John,

Instead of jumping on Jan for the use of hashtags in email, please consider
providing him useful and constructive
feedback.

Jan,

I'm curious how you're going to use the responses you're compiling? Just
something informal or will this be for publication/blog post somewhere?

Cheers,
Travis

I could point you to over zealous auditors trying to force implementation of USGCB (http://usgcb.nist.gov/usgcb_faq.html) and going line by line through the the NIST Special Publication 800-53 control catalog trying to find things you don't implement so they can ding you (what?! Your Linux auth isn't using FIPS 140-2 validated encryption?! Or how are you ensuring transmission integrity for everything?).[1]

Luckily those auditors don't have a long shelf life inside my org but they do exist and wreak havoc while they are active.

Carolyn

[1] Password policies are part of this. I'm waiting for the new Mac security folk to run into the case where some poor user gets auto-locked out because their password meets the org level rules for passwords but doesn't match the local Mac password enforcement (different requirements) which they just enabled in order to be thorough. :p


Sent using a mouse-sized keyboard with feigned autocorrect intelligence.

On the topic of passwords: are the different aspects -- such as password
rotation, complexity, hashing algorithms, use of vs. non-password based
auth, SSO vs. different passwords for different things -- and the
threats they attempt to mitigate well understood by most system
administrators?

Do we teach junior sysadmins about these to a sufficient degree or is
this something they (have to) pick up along the way to becoming more
senior?

-Jan

It's these kinds of audits that distract sysadmins from the security that
actually makes things more secure. It drives a wedge between security
people and the sysadmins.

Carolyn

Clarification: Aggressive mode, 256-bit PSK shared group authentication, in addition to individual username & password. (I just neglected to mention username & password in the sentence above, and felt the need to clarify that point.)
_______________________________________________
Discuss mailing list
***@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/

Oh my dear god, I wanted to avoid this, but now I can't hold back the flood... Anecdotes follow.

I was once instructed to fill all the USB ports of all the computers with hot glue, except one port for keyboard and one port for mouse on each computer, and to install padlocks on all the computer chassis. At that particular company, outbound access to the internet was completely unregulated - you could very easily upload everything to China or Russia or wherever, using any protocol you like. There was also no countermeasure to USB hubs or simply living without the mouse or keyboard for a little while to make room for your USB storage device. I do not recall anymore, why exactly we didn't care about the optical drives - maybe they were all read-only? I forget. Anyway, I refused to do the hotglue thing (tried to engage discussion about what problem we're actually solving, and trying to solve it in some way that would be effective), and got fired a couple weeks later.

Later, I worked for a small company that got acquired by a big company. Small company is located inside an incubator, where the cleaning crew is provided by the incubator. Security folks of big company required us to install locking ethernet jack hole plugs and replace all our regular ethernet cables with locking ethernet cables to plug up each and every ethernet outlet, so the cleaning crew could not plug in a laptop. (Unless they have a butter knife strong enough to bend the plastic, or a smartphone capable of photographing the whiteboards, or a pair of wire snippers and knowledge of ethernet pinout).

Data closet was located in the incubator-provided datacenter on the 14th floor, behind cages which we were able to secure even against the incubator host company, who allowed us to change the locks and keep our own keys. Secure, that is, unless they have an ethernet cable at least 10 inches long and a stick and some duct tape, sufficient to reach right through the holes of the cage to plug an ethernet cable into the obviously visible and reachable switches.

Oh yeah. I mentioned we plugged up all the ethernet jacks of the 3rd floor, which go to a network closet on the 3rd floor, where we had to do the same cage-lock-changing shenanigans as the 14th floor. But the 3rd and 14th floors were connected to each other via fiber optic cable that ran through the incubator's duct work and conduit. Big company security folks *almost* required us to armor the fiber optic cable as a countermeasure to cutting & splicing, until I came up with the brilliant idea of enabling a VPN from our switches on the 3rd, to the switches on the 14th. So we built an on-premise LAN site-to-site VPN as an alternative to armored cables.

Same company, we were forced to disable all ssh servers in favor of telnet and ftp, so the traffic could be monitored. "Improved security." Because hey, otherwise they can't monitor the traffic to see what you're transferring from where to where. "Improved security."

We had some ubuntu servers, and we preferred to keep a local apt repository that we downloaded via rsync protocol. This is an outbound rsync connection, used to download files from the internet. New firewall blocked rsync port, and they denied our request to open outbound rsync protocol. Reason: rsync could be used to upload confidential information out of the company. Conclusion: Use http to download instead. (As if http couldn't be used to upload information out of the company.)

