Posted by: Arian Eigen Heald
Adventures in Auditing, Eigen's Rules of Thumb, Start Laughing Now, Steps to an Easy Audit, TCM (Truly Clueless Management)
Not long ago (needless to say I can’t mention time or client name) I was asked by a medium-sized business to investigate some problems they were having with spam, malware, and “weird stuff” on their network.
Their network contained at least 200 users spread out over multiple sites. I asked to speak with their network admin, and they said, “Oh, that’s Sally over in clerical. She’s part-time. We have a local company that comes in when we have any problems with hardware. They monitor our firewall, too. It’s too expensive to have a full-time person.”
Rule of Thumb (I forget how many I’ve got now): More than 50 users? Rent or hire a full-time administrator (and not from the clerical department, either). It’s not fair to the part-time employee, and no one is there to monitor what the IT company is or isn’t doing.
I asked for a network diagram, and they said, “Oh, we don’t have one. Do you really need it?”
Rule of Thumb number something-or-other: If you don’t have a network diagram, you don’t have your network. The hackers do.
I suggested some free tools for acquiring a network diagram, such as Spiceworks, which is nice for monitoring (you have to put up with some ads, but you can get rid of them for a fee) and Look-at-LAN, available for free at CNET, along with other free tools. They said they’d ask the IT company to do it.
At that point, I thought I ought to look at their server room. It was a good sign that they had one, and the door even locked. I went in, looked around. The part-time clerical person said that they had just moved from an older building and the IT company had moved their computers and server room/data center/storage closet over to the new building. It really was a nice room. No temperature monitoring, no fire alarm, and overhead water sprinklers, but a nice new room.
After looking at the equipment for a few minutes, I said, “So, where’s the firewall?” She didn’t know what a firewall looked like (bad sign). She called up the IT company, who said it was in the building, because they were getting reports from it.
At that point, I had a brainstorm. I asked, “Which building, exactly?”