“Where Are You Going, Where Have You Been?” is a fairly famous story by Joyce Carol Oates. In it, Oates’ character Connie is talked into walking outside and going off with Arnold Friend and his companion. The story was inspired by the three murders committed by Charles Schmid, whose only apparent motive was that he wanted to kill someone. Why am I spoiling your day with a tale of murder from the 1960s, and its literary connection to Joyce Carol Oates, in a short blog post about password security? Because that character’s struggle with Arnold Friend reminds me of all too many password disasters.
The keys to the kingdom are the core passwords and administrator passwords of any environment. I’ve seen password schemes as simple as everyone using root, and as complex as each person having their own password to a password wallet that logs them in to specific systems. Since password security is such a large topic, I’m going to start with three concepts and maybe add a few volumes later on.
1. Administrator and root are not for daily tasks. These are the default administrative accounts on Windows and Linux respectively. Half or more of all the abuses I’ve ever encountered, from employees and from outside attacks alike, came from people having these logins and using them for all of their work. I’ve seen Microsoft Report Servers running under the Administrator credentials, a massive MS-SQL database cluster running as Administrator with its SA account and password passed around, and Tomcat and Apache running as root on the same web servers. This is wrong: a bug in any of those services hands the attacker the whole machine, and a shared password can never be tied back to a person. This is more wrong than young Connie picking up boys and men at the truck stop, but far worse than this is giving these keys to everyone in your IT department.
Linux distributions’ preferred answer to this is the sudo command. Sudo is Simon Says for the root user: you run a single command as root by prefixing it with sudo, and who may run what, as whom, is spelled out in /etc/sudoers (or a file under /etc/sudoers.d), which you edit with visudo so that a syntax error cannot lock everyone out. It is not a fool-proof plan, but it means handing out root access willy-nilly isn’t necessary. Every invocation is written to the system log with the invoking user, the target user and the exact command, so the actions of sudo users can be tracked in a reasonable manner. If editing the sudoers file is limited to a small subset of admins, and the commands granted to everyone else are limited to what their job needs, then sudo is a good starting point for the most basic server security. The caveat: a rule that grants ALL commands, or any command that can spawn a shell (an editor, a pager, a scripting interpreter), is the root password by another name.
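As an added example (not code from the original post), here is the kind of sudoers rule the paragraph above argues against, beside a per-task rule that replaces it, a small lint that flags blanket grants, and a parser for the lines sudo writes to the system log so that use of those rules can actually be tracked. The group names, command paths and log lines are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the original post. Rule text, group and
# user names, command paths and log lines are all constructed.

# Weak: everyone in "ops" gets any command as root with no password prompt.
# This is the root password with extra steps.
WEAK_RULE='%ops ALL=(ALL) NOPASSWD: ALL'

# Tighter: only the commands the task needs, only as root, still prompting.
# Install as a file under /etc/sudoers.d/ (mode 0440) after "visudo -c -f FILE".
TIGHT_RULES='Cmnd_Alias TOMCAT = /bin/systemctl restart tomcat, /bin/systemctl status tomcat
%webops ALL=(root) TOMCAT
alice ALL=(root) /usr/bin/tail -f /var/log/tomcat/catalina.out'

# Flag rules whose command list is the bare word ALL: root by another name.
lint_sudoers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments, blank lines
        /^[ \t]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        /(:|[ \t=])[ \t]*ALL[ \t]*$/ { print "blanket grant: " $0 }
    '
}

# Constructed sample of what sudo writes to syslog (auth.log or the journal):
# invoking user, tty, working directory, target user and the exact command.
SAMPLE_LOG='Mar  3 09:12:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart tomcat
Mar  3 09:12:40 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 09:13:05 web1 sudo:    alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 09:14:22 web1 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/useradd backdoor'

# One "user<TAB>target<TAB>command" line per successful sudo invocation.
sudo_commands() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        / sudo: / && !/command not allowed/ {
            line = $0
            sub(/.* sudo: +/, "", line)            # drop timestamp, host, "sudo:"
            user = line;   sub(/ : .*/, "", user)
            target = line; sub(/.*USER=/, "", target); sub(/ ;.*/, "", target)
            cmd = line;    sub(/.*COMMAND=/, "", cmd)
            print user "\t" target "\t" cmd
        }'
}

# "count user" for denied attempts; a burst from one account is worth a look.
sudo_denials() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        / sudo: / && /command not allowed/ {
            line = $0; sub(/.* sudo: +/, "", line); sub(/ : .*/, "", line)
            n[line]++
        }
        END { for (u in n) print n[u] " " u }'
}

# Successful invocations a per-task rule should never have permitted:
# an interactive shell, or a change to the account database.
sudo_shell_escapes() {
    sudo_commands | awk -F '\t' '{
        cmd = $3 " "
        if (cmd ~ /\/(ba|da|z)?sh / || cmd ~ /\/(useradd|usermod|passwd) /)
            print $1 ": " $3
    }'
}

echo "== blanket grants in the rules =="
printf '%s\n' "$WEAK_RULE" "$TIGHT_RULES" | lint_sudoers
echo "== sudo use =="
sudo_commands
echo "== denied attempts =="
sudo_denials
echo "== root shells and account changes =="
sudo_shell_escapes
```

The log parser only reads the successful lines, because a denial is logged with the same layout plus the words “command not allowed”; the second function counts those separately. Note that the tight rule still lets alice run tail, and a pager or editor in a Cmnd_Alias would hand her a shell with `!sh`; keep the allowed commands to ones that cannot escape.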
Microsoft has group security, and specifically a built-in Administrators group. While that group may in fact have too much access, I have to give it to the folks at Microsoft: the system is fairly reliable. Note, though, that any member of the Administrators group can reset the built-in Administrator account’s password, so the group does not protect that one password; what it buys you is accountability. Each admin signs in as themselves, their actions are logged under their own name, and that one account can be disabled the day they leave. Offline resets (booting a live CD such as Knoppix to edit the local account database, or running a password cracker from boot) need physical access to the machine, which is the physical-security layer’s job to deny. The individual admins in that group can still do a significant amount of damage to the system, but there is logging and there is reliable control should a user need to be disabled. Keep the built-in Administrator account itself disabled, as it is by default on client editions of Windows, or reserve it for break-glass use with a password that is sealed away rather than shared.
Did I mention that along the way? Eventually, everybody leaves, and unfortunately they don’t always leave on the best terms; that is the core reason you don’t give everyone the Administrator password. The end comes eventually to every employment. One of the chief challenges of any IT team lead, CTO or systems administrator is making sure that people who are being laid off or fired are locked out of the system. Imagine for a moment that the person in the boss’s office with the HR rep is a system admin themselves. Imagine they were the architect of your entire system! Think of all the passwords they use on a daily basis! Now imagine that they’re a disgruntled employee who wants to lash out at your company, delete everything important and infect everything else with malware!
Most of them won’t do it. You still have to treat them as though they would. Too many horror stories in IT start with the words, “I didn’t think they’d do it…”
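Here is an added example (not code from the original post) of the lockout half of that job on a Linux host: before the meeting ends, find every place the departing person’s access still lives, not just their own login. It audits copies of the relevant files in a scratch directory, with constructed contents and fake key material, so it runs without root; pass `/` as the root argument to run it against a real machine.

```sh
#!/bin/sh
# Added example, not code from the original post. The directory layout,
# file contents and SSH keys below are constructed; the keys are not real.

# Build a scratch copy of the files that grant access on a Linux host.
make_fixture() {
    d=$1
    mkdir -p "$d/home/bob/.ssh" "$d/home/alice/.ssh" "$d/etc/sudoers.d" "$d/etc/cron.d"
    cat > "$d/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
EOF
    cat > "$d/etc/group" <<'EOF'
sudo:x:27:bob,alice
docker:x:999:bob
EOF
    printf '%s\n' 'bob ALL=(ALL) NOPASSWD: ALL' > "$d/etc/sudoers.d/50-bob"
    # Bob's key was pasted into Alice's account "temporarily" and never removed.
    cat > "$d/home/alice/.ssh/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAK alice@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAK bob@laptop
EOF
    printf '%s\n' '0 2 * * * bob /usr/local/bin/backup.sh' > "$d/etc/cron.d/backup"
}

# List every place USER still holds access under ROOT (use / for a live host).
offboard_audit() {
    root=$1; user=$2
    # 1. An account that still has an interactive shell.
    awk -F: -v u="$user" '$1 == u && $7 !~ /(nologin|false)$/ {
        print "account: " u " still has shell " $7 }' "$root/etc/passwd"
    # 2. Group memberships; sudo, wheel, docker and friends are all privilege.
    awk -F: -v u="$user" '{ n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print "group: " $1 }' "$root/etc/group"
    # 3. Sudo rules naming the user directly.
    grep -rl -- "^$user[[:space:]]" "$root/etc/sudoers" "$root/etc/sudoers.d" 2>/dev/null |
        sed 's|^|sudoers: |'
    # 4. SSH keys tagged with the user's name in anyone's authorized_keys, not
    #    only their own. The key comment is free text, so this is a hint to
    #    check, not proof; keys with no comment need a fingerprint inventory.
    grep -rl -- "$user@" "$root"/home/*/.ssh/authorized_keys \
        "$root"/root/.ssh/authorized_keys 2>/dev/null | sed 's|^|sshkey: |'
    # 5. System cron jobs that run as the user.
    grep -rl -- "^[^#].*[[:space:]]$user[[:space:]]" "$root/etc/cron.d" 2>/dev/null |
        sed 's|^|cron: |'
}

demo=$(mktemp -d)
make_fixture "$demo"
echo "== access still held by bob =="
offboard_audit "$demo" bob
rm -rf "$demo"
```

Each finding maps to one action: lock the account and set its shell to nologin, remove the group memberships, delete the sudoers fragment, pull the key out of the other user’s authorized_keys, and reassign the cron job. Kill the user’s running sessions afterwards, since a lock does not end a shell that is already open, and repeat the audit on every host rather than only the one the person last touched.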
2. Have a plan to reset, revoke and seal off access to every system in your enterprise. Most security experts break this into several layers of security.
- 1. Password security is the first layer and the weakest.
- 2. Physical access is possession of any company property: physical keys to servers and rooms, and accepted credentials at server farms and co-location facilities.
- 3. IP security is the integrity of your code and hardware designs, and the legal contracts, trademarks, copyrights and patents you have protecting them.
- 4. Network security includes your VPN, your edge to the Internet, your intranet and your publicly facing applications, as protected by your firewall, WAF, routers and modems.
- 5. Personal security is related to physical security but covers the basic safety of each and every employee in your organization. The classic example of the postman going in with a shotgun and shooting up his co-workers is a mean, unfair, but reasonably scary and in this case useful illustration of personal security and the physical side of physical security.
I could write an article about each of these, and may come back and link to them, but there’s a basic strategy for each. The first is dealt with through the account scheme planned from the beginning and described above: individual accounts and no shared root or Administrator password, so that a departure means disabling one account rather than rotating a secret everyone knows. The second is principally handled by a set of secure keys for the on-site assets, preferably an electronic key and a physical key that must be used in tandem or in sequence. Companies often use biometric keys based on the physiology of the user, but these are a bit pricier than a couple of secure keys or locks. When the employee goes into the office for their termination, have the boss collect their keys immediately, and give the termination officer a list of everything they need to pick up. Meanwhile, at their desk, have a sysadmin or support agent collect the laptop or desktop they’ve left behind. Don’t leave it in the cubicle or office for when they return: wheel up with a cart and a box, pick everything up, and take it out of the office for re-purposing. Doing this at once gives you the time to secure the equipment properly, removes all access before the terminated employee returns to gather their personal effects, and completes the disconnect from physical security. As a final note, many workplaces assign cell phones to their employees that carry email and a host of other functions; make sure you pick that up immediately too.
3. IP security may require an attorney for most of it, but a lot of it is planning beforehand. Make sure you have a patent assignment agreement in force, a non-disclosure agreement that can be enforced in your locale, and a separation agreement that covers all contingencies. These are the basics; more would require that attorney I mentioned.
4. Network security: I have read at least twelve books on it, and while at least thirty pages of each were cribbed from the others or from the industry standards, the simple fact is that network security is a moving target that requires skilled employees willing to dedicate time and learning to the task. There is very little basic advice beyond: have a firewall, limit external access, and limit internal abuse of equipment so that nobody can simply walk around your perimeter from the inside.
5. Personal security is something I understand very little of. You might need a bodyguard armed with an assault rifle if your office is in downtown Baghdad or a similar war zone, but you might only need a receptionist watching the door or a key-card entry system if you’re dealing with employees who aren’t going to go nuts. My concern is that they say “it’s always the quiet ones,” and I don’t want to be the exception should my limited judgment of a person’s character fail me. Many terminations happen precisely because you misjudged the person’s capabilities and attitude toward work in the first place. Do not let that original mistake in judgment disarm you from a reasonable dose of caution.
Back to my top level of basic security: my third suggestion is simple. Change your system from time to time. Make incremental upgrades; someone with senior-level access who left eight years ago should not be able to walk up and recognize every aspect of your security as identical to what you had then. Rotate the secrets that were ever shared, change the layout, and keep changing; the advanced articles can tell you which changes to make.
I started this whole story with a ramble about Joyce Carol Oates and the probable murder of poor Connie. In the story, Connie is convinced to walk outside and accept her fate by the cajoling of her would-be murderers. My metaphor may have gone missing in the middle of this assessment of the most basic security, but I urge you to realize that it is not vigilance and defense that cost us, but our acceptance of our fates: a blind walk into the murderer’s embrace. Open your eyes, change the way you do things, and give the bad guys nothing. You may be a veritable babe in the woods of the IT security world, but with the basics you can at least avoid the most basic of weaknesses.