There’s no shortage of tough problems that jump right in the faces of IT administrators, but some of the worst IT problems facing companies are the ones they don’t know they have. In this story, eWEEK Labs identifies 10 cost- and productivity-robbing problems that might be lurking in your infrastructure and offers IT admins guidance on how to overcome them before it’s too late.
Wireless LAN Security
Your Wireless LAN Is Talking About You
Even though you may have spent countless hours locking down your wireless LAN, segregating data, voice and guest traffic, implementing certificate-based WPA2 (Wi-Fi Protected Access 2) security, and constantly monitoring for rogue access points or client activity, the network could still be leaking valuable information about your wired infrastructure, providing an easily detectable fountain of information that intruders could use to map out devices and services on your network.
As wireless intrusion prevention maker AirDefense pointed out in a survey of business zones within the city of San Francisco prior to the RSA conference in March, many wireless LANs are leaking unencrypted enterprise traffic such as CDP (Cisco Discovery Protocol), VRRP (Virtual Router Redundancy Protocol), Spanning Tree or NetBIOS. This kind of information can be gathered to identify the types of equipment running on a corporate LAN, as well as the names and addresses of chatty Windows machines. And, at least potentially, an intruder could attempt to inject incorrect protocol traffic back into the network.
Wireless intrusion prevention overlay networks like those from AirDefense or AirTight Networks will be able to detect this kind of information leakage, provided you configure the right types of alerts, but administrators can also use a number of portable analysis tools to similar effect.
For-pay troubleshooting tools like AirMagnet’s Laptop Analyzer or WildPackets’ OmniPeek are certainly useful, but even freeware tools and a sharp pair of eyes can suss out suspect leakage as well. In fact, AirDefense’s scan of San Francisco businesses was done by one man walking around town with a laptop running the open-source BackTrack tool kit (www.remote-exploit.org/backtrack.html).
After detecting this kind of suspect traffic, it is then a matter of reading the documentation or talking with your WLAN provider to find out how to configure your network to staunch the egress of this telltale broadcast traffic. –AG
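The "sharp pair of eyes" step above can be automated. The following Python is an added example, not code from the article or from any of the vendors it names: it classifies raw Ethernet frames by the standard signatures of the four leaky protocols the story lists (LLC/SNAP with Cisco OUI and PID 0x2000 for CDP, LLC SAP 0x42 for STP, IP protocol 112 to 224.0.0.18 for VRRP, UDP port 137/138 for NetBIOS) and tallies how many of each appeared. The sample frames are constructed for the demonstration; in practice you would feed it frames from a capture taken on the wireless side, after 802.11 data frames have been converted to Ethernet form.

```python
import struct

# Protocol signatures (standard values, not taken from the article):
#   CDP    : IEEE 802.3 frame, LLC SNAP, OUI 00:00:0c, protocol ID 0x2000
#   STP    : IEEE 802.3 frame, LLC DSAP/SSAP 0x42
#   VRRP   : IPv4 protocol 112, destination 224.0.0.18
#   NetBIOS: UDP port 137 (name service) or 138 (datagram service)
LEAKY = {"CDP", "STP", "VRRP", "NetBIOS"}


def classify_frame(frame: bytes) -> str:
    """Return the protocol name for frames that leak LAN topology, else a generic label."""
    if len(frame) < 14:
        return "short"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype <= 1500:                 # 802.3 length field: an LLC header follows
        if len(payload) < 3:
            return "other"
        dsap, ssap = payload[0], payload[1]
        if dsap == 0x42 and ssap == 0x42:
            return "STP"
        if dsap == 0xAA and ssap == 0xAA and len(payload) >= 8:   # SNAP
            oui, pid = payload[3:6], struct.unpack("!H", payload[6:8])[0]
            if oui == b"\x00\x00\x0c" and pid == 0x2000:
                return "CDP"
        return "other"
    if ethertype == 0x0800 and len(payload) >= 20:   # IPv4
        ihl = (payload[0] & 0x0F) * 4
        proto = payload[9]
        dst_ip = payload[16:20]
        if proto == 112 and dst_ip == bytes([224, 0, 0, 18]):
            return "VRRP"
        if proto == 17 and len(payload) >= ihl + 8:   # UDP
            sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
            if sport in (137, 138) or dport in (137, 138):
                return "NetBIOS"
        return "ip"
    return "other"


def leak_report(frames):
    """Count, per leaky protocol, how many frames were seen on the wireless side."""
    counts = {}
    for frame in frames:
        name = classify_frame(frame)
        if name in LEAKY:
            counts[name] = counts.get(name, 0) + 1
    return counts


# --- constructed sample frames (not a real capture) --------------------------
def _eth(dst, src, ethertype_or_len, payload):
    return dst + src + struct.pack("!H", ethertype_or_len) + payload


def _ipv4(src_ip, dst_ip, proto, payload):
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0, src_ip, dst_ip)
    return hdr + payload


AP_MAC = bytes.fromhex("00163e010203")        # constructed address
SWITCH_MAC = bytes.fromhex("001a2b0c0d0e")    # constructed address

cdp_body = b"\xaa\xaa\x03\x00\x00\x0c\x20\x00" + b"\x02\xb4\x00\x00"   # LLC/SNAP + CDP v2 header
stp_body = b"\x42\x42\x03" + b"\x00\x00\x00\x00"                        # LLC + start of config BPDU
SAMPLE_FRAMES = {
    "cdp": _eth(bytes.fromhex("01000ccccccc"), SWITCH_MAC, len(cdp_body), cdp_body),
    "stp": _eth(bytes.fromhex("0180c2000000"), SWITCH_MAC, len(stp_body), stp_body),
    "vrrp": _eth(bytes.fromhex("01005e000012"), SWITCH_MAC, 0x0800,
                 _ipv4(bytes([10, 1, 1, 2]), bytes([224, 0, 0, 18]), 112, b"\x21\x01\x64\x01")),
    "netbios": _eth(b"\xff" * 6, AP_MAC, 0x0800,
                    _ipv4(bytes([10, 1, 1, 50]), bytes([10, 1, 1, 255]), 17,
                          struct.pack("!HHHH", 137, 137, 12, 0) + b"\x00\x01\x00\x10")),
    "arp": _eth(b"\xff" * 6, AP_MAC, 0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01"),
}

if __name__ == "__main__":
    print(leak_report(SAMPLE_FRAMES.values()))
```

A non-empty report is the cue to go back to the WLAN controller or access point documentation and disable bridging of these management protocols onto the wireless segment; the ARP frame is included only to show that ordinary broadcast traffic is not flagged.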
Web 2.0 Technology Infiltration Risks
Internal Use of External Services
The rapid growth of the so-called Web 2.0 technologies has put free, powerful, and easy-to-use tools at the fingertips of everyone, including your employees. And outside of personal use, these services are also being employed to get work done in your company.
Workers are collaborating on data in Google Spreadsheets, chatting with a contractor on AOL Instant Messenger, or even using SAAS (software as a service) project management tools like Basecamp to complete vital projects. And in many if not all of these cases, these tools are being used without the input or knowledge of company IT staff (to workers, that’s the beauty of these solutions).
But this can cause problems for all parties involved. Employees who run into network or other problems that prevent access to now-vital services will find an IT department unready to provide help or support. And IT departments are now dealing with new points of access where malware can potentially enter the company and vital company data can potentially exit.
IT staff should make sure that external services are part of any discussion about application needs for employees and departments. User surveys can help with finding out what external services are being used, along with network tools that will display actual usage statistics.
External services and SAAS applications are only becoming more popular and are touching more and more vital company areas. If you don’t know what’s being used and who is using it, you can’t manage it. –JR
Sensitive Data Flows Traveling Unencrypted
Your business has what you would consider a standard, secure network configuration. A firewall protects all internal network traffic. Web servers and other systems requiring direct Internet access are in a DMZ configuration with encrypted tunnels to needed data sources within the firewall. A VPN lets outside workers and partners securely access network resources from remote locations.
So far, everything looks good. All traffic that needs to be encrypted is protected and company data is being protected. Or is it? Outside of this traditional security setup many businesses may find that additional encryption options could pay dividends.
For example, just because a network is inside the firewall doesn’t mean it is safe. Moderately technology-savvy employees can easily employ network-sniffing tools to access lots of sensitive company data, from human resources payroll information to confidential partner services to customer credit information.
And just because something is outside of the company firewall doesn’t mean it doesn’t contain sensitive information. While many enterprise-oriented SAAS applications offer secure Web connections as an option, this is not always the default, or it is used only for user log-ins, and then all other data is sent in the clear.
Network administrators should think like a hacker themselves and use network-sniffing and analysis tools to identify all the data moving through their internal network to look for sensitive data. If you can see it in this way, then so too can anyone else on the network. Once found, these data connections can be secured. And any SAAS contract that entails sensitive data transmission should specify a secure connection for entire sessions. –JR
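As an added example of the "think like a hacker" review described above (this is not code from the article), here is a small Python scanner that walks captured TCP flows and reports the cases the story names: HTTP Basic credentials, password fields in form posts, and Luhn-valid card numbers travelling in the clear, while skipping ports that carry TLS. The flows, hosts and credentials below are constructed for the demonstration; the port list and the "temporary field names" are my own assumptions. Findings are masked so the report itself does not become another copy of the sensitive data.

```python
import base64
import re
from dataclasses import dataclass

TLS_PORTS = {443, 465, 993, 995}   # encrypted transports; nothing to read in the clear here

# Signatures for the "sent in the clear" cases the article warns about.
BASIC_AUTH_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
PASSWORD_RE = re.compile(rb"(?:^|[&?\s])(?:password|passwd|pwd)=([^&\s]+)", re.I)
# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes


@dataclass
class Finding:
    flow: Flow
    kind: str
    detail: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_flow(flow: Flow) -> list:
    findings = []
    if flow.dst_port in TLS_PORTS:
        return findings
    m = BASIC_AUTH_RE.search(flow.payload)
    if m:
        try:   # report the user name only, never the password
            user = base64.b64decode(m.group(1)).split(b":", 1)[0].decode("utf-8", "replace")
        except ValueError:
            user = "<undecodable>"
        findings.append(Finding(flow, "basic-auth-cleartext", f"user={user}"))
    for _ in PASSWORD_RE.finditer(flow.payload):
        findings.append(Finding(flow, "password-field-cleartext", "value withheld"))
    for m in CARD_RE.finditer(flow.payload):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(digits):
            findings.append(Finding(flow, "card-number-cleartext", mask_pan(digits)))
    return findings


def scan_flows(flows):
    out = []
    for f in flows:
        out.extend(scan_flow(f))
    return out


# Constructed sample flows (internal HR app, external SaaS checkout, a TLS session, a CRM lookup).
SAMPLE_FLOWS = [
    Flow("10.1.1.50", "10.1.2.10", 80,
         b"GET /payroll/report HTTP/1.1\r\nHost: hr.example.internal\r\n"
         b"Authorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),
    Flow("10.1.1.51", "198.51.100.20", 8080,
         b"POST /checkout HTTP/1.1\r\nHost: saas.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"user=alice&password=Winter2008&card=4111-1111-1111-1111&exp=1209"),
    Flow("10.1.1.52", "198.51.100.20", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Flow("10.1.1.53", "10.1.2.11", 80,
         b"GET /orders?id=4111111111111112 HTTP/1.1\r\nHost: crm.example.internal\r\n\r\n"),
]

if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(f"{f.flow.src} -> {f.flow.dst}:{f.flow.dst_port}  {f.kind}  {f.detail}")
```

The second flow is the SaaS case from the text: the log-in and the checkout both go over plain HTTP to an external host, which is exactly what a contract clause requiring encryption for the whole session should prevent. The fourth flow shows why the Luhn check matters: a 16-digit order identifier that fails the checksum is not reported.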
Security Flaws in Web Applications
Security Flaws Lurking in Your Web Applications
Lots of companies have gotten to be very serious when it comes to making sure that all the applications they use are regularly and fully patched against bugs and security holes, and that these companies aren’t using any older applications that are susceptible to known problems. But while this is a good thing to do, it doesn’t address the entire application security profile.
That’s because a number of other company applications, often very sensitive and very exposed, are typically ignored in patching and update policies.
These Web-facing applications and scripts are often the most at risk of being compromised by external hackers who know about simple scripting hacks and about holes in old versions of applications that are well known to them, if perhaps unknown to you.
Companies should have a full listing of all Web-facing applications and scripts that reside on their networks. For full products like open-source blogging and wiki systems, you must make sure that you are running the most up-to-date versions of the applications, and of the software components on which these applications depend. For custom applications, keep track of any potential problems that may come up in the underlying scripting technology.
This does mean regular tracking of security services like CERT and the main sites of these technologies, but since these applications are often the public face of your company, it is definitely time well spent. –JR
Are You Ready for the Auditors?
While keeping a precise accounting of the data that’s stored within your organization is a duty that’s quite familiar to traditionally regulated industries, it’s a chore that looms for a widening range of companies, whether they realize it yet or not.
The impetus for these potentially overlooked duties, particularly with regard to retail sales organizations, has been the emergence over the past two years of the PCI (Payment Card Industry) Data Security Standard.
Regulated industries including banking, finance, insurance and health care are accustomed to the audit process and thus have a somewhat greater knowledge of what data is stored where. However, some historically unregulated businesses have amassed large amounts of sensitive customer information without keeping close tabs on where this data ends up.
Addressing this gap in the data life cycle requires a two-pronged approach in order to achieve regulatory compliance while at the same time securing valuable data resources. First, IT managers must work with business managers to fully understand what data is being captured and where this information is being stored. Start by enumerating the most common business processes in your organization (a point-of-sale transaction, a restocking order, bill generation and presentment, and the like) and then follow the money.
It makes sense to involve your database and applications staff in these reviews, as they should have an intimate knowledge of the data inputs and manipulation that are required to make the money move through your organization.
Second, begin a formal process of tracking what data is collected by your organization, noting the points at which data is collected, where it is stored and where it is allowed to flow out. You can be sure that going forward, security will be as much about protecting specific types of information as it will be about patching software bugs and correctly configuring applications so that they only work as intended. –CS
Storage Capacity and Security
Storage Everywhere, and Not a Drop to Drink
A tally of the invoices from the storage systems you’ve purchased, stacked up against the data storage needs of your enterprise, suggests that your company has plenty of storage capacity on hand. However, inefficient “siloing” of your storage resources could place your vital systems at risk of running out of capacity, regardless of how those invoices add up.
The culprits for this storage capacity uncertainty include the different sorts of storage that may lurk in your enterprise, some of which may not be well-suited to sharing, and some of which may hail from separate vendors with less than fully compatible products.
While it may be easiest to express your storage needs in terms of capacity, performance requirements play a major role. For instance, a 500GB database might fit on a single spindle, but storing that database on a single drive would probably deliver unacceptably poor performance. You could spread that database out over 10 drives to make up the performance gap, but that would leave you with under-utilization.
Administrators must take a close look at the capacity and performance needs of their applications and take careful stock of the storage pieces they have available. Companies can maximize capacity utilization while keeping performance at an acceptable level by identifying performance tiers in their applications and by pairing performance-intensive applications, such as databases, with less intensive applications, such as file storage and archiving.
Storage virtualization products, such as those from LeftHand Networks, Seanodes and RevStor, can help un-silo currently unshared storage assets, such as direct attached storage units, or the local storage that typically sits unused on servers running VMware’s ESX Server. –JB
POE and VOIP
Keeping the Link Lights On
Companies are relying on their IP networks for more duties than ever before. At many sites, wireless access points, VOIP (voice over IP) phones and security cameras are offering companies new convergence options, alongside the opportunity to run fewer phone lines and, through the magic of POE (power over Ethernet), fewer power lines.
However, unlike the staid and well-established phone and power lines that Ethernet cabling is bidding increasingly to displace, the standards and products upon which POE schemes are based are in nearly as much flux as are the devices that these networks must serve. As a result, enterprises may be in store for a raft of issues solved long ago in “legacy” wiring schemes.
For one thing, as wireless access points move into the 802.11n era, these devices are becoming markedly more power-hungry, due in part to 802.11n’s 3×3 transmit and receive capabilities. For security cameras, support for panning also requires more juice from these devices’ POE lifelines.
While there’s work going on around making these devices do more without requiring more power, some of these solutions will present their own problems. For instance, some 802.11n access points are designed to fall back to lower-power (and lower-performance) modes.
The primary industry solution to the growing power needs of these devices is a new POE standard, 802.3at. As the industry moves to 802.3at, you may find that your existing 802.3af POE investments won’t provide enough power to run some of your devices. Make sure that your vendors provide you with detailed information on the way their products interact with POE.
Considering the relatively high rate of change in the wireless networking, POE and VOIP spaces, however, the best advice moving forward with these technologies is to move forward slowly and to demand forward-compatible road maps from your vendors. –JB
Slow USB Hubs and Other Last Mile Issues
Bumps in the Last Mile IT Road
Between the end user and the first connection to the network, productivity can be sapped by problems that seem too small for a help desk call. Many of these problems are associated with aging desktop and network infrastructure.
For example, slow USB 1.1 hubs may be hidden productivity robbers lurking in your organization. Upgrade your USB hubs, and your work force will see the difference. Upgrade costs can be reduced by making this part of an employee self-install project, since most workers know what a USB port is and how to use it.
Your road warriors will be in the battle longer and fight more effectively if you equip them with new laptop batteries on a regular basis. Don’t wait for employees to notice that they can only work for an hour on a charge.
Also on the end-user front, the practice in too many organizations of allowing users to run with administrator rights by default is irresponsible and will incur unneeded support costs and user downtime. Even senior executives (especially senior executives, considering their access to critical financial and customer information) should be guided away from running as admin on their systems.
IT organizations are faced with an era when targeted phishing attacks aimed at specific groups of employees are becoming the norm and new technologies including IPv6 are making their way into global organizations. Taking care of hidden problems in the last “100 feet” between the physical network and the end user can spell the difference between a productive work force and one that is too mired in “cruft” to take advantage of opportunities. –CS
Lack of Sufficient Business Intelligence
Large enterprises, especially in regulated industries including finance and health care, have used business intelligence tools that include data warehouses for years. Midsize and smaller organizations are about to find that they may have a competitive problem if they aren’t ready to implement these technologies too.
Far from being just a rich man’s game, business analytics tools are increasingly being made available to organizations of more modest means. There is little question that these tools can be used by a company to differentiate services and offerings to squeeze more profit out of customer transactions.
Taking advantage of these tools means making a commitment to marrying technology and business process in an organization. To even make the proposal, IT managers have to know that they are running a well-tuned IT infrastructure, including well-managed data collection tools that reliably gather customer transaction information.
Hidden problems that can sabotage a BI project include sloppy data collection and storage procedures. This is especially true when data will be coming from multiple sources such as pharmacy, patient treatment and insurance billing systems.
BI projects demand that IT managers truly understand the business objectives of their organizations. A successful marriage of technology and business means making a commitment to discovering hidden areas of business ignorance in IT and ensuring that technology is put in the service of supporting business success. –CS
Consultants Can Leave Gaps
The Games Consultants Play
The same promises of low cost and fast delivery that delivered you to your consultant of choice could open the door for all sorts of shortcuts and messy processes that get the job done on time and under budget, yet serve to undermine the whole project in the end.
There’s any number of shortcuts consultants may take to speed the delivery of their stated task. Maybe they transfer your sensitive data to and from their personal computer via an ad-hoc wireless network or a temporary (and shoddily protected) access point. Perhaps they use unlicensed tools and software to monitor, protect or manage some component of the deployment. Or maybe they punch a hole in your firewall so they can fix things remotely, then forget to close the hole before they leave.
Companies need to clearly state the rules of conduct up-front and establish a system for assessing the overall quality of the work after the job is done. In the contract, companies should set ground rules detailing the minimum acceptable processes concerning security, licensing, documentation and change management. And then, when the project is done, there must be an after-the-fact evaluation process that not only ensures that the goals of the project have been met, but also that no unintended collateral damage was inflicted in the process of getting the job done.
The last thing anyone needs is to find your Active Directory server hosting French porn torrents because your consultant wanted to work from home. –AG