Can’t keep up with the network security challenges in your business?

Here’s how one company uses regular vulnerability scanning to enforce a consistent network security policy across 650 business units.

Northbrook, IL – August 10, 2005 – The impressive corporate headquarters of Illinois Tool Works Inc. orchestrates the diverse activities of 650 decentralized business units employing 49,000 men and women in 45 countries.

Decentralization and aversion to overhead are ITW’s mantra. With little corporate infrastructure imposed on the individual business units, each operates autonomously with little extra overhead. In fact, the individual business units operate with as much freedom as their entrepreneurial competitors and are responsible for most of their own IT decisions. Because of the hands-off and decentralized role played by the corporate headquarters, ITW’s corporate IT operations are managed by a very small IT staff plus an outsourced team of several individuals responsible for help desk, e-mail and network security.

No matter how hands-off they try to be, maintaining and enforcing a consistent network security policy across all business units is vital to efficient network operations. Communicating and enforcing this policy—without imposing unnecessary “corporate baggage” on the individual business units—is one of Gary Anton’s jobs.

According to Anton, ITW’s vice president of strategic sourcing and IT, corporate does not make IT decisions for each of the business units. “They know what kind of systems they need better than we do. Our job is to define policy, provide stability and guidance, and make decisions for anything that touches the worldwide corporate network.”

ITW’s worldwide corporate network utilizes a massive, carrier-agnostic VPN (virtual private network) that connects all 650 business units to financial reporting, HR and e-mail services (hosting, spam and virus filtering).

Unaudited Connections Slow Network
Early on, unaudited connections to the worldwide corporate network caused a number of problems. “Some business units were not up to date on patches and virus protection,” says Anton. “Some had poorly configured security and network hardware.”

When ITW connected these business units to the corporate VPN, the unaudited connections slowed the corporate network with worms, viruses and Trojan horses.

“When the VPN went live, three or four business units had significant network issues that were affecting other units on the VPN,” notes Anton. “Almost immediately we were fighting fires. It didn’t take long to understand the dollar impact of these kinds of vulnerabilities.”

Staying ahead of the vulnerabilities in 650 different business units could become an incredibly costly and complicated effort. After fighting these fires, the search began first for tools that impose and enforce consistent security standards without asking the business units to install new software or absorb additional overhead. Next, ITW sought ways to proactively improve their network security over time.

To do this, ITW needed a clear security standard and a way to audit compliance to that standard. According to Anton, “We needed a way to discover and audit network assets, understand and prioritize current network vulnerabilities, then track and manage the remediation efforts over time.”

Selling the Solution
Convincing the ITW corporate executive team and each of the business unit controllers and IT staff that worldwide security standards were necessary was easier than anticipated.

“We didn’t use fear to sell this project,” Anton says. “All our executives and business unit management were aware of what happens when critical systems are disabled. They understand the potential dollar impact when orders can’t be received and goods can’t be shipped.”

After the executive team gave the go-ahead for implementing and enforcing a consistent security policy, the first task was a complete discovery of all network assets. With 650 business units touching the corporate network in different ways, ITW wanted to know which devices were infected, poorly configured or in need of patches.

For the vulnerability assessments, after a three-month review of nearly 10 different vulnerability scanning vendors, Anton selected Beyond-IP's automated vulnerability scanning tool.

Beyond-IP’s scanning and management technologies automate vulnerability testing by locating and exposing security vulnerabilities in hosts and corporate networks. In addition, they check systems for the possibility of hostile external attacks for both exposed and private LAN/WANs.

The Process
Even before selecting the vulnerability scanning software, Anton knew they’d find vulnerabilities. Anton’s team constructed a comprehensive remediation based on the following four-step vulnerability management process:

1. Discover and Audit: What is our current state of network security? What are our vulnerabilities? What is the baseline that we need to improve?

2. Prioritize: What are the high-risk vulnerabilities?

3. Remediate: Fix the high-risk vulnerabilities and eliminate or control their root cause, and most of the low-risk vulnerabilities will also disappear.

4. Maintain and Monitor: Utilize regular scans to enforce policy and understand the state of our network security as it relates to evolving security threats. How do we know we are secure? How do we know that we are doing a good job? How do we know that our outsourced team is doing what they say they are doing?

To get the business units to accept this policy, Anton and his team spent extra time explaining the new security policy to the ITW business units. They explained that they would be performing IT systems vulnerability testing as part of an internal controls initiative, and that the technology would cause no disruption to their systems and required no installation of new software.

Most importantly, the team spent many hours working with ITW’s business unit management to ensure that at no time would their data be read, altered or copied by this application.

ITW manages the vulnerability scanning over its VPN from within its own NOC (network operations center), minimizing travel or shipment of devices to each location.

Since each business unit has a different network infrastructure, scans were completed across all operating systems, including Windows, Novell and multiple versions of UNIX. Full system vulnerability scans were also conducted across all network devices such as firewalls, routers and switches, in addition to the servers and PCs.

Mountains of Data
The first series of scans looked at nearly 10,000 nodes. Anton admits that even though they anticipated extensive data from the scans, they were not fully prepared for the volume of data generated by the first vulnerability audit. The automated scanning tool ran thousands of test categories on each node.

The results of the first scans showed all the assets that exist on the network, plus the kind of information that could be obtained by an intruder targeting the network. In addition, all vulnerabilities were ranked by risk level, and every host affected by that vulnerability was listed and prioritized by severity.

Instead of reviewing mountains of paper to prioritize these vulnerabilities, adds Anton, ITW and the team built a Web-based portal that allows business units to view their scans, understand the severity and priority of vulnerabilities, track remediation projects and review differential data to compare their current security posture to past security readiness.

The portal also describes each vulnerability—specifically, its possible impact on the network and information on remediation. “Each business unit can now monitor and track their security projects and receive recommendations for best remediation practices,” says Anton. Corporate management uses the portal to track and oversee business unit compliance with the security policy.

Remediation Within 20 Days
As written, ITW’s security policy states that when vulnerabilities are discovered in the corporate network, they must be addressed within 20 business days. This same 20-day policy applies to all the business units as well.

Once the business unit has addressed high-risk vulnerabilities, they are required to contact ITW Corporate IT to request a follow-up or differential scan for confirmation of remediation.
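The follow-up (differential) scan and the 20-business-day window described above can be checked mechanically. The following is an added example, not ITW's portal or the scanning vendor's code: it compares a baseline scan with a follow-up scan and lists findings still open past the window, high-risk first. The scan record layout, risk labels, host addresses and finding names are assumptions constructed for illustration, and public holidays are ignored.

```python
from datetime import date, timedelta

SLA_BUSINESS_DAYS = 20  # remediation window stated in the policy above
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}  # assumed risk labels

def business_days_between(start: date, end: date) -> int:
    """Count weekdays after `start` up to and including `end` (holidays ignored)."""
    days, cur = 0, start
    while cur < end:
        cur += timedelta(days=1)
        if cur.weekday() < 5:  # Monday=0 .. Friday=4
            days += 1
    return days

def differential(baseline: dict, followup: dict, today: date) -> dict:
    """Compare two scans keyed by (host, finding_id).

    Returns fixed, new and persisting findings, plus persisting findings
    that have been open longer than the SLA, ordered high-risk first.
    """
    base_keys, follow_keys = set(baseline), set(followup)
    persisting = sorted(base_keys & follow_keys)
    overdue = sorted(
        (k for k in persisting
         if business_days_between(baseline[k]["first_seen"], today) > SLA_BUSINESS_DAYS),
        key=lambda k: RISK_ORDER[baseline[k]["risk"]],
    )
    return {
        "fixed": sorted(base_keys - follow_keys),
        "new": sorted(follow_keys - base_keys),
        "persisting": persisting,
        "overdue": overdue,
    }

# Constructed sample scans (hypothetical hosts and finding names).
BASELINE = {
    ("10.0.1.5", "missing-os-patch"): {"risk": "high", "first_seen": date(2005, 6, 1)},
    ("10.0.1.5", "default-snmp-community"): {"risk": "high", "first_seen": date(2005, 6, 1)},
    ("10.0.2.9", "outdated-av-signatures"): {"risk": "low", "first_seen": date(2005, 6, 1)},
}
FOLLOWUP = {
    ("10.0.1.5", "default-snmp-community"): {"risk": "high", "first_seen": date(2005, 6, 1)},
    ("10.0.2.9", "outdated-av-signatures"): {"risk": "low", "first_seen": date(2005, 6, 1)},
    ("10.0.3.7", "open-telnet"): {"risk": "high", "first_seen": date(2005, 7, 5)},
}

if __name__ == "__main__":
    for bucket, items in differential(BASELINE, FOLLOWUP, date(2005, 7, 5)).items():
        print(bucket, items)
```

A finding that appears only in the follow-up scan lands in `new` and starts its own 20-day clock from its `first_seen` date.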

ITW also provides courtesy scanning if a business unit is installing a new network device (e.g., firewall, router, switch or server) and wants confirmation of proper configuration. Business units can also request recommendations and help managing their internal patch management and virus scanning processes. This could include the installation of software update services, configuration of an enterprise antivirus management console and other tools.

Looking back, Anton believes a consistent and measurable security standard has positively impacted the company. “At first, the enormity of the baseline vulnerability data was daunting. Once you begin auditing, fixing problems and enforcing policy on a regular basis, the light at the end of the tunnel appears very quickly.” Anton believes in the power of information. He knows that the by-product of this scanning process is that he can clearly demonstrate security improvements over time. “I now have historical records of scans, problems fixed and how quickly they were fixed. I can show the executive team what we’re doing and how fast we’re responding to threats. I know someday this information will be useful to our audit group.”

Because of these processes, ITW has seen a massive reduction in attacks on its network, and by enforcing these policies, believes it has found a way to stay ahead of the vulnerabilities in its 650 business units.

Reprinted with permission of www.CDW.com