Sharky's Network Security Tales

Our Sharky's "pilot fish" send him a lot of stories about network security for posting in the Shark Tank. Here's a sampling:

But full access to the network? That I can do

Field support pilot fish has just been hired at this big manufacturing company, and the first thing he needs to do is go to a field office to get an ID badge and the company's e-mail software.

So he drives to the nearest field office, walks in and tells the receptionist that he needs to pick up e-mail software and an ID badge.

"Are you an employee?" she asks.

"Yes," says fish.

"Oh, well then, you need to see our security officer," receptionist says.

Security comes out and introduces himself, then asks, "Are you an employee?"

"Yes," says fish.

"Well, come on in and I'll get you set up with an available desk near an active data port to download the e-mail client," security says. "You do have a Token Ring card with your laptop?"

"No, I only have Ethernet," says fish.

Security quickly produces the necessary card and cables, then leaves fish unsupervised for more than an hour on the company's internal network.

When he finally returns, fish asks about getting his ID badge.

"Do you have an authorization form from your manager to be given the badge?" security asks.

"No, I don't," says fish.

"Well," says security, "I just can't give an ID badge to anyone who walks in off the street and claims to be an employee!"

Top Secret

Company commissions an IT security audit and gets back a list of vulnerabilities from the outside security outfit. "It was a virtual road map for anyone wanting to crack our systems," says pilot fish. "My boss wanted to make it available to upper management -- so he posted the entire report on a network drive accessible to all 1,500 employees of the organization."

Aw, you didn't think we really meant it, didja?

"Security is Priority 1." That's the mandate this pilot fish and his team get, and they take it seriously. "We were given the right to refuse even the CEO if his request puts system security at risk," fish says.

So fish's team gets to work implementing some very pricey virtual private networks (VPNs). And when they're done, they call in a hotshot security outfit to audit the new system -- and the hotshots give it a thumbs up.

These systems are an electronic Fort Knox.

"Then management purchases a service that requires a VPN from a completely insecure network," says fish. "And it's connected directly into our network.

"The result?" grumbles fish. "The entire world now has an incredibly secure channel with which to roam the entire corporate network."

Don't ask, don't tell

Saturday afternoon, and this help-desk pilot fish is having an unusually busy day when a user calls in to have his network account unlocked.

While the fish fixes the problem, the user tries to explain how it happened. Busy fish doesn't want to hear a long story, so he interrupts to tell user, "That's OK, you're unlocked now."

But the user insists on explaining.

Seems he needed a personal e-mail from his PC but didn't want to have to come in to work to retrieve it. So he gave a co-worker his network password, so the co-worker could get to the e-mail and forward it to the user's home account.

Unfortunately, his friend messed up and locked out the account, user says.

His friend isn't the only one who messed up, the fish groans. "Now, instead of finishing up the rest of my work, I have to fill out an incident report, find out who the user's supervisor and director are and re-lock the user's accounts -- so he STILL can't get into them -- until he can be coached on security procedures and using company resources for personal use."

Fish sighs, "Some people will never, ever learn when to keep their mouths shut."

There's nothing like security

This new hotshot security manager goes over everything on this company's network and locks it down hard, grumbles a pilot fish who has to deal with the new locks and keys.

"Plain-text passwords were outlawed on the LAN, so we deployed secure shell (SSH) on all our network hardware," fish says. "We set up a single jump-off node at each site that each network device trusted. We removed all network dial-up access except through VPNs. We set passwords to arcane strings.

"When it was all done, no one could remember how to log into the routers, switches, firewalls and SSH gateways, which each had a different multistep access procedure. Staffers started carrying around written cheat sheets complete with passwords."

What's worse, all the new security means that when something breaks down and the on-call network admin wants to fix it remotely, a lot of applications, protocols and services have to be working in order to connect and do problem resolution.

"Given that, by definition, stuff is BROKEN when he would need remote access, you were essentially guaranteed that he'd have to drive in," says fish.

