Take this probe and shove it

Last week was a real eye opener.

A small outfit near me does security audits of companies' IT
infrastructure. That's all they do. And they have plenty of business.
These experienced experts continually find security breaches that never
cease to amaze. The bottom line: beg, plead and urge your clients to
have their own operations audited.

I'm now advising my clients to spend the bucks for a security audit of
their own. If I can endure a colonoscopy, why not a similarly deep probe
of my clients' networks?

To gain a better understanding, I sat through part of an audit for a
company that shall remain nameless. (Identifying the company would make
it a target for hackers.) The auditor's tools were simple: one PC and
some specialized, though commercially available, software designed for
this specific purpose. Performed at night when business activity was
low, the audit checked about 30 servers and other assorted devices with
a contiguous block of IP addresses, just a portion of the total. Most of
these should not be visible via the Internet, or "Internet facing," as
the auditor put it. But many were.

I couldn't believe what I was seeing, especially since the company being
audited had supreme confidence that its systems were more secure than
envelopes, hermetically sealed and kept in a #2 mayonnaise jar on Funk &
Wagnall's front porch since noon today.

As it turns out, the auditor, in his divine and mystical way, found
holes. Holes through which you could drive a Mack truck. Plenty of them.
Holes that weren't supposed to exist.

The first step in the audit was getting past the firewall. Four minutes,
maybe five. It didn't take long to figure out the brand, the model, the
operating system and version, and, oh yeah, the password.

Doesn't anyone understand that the first thing you do with a default
password is change it?

We discovered the server used to manage all of the company's printers -
dozens and dozens of them. The auditor was able to drill down to
individual printers, viewing their control panel status, toner status,
model, firmware revision, and more. He could have changed the language
on the control panels. Or he could have sent print jobs to any or all.
Someone more mischievous could have disabled the server, shutting down
all the printers.

The audit found several minicomputers from computer companies that
haven't existed in years. Other servers were woefully out of date in
terms of upgrading operating systems or applying service packs. And
there were systems that were connected, running, and available - though
no actual software seemed to be running on them. Do you think the IT
director even knows they're there? Not likely. There was more, but you
get the point.

In audits of other companies, servers have been found performing a
variety of, shall we say, unusual activities, including hosting personal
or pornographic Web sites, sharing MP3 and video files, making
unauthorized backups of sensitive data sets, and providing secret access
to the network.

Some of these devices could have been there for years, installed by
people who don't even work there anymore. It's a brilliant scheme: when
no one on the current IT staff can figure out what a particular server
is doing, the safest course of action is to just leave it alone. How
perfect is that?

At the subject company, admin services of other servers were easily
accessed via default passwords (like "admin") or easily guessed
combinations relating to the company's name. Granted, most of the
servers could not be broken into, but the auditor didn't spend days or
weeks trying to, as someone bent on criminal activity or the thrill of
victory might. And though the scope of the audit was limited to the
servers whose contiguous IP addresses were provided, it's a no-brainer
for a hacker to extend the scope to additional contiguous addresses.

Keep in mind that an auditor is a good guy, not some malicious deviant
who breaks in and posts the results on hacker-frequented Web sites for
all to see and share. We didn't access any sensitive data; indeed, we
didn't try. We didn't reboot any systems, didn't shut down any hubs or
switches, and didn't disable the firewall (which is obviously the last
thing you'd be able to do from the outside world).

With the "breaking and entering" phase of the audit complete, the
auditor is now preparing a report that will be presented to the client
company. The report will contain recommendations for immediate action,
and suggestions that should be addressed, but need not be done right
away. The out-of-date and unused servers will be identified. Closing
down a variety of ports - open for no apparent reason - will be an
additional recommendation. Implementation of a password policy will be
suggested. Getting rid of dial-up remote access and replacing it with a
virtual private network will also be recommended. And, of course, the
client will want to make that printer-management server no longer
Internet facing.

I sure hope that this IT director is duly and completely mortified when
the report is presented.

So, I've got to ask: When was the last security audit done for each of
your clients? (And of your own network?) And of the breaches found,
which have actually been corrected? Is a follow-up audit in order?

A full-blown security audit isn't cheap, but it's an absolute necessity.
Performing such an audit is a specialized skill; if you don't provide this
service, it's time that you partnered with someone who does. Today. Now.
