As the book IT Risk discusses, managing IT risk involves managing the following four frameworks:

  1. Availability
  2. Access
  3. Accuracy
  4. Agility

Until yesterday, I would have argued that availability, access, and accuracy were fairly well covered by most companies…

Then I read this post on SANS’ Internet Storm Center blog:

“No doubt for some of these your response will be, ‘well duh’, but you’d be surprised how many organisations have these issues. So let us start the report.

  • Fill company name in here does not have an effective patching process in place. The servers examined require numerous patches, some going back as far as 2000. Workstations likewise require patching to be brought up to date.
  • Servers are not hardened or the SOE is not being enforced.
  • A number of test/training/generic accounts exist with weak passwords such as the account name, password, day of the week, … Access provided to these accounts is permissive and provides access to confidential information.
  • The SA account on the MSSQL server has a blank/weak password allowing the creation of domain administrator accounts (game over).
  • Internet facing servers are running vulnerable versions of web/ftp/OS software.
  • LDAP/eDirectory/AD allows anonymous queries.
  • Network devices are managed using telnet.
  • Default SNMP community strings are used, disclosing server/switch/router information.
  • Policies do not exist or are inconsistently/not enforced.
  • Procedures are not documented.
  • Logs are not monitored or irregularly monitored.
  • Internet facing applications are susceptible to XSS/SQL Injection attacks.
  • Email headers leak internal IP addresses and names.” (¶ 4)
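As an added example (not from the original post or the ISC report), the technical items on that list can be encoded as a first verification pass over an asset inventory, the kind of "hit list" generator a new IT manager could run instead of trusting assumptions. The inventory schema, the 90-day patch threshold and the sample hosts are all constructed assumptions.

```python
"""Added example: turn the ISC checklist into checks over a constructed
asset inventory and print the findings as a first 'hit list'."""
from datetime import date

DAYS = {"monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"}
DEFAULT_SNMP = {"public", "private"}      # common vendor defaults; assumed, not from the page
MAX_PATCH_AGE_DAYS = 90                   # assumed threshold, not from the page
AUDIT_DATE = date(2008, 2, 15)            # constructed 'today' for the sample run

def weak_password(account: str, password: str) -> bool:
    """Flags the patterns the ISC post lists: blank, the account name,
    the word 'password', or a day of the week (case-insensitive)."""
    p = password.strip().lower()
    return p in {"", account.lower(), "password"} or p in DAYS

def audit_host(host: dict, today: date) -> list:
    """Return one finding string per checklist item the host record violates."""
    findings = []
    for acct, pw in host.get("accounts", {}).items():
        if weak_password(acct, pw):
            findings.append(f"{host['name']}: weak/blank password on account '{acct}'")
    last = host.get("last_patched")
    if last is None or (today - last).days > MAX_PATCH_AGE_DAYS:
        findings.append(f"{host['name']}: patching overdue (last patched {last})")
    if host.get("mgmt_protocol") == "telnet":
        findings.append(f"{host['name']}: managed over telnet (cleartext credentials)")
    if host.get("snmp_community", "").lower() in DEFAULT_SNMP:
        findings.append(f"{host['name']}: default SNMP community string in use")
    if host.get("ldap_anonymous_bind"):
        findings.append(f"{host['name']}: directory allows anonymous queries")
    return findings

def audit(inventory: list, today: date) -> list:
    """Run audit_host over every record and flatten the findings."""
    return [f for h in inventory for f in audit_host(h, today)]

# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY = [
    {"name": "sql01", "accounts": {"sa": "", "svc_backup": "Tuesday"},
     "last_patched": date(2007, 11, 1), "mgmt_protocol": "rdp", "snmp_community": "Xk9#monitor"},
    {"name": "sw-core", "accounts": {"admin": "admin"},
     "last_patched": date(2008, 2, 1), "mgmt_protocol": "telnet", "snmp_community": "public"},
    {"name": "dir01", "accounts": {}, "last_patched": date(2008, 2, 10),
     "mgmt_protocol": "ssh", "snmp_community": "Xk9#monitor", "ldap_anonymous_bind": True},
]

if __name__ == "__main__":
    for line in audit(INVENTORY, AUDIT_DATE):
        print(line)
```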

This post got me thinking, and I had to admit to making a few of these mistakes myself over the years. And I can imagine they happen more often than we would care to admit. This takes me back to my stand about always questioning assumptions. When a manager in IT takes a position at a new company, do not assume anything! Always dig in with the people who are responsible for managing the hardware and software and make sure things are configured the way you want them to be. “Trust but verify” should be your motto for the first few months in a new job.

In fact, I suggest you pick up a copy of the book IT Risk and read the first three chapters before you even start your new job. It will give you a framework for thinking through what you want to investigate and verify, and it will guide you in building your “hit list” of quick-fix items that will help build confidence in you and your team among the other senior executives.

— Westerman, G. & Hunter, R. (2007). IT Risk. Boston, MA: Harvard Business School Press.

— Hofman, M. (2008, February 15). Doing an audit/pentest or other assessment? Here is part of the report for you. SANS Internet Storm Center.