8/31/06

Top Ten Security Admin Errors

Background: This is from a 3 or more year old course I gave in support of what I say in The same old stuff further in support of Top Six Reasons Why I Hate Network- and Computer-Security. In short, this is old and, yet, is still relevant. (Kinda like me.)
#10: No or Outdated Security Policy
The reasons for this are many, including:
  • We don't know how to start.
  • We want to get it right, so we delay.
  • We don't have the resources (staff, money, time) to get to it.
  • Things are moving too fast.
Examples are also manifold, including:
  • Mainframe policy in an internetworked world. Or similar (more up-to-date-now), the policy was created 5 years ago when we were a 30 person company and before all of those mergers.
  • Doesn't take into account remote or teleworkers.
  • Doesn't cover all user types. That is to say it treats all users (Sales, Sales reps (not employees), Contract workers, Business partners) the same.
#9. Lack of Senior Management Understanding/Buy-in
They don't understand the expense, the costs, the liabilities, or the risks. They equate security with the last large expense the company made, the "Security=Firewall" phenomenon.

This is from a posting on the firewall-wizards mailing list:
Is there anybody out there that can help me get some configurations right on our new Gauntlet firewall? I have never configured a firewall before and have not had training and this is very important to our company so I am feeling the pressure here. Any help would be apprecaited.
To which I replied:
"Can anyone out there help me learn to drive an 18 wheeler? I was hired to do this and I have a truck supplied by my company. I have a driver's license for an automobile, but I've never driven a big rig before, nor have I had any training in one. It is very important to my company that I get this right and I have to start a cross-country run on Wednesday. Any help you other drivers can offer in your spare time as you pass through will be greatly appreciated.
#8 and #7 No Audit Logs or Unread Audit Logs
This is neglected because enterprises don't know what to do with them or how to handle them. (Okay, maybe this has gotten better. You think?)

#6. Leaving the Door Propped Open
Enterprises are still creating one-time changes to their security posture that end up being permanent, because they are forgotten. "I just need to do this one thing." "Open this up now, and I will call you when I am done." "We have this customer demo."

#5. Exceptions
They might be needed, but are they? The more exceptions, the lower the security posture of the enterprise. And this is linked to #6.

#4. The Big Boss Problem
Every organization has someone high enough in the organization to be able to make a decision that put the enterprise at risk, but lacking the knowledge or information to make it an educated decision.

#3. Network Service Requests Before Establishing Business Requirements
I mean think about these services that are allowed with no real business need:
  • Streaming media from the Internet
  • Instant Messenger
  • SkypeTM
  • Access to my Hotmail, et al. accounts
#2. Allowing Network Services Without Assessing Security
This is almost meaningless nowadays as nearly everything works through today's porous "firewalls." Do we allow SSL through our firewalls? SSH? Can our people use NetMeeting? Of course. Have we weighed the risk? Often, of course not.

#1. User Wants Disguised as Requirements
And solutions disguised as requirements.
  • I need NetMeeting. Translation: I need (maybe) inexpensive teleconferencing.
  • I need port 2592 open on the firewall. Translation: I want to play Netrek.
  • I need access to my hotmail account when at work. Translation: I am running a business on the side.

No comments: