Security's Everyman

Monday, October 09, 2006

The Problem with IT and Security

Laziness, apathy or poorly trained IT staff? After reading this NetworkWorld article on the state of DNS server configuration I'm once again scratching my head and wondering what is going on. I just don't get it. Why is it that there are so many instances of poorly implemented technology? Is it because so many unqualified people got into IT because they thought it was the road to riches? Is it because they see it as an easy job that doesn't require much physical exertion? Is management putting that much pressure on them to get it up and running? Why?

I know that if you are unfamiliar with a product you can overlook some things that leave it vulnerable, but why are you putting it into production if you are unfamiliar with it? Why are you not taking the time to read the documentation or do a Google search on common issues and problems? I just don't get it. Especially when the item can really cause a major problem, not only for you but for the whole company or internet. I like what the guys at advocate. They scan everything with Nessus or Core before putting it into production.

I'd like to think that there is a good reason for this. But I've been in this too long to know better. I've seen too many servers, switches, routers, firewalls, and other appliances just configured with a new password and IP address. Then they were put on the network, marked off the list and the next task was started. When I was consulting I ran into many instances where a company called and said that they were having problems. As they described them and/or I looked into them, in almost every instance the problem was due to improper configuration or implementation. Only once or twice was the problem related to vendor software issues or hardware problems.

Two of the incidents that really stand out are the time a guy put a dual-homed server that served as the domain controller on both the internal network and the internet. Needless to say, that didn't go well. The other one was when a company called and said that since migrating to Windows 2000 they were having all sorts of problems with authentication, printing and everything else except internet and SMTP email. The company that did the migration installed DNS for AD, but they pointed the servers to public DNS servers. Go figure. I just don't get it.


This work is licensed under a Creative Commons Attribution-NC-SA 3.0.