HostGator was apparently not alone. At least two other companies had reportedly also been hit with the attack, an exploit for a previously unknown–or “zero-day”–vulnerability in a popular Web-site management application known as cPanel. (SecurityFocus)
One thing that scares me about many companies is their propensity to have what becomes a highly heterogeneous environment with lots of little things purchased and installed or freely downloaded and implemented in their environments, sometimes circumventing IT involvement. And one little thing like a third-party web-based app can cause an entire server or network to become owned and jeopardize a company’s existence.
I had more of a purpose for this post, but I ended up turning myself in circles. Homogenous environments vs heterogeneous environments, simplicity vs defense in depth, all-in-one devices vs separation of duties…
In the end, companies simply have to keep control of what they install and run on their networks, especially Internet-facing exposures, and maintain a process (with staff actually devoted to it) for keeping up with patches and alerts for those exposures. OS patches and “big” apps like Apache and OWA are usually tracked; it is the far too many little things that slowly seep into the network landscape that get overlooked. That ticket management system that was put in two years ago, or that survey “engine” on the corporate web site, or that PHP bulletin board that hasn’t had an update in 12 months. What about the port someone demanded be opened three years ago for a “temporary” FTP server that was never cleaned up? Does marketing really need that nifty new tool on the web site, or WebDAV turned on because that’s the only way their contracted, at-home employee knows how to update web pages?
While I like to call some of those things “network relics,” I think I will also start applying a term, “network creep,” to all the various little things that slowly make their way onto or into the systems and networks that IT manages. This creep slowly expands a company’s exposure, and unless there is strong change management, follow-up, and staff hours to devote to it, the creep turns into relics.
What keeps creep in check: policy and processes (including retirement of systems and apps), inventory and documentation, standards, logging and monitoring, staff, and change management.
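As an added example (not code from the original post), here is the reconciliation step that inventory and change management imply: compare what an external scan actually sees on the perimeter against the list of approved exposures, and flag three kinds of drift. “Creep” is anything listening that nobody approved, “relics” are approved entries that are past their retirement date or have gone a year without a patch, and “ghosts” are inventory entries that are no longer reachable, which means the records themselves have drifted. The hosts, ports, owners and dates are constructed sample data, not real systems.

```python
from datetime import date, timedelta

# Constructed sample data (not from the post): what an external scan of the
# perimeter reports, as (host, port, banner) tuples.
OBSERVED = [
    ("www.example.test", 80, "Apache"),
    ("www.example.test", 443, "Apache"),
    ("www.example.test", 8080, "phpBB"),       # in inventory, but not patched in a year
    ("mail.example.test", 443, "OWA"),
    ("files.example.test", 21, "vsftpd"),      # the "temporary" FTP server
    ("www.example.test", 5984, "CouchDB"),     # nobody approved this
]

# Constructed change-management inventory: every approved Internet-facing
# exposure, its owner, when it was last patched, and when it should go away.
INVENTORY = [
    {"host": "www.example.test", "port": 80, "name": "corporate site",
     "owner": "web-team", "last_patched": date(2024, 5, 1), "retire_by": None},
    {"host": "www.example.test", "port": 443, "name": "corporate site",
     "owner": "web-team", "last_patched": date(2024, 5, 1), "retire_by": None},
    {"host": "www.example.test", "port": 8080, "name": "phpBB forum",
     "owner": "marketing", "last_patched": date(2023, 3, 15), "retire_by": None},
    {"host": "mail.example.test", "port": 443, "name": "OWA",
     "owner": "messaging", "last_patched": date(2024, 5, 20), "retire_by": None},
    {"host": "files.example.test", "port": 21, "name": "temp FTP for vendor",
     "owner": "ops", "last_patched": date(2021, 6, 1), "retire_by": date(2021, 9, 1)},
    {"host": "old.example.test", "port": 443, "name": "ticket system",
     "owner": "helpdesk", "last_patched": date(2022, 1, 10), "retire_by": None},
]


def reconcile(observed, inventory, today, stale_days=365):
    """Compare what is exposed with what was approved.

    Returns a dict with three lists:
      creep  - (host, port, banner) seen on the perimeter but absent from the inventory
      relics - (host, port, name, owner, reason) for inventory entries that are past
               their retire_by date or have not been patched within stale_days
      ghosts - inventory entries that the scan no longer sees, i.e. decommissioned
               without updating the records
    """
    inv_by_key = {(e["host"], e["port"]): e for e in inventory}
    seen = {(host, port) for host, port, _ in observed}
    stale_before = today - timedelta(days=stale_days)

    creep = [o for o in observed if (o[0], o[1]) not in inv_by_key]

    relics = []
    for e in inventory:
        reasons = []
        if e["retire_by"] is not None and e["retire_by"] < today:
            reasons.append(f"past retire_by {e['retire_by']}")
        if e["last_patched"] < stale_before:
            reasons.append(f"no patch since {e['last_patched']}")
        if reasons:
            relics.append((e["host"], e["port"], e["name"], e["owner"], "; ".join(reasons)))

    ghosts = [e for e in inventory if (e["host"], e["port"]) not in seen]
    return {"creep": creep, "relics": relics, "ghosts": ghosts}


def run_sample(today=date(2024, 6, 1)):
    """Run the reconciliation over the constructed sample data for a fixed date."""
    return reconcile(OBSERVED, INVENTORY, today)


if __name__ == "__main__":
    report = run_sample()
    for host, port, banner in report["creep"]:
        print(f"CREEP  {host}:{port} ({banner}) is listening but was never approved")
    for host, port, name, owner, reason in report["relics"]:
        print(f"RELIC  {host}:{port} {name!r} owned by {owner}: {reason}")
    for e in report["ghosts"]:
        print(f"GHOST  {e['host']}:{e['port']} {e['name']!r} is in the inventory but not reachable")
```

The inventory, not the scan, is the authority here: a service is acceptable only if someone owns it, it has a retirement date or a patch cadence, and it still matches what is actually listening. Running this after every scan turns “who opened 5984?” from an incident question into a routine change-management one, and the ghost list keeps the inventory honest in the other direction.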
I’ll stop now before I get to rambling too much more.