March 05, 2001, 11:31 AM — Eighteen months ago, my company, a large financial services organization, suffered a number of attacks that were stopped mostly by luck. With the awareness of security raised, management hired me as information security manager to secure their infrastructure and operations.
I manage a team of five people, with an annual budget of just under US$750,000. With these resources, I protect 4,315 IP-connected devices and 617 staffers from the real and imaginary threats of the New Economy -- and keep our regulators and customers convinced that we're a safe and trustworthy organization.
How do I know we have 4,315 connected devices? We have a vulnerability scanning system. That sounds terribly impressive, but really it consists of a ping sweep followed by the use of nmap freeware port scanner software and Internet Scanner software from Internet Security Systems Inc. in Atlanta. This would be easier if my company maintained an accurate inventory of the equipment it bought and deployed, but with the organization split between development and operations, there's no central tracking of computers.
I highly recommend checking the connected operating systems on your network. We mostly use Windows NT Workstation 4 on the desktop, some Windows NT 4 servers, Sun Solaris systems and a healthy wedge of back-office servers running OpenVMS. All these operating systems are linked by Cisco Systems Inc. routers and switches.
But we knew that before we ran the tests. The useful data is the strange other network stacks we detected:the printers, the developers trying out betas of Windows 2000 and Linux without permission, and even partner organizations, like those that manage the phone system, connecting firewalls and some non-Y2k-compliant versions of Windows 3.1.
And those 617 people? I wish I could say I knew them all. Like other financial services companies, we have many contractors and high staff turnover. Nonetheless, I must educate them all in the basics of information security.
To keep control of the staff changes, we've set up a system that takes a feed from the human resources database and matches it to all the user accounts across our infrastructure. For the past three months, we've been clearing up the discrepancies. With 28,652 accounts in our environment, that was a lot of work. I'm not convinced of the real value of this cleanup, because most of the accounts were expired before we deleted them. But this kind of work really delights internal and external audit, so that alone makes it worthwhile. This would be easier if the human resources database were correct, but at least we have eradicated some of the errors.