Network Vulnerability: Rate Your Relationship
Do you have a business resumption plan in place to address the vulnerabilities of your site’s client/server system? Would your network be safe in the event of a disaster?

By Leo A. Wrobel


Take this "Cosmo" style survey for technical support managers to tell you about your relationships (in this case, with your client/server system). Hopefully, this approach, while somewhat lighthearted, will make a few valid points about network vulnerability, especially in the client/server environment.

RATE YOUR CLIENT/SERVER VULNERABILITY

1. Are you too dependent on your "significant other"?
As processing has become more distributive in general, mainline business operations have moved from the relative safety of corporate computer centers to the more autonomous habitats of the business units themselves. This move toward a client/server architecture does have the advantage of bringing the tools closer to the business, but it also carries some drawbacks. Pools of technical specialists often appear in the business units themselves. While these individuals are close to the business, responsive and technically savvy, they are few in number. While this phenomenon has always been a problem, it is especially troublesome with regard to client/server processing. Close your eyes and imagine the principal LAN support manager out on the floor. You know who I’m talking about—that one guru who keeps all the meaty inner workings of the LAN close to the vest. (That’s job security, right?)

The problem is, what happens if this person quits the company, or worse, the disaster that wipes out the network takes him out, too? You know who the "Lone Ranger" is in your organization. If you are not sure, try "bumping off" suspected key individuals immediately before your next disaster recovery test and see how things operate then! That will usually bring a problem to light, if there is one.

On a scale of 1 to 10, rate your level of confidence in being able to fill in for a critical LAN administrator yourself (or find a competent replacement) if you had to do it today. (1=No Confidence, 10=Very Confident)

2. Have you no standards?!?
Operating and security standards for the client/server environment are written for two reasons.

a. Security standards are designed to prevent disasters from happening in the first place. That’s why there are procedures for how often you change passwords, what doors are locked, how you store data offsite, what kind of fire system, etc. The problem is, when mainframe environments metamorphose into hot new client/server platforms, the standards which previously governed the mainframe often do not move with the technology.

b. Operating standards are also developed to allow a business resumption plan to execute gracefully. For example, if your recovery plan says "call everyone back to work," it has to assume that an accurate list of home telephone numbers resides somewhere. Changes must be made in the operational environment to ensure emergency procedures can be carried out smoothly. What changes have you made to your normal operating environment design to ensure your plan will work when you need it? What types of disasters are you inviting by not documenting standards for fire protection, media storage, or employee access?

On a scale of 1 to 10, rate your organization’s operating and security standards in the following areas: (1=Poor, 10=Excellent)

___ Documentation of wiring layouts
___ Documentation of software inventory
___ Documentation of hardware inventory
___ Change control procedures for major system changes
___ Development LANs for new applications
___ Availability of spare parts and cards for critical components
___ Physical location of the server(s)
___ Fire detection/protection systems
___ Air conditioning and heating components
___ Locks, card key systems and physical access control
___ Personnel call-out and "first-alert" procedures

3. Are you drawn to water signs? Is there an "Aquarius" in your future?
Water is one of the most common problems when it comes to catastrophic business interruptions, not only in client/server installations, but in technical installations of all types, including mainframe installations and PBX rooms. Survey your location for all sources of water, particularly overhead. That means popping some ceiling tiles and looking. Are emergency shut-offs located and marked? Have you had water anywhere in your building where it did not belong in the last 12 months? Include any of the following:

___ Ground water from outside or from roof
___ Leaky water pipes
___ Drinking fountain
___ Sewers
___ Drains
___ Air conditioning condensing units
___ Sprinklers

If you answered yes to any of the above, deduct 50 points.

If the problem was caused by overhead pipes in the server or telecommunications room, deduct 100 points.

4. Why won’t he call!?
How vulnerable is your business to telephone disruptions? Today’s client/server systems are front-line revenue-impacting systems. They are fueled by incoming callers seeking to buy your company’s product or service. Since the system could be virtually useless if your customers can’t reach you, a quick overview of supporting telecommunications is definitely in order.

