I read an interesting article today by Bill Brenner over at SearchSecurity about how network configuration can affect network security. You can read the article: here
While this topic is somewhat parallel, the article got me to thinking about how many times we focus on what we have to do with regards to security vs. what we should do. Nearly every day I hear someone talking about the extra work that SOX or HIPAA has caused them and I see them focusing much of their time, especially with regards to security, in these areas. It's gotten so bad that many people think that the terms "security" and "compliance" are one and the same. Do a quick Google search on these topics and you'll see what I mean.
While compliance can certainly be important, focusing exclusively in this area seems to me sort of like considering yourself safe driver just because your wear a safety belt and obey the speed limit.
Let's face it - if your company is required by law to think about things like SOX or HIPAA then as a hacker I'm not going to focus my attention in those areas. Instead, I'm going to look for the things that you probably didn't have time to worry about and/or are more abstract in terms of achieving compliance. Some of the top items that people overlook are:
1. Physical security - there are a lot of things that fit into this area all the way from securing access to your switch ports/LAN drops to making sure your users aren't leaving their passwords written down at their desk (more and more common with today's trend of requiring ever more complex and frequently rotating passwords).
2. Network Application/Traffic Security - is there really a valid reason to allow outbound telnet, RDP, FTP, and SSH connections from your network? What about allowing RDP/telnet security from a user subnet into your core routers?
3. Configuration Management - if someone makes a change on one of your devices are you paged? Do you compare the current configs of your routers and firewalls to the configs from last month and validate the changes against an engineering work order or some other tracking mechanism?
With regards to configuration management, there's really no excuse not to have a solid solution in place in today's day and age. A few years ago the choices were limited to very expensive and hard to use enterprise apps or open source applications and the time investment that those imply. That simply isn't the case anymore - take the Cirrus Configuration Manager we offer here at SolarWinds for instance. Very easy to use, inexpensive, and meets most of the common use cases for config management in the enterprise today.
Let me know if this is a topic (network security) that you'd like to read more about and I'll start including some deeper content in this area.