If you were going to test the fault-points of a building, you wouldn’t hire the architect, you’d hire a demolitions expert. Similarly, you don’t want the designer of your network testing its security. If the team that configures your network does so incorrectly, they are most likely unaware. The creator of the environment has an inherent bias based on the angle from which they view it. They are blind to vulnerabilities, not necessarily because they are under-qualified, but because they are too close to the project. A security team has a “black box perspective”, which means they have the same outside view of the system that an attacker would. This outsider point of view is just one of the advantages a security expert has over an internal IT team. They also have the training, experience, time, and resources that would be impossible to lump in with a standard IT program.
Here’s a quick one for all of the administrators and security practitioners. There’s no shortage of third-party programs designed to do remote desktop management and support. And while sure, many of them are secure, the ones we find in use most often are not. The reason being, they tend to be low or no cost solutions. Now, I’m not one to say that security should always be spendy, but let’s be honest, a lot of the time tools are an investment that management is not always willing to invest in. More often then not when we hit a business that is using VNC as their de facto remote management and support tool, the reason behind it is; “Well, it’s free, and we can shadow and control other machines with it for support calls.”
You’re sitting on your couch at home, it’s 8:00 on a Saturday night and one of your interns emails you about a new security vulnerability he just heard about on the latest and greatest podcast. You know that this new vulnerability is going to be the first thing to come up during the morning water cooler talk Monday morning. It’s time for you, the great server admin, to take flight and protect your kin!
If you’re in the Department of Defense supply chain, you’ve become familiar with DFARS and the corresponding NIST SP 800-171 r1 over the last few years. It is a list of 110 controls that you need to be compliant with in order to continue supplying certain contracts.