In today's business environment of takeovers, acquisitions, and mergers of some of the world's largest financial institutions, banks, and service providers, coupled with the downsizing of IT and Information Security personnel, what is happening with the world's largest and most complicated networks and application services? One can only hope that these large transitions of internal knowledge of infrastructure and their control continue to be monitored and audited, and that incidents are managed effectively. This may be an excellent time before the next boom to re-evaluate the controls that are currently in place. Are we monitoring all that we should be monitoring? Do we really know all of the interconnections between telephone services, building infrastructure services, remote access, and new or existing service providers?
Although in this age one would believe that dial-in capability is no longer an issue, dial-in access still continues to be one of the most unmonitored access points. How many of us have recently performed phone sweeps of our environments? While trying to get the rogue wireless access point under control with corporate policies and implementing best practice wireless services for our business and engineering users, we may have forgotten about the old-fashioned modems. In our rush to implement VOIP services for telephony cost savings, did we really map out how the VOIP network is integrated with the Data Networks? Did we really provide enough controls that prevent tampering? In the new merger or acquisition, how will the consolidation of VOIP services be handled? How many of us are actually monitoring and alerting on access attempts or violations on these networks?
How many of us have actually mapped out, or had audited, how the infrastructure of building services is integrated with our networks -- and where are all the possible inter-connections? Access points, which exist in building closets, may contain building services switching with PSDN and Data Networks -- have these been bridged? Where are all the connections to the fire extinguishing systems, air conditioning, elevator services, UPS and power distribution systems or industrial controls? Who has access to our devices, Firewalls, IPS's, Routers, Switches, PSDN, Wireless Access Points, VPN devices, Authentication Management Systems? Is this access monitored? Are there alerts for policy violations, CPU utilization, transaction thresholds, and large data transfers?
Are the internal controls just as efficient as the internet protection controls, and are all transactions being monitored effectively internally? Do we really know what our assets and applications are? Where is personally identifiable customer and employee information stored? What applications need to communicate with what? Which applications and assets provide business critical services? How many databases can employees reach? How many of those databases have default logons and passwords? Have you checked what your network printers are storing or accessing?
We are all trying to do the best we can to put enough controls and monitoring into our ever-changing and expanding technology environments, while also keeping up with all the compliance requirements, but today's electronic threat might not be thousands of miles away scanning your internet firewall -- it may be in your elevator or lobby.
A sincere thanks to Gordon Smith of canaudit.com for his discussion at this month's ISACA meeting in Philadelphia and for reaffirming the concern for all of us auditors everywhere that hackers don't sleep.







Great info, Bill! Looking forward to your future blogs.