The nature of systems administrators’ jobs puts them in a position of power, which can be deliberately or inadvertently subverted, says Bob Tarzey.
IT systems don’t run themselves - at least not all the time. At some point the intervention of system administrators - sysadmins - is required.
The very nature of a sysadmin’s job requires that he or she is granted a higher, privileged level of access to IT infrastructure than that granted to normal users.
When the actions taken by sysadmins are other than those expected of them, there can be far-reaching consequences. In the worst case, a sysadmin may abuse their privilege for malicious reasons, for example to steal data or set up backdoor access to IT systems for themselves or others.
Sysadmins are also good targets for identity theft through techniques such as spear phishing, a privileged ID being more useful to hackers than a normal one. However, the most common problem is simply that sysadmins are human. They make mistakes.
Privileged user management tools help address a number of issues that a recent Quocirca report showed were rife among UK businesses. So here are Quocirca’s top 10 tips for better and safer systems administration.
Tip 1. Know your privileged users
Certain regulations and standards make strong statements about the use of privilege. One of the controls in the IT service management (ITSM) standard ISO 27001 states that “the allocation and use of privileges shall be restricted and controlled”. The Payment Card Industry Data Security Standard (PCI-DSS) recommends “auditing all privileged user activity”.
In other words, the use of group admin accounts is a strict no-no. Such accounts should be blocked and all privileged user access should be via identities that are clearly associated with individuals.
Tip 2. Make sure legacy privileged accounts are closed
This measure includes the default accounts provided with systems and application software, which with the right tools can be searched for and closed, and the accounts of sysadmins who have now left your organisation. The best way to deal with the second point is to provide only short-term access for specific tasks in the first place.
Tip 3. Minimise sysadmin errors
Quocirca’s research suggests that the average error rate of sysadmins runs at about six percent. Errors can waste time (for example, applying patches to the wrong device), be a security risk (in cases such as changing the rules of the wrong firewall) or cause disaster (say, wiping the wrong disk volume).
Sysadmin tools that guide users to the right device in the first place and double-check their actions can help avoid errors, as can the automation of certain mundane tasks.
Tip 4. Limit sysadmins’ access to devices
Another way to avoid errors is to grant sysadmins privileged access to devices that need maintenance for limited periods of time. Rather than providing wide-ranging and ongoing access, grant it only to a single device or small subset of devices and only for the period of time deemed reasonable to get the job done.
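Tips 1, 2 and 4 can be checked mechanically against an inventory of privileged grants. The following is an added example, not from the article or from any Quocirca tool; the Grant record, the function names, the thresholds and the sample data are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy values (assumptions, not taken from the article)
SHARED_ACCOUNTS = {"root", "admin", "administrator"}
MAX_WINDOW = timedelta(hours=8)   # longest acceptable grant
MAX_DEVICES = 3                   # "small subset of devices"

@dataclass(frozen=True)
class Grant:
    account: str                  # identity the privilege is issued to
    devices: frozenset            # devices the grant covers
    start: datetime
    expires: Optional[datetime]   # None means standing access

def audit(grant, active_staff):
    """Return the policy findings for one grant; an empty list is clean."""
    findings = []
    if grant.account in SHARED_ACCOUNTS:
        findings.append("shared-account")    # Tip 1: not tied to a person
    elif grant.account not in active_staff:
        findings.append("legacy-account")    # Tip 2: owner has left
    if grant.expires is None:
        findings.append("no-expiry")         # Tip 4: ongoing access
    elif grant.expires - grant.start > MAX_WINDOW:
        findings.append("window-too-long")
    if len(grant.devices) > MAX_DEVICES:
        findings.append("scope-too-wide")    # Tip 4: wide-ranging access
    return findings

def is_allowed(grant, account, device, now, active_staff):
    """Login-time decision: clean grant, same person, in scope, in window."""
    return (not audit(grant, active_staff) and account == grant.account
            and device in grant.devices and grant.start <= now < grant.expires)

# Constructed sample inventory
T0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
STAFF = {"alice", "bob"}
GRANTS = [
    Grant("alice", frozenset({"fw-01"}), T0, T0 + timedelta(hours=2)),
    Grant("admin", frozenset({"fw-01"}), T0, T0 + timedelta(hours=2)),
    Grant("carol", frozenset({"db-01"}), T0, None),
    Grant("bob", frozenset({"sw-01", "sw-02", "sw-03", "sw-04"}),
          T0, T0 + timedelta(days=30)),
]

if __name__ == "__main__":
    for g in GRANTS:
        print(g.account, audit(g, STAFF) or "ok")
```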
Tip 5. Encrypt sysadmin login details
Many sysadmin tasks involve maintaining remote devices, which requires the sysadmin login details and the instructions for the given task to be transmitted, sometimes embedded in scripts. It has been common for this to be done in…