Welcome back to our Security 101 series. In this post, let’s take a look at the seven deadly sins that far too many SysAdmins are guilty of. Why do we care? Because each of these can directly lead to a security incident. Whether it’s a hack, a failure, or data spillage, anything that impacts confidentiality, integrity, or availability is a hit to our security, and far too many of us have personally committed one or more of these very deadly sins.
1. Not patching
There are three ways systems get hacked: compromised credentials, malware, and exploitation of vulnerabilities. There’s an easy way to close the door on 1 out of 3 of those. Patch! Seriously, in today’s environments, if an app has problems because you apply a patch, lose the app! Because if you don’t patch, you are going to lose your data, and that will lead to losing your job.
2. Default configurations
Go check your favorite search engine for the phrase “Default Password List.” Now that you see how many tens of thousands of results that brings up, go finally change the default administrative passwords on all the printers, access points, lights-out boards, and other applications that you didn’t change because “what could it hurt?”
3. Working as admin
RunAs, sudo, log on to a different session… whatever it takes, never ever, ever, do your regular work like opening emails, surfing the web, etc. while logged on as a user with admin rights. If you do make a mistake and click something/open something/hit a pwned webpage, there is much less damage that can be done if you do it while not logged on as a super user.
4. Not documenting
Changes, configurations, vendor support contacts, warranties, license keys, IP addresses. Document everything and keep it somewhere that everyone who might need it can get to it. Wikis are a great idea, and they have them in everything from freeware to SharePoint. The right time to document will always be right now – while you are doing whatever you are doing – definitely not later when you get around to it, because you never will.
5. Not reviewing logs
Western Digital, Seagate, Dell, NetApp, and all the other storage vendors would like to thank you for all the logging that you are doing. Cranking that logging level up to 11 ensures that you have a ton of data, and that they will continue to enjoy brisk sales in the coming quarters. All the evil hackers out there would also like to thank you for never reviewing those logs, because it means they can get away with things for months! Seriously, look at the write-ups on all the major hacks of the past year, including Sony, Target, and the US Department of Personnel Management. One consistent theme is that the attackers had been on the inside for months. How did they figure that out? They finally got around to reviewing those logs.
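A small illustration of what "reviewing those logs" can look like in practice, added here as an example and not part of the original post: it parses a handful of constructed OpenSSH auth-log lines and flags any source that failed repeatedly and then got an accepted login, recording when that source was first seen so you know how long it has been around. The log lines, the threshold and the function names are all assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's syslog format; not from any real host.
SAMPLE_LOG = """\
Jan 10 03:14:07 bastion sshd[2121]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 10 03:14:09 bastion sshd[2122]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 10 03:14:12 bastion sshd[2123]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Jan 10 03:14:15 bastion sshd[2124]: Failed password for deploy from 203.0.113.7 port 51250 ssh2
Jan 10 03:15:01 bastion sshd[2130]: Accepted password for deploy from 203.0.113.7 port 51300 ssh2
Jan 10 08:00:02 bastion sshd[2400]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Jan 10 08:01:11 bastion sshd[2401]: Failed password for alice from 198.51.100.20 port 40002 ssh2
Jan 10 08:01:20 bastion sshd[2402]: pam_unix(sshd:session): session opened for user alice
"""

# One regex for the two sshd outcomes we care about; any other line is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

def parse_auth_log(text):
    """Yield (timestamp, result, user, src) for each line the regex matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("src")

def find_suspicious_sources(text, max_failures=3):
    """Return {src: summary} for each source with more than max_failures failed
    logins and at least one accepted login: the trace a guessing run leaves."""
    failures = defaultdict(list)   # src -> [timestamps of failed attempts]
    successes = defaultdict(set)   # src -> {usernames that were accepted}
    for ts, result, user, src in parse_auth_log(text):
        if result == "Failed":
            failures[src].append(ts)
        else:
            successes[src].add(user)
    report = {}
    for src, fails in failures.items():
        if len(fails) > max_failures and src in successes:
            report[src] = {
                "failures": len(fails),
                "first_seen": fails[0],   # where dwell time starts counting from
                "accepted_as": sorted(successes[src]),
            }
    return report
```

Run it against a real auth log and the "first_seen" value is the date you start measuring dwell time from; the point of the exercise is that nothing here is hard, it just has to be done.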
6. Sharing credentials
Pop quiz! What’s the admin password on the firewall? If something popped into your mind, you’re doing it wrong. Just like in AD every user should have their own account known only to them, the same holds true for applications and network gear. If two admins know the same password, then you can never know who did what. Passwords should be like toothbrushes: never shared, and changed often.
7. Asking for passwords
You spend a couple of hours at new employee orientation telling users not to give out their passwords. You spend days cleaning up from the latest successful phishing attack because someone got tricked online. Fast forward a few weeks and there you are, asking a user for their password so you can log onto something to troubleshoot it for them. Never, ever, under any circumstances, ask a user for their password. There is no exception to this, ever.
If you are guilty of any of the above, recite RFC 3514 20 times and list all the layers of the OSI Model 10 times, and then go fix that and never do it again! In Infosec, the “do as I say, not as I do” is utter codswallop and must stop. It’s bad enough when a regular user or a sysadmin breaks the rules. When the Infosec team does, the damage could be infinitely worse and your credibility is blown. Don’t be that guy!