So fish writes a report detailing the problem. And management admits -- grudgingly -- that it IS a problem, and turns it over to the security guru for a fix.

"The security guru buys a modem-equipped terminal server and connects a serial port to each piece of active network gear," fish says.

"Now, in the event of trouble, an off-site tech can fire up a native dial-up session to the terminal server and connect directly to the console ports of all our infrastructure."

Or to put it another way, there's now a complete set of back doors that effectively negates all the new security measures.

"Our network is today better protected from the IS staff sitting at their desks than from someone outside war-dialing for modems," says fish.

"The upside is that the techs in-house can now dial the terminal server, eliminating the need to carry the cheat sheets."

Now that's security!

So this pilot fish swims up to a mondo aerospace defense contractor site to do a little consulting.

Before granting admittance, security puts him under the microscope -- swears him to secrecy, makes him sign multiple non-disclosure agreements, stops just short of a body cavity search.

Mid-task, consultant has to install new software and needs root access on a server. He gives the system administrator a ring to get the juice to log on.

"I must have interrupted something important because he got bent out of shape and said, 'Look, whatever you need is right there!'" reports the pilot fish.

Sure enough, right there, pinned to the cubicle wall, is a printout of all 56 system passwords, including root. What's national security compared to a little convenience, eh?

Security? Who needs security?

Network admin pilot fish is setting up the server for a new sales department application. "Boss," he says, "I need a small locked room to prevent unauthorized access to the server console."

Nonsense, scoffs the boss. "The new server is a sales department tool -- put it in the area where the other sales PCs are.

"Besides," he adds, "there isn't a room to spare just for the server."

"Since this will be the file and print server for the entire company, it really should be in a secure area," fish insists. "How about letting me put the server in my office?"

"No," reiterates boss. "The sales server goes with the rest of the sales PCs in the 'computer corner.'"

So fish gets the new server up and running, moves users over to the new system and gets past the biggest conversion and training speed bumps.

The system runs fine for a few weeks -- until, while he's at lunch one day, fish gets a panic page from one of the sales staff. "I got dumped off the system, and printing isn't working," sales guy says. "I need to print my proposals!"

Fish hustles back to the "computer corner" to find the sales manager playing a shoot-'em-up game at the server console.

What are you doing? asks horrified fish.

"Nobody ever uses this computer," shrugs manager. "So I re-installed DOS and loaded this really neat game..."

Hot Stuff

Newly hired IT pilot fish is shocked that his company's Web site has no firewall. He uses easily available scanning tools to demo the vulnerability to executives, who are impressed by the need: Get a firewall, they say, and fish gets it running fast. But the next morning, he gets a call from an unclear-on-the-concept marketing VP: "Can you check out your firewall? I think it's overheating. My room is unusually warm."

Aw c'mon, how bad could one little e-mail be?

Network security manager at this large transportation company claims he can find any security leak in his network, reports a pilot fish who works there.

"Of course, the whole security shop is really run by a few techies who know how things work," fish says.

So on this fateful Friday afternoon, the security manager gets a call from a customer who claims to have a very small e-mail bomb that can bring down the whole company's e-mail system.

"There IS no such thing," security manager decides, and tells the customer to send him the so-called e-mail bomb -- BY E-MAIL.

One techie who overhears the conversation objects strenuously to the boss -- but he's wasting his breath. So he beats it back to the other security techs and brings them up to speed on what's about to arrive.

"They all decide that this is the right time to start the weekend and head for home," says fish.

So the customer sends the e-mail. And the moment it hits the company's central virus scanner, it does indeed crash the scanner -- and brings down the entire e-mail system.

And the security manager? "He doesn't even notice that his whole e-mail system went down," fish says. "A little while later he also heads home -- leaving this 24/7 company without e-mail for the whole weekend."

Special Report

Souped-up Security

Copyright © 2004 IDG Communications, Inc.