Posts Tagged ‘applications’

Blurring the lines between admin and security

June 22nd, 2010

I’ve been a network/systems admin for a long time now, and just when I think I’ve got all of my responsibilities nailed down, I discover a new pile of them hiding in the corner.  The latest batch has turned out to be security.  Yes, that’s a very, very broad scope.  I’ve always been responsible for network security, being the primary manager of our firewalls and VPN platforms, but this is quickly branching into areas I’m not comfortable (yet) with.

We’re currently being audited for PCI compliance by our bank.  This means that all sorts of things need to be tested and verified and that numerous configurations must be in place from the perimeter to the desktop.  Lots of these things aren’t in place, mainly on the desktop side, but I was welcoming this audit as I’ve always felt that we should be better about security and I just didn’t know where to start.  Well, the PCI stuff is pretty straightforward, but what happened was that during the interviews I discovered that several of our internet-facing systems are allowing the submission of sensitive customer data.  It turns out that some of our internal developers don’t have much sense for security and have taken some of our web applications much further than we in the IT department ever anticipated.  This was a massive wakeup call.  Massive.

Josh Currier - Blogged