Oct 04 2003
The war on worms continues!
What a week it’s been!
I have spent most of my time at work battling a worm infestation, discussing corporate policies (or lack thereof), and arguing with the WAN team over the proper way to deal with a worm. But now things are under control and I can back off and deal with these in a much calmer and more methodical way. After all, you know I’d never get worked up and threaten people who can’t figure out how to clean up a simple worm. After I’d forwarded them simple instructions. Nope, that would never happen.
I can’t get into details, because I want to have a job come Monday, but here is the gist of it: A laptop user, who logged into the network for the first time in several weeks, was infected with a worm. While this is not an uncommon experience, what was different about this incident was that the worm managed to find a number of other unpatched systems on the network before we could shut it down. While we hunted for the newly infected systems, they managed to find other systems that weren’t protected. In short, thanks to the worm, we discovered that there is a whole class of systems on our network that are not part of the standard update and antivirus policy - the rogue servers! For now, I think we’re winning the war, but I know that this was just one battle, and there is much worse to come. Microsoft just released MS03-040, a patch for a vulnerability in Internet Explorer which may have been under attack for months without anyone realizing it.
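The lesson in the incident above is that the systems which spread the worm were the ones the standard update and antivirus policy never covered. One practical check a defender can run is to reconcile what is actually seen on the wire against what the patch and antivirus console believes it manages. The script below is an added example, not code from the original post; it assumes two constructed inputs, an ARP/DHCP-style listing of hosts seen on the network and a hypothetical CSV export from a patch/AV console, and reports hosts seen but unmanaged (rogue), managed hosts whose last patch or signature run is older than a cutoff (stale, which is what a laptop absent for several weeks looks like), and managed hosts not seen at all (unseen).

```python
"""Reconcile hosts seen on the network against the patch/AV inventory.

Added example, not from the original post. Both inputs below are
constructed samples in hypothetical formats; real ARP/DHCP dumps and
console exports will need their own parsers.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample: what an ARP table / DHCP lease dump might show.
# Columns: ip, resolved name ('-' if none), MAC.
SEEN_ON_NETWORK = """\
10.1.4.17   lab-sql01.corp.example    00:11:22:33:44:55
10.1.4.18   LAB-WEB02.corp.example    00:11:22:33:44:56
10.1.7.200  sales-lt-045.corp.example 00:11:22:33:44:57
10.1.9.5    -                         00:11:22:33:44:58
10.1.4.19   build-box.corp.example    00:11:22:33:44:59
"""

# Constructed sample: export from a hypothetical patch/AV console.
MANAGED_HOSTS = """\
hostname,av_signature_date,last_patch_run
lab-web02,2003-10-03,2003-10-02
sales-lt-045,2003-09-01,2003-08-30
fileserver01,2003-10-03,2003-10-02
"""


@dataclass(frozen=True)
class SeenHost:
    ip: str
    name: Optional[str]
    mac: str


def normalize_name(raw: str) -> Optional[str]:
    """Lower-case the short hostname; '-' or empty means no name resolved."""
    raw = raw.strip()
    if not raw or raw == "-":
        return None
    return raw.split(".")[0].lower()


def parse_seen(text: str) -> list:
    """Parse the three-column 'seen on the wire' listing."""
    hosts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ip, name, mac = parts
        hosts.append(SeenHost(ip=ip, name=normalize_name(name), mac=mac.lower()))
    return hosts


def parse_managed(text: str) -> dict:
    """Map short hostname -> (AV signature date, last patch date)."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    managed = {}
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        managed[normalize_name(row["hostname"])] = (
            date.fromisoformat(row["av_signature_date"]),
            date.fromisoformat(row["last_patch_run"]),
        )
    return managed


def reconcile(seen, managed, today, max_age_days=14):
    """Classify hosts as rogue (seen, unmanaged), stale (managed but old),
    or unseen (managed but not on the wire)."""
    cutoff = today - timedelta(days=max_age_days)
    rogue, stale, seen_names = [], [], set()
    for h in seen:
        if h.name is None or h.name not in managed:
            rogue.append(h.name or h.ip)  # unnamed hosts are reported by IP
            continue
        seen_names.add(h.name)
        av_date, patch_date = managed[h.name]
        if av_date < cutoff or patch_date < cutoff:
            stale.append(h.name)
    unseen = sorted(set(managed) - seen_names)
    return {"rogue": sorted(rogue), "stale": sorted(stale), "unseen": unseen}


def run_report(today=date(2003, 10, 4)):
    """Run the reconciliation over the constructed samples."""
    return reconcile(parse_seen(SEEN_ON_NETWORK), parse_managed(MANAGED_HOSTS), today)


if __name__ == "__main__":
    for kind, hosts in run_report().items():
        print(f"{kind}: {', '.join(hosts) or '(none)'}")
```

On the sample data the rogue list is the two lab boxes and the unnamed 10.1.9.5 host, the stale list is the sales laptop whose last patch run predates the cutoff, and fileserver01 is managed but not currently seen. The useful part of such a report is the rogue column: every entry there is a machine your update policy has never touched, and it is worth feeding that list back into the inventory rather than just patching it once.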
Continue on if you want to read my first rant about the three P’s of network security: People, Policies and Procedures. Today, I will concentrate on People.
The basics of network security rest on three things: the people, the policies they enforce and the procedures for applying those policies. All the tech toys we deal with on a daily basis are just ways of implementing and empowering the three P’s. The best monitoring software in the world isn’t going to help you if you don’t have the people who know how to use it, a policy for what is and isn’t allowed and a procedure for dealing with abuses and exceptions to the policy.
Let’s talk about the people first, specifically the technical staff. I’m pretty good, in fact I like to think I’m very good. But I’m very happy to admit that I work with a network engineer who makes me look like a neophyte. Well, not just me, but almost everyone he works with. When I look at network traffic, I often start reaching for my copy of TCP/IP Illustrated, Volume 1 or open a window to Google. On the other hand, most often Steve is able to tell at a glance what we’re looking at. It’s a little intimidating at times. I can do most of the things he can do, it just takes me 4-5 times as long, and a lot of looking up FAQs and HOWTOs.
The point I’m trying to make is that having the people with the technical expertise to use the tools they’re given is much more important than having the actual tools themselves. A good security expert can do more with ping, nslookup and an IE browser window than an uninterested system administrator can do with IronView, Manhunt and any other tool you care to mention. I know, I see this played out on an almost daily basis.
Another variable in the people equation is management. If you don’t have management buy-in, no amount of technical expertise or systems is going to help you. Managers need to understand the issues behind the technical tools, to understand why the policies and procedures are needed and be willing to enforce the policies and procedures that are put in place. It is the last point that I find most frustrating; the best policy in the world isn’t going to do you a lick of good if management isn’t willing to enforce it. Whole books have been written on working with management from the IT perspective, so I’m not going to beat a dead horse. But some days, I feel like I’m being beaten by management apathy.
Something we sometimes forget as technical people is that all the work we do is aimed at allowing people to work. Not keeping the viruses off the network, or making the database server stable, or keeping people away from p0rn sites, just enabling them to do their daily chores. Think about that next time you have to justify a piece of equipment or a policy before management. How will this help the average worker do his or her job?