Next week we have a security audit for 5 days on our local network; basically inside the company from the perspective of an insider or someone who has gained some sort of access to the inside (either on the network or physical access).
Will we pass? I truly think so, since we’re not morons about what is secure or not. I think companies that fail things like this are the ones who have a nonexistent or weak IT department. We, however, have enough of an IT department to more than provide the necessary baseline of defense and diligence.
Will it be pretty? I don’t think so. I know there are many issues with our local systems that I could come up with, but sometimes there is just no justification in devoting the time and the limiting of user “freedom” in order to make things much more secure. I think too many people have no idea about such technical things and what security means in terms of limiting usability in the process.
Some issues I could point out immediately:
– sniffing passwords would be trivial over our wire; FTP, HTTP, and POP3 are all over the place. Email is also obviously readable. Considering we are a web app technology provider, a few months of password harvesting in such a manner would gather a huge foothold into many things.
– employees have local administrator rights on their computers, which means they can install anything they want, including worms, keyloggers, and malicious tools. They also have unfettered access to local SAM files.
– wireless is in heavy, but non-critical use, which means less money is devoted to it than critical things like actual network access on the wired network, making the potential for wireless DDoS fairly high (recently released vulnerabilities inherent in 802.11b (and g I think) illustrate that once an AP drops under 20 Mbps, someone up to 2 km away can send traffic to the AP that basically closes it to all traffic indefinitely). I don’t like such unnecessary and widespread wireless activity.
– widespread laptop use means our effective network spreads to user home networks, which tend to be far less protected. Vulnerabilities in home networks suddenly pose a threat to our protected network when someone is infected with a worm at home and brings it into the work network.
I could go on, but I think the bottom line to any issue we have stems from two causes:
– lack of manpower to implement improvements and research. Our team spends most of its time dealing with actual open issues, and many things rarely get looked at until they rise to emergency level (or someone higher up gets a whiff of the issue and applies pressure that basically makes it critical). This also means we all do only what we know, and any learning is done “while under fire” or on our own time.
– lack of knowledge and awareness (training) in the areas of personal computing and security.
Back to the security audit, I’m quite happily excited to be going through it. Not only do I get to see what people in such jobs do, but I finally get some third-party validation and insight into my network and my systems. Perhaps their feedback reports will help fuel reasons to pursue avenues of improvement in various areas. Who knows, maybe they will be more impressed than I expect, and we’ll all get a round of congrats… but honestly, I like constructive criticism on things that are wrong more than I do validation that everything is fine. I want something to be wrong, so as to “keep it real” and improving.