Hands-on Security for System Administrators

On Monday, November 4, Branson Matheson will be teaching Hands-on Security for System Administrators at USENIX LISA '13 in Washington, D.C.

Branson is a systems architect for SGT working at NASA and has 25 years of system administration and security under his belt, so he knows a thing or two about the topic. In this interview, Branson answers a few questions about system administration and security.


Rikki: What are three of the most common security-related mistakes sysadmins make?

Branson: Sysadmins tend to be fire-fighters, not gardeners. They have to deal with urgent issues and don't have enough time to deal with day-to-day things that keep their systems secure. The three most common things I see sliding are:

  1. No baselining: Many admins have monitoring tools of various types, but don't take the time to baseline their systems, so they miss identifying misbehavior. Simple things, like graphs of network use by port, that one looks at every day can help visually identify issues.
  2. Not testing backups: While not part of an initial security event, backups should be the method of choice for returning a system to operation—assuming you know when the system was compromised. Lots of admins run comprehensive backups and fewer still test to make sure they can restore. Having that capability is very important—even restoring partial information, like databases—to returning your system to production.
  3. Not patching: Keeping up with patches is an arduous task in any environment; however, given the plethora of automated penetration tools and the speed with which exploits are written for vulnerabilities, it's not credible to not patch. There's a good balance to knowing when a patch is released, getting it tested so that it doesn't impact your system, and then applying it. Making sure that you minimize the time from release to implementation is becoming more critical.
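The first item above, baselining, is concrete enough to show in code. The following is an added example (not from the interview or any LISA tutorial material) that builds a per-port baseline from a week of daily byte totals and flags both ports that have never been seen before and ports whose volume jumps well past their history. The port numbers and byte counts are constructed sample data; in practice they would come from flow summaries or firewall logs reduced to one total per port per day.

```python
"""Per-port network baseline with simple deviation alerts (added example).

Assumes daily outbound byte totals per destination port have already been
extracted from flow or firewall logs. The numbers below are constructed.
"""
from statistics import mean, pstdev

# Constructed history: seven daily outbound byte totals per destination port.
BASELINE = {
    443: [5_200_000, 5_000_000, 5_300_000, 4_900_000, 5_100_000, 5_400_000, 5_000_000],
    80:  [2_100_000, 2_000_000, 2_200_000, 2_100_000, 1_900_000, 2_000_000, 2_100_000],
    53:  [90_000, 95_000, 88_000, 92_000, 91_000, 94_000, 89_000],
    22:  [200_000, 180_000, 220_000, 190_000, 210_000, 200_000, 195_000],
}

# Constructed observation for today: SSH volume is ~19x its history and an
# IRC port that was never seen before has appeared.
TODAY = {443: 5_400_000, 80: 2_000_000, 53: 95_000, 22: 3_800_000, 6667: 12_000}


def build_baseline(history):
    """Return {port: (mean_bytes, stddev_bytes, days_seen)} from daily totals."""
    return {port: (mean(days), pstdev(days), len(days)) for port, days in history.items()}


def detect_anomalies(baseline, today, k=3.0, min_days=5):
    """Flag ports that are new, or whose volume exceeds mean + k * stddev.

    Returns a list of (port, reason, observed_bytes, threshold_bytes), sorted by port.
    """
    alerts = []
    for port, observed in sorted(today.items()):
        if port not in baseline:
            alerts.append((port, "new port", observed, 0.0))
            continue
        avg, sd, days = baseline[port]
        if days < min_days:
            continue  # not enough history to judge this port yet
        # Floor the spread at 5% of the mean so a perfectly flat history still
        # tolerates ordinary day-to-day drift instead of alerting on everything.
        threshold = avg + k * max(sd, 0.05 * avg)
        if observed > threshold:
            alerts.append((port, "volume spike", observed, threshold))
    return alerts


def report(alerts):
    """Render alerts as one line each, the kind of thing a daily check would print."""
    return [f"port {port}: {reason} ({observed:,} bytes, threshold {threshold:,.0f})"
            for port, reason, observed, threshold in alerts]


if __name__ == "__main__":
    for line in report(detect_anomalies(build_baseline(BASELINE), TODAY)):
        print(line)
```

Run as-is it reports the SSH spike on port 22 and the never-before-seen port 6667, while the normal drift on 443, 80 and 53 stays quiet. The `min_days` guard matters: a port seen only once or twice has no meaningful spread, so it is better to wait than to alert on it every day.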

Rikki: What are some of the new security vulnerabilities that sysadmins need to consider?

Branson: More and more enterprises are being invaded by mobile phones. Most sites now are experimenting with a Bring Your Own Device (BYOD) model for internal communications. With these wondrous devices comes convenient exploitation. Mobile device applications are notorious for asking for the moon when it comes to local device permissions. These applications can be easily exploited and used to pivot and attack the local networks. Each enterprise needs to develop a model to manage these risks. For example, if you allow BYOD devices on a local wireless network, that network should be treated as completely untrusted and separate from a wireless network for enterprise-managed devices.

Rikki: Have you seen any security-related news stories lately that a better trained/prepared admin could have helped prevent?

Branson: So Edward Snowden demonstrated the vast power wielded by system administrators, and while we might debate the merits of his work, he did it in a way that has very publicly made clear the lack of limitations of administrative privilege. Hackers gain admin rights, and have the same level of access. Was there a way to detect this breach? The answer is sure, using two methods: separation of powers and out-of-band logging. Many regulatory bodies enforce a strong separation of power between auditing and administration. Setting up an auditing system, administered separately from everything else and that is immutable, is an invaluable aid for discovering and solving problems. Simply, log monitoring remains one of the most effective tools for detecting an incident.
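The two methods named above, separation of powers and out-of-band logging, can be expressed as a small check that runs on the separate log host rather than on the administered systems. The following is an added example, not from the interview: it parses sudo events in the default syslog format and raises an alert when a non-admin obtains or attempts privilege, and when an ordinary admin account modifies the logging pipeline that is supposed to be owned by the audit role. The hostnames, user names, the `ADMIN_USERS`/`AUDIT_USERS` sets and the log lines are all constructed sample values.

```python
"""Sudo-event monitor for an out-of-band log host (added example).

Assumes sudo's syslog lines have been forwarded to a collection host that
administrators cannot write to. Users, hosts and log lines are constructed.
"""
import re

# Accounts allowed to run privileged commands on managed systems.
ADMIN_USERS = {"alice", "carol"}
# Accounts allowed to touch the audit/logging pipeline. Kept disjoint from
# ADMIN_USERS so a compromised admin cannot quietly disable its own trail.
AUDIT_USERS = {"auditor"}
# Path prefixes whose modification means the logging pipeline itself changed.
AUDIT_PATHS = ("/etc/rsyslog", "/etc/audit", "/var/log")

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<body>.*)$"
)

# Constructed sample: one normal update, one denied and one successful sudo by
# a non-admin, an admin editing the forwarding config, the auditor doing the
# same, and a routine service restart.
SAMPLE_LOG = """\
Nov  4 09:12:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Nov  4 09:15:44 web1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Nov  4 09:16:02 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Nov  4 10:02:19 db1 sudo:    alice : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/vi /etc/rsyslog.d/remote.conf
Nov  4 10:30:00 db1 sudo:  auditor : TTY=pts/3 ; PWD=/home/auditor ; USER=root ; COMMAND=/usr/bin/vi /etc/rsyslog.d/remote.conf
Nov  4 11:00:07 web1 sudo:    carol : TTY=pts/0 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/service nginx restart
"""


def parse_sudo_event(line):
    """Return a dict for a sudo command line, or None for anything else."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    fields = m.group("body").split(" ; ")
    # A denial message ("user NOT in sudoers") precedes the key=value fields.
    denied = fields[0] if "=" not in fields[0] else None
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    return {
        "ts": m.group("ts"), "host": m.group("host"), "user": m.group("user"),
        "denied": denied, "target": kv.get("USER"), "command": kv.get("COMMAND", ""),
    }


def touches_audit_pipeline(command):
    return any(p in command for p in AUDIT_PATHS)


def check_event(ev):
    """Return an alert reason for a parsed event, or None if it is expected."""
    if ev["denied"]:
        return "denied sudo attempt"
    if ev["user"] not in ADMIN_USERS | AUDIT_USERS:
        return "privileged command by non-admin"
    if touches_audit_pipeline(ev["command"]) and ev["user"] not in AUDIT_USERS:
        return "audit pipeline modified by admin"
    if ev["user"] in AUDIT_USERS and not touches_audit_pipeline(ev["command"]):
        return "audit account used for general administration"
    return None


def scan(log_text):
    """Return (host, user, reason, command) for every line that warrants an alert."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_sudo_event(line)
        if ev is None:
            continue
        reason = check_event(ev)
        if reason:
            alerts.append((ev["host"], ev["user"], reason, ev["command"]))
    return alerts


if __name__ == "__main__":
    for host, user, reason, command in scan(SAMPLE_LOG):
        print(f"{host}: {user}: {reason}: {command}")
```

The point of running this on the log host rather than on `web1` or `db1` is exactly the separation described above: an attacker with root on a managed system can edit or truncate its local logs, but cannot reach back and remove the copy that was already forwarded, so the denied attempt by `bob` and the edit to `/etc/rsyslog.d/` by `alice` survive to be seen.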

Rikki: What is the best piece of security advice you have for sysadmins?

Branson: Stay abreast of current threats. Take time out of every day to review news sites for information on current vulnerabilities, exploits, and threats. I recommend isc.sans.org, reddit, slashdot, and others. Consider each threat you read about in the context of your environment. Discuss these threats at meetings, as it keeps your associates and management up-to-date. If you identify an issue that will impact you, take action to mitigate it as soon as is reasonable—hackers read news sites, too.


Registration is now open for LISA '13 and the early bird discount ends October 15.

The student grant application deadline is September 30, so apply today: 27th Large Installation System Administration Conference (LISA '13), November 3-8, 2013, Washington, D.C.