor design or just of excess resource assignment where it is not needed at all. There are millions of examples if you look around, or better, start with your own business or the department you are managing:

  • Do you think all businesses need Windows platform to run applications?
  • Do you think you use even 20% of Outlook features and capabilities?
  • Do you think most website owners need PHP vs simple HTML?
  • Have you ever walked into your company server room and asked your IT guy why things are set up like that?
  • Have you ever tried simpler software vs the one with more features?
  • Have you ever shopped based on what you need vs what has higher score reviews?

Those are just goofy questions to fire up the real flame inside you which makes you ask yourself: should I really trust the people that are running my IT infrastructure completely, or could I use my common sense and just question why I need these complex systems? What workflow does my business really need, and then what simple system is out there to support my workflow, regardless of what the market is pushing me to buy?

A complex system setup puts us in more trouble when we start securing it with the same complicated mindset, and that’s where we could end up having more insecurities after spending on and relying on sophisticated security solutions. Experience has shown and proven that the simplest way to address security is designing and implementing a simple system; a straightforward workflow is naturally secure, or easier to secure with even free or cheap security solutions which are easier to maintain, manage and run, so the outcome is more secure, cheaper, more reliable and more efficient.

Tips To Buy And Implement SIEM Solution

Use the following checklist to make sure you are on the right track to choose your first or next SIEM solution. The whole process takes 1-4 weeks depending on your dedication and vendor availability. Remember, the worst thing is rushing through these steps:

  • Write a plan

Write down all the steps you anticipate and maintain documentation and progress notes during all stages. Put down rough deadlines and start communicating with stakeholders.

  • Justify the need

This will help you have a better understanding of the criteria later, but generally I would recommend this for any type of information security project. This step will assure you are not going to have a SIEM just because it’s out there, or even just because you have some spare money and other resources to spend.

Ask yourself, your IT team, and even the manager who assigned you the task: why do we need a SIEM? What type of problem is it going to resolve? What will our world look like after the SIEM? Is this for the sake of compliance, customer expectation, market urge, or as an enhancement to the visibility of your environment?

  • Scope

Scoping gives you more understanding of the environment. Specifically with a concept like SIEM, the moment you start thinking about scope, you realize how far behind you might be in the preparation of your environment.

  • Budget based on Risk

Budgeting based on your pocket is like overeating on purpose when you know it’s bad for you. Budgeting without risk consideration will neutralize all the other steps. I consider this step so fundamental that ignoring it shows there is no understanding of the whole subject of information security within an organization.

A simple risk assessment can give you the right budget, but unfortunately that assessment most of the time does not exist, so you have to create something from scratch just to support SIEM budgeting. We need to assess the risk of not having enough visibility and detection in certain areas of IT operation and evaluate the risk factors. Once you start this process you will realize how naive most SIEM solutions in the market right now are, designed with a narrow vision.

  • Define criteria

During the previous steps you should be able to compile a criteria list. The more precise the criteria, the easier it is to choose vendors initially. Without criteria there is no point in even browsing a vendor website. With criteria in hand, you can easily check them off in the next step.

You should compile a list of things like: the primary objective (compliance, risk or threat management); architectural questions like managed or self-hosted, on-premises or cloud; interface and performance; type of log and data collection; integration considerations; correlation capabilities; intelligence feeds; and what about remediation and response…

  • Identify targeted platforms

First you need to list SIEM vendors; there are tons of them out there, and don’t think that a good SIEM is a matter of how long a company has been doing this or how well the brand is known. This could be part of your criteria, because vendor reputation is somehow a big factor, but do not confuse it with brand; not all known brands are necessarily better. Research and learn from vendors: read all the white papers they provide, and if they are not willing to share via their website it is not a good sign, but don’t be discouraged, go for a meetup. Here is a starting list of vendors/solutions:

AlienVault, Cygilant, EventTracker, HP, IBM, LogRhythm, McAfee, NetIQ, Proficio, Rapid7, RSA, Solarwinds, Stratozen, Splunk…

…remember, all are good and all are bad; it depends on your criteria.

  • Meetup with vendor

Nothing is better than a short call; if you get the signal, go for a video presentation and have them demo. Never direct the vendor: let them manage the meeting and content, listen to their questions and start your evaluation from the first call. Most vendors do not reveal anything alerting over email or regular phone calls, so insist on having a demo and meeting their technical team. Ask about your criteria, but in the meantime listen to what they reveal and how. Based on your situation you may be more focused on how they execute, or on how they help you set up and run on-premises.

  • Launch trials

Trials are the best time and tool for evaluation; they are also a sign of how comfortable and confident a vendor is. I personally would not even consider a solution if they are not willing to give me a chance to try it. Trials are not just for finding glitches; they are mainly to refine your criteria and turn expectations into real-world scenarios. Always let a vendor know if you go for a different one; you never know when you will call them next time, so be professional and respect marketing manners.

  • Evaluate

Now it is time to evaluate. Materials, meetings and trials: most of the time you get the answer within the first 3-4 days of a trial. Justify it if you need to compromise on any predefined criteria, and never hesitate to redefine and refine new ones, but never forget the justification. You sometimes have to re-assess a risk if you need to revise your criteria.

  • Prepare environment

Jumping into implementation without preparing your environment is not a good idea. Now it is time to go through all the details and technical requirements which you should have planned for during scoping. Prepare VMs, cloud apps and the smallest things like SNMP and Windows Event Forwarding; this is the time for your technical team to show off. You should not have any problem if scoping was rational, but most companies have multiple issues at this stage because of a lack of scoping early on.

  • Implement

Meet the deadline and kick off; this is going to be a big milestone for your IT security operation.

  • Tune

Noise is the nature of SIEM, so consider tuning based on the size of the company and/or the scope of the system. This should be part of your baselining process anyway (if you have one); without proper baselines your team will be confused and stressed for a longer time.

  • Leverage

What happens after this is what you should have seen and anticipated during your planning phase. Whether your team is going to tackle other tasks by adding SIEM, or it is going to be independent, or… all depends on your plan. Never accept something from a solution/vendor as a ‘want’ or nice to have, unless there is an actual ‘need’ for it.

Stay tuned for an explanation of a fully native, free SIEM (security information and event management system), a solution for 80% of environments!

Commitment: The Sole Reason Behind Hackers Supremacy

The mechanics and dynamics of hacking are blurry to the typical IT guru…

  • Are hackers ahead of the entire IT security industry?
  • Why did the balance between the two parties shift so long ago?
  • What made such a big gap when there was no huge difference in the 90’s?

It’s a false hope to believe that the sunny side of cyberspace is controlling the cyber-planet! Malicious hackers are way ahead, and that’s why we spend so much time on safety rather than focusing on the legitimate needs of cyber-society!

Many factors are involved in hackers’ supremacy: knowledge (original or fake), intelligence, teamwork with a genuine sense of community, nature of operation, goal and its outcome (destructive or constructive), originality of source code… but I have noticed there is only one factor that matters most, something that took the hacker community to a totally different level of control and changed the balance between Jedi and Sith forever: Commitment! Hackers are simply more committed to doing their job!

We send our top IT talents to learn hands-on hacking techniques, encourage IT administration to deep dive into the dark web, and all company crew to learn security essentials, and still it takes one man to bring the entire company technology infrastructure to its knees, all because the mechanics and dynamics of hacking are blurry to the typical IT guru. Here is an analogy to the human body: consuming more and more vitamins and hoping to have healthier cells physiologically, while the body is creating cancerous cells. That is ignoring the root cause and going after fixing the issue without considering the symptoms! But the result would be misleading, because even with cancer, vitamin C still has a positive effect on the patient!

Focusing on defining more complex firewall rules, versus not setting up vulnerable nodes with a default insecure configuration!

Software, every piece of code, is the foundation of any modern computerized system (basic, huh?) and that’s where we have the problem: creating vulnerable code in the first place, and that’s where “Commitment” comes into the equation. The software community wants to release, in a rush, with limited to zero knowledge of security, dealing with very high-level and complex APIs, no tests, an immature or illogical software development process, no code review… but hackers are committed to reviewing developers’ code for them, and they find those cancerous cells inside the body of the software!

Even worse, while hackers are committed to finding and exploiting those software flaws, developers are committed to releasing newer versions with more focus on functionality rather than fixing the foundation. No doubt it is tedious and sometimes impossible, because if the flaw is within the design there is no time for the developer to step back and fix something natively insecure, to the point that sometimes developers prefer to completely leave the insecure code behind and go for a brand new baby codebase, where they fall into the same illogical development process, or they may even reuse some boilerplate code from previous practice (more likely insecure artifacts).

Focusing on setting up numerous security tools in an environment, versus stopping adding insecure nodes to the same environment!

Code review is the best way to get ahead of hackers, and of course it is software developers’ mission to build a culture around the practice and popularize it at the earliest stage of coding; as for IT administration, they need to fully understand the mechanics of the software they are using. Remember that today’s IT crew are more like software operators, so it is reasonable to have operators fully aware of the machine they are driving.

Five signs IT is overwhelmed with operations

There are signs before your IT department faces a disaster or, worse, jeopardizes your business by affecting tech operations in different departments. These are signs of an overwhelmed IT, so let’s take a look at common signs and symptoms:

1) Lack of resources
Whenever your IT staff are always talking about lack of resources, be aware that lack of resourcefulness is the main cause. IT is supposed to create and generate virtual resources, right? We do not use a shovel and our muscles to search within a haystack of zeros and ones; IT does not touch 0s and 1s anymore. IT creates or simply buys solutions, so what is this lack of resources concept? IT talks about lack of resources because they are overwhelmed with time and resource management; that’s a sign of being unfamiliar with tools and techniques, so they get frustrated, and that’s not good for your business operations.

2) Tool oriented
Tools are good, but tool obsession and jumping from one tool to another is a sign of an overwhelmed IT. Of course IT uses tools with almost every piece of tech operation, and regardless of how they ignore natively accessible tools and always ask for more and more commercial tools, the fact that they jump from one solution to another without fully understanding it, or even shop with no clue in the first place, is totally a sign of a disorganized IT, which finally ends up overwhelmed and frustrated.

3) Deadlines
No deadline is met; no surprise? You are not alone, but imagine the most logical, supposedly organized people in a company becoming the most unreliable people in terms of meeting deadlines and project management. Regardless of the reason, which is IT’s typical helplessness at time management, not being able to meet multiple, sometimes any, deadlines is a sign of being overwhelmed by subjects which are either unknown to IT or just out of the scope of their expertise. So what happens is that they push and push and push to the moment that you are overwhelmed and give up.

4) Fading real IT mission
This has been a global issue within almost all non-tech companies’ IT departments. IT’s main mission is supposed to be supporting the business, and for that reason IT needs to understand business needs and flow, but they ignore this and the main mission simply fades away from the list of to-dos.
You could eliminate all these overwhelming factors from IT operations with very simple techniques which I am going to explain later in a different article.

Five Reasons to Start Your SIEM Initiative Today

Regardless of how SIEM in today’s cybersecurity marketing campaigns is driven mainly by compliance, which solution is the best, and whether it should be managed or on-premises, Security Information and Event Management is conceptually accepted among security professionals, so here are my top reasons to consider SIEM implementation as one of your cybersecurity initiatives:

  1. Another tool for Management
    It seems obvious, but not many realize SIEM is a management tool in the first place. It means it does not have, and does not need to have, active or proactive capabilities. All it has to be capable of is delivering the right security information from the right security event to management, not even necessarily security management.
  2. It is all about visibility
    Remember, SIEM itself does not provide visibility, but it is a technique to take “Visibility” to a different level. So if you already have visibility over your network and systems, then SIEM is like an interface to enhance the way you see events, not really something that reveals more facts about the security of your systems.
  3. Correlation is heart of the matter
    The main purpose behind a functional SIEM is the ability to correlate events; otherwise the main purpose is ignored, either by the solution designer or by you. Anyone running a security program knows that in the real world there is no meaning behind a single security event unless it is correlated and overlapped with other events, and for that matter, SIEM is where you should be able to harmonize your flow of security information; needless to say, it is the job of the SIEM solution provider to make sure the system is capable of directing you.
  4. Combining older systems
    Not all users of SIEM are genuinely looking for this management system just because of its native features. One of the main drivers to upgrade to SIEM has been the presence of older SIM and SEM systems. So whether you are forced to, or just want to combine two management systems, SIEM is the most popular way of integrating SIM and SEM.
  5. Intrusion comprehension
    This is totally different from intrusion detection, response or correlation capability; it is about the origin of an incident, the level of intelligence behind root causes and the indirect role of systems in shaping the final tangible incident. This is absolutely one of the hidden benefits of a well-designed SIEM within a well-managed security operation.
    There are other benefits like auditing, policy enforcement validation, security certification… which could potentially be addressed, depending on how you are going to execute your SIEM. But remember, the main essence of your SIEM is in the details of operation, and none of the benefits would come out of the box with any solution in the market.

Privacy: Does Cyberspace Leave Any For Us?!

What does ‘Privacy’ exactly mean to you, and is there anything left for us in cyberspace?

Doesn’t ‘Privacy’ mean anything to you? Actually, you are lucky if you are young enough to accept that cyberspace is an integral part of our living (perhaps you might even believe it is the main part of living!), but imagine one day you wake up and you are part of cyberspace with the old definition of “Privacy”; then you would be shocked and even paranoid about the private aspects of your life. I bet you already are!

Privacy does not have the same definition or expectations as 50 years ago, or even 10 years ago. That type of privacy does not exist within the boundary of the Net; it simply does not apply to cyberspace anymore, and the main driver for that is the way internet applications are set up and utilized, which forces us to forget about privacy, otherwise we won’t get the expected experience of the Net applications.

Today’s privacy means adversaries shouldn’t be able to get into your private life; otherwise, all Net application providers have, and are supposed to have, access to the most private parts of your life. They require you to disclose as much as possible, or either you would be denied completely or you won’t get particular key services of an online application. Note that you cannot necessarily blame the software in this case, as applications are where the limitation to privacy natively appears. An example is any web software which takes care of filing your taxes, or your credit score… the application requires you to disclose ALL information to the software; otherwise there is no value in the application when any piece is missing, so you have to trust it and maximize disclosure.

How are you going to talk about privacy when they know you better than yourself!

Privacy is simply collective and relative; there is no absolute, unless you decide not to have any online presence, which is impossible because at least your bank knows about you and their systems are online. Privacy is collective but not selective, meaning some people know you better than yourself and some SHOULD NOT (which doesn’t mean that they DO NOT!), but you cannot select who is doing what with your data out there, unless you are totally departed and detached from society!

Privacy nowadays is the state of being worried only about adversaries, hackers and criminals, but not concerned about what application providers do with our information. Remember, even with regulation like GDPR, we ‘may’ be able to reduce the exposure of our data, but we will never be able to erase information about ourselves; we can perhaps ask a data processor to forget our data inside a database (assuming the data never got into the hands of bad guys), but we cannot ask them to forget the intelligence behind our data.

An example is when the intelligence of how you shop and what you shop for is created within the “cloudy sky of numerous Net applications”, no matter whether you personally delete every single record of your shopping transactions within a website. So relax and change your definition of privacy; you also may want to totally ignore VPNs and anonymous web browsing, and I will explain later why you usually do not need them.

Vulnerability Management Elements

Precise vulnerability management is one of the keys to an agile security program.

Among non-technical but crucial elements like the methodology, system and workflow behind your VM, there are some technical aspects which can totally change the outcome of VM. These easily turn your VM into a reliable management system.

Being able to dynamically connect and correlate data across different parts of a vulnerability management interface is crucial.

Interface!

Colorful interfaces for vulnerability management solutions are getting more and more common nowadays. Interfaces could simply distract us from the main purpose of vulnerability management, or they could force their potentially lame “understanding of a standard VM process” on us and replace our very customized approach. But regardless of their positive or negative impact on the process, they are the main element of a VM solution.

Penetration testers or operators of these VM tools rely solely on what is provided via the user interface, and seeing what is happening in the back-end is either impossible or very limited. This is so different from the first generation of vulnerability management solutions, where the operator was certainly the one who set the system up and configured it, and due to the tools and techniques of the time, s/he had to know exactly what was happening in the back-end, as there was no colorful front-end.

What we need to have in a VM interface and how it has to be linked to all aspects of the system are different stories, but for now just remember that the interface to a VM is not like a normal user interface. If you cannot dynamically connect and correlate the data there, then it is useless. Perhaps the next generation will have more AI involved, but as of today you need to be able to change objects and their correlation, and be able to see what is happening behind the scenes. Otherwise you are better off sticking with a fully manual VM system.

Scoring

Everything is about scoring, aka ranking. It is considered a ‘blind’ assessment if you do not rank based on an agreed scoring system. But that does not mean CVSS is the solution.

The Common Vulnerability Scoring System, or CVSS, has been playing the role of a de facto standard for ranking security vulnerabilities, and version 3.0 is significantly better, but still far from a reasonable scoring methodology.

In practice, vulnerability assessment has to be done with very specific considerations of the target system. This includes the software slash client application, operating system, user privileges, network protocols and services… and dozen of other factors which all together affect the way a system can be exploited with presence of that specific vulnerability.

A CVSS score 10 might be ranked so low or even not needed to deploy! And a CVSS score 2 might be a patch or mitigation your need to deploy right away! It all depends on the description of the vulnerabilities, attack vectors, details of exploit… you need to read and research about a vulnerability in depth before giving it a score. You could utilize CVSS in your own scoring system, but you should never rely solely on CVSS. There are practical ways to assess each individual vulnerability.

Mitigation

This is the hardest part, and the solutions in the current market are either not capable of handling this phase of VM for you, or so expensive as to be unaffordable. Most VM tools cannot even roll out a patch, run a follow-up scan and reliably validate the result, let alone take care of the workarounds and countermeasures, which require intensive scripting and cross-platform APIs.

The whole purpose of VM is to mitigate weaknesses, so if you focus on this phase you will quickly find your organization running a very smooth system.

Developing an organic scoring system and documenting its logic leads to smart, meaningful scoring.

In other words, assess vulnerabilities according to the specific situation and the details of the exploitation method. A single vulnerability might not apply to all layers of an organization, or even to all similar machines. Develop an organic scoring system and document the logic, so you will have solid justification for similar vulnerabilities in the future. It takes no more than a few months to develop a smart, meaningful assessment and scoring system.
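The scoring approach described in the Scoring section and again just above (start from the published CVSS base score, then adjust for applicability, exposure, exploit availability, asset criticality and existing countermeasures, and record the reasoning) can be made concrete. The following is an added example written for this article, not a tool or code from the original page; the weights, the field names and the constructed hosts and findings are assumptions chosen to illustrate the method, not a published standard.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    internet_exposed: bool
    criticality: str                                  # "low" | "medium" | "high"
    components: set = field(default_factory=set)      # software actually installed
    controls: set = field(default_factory=set)        # countermeasures deployed on it


@dataclass
class Finding:
    ident: str                                        # scanner / advisory identifier
    cvss_base: float                                  # published base score, 0.0-10.0
    component: str                                    # software the flaw lives in
    attack_vector: str                                # "network" | "adjacent" | "local" | "physical"
    exploit_public: bool                              # working exploit circulating?
    neutralised_by: set = field(default_factory=set)  # controls that block the vector


@dataclass
class Priority:
    score: float
    action: str
    reasons: list                                     # the documented logic behind the score


# Weights are assumptions for this example; tune them to your environment and keep
# the table under version control so every past decision stays justifiable.
ADJUST = {
    "exploit_public": +2.0,
    "network_exposed": +2.0,
    "network_not_exposed": -3.0,
    "high_criticality": +1.0,
    "low_criticality": -1.0,
}


def prioritise(f: Finding, a: Asset) -> Priority:
    """Turn a generic CVSS base score into a priority for one specific asset."""
    # Applicability first: a perfect 10 for software you do not run is noise.
    if f.component not in a.components:
        return Priority(0.0, "not applicable",
                        [f"{f.component} is not installed on {a.name}"])

    # A countermeasure already deployed (e.g. a host firewall rule on the vulnerable
    # port) changes the question from "patch now" to "verify the control holds".
    blocked = f.neutralised_by & a.controls
    if blocked:
        return Priority(1.0, "monitor",
                        [f"vector blocked by existing control(s) {sorted(blocked)}"])

    score, reasons = f.cvss_base, [f"CVSS base {f.cvss_base}"]

    if f.attack_vector == "network":
        key = "network_exposed" if a.internet_exposed else "network_not_exposed"
        score += ADJUST[key]
        reasons.append(f"{key.replace('_', ' ')} ({ADJUST[key]:+})")

    if f.exploit_public:
        score += ADJUST["exploit_public"]
        reasons.append(f"public exploit available ({ADJUST['exploit_public']:+})")

    if a.criticality in ("high", "low"):
        key = f"{a.criticality}_criticality"
        score += ADJUST[key]
        reasons.append(f"asset criticality {a.criticality} ({ADJUST[key]:+})")

    score = max(0.0, min(10.0, round(score, 1)))
    action = ("patch now" if score >= 8.0 else
              "patch this cycle" if score >= 5.0 else
              "schedule")
    return Priority(score, action, reasons)


def triage(findings, assets):
    """Score every finding against every asset; return the worklist, most urgent first."""
    rows = [(a.name, f.ident, prioritise(f, a)) for a in assets for f in findings]
    return sorted(rows, key=lambda r: r[2].score, reverse=True)


# Constructed sample inventory and findings (not real hosts or advisories).
DMZ_WEB = Asset("dmz-web-01", internet_exposed=True, criticality="high",
                components={"iis", "openssl"}, controls={"wfw-inbound-allowlist"})
LAB_BOX = Asset("lab-test-07", internet_exposed=False, criticality="low",
                components={"smb", "openssl"}, controls={"wfw-block-445"})

FINDINGS = [
    # Critical on paper, but the vulnerable service is simply not on the DMZ host.
    Finding("finding-1", 10.0, "smb", "network", exploit_public=True),
    # Critical SMB bug whose vector the lab box's host firewall already blocks.
    Finding("finding-2", 9.8, "smb", "network", exploit_public=True,
            neutralised_by={"wfw-block-445"}),
    # "Low" on paper, but exploited in the wild on an exposed, high-value host.
    Finding("finding-3", 3.7, "openssl", "network", exploit_public=True),
]

if __name__ == "__main__":
    for host, ident, p in triage(FINDINGS, [DMZ_WEB, LAB_BOX]):
        print(f"{host:12} {ident:10} {p.score:4.1f} {p.action:16} {'; '.join(p.reasons)}")
```

Run stand-alone, the worklist puts finding-3 on dmz-web-01 at the top (8.7, "patch now") while the same finding on lab-test-07 lands at 1.7 ("schedule"), and finding-1 on the DMZ host drops out entirely as "not applicable"; the reasons list is the documented justification the text asks for, and linking findings to an asset inventory is the correlation the Interface section demands.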

Focus on mitigation and on not having the same vulnerability reappear again and again; those are corrective actions that are also preventive. Remember that companies still get hacked after mitigating weaknesses because they do not pay attention to the attack vector and surface and to how exploitation works. Most of the time patching is not enough, even though vendors keep releasing updates and patches.

The interface to a VM is where you should be able to see and understand everything. If you have to ping a node from a different interface, or your VM is not linked to your asset management system, do not waste your time and money; you could use free tools in the same manner.
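The Mitigation section asks for something most tools do not give you: a follow-up scan that reliably validates a fix, and a record that catches the same vulnerability coming back. The ledger below is an added example written for this article, not code from the original page or from any scanner; the state names, the ledger layout and the three scan cycles it replays are constructed for illustration. It folds each scan's results into a per-(host, finding) ledger and only calls a finding "validated" when its disappearance is backed by a closed remediation ticket; a finding that merely vanishes with no ticket is flagged, because that usually means scanner coverage changed rather than the weakness being gone.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    state: str            # open | fix-unverified | validated | vanished | regressed
    first_seen: int
    last_seen: int
    regressions: int = 0  # how often a validated fix has come undone


def advance(ledger: dict, cycle: int, detected: set, remediated: set) -> dict:
    """Fold one scan cycle into the ledger.

    ledger     -- {(host, ident): Entry}, mutated in place and returned
    detected   -- (host, ident) pairs this scan reported
    remediated -- pairs whose patch/workaround ticket was closed since the last scan
    """
    for key in detected:
        e = ledger.get(key)
        if e is None:
            ledger[key] = Entry("open", cycle, cycle)           # brand-new finding
            continue
        e.last_seen = cycle
        if e.state == "validated":
            e.state, e.regressions = "regressed", e.regressions + 1   # fixed before, back again
        elif e.state == "vanished":
            e.state = "open"                                     # never fixed; the scanner just missed it
        elif key in remediated:
            e.state = "fix-unverified"                           # ticket says done, scanner disagrees
    for key, e in ledger.items():
        if key not in detected and e.state in ("open", "fix-unverified", "regressed"):
            # Gone from the scan: trust it only when a remediation record backs it up.
            e.state = "validated" if key in remediated else "vanished"
    return ledger


def summary(ledger: dict) -> dict:
    """Count entries per state, for the dashboard or the weekly report."""
    counts = {}
    for e in ledger.values():
        counts[e.state] = counts.get(e.state, 0) + 1
    return counts


def run_sample() -> dict:
    """Replay three constructed scan cycles (not real hosts, not real findings)."""
    cycles = [
        # (cycle, pairs detected by the scan, tickets closed since the previous scan)
        (1, {("web-01", "smb-v1"), ("web-01", "tls-weak"), ("db-02", "smb-v1")}, set()),
        (2, {("web-01", "tls-weak"), ("db-02", "smb-v1")},
            {("web-01", "smb-v1"), ("db-02", "smb-v1")}),
        (3, {("web-01", "smb-v1")}, {("db-02", "smb-v1")}),
    ]
    ledger = {}
    for cycle, detected, remediated in cycles:
        advance(ledger, cycle, detected, remediated)
    return ledger


if __name__ == "__main__":
    ledger = run_sample()
    for (host, ident), e in sorted(ledger.items()):
        print(f"{host:8} {ident:9} {e.state:15} seen {e.first_seen}-{e.last_seen} "
              f"regressions={e.regressions}")
    print(summary(ledger))
```

In the replay, db-02's SMB fix is first reported closed but still detected (fix-unverified) and only becomes validated after the next scan; web-01's SMB fix validates in cycle 2 and then regresses in cycle 3, which is exactly the "same vulnerability repeating" case; and web-01's TLS finding disappears with no ticket behind it and is flagged as vanished rather than counted as fixed.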

Manage Numerous IT Projects With No Resource Constraints

IT resource management is crucial in chaotic environments where multiple projects collide… 

The most obvious challenge for IT managers is to make sure they meet deadlines and deliver projects in a timely manner. This is most tangible in environments where tons of big and small projects overlap on shared resources. That is a sign of resource constraint. By resource, I mean IT staff and personnel.

Regardless of why an IT team faces unexpected projects and ends up with a messy environment, or how important the IT manager's job description and responsibilities are in the first place, let's focus on how to address disorder in IT project management and how to reach a smooth flow of projects mixed with daily IT tasks.

One of the simplest techniques for handling resource allocation is aligning the expected assignment(s) with the factual capacity of the resource: when and how a resource is free, and what to assign to it and when. There are many ways to do this. I prefer mapping the current state of the resources (their main aspects or features), identifying the projects and their specifications, and finally reconciling the two with any simple tool.


Once you master this very basic and easy technique, no matter what tool you use, you will be able to manage IT projects even in a very disordered and out-of-control department. That is one reason why I do not believe in the phrase "lack of resources"! The more we blame a shortage of human resources, the more we put ourselves in an irreversible situation: one where it does not matter how many staff you add to your team, you still will not meet deadlines and, more importantly, will not have reasonable quality in your IT operations.


Back to the technique: list your resources and calculate their availability and capacity at a given time. What are the factors in the equation? It depends on your particular environment, but the universal factors are known to any project manager. Then list your projects and identify their specifications in detail. If you do not have time for these basic steps, then you had better set aside more time, and reputation, for fixing a broken IT department, a dozen overdue deadlines and an unhappy C-suite. Allocation of resources is straightforward once you complete the first and second steps precisely.

There are a bunch of tools for executing such a simple idea, but some of them, like Microsoft Project, require a dedicated trained professional just to use the tool and feed it the right information. That is too complicated and unreasonable where project management is not the goal in itself. In other words, tools like MS Project are good for those who are project managers and do this for thousands of clients.

I developed a simple, smart Excel spreadsheet to handle this crucial task of managing IT projects in real scenarios. As simple as 1-2-3. Depending on the size of your staff and projects, you might be eligible to use it free of charge.