July 31, 2003, 12:00 AM — Last week was a real eye opener.

A small outfit near me does security audits of companies' IT infrastructure. That's all they do. And they have plenty of business. These experienced experts continually find security breaches that never cease to amaze. The bottom line: beg, plead and urge your clients to have their own operations audited.

I'm now advising my clients to spend the bucks for a security audit of their own. If I can endure a colonoscopy, why not a similarly deep probe of my clients' networks?

To gain a better understanding, I sat through part of an audit for a company that shall remain nameless. (Identifying the company would make it a target for hackers.) The auditor's tools were simple: one PC and some specialized, though commercially available, software designed for this specific purpose. Performed at night when business activity was low, the audit checked about 30 servers and other assorted devices with a contiguous block of IP addresses, just a portion of the total. Most of these should not be visible via the Internet, or "Internet facing," as the auditor put it. But many were.

I couldn't believe what I was seeing, especially since the company being audited had supreme confidence that its systems were more secure than envelopes, hermetically sealed and kept in a #2 mayonnaise jar on Funk & Wagnall's front porch since noon today.

As it turns out, the auditor, in his divine and mystical way, found holes. Holes through which you could drive a Mack truck. Plenty of them. Holes that weren't supposed to exist.

The first step in the audit was getting past the firewall. Four minutes, maybe five. It didn't take long to figure out the brand, the model, the operating system and version, and, oh yeah, the password.

Doesn't anyone understand that the first thing you do with a default password is change it?

We discovered the server used to manage all of the company's printers - dozens and dozens of them. The auditor was able to drill down to individual printers, viewing their control panel status, toner status, model, firmware revision, and more. He could have changed the language on the control panels. Or he could have sent print jobs to any or all. Someone more mischievous could have disabled the server, shutting down all the printers.

The audit found several minicomputers from computer companies that haven't existed in years. Other servers were woefully out of date in terms of upgrading operating systems or applying service packs. And there were systems that were connected, running, and available - though no actual software seemed to be running on them. Do you think the IT director even knows they're there? Not likely.