Computerworld - You've just completed an extensive vulnerability assessment and have compiled the results. You give the report to the appropriate manager, who decides not to implement some of the corrective actions associated with a discovered threat. You want to be diplomatic about getting the discrepancies fixed, but you don't want to alienate anyone or create enemies. What do you do? I recently faced this very problem. Here's what happened and how I resolved it.
A Problem Appears
As part of a recent virtual private network (VPN) initiative, I performed a vulnerability assessment of about 1,500 remote laptops that will soon be loaded with the VPN client software. The laptops are all configured using the same software image, so by assessing one, I should be assessing them all—assuming that users haven't changed anything on their laptops.
I used automated tools for the assessment, including Internet Scanner from Atlanta-based Internet Security Systems Inc. and Nessus, the open-source vulnerability scanning software. The combination should address 95% of potential vulnerabilities. I also conducted a manual review of some of the permissions and other security-related settings available in the operating system.
My assessment revealed a serious vulnerability in Windows NT. The configuration allowed the creation of a null session, which a hacker could exploit to connect to the laptops and read files without authentication.
As I mulled these results at my desk one evening, I heard a knock at my door. Standing in the doorway with his arms crossed was the CIO. He wanted to know the status of a recent virus attack that had plagued our network. Unfortunately, I couldn't give him the details he wanted. My security architecture position doesn't include ongoing virus-detection responsibilities, so I referred him to the operations group.
The message, however, was clear. When a security event occurs and the CIO gets involved, he will immediately turn to the security manager for answers and, in some cases, accountability. If an incident like this occurs only infrequently, I can live with it. However, if it were a weekly occurrence, the CIO might start to question my effectiveness. In other words, I could end up paying for mistakes made by the operations group.
With that episode fresh in my mind, I went to a meeting with operations group managers to discuss server and workstation baseline image issues. I asked the security department to scrutinize all baseline configurations prior to release and that subsequent changes to the baseline images also be submitted for reassessment.
If a modification caused a departure from the previously secured baseline, then a retrofit of the existing infrastructure would need to be explored and executed to ensure that all installations remain within security best practices.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
