Last week was a real eye opener.
A small outfit near me does security audits of companies' IT
infrastructure. That's all they do. And they have plenty of business.
These experienced experts continually find security breaches that never
cease to amaze. The bottom line: beg, plead and urge your clients to
have their own operations audited.
I'm now advising my clients to spend the bucks for a security audit of
their own. If I can endure a colonoscopy, why not a similarly deep probe
of my clients' networks?
To gain a better understanding, I sat through part of an audit for a
company that shall remain nameless. (Identifying the company would make
it a target for hackers.) The auditor's tools were simple: one PC and
some specialized, though commercially available software designed for
this specific purpose. Performed at night when business activity was
low, the audit checked about 30 servers and other assorted devices with
a contiguous block of IP addresses, just a portion of the total. Most of
these should not be visible via the Internet, or "Internet facing," as
the auditor put it. But many were.
I couldn't believe what I was seeing, especially since the company being
audited had supreme confidence that its systems were more secure than
envelopes, hermetically sealed and kept in a #2 mayonnaise jar on Funk &
Wagnall's front porch since noon today.
As it turns out, the auditor, in his divine and mystical way, found
holes. Holes through which you could drive a Mack truck. Plenty of them.
Holes that weren't supposed to exist.
The first step in the audit was getting past the firewall. Four minutes,
maybe five. It didn't take long to figure out the brand, the model, the
operating system and version, and, oh yeah, the password.
Doesn't anyone understand that the first thing you do with a default
password is change it?
We discovered the server used to manage all of the company's printers -
dozens and dozens of them. The auditor was able to drill down to
individual printers, viewing their control panel status, toner status,
model, firmware revision, and more. He could have changed the language
on the control panels. Or he could have sent print jobs to any or all.
Someone more mischievous could have disabled the server, shutting down
all the printers.
The audit found several minicomputers from computer companies that
haven't existed in years. Other servers were woefully out of date in
terms of upgrading operating systems or applying service packs. And
there were systems that were connected, running, and available - though
no actual software seemed to be running on them. Do you think the IT
director even knows they're there? Not likely. There was more, but you
get the point.
In audits of other companies, servers have been found performing a
variety of, shall we say, unusual activities, including hosting personal
or pornographic Web sites, sharing MP3 and video files, making
unauthorized backups of sensitive data sets, and providing secret access
to the network.
Some of these devices could have been there for years, installed by
people who don't even work there anymore. It's a brilliant scheme: when
no one on the current IT staff can figure out what a particular server
is doing, the safest course of action is to just leave it alone. How
perfect is that?
At the subject company, admin services of other servers were easily
accessed via default passwords (like "admin") or easily guessed
combinations relating to the company's name. Granted, most of the
servers could not be broken into, but the auditor didn't spend days or
weeks trying to, as someone bent on criminal activity or the thrill of
victory might. And though the scope of the audit was limited to the
servers whose contiguous IP addresses were provided, it's a no-brainer
for a hacker to extend the scope to additional contiguous addresses.
Keep in mind that an auditor is a good guy, not some malicious deviant
who breaks in and posts the results on hacker-frequented Web sites for
all to see and share. We didn't access any sensitive data; indeed, we
didn't try. We didn't reboot any systems, didn't shut down any hubs or
switches, and didn't disable the firewall (which is obviously the last
thing you'd be able to do from the outside world).
With the "breaking and entering" phase of the audit complete, the
auditor is now preparing a report that will be presented to the client
company. The report will contain recommendations for immediate action,
and suggestions that should be addressed, but need not be done right
away. The out-of-date and unused servers will be identified. Closing
down a variety of ports - open for no apparent reason - will be an
additional recommendation. Implementation of a password policy will be
suggested. Getting rid of dial-up remote access and replacing it with a
virtual private network will also be recommended. And, of course, the
client will want to make that printer-management server no longer
I sure hope that this IT director is duly and completely mortified when
the report is presented.
So, I've got to ask: When was the last security audit done for each of
your clients? (And of your own network?) And of the breaches found,
which have actually been corrected? Is a follow-up audit in order?
A full-blown security audit isn't cheap, but it's an absolute necessity.
Performing such an audit is a specialized skill; if you don't provide
this service, it's time that you partnered with someone who does. Today. Now.