A quick post:
We have found that our users that have updated themselves to Windows 10 have effectively locked themselves out of the network, from remote locations. It seems Windows 10 is not supported by our Citrix Netscaler VPNs. Of course we put a note out to our worldwide users, but some "had" to update. Hopefully there will be a patch or fix soon.
At the moment, we don't support Windows 10 in the infrastructure. That doesn't stop some of our users from updating anyway.
Friday, July 31, 2015
Found a Windows 2003 Server - now to Remediate
I've always known that we have a handful of Windows 2003 servers. And with the retiring of Windows 2003 on July 14th I started beating the drum towards migrating to newer (supported) servers. When I last looked, I think that there were two or three servers left in existence. Flash forward to today, and our weekly external vulnerability scan. One of the scans picked up a Windows 2003 server in the publicly facing DMZ, and flagged the finding as critical. I can support that; it's a pretty serious finding. The scan also noted IIS 6.0, another finding.
After consulting with the Sysadmins, we found that there are only two applications being utilized on the server. Off I went to query the application owners as to migrating the applications off the server to something supported. Here's one of the responses:
I will speak with my management regarding making the migration of what's on there a priority to move. The wrinkle is that some of the code is old and needs to be rewritten/ported into the current project and that is an effort that I have yet to get permission to put the hours in on. So for now, we need to leave it where it is and I'll try to get everything off of there as soon as possible.
Sigh.
Security education only goes so far. The fact that there are exploits out there does nothing for the application owners...they're willing to take the risk. I have their acceptance of risk in writing; but a lot of good that will do if/when something happens to the server.
Wednesday, July 15, 2015
Failed a Pentest...Stake in the Ground
I've been with the company a little over a month and a half. I've run numerous gap analyses, and I know where we are deficient. And some of it is not good. I've compared ourselves to the SANS Top 20, and again, it's not good. Management wanted an internal pentest, to get a feel for the security posture. We in IT wanted a good boutique pentesting company, but we were told to use the company that already audits the finance department. Fortunately, these guys were good.
We failed the pentest, miserably. Most of my guesses as to how it would happen came to pass. And I'm ok with that. Heck, they had domain admin in about a day. There were some good surprises, and there were some good wins. I'm good with it, as it confirmed most of what I have been raising to management for the past year. The hope is that management will open their eyes and start making changes.
So mentally, I've put a stake in the ground. I want to see how long it takes for any real change to take place. I'm waiting to see when management starts mandating change in the form of implementation of controls in order to raise the security posture of the company. Or is management just checking a box that an audit was performed?
I'll update as controls start being implemented.
P.S.: I have to say, as a former auditor, it was interesting to experience the audit from the other side of the fence. I was able to understand what the auditors were looking for and better able to answer their questions since I had been in their shoes.