Why Do We Even Have That Server?!

Wow! What an end to a good (albeit frustrating) week! In between multiple engagements for several clients this week, I somehow managed to learn that “flowers are like a picnic for butterflies…” Yep, busy week but I still managed to get in all the bedtime stories with the kids!

I’ve seen an interesting trend during my last several engagements that I wanted to share, as I believe it points to one of the quickest and most effective ways you can mitigate or even ELIMINATE some cybersecurity-related risk in your organization.

This is particularly exciting for me because you’ll usually only hear me say something like “now remember, we rarely get to eliminate risk completely, so we should instead strive to reduce it…”. Well, this is one of those exceptions, and the initial thought actually came to me by way of an (admittedly hilarious) Disney movie titled “The Emperor’s New Groove”. I won’t go into too much detail, as I’m going to assume almost everyone has seen it (if you haven’t yet, then what are you doing here? Go watch it and come back… I’ll wait). If you recall, during the movie one of the villains falls through a trap door when a henchman pulls the wrong lever at the entrance to their “secret lab”. The villain re-emerges moments later (understandably irritated) and asks the henchman, “Why do we even have that lever?!”

So I’ll admit, yeah, it’s a cartoon, but think about that question. The vast majority of major vulnerabilities I found during my engagements this week were related to servers or services that had been abandoned and forgotten but were still active, even though they had outlived their usefulness. Rather than take the time to carefully patch and remediate these vulnerabilities, it would be quicker and simpler to just retire the servers or services altogether! This completely eliminates the risk involving those servers and services while simultaneously freeing up valuable resources (usually in multiple areas, like a ripple effect). Those resources can be reserved or reallocated for something that’s actually useful.

The moral of the story? Before running those vulnerability scans and trying to figure out how to prioritize and remediate the hundreds of vulnerabilities found, stop and ask the question, “Why do we even have that $VAR?” If you can’t answer that question (or get a satisfactory answer from someone else), then you should seriously consider removing it and moving on.

So how does this happen anyway? Why do so many security incidents start from compromised systems or services that no one in IT knew existed, or knew the purpose of? This situation usually arises from two practices that I’ve frequently experienced (or been guilty of) in my IT career.

The first is related to the simple words “for now”. As in “let’s just do it this way for now…”. Far too often “for now” becomes “forever” and then becomes “forgotten”.

The second can usually be traced back to the words “just to test it”. As in “let’s set this up quick just to test it”. In IT, for some reason, we’re always in a hurry and we don’t like to clean up after ourselves. I get it, we all need to run a quick test once in a while, but next time try silently reciting this promise to yourself: “After the test, I’ll clean up my mess”.
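One way to put the “Why do we even have that $VAR?” question (and the “for now” / “just to test it” tells) into practice is to triage an asset inventory before the scan results land. The script below is an added example, not part of the original post; the inventory layout, the field names (hostname, owner, purpose, provisioned) and the sample rows are all constructed assumptions.

```python
"""Triage an asset inventory by asking "why do we even have that?".

Added example, not from the original post. Field names and sample rows are
constructed assumptions; adapt the loader to your CMDB or scan export.
"""
import re
from datetime import date

# Constructed inventory: one record per server or service.
INVENTORY = [
    {"hostname": "web-prod-01", "owner": "ecommerce",
     "purpose": "Customer storefront", "provisioned": "2021-03-10"},
    {"hostname": "ftp-legacy", "owner": "",
     "purpose": "", "provisioned": "2016-07-01"},
    {"hostname": "test-sql-02", "owner": "dba",
     "purpose": "Set up quick just to test replication", "provisioned": "2022-01-15"},
    {"hostname": "jump-tmp", "owner": "netops",
     "purpose": "Temporary jump box for now", "provisioned": "2022-06-01"},
]

# Words that usually mean "for now" or "just to test it" (coarse heuristic).
TEMPORARY_MARKERS = ("for now", "temporary", "temp", "test", "quick", "poc")
_MARKER_RE = re.compile(r"\b(" + "|".join(TEMPORARY_MARKERS) + r")\b")


def triage(inventory, today, max_temp_days=90):
    """Return {hostname: verdict} for every record.

    retire candidate: nobody owns it and nobody can say what it is for.
    review: owner or purpose missing, or a "temporary" system older than
            max_temp_days.
    keep: owner and purpose are documented (still patch it, of course).
    """
    verdicts = {}
    for rec in inventory:
        owner, purpose = rec["owner"].strip(), rec["purpose"].strip()
        age_days = (today - date.fromisoformat(rec["provisioned"])).days
        if not owner and not purpose:
            verdict = "retire candidate: no owner and no stated purpose"
        elif not owner or not purpose:
            verdict = "review: missing " + ("owner" if not owner else "purpose")
        elif _MARKER_RE.search(purpose.lower()) and age_days > max_temp_days:
            verdict = f"review: temporary/test system still up after {age_days} days"
        else:
            verdict = "keep: owner and purpose documented"
        verdicts[rec["hostname"]] = verdict
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(INVENTORY, date.today()).items():
        print(f"{host:<12} {verdict}")
```

Anything that lands in the “retire candidate” bucket is the quickest win on the page: no patching, just a decommission ticket once you have confirmed nobody can answer the question.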

Until next time!