Most companies believe that their computer systems are secure. But one of the only ways to determine whether this is actually true is by performing a thorough audit of computer systems. Jonathan Yarden explains why your company should make a point of auditing its security on a regular basis, and he spells out some of the particular challenges you may encounter.
In less than a decade, Internet security has evolved from an almost esoteric topic to become one of the more important facets of modern computing. And yet it's a rarity to find companies that actually consider information security to be an important job function for all workers—and not just the IT department's problem.
Unfortunately, it's the general opinion of most companies, particularly at the management level, that their computer systems are secure. However, one of the only ways to determine whether this is actually true is by performing a thorough audit of computer systems. But most companies don't make it a habit of performing regular security audits, if they perform them at all.
In my experience, many companies base their Internet and information security strategy entirely on assumptions. And we're all familiar with that old saying about making assumptions.
But I don't entirely blame companies for failing to conduct periodic computer security audits. Frankly, the complexity and variability of administering and interpreting a comprehensive computer systems audit is equal to the complexity and variability of the systems used in corporations.
Several dozen popular commercial network and computer security auditing programs are currently available. While I've used several myself, I've honestly found no favorites. These tools produce mountains of useful information, but understanding what to do with the data is no simple job.
Most computer network and system security audits begin the same way. An automated program gathers information about hosts on the corporate network, identifying the type of network device. If applicable, it also scans the TCP and UDP services that are present and "listening" on the host, and it might even determine the versions of the software supplying an Internet service.
In most cases, the process involves at least two automated scans—one of internal networks, which are generally behind a firewall, and one of the Internet subnet used by the corporation. If a security audit doesn't include both an interior and exterior scan, then you're not getting a complete picture of what hosts are on your organization's network.
In addition, I also recommend that companies perform their own auditing whenever possible. If not, it's vital that you select an Internet security vendor you don't currently do business with.
Security audits produce a huge amount of data, and you need to be prepared to review this information in order to truly benefit from the audit. It's also important to understand that a computer security audit may report potential problems where no real issue exists.
For example, an isolated switch from 1998 in an internal network could quite possibly be running firmware that's vulnerable to a denial-of-service flood. Should you replace it? Probably not. Nor should you be too concerned about the ancient Windows NT 4 system running outdated voice mail software that's subject to an obscure TCP sequence number exploit. It's not running anything other than a specialized application for voice mail services, and it's behind the firewall.
But some issues should concern you. For example, it's a good idea to disable guest accounts on dedicated Windows servers. Don't run IIS on Windows domain controllers, and DNS servers should not be running services other than DNS either.
However, a security audit may not always identify these issues, and one could debate whether it's actually a security problem. When there's doubt, disable unused services, or determine a secure solution.
The major problems with security audits are that they typically produce either too much data or not enough. A dearth or an excess of data can lead to misinterpretation and even exploitation of the information. Fear remains a very effective way to sell unnecessary equipment and services to companies that don't truly understand security.
For example, one company's recent Internet security audit completely ignored the security issue of direct VPN connections to the internal network and a dial pool, both of which completely bypassed the firewall. Coincidentally, while the same vendor that performed the audit was busy replacing functioning internal network equipment due to "vulnerable" firmware, one of the many recent Sober flavors was busy spreading internally, sourced from a remote office connected via a VPN.
Knowing what is and what isn't a significant issue goes to the very core of understanding Internet and information security. While assumptions can be correct, in many cases, they're dead wrong. Perform regular security audits on your organization's network to be sure. And if you're not using a particular TCP or UDP service, shut it off.
Miss an issue?
Check out the Internet Security Focus Archive, and catch up on the most recent editions of Jonathan Yarden's column.
Want more advice for locking down your network? Stay on top of the latest security issues and industry trends by automatically signing up for our free Internet Security Focus newsletter, delivered each Monday.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.