Propaganda against the lowly sys admin
Comments
-
Paul Boz Member Posts: 2,620 ■■■■■■■■□□It’s not propaganda, its common sense. There's a direct correlation between the amount of access you have and the ease of stealing confidential or sensitive data. Obviously a DBA has a much greater ability to access raw database data than anyone else. I don’t think this article is saying that you can’t trust your admins, but that you shouldn’t. I don’t mean to say that you should single out system administrators, but really you shouldn’t trust anyone. Just like I wouldn’t trust a network engineer to not install back doors in the network I wouldn’t trust a teller to count money by herself.
Beyond theft of assets, consider the impact that a rogue sysadmin can have on the business continuity of an organization. What good is the failover site if the admin has crippled everything? There’s a reason why there should be checks and balances, dual controls, and auditing in place. No one is above suspicion.CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/ -
Devilsbane Member Posts: 4,214 ■■■■■■■■□□That is why there can be extensive background checks and companies strive to keep a paper trail. 99% of sysadmins are going to be legit. The trouble is finding that 1 out of 100 and weeding them out.
For example, where I work. Any account that has development privileges is locked. In order to unlock it, the manager has to call the help desk with the change request number and request that it be enabled/unlocked. The account is active for 24 hours and then automatically disables again and it will require the manager to call in again if more work is needed.Decide what to be and go be it. -
Pash Member Posts: 1,600 ■■■■■□□□□□Everything should be locked down and too right. I know some corporations whom actually have high profile directors keep a spreadsheet of admins with access and levels of access. Why not I ask...
I couldn't tell you a domain admin password for half of my customer sites, truth be told you shouldn't be doing anything under hi-priv accounts without a change control (yes this is me saying this) and maybe even a method statement....
This is probably a relevant story although this is more file access related. I wrote a powershell script to retrieve the ACL information for a whole bunch of folders for a HR director last year, she kept thanking me for bringing to her attention that a bunch of ACL's existed that shouldn't. Basically HR kept forgetting to inform IT that line managers, team leaders etc had kept changing. People could see other peoples yearly reviews etc. What made it worse was in some cases these people had drive mappings to said HR folders that were still present in the KIX logon scripts....This is a huge flaw in a security model heavily based on Discretionary Access Control. IT never got in trouble for this, if a request is never raised and a change control never produced we would not change a thing...DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.