Security is always on the minds of system administrators. As Intranets have evolved from glorified online cafeteria menus and corporate memos to robust information portals and mission critical applications, the bar has been raised to protect the castle from critters and other unwanted spooks that go bump in the night.
Most of the focus tends to be on protecting the enterprise from external threats and the seemingly scary world at large.
However, a study commissioned by the Computing Technology Industry Association (CompTIA) in 2005 found that 60 percent of the surveyed companies’ security breaches could be attributed to human error, 20 percent to technical malfunctions, and the remainder to a combination of the two (1).
Perhaps we are spending too much time keeping the wolves out of the hen house when it is in fact a few bad hens causing the greatest threat and loss to our organizations.
There are many tangible ways to protect the organization from external threats. In fact, an entire discipline within the information technology (IT) field is dedicated to security, and products abound to keep us safe from viruses and unwanted attacks on our systems.
Firewalls, anti-spyware, virus protection, authentication systems for the remote worker — the list of potential threats and solution providers is almost endless. But, who and what are protecting us from ourselves?
Earlier in my career I spent more than seven years as an internal auditor assessing risk and offering best practice solutions to reduce it.
When it comes to human behavior, the two main types of internal threats are intentional and accidental/inadvertent.
If you’re dealing with technology, you can add a third possible threat: technology malfunction. When you boil it all down, those are the only possibilities.
Either some “thing” breaks (hardware, a software glitch, etc.), an employee deliberately chooses to do damage (revenge), or an employee does damage unintentionally.
Unintentional damage can be anything from a poorly trained administrator setting up a system with security holes, to simple complacency about following prescribed checks and balances (for example, skipping the prescribed review when granting system access to new employees).
So, what can you do? Is guarding against internal threats futile? Is it akin to the impossible task of herding cats?
The secret is in constantly striving to find that elusive balance between controls (battening down the hatches so insiders can’t knowingly or unknowingly blow up the ship) and freedom for employees to get the job done without being so bogged down in policy and procedure that their hands are tied.
The biggest Catch-22 when it comes to system security is that the very people you need to trust – the system administrators – are the people with powers akin to comic book heroes when it comes to being able to wreak havoc on system operations.
Here are some tried and true best practices for internal security measures.
Granting System Access
Who gets access to what? Whether it’s a new employee or an existing employee changing roles, what level of access do they really need?
Also, as employees bounce from role to role you need a process in place to revoke their access to systems for which they are no longer responsible.
I can’t tell you how many times in my different jobs I have continued to have root access to systems simply because no one ever took my access away once I moved on.
Revoking Terminated Employee Access ASAP
Whether the employee was fired for cause or simply retired after many years of company loyalty, remove their system access as soon as possible.
In today’s landscape of numerous remote access points and disparate systems, that means it is vital to have one way of removing overall network access and then cascading the revocation of privileges to other, specific systems.
Automate Security Policies And Procedures
To the extent you can, automate. Employees come and go and are overworked.
You can’t risk having an important security policy fall by the wayside simply because someone’s inbox is full.
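Putting the last three sections together, here is an added example (shell, not from the original article) of a single deprovisioning routine: it disables the central identity first and then cascades the revocation to the per-system privilege lists, and it includes the audit that would have caught the orphaned root access described above. Every path, account name and file format in it is a constructed assumption, written to a temporary directory so the script runs offline; in production the same steps would target the directory service, the sudoers drop-ins, jump-host authorized_keys files and each application's ACL.

```shell
#!/bin/sh
# Added example, not from the original article: one deprovisioning routine that
# disables a central identity and then cascades the revocation to every
# per-system privilege list, plus an audit for privileges nobody revoked.
# All file paths and their contents are constructed sample data in a temp
# directory so the script runs offline.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT

DIRECTORY="$WORK/directory.txt"    # constructed: central identity store, user:status
SUDOERS="$WORK/sudoers.d-admins"   # constructed: sudoers drop-in on a server
AUTHKEYS="$WORK/authorized_keys"   # constructed: ssh keys on a jump host
APPACL="$WORK/billing-app.acl"     # constructed: application ACL, role:member,member
ROSTER="$WORK/hr_roster.txt"       # constructed: HR list of current employees

printf 'alice:active\nbob:active\ncarol:active\n' > "$DIRECTORY"
printf 'alice ALL=(ALL) ALL\nbob ALL=(ALL) ALL\ncarol ALL=(ALL) ALL\n' > "$SUDOERS"
printf 'ssh-ed25519 FAKEKEY1 alice@laptop\nssh-ed25519 FAKEKEY2 bob@laptop\n' > "$AUTHKEYS"
printf 'admin:alice,bob\nreport:carol\n' > "$APPACL"
printf 'alice\ncarol\n' > "$ROSTER"   # bob has left the company

# Portable in-place edit (sed -i differs between GNU and BSD).
edit_file() {  # $1=file, $2=sed script
    sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 1: one switch that removes overall network access.
disable_central() {
    edit_file "$DIRECTORY" "s/^$1:active\$/$1:disabled/"
}

# Step 2: cascade to every system that keeps its own privilege list.
revoke_everywhere() {
    edit_file "$SUDOERS"  "/^$1[[:space:]]/d"
    edit_file "$AUTHKEYS" "/ $1@/d"
    edit_file "$APPACL"   "s/\([:,]\)$1,/\1/; s/,$1\$//; s/:$1\$/:/"
}

deprovision() {
    disable_central "$1"
    revoke_everywhere "$1"
}

# True if the account still appears as active or privileged anywhere.
has_any_access() {
    grep -q "^$1:active" "$DIRECTORY" && return 0
    grep -q "^$1[[:space:]]" "$SUDOERS" && return 0
    grep -q " $1@" "$AUTHKEYS" && return 0
    grep -Eq "[:,]$1(,|\$)" "$APPACL" && return 0
    return 1
}

# Audit: root-equivalent sudo entries for people HR no longer lists.
orphaned_privileges() {
    awk '{print $1}' "$SUDOERS" | while read -r u; do
        grep -qx "$u" "$ROSTER" || echo "$u"
    done
}

echo "orphaned sudo rights before: $(orphaned_privileges | tr '\n' ' ')"
deprovision bob
echo "orphaned sudo rights after:  $(orphaned_privileges | tr '\n' ' ')"
```

The order matters: the central account is disabled before anything else, so even if one of the cascaded steps fails the person can no longer authenticate to the network, and the audit at the end is the control that catches the systems the cascade missed.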
Proper Configuration Of Hardware And Software
Don’t blindly accept and trust the defaults. Some of the most commonly used network and server software makes some of the dumbest choices for defaults (from a security standpoint).
Take the time to thoroughly review and understand the choices you are making.
Technology changes at warp speed. For key personnel who are installing and configuring software with far-reaching security risks (and what software doesn’t have that these days), keep them up to date with the latest information on best practices and known security holes.
Root Access Accounts and Passwords
Grant root access only to those who really need it to perform their jobs. Always have at least one person as a backup for each function.
Do not use common “group” logins for root access activities, because activity cannot be monitored or traced to an individual.
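An added example (shell, not from the original article) of what the difference looks like on a Linux host: the shared-root setup beside the corrected one, a check of the sshd directive that decides whether root can log in directly, a scan of a sudoers drop-in for principals that are not named people, and an attribution pass over a few constructed auth-log lines. The file names, account names, roster and log lines are all assumed sample data written to a temporary directory; the real files are /etc/ssh/sshd_config, a drop-in under /etc/sudoers.d/ and the system auth log.

```shell
#!/bin/sh
# Added example, not from the original article: the shared "everyone logs in
# as root" setup beside the traceable alternative, with a check of the sshd
# directive, a scan for shared sudoers principals, and an attribution pass
# over constructed auth-log lines. Everything lives in a temp directory.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT

# Weak: a shared root password and direct root ssh. Every action in the logs
# is "root", so nothing can be traced to a person.
cat > "$WORK/sshd_config.weak" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Corrected: root cannot log in over ssh at all; named admins escalate with
# sudo, which records who ran what and keeps its own I/O log.
cat > "$WORK/sshd_config.fixed" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
EOF
cat > "$WORK/sudoers.d-admins" <<'EOF'
Defaults    logfile=/var/log/sudo.log, log_input, log_output
alice       ALL=(ALL) ALL
carol       ALL=(ALL) ALL
EOF

# True if the config still permits direct root logins. sshd uses the first
# occurrence of a directive; an absent one falls back to OpenSSH's default of
# prohibit-password, which still allows root logins with a key. Only an
# explicit "no" guarantees that every privileged session starts as a person.
root_login_allowed() {  # $1=sshd_config
    val="$(awk 'tolower($1)=="permitrootlogin" && !seen {v=$2; seen=1} END {print v}' "$1")"
    [ "${val:-prohibit-password}" != "no" ]
}

# Constructed roster of named humans and a drop-in with a shared "ops" login.
printf 'alice\ncarol\n' > "$WORK/people.txt"
cat > "$WORK/sudoers.d-shared" <<'EOF'
ops         ALL=(ALL) NOPASSWD: ALL
EOF

# Print sudoers principals that are not a named person. Skips Defaults lines,
# comments and %group entries (those resolve to individuals via group membership).
untraceable_principals() {  # $1=sudoers drop-in, $2=roster
    awk '!/^[[:space:]]*(#|Defaults|%)/ && NF {print $1}' "$1" | while read -r p; do
        grep -qx "$p" "$2" || echo "$p"
    done
}

# Constructed auth-log lines: two sudo escalations and one direct root login.
LOG="$WORK/auth.log"
cat > "$LOG" <<'EOF'
Mar  3 09:12:01 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Mar  3 09:40:17 db01 sshd[2201]: Accepted password for root from 10.1.2.3 port 51022 ssh2
Mar  3 09:41:05 db01 sudo:    carol : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/rm -rf /var/lib/postgresql/backups
EOF

# One "actor<TAB>action" line per privileged event. sudo names the invoking
# account; a direct root login names nobody, so it is marked UNATTRIBUTED.
attribute_privileged_actions() {  # $1=log file
    awk '
        / sudo: / && match($0, /COMMAND=.*/) {
            cmd = substr($0, RSTART + 8, RLENGTH - 8)
            print $6 "\t" cmd
        }
        / sshd\[[0-9]+\]: Accepted .* for root from / {
            print "UNATTRIBUTED\troot login from " $11
        }' "$1"
}

echo "--- who did what ---"
attribute_privileged_actions "$LOG"
echo "--- shared logins in sudoers.d-shared ---"
untraceable_principals "$WORK/sudoers.d-shared" "$WORK/people.txt"
```

The destructive rm in the sample log is attributable only because carol escalated through sudo; the root login from 10.1.2.3 could have been anyone holding the shared password, which is exactly the gap a group login opens.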
Code Review and Release Procedures
No one person should have the power to create, implement, and release code into production environments without some checks and balances involving another person.
The simple truth is that there is an unspoken, enforced honesty when a group of people are watching, and that holds for coders as well.
Take the case of UBS PaineWebber, where one employee who wanted revenge planted a logic bomb which took down over 2,000 servers and wreaked such havoc that four years later the damage still hasn’t been completely repaired (2).
The combination of policies coupled with a group of people self-policing daily activities is critical to preventing one individual from having free rein to do what they please.
Basic Physical Safeguards
As IT employees, we’re busy, stressed, overwhelmed, and burned out. That means basic safeguards are the first thing to get dropped.
Ensuring workstations are automatically locked when no one is around and that administrator accounts are never left idly logged in are simple yet effective preventative measures.
Regularly Test Backup And Disaster Recovery
While this step alone won’t prevent a breach from occurring, it’ll certainly make getting life back to normal much more bearable and certain.
This step will not only help you in the event of an attack but also in the event of any unforeseen disaster, natural or manmade.
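An added example (shell, not from the original article) of what “regularly test” means in practice: a restore test that unpacks the archive into a scratch directory and verifies every file against a checksum manifest taken at backup time, then runs the same test against a deliberately truncated copy to show that it catches a backup which exists on disk but cannot be restored. The data set, archive and paths are constructed assumptions in a temporary directory; the script assumes tar, find and sha256sum (or shasum) are installed.

```shell
#!/bin/sh
# Added example, not from the original article: a restore test that proves a
# backup can actually be brought back, rather than trusting that the backup
# job exited 0. The data set, archive and manifest are constructed in a temp
# directory; in production SRC is the real data and ARCHIVE the file the
# backup job wrote.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

SRC="$WORK/data"
mkdir -p "$SRC/config"
printf 'db_host=db01\n' > "$SRC/config/app.conf"     # constructed
printf 'row1\nrow2\nrow3\n' > "$SRC/customers.csv"    # constructed

# Backup: the archive plus a checksum manifest taken from the live data at
# backup time. The manifest is what a later restore is measured against.
# (A read loop rather than xargs so the shasum fallback above still applies.)
take_backup() {  # $1=source dir, $2=archive, $3=manifest
    (cd "$1" && find . -type f | sort | while read -r f; do sha256sum "$f"; done) > "$3"
    tar -cf "$2" -C "$1" .
}

# Restore test: unpack into a scratch directory and check every file in the
# manifest. Succeeds only if the whole set came back byte-for-byte; a missing
# file, a changed file or an unreadable archive all fail.
verify_restore() {  # $1=archive, $2=manifest
    scratch="$(mktemp -d "$WORK/restore.XXXXXX")"
    tar -xf "$1" -C "$scratch" 2>/dev/null || return 1
    (cd "$scratch" && sha256sum --status -c "$2")
}

ARCHIVE="$WORK/backup.tar"
MANIFEST="$WORK/backup.sha256"
take_backup "$SRC" "$ARCHIVE" "$MANIFEST"

# Failure mode the test must catch: an archive cut short (the job ran out of
# disk or was interrupted) that still exists and looks like a backup.
TRUNCATED="$WORK/backup-truncated.tar"
head -c 1024 "$ARCHIVE" > "$TRUNCATED"

restore_test_passes()   { verify_restore "$ARCHIVE"   "$MANIFEST"; }
truncated_test_passes() { verify_restore "$TRUNCATED" "$MANIFEST"; }

if restore_test_passes; then echo "full archive:      restore verified"; else echo "full archive:      RESTORE FAILED"; fi
if truncated_test_passes; then echo "truncated archive: verified (should not happen)"; else echo "truncated archive: restore failed, as it must"; fi
```

Scheduling this against a fresh copy of each night's archive turns “we have backups” into “we restored last night's backup and every file checked out”, which is the only statement that helps after a logic bomb or a disk failure.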
Ongoing Monitoring And Auditing
Auditing is rarely someone’s favorite word. However, ongoing monitoring by your operational department as well as internal and external audit professionals is worth the fresh perspective it lends to your overall security environment.
It is far less costly and painful to implement a few audit recommendations than it is to experience and recover from a major breach.