Security audit

Professional auditor Shawn Bernard of Networks Unlimited exposes risks overlooked by IT staff of a New England medical center.

By Joel Shore, Network World
October 20, 2003 12:14 AM ET

Network World - Only a security audit can expose the truth about a network's vulnerability. To see how well-prepared a typical enterprise network is, we found a business willing to let us tag along while a professional auditing company poked and probed 28 of its servers, and then delivered its findings in a face-to-face meeting.

The results were frightening - and should sound the alarm for IT directors everywhere.

The company, a major New England medical center (we agreed to conceal the name), has thousands of network devices, but had never been audited. It relies instead on a "high level of confidence in our senior engineers and technicians," says the company's technical services director. The idea of an audit, he concedes, had "come to mind time and again."

Finally, the time had come.

Let the audit begin

Networks Unlimited operates from a 19th-century hilltop Victorian mansion framed by giant sycamore trees. The Hudson, Mass., company audits a diverse mix of businesses - banks, retailers, law firms and government agencies - and provides security solutions. Business is booming.

The purpose of a security audit, says company President Harry Segal, is not to access or corrupt sensitive data. Rather, it is a controlled demonstration that these acts could be carried out. Documenting the breaches and identifying files at risk makes you a security auditor. Access those files and you've crossed the line into hackerdom.

In what was once the dining room, under an ornate gas-lit chandelier, Segal and security engineer Shawn Bernard huddle over a PC, eager to begin a complete security audit of 28 servers, hand-picked from hundreds by the hospital's IT staff. Sitting under a wall adorned with security and vendor certifications, they'll pass this night probing the network, searching for weaknesses, exposing the potential for digital dastardliness. Two weeks later they'll present their findings - and advice - to managers in the hospital's technical services group.

Bernard is gregarious, quick to talk about his family and just as quick to note that he maintains close ties to the hacker community - to better learn about their latest exploits, techniques and tools. Segal spent years at NEC Information Systems and erstwhile modem maker Microcom.

"We will always find issues that must be addressed quickly," Segal says. The top reason for security breakdowns, he says, is almost laughable: company policies that limit server maintenance to just a few weekend hours. "If you discover a security breach - fix it! Now!" he says. "Wait for the weekend maintenance window, and by Monday there might be no business to come back to."

Bernard's PC is loaded with a software smorgasbord any hacker would envy; his tool of choice is Internet Scanner from Internet Security Systems. Internet Scanner provides automated network-vulnerability assessment across servers, desktops and infrastructure devices. It also probes network services, operating systems, routers, switches, servers and firewalls.

"We'll be testing for 1,211 different types of vulnerabilities," Bernard says. One mouse click, and the audit is underway.

Segal adds that this audit is testing only for vulnerabilities from the outside world. A complete audit would also look for - and inevitably would find - internal vulnerabilities.

This audit is somewhat different from most because the IT staff was warned. Usually, the rank-and-file IT staff receives no advance notice. It's not until the final report is presented at a department meeting that the secret is revealed. "We don't want people running around in a frenzy plugging holes," Segal says. "An audit should be a snapshot of business as usual."

Easy access - too easy

As Segal is talking, Bernard suddenly perks up. He's discovered what seems, at first, merely odd, then surprising, then unimaginable. "We've found servers running Compaq's Insight Web management software," he says. "This is not a good thing."

By using one of those servers as a proxy, Bernard is able to reach the other servers and bypass the perimeter security of the network firewall. In just moments, he gains access to a BayStack hub residing between two Nokia firewall devices. The hub's factory default password was still in place, easy pickings for an attacker, who quickly could disable the device, plunging an entire network segment into digital darkness.

"This is pretty serious," Bernard says, noting that it might be possible to reach any of the hospital's hundreds of servers, not just the 28 in this audit. Bernard takes a few notes and moves on.
