Digg this story   Add to del.icio.us  
Teaching the Rules of the Road
Jon Lasser, 2002-04-24

Bad system administrators affect more than their own computers -- they make the entire Internet a little less safe.

There's a big, seemingly unassailable, problem with computer security today. It's a people problem, not a technology problem.

The problem is that, by and large, most system administrators are not locking down their systems according to the principles of minimalism and least privilege; system administrators are not keeping up-to-date with security patches; many system administrators don't even realize that these are issues.

If you're reading this, you're probably not part of the problem. Taking time to read a computer security news site and read an opinion piece means that you spend some amount of time and energy on computer security. You probably keep your systems, and your skills, up to date.

But if your neighbor leaves his car keys in the steering column, he's not necessarily the only person who loses out. A drunken joy rider could go on a tear through the neighborhood, ripping through the shrubbery and knocking over telephone poles.

Similarly, intruders turn easily-cracked, poorly-administered sites into launch points for further attacks.

Attacks launched from easily-cracked sites are often just more opportunistic attacks against other unadministered systems. However, many, if not most, carefully targeted and executed attacks are also launched from these sites. I would venture that few attackers are stupid or arrogant enough to launch a focused intrusion attempt from their own systems. (I have, admittedly, known a few to do so.)

It's like stealing a car to rob a bank -- only there are thousands of cars left with their engines running, their doors unlocked, and nobody in sight. It's an invitation to abuse.

That makes unadministered computers everyone's problem. But a solution is elusive.

Nobody much liked my solution to this last time around: clearly, experienced system administrators don't like software expiration. This is unsurprising, as they would benefit least from it, and pay the same or greater cost than others. So far, however, attempts at educating other system administrators have failed. While it's relatively easy to get people to lock their cars, it is surprisingly difficult to convince them to secure their systems, perhaps because the loss is not immediately apparent, and may not even be noticed.

Users need to learn that securing their systems not only protects their own property, but protects everyone else in the process, and that the losses are real.

One solution is to centralize security administration, or at least policy, in your organization: most large companies and campuses seem to have a large number of rogue systems, administered by people outside of a central services group.

That, however, is only a small part of the problem, and a corresponding fraction of the solution. Many, many systems are located on the far side of the globe, or at the end of a cable modem. Trying to contact administrators at these sites is an exercise in futility, as anyone who's been responsible for an intrusion detection system can tell you.

We need to educate users that a computer is more like a car than it is like a toaster. You don't just plug it in and go: you also need to gas it up, change the oil, rotate the tires, and so on. With a car, there's an expectation of ongoing maintenance expense. Today, with a computer, even one connected to the Internet, this is not the average user's assumption.


SecurityFocus columnist Jon Lasser is the author of Think Unix (2000, Que), an introduction to Linux and Unix for power users. Jon has been involved with Linux and Unix since 1993 and is project coordinator for Bastille Linux, a security hardening package for various Linux distributions. He is a computer security consultant in Baltimore, MD.
    Digg this story   Add to del.icio.us  
Comments Mode:
Teaching the Rules of the Road 2002-04-30
Anonymous
Teaching the Rules of the Road 2002-05-02
Anonymous (2 replies)
Teaching the Rules of the Road 2002-05-07
Anonymous (1 replies)
Teaching the Rules of the Road 2002-05-09
Anonymous
Teaching the Rules of the Road 2002-05-02
ReadTooManyOfThese :\
Thanks for the obvious again!!! 2002-05-06
Anonymous
Teaching the Rules of the Road 2002-05-06
OhMyJonStatesTheObviousYetAgain
Thou Art Exalted On High 2002-05-07
Anonymous
Teaching the Rules of the Road 2002-05-07
Anonymous
Teaching the Rules of the Road 2002-05-09
Anonymous


 

Privacy Statement
Copyright 2010, SecurityFocus