Tuesday, December 23, 2008
How to destroy your business 101 - network security
Throughout the course of my career, I've had opportunities to work with a range of companies both large and small. Along the way, I've seen some amazingly bad practices. The root cause of each of these scenarios is usually a mixture of inexperience and/or laziness. I'm not a network expert, but I know a bad idea when I see one. Here are some example of grievous holes in security that I've run into first hand.
Don't do it. I've seen this manifest itself in few different ways. At one shop, every member of the IT staff knew the password to the domain admin account. This is bad. The IT manager didn't realize that you could add accounts to the Domain Administrators Group. *sigh* The thing is, if a bunch of people have access to the same account, it's almost impossible to tell who screwed something up. Also, if it's hard to tell who dunnit, it's more likely that somebody is going to do it. In other words, if you have a disgruntled employee in house that has domain admin access and you have no way to audit access, he or she probably knows it and is free to wreak whatever havoc he or she wants to without much fear of getting caught.
More recently, I saw the same problem from a different angle. Instead of a bunch of people having the password to the domain admin account, everybody had the username / password to a test account that is part of the domain admin group. Oh snap. With these credentials, it would be possible to wreak devastation on the network with no trail. This isn't a good. The first thing I did was report this huge hole in security, so I'm hoping that somebody does something. It's not my responsiblity, but I'd rather not have to twiddle my thumbs as the IT team rebuilds the servers.
Easy passwords for sensitive accounts
This was a legendary scenario. Most companies use VPN to provide remote access to the corporate network. The passwords for these accounts are usually required to have strong passwords at the the very least. The robust solution should require certificates, SecureID fobs, etc. I stumbled onto this one night when I was bored at home and was curious if I could guess the password to one of the salepersons accounts. I fell out of my chair when I got it on my second guess. Oh yeah, it was "password".
Note that this was a large company, with over 300 employees that did many millions of dollars worth of business. Oh, and it was a medical supply company. Holy crap. That was a huge violation of HIPAA rules. I called the IT manager to fix the problem immediately. He was worried that he would get support calls from the sales staff in the middle of the night so he didn't want to deal with it until the morning. I knew that I would be the one fixing the problem if the network got comprimised, so I broke protocol and disabled the VPN server for the entire company. I don't like sidestepping procedure but in this case I felt I had no choice. The first thing in the morning I let the executive meeting what was happening. Fortunately, the exec team understood the gravity of the matter and we resolved the issue pretty quickly.
Wireless Access Points
In another case, I was walking around the building I worked in. While walking by the office of the IT manager, I noticed that there was a wireless router plugged into the network. Snap. I asked him what it was for and he stated that we was playing with it, but it was no big deal because it didn't have a big range.
This was at the same company (and yes, the same IT manager). Did I mention the gobs of patient data that we were responsible for? I advised him that he probably should not be plugging that into the network. He eventually saw my point, but I was amazed at the complete lack of forethought.
There are ways to safely incorporate wireless networking into an enterprise architecture, but the right solution usually involves several layers of security including encryption, access control and firewalls. Just plugging a cheap consumer wireless router into your office wall with default settings (wide open access) is a recipe for disaster.
At one post, I noticed there were several servers that were hanging out in the corner of the server room. They weren't labeled and nobody had any idea what they did. Better yet, nobody had the root password to the machines. Holy crap!
Basically, an intern had set up some servers for the company a while back, but never shared the passwords. Out of fear, the IT manager refused to turn off the machine. Later, when I became responsible for the network, the first thing I did was unplug those machines. It turned out they were service some utility, but weren't critical. I instructed the IT staff to recycle the machines with a fresh OS install so that we knew exactly what was installed.
There are many subtle ways in which network security can be comprimsed. These were some gaping holes that were just asking for trouble. Take an inventory, if you're doing any of the above - stop!