Five Security Secrets Network Administrators Keep Quiet

Tuesday, March 22, 2011



Philip Lieberman has an interesting writeup on HelpNet Security titled "Five security secrets your IT administrators don't want you to know" that outlines what he describes as "shortcuts" taken by network administrators that may compromise security.

Most everyone is aware that not all security vulnerabilities can be eliminated, and that companies conduct what amounts to a cost/benefit analysis when allocating resources to mitigate risk.

What many are not aware of is that network administrators may be conducting their own personal risk assessments in the course of their daily duties.

They may be weighing factors such as performance pay incentives, the thoroughness of security audits, time constraints, and the demands from other departments within the organization when deciding what is or is not a priority.

Excerpts from Lieberman's analysis are as follows:

  • Most passwords never change: Sensitive accounts like administrator logins, embedded application-to-application passwords, and privileged service accounts often keep the same passwords for years because IT staff may not have the tools to track and change them...
  • Too many individuals have too much access: Regardless of your written policies, highly-privileged account passwords are almost certainly known to large numbers of IT staff. And chances are, for the sake of convenience these logins have been shared with individuals outside of IT...
  • Your CEO's data isn't private: Anyone with knowledge of the right credentials can gain anonymous access to read, copy and alter data – including the communications and application data belonging to your executive staff...
  • IT auditors can be misled: IT staff have limited time to complete higher-visibility projects that influence performance ratings and paychecks, so in most cases you can forget about them fixing any security holes that your auditors fail to notice...
  • Security often takes a back seat: Most IT administrators won’t tell you about the security vulnerabilities they discover in the course of their jobs because they’re not paid to fight losing battles to gain resources necessary to close each discovered security gap...

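The first two points above (credentials that are never rotated, and privileged passwords known to too many people) are the ones an administrator can actually measure. The following is an added example, not code from Lieberman's article or from Infosec Island, that audits a small privileged-account inventory against a password-age and a password-sharing policy. The account records, the per-class age limits and the holder limit are all constructed for this example; real values would come from your directory and your own policy.

```python
from dataclasses import dataclass
from datetime import date

# Maximum acceptable password age per account class, in days. These are
# hypothetical policy values chosen for this example.
MAX_AGE_DAYS = {"admin": 90, "service": 180, "application": 180}

# Maximum number of people who should know a privileged password (hypothetical).
MAX_HOLDERS = 2

# Audit date: the post's publication date, used here as the reference "today".
AS_OF = date(2011, 3, 22)


@dataclass
class Account:
    name: str          # account identifier as seen in the directory
    kind: str          # "admin", "service" or "application"
    last_change: date  # last time the password was rotated
    holders: int       # people who currently know the password


def password_age_days(acct, today):
    """Days since the account's password was last changed."""
    return (today - acct.last_change).days


def audit(accounts, today):
    """Return (account name, finding) pairs for every policy violation found."""
    findings = []
    for acct in accounts:
        limit = MAX_AGE_DAYS.get(acct.kind)
        if limit is None:
            # An account class the policy does not cover is itself a finding:
            # it would otherwise be silently skipped by the rotation tooling.
            findings.append((acct.name, f"unknown account class '{acct.kind}'"))
            continue
        age = password_age_days(acct, today)
        if age > limit:
            findings.append((acct.name, f"password unchanged for {age} days (limit {limit})"))
        if acct.holders > MAX_HOLDERS:
            findings.append((acct.name, f"password known to {acct.holders} people (limit {MAX_HOLDERS})"))
    return findings


# Constructed sample inventory; names and dates are made up for the example.
SAMPLE = [
    Account("DOMAIN\\Administrator", "admin", date(2008, 5, 1), 9),
    Account("svc_backup", "service", date(2010, 6, 1), 1),
    Account("erp_db_connector", "application", date(2011, 2, 1), 2),
]


def stale_accounts(accounts=SAMPLE, today=AS_OF):
    """Names of accounts whose password age exceeds the class limit."""
    return sorted({name for name, msg in audit(accounts, today) if "unchanged" in msg})


def overshared_accounts(accounts=SAMPLE, today=AS_OF):
    """Names of accounts whose password is known to too many people."""
    return sorted({name for name, msg in audit(accounts, today) if "known to" in msg})


if __name__ == "__main__":
    for name, msg in audit(SAMPLE, AS_OF):
        print(f"{name}: {msg}")
```

The point of keeping `holders` as a tracked field is that the sharing problem is invisible to a plain directory query: password age can be read from the directory, but who has been handed a shared password only exists if someone records it, which is exactly the tooling gap the first excerpt describes.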
We've all been there: faced with a task at work that we know is a major pain in the rear, many of us have opted to let the matter slide. But when it comes to information security, there is a lot at stake.

Lieberman makes some good observations, and his article goes into greater detail on each of these issues. It is worth a read.