I probably have more, but I choose to quit now. I am currently laughing painfully. ;-) I wish these stories were untrue. I got fired from one company and quit the other because of these.
_______________________________________________
Discuss mailing list
***@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/

I would like to point out that Mark's beginning statement has been true, as it still is today, since companies have had DP/MIS/IT departments.  After many years working in this field, the real issue regarding this subject, is that the wrong priorities are stressed if you wish to have a more secure IT. 

Getting the App/Prog to market first (no matter what, attitude) is the wrong priority.  Security that is part of the foundation of whatever (Op Sys, App, Protocol, Service, etc.) will allow solutions for unseen problem to be more quickly resolved, if developed and tested properly.  Taking Short-cuts to get to market has not been the solution in the long run.  If the foundations are wrong then replace them with new ones and not by tacking on fixes.

An example of this would be Steve Jobs's choice to build his MAC Os upon a more securely built, than other OS's that he had a choice of at the time, was the right direction to take, and this has been proven over time.  I understand that it was FreeBSD.

I take offense to the implication that "grumpy old-timers" seem to be the roadblock.  The real issue are persons with Closed Minds.  These persons can be younger or older.  The technology of today, just like our science, is built upon the foundations from the working past, such as Virtual technology from mainframe days.  The working concepts just took the tech in another direction.  Is the concept really a brand new concept or just applied differently ? 

These are my views since starting in computers when I was a high school teenager and corporations were pretty much the only ones that needed and used computers.  I thank the list for letting me present a different view on the same issues.  I wish you ALL a Happy Holidays !
Sincerely,Harvey RothenbergSystems Integrator/Security Specialist
 “Science without religion is lame. Religion without science is blind.” Albert Einstein

On Saturday, December 6, 2014 2:37 AM, "***@nym.hush.com" <***@nym.hush.com> wrote:


Hi Jan!

I like that you are doing your homework! That's a good thing :)

Now on to some various topics that should help you out a bit. If these have been pointed out previously, just consider them confirmation on that topic.
I didn't have time to read through all the responses.


1) Linux file system permissions as they pertain to webserver functionality. In practice, it's great to have a layered security approach. Granular permisisons can be burdensome. Especially with resellers who like to have one user own a couple hundred wordpress sites on a server.
That wouldn't be so bad, except every plugin they install will eventually lead to an exploited server with hundreds of back doors and shell scripts hidden in every nook and cranny. CMS based sites are already inherently insecure, however with the correct user/permission structure you can limit the blast radius. The webserver user (www-data, apache, nobody) should never own the site. The webserver only needs read-only permission to the site for it to run. All updates should be carried out by an unprivileged user that owns the site.
Any directory that shouldn't have php rendered in it, should have an .htaccess directive that prohibits it, image directories for example.
Always do a quick security assessment of newly provisioned servers and review their filesystem permissions. Is /root world read/writable? it's shouldn't be. Too often I see simple mistakes like this that can cause quite a few issues for those who use control panel software like cPanel. Get a program in place for hardening all newly provisioned systems.  I could go on forever about webserver/system security. So I'll stop here.

2) Learn regex and some other scripting language(s) - you will use it. (bash(required) - perl, python, c#, c++) and it makes you more desirable.

3) When it comes to passwords - I've seen many opinions on this in the responses you've gotten so I'll be brief. In many cases you can't opt for SSO or 2 factor. I tend to encourage end users to pick pass phrases if they must use a password. A passphrase should be multiple terms/digits/special characters. A dictionary attack will generally not be able to crack these. Avoid common phrases and memes. "my2d0NkEy$***@s" Use a password manager software that will generate random passwords if you can't remember them. LastPass or something like that.

4) Keep a KB and/or if you have it a case/ticket system and write things down in detail, because you will forget how you solved that one issue 6 months to a year+ ago.

5) Most organizations get so tunnel-vision on the next great thing, they tend to not keep up with updates/patches/maintenance for existing infra. Don't fall into that habit. Help your organization develop a maintenance program that will roll like clock-work once it's set up. Set aside the time each month to ensure you get it done. This is a compliance requirement!!!

6) Also ensure you audit and test your solutions to ensure they are always doing what they were implemented to do. I can't stress it enough - MONITOR EVERYTHING - use SNMP, use WMI, don't rely on PING for downtime events. Rely on actual processes that enable the functionality of the system. If those processes die due to whatever reason and the system is still up - how long until you notice and resolve? How many things were impacted? You can avoid not having these answers by ensuring you have everything in your arsenal monitored and acted on.