One measure is to weigh the vulnerability against the amount of business which comes directly over the phone (as opposed to walk-in business) in order to provide a clear picture of the risk.

Circle the number on the scale below to weigh the percentage of your calls which are core business telephone exchanges (exclude administrative).

1 ............... 10%
2 ............... 20%
3 ............... 30%
4 ............... 40%
5 ............... 50%
6 ............... 60%
7 ............... 70%
8 ............... 80%
9 ............... 90%
10 .............. 100%

Consider all those inbound telephone numbers which turn your client/server computing system into a revenue generator for the enterprise. Many businesses no longer have a store front at all, and take most, if not all, orders over the phone. Most of this exposure can be addressed, often inexpensively, with a little planning.

For each "Yes" answer below, award yourself 5 points times the number you circled above on the core business telephone call percentage scale.

___ Do you prioritize and document your company’s most critical telephone numbers (those with the most bearing on revenue) and take precautions beforehand? Yes or No
___ Have you documented the locations of power failure cut-over phones for use in the event a power problem renders your PBX unusable? Yes or No
___ Have you solicited input from the business units? Have you developed a form for your users to prioritize their most important incoming numbers? Remember, fax lines and modems count as telephones! Yes or No

5. Do you continue to do the "special" thoughtful things to nurture your relationship?
Remember when your relationship was just budding? You never overlooked the details. You even took pleasure in making special efforts to ensure a happy relationship. Those "little things" still matter!

Where is the file server?
___ In a secure area or computer room (Add 20 points)
___ Some other place in the organization (Deduct 50 points)

Who performs the data/system backups?
___ End users (Deduct 20 points)
___ Formal procedures for technical service organization (Add 50 points)

Who staffs the Help Desk?
___ Users are basically on their own (Deduct 20)
___ Trained, dedicated technical service personnel (Add 50)

Does one user have the ability to casually connect into the system (with a laptop, for example) and potentially knock down an entire workgroup?
___ Yes (Deduct 20)
___ No, all spare access ports to the network are locked and secure (Add 50)

Does your organization utilize a full-blown network management system for diagnostics, inventory and control?
___ Yes (Add 50)
___ No (Deduct 100)

Does the network management system employ "hooks" and interfaces to intelligently and productively monitor the client/server environment?
___ Yes (Add 100)
___ No (Deduct 150)

BONUS QUESTIONS!
Getting worried about your score? Here are a few easy questions so I won’t feel guilty about hurting your self-esteem.

Has your company hosted an on-site New Year’s Eve party in the last five years where there was more than one live animal in attendance?
___ Yes=10 points
___ No=0 points

Does your company have a proactive program to screen incoming dial-in data lines for fraud and abuse? For example, if someone made 25 unsuccessful log-in attempts to your system last night would you know?
___ Yes=20 points
___ No=0 points

Could you get your principal system administrator in to work for a 6 a.m. call-out January 1 after he attended the party in question #1?
___ Yes=0 points—you’re lying!
___ No=5 points—for at least being honest!

Are all cable risers in your building fire-stopped with an approved material? Have you physically inspected cable paths throughout the risers? Are water pipes co-located in the risers?

Rate the condition of your cable risers based on the above criteria (1=Poor, 10=Excellent)

Do you have a long-term client/server migration strategy focused on the core business and espousing an adequate level of security and control before and after the conversion?
___ Yes=100 points
___ No=0 points


About the author:
Leo A. Wrobel is an active author and lecturer. He has nearly two decades of industry experience, including assignments in government and the banking, brokerage, heavy manufacturing, and telecommunications industries. He is president and CEO of Dallas-based Premiere Network Services, Inc. For more information, contact Premiere Network Services at (972)228-8881 or visit their web site at www.dallas.net/~premiere. ©1998 Technical Enterprise, Inc. Reprinted with permission of Technical Support magazine. For subscription information, email mbrship@naspa.net or call (414) 768-8000, Ext. 116.