Computerworld - This week, I conducted a quick, routine vulnerability assessment of a sample of our production environment. I wasn't pleased with the results.
Ongoing vulnerability assessments are critical in determining my company's security posture at any given time.
My methodology is fairly straightforward. I use a combination of three scanning tools: Internet Scanner from Internet Security Systems Inc. in Atlanta, Retina Network Scanner from eEye Digital Security in Aliso Viejo, Calif., and Nessus, a free network scanner available at www.nessus.org. With these powerful tools, I can get a comprehensive view of our IT infrastructure's vulnerabilities. I'm not suggesting that this method discovers 100% of all possible problems, but it gets close. And our other activities, such as application-level assessments, architecture reviews and code reviews, get us even closer.
All three tools are simple to use and can scan from a preconfigured list of IP addresses. For my assessment, I selected a sample from each functional area. For example, I picked Web servers, database servers, application servers, e-mail servers, Domain Name System servers, Lightweight Directory Access Protocol servers, domain controllers and a few firewalls, routers and network switches. I used the Windows Notepad applet to create a host file and entered about 40 IP addresses into the list.
We have more than 300 servers in our production environment, but I scanned only 40 of them. I don't have time to assess and review every server, and I shouldn't have to do so, since all servers for a given function are identically configured. Or so I thought.
To achieve consistency, server administrators are supposed to use a standard jump-start image and then run postinstall scripts that install additional software and make security modifications, depending on the server's function. Our administrators are supposed to maintain and use these images whenever they build a new system, so an assessment of one type of resource should yield the same result for every server.
My assessment included five Oracle database servers, three of which had serious security holes. For example, one server was running a vulnerable version of the Secure Shell (SSH) program. Our current baseline includes the most current version of SSH, so unless someone had downgraded the current version, that Oracle server hadn't been built using the standard baseline image. To my surprise, many other servers weren't built with the jump-start image either. Instead, administrators had built them using a full install of the Solaris 2.8 operating system. That includes more than 600 programs, of which we use only a small number.
Alarmed, I called
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