7) PCI - Don't offer information you don't have to. "Oh yeah we have an IDS, we finally got it working after being down for 8 months" <-- avoid that. Generally, the QSA won't care, but if you happen to get the one who does - he'll see it as a red flag and start digging deeper for more evidence in everything else and make your life more difficult. Just say "Yes we have IDS." You want them in and out. If you do have issues with something that could ding your compliance, be freaking honest. "This system is not patched right now because we have a particular mission critical application that will break if we do. But we are working on phasing it out/updating. We monitor all logs, employ the use of FIM, and access is strictly controlled via SDN/WAF/FIREWALL/ACLs/ etc.." This answer is more acceptable than "This system isn't patched and there's nothing we can do about it"

8) For PCI or SSA16, you need evidence. So collect it on a regular basis. Quarterly works. Have a central repository set up and dump your evidence in there. This will range from reports to screenshots. This way you aren't scrambling to provide it at the time of assessment.

9) Don't be afraid of breaking stuff. Cause you will, and you will learn from it. If you avoid doing particular things at work because you are worried about screwing up - you won't get anywhere. If you are absolutely unsure, simply ask. There's no harm in asking. Make mistakes (unintentional of course), if you are in an organization that hangs you out to dry over a mistake - then you are in the wrong organization. It's processes and controls that should be evaluated when mistakes are made. It could be a training issue, but in other cases it is usually the process that is broken.

10 ) Understand the workflow and how every solution interacts with your traffic/data. This will help you to better troubleshoot and identify everything that touches that data from point a to point b within your network.


Hopefully some of this hits a chord and helps you in your endeavors. I wish you the best!

Alicia

On 12/3/2014 at 9:48 AM, "Jan Schaumann" <***@netmeister.org> wrote:
Hello,

I'm currently exploring the intersection of #sysadmin / #infosec[1] a
bit. There is obvious overlap, yet at many companies the two camps also
frequently end up at loggerheads. I'd like to collect some feedback:

What #infosec or (PCI) compliance mandates and rules drive you nuts?
What (seemingly or actually) pointless, braindead things are demanded of
you?[2]

On the flip side, what are some of the security related concepts or
fundamentals that you think junior sysadmins are frequently lacking or
having trouble understanding?[3]

Feel free to email me off-list, if you prefer. Alternatively, you can
also reply to the tweets referenced.

Thanks in advance!
-Jan

[1] https://twitter.com/jschauma/status/540153322670661632
[2] https://twitter.com/jschauma/status/539626083583541249
[3] https://twitter.com/jschauma/status/539918484663062529

_______________________________________________
Discuss mailing list
***@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/

Dear Mr. Brandon Allbery,
I thank you for your attention to detail and your correction. 

Sincerely,Harvey Rothenberg
I've been doing infosec for the last 20 years, and doing a lot of sysadmin work
along the way.

The biggest reason for the two groups to end up at loggerheads is just different
priorities and resource contraints.

If security has to tell ops to do something, and then ops has to figure out how
to do it on top of all the work they already have to do (which almost always
already exceeds the manpower available by a significant amount) they are going
to be grumpy. It's especially bad if their bonuses depend on them completing
their assigned work, and that assigned work doesn't allow for the security
issues.

The security folks get grumpy because they don't see problems getting fixed.



All to frequently, security people end up taking a "do what I say, not what I
do" approach to things. This is a pet peeve of mine. 'pentest experts' in
particular tend to take the attitude that the rules don't apply to them if they
can figure a way around them

Many times ops people resist improving the security of anything because there is
some other way to get it (they don't get the idea of fixing some things now and
other things later)



In good organizations, the security people live by the rules that they set, and
there is time set aside in the schedule planning to be able to do security work.
The best sysadmins understand security and the best security people understand
operations, but such people are rare. The most important thing is the ability
for the two sides to talk and disagree on the priority of things. If either side
can override the other at will, it's going to be a disaster.


It's valuable to have the two teams report to different management (for example:
if security reports to the ops manager who's bonus is based on service uptime,
security concerns are likely to get low priority until there is an incident that
causes an outage), but this split just emphisises the difference in priorities.
This can be especially troublesome if the security group reports to management
that doesn't understand the technology (reporting to legal is common, and senior
lawyers aren't likely to be keeping up to date on datacenter technology)

David Lang
_______________________________________________
Discuss mailing list
***@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/

Who minds the office?

Is the address on the web site correct?

Early this year I mailed a check for my dues to the address on the web
site. It didn't come back but it was never cashed.

Eventually I concluded that it was lost in the mail and sent another check
with a note to the address on the web site. So far there has been the same
result.

Who is minding the stor?

/dan

Member Number 311


--
Dan Schlitt
***@theworld.com


_______________________________________________
Discuss mailing list
***@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/