January 19

Making Lots of Lemonade in 2009 – Part I

By David E Stern, CISSP

By all accounts, the financial situation for 2009 is not going to be pretty. Organizations are cutting budgets across the board, and IT Security certainly isn’t immune. While I certainly would never turn away increases in staffing or capital budget for new equipment, I do see some great opportunity for IT Security in these tough times. IT Security spending has consistently grown in the past 5 to 8 years, putting lots of new technology into the field. However, no matter where I look, I still see the same gaps in the walls that I saw 5 years ago in terms of how security systems are operated and how security organizations are run. In 2009, the information security community needs to focus inwards and clean up some of its worst lingering messes.

Invalid internal SSL certificates

How many times have you logged into the web (SSL “protected”) management console for your SIEM or antivirus server and quickly clicked through the little popup warning that the system’s certificate is invalid? We are all guilty of this practice. Generate valid certificates and install them on every web-based management console under your control. Send out emails to other infrastructure management teams in the organization explaining the issue and offering to provide them with valid certificates as well. Finally, make sure that the expiration date of each certificate is noted on a shared calendar.
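As an added example (not code from the original article), a small inventory audit that flags the three things the warning popup usually hides: an expired or soon-expiring certificate, a hostname missing from subjectAltName, and a vendor default self-signed certificate. The certificate dicts are in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the hostnames, the internal CA name and all certificate data are constructed for illustration.

```python
import ssl
import time

def san_matches(hostname, san):
    """True if hostname matches a DNS entry in subjectAltName (one left-most wildcard label allowed)."""
    host = hostname.lower()
    for kind, value in san:
        pattern = value.lower()
        if kind == "DNS" and pattern == host:
            return True
        if kind == "DNS" and pattern.startswith("*.") and host.split(".", 1)[1:] == [pattern[2:]]:
            return True
    return False

def audit_cert(hostname, cert, now=None, warn_days=30):
    """Findings for one console cert (shaped like ssl.SSLSocket.getpeercert()); [] means clean."""
    now = time.time() if now is None else now
    findings = []
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < 0:
        findings.append("expired")
    elif days_left <= warn_days:  # warn well before the date noted on the shared calendar
        findings.append(f"expires in {days_left} days")
    if not san_matches(hostname, cert.get("subjectAltName", ())):
        findings.append("hostname not in subjectAltName")
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed (issuer equals subject)")
    return findings

def cn(name):  # getpeercert()-style subject/issuer carrying only a commonName
    return ((("commonName", name),),)

# CONSTRUCTED sample inventory with hypothetical hostnames: hostname -> certificate dict.
SAMPLE_CONSOLES = {
    "siem.mgmt.example.internal": {  # issued by the internal CA, valid through 2009
        "subject": cn("siem.mgmt.example.internal"), "issuer": cn("Example Internal CA"),
        "notAfter": "Jan 01 00:00:00 2010 GMT", "subjectAltName": (("DNS", "siem.mgmt.example.internal"),),
    },
    "fw.mgmt.example.internal": {  # wildcard cert from the internal CA, about to expire
        "subject": cn("*.mgmt.example.internal"), "issuer": cn("Example Internal CA"),
        "notAfter": "Feb 01 00:00:00 2009 GMT", "subjectAltName": (("DNS", "*.mgmt.example.internal"),),
    },
    "av.mgmt.example.internal": {  # vendor default self-signed cert: the "click through" case
        "subject": cn("localhost"), "issuer": cn("localhost"),
        "notAfter": "Jan 01 00:00:00 2008 GMT", "subjectAltName": (("DNS", "localhost"),),
    },
}
# Constructed reference point for the sample run: the article's date.
AUDIT_DATE = ssl.cert_time_to_seconds("Jan 19 00:00:00 2009 GMT")

def audit_all(consoles=SAMPLE_CONSOLES, now=None):  # returns {hostname: findings}
    return {host: audit_cert(host, cert, now) for host, cert in consoles.items()}
```

Running `audit_all(now=AUDIT_DATE)` reports the SIEM console as clean, the firewall console as expiring in 13 days, and the antivirus console as expired, mismatched and self-signed.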

DNS entries

While writing this article, I looked through my browser bookmarks and found a number of IP addresses where DNS names should be. Every system needs to have a forward and a reverse DNS entry. This is basic housekeeping that will result in fewer system errors and better performance, and it will make troubleshooting a lot easier. Oh, and it is also necessary for certificates to work properly.

Asset management

You cannot protect something that you don’t know you have. Asset management is certainly not a traditional IT Security function. However, without accurate asset lists, IT Security cannot run complete vulnerability scans and cannot assess newly discovered threats. It only takes one unpatched machine to compromise a network. Get together with the desktop and server support teams and talk it over.

Rack cleanup

Go into your data center and find your most critical firewall. If you needed to swap it out today, would you be blocked by tight cables running across its face? Could you easily trace the power cables back to the power strip? Will you “jiggle” another fiber patch while replacing this unit? Clean up your racks in planned change windows before it’s too late.

Next month, we will continue to look at ways to turn those 2009 lemons into lemonade.


  1. Hi,

    I would like to ask what your concern about invalid internal SSL certificates is. I think relevant attacks are very unlikely to happen.
    There are other much more likely things we could have an eye on. Like
    – user or admin-accounts no longer in use, but still active
    – no or too slack access management


  2. Christian-

    My concern about internal certs being invalid is more about “the message” and less about technology. As you are aware, IT Security is holistic. If a secure system is brought online, but the housekeeping isn’t completed, then the veracity of the system is in question. It is sloppy, and security people can’t be sloppy.

    As to your other concerns, they too are important and I will be addressing them in Part II.

    Thanks for your feedback.
